Merge pull request #6069 from yuhaoth/pr/add-tls13-write-new-session-ticket
TLS 1.3:add tls13 write new session ticket
Validated by the internal CI and Travis.
diff --git a/CMakeLists.txt b/CMakeLists.txt
index a0d0aa7..bb86788 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -131,7 +131,10 @@
set(target "${CMAKE_CURRENT_SOURCE_DIR}/${base_name}")
endif()
- if (NOT EXISTS ${link})
+ # Linking to non-existent file is not desirable. At best you will have a
+ # dangling link, but when building in tree, this can create a symbolic link
+ # to itself.
+ if (EXISTS ${target} AND NOT EXISTS ${link})
if (CMAKE_HOST_UNIX)
set(command ln -s ${target} ${link})
else()
diff --git a/ChangeLog.d/fix-aes-shallow-copying.txt b/ChangeLog.d/fix-aes-shallow-copying.txt
new file mode 100644
index 0000000..0c119d6
--- /dev/null
+++ b/ChangeLog.d/fix-aes-shallow-copying.txt
@@ -0,0 +1,2 @@
+Bugfix
+ * Refactor mbedtls_aes_context to support shallow-copying. Fixes #2147.
diff --git a/ChangeLog.d/fix_cmake_gen_files b/ChangeLog.d/fix_cmake_gen_files
new file mode 100644
index 0000000..3b2c099
--- /dev/null
+++ b/ChangeLog.d/fix_cmake_gen_files
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix an issue in releases with GEN_FILES turned off whereby missing
+ generated files could be turned into symlinks to themselves.
diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h
index 144bd89..c359011 100644
--- a/include/mbedtls/aes.h
+++ b/include/mbedtls/aes.h
@@ -80,7 +80,8 @@
typedef struct mbedtls_aes_context
{
int MBEDTLS_PRIVATE(nr); /*!< The number of rounds. */
- uint32_t *MBEDTLS_PRIVATE(rk); /*!< AES round keys. */
+ size_t MBEDTLS_PRIVATE(rk_offset); /*!< The offset in array elements to AES
+ round keys in the buffer. */
uint32_t MBEDTLS_PRIVATE(buf)[68]; /*!< Unaligned data buffer. This buffer can
hold 32 extra Bytes, which can be used for
one of the following purposes:
diff --git a/library/aes.c b/library/aes.c
index bf5d432..ca94e0a 100644
--- a/library/aes.c
+++ b/library/aes.c
@@ -550,19 +550,19 @@
}
#endif
+ ctx->rk_offset = 0;
#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
if( aes_padlock_ace == -1 )
aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
if( aes_padlock_ace )
- ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
- else
+ ctx->rk_offset = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ) - ctx->buf;
#endif
- ctx->rk = RK = ctx->buf;
+ RK = ctx->buf + ctx->rk_offset;
#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
- return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
+ return( mbedtls_aesni_setkey_enc( (unsigned char *) RK, key, keybits ) );
#endif
for( i = 0; i < ( keybits >> 5 ); i++ )
@@ -654,15 +654,15 @@
mbedtls_aes_init( &cty );
+ ctx->rk_offset = 0;
#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
if( aes_padlock_ace == -1 )
aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
if( aes_padlock_ace )
- ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
- else
+ ctx->rk_offset = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ) - ctx->buf;
#endif
- ctx->rk = RK = ctx->buf;
+ RK = ctx->buf + ctx->rk_offset;
/* Also checks keybits */
if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
@@ -673,13 +673,13 @@
#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
{
- mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
- (const unsigned char *) cty.rk, ctx->nr );
+ mbedtls_aesni_inverse_key( (unsigned char *) RK,
+ (const unsigned char *) ( cty.buf + cty.rk_offset ), ctx->nr );
goto exit;
}
#endif
- SK = cty.rk + cty.nr * 4;
+ SK = cty.buf + cty.rk_offset + cty.nr * 4;
*RK++ = *SK++;
*RK++ = *SK++;
@@ -843,7 +843,7 @@
unsigned char output[16] )
{
int i;
- uint32_t *RK = ctx->rk;
+ uint32_t *RK = ctx->buf + ctx->rk_offset;
struct
{
uint32_t X[4];
@@ -907,7 +907,7 @@
unsigned char output[16] )
{
int i;
- uint32_t *RK = ctx->rk;
+ uint32_t *RK = ctx->buf + ctx->rk_offset;
struct
{
uint32_t X[4];
@@ -971,7 +971,6 @@
unsigned char output[16] )
{
AES_VALIDATE_RET( ctx != NULL );
- AES_VALIDATE_RET( ctx->rk != NULL );
AES_VALIDATE_RET( input != NULL );
AES_VALIDATE_RET( output != NULL );
AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
diff --git a/library/aesni.c b/library/aesni.c
index be226c9..87d818a 100644
--- a/library/aesni.c
+++ b/library/aesni.c
@@ -127,7 +127,7 @@
"3: \n\t"
"movdqu %%xmm0, (%4) \n\t" // export output
:
- : "r" (ctx->nr), "r" (ctx->rk), "r" (mode), "r" (input), "r" (output)
+ : "r" (ctx->nr), "r" (ctx->buf + ctx->rk_offset), "r" (mode), "r" (input), "r" (output)
: "memory", "cc", "xmm0", "xmm1" );
diff --git a/library/padlock.c b/library/padlock.c
index b8ba105..a128775 100644
--- a/library/padlock.c
+++ b/library/padlock.c
@@ -82,7 +82,11 @@
uint32_t *ctrl;
unsigned char buf[256];
- rk = ctx->rk;
+ rk = ctx->buf + ctx->rk_offset;
+
+ if( ( (long) rk & 15 ) != 0 )
+ return( MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED );
+
blk = MBEDTLS_PADLOCK_ALIGN16( buf );
memcpy( blk, input, 16 );
@@ -125,11 +129,13 @@
uint32_t *ctrl;
unsigned char buf[256];
+ rk = ctx->buf + ctx->rk_offset;
+
if( ( (long) input & 15 ) != 0 ||
- ( (long) output & 15 ) != 0 )
+ ( (long) output & 15 ) != 0 ||
+ ( (long) rk & 15 ) != 0 )
return( MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED );
- rk = ctx->rk;
iw = MBEDTLS_PADLOCK_ALIGN16( buf );
memcpy( iw, iv, 16 );
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 39a47ca..d16b254 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -611,14 +611,19 @@
* Handshake specific crypto variables
*/
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- int tls13_kex_modes; /*!< key exchange modes for TLS 1.3 */
+ uint8_t key_exchange_mode; /*!< Selected key exchange mode */
/** Number of HelloRetryRequest messages received/sent from/to the server. */
int hello_retry_request_count;
+
#if defined(MBEDTLS_SSL_SRV_C)
/** selected_group of key_share extension in HelloRetryRequest message. */
uint16_t hrr_selected_group;
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+ uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */
+#endif
#endif /* MBEDTLS_SSL_SRV_C */
+
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
@@ -1769,6 +1774,7 @@
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
}
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
/**
* Given a list of key exchange modes, check if at least one of them is
* supported.
@@ -1815,6 +1821,30 @@
return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
}
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+
+/*
+ * Helper functions to check the selected key exchange mode.
+ */
+static inline int mbedtls_ssl_tls13_key_exchange_mode_check(
+ mbedtls_ssl_context *ssl, int kex_mask )
+{
+ return( ( ssl->handshake->key_exchange_mode & kex_mask ) != 0 );
+}
+
+static inline int mbedtls_ssl_tls13_key_exchange_mode_with_psk(
+ mbedtls_ssl_context *ssl )
+{
+ return( mbedtls_ssl_tls13_key_exchange_mode_check( ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
+}
+
+static inline int mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(
+ mbedtls_ssl_context *ssl )
+{
+ return( mbedtls_ssl_tls13_key_exchange_mode_check( ssl,
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) );
+}
/*
* Fetch TLS 1.3 handshake message header
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 183b6ee..e38f117 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1218,17 +1218,17 @@
{
/* Only the pre_shared_key extension was received */
case MBEDTLS_SSL_EXT_PRE_SHARED_KEY:
- handshake->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
+ handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
break;
/* Only the key_share extension was received */
case MBEDTLS_SSL_EXT_KEY_SHARE:
- handshake->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
+ handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
break;
/* Both the pre_shared_key and key_share extensions were received */
case ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ):
- handshake->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
+ handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
break;
/* Neither pre_shared_key nor key_share extension was received */
@@ -1477,7 +1477,7 @@
buf, buf_len );
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
- if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
+ if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
else
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST );
@@ -1512,12 +1512,6 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
- {
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= skip parse certificate request" ) );
- return( SSL_CERTIFICATE_REQUEST_SKIP );
- }
-
if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index 51743bb..c306d3c 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -1237,7 +1237,7 @@
* client_handshake_traffic_secret and server_handshake_traffic_secret
* are derived in the handshake secret derivation stage.
*/
- if( mbedtls_ssl_tls13_ephemeral_enabled( ssl ) )
+ if( mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( ssl ) )
{
if( mbedtls_ssl_tls13_named_group_is_ecdhe( handshake->offered_group_id ) )
{
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 0159b02..4a0d6d9 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -397,7 +397,7 @@
if( !ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( ssl ) )
return( 0 );
- ssl->handshake->tls13_kex_modes =
+ ssl->handshake->key_exchange_mode =
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
return( 1 );
}
@@ -1172,7 +1172,7 @@
* of the HRR is then to transmit a cookie to force the client to demonstrate
* reachability at their apparent network address (primarily useful for DTLS).
*/
- if( ! mbedtls_ssl_tls13_some_ephemeral_enabled( ssl ) )
+ if( ! mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( ssl ) )
return( 0 );
/* We should only send the key_share extension if the client's initial
@@ -1560,7 +1560,7 @@
ssl, buf_len, msg_len ) );
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
- if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
+ if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
else
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST );
diff --git a/tests/suites/test_suite_aes.ecb.data b/tests/suites/test_suite_aes.ecb.data
index 6349034..b468ac3 100644
--- a/tests/suites/test_suite_aes.ecb.data
+++ b/tests/suites/test_suite_aes.ecb.data
@@ -228,3 +228,6 @@
AES-256-ECB Decrypt NIST KAT #12
aes_decrypt_ecb:"0000000000000000000000000000000000000000000000000000000000000000":"9b80eefb7ebe2d2b16247aa0efc72f5d":"e0000000000000000000000000000000":0
+
+AES-256-ECB Copy Context NIST KAT #1
+aes_ecb_copy_context:"c1cc358b449909a19436cfbb3f852ef8bcb5ed12ac7058325f56e6099aab1a1c":"00000000000000000000000000000000"
diff --git a/tests/suites/test_suite_aes.function b/tests/suites/test_suite_aes.function
index 52af8e0..5ab265a 100644
--- a/tests/suites/test_suite_aes.function
+++ b/tests/suites/test_suite_aes.function
@@ -460,6 +460,36 @@
}
/* END_CASE */
+/* BEGIN_CASE */
+void aes_ecb_copy_context( data_t * key_str, data_t * src_str )
+{
+ unsigned char output1[16], output2[16], plain[16];
+ mbedtls_aes_context ctx1, ctx2, ctx3;
+
+ // Set key and encrypt with original context
+ mbedtls_aes_init( &ctx1 );
+ TEST_ASSERT( mbedtls_aes_setkey_enc( &ctx1, key_str->x,
+ key_str->len * 8 ) == 0 );
+ TEST_ASSERT( mbedtls_aes_crypt_ecb( &ctx1, MBEDTLS_AES_ENCRYPT,
+ src_str->x, output1 ) == 0 );
+
+ ctx2 = ctx1;
+ TEST_ASSERT( mbedtls_aes_setkey_dec( &ctx1, key_str->x,
+ key_str->len * 8 ) == 0 );
+ ctx3 = ctx1;
+ memset( &ctx1, 0, sizeof( ctx1 ) );
+
+ // Encrypt and decrypt with copied context
+ TEST_ASSERT( mbedtls_aes_crypt_ecb( &ctx2, MBEDTLS_AES_ENCRYPT,
+ src_str->x, output2 ) == 0 );
+ TEST_ASSERT( mbedtls_aes_crypt_ecb( &ctx3, MBEDTLS_AES_DECRYPT,
+ output1, plain ) == 0 );
+
+ TEST_ASSERT( mbedtls_test_hexcmp( output1, output2, 16, 16 ) == 0 );
+ TEST_ASSERT( mbedtls_test_hexcmp( src_str->x, plain, src_str->len, 16 ) == 0 );
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
void aes_selftest( )
{