Ronald Cron
49e4184812
Merge pull request #6299 from xkqian/tls13_add_servername_check
...
Add server name check when proposing pre-share key
2022-10-13 16:00:59 +02:00
Gilles Peskine
0fe6631486
Merge pull request #6291 from gilles-peskine-arm/platform.h-unconditional-3.2
...
Include platform.h unconditionally
2022-10-13 10:19:22 +02:00
Xiaokang Qian
126bf8e4d7
Address some comments
...
Delete reference immediately after shallow copy
Fix format issues
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com >
2022-10-13 02:57:15 +00:00
Xiaokang Qian
997669aeeb
Fix heap use-after-free corruption issue
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com >
2022-10-12 14:30:27 +00:00
Xiaokang Qian
baa4764d77
Fix typo issues
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com >
2022-10-12 11:06:51 +00:00
Xiaokang Qian
8730644da1
Move ticket and hostname set code just after shallow-copy
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com >
2022-10-12 11:06:51 +00:00
Xiaokang Qian
ed3afcd6c3
Fix various typo and macro guards issues
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com >
2022-10-12 11:06:51 +00:00
Xiaokang Qian
ed0620cb13
Refine code base on comments
...
Move code to proper macro guards protection
Fix typo issues
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com >
2022-10-12 11:06:51 +00:00
Xiaokang Qian
03409290d2
Add MBEDTLS_SSL_SESSION_TICKETS guard to server name check
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com >
2022-10-12 11:06:51 +00:00
Xiaokang Qian
a3b451f950
Adress kinds of comments base on review
...
Rename function name to mbedtls_ssl_session_set_hostname
Add two extra check cases for server name
Fix some coding styles
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com >
2022-10-12 11:06:51 +00:00
Xiaokang Qian
2f9efd3038
Address comments base on review
...
Change function name to ssl_session_set_hostname()
Remove hostname_len
Change hostname to c_string
Update test cases to multi session tickets
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com >
2022-10-12 11:06:49 +00:00
Xiaokang Qian
bc663a0461
Refine code based on commnets
...
Change code layout
Change hostname_len type to size_t
Fix various issues
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com >
2022-10-12 11:06:01 +00:00
Xiaokang Qian
adf84a4a8c
Remove public api mbedtls_ssl_reset_hostname()
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com >
2022-10-12 11:05:11 +00:00
Xiaokang Qian
6af2a6da74
Fix session save-load overflow issue
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com >
2022-10-12 11:03:44 +00:00
Xiaokang Qian
ecd7528c7f
Address some comments
...
Hostname_len has at least one byte
Change structure serialized_session_tls13
Fix various issues
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com >
2022-10-12 11:03:44 +00:00
Xiaokang Qian
281fd1bdd8
Add server name check when proposeing pre-share key
...
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com >
2022-10-12 11:03:41 +00:00
Jerry Yu
21092062f3
Restrict cipher suite validation to TLS1.3
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-10-10 21:21:31 +08:00
Jerry Yu
40afab61a8
Add ciphersuite check in set_session
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-10-08 14:35:43 +08:00
Jerry Yu
21f9095fa8
Revert "move ciphersuite validation to set_session"
...
This reverts commit 19ae6f62c7
.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-10-08 14:35:34 +08:00
Jerry Yu
19ae6f62c7
move ciphersuite validation to set_session
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-10-07 10:11:05 +08:00
Jerry Yu
8897c07075
Add server only guards for psk callback
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-10-07 10:11:05 +08:00
David Horstmann
3b2276a439
Refactor macro-spanning ifs in ssl_tls.c
...
Signed-off-by: David Horstmann <david.horstmann@arm.com >
2022-10-06 17:59:57 +01:00
Paul Elliott
2c282c9bd0
Merge pull request #6180 from yuhaoth/pr/add-tls13-multiple-session-tickets
...
TLS 1.3: NewSessionTicket: Add support for sending multiple tickets per session.
2022-09-23 15:48:33 +01:00
Jerry Yu
f3bdf9dd51
fix various issues
...
- improve document about configuration item.
- format issue
- variable type issue.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-09-22 23:47:14 +08:00
Tom Cosgrove
87d9c6c4d8
Ensure client mbedtls_ssl_handshake_step() returns success for HELLO_REQUEST
...
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com >
2022-09-22 09:27:56 +01:00
Jerry Yu
d0766eca58
fix various issues
...
- Improve comments
- Align count variable name to `new_session_tickets_count`
- move tickets_count init to handshake init
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-09-22 13:21:29 +08:00
Tom Cosgrove
2fdc7b3599
Return an error from mbedtls_ssl_handshake_step() if neither client nor server
...
This prevents an infinite loop in mbedtls_ssl_handshake(). Fixes #6305 .
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com >
2022-09-21 12:33:17 +01:00
Jerry Yu
1ad7ace6b7
Add conf new session tickets
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-09-19 14:22:21 +08:00
Manuel Pégourié-Gonnard
07018f97d2
Make legacy_or_psa.h public.
...
As a public header, it should no longer include common.h, just use
build_info.h which is what we actually need anyway.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com >
2022-09-16 12:02:48 +02:00
Gilles Peskine
945b23c46f
Include platform.h unconditionally: automatic part
...
We used to include platform.h only when MBEDTLS_PLATFORM_C was enabled, and
to define ad hoc replacements for mbedtls_xxx functions on a case-by-case
basis when MBEDTLS_PLATFORM_C was disabled. The only reason for this
complication was to allow building individual source modules without copying
platform.h. This is not something we support or recommend anymore, so get
rid of the complication: include platform.h unconditionally.
There should be no change in behavior since just including the header should
not change the behavior of a program.
This commit replaces most occurrences of conditional inclusion of
platform.h, using the following code:
```
perl -i -0777 -pe 's!#if.*\n#include "mbedtls/platform.h"\n(#else.*\n(#define (mbedtls|MBEDTLS)_.*\n|#include <(stdarg|stddef|stdio|stdlib|string|time)\.h>\n)*)?#endif.*!#include "mbedtls/platform.h"!mg' $(git grep -l '#include "mbedtls/platform.h"')
```
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com >
2022-09-15 20:33:07 +02:00
Alexey Tsvetkov
2ca343796d
Add const to move variables to .rodata section
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com >
2022-09-07 17:59:57 +01:00
Ronald Cron
e00d6d6b55
Merge pull request #6135 from yuhaoth/pr/tls13-finalize-external-psk-negotiation
...
TLS 1.3: SRV: Finalize external PSK negotiation
2022-08-31 17:21:57 +02:00
Manuel Pégourié-Gonnard
bf22a2500b
Merge pull request #6208 from AndrzejKurek/tls-tests-no-md-structured
...
Remove the dependency on MD from TLS 1.2 tests
2022-08-30 12:34:37 +02:00
Dave Rodgman
fac3ea5656
Merge pull request #6184 from leorosen/ssl_tls_curve_group_id_null_protect
...
mbedtls_ssl_check_curve prevent potential NULL pointer dereferencing
2022-08-24 15:16:45 +01:00
Tom Cosgrove
bcc13c943f
Add further missing whitespaces inside parentheses
...
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com >
Co-authored-by: Dave Rodgman <dave.rodgman@arm.com >
2022-08-24 15:08:16 +01:00
Tom Cosgrove
20c1137350
Fix coding style
...
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com >
Co-authored-by: Dave Rodgman <dave.rodgman@arm.com >
2022-08-24 15:06:13 +01:00
Andrzej Kurek
cccb044804
Style & formatting fixes
...
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com >
2022-08-23 05:26:02 -04:00
Andrzej Kurek
8c95ac4500
Add missing dependencies / alternatives
...
A number of places lacked the necessary dependencies on one of
the used features: MD, key exchange with certificate,
entropy, or ETM.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com >
2022-08-22 17:46:50 -04:00
Andrzej Kurek
25f271557b
Update SHA and MD5 dependencies in the SSL module
...
The same elements are now also used when MBEDTLS_USE_PSA_CRYPTO
is defined and respective SHA / MD5 defines are missing.
A new set of macros added in #6065 is used to reflect these dependencies.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com >
2022-08-22 17:46:50 -04:00
Andrzej Kurek
a242e83b21
Rename the sha384 checksum context to reflect its purpose
...
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com >
2022-08-22 17:02:04 -04:00
Jerry Yu
9f7f646b11
Revert "remove psk key when ephemeral selected"
...
This reverts commit 5c28e7aa0e
.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-08-21 12:59:17 +08:00
Jerry Yu
24b8c813c4
fix comments and wrong initial value issues
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-08-21 12:55:45 +08:00
Jerry Yu
5d01c05d93
fix various issues
...
- wrong typo in comments
- replace psk null check with key_exchange_mode check
- set psk NULL when error return in export hs psk
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-08-21 12:55:01 +08:00
Jerry Yu
6cf6b47b5c
fix format and comment issues
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-08-21 12:54:53 +08:00
Leonid Rozenboim
19e5973566
mbedtls_ssl_check_curve prevent potential NULL pointer dereferencing
...
Avoid the shorthand practice of the form 'x = func(foo)->bar' which
exposes the code to NULL pointer de-referencing when the 'func()'
returns a NULL pointer.
The first chunk is for when the curve group code is not recognized by
the library, and is cleanly rejected if offered.
The second chunk addresses the unlikely case of an internal error:
if 'mbedtls_pk_can_do()' returns TRUE, it should rule out
'mbedtls_pk_ec()' returning a NULL, unless there is a regression.
Signed-off-by: Leonid Rozenboim <leonid.rozenboim@oracle.com >
2022-08-19 11:49:22 -07:00
Jerry Yu
e28d9745a1
fix coding style issues
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-08-18 15:44:03 +08:00
Jerry Yu
3419107e8d
Add checks for ticket and resumption_key fields
...
From RFC 8446 and the definition of session, we
should check the length.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-08-18 11:28:41 +08:00
Jerry Yu
e36fdd676c
Change signature of tls13_session_save
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-08-17 21:50:25 +08:00
Jerry Yu
5c28e7aa0e
remove psk key when ephemeral selected
...
ephemeral is selected, `handshake->psk` must be removed.
Otherwise the encrypt key will be caculate fail.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-08-11 21:25:35 +08:00
Jerry Yu
ccc68a466e
change handshake psk key type for tls13
...
PSK key type of TLS1.3 must be HKDF_EXTRACT and the algo is
decided when create binder
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2022-08-11 21:25:35 +08:00