From b5352f04894ce102707bdd3c9371409b6110a1f2 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 16 May 2019 12:39:07 +0100 Subject: [PATCH 01/13] Add Mbed TLS version to SSL sessions The format of serialized SSL sessions depends on the version and the configuration of Mbed TLS; attempts to restore sessions established in different versions and/or configurations lead to undefined behaviour. This commit adds an 3-byte version header to the serialized session generated and cleanly fails ticket parsing in case a session from a non-matching version of Mbed TLS is presented. --- library/ssl_tls.c | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 876457c4f..91a979356 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -47,6 +47,7 @@ #include "mbedtls/ssl.h" #include "mbedtls/ssl_internal.h" #include "mbedtls/platform_util.h" +#include "mbedtls/version.h" #include @@ -8775,10 +8776,22 @@ const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_co return( ssl->session ); } +/* + * Define ticket header determining Mbed TLS version + * and structure of the ticket. + */ + + static unsigned char ssl_serialized_session_header[] = { + MBEDTLS_VERSION_MAJOR, + MBEDTLS_VERSION_MINOR, + MBEDTLS_VERSION_PATCH, + }; + /* * Serialize a session in the following format: * (in the presentation language of TLS, RFC 8446 section 3) * + * opaque mbedtls_version[3]; // major, minor, patch * uint64 start_time; * uint8 ciphersuite[2]; // defined by the standard * uint8 compression; // 0 or 1 @@ -8811,6 +8824,19 @@ int mbedtls_ssl_session_save( const mbedtls_ssl_session *session, size_t cert_len; #endif + /* + * Add version identifier + */ + + used += sizeof( ssl_serialized_session_header ); + + if( used <= buf_len ) + { + memcpy( p, ssl_serialized_session_header, + sizeof( ssl_serialized_session_header ) ); + p += sizeof( ssl_serialized_session_header ); + } + /* * Time */ 
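Review bot: `ssl_serialized_session_header` in the second hunk is declared `static unsigned char`, although nothing visible writes to it. It is the reference value that incoming serialized sessions are compared against, so it should be read-only: `static const unsigned char ssl_serialized_session_header[] = {`. The declaration also carries a stray leading space. The same non-const declaration is kept in the hunks of patches 02/13 and 03/13.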
@@ -8964,6 +8990,21 @@ static int ssl_session_load( mbedtls_ssl_session *session, size_t cert_len; #endif /* MBEDTLS_X509_CRT_PARSE_C */ + /* + * Check version identifier + */ + + if( (size_t)( end - p ) < sizeof( ssl_serialized_session_header ) ) + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + + if( memcmp( p, ssl_serialized_session_header, + sizeof( ssl_serialized_session_header ) ) != 0 ) + { + /* A more specific error code might be used here. */ + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } + p += sizeof( ssl_serialized_session_header ); + /* * Time */ From 557fe9ffdeea8a358f89356ea462b492d2c7bc32 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 16 May 2019 12:41:07 +0100 Subject: [PATCH 02/13] Add configuration identifier to serialized SSL sessions This commit adds space for two bytes in the header of serizlied SSL sessions which can be used to determine the structure of the remaining serialized session in the respective version of Mbed TLS. Specifically, if parts of the session depend on whether specific compile-time options are set or not, the setting of these options can be encoded in the added space. This commit doesn't yet make use of the fields. --- library/ssl_tls.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 91a979356..e5bfff3ea 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
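Review bot: The new header check in ssl_session_load is a compatibility gate, not an integrity check, and the comment `Check version identifier` should say so. A buffer that merely starts with the expected bytes still reaches the field parsing that follows, so every later length must still be bounds-checked against `end`. Suggested comment: `/* Compatibility check only: a matching header does not authenticate the rest of the buffer. */`. The remark `/* A more specific error code might be used here. */` would be easier to track as a TODO that names the intended code. The body of ssl_session_load continues outside the hunk.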
@@ -8781,17 +8781,26 @@ const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_co * and structure of the ticket. */ - static unsigned char ssl_serialized_session_header[] = { - MBEDTLS_VERSION_MAJOR, - MBEDTLS_VERSION_MINOR, - MBEDTLS_VERSION_PATCH, - }; +static unsigned char ssl_serialized_session_header[] = { + MBEDTLS_VERSION_MAJOR, + MBEDTLS_VERSION_MINOR, + MBEDTLS_VERSION_PATCH, + 0xFF /* TBD */, + 0xFF /* TBD */ +}; /* * Serialize a session in the following format: * (in the presentation language of TLS, RFC 8446 section 3) * * opaque mbedtls_version[3]; // major, minor, patch + * opaque session_format[2]; // version-specific 16-bit field determining + * // the format of the remaining serialized + * // data. For example, it could be a bitfield + * // indicating the setting of those compile- + * // time configuration options influencing + * // the format of the serialized data. + * // Unused so far. * uint64 start_time; * uint8 ciphersuite[2]; // defined by the standard * uint8 compression; // 0 or 1 From 41527624f63a9804b8e46913e84c13803f084a5c Mon Sep 17 00:00:00 2001 
From: Hanno Becker Date: Thu, 16 May 2019 12:50:45 +0100 Subject: [PATCH 03/13] Encode relevant parts of the config in serialized session header This commit makes use of the added space in the session header to encode the state of those parts of the compile-time configuration which influence the structure of the serialized session in the present version of Mbed TLS. Specifically, these are - the options which influence the presence/omission of fields from mbedtls_ssl_session (which is currently shallow-copied into the serialized session) - the setting of MBEDTLS_X509_CRT_PARSE_C, which determines whether the serialized session contains a CRT-length + CRT-value pair after the shallow-copied mbedtls_ssl_session instance. - the setting of MBEDTLS_SSL_SESSION_TICKETS, which determines whether the serialized session contains a session ticket. --- library/ssl_tls.c | 96 ++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 90 insertions(+), 6 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index e5bfff3ea..df5247cf3 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -8781,12 +8781,81 @@ const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_co * and structure of the ticket. */ +/* + * Define bitflag determining structure of mbedtls_ssl_session. + */ + +#if defined(MBEDTLS_HAVE_TIME) +#define SSL_SERIALIZED_SESSION_STRUCT_TIME_BIT 1 +#else +#define SSL_SERIALIZED_SESSION_STRUCT_TIME_BIT 0 +#endif /* MBEDTLS_HAVE_TIME */ + +#if defined(MBEDTLS_X509_CRT_PARSE_C) +#define SSL_SERIALIZED_SESSION_STRUCT_CRT_BIT 1 +#else +#define SSL_SERIALIZED_SESSION_STRUCT_CRT_BIT 0 +#endif /* MBEDTLS_X509_CRT_PARSE_C */ + +#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS) +#define SSL_SERIALIZED_SESSION_STRUCT_CLIENT_BIT 1 +#else +#define SSL_SERIALIZED_SESSION_STRUCT_CLIENT_BIT 0 +#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */ + +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) +#define SSL_SERIALIZED_SESSION_STRUCT_MFL_BIT 1 +#else +#define SSL_SERIALIZED_SESSION_STRUCT_MFL_BIT 0 +#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ + +#if defined(MBEDTLS_SSL_TRUNCATED_HMAC) +#define SSL_SERIALIZED_SESSION_STRUCT_TRUNC_HMAC_BIT 1 +#else +#define SSL_SERIALIZED_SESSION_STRUCT_TRUNC_HMAC_BIT 0 +#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ + +#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) +#define SSL_SERIALIZED_SESSION_STRUCT_ETM_BIT 1 +#else +#define SSL_SERIALIZED_SESSION_STRUCT_ETM_BIT 0 +#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ + +#define SSL_SERIALIZED_SESSION_STRUCT_BYTE \ + ( (uint8_t) ( ( SSL_SERIALIZED_SESSION_STRUCT_TIME_BIT << 0 ) | \ + ( SSL_SERIALIZED_SESSION_STRUCT_CRT_BIT << 1 ) | \ + ( SSL_SERIALIZED_SESSION_STRUCT_CLIENT_BIT << 2 ) | \ + ( SSL_SERIALIZED_SESSION_STRUCT_MFL_BIT << 3 ) | \ + ( SSL_SERIALIZED_SESSION_STRUCT_TRUNC_HMAC_BIT << 4 ) | \ + ( SSL_SERIALIZED_SESSION_STRUCT_ETM_BIT << 5 ) ) ) + +/* + * Define bitflag determining compile-time settings influencing + * structure of the ticket outside of the session structure. 
+ */ + +#if defined(MBEDTLS_X509_CRT_PARSE_C) +#define SSL_SERIALIZED_SESSION_CONFIG_CRT 1 +#else +#define SSL_SERIALIZED_SESSION_CONFIG_CRT 0 +#endif /* MBEDTLS_X509_CRT_PARSE_C */ + +#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1 +#else +#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0 +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ + +#define SSL_SERIALIZED_SESSION_CONFIG_BYTE \ + ( (uint8_t) ( ( SSL_SERIALIZED_SESSION_CONFIG_CRT << 0 ) | \ + ( SSL_SERIALIZED_SESSION_CONFIG_TICKET << 1 ) ) ) + static unsigned char ssl_serialized_session_header[] = { - MBEDTLS_VERSION_MAJOR, - MBEDTLS_VERSION_MINOR, - MBEDTLS_VERSION_PATCH, - 0xFF /* TBD */, - 0xFF /* TBD */ + MBEDTLS_VERSION_MAJOR, + MBEDTLS_VERSION_MINOR, + MBEDTLS_VERSION_PATCH, + SSL_SERIALIZED_SESSION_STRUCT_BYTE, + SSL_SERIALIZED_SESSION_CONFIG_BYTE }; /* @@ -8800,7 +8869,22 @@ static unsigned char ssl_serialized_session_header[] = { * // indicating the setting of those compile- * // time configuration options influencing * // the format of the serialized data. - * // Unused so far. + * // + * // In this version, we use: + * // - Bits 8-15 (second byte) + * // Bitflag determining structure of + * // mbedtls_ssl_session + * // - Bit 0: + * // 0/1 depending on state of + * // MBEDTLS_X509_CRT_PARSE_C. + * // This determines whether the session + * // is followed by a certificate. + * // - Bit 1: + * // 0/1 depending on state of + * // MBEDTLS_SSL_SESSION_TICKETS + * // This determines whether the certificate + * // is followed by a session ticket. + * // - Bits 2-7: Unused so far * uint64 start_time; * uint8 ciphersuite[2]; // defined by the standard * uint8 compression; // 0 or 1 From f99ec2618da85e0b137be97eb2f2725758b672c6 Mon Sep 17 00:00:00 2001 
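Review bot: The layout comment added in the second hunk does not match the header array built in the first. The array stores `SSL_SERIALIZED_SESSION_STRUCT_BYTE` before `SSL_SERIALIZED_SESSION_CONFIG_BYTE`, while the comment calls the struct bitflag "Bits 8-15 (second byte)" and then lists "Bit 0" and "Bit 1" without saying which byte they belong to. The six struct bits (TIME, CRT, CLIENT, MFL, TRUNC_HMAC, ETM) are not listed at all. Describing the field by byte index, for example `session_format[0]: structure of mbedtls_ssl_session, bits 0-5 = TIME, CRT, CLIENT, MFL, TRUNC_HMAC, ETM` and `session_format[1]: bit 0 = CRT, bit 1 = TICKET`, would remove the ambiguity.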
From: Hanno Becker Date: Tue, 21 May 2019 16:39:30 +0100 Subject: [PATCH 04/13] Add negative tests for unexpected ver/cfg in session deserialization --- tests/suites/test_suite_ssl.data | 12 +++++++ tests/suites/test_suite_ssl.function | 50 ++++++++++++++++++++++++++++ 2 files changed, 62 insertions(+) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index aca26a9cc..a1a62d03f 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -58,6 +58,18 @@ ssl_dtls_replay:"abcd12340000abcd12340100":"abcd123400ff":0 SSL SET_HOSTNAME memory leak: call ssl_set_hostname twice ssl_set_hostname_twice:"server0":"server1" +SSL session serialization: Wrong major version +ssl_session_serialize_version_check:1:0:0:0 + +SSL session serialization: Wrong minor version +ssl_session_serialize_version_check:1:0:0:0 + +SSL session serialization: Wrong patch version +ssl_session_serialize_version_check:1:0:0:0 + +SSL session serialization: Wrong config +ssl_session_serialize_version_check:1:0:0:0 + Record crypt, AES-128-CBC, 1.2, SHA-384 depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SHA512_C ssl_crypt_record:MBEDTLS_CIPHER_AES_128_CBC:MBEDTLS_MD_SHA384:0:0:MBEDTLS_SSL_MINOR_VERSION_3:0:0 diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 1b5501848..a776fdf91 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function 
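Review bot: All four new cases pass `1:0:0:0`, so the minor-version, patch-version and config cases only flip the major-version byte and never exercise the field their titles name. Each vector should select one field: `0:1:0:0`, `0:0:1:0` and `0:0:0:1`. Patch 05/13 of this series makes that change, but under a spelling-only subject line.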
@@ -851,3 +851,53 @@ exit: mbedtls_free( bad_buf ); } /* END_CASE */ + +/* BEGIN_CASE depends_on:!MBEDTLS_SSL_SERIALIZED_STRUCTURES_LOCAL_ONLY */ +void ssl_session_serialize_version_check( int corrupt_major, + int corrupt_minor, + int corrupt_patch, + int corrupt_config ) +{ + unsigned char serialized_session[ 2048 ]; + size_t serialized_session_len; + + mbedtls_ssl_session session; + mbedtls_ssl_session_init( &session ); + + /* Infer length of serialized session. */ + TEST_ASSERT( mbedtls_ssl_session_save( &session, + serialized_session, + sizeof( serialized_session ), + &serialized_session_len ) == 0 ); + + mbedtls_ssl_session_free( &session ); + + /* Without any modification, we should be able to successfully + * de-serialize the session - double-check that. */ + TEST_ASSERT( mbedtls_ssl_session_load( &session, + serialized_session, + serialized_session_len ) == 0 ); + mbedtls_ssl_session_free( &session ); + + if( corrupt_major ) + serialized_session[0] ^= (uint8_t) 0x1; + + if( corrupt_minor ) + serialized_session[1] ^= (uint8_t) 0x1; + + if( corrupt_patch ) + serialized_session[2] ^= (uint8_t) 0x1; + + if( corrupt_config ) + { + serialized_session[3] ^= (uint8_t) 0x1; + serialized_session[4] ^= (uint8_t) 0x1; + serialized_session[5] ^= (uint8_t) 0x1; + } + + TEST_ASSERT( mbedtls_ssl_session_load( &session, + serialized_session, + serialized_session_len ) == + MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); +} +/* END_CASE */ From cb9ba0f43c3379cedc24b0ee44c3a8ca8922614b Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 28 May 2019 13:58:14 +0100 Subject: [PATCH 05/13] Use consistent spelling of 'serialise/serialize' in SSL test suite --- tests/suites/test_suite_ssl.data | 14 +++++----- tests/suites/test_suite_ssl.function | 38 ++++++++++++++-------------- 2 files changed, 26 insertions(+), 26 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index a1a62d03f..819162943 100644 --- a/tests/suites/test_suite_ssl.data 
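Review bot: The `corrupt_config` branch also flips `serialized_session[5]`, which lies outside the header. The header built in library/ssl_tls.c is five bytes (three version bytes plus two format bytes), so index 5 is the first payload byte and not part of the config identifier. The assertion still passes because byte 3 is already corrupted, but the test then claims more than it checks; restrict the branch to `serialized_session[3]` and `serialized_session[4]`. It would also help to assert `serialized_session_len >= 5` before modifying the buffer, so a format change cannot turn the corruption into a no-op.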
+++ b/tests/suites/test_suite_ssl.data @@ -59,16 +59,16 @@ SSL SET_HOSTNAME memory leak: call ssl_set_hostname twice ssl_set_hostname_twice:"server0":"server1" SSL session serialization: Wrong major version -ssl_session_serialize_version_check:1:0:0:0 +ssl_session_serialise_version_check:1:0:0:0 -SSL session serialization: Wrong minor version -ssl_session_serialize_version_check:1:0:0:0 +SSL session serialisation: Wrong minor version +ssl_session_serialise_version_check:0:1:0:0 -SSL session serialization: Wrong patch version -ssl_session_serialize_version_check:1:0:0:0 +SSL session serialisation: Wrong patch version +ssl_session_serialise_version_check:0:0:1:0 -SSL session serialization: Wrong config -ssl_session_serialize_version_check:1:0:0:0 +SSL session serialisation: Wrong config +ssl_session_serialise_version_check:0:0:0:1 Record crypt, AES-128-CBC, 1.2, SHA-384 depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SHA512_C diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index a776fdf91..64a534c33 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function 
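Review bot: The first case title is left as `SSL session serialization: Wrong major version` while the other three become `serialisation`, so the titles end up less consistent than before. This hunk also changes the argument vectors of three cases from `1:0:0:0` to `0:1:0:0`, `0:0:1:0` and `0:0:0:1`. That is a functional test fix rather than a spelling change, and it should be in its own commit or at least be mentioned in the commit message.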
@@ -852,52 +852,52 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:!MBEDTLS_SSL_SERIALIZED_STRUCTURES_LOCAL_ONLY */ -void ssl_session_serialize_version_check( int corrupt_major, +/* BEGIN_CASE depends_on */ +void ssl_session_serialise_version_check( int corrupt_major, int corrupt_minor, int corrupt_patch, int corrupt_config ) { - unsigned char serialized_session[ 2048 ]; - size_t serialized_session_len; + unsigned char serialised_session[ 2048 ]; + size_t serialised_session_len; mbedtls_ssl_session session; mbedtls_ssl_session_init( &session ); - /* Infer length of serialized session. */ + /* Infer length of serialised session. */ TEST_ASSERT( mbedtls_ssl_session_save( &session, - serialized_session, - sizeof( serialized_session ), - &serialized_session_len ) == 0 ); + serialised_session, + sizeof( serialised_session ), + &serialised_session_len ) == 0 ); mbedtls_ssl_session_free( &session ); /* Without any modification, we should be able to successfully - * de-serialize the session - double-check that. */ + * de-serialise the session - double-check that. 
*/ TEST_ASSERT( mbedtls_ssl_session_load( &session, - serialized_session, - serialized_session_len ) == 0 ); + serialised_session, + serialised_session_len ) == 0 ); mbedtls_ssl_session_free( &session ); if( corrupt_major ) - serialized_session[0] ^= (uint8_t) 0x1; + serialised_session[0] ^= (uint8_t) 0x1; if( corrupt_minor ) - serialized_session[1] ^= (uint8_t) 0x1; + serialised_session[1] ^= (uint8_t) 0x1; if( corrupt_patch ) - serialized_session[2] ^= (uint8_t) 0x1; + serialised_session[2] ^= (uint8_t) 0x1; if( corrupt_config ) { - serialized_session[3] ^= (uint8_t) 0x1; - serialized_session[4] ^= (uint8_t) 0x1; - serialized_session[5] ^= (uint8_t) 0x1; + serialised_session[3] ^= (uint8_t) 0x1; + serialised_session[4] ^= (uint8_t) 0x1; + serialised_session[5] ^= (uint8_t) 0x1; } TEST_ASSERT( mbedtls_ssl_session_load( &session, - serialized_session, - serialized_session_len ) == + serialised_session, + serialised_session_len ) == MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } /* END_CASE */ From 1d8b6d7b1286b045b14c0d859474d39525e90395 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 28 May 2019 13:59:44 +0100 Subject: [PATCH 06/13] Session serialization: Fail with BAD_INPUT_DATA if buffer too small --- library/ssl_tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index df5247cf3..ebdc1d093 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -9088,7 +9088,7 @@ static int ssl_session_load( mbedtls_ssl_session *session, */ if( (size_t)( end - p ) < sizeof( ssl_serialized_session_header ) ) - return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); if( memcmp( p, ssl_serialized_session_header, sizeof( ssl_serialized_session_header ) ) != 0 ) From 26829e99b2282fc8088f6318a565808226a65555 Mon Sep 17 00:00:00 2001 
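Review bot: `/* BEGIN_CASE depends_on */` leaves a `depends_on` keyword with no dependency list, and the guard on `!MBEDTLS_SSL_SERIALIZED_STRUCTURES_LOCAL_ONLY` is dropped without mention in a commit described as a spelling change. How the test generator treats the bare keyword is not visible here. If the dependency is no longer wanted, the marker should be plain `/* BEGIN_CASE */`; otherwise keep `/* BEGIN_CASE depends_on:!MBEDTLS_SSL_SERIALIZED_STRUCTURES_LOCAL_ONLY */`.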
From: Hanno Becker Date: Tue, 28 May 2019 14:30:45 +0100 Subject: [PATCH 07/13] Improve doc'n of config-identifying bitfield in serialized session --- library/ssl_tls.c | 121 +++++++++++++++++++--------------------------- 1 file changed, 51 insertions(+), 70 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ebdc1d093..ceff3596d 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -8782,122 +8782,103 @@ const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_co */ /* - * Define bitflag determining structure of mbedtls_ssl_session. + * Define bitflag determining compile-time settings influencing + * structure of serialized SSL sessions. */ -#if defined(MBEDTLS_HAVE_TIME) -#define SSL_SERIALIZED_SESSION_STRUCT_TIME_BIT 1 +#if defined(MBEDTLS_SSL_SERIALIZED_STRUCTURES_LOCAL_ONLY) +#define SSL_SERIALIZED_SESSION_CONFIG_LOCAL 1 #else -#define SSL_SERIALIZED_SESSION_STRUCT_TIME_BIT 0 +#define SSL_SERIALIZED_SESSION_CONFIG_LOCAL 0 +#endif /* MBEDTLS_SSL_SERIALIZED_STRUCTURES_LOCAL_ONLY */ + +#if defined(MBEDTLS_HAVE_TIME) +#define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 1 +#else +#define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0 #endif /* MBEDTLS_HAVE_TIME */ #if defined(MBEDTLS_X509_CRT_PARSE_C) -#define SSL_SERIALIZED_SESSION_STRUCT_CRT_BIT 1 +#define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1 #else -#define SSL_SERIALIZED_SESSION_STRUCT_CRT_BIT 0 +#define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 0 #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS) -#define SSL_SERIALIZED_SESSION_STRUCT_CLIENT_BIT 1 +#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 1 #else -#define SSL_SERIALIZED_SESSION_STRUCT_CLIENT_BIT 0 +#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 0 #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) -#define SSL_SERIALIZED_SESSION_STRUCT_MFL_BIT 1 +#define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 1 #else -#define SSL_SERIALIZED_SESSION_STRUCT_MFL_BIT 0 +#define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 0 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) -#define SSL_SERIALIZED_SESSION_STRUCT_TRUNC_HMAC_BIT 1 +#define SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC_BIT 1 #else -#define SSL_SERIALIZED_SESSION_STRUCT_TRUNC_HMAC_BIT 0 +#define 
SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC_BIT 0 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) -#define SSL_SERIALIZED_SESSION_STRUCT_ETM_BIT 1 +#define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 1 #else -#define SSL_SERIALIZED_SESSION_STRUCT_ETM_BIT 0 +#define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 0 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ -#define SSL_SERIALIZED_SESSION_STRUCT_BYTE \ - ( (uint8_t) ( ( SSL_SERIALIZED_SESSION_STRUCT_TIME_BIT << 0 ) | \ - ( SSL_SERIALIZED_SESSION_STRUCT_CRT_BIT << 1 ) | \ - ( SSL_SERIALIZED_SESSION_STRUCT_CLIENT_BIT << 2 ) | \ - ( SSL_SERIALIZED_SESSION_STRUCT_MFL_BIT << 3 ) | \ - ( SSL_SERIALIZED_SESSION_STRUCT_TRUNC_HMAC_BIT << 4 ) | \ - ( SSL_SERIALIZED_SESSION_STRUCT_ETM_BIT << 5 ) ) ) - -/* - * Define bitflag determining compile-time settings influencing - * structure of the ticket outside of the session structure. - */ - -#if defined(MBEDTLS_X509_CRT_PARSE_C) -#define SSL_SERIALIZED_SESSION_CONFIG_CRT 1 -#else -#define SSL_SERIALIZED_SESSION_CONFIG_CRT 0 -#endif /* MBEDTLS_X509_CRT_PARSE_C */ - #if defined(MBEDTLS_SSL_SESSION_TICKETS) #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1 #else #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ -#define SSL_SERIALIZED_SESSION_CONFIG_BYTE \ - ( (uint8_t) ( ( SSL_SERIALIZED_SESSION_CONFIG_CRT << 0 ) | \ - ( SSL_SERIALIZED_SESSION_CONFIG_TICKET << 1 ) ) ) +#define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \ + ( (uint16_t) ( ( SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT << 0 ) | \ + ( SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT << 1 ) | \ + ( SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT << 2 ) | \ + ( SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT << 3 ) | \ + ( SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC_BIT << 4 ) | \ + ( SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT << 5 ) | \ + ( SSL_SERIALIZED_SESSION_CONFIG_CRT << 6 ) | \ + ( SSL_SERIALIZED_SESSION_CONFIG_TICKET << 7 ) | \ + ( SSL_SERIALIZED_SESSION_CONFIG_LOCAL << 8 ) ) ) static unsigned char 
ssl_serialized_session_header[] = { MBEDTLS_VERSION_MAJOR, MBEDTLS_VERSION_MINOR, MBEDTLS_VERSION_PATCH, - SSL_SERIALIZED_SESSION_STRUCT_BYTE, - SSL_SERIALIZED_SESSION_CONFIG_BYTE + ( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG >> 8 ) & 0xFF, + ( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG >> 0 ) & 0xFF, }; /* * Serialize a session in the following format: * (in the presentation language of TLS, RFC 8446 section 3) * - * opaque mbedtls_version[3]; // major, minor, patch - * opaque session_format[2]; // version-specific 16-bit field determining - * // the format of the remaining serialized - * // data. For example, it could be a bitfield - * // indicating the setting of those compile- - * // time configuration options influencing - * // the format of the serialized data. - * // - * // In this version, we use: - * // - Bits 8-15 (second byte) - * // Bitflag determining structure of - * // mbedtls_ssl_session - * // - Bit 0: - * // 0/1 depending on state of - * // MBEDTLS_X509_CRT_PARSE_C. - * // This determines whether the session - * // is followed by a certificate. - * // - Bit 1: - * // 0/1 depending on state of - * // MBEDTLS_SSL_SESSION_TICKETS - * // This determines whether the certificate - * // is followed by a session ticket. - * // - Bits 2-7: Unused so far + * opaque mbedtls_version[3]; // major, minor, patch + * opaque session_format[2]; // version-specific 16-bit field determining + * // the format of the remaining + * // serialized data. + * // In this version, this indicates whether + * // MBEDTLS_SSL_SERIALIZED_STRUCTURES_LOCAL_ONLY + * // is set, plus the setting of those compile- + * // time configuration options which influence + * // the structure of mbedtls_ssl_session. 
* uint64 start_time; - * uint8 ciphersuite[2]; // defined by the standard - * uint8 compression; // 0 or 1 - * uint8 session_id_len; // at most 32 + * uint8 ciphersuite[2]; // defined by the standard + * uint8 compression; // 0 or 1 + * uint8 session_id_len; // at most 32 * opaque session_id[32]; - * opaque master[48]; // fixed length in the standard + * opaque master[48]; // fixed length in the standard * uint32 verify_result; - * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert - * opaque ticket<0..2^24-1>; // length 0 means no ticket + * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert + * opaque ticket<0..2^24-1>; // length 0 means no ticket * uint32 ticket_lifetime; - * uint8 mfl_code; // up to 255 according to standard - * uint8 trunc_hmac; // 0 or 1 - * uint8 encrypt_then_mac; // 0 or 1 + * uint8 mfl_code; // up to 255 according to standard + * uint8 trunc_hmac; // 0 or 1 + * uint8 encrypt_then_mac; // 0 or 1 * * The order is the same as in the definition of the structure, except * verify_result is put before peer_cert so that all mandatory fields come From b36db4f36855ac4f6292f0597fdcf6bfd6bde30d Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 29 May 2019 11:08:00 +0100 Subject: [PATCH 08/13] Note that ver+fmt bytes in serialized data must not be removed --- library/ssl_tls.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ceff3596d..26d3b589d 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
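Review bot: `SSL_SERIALIZED_SESSION_CONFIG_BITFLAG` still contains `( SSL_SERIALIZED_SESSION_CONFIG_CRT << 6 )`, but this hunk deletes the `#if defined(MBEDTLS_X509_CRT_PARSE_C)` block that defined `SSL_SERIALIZED_SESSION_CONFIG_CRT`. Unless the name is defined outside the hunk, the header initializer will not compile at this commit. The term is also redundant with `( SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT << 1 )`, which is derived from the same option, so dropping the `<< 6` line is the smaller fix. Patch 09/13 reintroduces the name later, but each commit should build on its own so the series can be bisected.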
@@ -8861,7 +8861,12 @@ static unsigned char ssl_serialized_session_header[] = { * opaque session_format[2]; // version-specific 16-bit field determining * // the format of the remaining * // serialized data. - * // In this version, this indicates whether + * + * Note: When updating the format, remember to keep + * these version+format bytes. + * + * // In this version, `session_format` + * // indicates whether * // MBEDTLS_SSL_SERIALIZED_STRUCTURES_LOCAL_ONLY * // is set, plus the setting of those compile- * // time configuration options which influence From baf968cf69a40d0008b5dd3e0da8d9882f2d8ffb Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 29 May 2019 11:10:18 +0100 Subject: [PATCH 09/13] Use def'n consts for bits in config-identifier of serialized data --- library/ssl_tls.c | 51 ++++++++++++++++++++++++++++------------------- 1 file changed, 30 insertions(+), 21 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 26d3b589d..cc4217171 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
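Review bot: The added note says to "keep these version+format bytes" without saying what keeping them means. It also sits in the middle of the `session_format` description, splitting the sentence about what the field indicates. ssl_session_load compares the header at the very start of the buffer, so the constraint is presumably that these bytes stay first and keep their width. Suggested wording, placed after the field description: `Note: the version and format bytes must remain the first five bytes of any future format, so that a mismatching build can recognise and reject the data.`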
@@ -8793,39 +8793,39 @@ const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_co #endif /* MBEDTLS_SSL_SERIALIZED_STRUCTURES_LOCAL_ONLY */ #if defined(MBEDTLS_HAVE_TIME) -#define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 1 +#define SSL_SERIALIZED_SESSION_CONFIG_TIME 1 #else -#define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0 +#define SSL_SERIALIZED_SESSION_CONFIG_TIME 0 #endif /* MBEDTLS_HAVE_TIME */ #if defined(MBEDTLS_X509_CRT_PARSE_C) -#define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1 +#define SSL_SERIALIZED_SESSION_CONFIG_CRT 1 #else -#define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 0 +#define SSL_SERIALIZED_SESSION_CONFIG_CRT 0 #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS) -#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 1 +#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1 #else -#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 0 +#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0 #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) -#define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 1 +#define SSL_SERIALIZED_SESSION_CONFIG_MFL 1 #else -#define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 0 +#define SSL_SERIALIZED_SESSION_CONFIG_MFL 0 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) -#define SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC_BIT 1 +#define SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC 1 #else -#define SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC_BIT 0 +#define SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC 0 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) -#define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 1 +#define SSL_SERIALIZED_SESSION_CONFIG_ETM 1 #else -#define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 0 +#define SSL_SERIALIZED_SESSION_CONFIG_ETM 0 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) 
@@ -8834,16 +8834,25 @@ const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_co #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ +#define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0 +#define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1 +#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2 +#define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3 +#define SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC_BIT 4 +#define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 5 +#define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 6 +#define SSL_SERIALIZED_SESSION_CONFIG_LOCAL_BIT 7 + #define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \ - ( (uint16_t) ( ( SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT << 0 ) | \ - ( SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT << 1 ) | \ - ( SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT << 2 ) | \ - ( SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT << 3 ) | \ - ( SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC_BIT << 4 ) | \ - ( SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT << 5 ) | \ - ( SSL_SERIALIZED_SESSION_CONFIG_CRT << 6 ) | \ - ( SSL_SERIALIZED_SESSION_CONFIG_TICKET << 7 ) | \ - ( SSL_SERIALIZED_SESSION_CONFIG_LOCAL << 8 ) ) ) + ( (uint16_t) ( \ + ( SSL_SERIALIZED_SESSION_CONFIG_TIME << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT ) | \ + ( SSL_SERIALIZED_SESSION_CONFIG_CRT << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT ) | \ + ( SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT ) | \ + ( SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT ) | \ + ( SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC << SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC_BIT ) | \ + ( SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT ) | \ + ( SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT ) | \ + ( SSL_SERIALIZED_SESSION_CONFIG_LOCAL << SSL_SERIALIZED_SESSION_CONFIG_LOCAL_BIT ) ) ) static unsigned char ssl_serialized_session_header[] = { MBEDTLS_VERSION_MAJOR, 
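Review bot: The new `*_BIT` position constants define the serialized layout of `session_format`, but nothing tells a maintainer that they must not be renumbered or reused. This hunk itself moves TICKET from bit 7 to bit 6 and LOCAL from bit 8 to bit 7 while the version bytes in the header stay the same. Add a comment above the block, for example `/* Bit positions are part of the serialized format; changing one changes which data builds of the same version accept. */`. With every flag now in bits 0-7, the high byte of the 16-bit field is always zero, which the format comment should state.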
From 08ec129dd89f0ea11fbf4e82b815ec59c0bc0775 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 29 May 2019 12:44:28 +0100 Subject: [PATCH 10/13] Use US spelling 'serialize' instead of UK spelling 'serialise' --- tests/suites/test_suite_ssl.data | 14 ++++---- tests/suites/test_suite_ssl.function | 52 ++++++++++++++-------------- 2 files changed, 33 insertions(+), 33 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 819162943..edb87d888 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -59,16 +59,16 @@ SSL SET_HOSTNAME memory leak: call ssl_set_hostname twice ssl_set_hostname_twice:"server0":"server1" SSL session serialization: Wrong major version -ssl_session_serialise_version_check:1:0:0:0 +ssl_session_serialize_version_check:1:0:0:0 -SSL session serialisation: Wrong minor version -ssl_session_serialise_version_check:0:1:0:0 +SSL session serialization: Wrong minor version +ssl_session_serialize_version_check:0:1:0:0 -SSL session serialisation: Wrong patch version -ssl_session_serialise_version_check:0:0:1:0 +SSL session serialization: Wrong patch version +ssl_session_serialize_version_check:0:0:1:0 -SSL session serialisation: Wrong config -ssl_session_serialise_version_check:0:0:0:1 +SSL session serialization: Wrong config +ssl_session_serialize_version_check:0:0:0:1 Record crypt, AES-128-CBC, 1.2, SHA-384 depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SHA512_C diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 64a534c33..bc371ac8f 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function 
@@ -852,52 +852,52 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on */ -void ssl_session_serialise_version_check( int corrupt_major, +/* BEGIN_CASE */ +void ssl_session_serialize_version_check( int corrupt_major, int corrupt_minor, int corrupt_patch, int corrupt_config ) { - unsigned char serialised_session[ 2048 ]; - size_t serialised_session_len; + unsigned char serialized_session[ 2048 ]; + size_t serialized_session_len; mbedtls_ssl_session session; mbedtls_ssl_session_init( &session ); - /* Infer length of serialised session. */ + /* Infer length of serialized session. */ TEST_ASSERT( mbedtls_ssl_session_save( &session, - serialised_session, - sizeof( serialised_session ), - &serialised_session_len ) == 0 ); + serialized_session, + sizeof( serialized_session ), + &serialized_session_len ) == 0 ); - mbedtls_ssl_session_free( &session ); + mbedtls_ssl_session_free( &session ); - /* Without any modification, we should be able to successfully - * de-serialise the session - double-check that. */ + /* Without any modification, we should be able to successfully + * de-serialize the session - double-check that. 
*/ TEST_ASSERT( mbedtls_ssl_session_load( &session, - serialised_session, - serialised_session_len ) == 0 ); + serialized_session, + serialized_session_len ) == 0 ); mbedtls_ssl_session_free( &session ); - if( corrupt_major ) - serialised_session[0] ^= (uint8_t) 0x1; + if( corrupt_major ) + serialized_session[0] ^= (uint8_t) 0x1; - if( corrupt_minor ) - serialised_session[1] ^= (uint8_t) 0x1; + if( corrupt_minor ) + serialized_session[1] ^= (uint8_t) 0x1; - if( corrupt_patch ) - serialised_session[2] ^= (uint8_t) 0x1; + if( corrupt_patch ) + serialized_session[2] ^= (uint8_t) 0x1; - if( corrupt_config ) + if( corrupt_config ) { - serialised_session[3] ^= (uint8_t) 0x1; - serialised_session[4] ^= (uint8_t) 0x1; - serialised_session[5] ^= (uint8_t) 0x1; + serialized_session[3] ^= (uint8_t) 0x1; + serialized_session[4] ^= (uint8_t) 0x1; + serialized_session[5] ^= (uint8_t) 0x1; } - TEST_ASSERT( mbedtls_ssl_session_load( &session, - serialised_session, - serialised_session_len ) == + TEST_ASSERT( mbedtls_ssl_session_load( &session, + serialized_session, + serialized_session_len ) == MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } /* END_CASE */ From f78af3779a5f997d48b6ade7f896e0fb12d2065d Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 29 May 2019 12:45:21 +0100 Subject: [PATCH 11/13] Improve test for detection of ver/cfg corruption in serialized data This commit improves the test exercising the behaviour of session deserialization when facing an unexpected version or config, by testing ver/cfg corruption at any bit in the ver/cfg header of the serialized data; previously, it had only tested the first bit of each byte. --- tests/suites/test_suite_ssl.function | 55 +++++++++++++++++----------- 1 file changed, 34 insertions(+), 21 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index bc371ac8f..a848455a6 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function 
@@ -860,44 +860,57 @@ void ssl_session_serialize_version_check( int corrupt_major, { unsigned char serialized_session[ 2048 ]; size_t serialized_session_len; - + unsigned cur_byte; mbedtls_ssl_session session; + uint8_t should_corrupt_byte[] = { corrupt_major == 1, + corrupt_minor == 1, + corrupt_patch == 1, + corrupt_config == 1, + corrupt_config == 1 }; + mbedtls_ssl_session_init( &session ); - /* Infer length of serialized session. */ + /* Infer length of serialized session. */ TEST_ASSERT( mbedtls_ssl_session_save( &session, serialized_session, sizeof( serialized_session ), &serialized_session_len ) == 0 ); - mbedtls_ssl_session_free( &session ); + mbedtls_ssl_session_free( &session ); - /* Without any modification, we should be able to successfully + /* Without any modification, we should be able to successfully * de-serialize the session - double-check that. */ TEST_ASSERT( mbedtls_ssl_session_load( &session, serialized_session, serialized_session_len ) == 0 ); mbedtls_ssl_session_free( &session ); - if( corrupt_major ) - serialized_session[0] ^= (uint8_t) 0x1; - - if( corrupt_minor ) - serialized_session[1] ^= (uint8_t) 0x1; - - if( corrupt_patch ) - serialized_session[2] ^= (uint8_t) 0x1; - - if( corrupt_config ) + /* Go through the bytes in the serialized session header and + * corrupt them bit-by-bit. */ + for( cur_byte = 0; cur_byte < sizeof( should_corrupt_byte ); cur_byte++ ) { - serialized_session[3] ^= (uint8_t) 0x1; - serialized_session[4] ^= (uint8_t) 0x1; - serialized_session[5] ^= (uint8_t) 0x1; + int cur_bit; + unsigned char * const byte = &serialized_session[ cur_byte ]; + + if( should_corrupt_byte[ cur_byte ] == 0 ) + continue; + + for( cur_bit = 0; cur_bit < CHAR_BIT; cur_bit++ ) + { + unsigned char const corrupted_bit = 0x1u << cur_bit; + /* Modify a single bit in the serialized session. 
*/ + *byte ^= corrupted_bit; + + /* Attempt to deserialize */ + TEST_ASSERT( mbedtls_ssl_session_load( &session, + serialized_session, + serialized_session_len ) == + MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + + /* Undo the change */ + *byte ^= corrupted_bit; + } } - TEST_ASSERT( mbedtls_ssl_session_load( &session, - serialized_session, - serialized_session_len ) == - MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } /* END_CASE */ From 5dbcc9f441780ad1b1beaf55bb6515f628aa6493 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 3 Jun 2019 12:58:39 +0100 Subject: [PATCH 12/13] Introduce specific error for ver/cfg mismatch on deserialization This commit introduces a new SSL error code `MBEDTLS_ERR_SSL_VERSION_MISMATCH` which can be used to indicate operation failure due to a mismatch of version or configuration. It is put to use in the implementation of `mbedtls_ssl_session_load()` to signal the attempt to de-serialize a session which has been serialized in a build of Mbed TLS using a different version or configuration. --- include/mbedtls/error.h | 1 + include/mbedtls/ssl.h | 4 ++++ library/error.c | 2 ++ library/ssl_tls.c | 3 +-- tests/suites/test_suite_ssl.function | 2 +- 5 files changed, 9 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index 765fd42f8..31f294f70 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -100,6 +100,7 @@ * ECP 4 10 (Started from top) * MD 5 5 * HKDF 5 1 (Started from top) + * SSL 5 1 (Started from 0x5F00) * CIPHER 6 8 (Started from 0x6080) * SSL 6 24 (Started from top, plus 0x6000) * SSL 7 32 diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index d435a694b..df620692f 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
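Review bot: The `should_corrupt_byte` initialisers compare each flag with `== 1`, whereas the code they replace tested `if( corrupt_major )`. Any other nonzero argument now leaves every byte untouched, and the test case passes without once calling `mbedtls_ssl_session_load()` on corrupted data. Writing `corrupt_major != 0` (and likewise for the other four entries) keeps the earlier meaning. The array also hard-codes the header as three version bytes followed by two configuration bytes; a comment such as `/* 3 version bytes + 2 config bytes; must match the serialized session header */` would make that coupling visible. The function's signature lies above the hunk.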
@@ -123,6 +123,7 @@ #define MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS -0x6500 /**< The asynchronous operation is not completed yet. */ #define MBEDTLS_ERR_SSL_EARLY_MESSAGE -0x6480 /**< Internal-only message signaling that a message arrived early. */ #define MBEDTLS_ERR_SSL_UNEXPECTED_CID -0x6000 /**< An encrypted DTLS-frame with an unexpected CID was received. */ +#define MBEDTLS_ERR_SSL_VERSION_MISMATCH -0x5F00 /**< An operation failed due to an unexpected version or configuration. */ #define MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS -0x7000 /**< A cryptographic operation is in progress. Try again later. */ /* @@ -2179,6 +2180,9 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session * \return \c 0 if successful. * \return #MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed. * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid. + * \return #MBEDTLS_ERR_SSL_VERSION_MISMATCH if the serialized data + * was generated in a different version or configuration of + * Mbed TLS. * \return Another negative value for other kinds of errors (for * example, unsupported features in the embedded certificate). */ diff --git a/library/error.c b/library/error.c index 0a9baebb2..546fa49df 100644 --- a/library/error.c +++ b/library/error.c @@ -525,6 +525,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) mbedtls_snprintf( buf, buflen, "SSL - Internal-only message signaling that a message arrived early" ); if( use_ret == -(MBEDTLS_ERR_SSL_UNEXPECTED_CID) ) mbedtls_snprintf( buf, buflen, "SSL - An encrypted DTLS-frame with an unexpected CID was received" ); + if( use_ret == -(MBEDTLS_ERR_SSL_VERSION_MISMATCH) ) + mbedtls_snprintf( buf, buflen, "SSL - An operation failed due to an unexpected version or configuration" ); if( use_ret == -(MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) ) mbedtls_snprintf( buf, buflen, "SSL - A cryptographic operation is in progress. Try again later" ); #endif /* MBEDTLS_SSL_TLS_C */ 
diff --git a/library/ssl_tls.c b/library/ssl_tls.c index cc4217171..39ee494eb 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -9088,8 +9088,7 @@ static int ssl_session_load( mbedtls_ssl_session *session, if( memcmp( p, ssl_serialized_session_header, sizeof( ssl_serialized_session_header ) ) != 0 ) { - /* A more specific error code might be used here. */ - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + return( MBEDTLS_ERR_SSL_VERSION_MISMATCH ); } p += sizeof( ssl_serialized_session_header ); diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index a848455a6..65f585274 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -905,7 +905,7 @@ void ssl_session_serialize_version_check( int corrupt_major, TEST_ASSERT( mbedtls_ssl_session_load( &session, serialized_session, serialized_session_len ) == - MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + MBEDTLS_ERR_SSL_VERSION_MISMATCH ); /* Undo the change */ *byte ^= corrupted_bit; From 7bf7710f40b1619163c3909c431c5fa2fb4dccf8 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 4 Jun 2019 09:43:16 +0100 Subject: [PATCH 13/13] Remove reference to outdated compile-time option --- library/ssl_tls.c | 18 ++++-------------- 1 file changed, 4 insertions(+), 14 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 39ee494eb..b61453fe5 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8786,12 +8786,6 @@ const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_co * structure of serialized SSL sessions. */ -#if defined(MBEDTLS_SSL_SERIALIZED_STRUCTURES_LOCAL_ONLY) -#define SSL_SERIALIZED_SESSION_CONFIG_LOCAL 1 -#else -#define SSL_SERIALIZED_SESSION_CONFIG_LOCAL 0 -#endif /* MBEDTLS_SSL_SERIALIZED_STRUCTURES_LOCAL_ONLY */ - #if defined(MBEDTLS_HAVE_TIME) #define SSL_SERIALIZED_SESSION_CONFIG_TIME 1 #else 
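Review bot: Returning `MBEDTLS_ERR_SSL_VERSION_MISMATCH` from the `memcmp` branch changes the value `ssl_session_load()` reports for a header mismatch, so any caller that recognises a rejected session or ticket by comparing against `MBEDTLS_ERR_SSL_BAD_INPUT_DATA` will no longer match. Those callers are outside this hunk and should be checked, presumably so that a ticket from another version or configuration is still discarded in favour of a full handshake rather than treated as a fatal error. A short comment on the branch, for example `/* Header differs: data was produced by another version or configuration. */`, would replace the removed remark and say why this is not reported as plain bad input. The body of `ssl_session_load()` starts and continues outside the hunk.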
@@ -8841,7 +8835,6 @@ const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_co #define SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC_BIT 4 #define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 5 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 6 -#define SSL_SERIALIZED_SESSION_CONFIG_LOCAL_BIT 7 #define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \ ( (uint16_t) ( \ @@ -8851,8 +8844,7 @@ const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_co ( SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT ) | \ ( SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC << SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC_BIT ) | \ ( SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT ) | \ - ( SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT ) | \ - ( SSL_SERIALIZED_SESSION_CONFIG_LOCAL << SSL_SERIALIZED_SESSION_CONFIG_LOCAL_BIT ) ) ) + ( SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT ) ) ) static unsigned char ssl_serialized_session_header[] = { MBEDTLS_VERSION_MAJOR, @@ -8874,11 +8866,9 @@ static unsigned char ssl_serialized_session_header[] = { * Note: When updating the format, remember to keep * these version+format bytes. * - * // In this version, `session_format` - * // indicates whether - * // MBEDTLS_SSL_SERIALIZED_STRUCTURES_LOCAL_ONLY - * // is set, plus the setting of those compile- - * // time configuration options which influence + * // In this version, `session_format` determines + * // the setting of those compile-time + * // configuration options which influence * // the structure of mbedtls_ssl_session. * uint64 start_time; * uint8 ciphersuite[2]; // defined by the standard