espressif/mbedtls
1
0
Fork 0
mirror of https://github.com/espressif/mbedtls.git synced 2025-05-10 03:39:03 +08:00
Code Issues Packages Projects Releases Wiki Activity

Rename mbedtls_ssl_transform minor_ver to tls_version

Browse Source 
Store the TLS version in tls_version instead of minor version number.

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
This commit is contained in:
Glenn Strauss 2022-03-14 12:34:51 -04:00
parent dff84620a0
commit 07c641605e
5 changed files with 38 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
library/ssl_misc.h
View File

@ -947,7 +947,7 @@ typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
* and indicates the length of the static part of the IV which is * and indicates the length of the static part of the IV which is
* constant throughout the communication, and which is stored in * constant throughout the communication, and which is stored in
* the first fixed_ivlen bytes of the iv_{enc/dec} arrays. * the first fixed_ivlen bytes of the iv_{enc/dec} arrays.
* - minor_ver denotes the SSL/TLS version * - tls_version denotes the 2-byte TLS version
* - For stream/CBC transformations, maclen denotes the length of the * - For stream/CBC transformations, maclen denotes the length of the
* authentication tag, while taglen is unused and 0. * authentication tag, while taglen is unused and 0.
* - For AEAD transformations, taglen denotes the length of the * - For AEAD transformations, taglen denotes the length of the
@ -988,7 +988,7 @@ struct mbedtls_ssl_transform
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
int minor_ver; mbedtls_ssl_protocol_version tls_version;
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t psa_key_enc; /*!< psa encryption key */ mbedtls_svc_key_id_t psa_key_enc; /*!< psa encryption key */

28
library/ssl_msg.c
View File

@ -382,7 +382,8 @@ static int ssl_parse_inner_plaintext( unsigned char const *content,
static void ssl_extract_add_data_from_record( unsigned char* add_data, static void ssl_extract_add_data_from_record( unsigned char* add_data,
size_t *add_data_len, size_t *add_data_len,
mbedtls_record *rec, mbedtls_record *rec,
unsigned minor_ver, mbedtls_ssl_protocol_version
tls_version,
size_t taglen ) size_t taglen )
{ {
/* Quoting RFC 5246 (TLS 1.2): /* Quoting RFC 5246 (TLS 1.2):
@ -421,7 +422,7 @@ static void ssl_extract_add_data_from_record( unsigned char* add_data,
size_t ad_len_field = rec->data_len; size_t ad_len_field = rec->data_len;
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) if( tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
{ {
/* In TLS 1.3, the AAD contains the length of the TLSCiphertext, /* In TLS 1.3, the AAD contains the length of the TLSCiphertext,
* which differs from the length of the TLSInnerPlaintext * which differs from the length of the TLSInnerPlaintext
@ -431,7 +432,7 @@ static void ssl_extract_add_data_from_record( unsigned char* add_data,
else else
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
{ {
((void) minor_ver); ((void) tls_version);
((void) taglen); ((void) taglen);
memcpy( cur, rec->ctr, sizeof( rec->ctr ) ); memcpy( cur, rec->ctr, sizeof( rec->ctr ) );
cur += sizeof( rec->ctr ); cur += sizeof( rec->ctr );
@ -596,7 +597,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
* is hence no risk of double-addition of the inner plaintext. * is hence no risk of double-addition of the inner plaintext.
*/ */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) if( transform->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
{ {
size_t padding = size_t padding =
ssl_compute_padding_length( rec->data_len, ssl_compute_padding_length( rec->data_len,
@ -680,7 +681,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_USE_PSA_CRYPTO */
ssl_extract_add_data_from_record( add_data, &add_data_len, rec, ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
transform->minor_ver, transform->tls_version,
transform->taglen ); transform->taglen );
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
@ -817,7 +818,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
* This depends on the TLS version. * This depends on the TLS version.
*/ */
ssl_extract_add_data_from_record( add_data, &add_data_len, rec, ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
transform->minor_ver, transform->tls_version,
transform->taglen ); transform->taglen );
MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)", MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)",
@ -1050,7 +1051,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
} }
ssl_extract_add_data_from_record( add_data, &add_data_len, ssl_extract_add_data_from_record( add_data, &add_data_len,
rec, transform->minor_ver, rec, transform->tls_version,
transform->taglen ); transform->taglen );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
@ -1270,7 +1271,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
* This depends on the TLS version. * This depends on the TLS version.
*/ */
ssl_extract_add_data_from_record( add_data, &add_data_len, rec, ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
transform->minor_ver, transform->tls_version,
transform->taglen ); transform->taglen );
MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD", MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
add_data, add_data_len ); add_data, add_data_len );
@ -1412,7 +1413,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
* Further, we still know that data_len > minlen */ * Further, we still know that data_len > minlen */
rec->data_len -= transform->maclen; rec->data_len -= transform->maclen;
ssl_extract_add_data_from_record( add_data, &add_data_len, rec, ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
transform->minor_ver, transform->tls_version,
transform->taglen ); transform->taglen );
/* Calculate expected MAC. */ /* Calculate expected MAC. */
@ -1697,7 +1698,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
*/ */
rec->data_len -= transform->maclen; rec->data_len -= transform->maclen;
ssl_extract_add_data_from_record( add_data, &add_data_len, rec, ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
transform->minor_ver, transform->tls_version,
transform->taglen ); transform->taglen );
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
@ -1775,7 +1776,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
} }
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) if( transform->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
{ {
/* Remove inner padding and infer true content type. */ /* Remove inner padding and infer true content type. */
ret = ssl_parse_inner_plaintext( data, &rec->data_len, ret = ssl_parse_inner_plaintext( data, &rec->data_len,
@ -3692,7 +3693,7 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl,
*/ */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if( ssl->transform_in != NULL && if( ssl->transform_in != NULL &&
ssl->transform_in->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) ssl->transform_in->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
{ {
if( rec->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ) if( rec->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
done = 1; done = 1;
@ -4967,7 +4968,8 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
static size_t ssl_transform_get_explicit_iv_len( static size_t ssl_transform_get_explicit_iv_len(
mbedtls_ssl_transform const *transform ) mbedtls_ssl_transform const *transform )
{ {
if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) /* XXX: obsolete test? (earlier vers no longer supported?) */
if( transform->tls_version < MBEDTLS_SSL_VERSION_TLS1_2 )
return( 0 ); return( 0 );
return( transform->ivlen - transform->fixed_ivlen ); return( transform->ivlen - transform->fixed_ivlen );

18
library/ssl_tls.c
View File

@ -390,7 +390,7 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
MBEDTLS_SSL_SOME_SUITES_USE_MAC */ MBEDTLS_SSL_SOME_SUITES_USE_MAC */
ssl_tls_prf_t tls_prf, ssl_tls_prf_t tls_prf,
const unsigned char randbytes[64], const unsigned char randbytes[64],
int minor_ver, mbedtls_ssl_protocol_version tls_version,
unsigned endpoint, unsigned endpoint,
const mbedtls_ssl_context *ssl ); const mbedtls_ssl_context *ssl );
@ -3660,7 +3660,7 @@ static int ssl_context_load( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_SOME_SUITES_USE_MAC */ MBEDTLS_SSL_SOME_SUITES_USE_MAC */
ssl_tls12prf_from_cs( ssl->session->ciphersuite ), ssl_tls12prf_from_cs( ssl->session->ciphersuite ),
p, /* currently pointing to randbytes */ p, /* currently pointing to randbytes */
MBEDTLS_SSL_MINOR_VERSION_3, /* (D)TLS 1.2 is forced */ MBEDTLS_SSL_VERSION_TLS1_2, /* (D)TLS 1.2 is forced */
ssl->conf->endpoint, ssl->conf->endpoint,
ssl ); ssl );
if( ret != 0 ) if( ret != 0 )
@ -5253,7 +5253,9 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_SOME_SUITES_USE_MAC */ MBEDTLS_SSL_SOME_SUITES_USE_MAC */
ssl->handshake->tls_prf, ssl->handshake->tls_prf,
ssl->handshake->randbytes, ssl->handshake->randbytes,
ssl->minor_ver, ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4
? MBEDTLS_SSL_VERSION_TLS1_3
: MBEDTLS_SSL_VERSION_TLS1_2,
ssl->conf->endpoint, ssl->conf->endpoint,
ssl ); ssl );
if( ret != 0 ) if( ret != 0 )
@ -6826,7 +6828,7 @@ static mbedtls_tls_prf_types tls_prf_get_type( mbedtls_ssl_tls_prf_cb *tls_prf )
* - [in] compression * - [in] compression
* - [in] tls_prf: pointer to PRF to use for key derivation * - [in] tls_prf: pointer to PRF to use for key derivation
* - [in] randbytes: buffer holding ServerHello.random + ClientHello.random * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random
* - [in] minor_ver: SSL/TLS minor version * - [in] tls_version: TLS version
* - [in] endpoint: client or server * - [in] endpoint: client or server
* - [in] ssl: used for: * - [in] ssl: used for:
* - ssl->conf->{f,p}_export_keys * - ssl->conf->{f,p}_export_keys
@ -6843,7 +6845,7 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
MBEDTLS_SSL_SOME_SUITES_USE_MAC */ MBEDTLS_SSL_SOME_SUITES_USE_MAC */
ssl_tls_prf_t tls_prf, ssl_tls_prf_t tls_prf,
const unsigned char randbytes[64], const unsigned char randbytes[64],
int minor_ver, mbedtls_ssl_protocol_version tls_version,
unsigned endpoint, unsigned endpoint,
const mbedtls_ssl_context *ssl ) const mbedtls_ssl_context *ssl )
{ {
@ -6887,14 +6889,14 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
transform->encrypt_then_mac = encrypt_then_mac; transform->encrypt_then_mac = encrypt_then_mac;
#endif #endif
transform->minor_ver = minor_ver; transform->tls_version = tls_version;
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
memcpy( transform->randbytes, randbytes, sizeof( transform->randbytes ) ); memcpy( transform->randbytes, randbytes, sizeof( transform->randbytes ) );
#endif #endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) if( tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
{ {
/* At the moment, we keep TLS <= 1.2 and TLS 1.3 transform /* At the moment, we keep TLS <= 1.2 and TLS 1.3 transform
* generation separate. This should never happen. */ * generation separate. This should never happen. */
@ -7064,7 +7066,7 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
- transform->maclen % cipher_info->block_size; - transform->maclen % cipher_info->block_size;
} }
if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) if( tls_version == MBEDTLS_SSL_VERSION_TLS1_2 )
{ {
transform->minlen += transform->ivlen; transform->minlen += transform->ivlen;
} }

2
library/ssl_tls13_keys.c
View File

@ -1106,7 +1106,7 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform,
transform->ivlen = traffic_keys->iv_len; transform->ivlen = traffic_keys->iv_len;
transform->maclen = 0; transform->maclen = 0;
transform->fixed_ivlen = transform->ivlen; transform->fixed_ivlen = transform->ivlen;
transform->minor_ver = MBEDTLS_SSL_MINOR_VERSION_4; transform->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
/* We add the true record content type (1 Byte) to the plaintext and /* We add the true record content type (1 Byte) to the plaintext and
* then pad to the configured granularity. The mimimum length of the * then pad to the configured granularity. The mimimum length of the

17
tests/suites/test_suite_ssl.function
View File

@ -1261,7 +1261,8 @@ static int psa_cipher_encrypt_helper( mbedtls_ssl_transform *transform,
static int build_transforms( mbedtls_ssl_transform *t_in, static int build_transforms( mbedtls_ssl_transform *t_in,
mbedtls_ssl_transform *t_out, mbedtls_ssl_transform *t_out,
int cipher_type, int hash_id, int cipher_type, int hash_id,
int etm, int tag_mode, int ver, int etm, int tag_mode,
mbedtls_ssl_protocol_version tls_version,
size_t cid0_len, size_t cid0_len,
size_t cid1_len ) size_t cid1_len )
{ {
@ -1438,8 +1439,8 @@ static int build_transforms( mbedtls_ssl_transform *t_in,
((void) etm); ((void) etm);
#endif #endif
t_out->minor_ver = ver; t_out->tls_version = tls_version;
t_in->minor_ver = ver; t_in->tls_version = tls_version;
t_out->ivlen = ivlen; t_out->ivlen = ivlen;
t_in->ivlen = ivlen; t_in->ivlen = ivlen;
@ -1448,7 +1449,7 @@ static int build_transforms( mbedtls_ssl_transform *t_in,
case MBEDTLS_MODE_GCM: case MBEDTLS_MODE_GCM:
case MBEDTLS_MODE_CCM: case MBEDTLS_MODE_CCM:
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if( ver == MBEDTLS_SSL_MINOR_VERSION_4 ) if( tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
{ {
t_out->fixed_ivlen = 12; t_out->fixed_ivlen = 12;
t_in->fixed_ivlen = 12; t_in->fixed_ivlen = 12;
@ -3425,6 +3426,7 @@ void ssl_crypt_record( int cipher_type, int hash_id,
USE_PSA_INIT( ); USE_PSA_INIT( );
ver |= 0x0300; /*(or substitute in tests)*/
mbedtls_ssl_init( &ssl ); mbedtls_ssl_init( &ssl );
mbedtls_ssl_transform_init( &t0 ); mbedtls_ssl_transform_init( &t0 );
mbedtls_ssl_transform_init( &t1 ); mbedtls_ssl_transform_init( &t1 );
@ -3504,7 +3506,7 @@ void ssl_crypt_record( int cipher_type, int hash_id,
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if( t_enc->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) if( t_enc->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
{ {
/* TLS 1.3 hides the real content type and /* TLS 1.3 hides the real content type and
* always uses Application Data as the content type * always uses Application Data as the content type
@ -3586,6 +3588,7 @@ void ssl_crypt_record_small( int cipher_type, int hash_id,
USE_PSA_INIT( ); USE_PSA_INIT( );
ver |= 0x0300; /*(or substitute in tests)*/
mbedtls_ssl_init( &ssl ); mbedtls_ssl_init( &ssl );
mbedtls_ssl_transform_init( &t0 ); mbedtls_ssl_transform_init( &t0 );
mbedtls_ssl_transform_init( &t1 ); mbedtls_ssl_transform_init( &t1 );
@ -3673,7 +3676,7 @@ void ssl_crypt_record_small( int cipher_type, int hash_id,
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if( t_enc->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) if( t_enc->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
{ {
/* TLS 1.3 hides the real content type and /* TLS 1.3 hides the real content type and
* always uses Application Data as the content type * always uses Application Data as the content type
@ -3758,7 +3761,7 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac,
/* Set up transforms with dummy keys */ /* Set up transforms with dummy keys */
ret = build_transforms( &t0, &t1, cipher_type, hash_id, ret = build_transforms( &t0, &t1, cipher_type, hash_id,
0, trunc_hmac, 0, trunc_hmac,
MBEDTLS_SSL_MINOR_VERSION_3, MBEDTLS_SSL_VERSION_TLS1_2,
0 , 0 ); 0 , 0 );
TEST_ASSERT( ret == 0 ); TEST_ASSERT( ret == 0 );