1
0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-06-10 21:01:41 +03:00
Commit Graph

478 Commits

Author SHA1 Message Date
151f64283f Add parsing for Record Size Limit extension in TLS 1.3
Fixes #7007

Signed-off-by: Jan Bruckner <jan@janbruckner.de>
2023-03-14 08:41:25 +01:00
e4622a3436 Merge remote-tracking branch 'development/development' into development-restricted
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-03-13 17:49:32 +00:00
43cc127d3a Fix code style
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
b8b07aa24a Handle errors from functions that now return int
A few functions were changed from returning void to returning int three
commits ago. Make sure their callers check the return values.

This commits was basically a matter of declaring newly-int-returning
functions MBEDTLS_CHECK_RETURN_CRITICAL and then fixing the resulting
warnings. A few functions had to be made int in the process; they were
applied the same process as well.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
d89360b87b Fix and improve documentation, comments and logs
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-02-21 14:57:25 +01:00
25e9ec61f0 tls13: server: Select preferred cipher suite
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-02-20 11:42:19 +01:00
fc7ae87ad4 tls13: server: Check ciphersuite list length parity once
Check ciphersuite list length parity once,
mainly to enable the possibility of getting
out of the loop of the ciphersuites whenever
we want.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-02-20 11:42:19 +01:00
606671e06e tls13: server: Check mbedtls_ssl_set_hs_psk returned value
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-02-20 11:42:19 +01:00
52ad333040 simplify helper function name
Rename ssl_tls13_check_psk_mode_allowed_by_ticket to
ssl_tls13_ticket_permission_check

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-02-14 14:32:37 +08:00
934ce6f6a9 Rename the finalize_client{server}_hello()
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-02-08 05:47:48 +00:00
306a01da4d refactor: move ticket_flags check into a function
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-02-02 16:57:49 +08:00
766796839b Revert "TLS 1.3: SRV: Validate kex modes when parsing psk"
This reverts commit f8e50a9607.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-02-02 16:57:42 +08:00
dadeb20383 TLS 1.3: SRV: Don't select ephemeral mode on resumption
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-18 17:42:26 +08:00
f8e50a9607 TLS 1.3: SRV: Validate kex modes when parsing psk
On resumption, after the psk identity is matched, we
should check if psk and/or psk_ephemeral, which are
allowed by session ticket, are valid to be selected.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-18 17:42:12 +08:00
0b740bc85b TLS 1.3: SRV: Check ticket_flags in kex mode determination
When determining the key exchange mode, ticket_flags
should be checked so that the server won't select the
kex mode that is forbidden from session ticket.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-18 17:37:57 +08:00
e2f1dbf5ae update docs of ssl_client2 and improve code format
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-16 12:38:12 +08:00
4938a566bf refine ticket_flags printing helper
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-16 11:28:49 +08:00
3643fdbab9 refine the state setting in tls13_handshake_wrapup
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-13 11:06:02 +08:00
189465306d remove MBEDTLS_ERR_SSL_TICKET_INVALID_KEX_MODE error
Return MBEDTLS_ERR_ERROR_GENERIC_ERROR when ticket_flags
are not compatible with advertised key exchange mode.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-13 11:06:00 +08:00
80270b2151 rename ticket_flags helper functions to generic ones
Ticket flags is quite generic and may make sense in the
future versions of TLS or even in TLS 1.2 with new
extensions. This change remane the ticket_flags helper
functions with more generic `mbedtls_ssl_session` prefix
instead of `mbedtls_ssl_tls13_session`.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-13 11:05:59 +08:00
a1aa31b8b1 fix review comments
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-13 11:05:58 +08:00
9eacb44a5e improve code format and readability
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-13 11:05:57 +08:00
e6487fe3c2 guard tls13_kex_modes related function calls with macro
Handshake parameter field, tls13_kex_mode is only valid when
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED is set.
So, any functions / calls should be guarded by this macros.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-13 11:05:55 +08:00
3eb49be6a8 move kex mode check in ticket_flags to psks_check_identity_match_ticket
Move the kex mode check in ticket_flags to
ssl_tls13_offered_psks_check_identity_match_ticket and add new error
'MBEDTLS_ERR_SSL_TICKET_INVALID_KEX_MODE' to indicate the check
failure.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-13 11:05:55 +08:00
c7af2c4f8c tls13: send new session ticket only when client supports psk
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-13 11:05:54 +08:00
c55eeb682d tls13: check if the session ticket is compatible with key exchange modes
The server check if the ticket_flags is compatible with the advertised
key exchange modes in Pre-Shared Key Exchange Modes extension. The
incompatible ticket should be mark as not matched.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-13 11:05:53 +08:00
9f92695c8d tls13: set key exchange mode in ticket_flags on client/server
Set the ticket_flags when:
  - server: preparing NST (new session ticket) message
  - client: postprocessing NST message

Clear the ticket_flags when:
  - server: preparing NST message
  - client: parsing NST message

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-13 11:05:53 +08:00
449bd8303e Switch to the new code style
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-11 14:50:10 +01:00
141bbe7bee tls13: Adjust include files
- remove duplicate and unused included
- Adjust the order to system, mbedtls global, local.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-12-09 09:51:20 +08:00
1797b05602 Fix typos prior to release
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-12-04 17:19:59 +00:00
a8d3c5048f Rename new session ticket name for TLS 1.3
NewSessionTicket is different with TLS 1.2.
It should not share same state.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-19 20:12:35 +08:00
97be6a913e fix various issues
- typo error
- replace `ssl->hanshake` with handshake

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-09 22:43:31 +08:00
7de2ff0310 Refactor extension list print
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-08 23:51:39 +08:00
79aa721ade Rename ext print function and macro
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-08 23:51:39 +08:00
b95dd3683b Add missing mask set and tls13 unrecognized extension
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-08 23:51:38 +08:00
c437ee3bac fix wrong return value
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-08 21:04:15 +08:00
e5991328ff fix tls13 psk only test fail
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-08 16:16:29 +08:00
50e00e3ac6 Refactor server hello
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-06 11:54:22 +08:00
edab637b51 Refactor new session ticket
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-06 11:54:22 +08:00
63a459cde5 Refactor client_hello parser and writer
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-06 11:54:21 +08:00
4b8f2f7266 Refactor sent extension message output
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-06 11:54:21 +08:00
c4bf5d658e fix various issues
- Signature of
  - mbedtls_tls13_set_hs_sent_ext_mask
  - check_received_extension and issues
- Also fix comment issue.
- improve readablity.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-10-31 16:41:42 +08:00
0c354a211b introduce sent/recv extensions field
And remove `extensions_present`

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-10-31 16:41:42 +08:00
e18dc7eb9a Add forbidden extensions check for ClientHello
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-10-31 16:41:42 +08:00
471dee5a12 Add debug helpers to track extensions
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-10-31 16:41:42 +08:00
04e2133f45 Merge pull request #6482 from ronald-cron-arm/tls13-misc
TLS 1.3: Update documentation for the coming release and misc
2022-10-28 11:09:03 +02:00
eac00ad2a6 tls13: server: Note down client not being authenticated in SSL context
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-25 20:02:03 +02:00
744fd37d23 Merge pull request #6467 from davidhorstmann-arm/fix-unusual-macros-0
Fix unusual macros
2022-10-25 19:55:29 +02:00
766c0cdb1f tls13: Add missing kex guards
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-22 14:42:04 +02:00
41a443a68d tls13: Use MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK.*ENABLED
Use MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED
instead of MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED to guard
code specific to one of the TLS 1.3 key exchange mode with
PSK.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-22 14:42:04 +02:00