tls13: Add allowed extesions constants.
- And refactor check_received_extension
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 8bd98b3..8ffdccb 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -134,76 +134,83 @@
* not specified for the message in which it appears, it MUST abort the handshake
* with an "illegal_parameter" alert.
*/
-#define MBEDTLS_SSL_EXT_UNRECOGNIZED ( 1U << 31 )
+
+/* Extensions that not recognized by TLS 1.3 */
+#define MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED \
+ ( MBEDTLS_SSL_EXT_MASK( SUPPORTED_POINT_FORMATS ) | \
+ MBEDTLS_SSL_EXT_MASK( ENCRYPT_THEN_MAC ) | \
+ MBEDTLS_SSL_EXT_MASK( EXTENDED_MASTER_SECRET ) | \
+ MBEDTLS_SSL_EXT_MASK( SESSION_TICKET ) | \
+ MBEDTLS_SSL_EXT_MASK( UNRECOGNIZED ) )
/* RFC 8446 section 4.2. Allowed extensions for ClienHello */
#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH \
- ( MBEDTLS_SSL_EXT_SERVERNAME | \
- MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH | \
- MBEDTLS_SSL_EXT_STATUS_REQUEST | \
- MBEDTLS_SSL_EXT_SUPPORTED_GROUPS | \
- MBEDTLS_SSL_EXT_SIG_ALG | \
- MBEDTLS_SSL_EXT_USE_SRTP | \
- MBEDTLS_SSL_EXT_HEARTBEAT | \
- MBEDTLS_SSL_EXT_ALPN | \
- MBEDTLS_SSL_EXT_SCT | \
- MBEDTLS_SSL_EXT_CLI_CERT_TYPE | \
- MBEDTLS_SSL_EXT_SERV_CERT_TYPE | \
- MBEDTLS_SSL_EXT_PADDING | \
- MBEDTLS_SSL_EXT_KEY_SHARE | \
- MBEDTLS_SSL_EXT_PRE_SHARED_KEY | \
- MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES | \
- MBEDTLS_SSL_EXT_EARLY_DATA | \
- MBEDTLS_SSL_EXT_COOKIE | \
- MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS | \
- MBEDTLS_SSL_EXT_CERT_AUTH | \
- MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH | \
- MBEDTLS_SSL_EXT_SIG_ALG_CERT | \
- MBEDTLS_SSL_EXT_UNRECOGNIZED )
+ ( MBEDTLS_SSL_EXT_MASK( SERVERNAME ) | \
+ MBEDTLS_SSL_EXT_MASK( MAX_FRAGMENT_LENGTH ) | \
+ MBEDTLS_SSL_EXT_MASK( STATUS_REQUEST ) | \
+ MBEDTLS_SSL_EXT_MASK( SUPPORTED_GROUPS ) | \
+ MBEDTLS_SSL_EXT_MASK( SIG_ALG ) | \
+ MBEDTLS_SSL_EXT_MASK( USE_SRTP ) | \
+ MBEDTLS_SSL_EXT_MASK( HEARTBEAT ) | \
+ MBEDTLS_SSL_EXT_MASK( ALPN ) | \
+ MBEDTLS_SSL_EXT_MASK( SCT ) | \
+ MBEDTLS_SSL_EXT_MASK( CLI_CERT_TYPE ) | \
+ MBEDTLS_SSL_EXT_MASK( SERV_CERT_TYPE ) | \
+ MBEDTLS_SSL_EXT_MASK( PADDING ) | \
+ MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) | \
+ MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | \
+ MBEDTLS_SSL_EXT_MASK( PSK_KEY_EXCHANGE_MODES ) | \
+ MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) | \
+ MBEDTLS_SSL_EXT_MASK( COOKIE ) | \
+ MBEDTLS_SSL_EXT_MASK( SUPPORTED_VERSIONS ) | \
+ MBEDTLS_SSL_EXT_MASK( CERT_AUTH ) | \
+ MBEDTLS_SSL_EXT_MASK( POST_HANDSHAKE_AUTH ) | \
+ MBEDTLS_SSL_EXT_MASK( SIG_ALG_CERT ) | \
+ MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED )
/* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */
#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE \
- ( MBEDTLS_SSL_EXT_SERVERNAME | \
- MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH | \
- MBEDTLS_SSL_EXT_SUPPORTED_GROUPS | \
- MBEDTLS_SSL_EXT_USE_SRTP | \
- MBEDTLS_SSL_EXT_HEARTBEAT | \
- MBEDTLS_SSL_EXT_ALPN | \
- MBEDTLS_SSL_EXT_CLI_CERT_TYPE | \
- MBEDTLS_SSL_EXT_SERV_CERT_TYPE | \
- MBEDTLS_SSL_EXT_EARLY_DATA )
+ ( MBEDTLS_SSL_EXT_MASK( SERVERNAME ) | \
+ MBEDTLS_SSL_EXT_MASK( MAX_FRAGMENT_LENGTH ) | \
+ MBEDTLS_SSL_EXT_MASK( SUPPORTED_GROUPS ) | \
+ MBEDTLS_SSL_EXT_MASK( USE_SRTP ) | \
+ MBEDTLS_SSL_EXT_MASK( HEARTBEAT ) | \
+ MBEDTLS_SSL_EXT_MASK( ALPN ) | \
+ MBEDTLS_SSL_EXT_MASK( CLI_CERT_TYPE ) | \
+ MBEDTLS_SSL_EXT_MASK( SERV_CERT_TYPE ) | \
+ MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) )
/* RFC 8446 section 4.2. Allowed extensions for CertificateRequest */
#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR \
- ( MBEDTLS_SSL_EXT_STATUS_REQUEST | \
- MBEDTLS_SSL_EXT_SIG_ALG | \
- MBEDTLS_SSL_EXT_SCT | \
- MBEDTLS_SSL_EXT_CERT_AUTH | \
- MBEDTLS_SSL_EXT_OID_FILTERS | \
- MBEDTLS_SSL_EXT_SIG_ALG_CERT | \
- MBEDTLS_SSL_EXT_UNRECOGNIZED )
+ ( MBEDTLS_SSL_EXT_MASK( STATUS_REQUEST ) | \
+ MBEDTLS_SSL_EXT_MASK( SIG_ALG ) | \
+ MBEDTLS_SSL_EXT_MASK( SCT ) | \
+ MBEDTLS_SSL_EXT_MASK( CERT_AUTH ) | \
+ MBEDTLS_SSL_EXT_MASK( OID_FILTERS ) | \
+ MBEDTLS_SSL_EXT_MASK( SIG_ALG_CERT ) | \
+ MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED )
/* RFC 8446 section 4.2. Allowed extensions for Certificate */
#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT \
- ( MBEDTLS_SSL_EXT_STATUS_REQUEST | \
- MBEDTLS_SSL_EXT_SCT )
+ ( MBEDTLS_SSL_EXT_MASK( STATUS_REQUEST ) | \
+ MBEDTLS_SSL_EXT_MASK( SCT ) )
/* RFC 8446 section 4.2. Allowed extensions for ServerHello */
#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH \
- ( MBEDTLS_SSL_EXT_KEY_SHARE | \
- MBEDTLS_SSL_EXT_PRE_SHARED_KEY | \
- MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS )
+ ( MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) | \
+ MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | \
+ MBEDTLS_SSL_EXT_MASK( SUPPORTED_VERSIONS ) )
/* RFC 8446 section 4.2. Allowed extensions for HelloRetryRequest */
#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR \
- ( MBEDTLS_SSL_EXT_KEY_SHARE | \
- MBEDTLS_SSL_EXT_COOKIE | \
- MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS )
+ ( MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) | \
+ MBEDTLS_SSL_EXT_MASK( COOKIE ) | \
+ MBEDTLS_SSL_EXT_MASK( SUPPORTED_VERSIONS ) )
/* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */
#define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST \
- ( MBEDTLS_SSL_EXT_EARLY_DATA | \
- MBEDTLS_SSL_EXT_UNRECOGNIZED )
+ ( MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) | \
+ MBEDTLS_SSL_TLS1_3_EXT_MASK_UNREOGNIZED )
/*
* Helper macros for function call with return check.
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index a52b4ca..1bbd7f0 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1685,28 +1685,22 @@
* with an "illegal_parameter" alert.
*
*/
-
int mbedtls_ssl_tls13_check_received_extension(
mbedtls_ssl_context *ssl,
int hs_msg_type,
unsigned int received_extension_type,
uint32_t hs_msg_allowed_extensions_mask )
{
-#if defined(MBEDTLS_DEBUG_C)
- const char *hs_msg_name = ssl_tls13_get_hs_msg_name( hs_msg_type );
-#endif
- uint32_t extension_mask = mbedtls_tls13_get_extension_mask( received_extension_type );
+ uint32_t extension_mask = mbedtls_ssl_get_extension_mask(
+ received_extension_type );
- MBEDTLS_SSL_DEBUG_MSG( 3,
- ( "%s : received %s(%x) extension",
- hs_msg_name,
- mbedtls_tls13_get_extension_name( received_extension_type ),
- (unsigned int)received_extension_type ) );
+ MBEDTLS_SSL_PRINT_EXT_TYPE(
+ 3, hs_msg_type, received_extension_type, "received" );
if( ( extension_mask & hs_msg_allowed_extensions_mask ) == 0 )
{
- MBEDTLS_SSL_DEBUG_MSG(
- 3, ( "%s : forbidden extension received.", hs_msg_name ) );
+ MBEDTLS_SSL_PRINT_EXT_TYPE(
+ 3, hs_msg_type, received_extension_type, "is illegal" );
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
@@ -1721,7 +1715,7 @@
switch( hs_msg_type )
{
case MBEDTLS_SSL_HS_SERVER_HELLO:
- case -MBEDTLS_SSL_HS_SERVER_HELLO: // HRR does not have IANA value.
+ case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST:
case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
case MBEDTLS_SSL_HS_CERTIFICATE:
/* Check if the received extension is sent by peer message.*/
@@ -1732,8 +1726,8 @@
return( 0 );
}
- MBEDTLS_SSL_DEBUG_MSG(
- 3, ( "%s : unexpected extension received.", hs_msg_name ) );
+ MBEDTLS_SSL_PRINT_EXT_TYPE(
+ 3, hs_msg_type, received_extension_type, "is unsupported" );
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
@@ -1741,3 +1735,4 @@
}
#endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */
+