c55eeb682d
tls13: check if the session ticket is compatible with key exchange modes
...
The server check if the ticket_flags is compatible with the advertised
key exchange modes in Pre-Shared Key Exchange Modes extension. The
incompatible ticket should be mark as not matched.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com >
2023-01-13 11:05:53 +08:00
9f92695c8d
tls13: set key exchange mode in ticket_flags on client/server
...
Set the ticket_flags when:
- server: preparing NST (new session ticket) message
- client: postprocessing NST message
Clear the ticket_flags when:
- server: preparing NST message
- client: parsing NST message
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com >
2023-01-13 11:05:53 +08:00
449bd8303e
Switch to the new code style
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com >
2023-01-11 14:50:10 +01:00
141bbe7bee
tls13: Adjust include files
...
- remove duplicate and unused included
- Adjust the order to system, mbedtls global, local.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-12-09 09:51:20 +08:00
1797b05602
Fix typos prior to release
...
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com >
2022-12-04 17:19:59 +00:00
a8d3c5048f
Rename new session ticket name for TLS 1.3
...
NewSessionTicket is different with TLS 1.2.
It should not share same state.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-11-19 20:12:35 +08:00
97be6a913e
fix various issues
...
- typo error
- replace `ssl->hanshake` with handshake
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-11-09 22:43:31 +08:00
7de2ff0310
Refactor extension list print
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-11-08 23:51:39 +08:00
79aa721ade
Rename ext print function and macro
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-11-08 23:51:39 +08:00
b95dd3683b
Add missing mask set and tls13 unrecognized extension
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-11-08 23:51:38 +08:00
c437ee3bac
fix wrong return value
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-11-08 21:04:15 +08:00
e5991328ff
fix tls13 psk only test fail
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-11-08 16:16:29 +08:00
50e00e3ac6
Refactor server hello
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-11-06 11:54:22 +08:00
edab637b51
Refactor new session ticket
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-11-06 11:54:22 +08:00
63a459cde5
Refactor client_hello parser and writer
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-11-06 11:54:21 +08:00
4b8f2f7266
Refactor sent extension message output
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-11-06 11:54:21 +08:00
c4bf5d658e
fix various issues
...
- Signature of
- mbedtls_tls13_set_hs_sent_ext_mask
- check_received_extension and issues
- Also fix comment issue.
- improve readablity.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-10-31 16:41:42 +08:00
0c354a211b
introduce sent/recv extensions field
...
And remove `extensions_present`
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-10-31 16:41:42 +08:00
e18dc7eb9a
Add forbidden extensions check for ClientHello
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-10-31 16:41:42 +08:00
471dee5a12
Add debug helpers to track extensions
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-10-31 16:41:42 +08:00
04e2133f45
Merge pull request #6482 from ronald-cron-arm/tls13-misc
...
TLS 1.3: Update documentation for the coming release and misc
2022-10-28 11:09:03 +02:00
eac00ad2a6
tls13: server: Note down client not being authenticated in SSL context
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2022-10-25 20:02:03 +02:00
744fd37d23
Merge pull request #6467 from davidhorstmann-arm/fix-unusual-macros-0
...
Fix unusual macros
2022-10-25 19:55:29 +02:00
766c0cdb1f
tls13: Add missing kex guards
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2022-10-22 14:42:04 +02:00
41a443a68d
tls13: Use MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK.*ENABLED
...
Use MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED
instead of MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED to guard
code specific to one of the TLS 1.3 key exchange mode with
PSK.
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2022-10-22 14:42:04 +02:00
928cbd34e7
tls13: Use MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
...
Use MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
instead of MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED to guard
code specific to the TLS 1.3 ephemeral key exchange mode.
Use it also for the dependencies of TLS 1.3 only tests
relying on ephemeral key exchange mode, but for
tests in tls13-kex-modes.sh where the change is done
later using all
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_.*ENABLED macros.
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2022-10-22 14:42:04 +02:00
49e4184812
Merge pull request #6299 from xkqian/tls13_add_servername_check
...
Add server name check when proposing pre-share key
2022-10-13 16:00:59 +02:00
0fe6631486
Merge pull request #6291 from gilles-peskine-arm/platform.h-unconditional-3.2
...
Include platform.h unconditionally
2022-10-13 10:19:22 +02:00
28af501cae
Fix the ticket_lifetime equal to 0 issue
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com >
2022-10-13 08:18:19 +00:00
be98f96de2
Remove useless hostname check in server side
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com >
2022-10-12 11:03:44 +00:00
281fd1bdd8
Add server name check when proposeing pre-share key
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com >
2022-10-12 11:03:41 +00:00
c2bfaf00d9
fix wrong typo
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-10-11 18:07:19 +08:00
03aa174d7c
Improve test message and title
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-10-10 21:48:37 +08:00
a99cbfa2d3
fix various issues
...
- rename function and variable
- change signature of `ssl_tls13_has_configured_psk`
- remove unnecessary statements
- remove unnecessary local variables
- wrong variable initial value
- improve output message
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-10-08 14:35:47 +08:00
21b89761f8
Refactor macro-spanning if in ssl_tls13_server.c
...
Signed-off-by: David Horstmann <david.horstmann@arm.com >
2022-10-07 14:08:42 +01:00
25ab654781
Add dummy ticket support
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-10-07 10:11:05 +08:00
e3358e14b2
Merge pull request #6051 from mprse/permissions_2b_v2
...
Permissions 2b: TLS 1.3 sigalg selection
2022-09-28 09:50:04 +02:00
b72dac4ed7
Fix PSA identifier of RSA_PKCS1V15 signing algorithms
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2022-09-27 09:25:47 +02:00
2c282c9bd0
Merge pull request #6180 from yuhaoth/pr/add-tls13-multiple-session-tickets
...
TLS 1.3: NewSessionTicket: Add support for sending multiple tickets per session.
2022-09-23 15:48:33 +01:00
359e65f784
limit session ticket number when resumption
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-09-22 23:47:43 +08:00
07ba2be20b
Merge pull request #6304 from yuhaoth/pr/exclude-pre_shared_key-from-hrr-msg
...
TLS 1.3: PSK: Exclude pre_shared_key for HRR
2022-09-22 10:21:06 +02:00
b7e3fa7fbd
move count decrement after success sent
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-09-22 13:21:29 +08:00
d0766eca58
fix various issues
...
- Improve comments
- Align count variable name to `new_session_tickets_count`
- move tickets_count init to handshake init
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-09-22 13:21:29 +08:00
67ea2543ed
tls13: server: Add sig alg checks when selecting best certificate
...
When selecting the server certificate based on
the signature algorithms supported by the client,
check the signature algorithms as close as possible
to the way they are checked to compute the
signature for the server to prove it possesses
the private key associated to the certificate.
That way we minimize the odds of selecting a
certificate for which the server will not be
able to compute the signature to prove it
possesses the private key associated to the
certificate.
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2022-09-20 14:26:32 +02:00
d4e7500a07
Enable multi session tickets on Server
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-09-19 14:24:03 +08:00
be0224aef3
Merge pull request #6167 from yuhaoth/pr/finalize-tls13-session-tickets
2022-09-18 21:18:13 +02:00
ad4d2bb3e1
Exclude pre_shared_key for HRR
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-09-16 18:16:49 +08:00
945b23c46f
Include platform.h unconditionally: automatic part
...
We used to include platform.h only when MBEDTLS_PLATFORM_C was enabled, and
to define ad hoc replacements for mbedtls_xxx functions on a case-by-case
basis when MBEDTLS_PLATFORM_C was disabled. The only reason for this
complication was to allow building individual source modules without copying
platform.h. This is not something we support or recommend anymore, so get
rid of the complication: include platform.h unconditionally.
There should be no change in behavior since just including the header should
not change the behavior of a program.
This commit replaces most occurrences of conditional inclusion of
platform.h, using the following code:
```
perl -i -0777 -pe 's!#if.*\n#include "mbedtls/platform.h"\n(#else.*\n(#define (mbedtls|MBEDTLS)_.*\n|#include <(stdarg|stddef|stdio|stdlib|string|time)\.h>\n)*)?#endif.*!#include "mbedtls/platform.h"!mg' $(git grep -l '#include "mbedtls/platform.h"')
```
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com >
2022-09-15 20:33:07 +02:00
0a55cc647c
Remove unnecessary var and improve comment
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-09-15 16:15:06 +08:00
f7dad3cfbe
fix various issues
...
- Naming
- format
- Reduce negative tolerance window
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-09-14 22:31:39 +08:00
