From 34da3727d6feef7322bd15e238bcef6317cf5edc Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sun, 19 Sep 2021 18:05:08 +0800 Subject: [PATCH 1/8] Add check read ptr macro Signed-off-by: Jerry Yu --- library/ssl_misc.h | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 3f3f505031..4cbefdbfd4 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -409,6 +409,29 @@ static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur, } \ } while( 0 ) +/** + * \brief This macro checks if the remaining size in a input buffer is + * greater or equal than a needed space. If it is not the case, + * it returns an SSL_DECODE_ERROR error and sends DECODE_ERROR + * alert message. + * + * \param cur Pointer to the current position in the buffer. + * \param end Pointer to one past the end of the buffer. + * \param need Needed space in bytes. + * + */ +#define MBEDTLS_SSL_CHK_BUF_READ_PTR( cur, end, need ) \ + do { \ + if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 ) \ + { \ + MBEDTLS_SSL_DEBUG_MSG( 1, \ + ( "missing input data in %s", __func__ ) ); \ + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \ + MBEDTLS_ERR_SSL_DECODE_ERROR ); \ + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); \ + } \ + } while( 0 ) + #ifdef __cplusplus extern "C" { #endif From 1b7c4a464c385421f2a2f33ec3d22de7c6530007 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 9 Sep 2021 17:09:12 +0800 Subject: [PATCH 2/8] tls13: add key exchange modes in handshake params Signed-off-by: Jerry Yu --- library/ssl_misc.h | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 4cbefdbfd4..9f9192fc07 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -509,6 +509,9 @@ struct mbedtls_ssl_handshake_params /* * Handshake specific crypto variables */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + int tls1_3_kex_modes; /*!< key exchange modes for TLS 1.3 */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) @@ -1438,6 +1441,43 @@ static inline int mbedtls_ssl_conf_tls13_some_psk_enabled( mbedtls_ssl_context * MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL ) ); } +static inline unsigned mbedtls_ssl_tls1_3_check_kex_modes( mbedtls_ssl_context *ssl, + int kex_mode_mask ) +{ + return( ( ssl->handshake->tls1_3_kex_modes & kex_mode_mask ) != 0 ); +} + +static inline int mbedtls_ssl_tls1_3_psk_enabled( mbedtls_ssl_context *ssl ) +{ + return( mbedtls_ssl_tls1_3_check_kex_modes( ssl, + MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK ) ); +} + +static inline int mbedtls_ssl_tls1_3_psk_ephemeral_enabled( + mbedtls_ssl_context *ssl ) +{ + return( mbedtls_ssl_tls1_3_check_kex_modes( ssl, + MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) ); +} + +static inline int mbedtls_ssl_tls1_3_ephemeral_enabled( mbedtls_ssl_context *ssl ) +{ + return( mbedtls_ssl_tls1_3_check_kex_modes( ssl, + MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL ) ); +} + +static inline int mbedtls_ssl_tls1_3_some_ephemeral_enabled( mbedtls_ssl_context *ssl ) +{ + return( mbedtls_ssl_tls1_3_check_kex_modes( ssl, + MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) ); +} + +static inline int mbedtls_ssl_tls1_3_some_psk_enabled( mbedtls_ssl_context *ssl ) +{ + return( mbedtls_ssl_tls1_3_check_kex_modes( ssl, + MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL ) ); +} + #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ /** From e15e665cfb9de25232ef69cb6893fbd010c63d21 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 28 Sep 2021 21:06:07 +0800 Subject: [PATCH 3/8] fix comments and check return issues Signed-off-by: Jerry Yu --- library/ssl_misc.h | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 9f9192fc07..8074a3aeeb 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -410,14 +410,14 @@ static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur, } while( 0 ) /** - * \brief This macro checks if the remaining size in a input buffer is - * greater or equal than a needed space. If it is not the case, - * it returns an SSL_DECODE_ERROR error and sends DECODE_ERROR - * alert message. + * \brief This macro checks if the remaining length in an input buffer is + * greater or equal than a needed length. If it is not the case, it + * returns an SSL_DECODE_ERROR error and pends DECODE_ERROR alert + * message. * * \param cur Pointer to the current position in the buffer. * \param end Pointer to one past the end of the buffer. - * \param need Needed space in bytes. + * \param need Needed length in bytes. * */ #define MBEDTLS_SSL_CHK_BUF_READ_PTR( cur, end, need ) \ @@ -1442,9 +1442,9 @@ static inline int mbedtls_ssl_conf_tls13_some_psk_enabled( mbedtls_ssl_context * } static inline unsigned mbedtls_ssl_tls1_3_check_kex_modes( mbedtls_ssl_context *ssl, - int kex_mode_mask ) + int kex_modes_mask ) { - return( ( ssl->handshake->tls1_3_kex_modes & kex_mode_mask ) != 0 ); + return( ( ssl->handshake->tls1_3_kex_modes & kex_modes_mask ) == 0 ); } static inline int mbedtls_ssl_tls1_3_psk_enabled( mbedtls_ssl_context *ssl ) From adf861aad4c12c7328282ac2a14da6e716b7b674 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 29 Sep 2021 21:22:08 +0800 Subject: [PATCH 4/8] Address kex_modes check function Signed-off-by: Jerry Yu --- library/ssl_misc.h | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 8074a3aeeb..d269e6f858 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1441,6 +1441,16 @@ static inline int mbedtls_ssl_conf_tls13_some_psk_enabled( mbedtls_ssl_context * MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL ) ); } +/** + * Given a list of key exchange modes, check if at least one of them is + * supported. + * + * \param[in] ssl SSL context + * \param key_modes_mask Mask of the key exchange modes to check + * + * \return 0 if at least one of the key exchange modes is supported, + * <>0 otherwise. + */ static inline unsigned mbedtls_ssl_tls1_3_check_kex_modes( mbedtls_ssl_context *ssl, int kex_modes_mask ) { @@ -1449,32 +1459,32 @@ static inline unsigned mbedtls_ssl_tls1_3_check_kex_modes( mbedtls_ssl_context * static inline int mbedtls_ssl_tls1_3_psk_enabled( mbedtls_ssl_context *ssl ) { - return( mbedtls_ssl_tls1_3_check_kex_modes( ssl, + return( ! mbedtls_ssl_tls1_3_check_kex_modes( ssl, MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK ) ); } static inline int mbedtls_ssl_tls1_3_psk_ephemeral_enabled( mbedtls_ssl_context *ssl ) { - return( mbedtls_ssl_tls1_3_check_kex_modes( ssl, + return( ! mbedtls_ssl_tls1_3_check_kex_modes( ssl, MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) ); } static inline int mbedtls_ssl_tls1_3_ephemeral_enabled( mbedtls_ssl_context *ssl ) { - return( mbedtls_ssl_tls1_3_check_kex_modes( ssl, + return( ! mbedtls_ssl_tls1_3_check_kex_modes( ssl, MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL ) ); } static inline int mbedtls_ssl_tls1_3_some_ephemeral_enabled( mbedtls_ssl_context *ssl ) { - return( mbedtls_ssl_tls1_3_check_kex_modes( ssl, + return( ! mbedtls_ssl_tls1_3_check_kex_modes( ssl, MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) ); } static inline int mbedtls_ssl_tls1_3_some_psk_enabled( mbedtls_ssl_context *ssl ) { - return( mbedtls_ssl_tls1_3_check_kex_modes( ssl, + return( ! mbedtls_ssl_tls1_3_check_kex_modes( ssl, MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL ) ); } From 0cabad375b67892005cc22947accb0ffbcbf3f7f Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 30 Sep 2021 09:52:35 +0800 Subject: [PATCH 5/8] fix doxygen parameter wrong Signed-off-by: Jerry Yu --- library/ssl_misc.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index d269e6f858..85c7779705 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1446,7 +1446,7 @@ static inline int mbedtls_ssl_conf_tls13_some_psk_enabled( mbedtls_ssl_context * * supported. * * \param[in] ssl SSL context - * \param key_modes_mask Mask of the key exchange modes to check + * \param kex_modes_mask Mask of the key exchange modes to check * * \return 0 if at least one of the key exchange modes is supported, * <>0 otherwise. From dca3d5ddf9d5164308cf88415b72854ec6cd150d Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 8 Oct 2021 14:19:29 +0800 Subject: [PATCH 6/8] fix document issues Signed-off-by: Jerry Yu --- library/ssl_misc.h | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 85c7779705..cdd5609675 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -412,8 +412,9 @@ static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur, /** * \brief This macro checks if the remaining length in an input buffer is * greater or equal than a needed length. If it is not the case, it - * returns an SSL_DECODE_ERROR error and pends DECODE_ERROR alert - * message. + * returns #MBEDTLS_SSL_DECODE_ERROR error and pends a + * #MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR alert message. + * It is used to guaranteed remaining length. * * \param cur Pointer to the current position in the buffer. * \param end Pointer to one past the end of the buffer. @@ -1449,7 +1450,7 @@ static inline int mbedtls_ssl_conf_tls13_some_psk_enabled( mbedtls_ssl_context * * \param kex_modes_mask Mask of the key exchange modes to check * * \return 0 if at least one of the key exchange modes is supported, - * <>0 otherwise. + * !=0 otherwise. */ static inline unsigned mbedtls_ssl_tls1_3_check_kex_modes( mbedtls_ssl_context *ssl, int kex_modes_mask ) From 205fd82f7ec395ba7da1a24f0573f18840fab431 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 8 Oct 2021 16:16:24 +0800 Subject: [PATCH 7/8] fix check_name fail Signed-off-by: Jerry Yu --- library/ssl_misc.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index cdd5609675..4205a477c1 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -412,7 +412,7 @@ static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur, /** * \brief This macro checks if the remaining length in an input buffer is * greater or equal than a needed length. If it is not the case, it - * returns #MBEDTLS_SSL_DECODE_ERROR error and pends a + * returns #MBEDTLS_ERR_SSL_DECODE_ERROR error and pends a * #MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR alert message. * It is used to guaranteed remaining length. * From e4eefc716a16fd7a879189b5322b9275b5b80b9e Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sat, 9 Oct 2021 10:40:40 +0800 Subject: [PATCH 8/8] Improve document for chk_buf_read_ptr Signed-off-by: Jerry Yu --- library/ssl_misc.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 4205a477c1..6b33cb5dbc 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -414,7 +414,9 @@ static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur, * greater or equal than a needed length. If it is not the case, it * returns #MBEDTLS_ERR_SSL_DECODE_ERROR error and pends a * #MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR alert message. - * It is used to guaranteed remaining length. + * + * This is a function-like macro. It is guaranteed to evaluate each + * argument exactly once. * * \param cur Pointer to the current position in the buffer. * \param end Pointer to one past the end of the buffer.