* development-restricted:
Add missing credit for set_hostname issue
Add changelog entry for TLS 1.2 Finished fix
TLS1.2: Check for failures in Finished calculation
ssl_session_reset: preserve HOSTNAME_SET flag
Document the need to call mbedtls_ssl_set_hostname
Improve documentation of mbedtls_ssl_set_hostname
Changelog entries for requiring mbedls_ssl_set_hostname() in TLS clients
Add a note about calling mbedtls_ssl_set_hostname to mbedtls_ssl_setup
mbedtls_ssl_set_hostname tests: add tests with CA callback
Call mbedtls_ssl_set_hostname in the generic endpoint setup in unit tests
Require calling mbedtls_ssl_set_hostname() for security
Create error code for mbedtls_ssl_set_hostname not called
Keep track of whether mbedtls_ssl_set_hostname() has been called
Access ssl->hostname through abstractions in certificate verification
mbedtls_ssl_set_hostname tests: baseline
Add a flags field to mbedtls_ssl_context
Automate MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK dependency
Make guards more consistent between X.509-has-certs and SSL-has-certs
Fix Doxygen markup
Make ticket_alpn field private
Conflicts:
programs/ssl/ssl_test_common_source.c
Previously, the length of the label was limited to the maximal length
that would be used in the TLS 1.3 key schedule. With the keying material
exporter, labels of up to 249 bytes may be used.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
HKDF-Expand can produce at most 255 * hash_size bytes of key material,
so this limit applies to the TLS 1.3 key material exporter.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Add the option MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to mbedtls_config.h
to control if the function mbedtls_ssl_export_keying_material() should
be available. By default, the option is disabled.
This is because the exporter for TLS 1.2 requires client_random and
server_random need to be stored after the handshake is complete.
Signed-off-by: Max Fillinger <max@max-fillinger.net>
The TLS-Exporter in TLS 1.2 requires client_random and server_random.
Unless MBEDTLS_SSL_CONTEXT_SERIALIZATION is defined, these aren't stored
after the handshake is completed.
Therefore, mbedtls_ssl_export_keying_material() exists only if either
MBEDTLS_SSL_CONTEXT_SERIALIZATION is defined or MBEDTLS_SSL_PROTO_TLS1_2
is *not* defined.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
This way, it's not required that the label is null-terminated. This
allows us to avoid an allocation in
mbedtls_ssl_tls12_export_keying_material().
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Previously, if MBEDTLS_SSL_CONTEXT_SERIALIZATION is not defined,
randbytes are not stored after the handshake is done, but they are
needed for TLS-Exporter in TLS 1.2.
This commit also saves randbytes if MBEDTLS_SSL_PROTO_TLS1_2 is defined.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
The length of the generated key must fit into a uint16_t, so it must not
be larger than 0xffff.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
RFC 8446 made it look like we can't use Derive-Secret for the second
step, but actually, Transcript-Hash and Hash are the same thing, so we
can.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
The TLS-Exporter is a function to derive shared symmetric keys for the
server and client from the secrets generated during the handshake.
It is defined in RFC 8446, Section 7.5 for TLS 1.3 and in RFC 5705 for
TLS 1.2.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
