wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-02 04:04:39 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3249 from SparkiDev/tls13_early_data_fix

Browse Source 
TLS 1.3 Early Data: fix
This commit is contained in:
toddouska
2020-09-03 14:49:39 -07:00
committed by GitHub
parent db805524de db864be6a4
commit 9901eb9272
3 changed files with 100 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
examples/client/client.c
View File

@@ -978,7 +978,9 @@ static const char* client_usage_msg[][59] = {
#endif #endif
"-B <num> Benchmark throughput" "-B <num> Benchmark throughput"
" using <num> bytes and print stats\n", /* 15 */ " using <num> bytes and print stats\n", /* 15 */
#ifndef NO_PSK
"-s Use pre Shared keys\n", /* 16 */ "-s Use pre Shared keys\n", /* 16 */
#endif
"-d Disable peer checks\n", /* 17 */ "-d Disable peer checks\n", /* 17 */
"-D Override Date Errors example\n", /* 18 */ "-D Override Date Errors example\n", /* 18 */
"-e List Every cipher suite available, \n", /* 19 */ "-e List Every cipher suite available, \n", /* 19 */
@@ -1138,7 +1140,9 @@ static const char* client_usage_msg[][59] = {
#endif #endif
"-B <num> <num> バイトを用いてのベンチマーク・スループット測定" "-B <num> <num> バイトを用いてのベンチマーク・スループット測定"
"と結果を出力する\n", /* 15 */ "と結果を出力する\n", /* 15 */
#ifndef NO_PSK
"-s 事前共有鍵を使用する\n", /* 16 */ "-s 事前共有鍵を使用する\n", /* 16 */
#endif
"-d ピア確認を無効とする\n", /* 17 */ "-d ピア確認を無効とする\n", /* 17 */
"-D 日付エラー用コールバック例の上書きを行う\n", /* 18 */ "-D 日付エラー用コールバック例の上書きを行う\n", /* 18 */
"-e 利用可能な全ての暗号スイートをリスト, \n", /* 19 */ "-e 利用可能な全ての暗号スイートをリスト, \n", /* 19 */

78
scripts/tls13.test
View File

@@ -15,6 +15,10 @@ counter=0
# per source tree # per source tree
ready_file=`pwd`/wolfssl_tls13_ready$$ ready_file=`pwd`/wolfssl_tls13_ready$$
client_file=`pwd`/wolfssl_tls13_client$$ client_file=`pwd`/wolfssl_tls13_client$$
# Server output
server_out_file=`pwd`/wolfssl_tls13_server_out$$
# Client output
client_out_file=`pwd`/wolfssl_tls13_client_out$$
echo "ready file $ready_file" echo "ready file $ready_file"
@@ -53,12 +57,21 @@ do_cleanup() {
then then
echo "killing server" echo "killing server"
kill -9 $server_pid kill -9 $server_pid
server_pid=$no_pid
fi fi
remove_ready_file remove_ready_file
if [ -e $client_file ]; then if [ -e $client_file ]; then
echo -e "removing existing client file" echo -e "removing existing client file"
rm $client_file rm $client_file
fi fi
if [ -e $server_out_file ]; then
echo -e "removing existing server output file"
rm $server_out_file
fi
if [ -e $client_out_file ]; then
echo -e "removing existing client output file"
rm $client_out_file
fi
} }
do_trap() { do_trap() {
@@ -106,6 +119,7 @@ RESULT=$?
remove_ready_file remove_ready_file
if [ $RESULT -eq 0 ]; then if [ $RESULT -eq 0 ]; then
echo -e "\n\nIssue with mismatched TLS v1.3 cipher suites" echo -e "\n\nIssue with mismatched TLS v1.3 cipher suites"
do_cleanup
exit 1 exit 1
fi fi
do_cleanup do_cleanup
@@ -124,12 +138,14 @@ if [ $? -ne 0 ]; then
remove_ready_file remove_ready_file
if [ $RESULT -eq 0 ]; then if [ $RESULT -eq 0 ]; then
echo -e "\n\nIssue with requiring mutual authentication" echo -e "\n\nIssue with requiring mutual authentication"
do_cleanup
exit 1 exit 1
fi fi
do_cleanup do_cleanup
echo "" echo ""
fi fi
# Check for TLS 1.2 support
./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version' ./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version'
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
# TLS 1.3 server / TLS 1.2 client. # TLS 1.3 server / TLS 1.2 client.
@@ -143,6 +159,7 @@ if [ $? -ne 0 ]; then
remove_ready_file remove_ready_file
if [ $RESULT -eq 0 ]; then if [ $RESULT -eq 0 ]; then
echo -e "\n\nIssue with TLS v1.3 server downgrading to TLS v1.2" echo -e "\n\nIssue with TLS v1.3 server downgrading to TLS v1.2"
do_cleanup
exit 1 exit 1
fi fi
do_cleanup do_cleanup
@@ -159,6 +176,7 @@ if [ $? -ne 0 ]; then
remove_ready_file remove_ready_file
if [ $RESULT -eq 0 ]; then if [ $RESULT -eq 0 ]; then
echo -e "\n\nIssue with TLS v1.3 client upgrading server to TLS v1.3" echo -e "\n\nIssue with TLS v1.3 client upgrading server to TLS v1.3"
do_cleanup
exit 1 exit 1
fi fi
do_cleanup do_cleanup
@@ -189,6 +207,7 @@ if [ $? -ne 0 ]; then
remove_ready_file remove_ready_file
if [ $RESULT -eq 0 ]; then if [ $RESULT -eq 0 ]; then
echo -e "\n\nTLS v1.3 downgrading to TLS v1.2 due to ciphers" echo -e "\n\nTLS v1.3 downgrading to TLS v1.2 due to ciphers"
do_cleanup
exit 1 exit 1
fi fi
do_cleanup do_cleanup
@@ -198,6 +217,65 @@ if [ $? -ne 0 ]; then
fi fi
fi fi
# Check for EarlyData support
./examples/client/client -? 2>&1 | grep -- 'Early data'
if [ $? -eq 0 ]; then
early_data=yes
fi
./examples/client/client -? 2>&1 | grep -- 'Shared keys'
if [ $? -eq 0 ]; then
psk=yes
fi
if [ "$early_data" = "yes" ]; then
echo -e "\n\nTLS v1.3 Early Data - session ticket"
port=0
(./examples/server/server -v 4 -r -0 -R $ready_file -p $port 2>&1 | \
tee $server_out_file) &
server_pid=$!
create_port
./examples/client/client -v 4 -r -0 -p $port 2>&1 >$client_out_file
RESULT=$?
cat $client_out_file
remove_ready_file
grep 'Session Ticket' $client_out_file
session_ticket=$?
early_data_cnt=`grep 'Early Data' $server_out_file | wc -l`
if [ $session_ticket -eq 0 -a $early_data_cnt -ne 2 ]; then
RESULT=1
fi
if [ $RESULT -ne 0 ]; then
echo -e "\n\nIssue with TLS v1.3 Early DAta - session ticket"
do_cleanup
exit 1
fi
do_cleanup
echo ""
fi
if [ "$early_data" = "yes" -a "$psk" = "yes" ]; then
echo -e "\n\nTLS v1.3 Early Data - PSK"
port=0
(./examples/server/server -v 4 -s -0 -R $ready_file -p $port 2>&1 | \
tee $server_out_file) &
server_pid=$!
create_port
./examples/client/client -v 4 -s -0 -p $port
RESULT=$?
remove_ready_file
early_data_cnt=`grep 'Early Data' $server_out_file | wc -l`
if [ $early_data_cnt -ne 2 ]; then
RESULT=1
fi
if [ $RESULT -ne 0 ]; then
echo -e "\n\nIssue with TLS v1.3 Early DAta - session ticket"
do_cleanup
exit 1
fi
else
echo "Early data not available"
fi
do_cleanup do_cleanup
echo -e "\nALL Tests Passed" echo -e "\nALL Tests Passed"

23
src/internal.c
View File

@@ -14513,18 +14513,31 @@ int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx)
#ifdef WOLFSSL_EARLY_DATA #ifdef WOLFSSL_EARLY_DATA
if (ssl->options.tls1_3 && ssl->options.handShakeDone == 0) { if (ssl->options.tls1_3 && ssl->options.handShakeDone == 0) {
if (ssl->options.side == WOLFSSL_SERVER_END && int process = 0;
ssl->earlyData != no_early_data &&
ssl->options.clientState < CLIENT_FINISHED_COMPLETE) { if (ssl->options.side == WOLFSSL_SERVER_END) {
ssl->earlyDataSz += ssl->curSize; ssl->earlyDataSz += ssl->curSize;
if (ssl->earlyDataSz <= ssl->options.maxEarlyDataSz) { if ((ssl->earlyData != no_early_data) &&
(ssl->options.clientState == CLIENT_HELLO_COMPLETE)) {
process = 1;
}
if (!process && (ssl->earlyDataSz <= ssl->options.maxEarlyDataSz)) {
WOLFSSL_MSG("Ignoring EarlyData!"); WOLFSSL_MSG("Ignoring EarlyData!");
*inOutIdx = ssl->buffers.inputBuffer.length; *inOutIdx = ssl->buffers.inputBuffer.length;
return 0; return 0;
} }
WOLFSSL_MSG("Too much EarlyData!"); if (ssl->earlyDataSz > ssl->options.maxEarlyDataSz) {
WOLFSSL_MSG("Too much EarlyData!");
process = 0;
}
}
if (!process) {
WOLFSSL_MSG("Received App data before a handshake completed");
SendAlert(ssl, alert_fatal, unexpected_message);
return OUT_OF_ORDER_E;
} }
} }
else
#endif #endif
if (ssl->options.handShakeDone == 0) { if (ssl->options.handShakeDone == 0) {
WOLFSSL_MSG("Received App data before a handshake completed"); WOLFSSL_MSG("Received App data before a handshake completed");