TLS 1.3: SessionTicket: Enable kex change mode check when resumption #6616
ced68de to b67a13f
Some comments
b67a13f to 3c327a8
3c327a8 to b262295
The advertised kex mode is `tls13_kex_mode`, not `key_exchange_mode`. And `ALLOW_*_RESUMPTION` are the same as `MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE*`, no translation code needed.
b262295 to 164e11c
164e11c to 092b4cb
Some nitpick comments, and one previous comment is not addressed. Besides that, test cases are expected.
Some nitpick comments, others look good.
LGTM
library/ssl_tls13_server.c
Outdated
ret = MBEDTLS_ERR_SSL_TICKET_INVALID_KEX_MODE; | ||
MBEDTLS_SSL_DEBUG_TICKET_FLAGS( 4, session->ticket_flags ); | ||
if( mbedtls_ssl_tls13_check_kex_modes( ssl, | ||
mbedtls_ssl_tls13_session_get_ticket_flags( | ||
session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL ) ) ) | ||
{ | ||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "No suitable key exchange mode" ) ); | ||
goto exit; | ||
} |
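Review bot: the `MBEDTLS_SSL_DEBUG_TICKET_FLAGS( 4, session->ticket_flags )` call logs the raw flags, while the check right after it uses the value masked through `mbedtls_ssl_tls13_session_get_ticket_flags( session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL )`, so the debug output can show bits that play no part in the decision. Consider computing the masked value once into a local, logging that local, and passing the same local to `mbedtls_ssl_tls13_check_kex_modes()`. The `if( mbedtls_ssl_tls13_check_kex_modes( ... ) )` condition also treats a non-zero return as the failure path, which is easy to misread for a function named `check`; an explicit `!= 0` would make that clear at the call site.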
With this check and if we decide to go ahead with the ticket for session resumption, we do not ensure that the key exchange mode we are eventually going to select is compatible with the ticket. We can have a scenario where the server is configured to support psk_ephemeral and psk, the client claims that it supports both as well in the key exchange modes extension but the ticket (obtained from a previous session) is limited to psk. Then if the client sends the appropriate extensions, in `ssl_tls13_determine_key_exchange_mode()`, we are going to select psk_ephemeral which is not allowed for the ticket.

Thus I think that:

- we should change `ssl_tls13_check_psk_ephemeral_key_exchange()` to something like:

  ```c
  static int ssl_tls13_check_psk_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
  {
  #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
      if( ( ! mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) ) ||
          ( ! mbedtls_ssl_tls13_psk_ephemeral_enabled( ssl ) ) ||
          ( ! ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange( ssl ) ) )
          return( 0 );

      if( ssl->handshake->resume )
      {
          if( ! mbedtls_ssl_tls13_session_get_ticket_flags(
                    ssl->session_negotiate,
                    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) )
              return( 0 );
      }

      return( 1 );
  #else
      ((void) ssl);
      return( 0 );
  #endif
  }
  ```

- Change to `ssl_tls13_check_psk_key_exchange` in a similar way.
- And finally here, do something like:

  ```c
  ticket_flags = mbedtls_ssl_session_get_ticket_flags(
                     session, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL );
  MBEDTLS_SSL_DEBUG_TICKET_FLAGS( 4, ticket_flags );

  key_exchanges = 0;
  if( ( ticket_flags & MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION ) &&
      ssl_tls13_check_psk_ephemeral_key_exchange( ssl ) )
  {
      key_exchanges |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
  }
  if( ( ticket_flags & MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION ) &&
      ssl_tls13_check_psk_key_exchange( ssl ) )
  {
      key_exchanges |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
  }

  if( key_exchanges == 0 )
  {
      ret = MBEDTLS_ERR_ERROR_GENERIC_ERROR;
      MBEDTLS_SSL_DEBUG_MSG( 3, ( "No suitable key exchange mode" ) );
      goto exit;
  }
  ```

Note that at this point `ssl->handshake->resume` is equal to 0 and thus when calling `ssl_tls13_check_psk(_ephemeral)_key_exchange` here the check on `session_negotiate` is not done as it should be as `session_negotiate` is not ready for that.
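The scenario in the comment above, as a small C model added here (not Mbed TLS code and not part of the PR). The bit values, function names and the psk_ephemeral-first preference are assumptions made for illustration; the model shows the coarse overlap check passing while a selection that ignores the ticket picks a mode the ticket does not allow.

```c
#include <stdio.h>

/* Stand-in bit values for this sketch; not Mbed TLS's own constants. */
#define KEX_PSK            0x1u
#define KEX_PSK_EPHEMERAL  0x2u
#define KEX_BOTH           (KEX_PSK | KEX_PSK_EPHEMERAL)

/* Prefer psk_ephemeral, then psk (order assumed from the review comment).
 * has_key_share: the client sent the extensions psk_ephemeral needs. */
static unsigned pick(unsigned candidates, int has_key_share)
{
    if ((candidates & KEX_PSK_EPHEMERAL) && has_key_share)
        return KEX_PSK_EPHEMERAL;
    if (candidates & KEX_PSK)
        return KEX_PSK;
    return 0; /* no usable PSK mode */
}

/* Coarse pre-check: the ticket and the advertised modes overlap at all. */
static int ticket_precheck_ok(unsigned ticket_allowed, unsigned client_modes)
{
    return (ticket_allowed & client_modes) != 0;
}

/* Selection from server config and client modes only; the ticket is ignored. */
static unsigned select_ignoring_ticket(unsigned server_conf,
                                       unsigned client_modes, int has_key_share)
{
    return pick(server_conf & client_modes, has_key_share);
}

/* Selection restricted to modes the resumed ticket allows as well. */
static unsigned select_ticket_aware(unsigned server_conf, unsigned client_modes,
                                    unsigned ticket_allowed, int has_key_share)
{
    return pick(server_conf & client_modes & ticket_allowed, has_key_share);
}

int main(void)
{
    /* Constructed scenario: both peers allow both modes, ticket is psk-only. */
    printf("precheck=%d ignoring=%u aware=%u\n",
           ticket_precheck_ok(KEX_PSK, KEX_BOTH),
           select_ignoring_ticket(KEX_BOTH, KEX_BOTH, 1),
           select_ticket_aware(KEX_BOTH, KEX_BOTH, KEX_PSK, 1));
    return 0;
}
```
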
Good point! I have posted the same concern about this in #6551 (comment). I prefer to resolve it in another PR, what do you think?
Yes that's fine by me to do that in a follow-up PR. I guess with this in the "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk" tests the selected key exchange mode should be eventually psk and not psa_ephemeral as currently.
Exactly. In the test, the current selected key is psa_ephemeral, but should be psk eventually. I also found that `psk/psk` and `psk/psk_all` tests would select `ephemeral` in the second flight. I think this should also be resolved in the follow-up PR.
Signed-off-by: Pengyu Lv <[email protected]>
Handshake parameter field, tls13_kex_mode is only valid when MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED is set. So, any functions / calls should be guarded by this macro. Signed-off-by: Pengyu Lv <[email protected]>
This commit adds test cases to test if the check of kex change mode in SessionTicket works well. Signed-off-by: Pengyu Lv <[email protected]>
Ticket flags is quite generic and may make sense in the future versions of TLS or even in TLS 1.2 with new extensions. This change renames the ticket_flags helper functions with more generic `mbedtls_ssl_session` prefix instead of `mbedtls_ssl_tls13_session`. Signed-off-by: Pengyu Lv <[email protected]>
Return MBEDTLS_ERR_ERROR_GENERIC_ERROR when ticket_flags are not compatible with advertised key exchange mode. Signed-off-by: Pengyu Lv <[email protected]>
The debug helpers printing ticket_flags status are moved to ssl_tls.c and ssl_debug_helpers.h. Signed-off-by: Pengyu Lv <[email protected]>
Now the config dependencies used for ticket_flags test cases are TLS 1.2 specified. Correct them to MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_* Signed-off-by: Pengyu Lv <[email protected]>
49fc85a to 3643fdb
Force push due to coding style switch.
This looks quite good to me. I am just proposing some minor adjustments.
When ticket_flags is used as a parameter, use unsigned int, instead of uint8_t or mbedtls_ssl_tls13_ticket_flags. Also remove the definition of mbedtls_ssl_tls13_ticket_flags. Signed-off-by: Pengyu Lv <[email protected]>
This content of the function is moved to ssl_tls13_has_configured_ticket. Signed-off-by: Pengyu Lv <[email protected]>
This looks good to me now. Thanks.
LGTM
xkqian comments are all resolved.
Description
Resolve: #6551
TODOS
In last flight connection, we should add below action
`ticket_flags` of received tickets.
In resumption connection,
Tests
Gatekeeper checklist