lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-08-01 10:06:53 +03:00
Code Activity

tls13: Add allowed extesions constants.

Browse Source 
- And refactor check_received_extension

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
Jerry Yu
2022-10-31 13:20:57 +08:00
parent 7a485c1fdf
commit df0ad658a3
2 changed files with 66 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

105
library/ssl_misc.h
View File

@ -134,76 +134,83 @@ uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type );
* not specified for the message in which it appears, it MUST abort the handshake * not specified for the message in which it appears, it MUST abort the handshake
* with an "illegal_parameter" alert. * with an "illegal_parameter" alert.
*/ */
#define MBEDTLS_SSL_EXT_UNRECOGNIZED ( 1U << 31 )
/* Extensions that not recognized by TLS 1.3 */
#define MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED \
( MBEDTLS_SSL_EXT_MASK( SUPPORTED_POINT_FORMATS ) | \
MBEDTLS_SSL_EXT_MASK( ENCRYPT_THEN_MAC ) | \
MBEDTLS_SSL_EXT_MASK( EXTENDED_MASTER_SECRET ) | \
MBEDTLS_SSL_EXT_MASK( SESSION_TICKET ) | \
MBEDTLS_SSL_EXT_MASK( UNRECOGNIZED ) )
/* RFC 8446 section 4.2. Allowed extensions for ClienHello */ /* RFC 8446 section 4.2. Allowed extensions for ClienHello */
#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH \ #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH \
( MBEDTLS_SSL_EXT_SERVERNAME | \ ( MBEDTLS_SSL_EXT_MASK( SERVERNAME ) | \
MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH | \ MBEDTLS_SSL_EXT_MASK( MAX_FRAGMENT_LENGTH ) | \
MBEDTLS_SSL_EXT_STATUS_REQUEST | \ MBEDTLS_SSL_EXT_MASK( STATUS_REQUEST ) | \
MBEDTLS_SSL_EXT_SUPPORTED_GROUPS | \ MBEDTLS_SSL_EXT_MASK( SUPPORTED_GROUPS ) | \
MBEDTLS_SSL_EXT_SIG_ALG | \ MBEDTLS_SSL_EXT_MASK( SIG_ALG ) | \
MBEDTLS_SSL_EXT_USE_SRTP | \ MBEDTLS_SSL_EXT_MASK( USE_SRTP ) | \
MBEDTLS_SSL_EXT_HEARTBEAT | \ MBEDTLS_SSL_EXT_MASK( HEARTBEAT ) | \
MBEDTLS_SSL_EXT_ALPN | \ MBEDTLS_SSL_EXT_MASK( ALPN ) | \
MBEDTLS_SSL_EXT_SCT | \ MBEDTLS_SSL_EXT_MASK( SCT ) | \
MBEDTLS_SSL_EXT_CLI_CERT_TYPE | \ MBEDTLS_SSL_EXT_MASK( CLI_CERT_TYPE ) | \
MBEDTLS_SSL_EXT_SERV_CERT_TYPE | \ MBEDTLS_SSL_EXT_MASK( SERV_CERT_TYPE ) | \
MBEDTLS_SSL_EXT_PADDING | \ MBEDTLS_SSL_EXT_MASK( PADDING ) | \
MBEDTLS_SSL_EXT_KEY_SHARE | \ MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) | \
MBEDTLS_SSL_EXT_PRE_SHARED_KEY | \ MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | \
MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES | \ MBEDTLS_SSL_EXT_MASK( PSK_KEY_EXCHANGE_MODES ) | \
MBEDTLS_SSL_EXT_EARLY_DATA | \ MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) | \
MBEDTLS_SSL_EXT_COOKIE | \ MBEDTLS_SSL_EXT_MASK( COOKIE ) | \
MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS | \ MBEDTLS_SSL_EXT_MASK( SUPPORTED_VERSIONS ) | \
MBEDTLS_SSL_EXT_CERT_AUTH | \ MBEDTLS_SSL_EXT_MASK( CERT_AUTH ) | \
MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH | \ MBEDTLS_SSL_EXT_MASK( POST_HANDSHAKE_AUTH ) | \
MBEDTLS_SSL_EXT_SIG_ALG_CERT | \ MBEDTLS_SSL_EXT_MASK( SIG_ALG_CERT ) | \
MBEDTLS_SSL_EXT_UNRECOGNIZED ) MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED )
/* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */ /* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */
#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE \ #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE \
( MBEDTLS_SSL_EXT_SERVERNAME | \ ( MBEDTLS_SSL_EXT_MASK( SERVERNAME ) | \
MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH | \ MBEDTLS_SSL_EXT_MASK( MAX_FRAGMENT_LENGTH ) | \
MBEDTLS_SSL_EXT_SUPPORTED_GROUPS | \ MBEDTLS_SSL_EXT_MASK( SUPPORTED_GROUPS ) | \
MBEDTLS_SSL_EXT_USE_SRTP | \ MBEDTLS_SSL_EXT_MASK( USE_SRTP ) | \
MBEDTLS_SSL_EXT_HEARTBEAT | \ MBEDTLS_SSL_EXT_MASK( HEARTBEAT ) | \
MBEDTLS_SSL_EXT_ALPN | \ MBEDTLS_SSL_EXT_MASK( ALPN ) | \
MBEDTLS_SSL_EXT_CLI_CERT_TYPE | \ MBEDTLS_SSL_EXT_MASK( CLI_CERT_TYPE ) | \
MBEDTLS_SSL_EXT_SERV_CERT_TYPE | \ MBEDTLS_SSL_EXT_MASK( SERV_CERT_TYPE ) | \
MBEDTLS_SSL_EXT_EARLY_DATA ) MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) )
/* RFC 8446 section 4.2. Allowed extensions for CertificateRequest */ /* RFC 8446 section 4.2. Allowed extensions for CertificateRequest */
#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR \ #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR \
( MBEDTLS_SSL_EXT_STATUS_REQUEST | \ ( MBEDTLS_SSL_EXT_MASK( STATUS_REQUEST ) | \
MBEDTLS_SSL_EXT_SIG_ALG | \ MBEDTLS_SSL_EXT_MASK( SIG_ALG ) | \
MBEDTLS_SSL_EXT_SCT | \ MBEDTLS_SSL_EXT_MASK( SCT ) | \
MBEDTLS_SSL_EXT_CERT_AUTH | \ MBEDTLS_SSL_EXT_MASK( CERT_AUTH ) | \
MBEDTLS_SSL_EXT_OID_FILTERS | \ MBEDTLS_SSL_EXT_MASK( OID_FILTERS ) | \
MBEDTLS_SSL_EXT_SIG_ALG_CERT | \ MBEDTLS_SSL_EXT_MASK( SIG_ALG_CERT ) | \
MBEDTLS_SSL_EXT_UNRECOGNIZED ) MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED )
/* RFC 8446 section 4.2. Allowed extensions for Certificate */ /* RFC 8446 section 4.2. Allowed extensions for Certificate */
#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT \ #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT \
( MBEDTLS_SSL_EXT_STATUS_REQUEST | \ ( MBEDTLS_SSL_EXT_MASK( STATUS_REQUEST ) | \
MBEDTLS_SSL_EXT_SCT ) MBEDTLS_SSL_EXT_MASK( SCT ) )
/* RFC 8446 section 4.2. Allowed extensions for ServerHello */ /* RFC 8446 section 4.2. Allowed extensions for ServerHello */
#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH \ #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH \
( MBEDTLS_SSL_EXT_KEY_SHARE | \ ( MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) | \
MBEDTLS_SSL_EXT_PRE_SHARED_KEY | \ MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | \
MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) MBEDTLS_SSL_EXT_MASK( SUPPORTED_VERSIONS ) )
/* RFC 8446 section 4.2. Allowed extensions for HelloRetryRequest */ /* RFC 8446 section 4.2. Allowed extensions for HelloRetryRequest */
#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR \ #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR \
( MBEDTLS_SSL_EXT_KEY_SHARE | \ ( MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) | \
MBEDTLS_SSL_EXT_COOKIE | \ MBEDTLS_SSL_EXT_MASK( COOKIE ) | \
MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ) MBEDTLS_SSL_EXT_MASK( SUPPORTED_VERSIONS ) )
/* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */ /* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */
#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST \ #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST \
( MBEDTLS_SSL_EXT_EARLY_DATA | \ ( MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) | \
MBEDTLS_SSL_EXT_UNRECOGNIZED ) MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED )
/* /*
* Helper macros for function call with return check. * Helper macros for function call with return check.

25
library/ssl_tls13_generic.c
View File

@ -1685,28 +1685,22 @@ void mbedtls_ssl_tls13_print_extensions( const mbedtls_ssl_context *ssl,
* with an "illegal_parameter" alert. * with an "illegal_parameter" alert.
* *
*/ */
int mbedtls_ssl_tls13_check_received_extension( int mbedtls_ssl_tls13_check_received_extension(
mbedtls_ssl_context *ssl, mbedtls_ssl_context *ssl,
int hs_msg_type, int hs_msg_type,
unsigned int received_extension_type, unsigned int received_extension_type,
uint32_t hs_msg_allowed_extensions_mask ) uint32_t hs_msg_allowed_extensions_mask )
{ {
#if defined(MBEDTLS_DEBUG_C) uint32_t extension_mask = mbedtls_ssl_get_extension_mask(
const char *hs_msg_name = ssl_tls13_get_hs_msg_name( hs_msg_type ); received_extension_type );
#endif
uint32_t extension_mask = mbedtls_tls13_get_extension_mask( received_extension_type );
MBEDTLS_SSL_DEBUG_MSG( 3, MBEDTLS_SSL_PRINT_EXT_TYPE(
( "%s : received %s(%x) extension", 3, hs_msg_type, received_extension_type, "received" );
hs_msg_name,
mbedtls_tls13_get_extension_name( received_extension_type ),
(unsigned int)received_extension_type ) );
if( ( extension_mask & hs_msg_allowed_extensions_mask ) == 0 ) if( ( extension_mask & hs_msg_allowed_extensions_mask ) == 0 )
{ {
MBEDTLS_SSL_DEBUG_MSG( MBEDTLS_SSL_PRINT_EXT_TYPE(
3, ( "%s : forbidden extension received.", hs_msg_name ) ); 3, hs_msg_type, received_extension_type, "is illegal" );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
@ -1721,7 +1715,7 @@ int mbedtls_ssl_tls13_check_received_extension(
switch( hs_msg_type ) switch( hs_msg_type )
{ {
case MBEDTLS_SSL_HS_SERVER_HELLO: case MBEDTLS_SSL_HS_SERVER_HELLO:
case -MBEDTLS_SSL_HS_SERVER_HELLO: // HRR does not have IANA value. case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST:
case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS: case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
case MBEDTLS_SSL_HS_CERTIFICATE: case MBEDTLS_SSL_HS_CERTIFICATE:
/* Check if the received extension is sent by peer message.*/ /* Check if the received extension is sent by peer message.*/
@ -1732,8 +1726,8 @@ int mbedtls_ssl_tls13_check_received_extension(
return( 0 ); return( 0 );
} }
MBEDTLS_SSL_DEBUG_MSG( MBEDTLS_SSL_PRINT_EXT_TYPE(
3, ( "%s : unexpected extension received.", hs_msg_name ) ); 3, hs_msg_type, received_extension_type, "is unsupported" );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT, MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION ); MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
@ -1741,3 +1735,4 @@ int mbedtls_ssl_tls13_check_received_extension(
} }
#endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */