From ac8195f4f7485ccffb116ede51de5ccf79e79f02 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian
Date: Mon, 26 Sep 2022 04:01:06 +0000
Subject: [PATCH] Fix wrongly kex mode fallback issue in psk cases

Signed-off-by: Xiaokang Qian
---
 library/ssl_tls13_client.c | 22 ++++++++++++----
 tests/opt-testcases/tls13-kex-modes.sh | 35 ++++----------------------
 2 files changed, 22 insertions(+), 35 deletions(-)

diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 714acb95c..8af703504 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1687,19 +1687,16 @@ static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl )
 /* Only the pre_shared_key extension was received */
 case MBEDTLS_SSL_EXT_PRE_SHARED_KEY:
 handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: psk" ) );
 break;
 
 /* Only the key_share extension was received */
 case MBEDTLS_SSL_EXT_KEY_SHARE:
 handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: ephemeral" ) );
 break;
 
 /* Both the pre_shared_key and key_share extensions were received */
 case ( MBEDTLS_SSL_EXT_PRE_SHARED_KEY | MBEDTLS_SSL_EXT_KEY_SHARE ):
 handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: psk_ephemeral" ) );
 break;
 
 /* Neither pre_shared_key nor key_share extension was received */
@@ -1711,10 +1708,25 @@ static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl )
 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Server selected key exchange mode: %s",
- handshake->key_exchange_mode == 1 ? "psk" :
- (handshake->key_exchange_mode == 2 ? "ephemeral" :
+ handshake->key_exchange_mode ==
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK ? "psk" :
+ (handshake->key_exchange_mode ==
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL ? "ephemeral" :
 "psk_ephemeral")) );
 
+ if( !mbedtls_ssl_conf_tls13_check_kex_modes( ssl, handshake->key_exchange_mode ) )
+ {
+ ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
+ MBEDTLS_SSL_DEBUG_MSG( 2,
+ ( "Not supported kex mode in client: %s",
+ handshake->key_exchange_mode ==
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK ? "psk" :
+ (handshake->key_exchange_mode ==
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL ? "ephemeral" :
+ "psk_ephemeral")) );
+ goto cleanup;
+ }
+
 /* Start the TLS 1.3 key schedule: Set the PSK and derive early secret.
 *
 * TODO: We don't have to do this in case we offered 0-RTT and the
diff --git a/tests/opt-testcases/tls13-kex-modes.sh b/tests/opt-testcases/tls13-kex-modes.sh
index 629a99818..d949b5366 100755
--- a/tests/opt-testcases/tls13-kex-modes.sh
+++ b/tests/opt-testcases/tls13-kex-modes.sh
@@ -1835,15 +1835,6 @@ run_test "TLS 1.3: m->m: psk_ephemeral/psk_ephemeral, fail - no common psk" \
 -c "client hello, adding PSK binder list" \
 -s "Invalid binder."
 
-"""
- Currently server side will not check whether client
- support ephemeral mode or not, it will cause improper
- fallback. It's a bit complicated cause there is no good
- way to pass the ephemeral kex mode from client to server,
- will create one issue to solve the bug.
- Skip this test case temporarily.
-"""
-SKIP_NEXT="YES"
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
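Review bot: The new rejection branch sets `ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;` and jumps to cleanup without pending an alert, so the server only sees the connection drop and never learns that it selected a key exchange mode the client did not offer. The error paths elsewhere in this file appear to go through `MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );` for a ServerHello parameter the client never proposed — confirm against the neighbouring cases and add it before the `goto cleanup;`. The mode-to-name ternary is now duplicated verbatim in both debug messages, and its silent fallthrough to "psk_ephemeral" for any other value hides a corrupt mode in the trace; a small static helper removes both problems and keeps the test-visible strings unchanged. ssl_tls13_postprocess_server_hello() starts and ends outside the hunk.
```c
/* Name of a TLS 1.3 key exchange mode, for debug output only.
 * Parameter type should match handshake->key_exchange_mode. */
static const char *ssl_tls13_kex_mode_name( int kex_mode )
{
    switch( kex_mode )
    {
        case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK:
            return( "psk" );
        case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL:
            return( "ephemeral" );
        case MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL:
            return( "psk_ephemeral" );
        default:
            return( "unknown" );
    }
}

/* … unchanged: ssl_tls13_postprocess_server_hello() up to the mode switch … */

    MBEDTLS_SSL_DEBUG_MSG( 3, ( "Server selected key exchange mode: %s",
                                ssl_tls13_kex_mode_name( handshake->key_exchange_mode ) ) );

    if( !mbedtls_ssl_conf_tls13_check_kex_modes( ssl, handshake->key_exchange_mode ) )
    {
        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Not supported kex mode in client: %s",
                                    ssl_tls13_kex_mode_name( handshake->key_exchange_mode ) ) );
        /* Tell the peer why we abort: it picked a mode we never offered. */
        MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
                                      MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
        ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
        goto cleanup;
    }

    /* … unchanged: early secret derivation … */
```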
@@ -1856,8 +1847,7 @@ run_test "TLS 1.3: m->m: psk_ephemeral/ephemeral, fail - no common kex mode"
 1 \
 -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
 -c "client hello, adding psk_key_exchange_modes extension" \
- -c "client hello, adding PSK binder list" \
- -s "ClientHello message misses mandatory extensions."
+ -c "client hello, adding PSK binder list"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -1872,8 +1862,6 @@ run_test "TLS 1.3: m->m: psk_ephemeral/ephemeral_all, good" \
 -c "Server selected key exchange mode: psk_ephemeral" \
 -c "HTTP/1.0 200 OK"
 
-# Skip this test case temporarily.
-SKIP_NEXT="YES"
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -1887,8 +1875,7 @@ run_test "TLS 1.3: m->m: psk_ephemeral/ephemeral_all, fail - no common id" \
 -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
 -c "client hello, adding psk_key_exchange_modes extension" \
 -c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
- -s "ClientHello message misses mandatory extensions."
+ -s "No matched PSK or ticket"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -1953,8 +1940,6 @@ run_test "TLS 1.3: m->m: psk_ephemeral/all, good" \
 -c "Server selected key exchange mode: psk_ephemeral" \
 -c "HTTP/1.0 200 OK"
 
-# Skip this test case temporarily.
-SKIP_NEXT="YES"
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
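Review bot: With `-s "ClientHello message misses mandatory extensions."` gone, the psk_ephemeral/ephemeral "fail - no common kex mode" case asserts only the client's hello-building output plus exit status 1, so it passes for any failure at all, including a regression unrelated to kex-mode handling. If the client is indeed the side that now refuses (the server answers with key_share only and the client's new check rejects ephemeral), pinning it with `-c "Not supported kex mode in client: ephemeral"` ties the test to the fix in ssl_tls13_client.c; the psk_all/ephemeral hunk at -2303 has the same gap. The run_test invocation begins outside the hunk.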
@@ -1966,7 +1951,6 @@ run_test "TLS 1.3: m->m: psk_ephemeral/all, fail - no common id" \
 -c "client hello, adding psk_key_exchange_modes extension" \
 -c "client hello, adding PSK binder list" \
 -s "No matched PSK or ticket" \
- -s "ClientHello message misses mandatory extensions."
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2292,8 +2276,6 @@ run_test "TLS 1.3: m->m: psk_all/psk_ephemeral, fail - no common psk" \
 -c "client hello, adding psk_key_exchange_modes extension" \
 -s "ClientHello message misses mandatory extensions."
 
-# Skip this test case temporarily.
-SKIP_NEXT="YES"
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
@@ -2303,8 +2285,7 @@ run_test "TLS 1.3: m->m: psk_all/ephemeral, fail - no common kex mode" \
 1 \
 -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
 -c "client hello, adding psk_key_exchange_modes extension" \
- -c "client hello, adding PSK binder list" \
- -s "ClientHello message misses mandatory extensions."
+ -c "client hello, adding PSK binder list"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2319,8 +2300,6 @@ run_test "TLS 1.3: m->m: psk_all/ephemeral_all, good" \
 -c "Server selected key exchange mode: psk_ephemeral" \
 -c "HTTP/1.0 200 OK"
 
-# Skip this test case temporarily.
-SKIP_NEXT="YES"
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
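Review bot: In the psk_ephemeral/all "fail - no common id" hunk the surviving line `-s "No matched PSK or ticket" \` keeps its trailing backslash after the `-s` line below it is deleted, so the run_test command now ends only because the next line happens to be blank; removing that blank line later would silently pass `requires_config_enabled ...` to run_test as extra arguments. The sibling hunks at -1887, -2331 and -2409 drop the backslash correctly, and this one should likewise read `-s "No matched PSK or ticket"`. The run_test invocation starts outside the hunk.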
@@ -2331,8 +2310,7 @@ run_test "TLS 1.3: m->m: psk_all/ephemeral_all, fail - no common id" \
 -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
 -c "client hello, adding psk_key_exchange_modes extension" \
 -c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
- -s "ClientHello message misses mandatory extensions."
+ -s "No matched PSK or ticket"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_SRV_C
@@ -2397,8 +2375,6 @@ run_test "TLS 1.3: m->m: psk_all/all, good" \
 -c "Server selected key exchange mode: psk_ephemeral" \
 -c "HTTP/1.0 200 OK"
 
-# Skip this test case temporarily.
-SKIP_NEXT="YES"
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
@@ -2409,8 +2385,7 @@ run_test "TLS 1.3: m->m: psk_all/all, fail - no common id" \
 -c "client hello, adding pre_shared_key extension, omitting PSK binder list" \
 -c "client hello, adding psk_key_exchange_modes extension" \
 -c "client hello, adding PSK binder list" \
- -s "No matched PSK or ticket" \
- -s "ClientHello message misses mandatory extensions."
+ -s "No matched PSK or ticket"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_SRV_C