Skip to content

Backport 3.6: Incremental TLS handshake defragmentation #10030

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 15 commits into from
Mar 7, 2025
Merged

Backport 3.6: Incremental TLS handshake defragmentation #10030

Show file tree
Hide file tree
Changes from 14 commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
b6102b6
Fix Doxygen markup
gilles-peskine-arm Feb 12, 2025
3d490a9
Tweak "waiting for more handshake fragments" log message
gilles-peskine-arm Feb 28, 2025
1e81d34
Tweak handshake fragment log message
gilles-peskine-arm Mar 3, 2025
af0c461
mbedtls_ssl_prepare_handshake_record(): refactor first fragment prep
gilles-peskine-arm Feb 28, 2025
22c51b9
mbedtls_ssl_prepare_handshake_record(): log offsets after decryption
gilles-peskine-arm Feb 28, 2025
cc856a2
Handshake defragmentation: reassemble incrementally
gilles-peskine-arm Feb 28, 2025
302f37b
Fix dodgy printf calls
gilles-peskine-arm Feb 25, 2025
58c3301
Make conversion explicit to silence MSVC warning
gilles-peskine-arm Mar 4, 2025
7719169
Update framework
gilles-peskine-arm Mar 3, 2025
3175fc3
Fix end check before memmove
gilles-peskine-arm Mar 6, 2025
b888cca
Fix handshake defragmentation when the record has multiple messages
gilles-peskine-arm Mar 6, 2025
0a467cc
Unify handshake fragment log messages
gilles-peskine-arm Mar 6, 2025
dee9263
Pacify uncrustify
gilles-peskine-arm Mar 6, 2025
229e200
Note unused variables when debugging is disabled
gilles-peskine-arm Mar 6, 2025
c22e315
Fix a log message
gilles-peskine-arm Mar 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion framework
Open in desktop
Submodule framework updated 1 files
+59 −19 scripts/generate_tls_handshake_tests.py
175 changes: 110 additions & 65 deletions library/ssl_msg.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3221,23 +3221,34 @@ static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl)

int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)
{
/* First handshake fragment must at least include the header. */
if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl) && ssl->in_hslen == 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("handshake message too short: %" MBEDTLS_PRINTF_SIZET,
ssl->in_msglen));
return MBEDTLS_ERR_SSL_INVALID_RECORD;
}
if (ssl->badmac_seen_or_in_hsfraglen == 0) {
/* The handshake message must at least include the header.
* We may not have the full message yet in case of fragmentation.
* To simplify the code, we insist on having the header (and in
* particular the handshake message length) in the first
* fragment. */
if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("handshake message too short: %" MBEDTLS_PRINTF_SIZET,
ssl->in_msglen));
return MBEDTLS_ERR_SSL_INVALID_RECORD;
}

if (ssl->in_hslen == 0) {
ssl->in_hslen = mbedtls_ssl_hs_hdr_len(ssl) + ssl_get_hs_total_len(ssl);
ssl->badmac_seen_or_in_hsfraglen = 0;
}

MBEDTLS_SSL_DEBUG_MSG(3, ("handshake message: msglen ="
" %" MBEDTLS_PRINTF_SIZET ", type = %u, hslen = %"
MBEDTLS_PRINTF_SIZET,
ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen));

if (ssl->transform_in != NULL) {
MBEDTLS_SSL_DEBUG_MSG(4, ("decrypted handshake message:"
" iv-buf=%d hdr-buf=%d hdr-buf=%d",
(int) (ssl->in_iv - ssl->in_buf),
(int) (ssl->in_hdr - ssl->in_buf),
(int) (ssl->in_msg - ssl->in_buf)));
}

#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Expand Down Expand Up @@ -3297,67 +3308,103 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)
}
} else
#endif /* MBEDTLS_SSL_PROTO_DTLS */
if (ssl->badmac_seen_or_in_hsfraglen <= ssl->in_hslen) {
int ret;
{
unsigned char *const reassembled_record_start =
ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
unsigned char *const payload_start =
reassembled_record_start + mbedtls_ssl_in_hdr_len(ssl);
unsigned char *payload_end = payload_start + ssl->badmac_seen_or_in_hsfraglen;
/* How many more bytes we want to have a complete handshake message. */
const size_t hs_remain = ssl->in_hslen - ssl->badmac_seen_or_in_hsfraglen;
/* How many bytes of the current record are part of the first
* handshake message. There may be more handshake messages (possibly
* incomplete) in the same record; if so, we leave them after the
* current record, and ssl_consume_current_message() will take
* care of consuming the next handshake message. */
const size_t hs_this_fragment_len =
ssl->in_msglen > hs_remain ? hs_remain : ssl->in_msglen;
(void) hs_this_fragment_len;

MBEDTLS_SSL_DEBUG_MSG(3,
("handshake fragment: %u .. %"
MBEDTLS_PRINTF_SIZET " of %"
MBEDTLS_PRINTF_SIZET " msglen %" MBEDTLS_PRINTF_SIZET,
("%s handshake fragment: %" MBEDTLS_PRINTF_SIZET
", %u..%u of %" MBEDTLS_PRINTF_SIZET,
(ssl->badmac_seen_or_in_hsfraglen != 0 ?
"subsequent" :
hs_this_fragment_len == ssl->in_hslen ?
"sole" :
"initial"),
ssl->in_msglen,
ssl->badmac_seen_or_in_hsfraglen,
(size_t) ssl->badmac_seen_or_in_hsfraglen +
(hs_remain <= ssl->in_msglen ? hs_remain : ssl->in_msglen),
ssl->in_hslen, ssl->in_msglen));
if (ssl->in_msglen < hs_remain) {
/* ssl->in_msglen is a 25-bit value since it is the sum of the
* header length plus the payload length, the header length is 4
* and the payload length was received on the wire encoded as
* 3 octets. We don't support 16-bit platforms; more specifically,
* we assume that both unsigned and size_t are at least 32 bits.
* Therefore there is no possible integer overflow here.
*/
ssl->badmac_seen_or_in_hsfraglen += (unsigned) ssl->in_msglen;
ssl->in_hdr = ssl->in_msg + ssl->in_msglen;
ssl->badmac_seen_or_in_hsfraglen +
(unsigned) hs_this_fragment_len,
ssl->in_hslen));

/* Move the received handshake fragment to have the whole message
* (at least the part received so far) in a single segment at a
* known offset in the input buffer.
* - When receiving a non-initial handshake fragment, append it to
* the initial segment.
* - Even the initial handshake fragment is moved, if it was
* encrypted with an explicit IV: decryption leaves the payload
* after the explicit IV, but here we move it to start where the
* IV was.
*/
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
size_t const in_buf_len = ssl->in_buf_len;
#else
size_t const in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
#endif
if (payload_end + ssl->in_msglen > ssl->in_buf + in_buf_len) {
MBEDTLS_SSL_DEBUG_MSG(1,
("Shouldn't happen: no room to move handshake fragment %"
MBEDTLS_PRINTF_SIZET " from %p to %p (buf=%p len=%"
MBEDTLS_PRINTF_SIZET ")",
ssl->in_msglen,
(void *) ssl->in_msg, (void *) payload_end,
(void *) ssl->in_buf, in_buf_len));
return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
}
memmove(payload_end, ssl->in_msg, ssl->in_msglen);

ssl->badmac_seen_or_in_hsfraglen += (unsigned) ssl->in_msglen;
payload_end += ssl->in_msglen;

if (ssl->badmac_seen_or_in_hsfraglen < ssl->in_hslen) {
MBEDTLS_SSL_DEBUG_MSG(3, ("Prepare: waiting for more handshake fragments "
"%u/%" MBEDTLS_PRINTF_SIZET,
ssl->badmac_seen_or_in_hsfraglen, ssl->in_hslen));
ssl->in_hdr = payload_end;
ssl->in_msglen = 0;
mbedtls_ssl_update_in_pointers(ssl);
return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
}
if (ssl->badmac_seen_or_in_hsfraglen > 0) {
/*
* At in_first_hdr we have a sequence of records that cover the next handshake
* record, each with its own record header that we need to remove.
* Note that the reassembled record size may not equal the size of the message,
* there may be more messages after it, complete or partial.
*/
unsigned char *in_first_hdr = ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
unsigned char *p = in_first_hdr, *q = NULL;
size_t merged_rec_len = 0;
do {
mbedtls_record rec;
ret = ssl_parse_record_header(ssl, p, mbedtls_ssl_in_hdr_len(ssl), &rec);
if (ret != 0) {
return ret;
}
merged_rec_len += rec.data_len;
p = rec.buf + rec.buf_len;
if (q != NULL) {
memmove(q, rec.buf + rec.data_offset, rec.data_len);
q += rec.data_len;
} else {
q = p;
}
} while (merged_rec_len < ssl->in_hslen);
ssl->in_hdr = in_first_hdr;
mbedtls_ssl_update_in_pointers(ssl);
ssl->in_msglen = merged_rec_len;
/* Adjust message length. */
MBEDTLS_PUT_UINT16_BE(merged_rec_len, ssl->in_len, 0);
} else {
ssl->in_msglen = ssl->badmac_seen_or_in_hsfraglen;
ssl->badmac_seen_or_in_hsfraglen = 0;
ssl->in_hdr = reassembled_record_start;
mbedtls_ssl_update_in_pointers(ssl);

/* Update the record length in the fully reassembled record */
if (ssl->in_msglen > 0xffff) {
MBEDTLS_SSL_DEBUG_MSG(1,
("Shouldn't happen: in_hslen=%"
MBEDTLS_PRINTF_SIZET " > 0xffff",
ssl->in_msglen));
return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
}
MBEDTLS_PUT_UINT16_BE(ssl->in_msglen, ssl->in_len, 0);

size_t record_len = mbedtls_ssl_in_hdr_len(ssl) + ssl->in_msglen;
(void) record_len;
MBEDTLS_SSL_DEBUG_BUF(4, "reassembled record",
ssl->in_hdr, mbedtls_ssl_in_hdr_len(ssl) + merged_rec_len);
ssl->in_hdr, record_len);
if (ssl->in_hslen < ssl->in_msglen) {
MBEDTLS_SSL_DEBUG_MSG(3,
("More handshake messages in the record: "
"%" MBEDTLS_PRINTF_SIZET " + %" MBEDTLS_PRINTF_SIZET,
ssl->in_hslen,
ssl->in_msglen - ssl->in_hslen));
}
}
} else {
return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
}

return 0;
Expand Down Expand Up @@ -4704,11 +4751,9 @@ static int ssl_consume_current_message(mbedtls_ssl_context *ssl)

if (ssl->badmac_seen_or_in_hsfraglen != 0) {
/* Not all handshake fragments have arrived, do not consume. */
MBEDTLS_SSL_DEBUG_MSG(3,
("waiting for more fragments (%u of %"
MBEDTLS_PRINTF_SIZET ", %" MBEDTLS_PRINTF_SIZET " left)",
ssl->badmac_seen_or_in_hsfraglen, ssl->in_hslen,
ssl->in_hslen - ssl->badmac_seen_or_in_hsfraglen));
MBEDTLS_SSL_DEBUG_MSG(3, ("Consume: waiting for more handshake fragments "
"%u/%" MBEDTLS_PRINTF_SIZET,
ssl->badmac_seen_or_in_hsfraglen, ssl->in_hslen));
return 0;
}

Expand Down
4 changes: 2 additions & 2 deletions programs/ssl/ssl_test_lib.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -243,8 +243,8 @@ int key_opaque_set_alg_usage(const char *alg1, const char *alg2,
* - free the provided PK context and re-initilize it as an opaque PK context
* wrapping the PSA key imported in the above step.
*
* \param[in/out] pk On input the non-opaque PK context which contains the
* key to be wrapped. On output the re-initialized PK
* \param[in,out] pk On input, the non-opaque PK context which contains the
* key to be wrapped. On output, the re-initialized PK
* context which represents the opaque version of the one
* provided as input.
* \param[in] psa_alg The primary algorithm that will be associated to the
Expand Down
7 changes: 0 additions & 7 deletions tests/scripts/analyze_outcomes.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,13 +34,6 @@ def _has_word_re(words: typing.Iterable[str],
re.DOTALL)

IGNORED_TESTS = {
'handshake-generated': [
# Temporary disable Handshake defragmentation tests until mbedtls
# pr #10011 has been merged.
'Handshake defragmentation on client: len=4, TLS 1.2',
'Handshake defragmentation on client: len=5, TLS 1.2',
'Handshake defragmentation on client: len=13, TLS 1.2'
],
'ssl-opt': [
# We don't run ssl-opt.sh with Valgrind on the CI because
# it's extremely slow. We don't intend to change this.
Expand Down