
Merge pull request #5369 from xkqian/add_2nd_client_hello

Add 2nd client hello
This commit is contained in:
Ronald Cron
2022-03-28 12:18:41 +02:00
committed by GitHub
6 changed files with 803 additions and 32 deletions


@ -608,7 +608,7 @@ static int ssl_generate_random( mbedtls_ssl_context *ssl )
*/
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
ssl->handshake->verify_cookie != NULL )
ssl->handshake->cookie != NULL )
{
return( 0 );
}
@ -846,7 +846,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
{
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 );
if( ssl->handshake->verify_cookie == NULL )
if( ssl->handshake->cookie == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
*p++ = 0;
@ -854,15 +854,15 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
else
{
MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
ssl->handshake->verify_cookie,
ssl->handshake->verify_cookie_len );
ssl->handshake->cookie,
ssl->handshake->verify_cookie_len );
*p++ = ssl->handshake->verify_cookie_len;
MBEDTLS_SSL_CHK_BUF_PTR( p, end,
ssl->handshake->verify_cookie_len );
memcpy( p, ssl->handshake->verify_cookie,
ssl->handshake->verify_cookie_len );
memcpy( p, ssl->handshake->cookie,
ssl->handshake->verify_cookie_len );
p += ssl->handshake->verify_cookie_len;
}
}
@ -1645,16 +1645,16 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
}
MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
mbedtls_free( ssl->handshake->verify_cookie );
mbedtls_free( ssl->handshake->cookie );
ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
if( ssl->handshake->verify_cookie == NULL )
ssl->handshake->cookie = mbedtls_calloc( 1, cookie_len );
if( ssl->handshake->cookie == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
}
memcpy( ssl->handshake->verify_cookie, p, cookie_len );
memcpy( ssl->handshake->cookie, p, cookie_len );
ssl->handshake->verify_cookie_len = cookie_len;
/* Start over at ClientHello */
@ -1736,8 +1736,8 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
else
{
/* We made it through the verification process */
mbedtls_free( ssl->handshake->verify_cookie );
ssl->handshake->verify_cookie = NULL;
mbedtls_free( ssl->handshake->cookie );
ssl->handshake->cookie = NULL;
ssl->handshake->verify_cookie_len = 0;
}
}


@ -704,14 +704,20 @@ struct mbedtls_ssl_handshake_params
} buffering;
#if defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
unsigned char *verify_cookie; /*!< Cli: HelloVerifyRequest cookie
* for dtls / tls 1.3
* Srv: unused */
unsigned char verify_cookie_len; /*!< Cli: cookie length for
* dtls / tls 1.3
#if defined(MBEDTLS_SSL_CLI_C) && \
( defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3) )
unsigned char *cookie; /*!< HelloVerifyRequest cookie for DTLS
* HelloRetryRequest cookie for TLS 1.3 */
#endif /* MBEDTLS_SSL_CLI_C &&
( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
unsigned char verify_cookie_len; /*!< Cli: HelloVerifyRequest cookie
* length
* Srv: flag for sending a cookie */
#endif /* MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 */
#endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
uint16_t hrr_cookie_len; /*!< HelloRetryRequest cookie length */
#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
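Review bot: The new doc comment on `cookie` does not say which length field goes with it, although the length now lives in two separately guarded fields: `verify_cookie_len` for DTLS and `hrr_cookie_len` for TLS 1.3. A maintainer touching one path can pair `cookie` with the wrong length, and the comment also omits that the buffer is heap-owned and released only in `mbedtls_ssl_handshake_free` (the free is visible elsewhere in this commit). I would extend it to `/*!< HelloVerifyRequest cookie for DTLS (length in verify_cookie_len), HelloRetryRequest cookie for TLS 1.3 (length in hrr_cookie_len); heap-allocated, freed in mbedtls_ssl_handshake_free() */`.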


@ -3100,9 +3100,11 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
mbedtls_pk_free( &handshake->peer_pubkey );
#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
#if defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_free( handshake->verify_cookie );
#endif /* MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_SSL_CLI_C) && \
( defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3) )
mbedtls_free( handshake->cookie );
#endif /* MBEDTLS_SSL_CLI_C &&
( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_ssl_flight_free( handshake->flight );


@ -659,7 +659,7 @@ static int ssl_tls13_parse_cookie_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end )
{
size_t cookie_len;
uint16_t cookie_len;
const unsigned char *p = buf;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
@ -671,19 +671,55 @@ static int ssl_tls13_parse_cookie_ext( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cookie_len );
MBEDTLS_SSL_DEBUG_BUF( 3, "cookie extension", p, cookie_len );
mbedtls_free( handshake->verify_cookie );
handshake->verify_cookie_len = 0;
handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
if( handshake->verify_cookie == NULL )
mbedtls_free( handshake->cookie );
handshake->hrr_cookie_len = 0;
handshake->cookie = mbedtls_calloc( 1, cookie_len );
if( handshake->cookie == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
( "alloc failed ( %" MBEDTLS_PRINTF_SIZET " bytes )",
( "alloc failed ( %ud bytes )",
cookie_len ) );
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
}
memcpy( handshake->verify_cookie, p, cookie_len );
handshake->verify_cookie_len = (unsigned char) cookie_len;
memcpy( handshake->cookie, p, cookie_len );
handshake->hrr_cookie_len = cookie_len;
return( 0 );
}
static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
size_t *out_len )
{
unsigned char *p = buf;
*out_len = 0;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
if( handshake->cookie == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "no cookie to send; skip extension" ) );
return( 0 );
}
MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
handshake->cookie,
handshake->hrr_cookie_len );
MBEDTLS_SSL_CHK_BUF_PTR( p, end, handshake->hrr_cookie_len + 6 );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding cookie extension" ) );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_COOKIE, p, 0 );
MBEDTLS_PUT_UINT16_BE( handshake->hrr_cookie_len + 2, p, 2 );
MBEDTLS_PUT_UINT16_BE( handshake->hrr_cookie_len, p, 4 );
p += 6;
/* Cookie */
memcpy( p, handshake->cookie, handshake->hrr_cookie_len );
*out_len = handshake->hrr_cookie_len + 6;
return( 0 );
}
@ -873,6 +909,14 @@ static int ssl_tls13_write_client_hello_body( mbedtls_ssl_context *ssl,
p += output_len;
#endif /* MBEDTLS_SSL_ALPN */
/* Echo the cookie if the server provided one in its preceding
* HelloRetryRequest message.
*/
ret = ssl_tls13_write_cookie_ext( ssl, p, end, &output_len );
if( ret != 0 )
return( ret );
p += output_len;
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/*