From 2d8b7ac8985416a209683e6f602d04f226e48620 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 20 Jul 2022 16:21:43 +0200 Subject: [PATCH 1/5] TLS 1.3: Fix selected key exchange mode check ECDHE operations have to be done in ephemeral and PSK-ephemeral key exchange mode, not just ephemeral key exhange mode. Signed-off-by: Ronald Cron --- library/ssl_tls13_keys.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 51743bb39..aeaeb3dd9 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -1237,7 +1237,7 @@ int mbedtls_ssl_tls13_key_schedule_stage_handshake( mbedtls_ssl_context *ssl ) * client_handshake_traffic_secret and server_handshake_traffic_secret * are derived in the handshake secret derivation stage. */ - if( mbedtls_ssl_tls13_ephemeral_enabled( ssl ) ) + if( mbedtls_ssl_tls13_some_ephemeral_enabled( ssl ) ) { if( mbedtls_ssl_tls13_named_group_is_ecdhe( handshake->offered_group_id ) ) { From 7f9ccfeccce3b5e2e729f73152c2e53f1b5269bb Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 20 Jul 2022 17:07:59 +0200 Subject: [PATCH 2/5] TLS 1.3: Remove unnecessary key exchange mode check If there is a PSK involved in the key exchange and thus no certificate we do not go through the MBEDTLS_SSL_CERTIFICATE_REQUEST state thus there is no reason to check that in the coordination function of that state. Signed-off-by: Ronald Cron --- library/ssl_tls13_client.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 183b6ee06..50daa2f86 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1512,12 +1512,6 @@ static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) ) - { - MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= skip parse certificate request" ) ); - return( SSL_CERTIFICATE_REQUEST_SKIP ); - } - if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); From 853854958fe926c896734b5a5df79dea63bb6628 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 20 Jul 2022 16:44:00 +0200 Subject: [PATCH 3/5] TLS 1.3: Add selected key exchange mode field Signed-off-by: Ronald Cron --- library/ssl_misc.h | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 39a47cac7..2ad5965fd 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -611,7 +611,8 @@ struct mbedtls_ssl_handshake_params * Handshake specific crypto variables */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) - int tls13_kex_modes; /*!< key exchange modes for TLS 1.3 */ + uint8_t key_exchange_mode; /*!< Selected key exchange mode */ + uint8_t tls13_kex_modes; /*!< key exchange modes for TLS 1.3 */ /** Number of HelloRetryRequest messages received/sent from/to the server. */ int hello_retry_request_count; @@ -1816,6 +1817,29 @@ static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) ); } +/* + * Helper functions to check the selected key exchange mode. + */ +static inline int mbedtls_ssl_tls13_key_exchange_mode_check( + mbedtls_ssl_context *ssl, int kex_mask ) +{ + return( ( ssl->handshake->key_exchange_mode & kex_mask ) != 0 ); +} + +static inline int mbedtls_ssl_tls13_key_exchange_mode_with_psk( + mbedtls_ssl_context *ssl ) +{ + return( mbedtls_ssl_tls13_key_exchange_mode_check( ssl, + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) ); +} + +static inline int mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( + mbedtls_ssl_context *ssl ) +{ + return( mbedtls_ssl_tls13_key_exchange_mode_check( ssl, + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) ); +} + /* * Fetch TLS 1.3 handshake message header */ From 799077177b20f0a563eff235159792d96e0649cc Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 20 Jul 2022 17:05:29 +0200 Subject: [PATCH 4/5] TLS 1.3: Use selected key exchange mode field Signed-off-by: Ronald Cron --- library/ssl_tls13_client.c | 8 ++++---- library/ssl_tls13_keys.c | 2 +- library/ssl_tls13_server.c | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 50daa2f86..e38f1179b 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1218,17 +1218,17 @@ static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl ) { /* Only the pre_shared_key extension was received */ case MBEDTLS_SSL_EXT_PRE_SHARED_KEY: - handshake->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; + handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; break; /* Only the key_share extension was received */ case MBEDTLS_SSL_EXT_KEY_SHARE: - handshake->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL; + handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL; break; /* Both the pre_shared_key and key_share extensions were received */ case ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ): - handshake->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; + handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; break; /* Neither pre_shared_key nor key_share extension was received */ @@ -1477,7 +1477,7 @@ static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl ) buf, buf_len ); #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) - if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) ) + if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) ) mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED ); else mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST ); diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index aeaeb3dd9..c306d3cba 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -1237,7 +1237,7 @@ int mbedtls_ssl_tls13_key_schedule_stage_handshake( mbedtls_ssl_context *ssl ) * client_handshake_traffic_secret and server_handshake_traffic_secret * are derived in the handshake secret derivation stage. */ - if( mbedtls_ssl_tls13_some_ephemeral_enabled( ssl ) ) + if( mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( ssl ) ) { if( mbedtls_ssl_tls13_named_group_is_ecdhe( handshake->offered_group_id ) ) { diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 7c28c578c..02a2850ed 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -397,7 +397,7 @@ static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl ) if( !ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( ssl ) ) return( 0 ); - ssl->handshake->tls13_kex_modes = + ssl->handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL; return( 1 ); } @@ -1167,7 +1167,7 @@ static int ssl_tls13_write_hrr_key_share_ext( mbedtls_ssl_context *ssl, * of the HRR is then to transmit a cookie to force the client to demonstrate * reachability at their apparent network address (primarily useful for DTLS). */ - if( ! mbedtls_ssl_tls13_some_ephemeral_enabled( ssl ) ) + if( ! mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( ssl ) ) return( 0 ); /* We should only send the key_share extension if the client's initial @@ -1555,7 +1555,7 @@ static int ssl_tls13_write_encrypted_extensions( mbedtls_ssl_context *ssl ) ssl, buf_len, msg_len ) ); #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) - if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) ) + if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) ) mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED ); else mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST ); From bc817bac761d56b2bb50ba0d7e3197e65d224460 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 21 Jul 2022 09:35:20 +0200 Subject: [PATCH 5/5] TLS 1.3: Limit scope of tls13_kex_modes handshake field Signed-off-by: Ronald Cron --- library/ssl_misc.h | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 2ad5965fd..d16b254fc 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -612,14 +612,18 @@ struct mbedtls_ssl_handshake_params */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) uint8_t key_exchange_mode; /*!< Selected key exchange mode */ - uint8_t tls13_kex_modes; /*!< key exchange modes for TLS 1.3 */ /** Number of HelloRetryRequest messages received/sent from/to the server. */ int hello_retry_request_count; + #if defined(MBEDTLS_SSL_SRV_C) /** selected_group of key_share extension in HelloRetryRequest message. */ uint16_t hrr_selected_group; +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) + uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */ +#endif #endif /* MBEDTLS_SSL_SRV_C */ + #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) @@ -1770,6 +1774,7 @@ static inline int mbedtls_ssl_conf_tls13_some_psk_enabled( mbedtls_ssl_context * MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) ); } +#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) /** * Given a list of key exchange modes, check if at least one of them is * supported. @@ -1816,6 +1821,7 @@ static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl ) return( ! mbedtls_ssl_tls13_check_kex_modes( ssl, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) ); } +#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ /* * Helper functions to check the selected key exchange mode.