Merge pull request #8912 from Ryan-Everett-arm/double-destroy-key-bugfix
Fix threading bug when multiple destroy_key calls run on the same key
diff --git a/ChangeLog.d/8825.txt b/ChangeLog.d/8825.txt
new file mode 100644
index 0000000..914bd08
--- /dev/null
+++ b/ChangeLog.d/8825.txt
@@ -0,0 +1,6 @@
+Features
+ * mbedtls_psa_get_random() is always available as soon as
+ MBEDTLS_PSA_CRYPTO_CLIENT is enabled at build time and psa_crypto_init() is
+ called at runtime. This together with MBEDTLS_PSA_RANDOM_STATE can be
+ used as random number generator function (f_rng) and context (p_rng) in
+ legacy functions.
diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h
index 984f031..c78cc23 100644
--- a/include/mbedtls/psa_util.h
+++ b/include/mbedtls/psa_util.h
@@ -21,44 +21,24 @@
* otherwise error codes would be unknown in test_suite_psa_crypto_util.data.*/
#include <mbedtls/asn1write.h>
-#if defined(MBEDTLS_PSA_CRYPTO_C)
-
-/* Expose whatever RNG the PSA subsystem uses to applications using the
- * mbedtls_xxx API. The declarations and definitions here need to be
- * consistent with the implementation in library/psa_crypto_random_impl.h.
- * See that file for implementation documentation. */
-
-
-/* The type of a `f_rng` random generator function that many library functions
- * take.
- *
- * This type name is not part of the Mbed TLS stable API. It may be renamed
- * or moved without warning.
- */
-typedef int mbedtls_f_rng_t(void *p_rng, unsigned char *output, size_t output_size);
-
-#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
/** The random generator function for the PSA subsystem.
*
* This function is suitable as the `f_rng` random generator function
- * parameter of many `mbedtls_xxx` functions. Use #MBEDTLS_PSA_RANDOM_STATE
- * to obtain the \p p_rng parameter.
+ * parameter of many `mbedtls_xxx` functions.
*
* The implementation of this function depends on the configuration of the
* library.
*
- * \note Depending on the configuration, this may be a function or
- * a pointer to a function.
- *
* \note This function may only be used if the PSA crypto subsystem is active.
* This means that you must call psa_crypto_init() before any call to
* this function, and you must not call this function after calling
* mbedtls_psa_crypto_free().
*
- * \param p_rng The random generator context. This must be
- * #MBEDTLS_PSA_RANDOM_STATE. No other state is
- * supported.
+ * \param p_rng This parameter is only kept for backward compatibility
+ * reasons with legacy `f_rng` functions and it's ignored.
+ * Set to #MBEDTLS_PSA_RANDOM_STATE or NULL.
* \param output The buffer to fill. It must have room for
* \c output_size bytes.
* \param output_size The number of bytes to write to \p output.
@@ -80,32 +60,11 @@
/** The random generator state for the PSA subsystem.
*
- * This macro expands to an expression which is suitable as the `p_rng`
- * random generator state parameter of many `mbedtls_xxx` functions.
- * It must be used in combination with the random generator function
- * mbedtls_psa_get_random().
- *
- * The implementation of this macro depends on the configuration of the
- * library. Do not make any assumption on its nature.
+ * This macro always expands to NULL because the `p_rng` parameter is unused
+ * in mbedtls_psa_get_random(), but it's kept for interface's backward
+ * compatibility.
*/
-#define MBEDTLS_PSA_RANDOM_STATE NULL
-
-#else /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */
-
-#if defined(MBEDTLS_CTR_DRBG_C)
-#include "mbedtls/ctr_drbg.h"
-typedef mbedtls_ctr_drbg_context mbedtls_psa_drbg_context_t;
-static mbedtls_f_rng_t *const mbedtls_psa_get_random = mbedtls_ctr_drbg_random;
-#elif defined(MBEDTLS_HMAC_DRBG_C)
-#include "mbedtls/hmac_drbg.h"
-typedef mbedtls_hmac_drbg_context mbedtls_psa_drbg_context_t;
-static mbedtls_f_rng_t *const mbedtls_psa_get_random = mbedtls_hmac_drbg_random;
-#endif
-extern mbedtls_psa_drbg_context_t *const mbedtls_psa_random_state;
-
-#define MBEDTLS_PSA_RANDOM_STATE mbedtls_psa_random_state
-
-#endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */
+#define MBEDTLS_PSA_RANDOM_STATE NULL
/** \defgroup psa_tls_helpers TLS helper functions
* @{
@@ -180,7 +139,7 @@
{
return (mbedtls_md_type_t) (psa_alg & PSA_ALG_HASH_MASK);
}
-#endif /* MBEDTLS_PSA_CRYPTO_C */
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
#if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA)
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 78395d2..9a66663 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1859,7 +1859,8 @@
* within a single datagram. */
#endif /* MBEDTLS_SSL_PROTO_DTLS */
-#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C)
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+#if defined(MBEDTLS_SSL_SRV_C)
/*
* One of:
* MBEDTLS_SSL_EARLY_DATA_NO_DISCARD
@@ -1868,6 +1869,8 @@
*/
uint8_t MBEDTLS_PRIVATE(discard_early_data_record);
#endif
+ uint32_t MBEDTLS_PRIVATE(total_early_data_size); /*!< Number of received/written early data bytes */
+#endif /* MBEDTLS_SSL_EARLY_DATA */
/*
* Record layer (outgoing data)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 0fe1fbc..ec9d115 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -101,11 +101,6 @@
static psa_global_data_t global_data;
-#if !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
-mbedtls_psa_drbg_context_t *const mbedtls_psa_random_state =
- &global_data.rng.drbg;
-#endif
-
#define GUARD_MODULE_INITIALIZED \
if (global_data.initialized == 0) \
return PSA_ERROR_BAD_STATE;
@@ -7114,7 +7109,7 @@
MBEDTLS_ENTROPY_SOURCE_STRONG);
#endif
- mbedtls_psa_drbg_init(MBEDTLS_PSA_RANDOM_STATE);
+ mbedtls_psa_drbg_init(&rng->drbg);
#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
}
@@ -7125,7 +7120,7 @@
#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
memset(rng, 0, sizeof(*rng));
#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
- mbedtls_psa_drbg_free(MBEDTLS_PSA_RANDOM_STATE);
+ mbedtls_psa_drbg_free(&rng->drbg);
rng->entropy_free(&rng->entropy);
#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
}
@@ -7140,7 +7135,7 @@
return PSA_SUCCESS;
#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
const unsigned char drbg_seed[] = "PSA";
- int ret = mbedtls_psa_drbg_seed(&rng->entropy,
+ int ret = mbedtls_psa_drbg_seed(&rng->drbg, &rng->entropy,
drbg_seed, sizeof(drbg_seed) - 1);
return mbedtls_to_psa_error(ret);
#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
@@ -7170,12 +7165,16 @@
#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
while (output_size > 0) {
+ int ret = MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
size_t request_size =
(output_size > MBEDTLS_PSA_RANDOM_MAX_REQUEST ?
MBEDTLS_PSA_RANDOM_MAX_REQUEST :
output_size);
- int ret = mbedtls_psa_get_random(MBEDTLS_PSA_RANDOM_STATE,
- output, request_size);
+#if defined(MBEDTLS_CTR_DRBG_C)
+ ret = mbedtls_ctr_drbg_random(&global_data.rng.drbg, output, request_size);
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+ ret = mbedtls_hmac_drbg_random(&global_data.rng.drbg, output, request_size);
+#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */
if (ret != 0) {
return mbedtls_to_psa_error(ret);
}
@@ -7186,39 +7185,6 @@
#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
}
-/* Wrapper function allowing the classic API to use the PSA RNG.
- *
- * `mbedtls_psa_get_random(MBEDTLS_PSA_RANDOM_STATE, ...)` calls
- * `psa_generate_random(...)`. The state parameter is ignored since the
- * PSA API doesn't support passing an explicit state.
- *
- * In the non-external case, psa_generate_random() calls an
- * `mbedtls_xxx_drbg_random` function which has exactly the same signature
- * and semantics as mbedtls_psa_get_random(). As an optimization,
- * instead of doing this back-and-forth between the PSA API and the
- * classic API, psa_crypto_random_impl.h defines `mbedtls_psa_get_random`
- * as a constant function pointer to `mbedtls_xxx_drbg_random`.
- */
-#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
-int mbedtls_psa_get_random(void *p_rng,
- unsigned char *output,
- size_t output_size)
-{
- /* This function takes a pointer to the RNG state because that's what
- * classic mbedtls functions using an RNG expect. The PSA RNG manages
- * its own state internally and doesn't let the caller access that state.
- * So we just ignore the state parameter, and in practice we'll pass
- * NULL. */
- (void) p_rng;
- psa_status_t status = psa_generate_random(output, output_size);
- if (status == PSA_SUCCESS) {
- return 0;
- } else {
- return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
- }
-}
-#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
-
#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
size_t seed_size)
diff --git a/library/psa_crypto_random_impl.h b/library/psa_crypto_random_impl.h
index 64b8949..533fb2e 100644
--- a/library/psa_crypto_random_impl.h
+++ b/library/psa_crypto_random_impl.h
@@ -1,14 +1,6 @@
/** \file psa_crypto_random_impl.h
*
* \brief PSA crypto random generator implementation abstraction.
- *
- * The definitions here need to be consistent with the declarations
- * in include/psa_util_internal.h. This file contains some redundant
- * declarations to increase the chance that a compiler will detect
- * inconsistencies if one file is changed without updating the other,
- * but not all potential inconsistencies can be enforced, so make sure
- * to check the public declarations and contracts in
- * include/psa_util_internal.h if you modify this file.
*/
/*
* Copyright The Mbed TLS Contributors
@@ -22,22 +14,12 @@
#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
-#include <string.h>
-#include <mbedtls/entropy.h> // only for error codes
-#include <psa/crypto.h>
-
typedef mbedtls_psa_external_random_context_t mbedtls_psa_random_context_t;
-/* Trivial wrapper around psa_generate_random(). */
-int mbedtls_psa_get_random(void *p_rng,
- unsigned char *output,
- size_t output_size);
-
-/* The PSA RNG API doesn't need any externally maintained state. */
-#define MBEDTLS_PSA_RANDOM_STATE NULL
-
#else /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
+#include "mbedtls/entropy.h"
+
/* Choose a DRBG based on configuration and availability */
#if defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE)
@@ -67,11 +49,37 @@
#error "No hash algorithm available for HMAC_DBRG."
#endif
-#else
+#else /* !MBEDTLS_PSA_HMAC_DRBG_MD_TYPE && !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
+
#error "No DRBG module available for the psa_crypto module."
+
+#endif /* !MBEDTLS_PSA_HMAC_DRBG_MD_TYPE && !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
+
+#if defined(MBEDTLS_CTR_DRBG_C)
+#include "mbedtls/ctr_drbg.h"
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+#include "mbedtls/hmac_drbg.h"
+#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */
+
+/* The maximum number of bytes that mbedtls_psa_get_random() is expected to return. */
+#if defined(MBEDTLS_CTR_DRBG_C)
+#define MBEDTLS_PSA_RANDOM_MAX_REQUEST MBEDTLS_CTR_DRBG_MAX_REQUEST
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+#define MBEDTLS_PSA_RANDOM_MAX_REQUEST MBEDTLS_HMAC_DRBG_MAX_REQUEST
#endif
-#include "mbedtls/entropy.h"
+#if defined(MBEDTLS_CTR_DRBG_C)
+typedef mbedtls_ctr_drbg_context mbedtls_psa_drbg_context_t;
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+typedef mbedtls_hmac_drbg_context mbedtls_psa_drbg_context_t;
+#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */
+
+typedef struct {
+ void (* entropy_init)(mbedtls_entropy_context *ctx);
+ void (* entropy_free)(mbedtls_entropy_context *ctx);
+ mbedtls_entropy_context entropy;
+ mbedtls_psa_drbg_context_t drbg;
+} mbedtls_psa_random_context_t;
/** Initialize the PSA DRBG.
*
@@ -99,63 +107,6 @@
#endif
}
-/** The type of the PSA random generator context.
- *
- * The random generator context is composed of an entropy context and
- * a DRBG context.
- */
-typedef struct {
- void (* entropy_init)(mbedtls_entropy_context *ctx);
- void (* entropy_free)(mbedtls_entropy_context *ctx);
- mbedtls_entropy_context entropy;
- mbedtls_psa_drbg_context_t drbg;
-} mbedtls_psa_random_context_t;
-
-/* Defined in include/psa_util_internal.h so that it's visible to
- * application code. The declaration here is redundant, but included
- * as a safety net to make it more likely that a future change that
- * accidentally causes the implementation to diverge from the interface
- * will be noticed. */
-/* Do not include the declaration under MSVC because it doesn't accept it
- * ("error C2370: 'mbedtls_psa_get_random' : redefinition; different storage class").
- * Observed with Visual Studio 2013. A known bug apparently:
- * https://stackoverflow.com/questions/8146541/duplicate-external-static-declarations-not-allowed-in-visual-studio
- */
-#if !defined(_MSC_VER)
-static mbedtls_f_rng_t *const mbedtls_psa_get_random;
-#endif
-
-/** The maximum number of bytes that mbedtls_psa_get_random() is expected to
- * return.
- */
-#if defined(MBEDTLS_CTR_DRBG_C)
-#define MBEDTLS_PSA_RANDOM_MAX_REQUEST MBEDTLS_CTR_DRBG_MAX_REQUEST
-#elif defined(MBEDTLS_HMAC_DRBG_C)
-#define MBEDTLS_PSA_RANDOM_MAX_REQUEST MBEDTLS_HMAC_DRBG_MAX_REQUEST
-#endif
-
-/** A pointer to the PSA DRBG state.
- *
- * This variable is only intended to be used through the macro
- * #MBEDTLS_PSA_RANDOM_STATE.
- */
-/* psa_crypto.c sets this variable to a pointer to the DRBG state in the
- * global PSA crypto state. */
-/* The type `mbedtls_psa_drbg_context_t` is defined in
- * include/psa_util_internal.h so that `mbedtls_psa_random_state` can be
- * declared there and be visible to application code. */
-extern mbedtls_psa_drbg_context_t *const mbedtls_psa_random_state;
-
-/** A pointer to the PSA DRBG state.
- *
- * This macro expands to an expression that is suitable as the \c p_rng
- * parameter to pass to mbedtls_psa_get_random().
- *
- * This macro exists in all configurations where the psa_crypto module is
- * enabled. Its expansion depends on the configuration.
- */
-#define MBEDTLS_PSA_RANDOM_STATE mbedtls_psa_random_state
-
/** Seed the PSA DRBG.
*
* \param entropy An entropy context to read the seed from.
@@ -167,23 +118,15 @@
* \return \c 0 on success.
* \return An Mbed TLS error code (\c MBEDTLS_ERR_xxx) on failure.
*/
-static inline int mbedtls_psa_drbg_seed(
- mbedtls_entropy_context *entropy,
- const unsigned char *custom, size_t len)
+static inline int mbedtls_psa_drbg_seed(mbedtls_psa_drbg_context_t *drbg_ctx,
+ mbedtls_entropy_context *entropy,
+ const unsigned char *custom, size_t len)
{
#if defined(MBEDTLS_CTR_DRBG_C)
- return mbedtls_ctr_drbg_seed(MBEDTLS_PSA_RANDOM_STATE,
- mbedtls_entropy_func,
- entropy,
- custom, len);
+ return mbedtls_ctr_drbg_seed(drbg_ctx, mbedtls_entropy_func, entropy, custom, len);
#elif defined(MBEDTLS_HMAC_DRBG_C)
- const mbedtls_md_info_t *md_info =
- mbedtls_md_info_from_type(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE);
- return mbedtls_hmac_drbg_seed(MBEDTLS_PSA_RANDOM_STATE,
- md_info,
- mbedtls_entropy_func,
- entropy,
- custom, len);
+ const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE);
+ return mbedtls_hmac_drbg_seed(drbg_ctx, md_info, mbedtls_entropy_func, entropy, custom, len);
#endif
}
diff --git a/library/psa_util.c b/library/psa_util.c
index 125b173..4ccc5b0 100644
--- a/library/psa_util.c
+++ b/library/psa_util.c
@@ -18,7 +18,7 @@
#include "psa_util_internal.h"
-#if defined(MBEDTLS_PSA_CRYPTO_C)
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
#include <psa/crypto.h>
@@ -46,6 +46,7 @@
#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
#include <mbedtls/cipher.h>
#endif
+#include <mbedtls/entropy.h>
/* PSA_SUCCESS is kept at the top of each error table since
* it's the most common status when everything functions properly. */
@@ -338,7 +339,31 @@
}
#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
-#endif /* MBEDTLS_PSA_CRYPTO_C */
+/* Wrapper function allowing the classic API to use the PSA RNG.
+ *
+ * `mbedtls_psa_get_random(MBEDTLS_PSA_RANDOM_STATE, ...)` calls
+ * `psa_generate_random(...)`. The state parameter is ignored since the
+ * PSA API doesn't support passing an explicit state.
+ */
+int mbedtls_psa_get_random(void *p_rng,
+ unsigned char *output,
+ size_t output_size)
+{
+ /* This function takes a pointer to the RNG state because that's what
+ * classic mbedtls functions using an RNG expect. The PSA RNG manages
+ * its own state internally and doesn't let the caller access that state.
+ * So we just ignore the state parameter, and in practice we'll pass
+ * NULL. */
+ (void) p_rng;
+ psa_status_t status = psa_generate_random(output, output_size);
+ if (status == PSA_SUCCESS) {
+ return 0;
+ } else {
+ return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ }
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
#if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA)
diff --git a/library/psa_util_internal.h b/library/psa_util_internal.h
index 3e62d5f..70a08a0 100644
--- a/library/psa_util_internal.h
+++ b/library/psa_util_internal.h
@@ -16,7 +16,7 @@
#include "psa/crypto.h"
-#if defined(MBEDTLS_PSA_CRYPTO_C)
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
/*************************************************************************
* FFDH
@@ -96,5 +96,5 @@
sizeof(error_list)/sizeof(error_list[0]), \
fallback_f)
-#endif /* MBEDTLS_PSA_CRYPTO_C */
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
#endif /* MBEDTLS_PSA_UTIL_INTERNAL_H */
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index d8844fc..883b988 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -2150,6 +2150,9 @@
unsigned char *buf,
const unsigned char *end,
size_t *out_len);
+
+int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl,
+ size_t early_data_len);
#endif /* MBEDTLS_SSL_EARLY_DATA */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 2a6d434..0c71157 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -4005,7 +4005,11 @@
MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD)) {
MBEDTLS_SSL_DEBUG_MSG(
3, ("EarlyData: deprotect and discard app data records."));
- /* TODO: Add max_early_data_size check here, see issue 6347 */
+
+ ret = mbedtls_ssl_tls13_check_early_data_len(ssl, rec->data_len);
+ if (ret != 0) {
+ return ret;
+ }
ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
}
#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_SRV_C */
@@ -4129,9 +4133,15 @@
*/
if (ssl->discard_early_data_record == MBEDTLS_SSL_EARLY_DATA_DISCARD) {
if (rec->type == MBEDTLS_SSL_MSG_APPLICATION_DATA) {
+
+ ret = mbedtls_ssl_tls13_check_early_data_len(ssl, rec->data_len);
+ if (ret != 0) {
+ return ret;
+ }
+
MBEDTLS_SSL_DEBUG_MSG(
3, ("EarlyData: Ignore application message before 2nd ClientHello"));
- /* TODO: Add max_early_data_size check here, see issue 6347 */
+
return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
} else if (rec->type == MBEDTLS_SSL_MSG_HANDSHAKE) {
ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index aa967d8..1bfd180 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1101,6 +1101,7 @@
#if defined(MBEDTLS_SSL_SRV_C)
ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
#endif
+ ssl->total_early_data_size = 0;
#endif /* MBEDTLS_SSL_EARLY_DATA */
/* Initialize structures */
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index bc73704..d448a05 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1454,6 +1454,54 @@
return 0;
}
+
+#if defined(MBEDTLS_SSL_SRV_C)
+int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl,
+ size_t early_data_len)
+{
+ /*
+ * This function should be called only while an handshake is in progress
+ * and thus a session under negotiation. Add a sanity check to detect a
+ * misuse.
+ */
+ if (ssl->session_negotiate == NULL) {
+ return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ }
+
+ /* RFC 8446 section 4.6.1
+ *
+ * A server receiving more than max_early_data_size bytes of 0-RTT data
+ * SHOULD terminate the connection with an "unexpected_message" alert.
+ * Note that if it is still possible to send early_data_len bytes of early
+ * data, it means that early_data_len is smaller than max_early_data_size
+ * (type uint32_t) and can fit in an uint32_t. We use this further
+ * down.
+ */
+ if (early_data_len >
+ (ssl->session_negotiate->max_early_data_size -
+ ssl->total_early_data_size)) {
+
+ MBEDTLS_SSL_DEBUG_MSG(
+ 2, ("EarlyData: Too much early data received, %u + %" MBEDTLS_PRINTF_SIZET " > %u",
+ ssl->total_early_data_size, early_data_len,
+ ssl->session_negotiate->max_early_data_size));
+
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
+ MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
+
+ /*
+ * early_data_len has been checked to be less than max_early_data_size
+ * that is uint32_t. Its cast to an uint32_t below is thus safe. We need
+ * the cast to appease some compilers.
+ */
+ ssl->total_early_data_size += (uint32_t) early_data_len;
+
+ return 0;
+}
+#endif /* MBEDTLS_SSL_SRV_C */
#endif /* MBEDTLS_SSL_EARLY_DATA */
/* Reset SSL context and update hash for handling HRR.
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 9ea581e..887c5c6 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -2906,17 +2906,14 @@
}
if (ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA) {
- MBEDTLS_SSL_DEBUG_MSG(3, ("Received early data"));
- /* RFC 8446 section 4.6.1
- *
- * A server receiving more than max_early_data_size bytes of 0-RTT data
- * SHOULD terminate the connection with an "unexpected_message" alert.
- *
- * TODO: Add received data size check here.
- */
if (ssl->in_offt == NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Received early data"));
/* Set the reading pointer */
ssl->in_offt = ssl->in_msg;
+ ret = mbedtls_ssl_tls13_check_early_data_len(ssl, ssl->in_msglen);
+ if (ret != 0) {
+ return ret;
+ }
}
return SSL_GOT_EARLY_DATA;
}
@@ -3134,6 +3131,7 @@
ssl->conf->max_early_data_size > 0) {
mbedtls_ssl_tls13_session_set_ticket_flags(
session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
+ session->max_early_data_size = ssl->conf->max_early_data_size;
}
#endif /* MBEDTLS_SSL_EARLY_DATA */
diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h
index 110e2ed..335386b 100644
--- a/tests/include/test/ssl_helpers.h
+++ b/tests/include/test/ssl_helpers.h
@@ -114,6 +114,7 @@
void (*cli_log_fun)(void *, int, const char *, int, const char *);
int resize_buffers;
int early_data;
+ int max_early_data_size;
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_context *cache;
#endif
diff --git a/tests/src/psa_crypto_stubs.c b/tests/src/psa_crypto_stubs.c
new file mode 100644
index 0000000..f3ca850
--- /dev/null
+++ b/tests/src/psa_crypto_stubs.c
@@ -0,0 +1,25 @@
+/** \file psa_crypto_stubs.c
+ *
+ * \brief Stub functions when MBEDTLS_PSA_CRYPTO_CLIENT is enabled but
+ * MBEDTLS_PSA_CRYPTO_C is disabled.
+ */
+
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#include <psa/crypto.h>
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
+
+psa_status_t psa_generate_random(uint8_t *output,
+ size_t output_size)
+{
+ (void) output;
+ (void) output_size;
+
+ return PSA_ERROR_COMMUNICATION_FAILURE;
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT && !MBEDTLS_PSA_CRYPTO_C */
diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c
index 045ed39..56e03f1 100644
--- a/tests/src/test_helpers/ssl_helpers.c
+++ b/tests/src/test_helpers/ssl_helpers.c
@@ -67,6 +67,7 @@
opts->legacy_renegotiation = MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION;
opts->resize_buffers = 1;
opts->early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
+ opts->max_early_data_size = -1;
#if defined(MBEDTLS_SSL_CACHE_C)
TEST_CALLOC(opts->cache, 1);
mbedtls_ssl_cache_init(opts->cache);
@@ -825,6 +826,13 @@
#if defined(MBEDTLS_SSL_EARLY_DATA)
mbedtls_ssl_conf_early_data(&(ep->conf), options->early_data);
+#if defined(MBEDTLS_SSL_SRV_C)
+ if (endpoint_type == MBEDTLS_SSL_IS_SERVER &&
+ (options->max_early_data_size >= 0)) {
+ mbedtls_ssl_conf_max_early_data_size(&(ep->conf),
+ options->max_early_data_size);
+ }
+#endif
#endif
#if defined(MBEDTLS_SSL_CACHE_C) && defined(MBEDTLS_SSL_SRV_C)
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 385682a..c0c816c 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -3309,3 +3309,39 @@
TLS 1.3 write early data, hello retry request
tls13_write_early_data:TEST_EARLY_DATA_HRR
+
+TLS 1.3 srv, max early data size, dflt, wsz=96
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:-1:96
+
+TLS 1.3 srv, max early data size, dflt, wsz=128
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:-1:128
+
+TLS 1.3 srv, max early data size, 3, wsz=2
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:3:2
+
+TLS 1.3 srv, max early data size, 3, wsz=3
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:3:3
+
+TLS 1.3 srv, max early data size, 98, wsz=23
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:98:23
+
+TLS 1.3 srv, max early data size, 98, wsz=49
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_ACCEPTED:98:49
+
+TLS 1.3 srv, max early data size, server rejects, dflt, wsz=128
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:-1:128
+
+TLS 1.3 srv, max early data size, server rejects, 3, wsz=3
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:3:3
+
+TLS 1.3 srv, max early data size, server rejects, 98, wsz=49
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_SERVER_REJECTS:98:49
+
+TLS 1.3 srv, max early data size, HRR, dflt, wsz=128
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:-1:128
+
+TLS 1.3 srv, max early data size, HRR, 3, wsz=3
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:3:3
+
+TLS 1.3 srv, max early data size, HRR, 98, wsz=49
+tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:97:0
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 2d124c5..6e95817 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -18,6 +18,47 @@
#define TEST_EARLY_DATA_SERVER_REJECTS 2
#define TEST_EARLY_DATA_HRR 3
+#if (!defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \
+ defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) && \
+ defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_DEBUG_C) && \
+ defined(MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE) && \
+ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) && \
+ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) && \
+ defined(MBEDTLS_MD_CAN_SHA256) && \
+ defined(MBEDTLS_ECP_HAVE_SECP256R1) && defined(MBEDTLS_ECP_HAVE_SECP384R1) && \
+ defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+/*
+ * Test function to write early data for negative tests where
+ * mbedtls_ssl_write_early_data() cannot be used.
+ */
+static int write_early_data(mbedtls_ssl_context *ssl,
+ unsigned char *buf, size_t len)
+{
+ int ret = mbedtls_ssl_get_max_out_record_payload(ssl);
+
+ TEST_ASSERT(ret > 0);
+ TEST_LE_U(len, (size_t) ret);
+
+ ret = mbedtls_ssl_flush_output(ssl);
+ TEST_EQUAL(ret, 0);
+ TEST_EQUAL(ssl->out_left, 0);
+
+ ssl->out_msglen = len;
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
+ if (len > 0) {
+ memcpy(ssl->out_msg, buf, len);
+ }
+
+ ret = mbedtls_ssl_write_record(ssl, 1);
+ TEST_EQUAL(ret, 0);
+
+ ret = len;
+
+exit:
+ return ret;
+}
+#endif
+
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -4168,6 +4209,10 @@
break;
case TEST_EARLY_DATA_HRR:
+ /*
+ * Remove server support for the group negotiated in
+ * mbedtls_test_get_tls13_ticket() forcing a HelloRetryRequest.
+ */
server_options.group_list = group_list + 1;
break;
@@ -4457,3 +4502,259 @@
PSA_DONE();
}
/* END_CASE */
+
+/*
+ * The !MBEDTLS_SSL_PROTO_TLS1_2 dependency of tls13_early_data() below is
+ * a temporary workaround to not run the test in Windows-2013 where there is
+ * an issue with mbedtls_vsnprintf().
+ */
+/* BEGIN_CASE depends_on:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
+void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, int write_size_arg)
+{
+ int ret = -1;
+ mbedtls_test_ssl_endpoint client_ep, server_ep;
+ mbedtls_test_handshake_test_options client_options;
+ mbedtls_test_handshake_test_options server_options;
+ mbedtls_ssl_session saved_session;
+ mbedtls_test_ssl_log_pattern server_pattern = { NULL, 0 };
+ uint16_t group_list[3] = {
+ MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
+ MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
+ MBEDTLS_SSL_IANA_TLS_GROUP_NONE
+ };
+ char pattern[128];
+ unsigned char *buf_write = NULL;
+ uint32_t write_size = (uint32_t) write_size_arg;
+ unsigned char *buf_read = NULL;
+ uint32_t read_size;
+ uint32_t expanded_early_data_chunk_size = 0;
+ uint32_t written_early_data_size = 0;
+ uint32_t max_early_data_size;
+
+ mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
+ mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
+ mbedtls_test_init_handshake_options(&client_options);
+ mbedtls_test_init_handshake_options(&server_options);
+ mbedtls_ssl_session_init(&saved_session);
+ PSA_INIT();
+
+ TEST_CALLOC(buf_write, write_size);
+
+ /*
+ * Allocate a smaller buffer for early data reading to exercise the reading
+ * of data in one record in multiple calls.
+ */
+ read_size = (write_size / 2) + 1;
+ TEST_CALLOC(buf_read, read_size);
+
+ /*
+ * Run first handshake to get a ticket from the server.
+ */
+
+ client_options.pk_alg = MBEDTLS_PK_ECDSA;
+ client_options.group_list = group_list;
+ client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
+ server_options.pk_alg = MBEDTLS_PK_ECDSA;
+ server_options.group_list = group_list;
+ server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
+ server_options.max_early_data_size = max_early_data_size_arg;
+
+ ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options,
+ &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Prepare for handshake with the ticket.
+ */
+ server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer;
+ server_options.srv_log_obj = &server_pattern;
+ server_pattern.pattern = pattern;
+
+ switch (scenario) {
+ case TEST_EARLY_DATA_ACCEPTED:
+ break;
+
+ case TEST_EARLY_DATA_SERVER_REJECTS:
+ server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
+ ret = mbedtls_snprintf(pattern, sizeof(pattern),
+ "EarlyData: deprotect and discard app data records.");
+ TEST_ASSERT(ret < (int) sizeof(pattern));
+ mbedtls_debug_set_threshold(3);
+ break;
+
+ case TEST_EARLY_DATA_HRR:
+ /*
+ * Remove server support for the group negotiated in
+ * mbedtls_test_get_tls13_ticket() forcing an HelloRetryRequest.
+ */
+ server_options.group_list = group_list + 1;
+ ret = mbedtls_snprintf(
+ pattern, sizeof(pattern),
+ "EarlyData: Ignore application message before 2nd ClientHello");
+ TEST_ASSERT(ret < (int) sizeof(pattern));
+ mbedtls_debug_set_threshold(3);
+ break;
+
+ default:
+ TEST_FAIL("Unknown scenario.");
+ }
+
+ ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
+ &client_options, NULL, NULL, NULL);
+ TEST_EQUAL(ret, 0);
+
+ ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
+ &server_options, NULL, NULL, NULL);
+ TEST_EQUAL(ret, 0);
+
+ mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
+ mbedtls_test_ticket_write,
+ mbedtls_test_ticket_parse,
+ NULL);
+
+ ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
+ &(server_ep.socket), 1024);
+ TEST_EQUAL(ret, 0);
+
+ max_early_data_size = saved_session.max_early_data_size;
+
+ ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
+ TEST_EQUAL(ret, 0);
+
+ /*
+ * Start an handshake based on the ticket up to the point where early data
+ * can be sent from client side. Then send in a loop as much early data as
+ * possible without going over the maximum permitted size for the ticket.
+ * Finally, do a last writting to go past that maximum permitted size and
+ * check that we detect it.
+ */
+ TEST_EQUAL(mbedtls_test_move_handshake_to_state(
+ &(client_ep.ssl), &(server_ep.ssl),
+ MBEDTLS_SSL_SERVER_HELLO), 0);
+
+ TEST_ASSERT(client_ep.ssl.early_data_status !=
+ MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT);
+
+ ret = mbedtls_ssl_handshake(&(server_ep.ssl));
+ TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ);
+
+ /*
+ * Write and if possible read as much as possible chunks of write_size
+ * bytes data without getting over the max_early_data_size limit.
+ */
+ do {
+ uint32_t read_early_data_size = 0;
+
+ /*
+ * The contents of the early data are not very important, write a
+ * pattern that varies byte-by-byte and is different for every chunk of
+ * early data.
+ */
+ if ((written_early_data_size + write_size) > max_early_data_size) {
+ break;
+ }
+
+ /*
+ * If the server rejected early data, base the determination of when
+ * to stop the loop on the expanded size (padding and encryption
+ * expansion) of early data on server side and the number of early data
+ * received so far by the server (multiple of the expanded size).
+ */
+ if ((expanded_early_data_chunk_size != 0) &&
+ ((server_ep.ssl.total_early_data_size +
+ expanded_early_data_chunk_size) > max_early_data_size)) {
+ break;
+ }
+
+ for (size_t i = 0; i < write_size; i++) {
+ buf_write[i] = (unsigned char) (written_early_data_size + i);
+ }
+
+ ret = write_early_data(&(client_ep.ssl), buf_write, write_size);
+ TEST_EQUAL(ret, write_size);
+ written_early_data_size += write_size;
+
+ switch (scenario) {
+ case TEST_EARLY_DATA_ACCEPTED:
+ while (read_early_data_size < write_size) {
+ ret = mbedtls_ssl_handshake(&(server_ep.ssl));
+ TEST_EQUAL(ret, MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA);
+
+ ret = mbedtls_ssl_read_early_data(&(server_ep.ssl),
+ buf_read, read_size);
+ TEST_ASSERT(ret > 0);
+
+ TEST_MEMORY_COMPARE(buf_read, ret,
+ buf_write + read_early_data_size, ret);
+ read_early_data_size += ret;
+
+ TEST_EQUAL(server_ep.ssl.total_early_data_size,
+ written_early_data_size);
+ }
+ break;
+
+ case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
+ case TEST_EARLY_DATA_HRR:
+ ret = mbedtls_ssl_handshake(&(server_ep.ssl));
+ /*
+ * In this write loop we try to always stay below the
+ * max_early_data_size limit but if max_early_data_size is very
+ * small we may exceed the max_early_data_size limit on the
+ * first write. In TEST_EARLY_DATA_SERVER_REJECTS/
+ * TEST_EARLY_DATA_HRR scenario, this is for sure the case if
+ * max_early_data_size is smaller than the smallest possible
+ * inner content/protected record. Take into account this
+ * possibility here but only for max_early_data_size values
+ * that are close to write_size. Below, '1' is for the inner
+ * type byte and '16' is to take into account some AEAD
+ * expansion (tag, ...).
+ */
+ if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE) {
+ if (scenario == TEST_EARLY_DATA_SERVER_REJECTS) {
+ TEST_LE_U(max_early_data_size,
+ write_size + 1 +
+ MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY);
+ } else {
+ TEST_LE_U(max_early_data_size,
+ write_size + 1 + 16 +
+ MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY);
+ }
+ goto exit;
+ }
+
+ TEST_ASSERT(ret == MBEDTLS_ERR_SSL_WANT_READ);
+
+ TEST_EQUAL(server_pattern.counter, 1);
+ server_pattern.counter = 0;
+ if (expanded_early_data_chunk_size == 0) {
+ expanded_early_data_chunk_size = server_ep.ssl.total_early_data_size;
+ }
+ break;
+ }
+ TEST_LE_U(server_ep.ssl.total_early_data_size, max_early_data_size);
+ } while (1);
+
+ mbedtls_debug_set_threshold(3);
+ ret = write_early_data(&(client_ep.ssl), buf_write, write_size);
+ TEST_EQUAL(ret, write_size);
+
+ ret = mbedtls_snprintf(pattern, sizeof(pattern),
+ "EarlyData: Too much early data received");
+ TEST_ASSERT(ret < (int) sizeof(pattern));
+
+ ret = mbedtls_ssl_handshake(&(server_ep.ssl));
+ TEST_EQUAL(ret, MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
+ TEST_EQUAL(server_pattern.counter, 1);
+
+exit:
+ mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
+ mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
+ mbedtls_test_free_handshake_options(&client_options);
+ mbedtls_test_free_handshake_options(&server_options);
+ mbedtls_ssl_session_free(&saved_session);
+ mbedtls_free(buf_write);
+ mbedtls_free(buf_read);
+ mbedtls_debug_set_threshold(0);
+ PSA_DONE();
+}
+/* END_CASE */