mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-07-29 11:41:15 +03:00
Merge pull request #8755 from ronald-cron-arm/tls13-client-early-data-status
TLS 1.3: Refine and test client early data status
This commit is contained in:
@ -731,14 +731,23 @@ struct mbedtls_ssl_handshake_params {
|
||||
uint8_t key_exchange_mode; /*!< Selected key exchange mode */
|
||||
|
||||
/** Number of HelloRetryRequest messages received/sent from/to the server. */
|
||||
int hello_retry_request_count;
|
||||
uint8_t hello_retry_request_count;
|
||||
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
|
||||
/**
|
||||
* Number of dummy change_cipher_spec (CCS) record sent. Used to send only
|
||||
* one CCS per handshake without having to complicate the handshake state
|
||||
* transitions.
|
||||
*/
|
||||
uint8_t ccs_count;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_SRV_C)
|
||||
/** selected_group of key_share extension in HelloRetryRequest message. */
|
||||
uint16_t hrr_selected_group;
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */
|
||||
#endif
|
||||
/** selected_group of key_share extension in HelloRetryRequest message. */
|
||||
uint16_t hrr_selected_group;
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
uint16_t new_session_tickets_count; /*!< number of session tickets */
|
||||
#endif
|
||||
@ -2136,6 +2145,38 @@ int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl,
|
||||
unsigned char *buf,
|
||||
const unsigned char *end,
|
||||
size_t *out_len);
|
||||
|
||||
#if defined(MBEDTLS_SSL_CLI_C)
|
||||
/*
|
||||
* The client has not sent the first ClientHello yet, it is unknown if the
|
||||
* client will send an early data indication extension or not.
|
||||
*/
|
||||
#define MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN 0
|
||||
|
||||
/*
|
||||
* The client has sent an early data indication extension in its first
|
||||
* ClientHello, it has not received the response (ServerHello or
|
||||
* HelloRetryRequest) from the server yet. The transform to protect early data
|
||||
* is not set and early data cannot be sent yet.
|
||||
*/
|
||||
#define MBEDTLS_SSL_EARLY_DATA_STATUS_SENT 4
|
||||
|
||||
/*
|
||||
* The client has sent an early data indication extension in its first
|
||||
* ClientHello, it has not received the response (ServerHello or
|
||||
* HelloRetryRequest) from the server yet. The transform to protect early data
|
||||
* has been set and early data can be written now.
|
||||
*/
|
||||
#define MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE 5
|
||||
|
||||
/*
|
||||
* The client has sent an early data indication extension in its first
|
||||
* ClientHello, the server has accepted them and the client has received the
|
||||
* server Finished message. It cannot send early data to the server anymore.
|
||||
*/
|
||||
#define MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED 6
|
||||
#endif /* MBEDTLS_SSL_CLI_C */
|
||||
|
||||
#endif /* MBEDTLS_SSL_EARLY_DATA */
|
||||
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
|
@ -1100,7 +1100,7 @@ static int ssl_handshake_init(mbedtls_ssl_context *ssl)
|
||||
|
||||
#if defined(MBEDTLS_SSL_EARLY_DATA)
|
||||
#if defined(MBEDTLS_SSL_CLI_C)
|
||||
ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT;
|
||||
ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN;
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_SRV_C)
|
||||
ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
|
||||
|
@ -1180,26 +1180,21 @@ int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_EARLY_DATA)
|
||||
if (mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl) &&
|
||||
ssl_tls13_early_data_has_valid_ticket(ssl) &&
|
||||
ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED &&
|
||||
ssl->handshake->hello_retry_request_count == 0) {
|
||||
if (ssl->handshake->hello_retry_request_count == 0) {
|
||||
if (mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl) &&
|
||||
ssl_tls13_early_data_has_valid_ticket(ssl) &&
|
||||
ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) {
|
||||
ret = mbedtls_ssl_tls13_write_early_data_ext(
|
||||
ssl, 0, p, end, &ext_len);
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
}
|
||||
p += ext_len;
|
||||
|
||||
ret = mbedtls_ssl_tls13_write_early_data_ext(
|
||||
ssl, 0, p, end, &ext_len);
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_SENT;
|
||||
} else {
|
||||
ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT;
|
||||
}
|
||||
p += ext_len;
|
||||
|
||||
/* Initializes the status to `rejected`. It will be updated to
|
||||
* `accepted` if the EncryptedExtension message contain an early data
|
||||
* indication extension.
|
||||
*/
|
||||
ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
|
||||
} else {
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write early_data extension"));
|
||||
ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT;
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_EARLY_DATA */
|
||||
|
||||
@ -1236,7 +1231,7 @@ int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl)
|
||||
size_t psk_len;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
||||
|
||||
if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) {
|
||||
if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_SENT) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(
|
||||
1, ("Set hs psk for early data when writing the first psk"));
|
||||
|
||||
@ -1299,6 +1294,7 @@ int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl)
|
||||
1, ("Switch to early data keys for outbound traffic"));
|
||||
mbedtls_ssl_set_outbound_transform(
|
||||
ssl, ssl->handshake->transform_earlydata);
|
||||
ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE;
|
||||
#endif
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_EARLY_DATA */
|
||||
@ -1971,6 +1967,13 @@ static int ssl_tls13_postprocess_hrr(mbedtls_ssl_context *ssl)
|
||||
}
|
||||
|
||||
ssl->session_negotiate->ciphersuite = ssl->handshake->ciphersuite_info->id;
|
||||
|
||||
#if defined(MBEDTLS_SSL_EARLY_DATA)
|
||||
if (ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT) {
|
||||
ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
|
||||
}
|
||||
#endif
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -2230,6 +2233,8 @@ static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)
|
||||
}
|
||||
|
||||
ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED;
|
||||
} else if (ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT) {
|
||||
ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
|
||||
}
|
||||
#endif
|
||||
|
||||
@ -2567,9 +2572,8 @@ static int ssl_tls13_process_server_finished(mbedtls_ssl_context *ssl)
|
||||
|
||||
#if defined(MBEDTLS_SSL_EARLY_DATA)
|
||||
if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) {
|
||||
ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_SERVER_FINISHED_RECEIVED;
|
||||
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA);
|
||||
} else if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) {
|
||||
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
|
||||
} else
|
||||
#endif /* MBEDTLS_SSL_EARLY_DATA */
|
||||
{
|
||||
@ -3059,18 +3063,25 @@ int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl)
|
||||
*/
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
|
||||
case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
|
||||
ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
|
||||
if (ret == 0) {
|
||||
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
|
||||
ret = 0;
|
||||
if (ssl->handshake->ccs_count == 0) {
|
||||
ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
|
||||
if (ret != 0) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
|
||||
break;
|
||||
|
||||
case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
|
||||
ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
|
||||
if (ret == 0) {
|
||||
mbedtls_ssl_handshake_set_state(
|
||||
ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
|
||||
ret = 0;
|
||||
if (ssl->handshake->ccs_count == 0) {
|
||||
ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
|
||||
if (ret != 0) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
|
||||
break;
|
||||
|
||||
#if defined(MBEDTLS_SSL_EARLY_DATA)
|
||||
@ -3083,6 +3094,7 @@ int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl)
|
||||
1, ("Switch to early data keys for outbound traffic"));
|
||||
mbedtls_ssl_set_outbound_transform(
|
||||
ssl, ssl->handshake->transform_earlydata);
|
||||
ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE;
|
||||
}
|
||||
break;
|
||||
#endif /* MBEDTLS_SSL_EARLY_DATA */
|
||||
|
@ -1390,6 +1390,8 @@ int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl)
|
||||
/* Dispatch message */
|
||||
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_write_record(ssl, 0));
|
||||
|
||||
ssl->handshake->ccs_count++;
|
||||
|
||||
cleanup:
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("<= write change cipher spec"));
|
||||
|
@ -3482,10 +3482,14 @@ int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl)
|
||||
break;
|
||||
|
||||
case MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO:
|
||||
ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
|
||||
if (ret == 0) {
|
||||
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
|
||||
ret = 0;
|
||||
if (ssl->handshake->ccs_count == 0) {
|
||||
ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
|
||||
if (ret != 0) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
|
||||
break;
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
|
||||
|
||||
|
Reference in New Issue
Block a user