From 7d3186d18ad9e1ad9755514ded08dd79670db7e3 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Fri, 12 Aug 2022 22:43:18 +0200
Subject: [PATCH 1/3] Disable MBEDTLS_SSL_RENEGOTIATION in tls13-only configuration
There's no renegotiation in TLS 1.3, so this option should have no effect. Insist on having it disabled, to avoid the risk of accidentally having different behavior in TLS 1.3 if the option is enabled (as happened in https://github.com/Mbed-TLS/mbedtls/issues/6200).
Signed-off-by: Gilles Peskine
---
 include/mbedtls/check_config.h | 5 +++++
 tests/configs/tls13-only.h | 1 +
 2 files changed, 6 insertions(+)
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index ac374d2a4b..2d2fae5812 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -936,6 +936,11 @@
 #error "MBEDTLS_SSL_EXTENDED_MASTER_SECRET defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_SSL_RENEGOTIATION) && \
+ !defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#error "MBEDTLS_SSL_RENEGOTIATION defined, but not all prerequisites"
+#endif
+
 #if defined(MBEDTLS_SSL_TICKET_C) && ( !defined(MBEDTLS_CIPHER_C) && \
 !defined(MBEDTLS_USE_PSA_CRYPTO) )
 #error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites"
diff --git a/tests/configs/tls13-only.h b/tests/configs/tls13-only.h
index 963086f316..1f212e7d8f 100644
--- a/tests/configs/tls13-only.h
+++ b/tests/configs/tls13-only.h
@@ -29,6 +29,7 @@
 /* Disable TLS 1.2 and 1.2-specific features */
 #undef MBEDTLS_SSL_ENCRYPT_THEN_MAC
 #undef MBEDTLS_SSL_EXTENDED_MASTER_SECRET
+#undef MBEDTLS_SSL_RENEGOTIATION
 #undef MBEDTLS_SSL_PROTO_TLS1_2
 #undef MBEDTLS_SSL_PROTO_DTLS
 #undef MBEDTLS_SSL_DTLS_ANTI_REPLAY
From 136d25c416e2364b433e4b894fa5fb225624a42f Mon Sep 17 00:00:00 2001
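Review bot: The check added to include/mbedtls/check_config.h reuses the generic text `"MBEDTLS_SSL_RENEGOTIATION defined, but not all prerequisites"`, so a user whose TLS 1.3-only build starts failing gets no hint that the missing prerequisite is MBEDTLS_SSL_PROTO_TLS1_2, or why. A one-line comment above the `#if`, for example `/* TLS 1.3 has no renegotiation: MBEDTLS_SSL_RENEGOTIATION requires MBEDTLS_SSL_PROTO_TLS1_2 */`, would carry the rationale from the commit message into the header. The diffstat lists only check_config.h and tests/configs/tls13-only.h, so the option's own documentation presumably still lacks a matching "Requires" line; adding it in the same change would keep the documented and enforced prerequisites in step. The changelog entry added later in the series also does not mention that such configurations now fail to compile.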
From: Gilles Peskine
Date: Fri, 12 Aug 2022 22:49:12 +0200
Subject: [PATCH 2/3] Explicitly disable all DTLS options in tls13-only.h
This makes no difference when starting from the default configuration. It allows tls13-only.h to be used with other base configurations such as `full`.
Signed-off-by: Gilles Peskine
---
 tests/configs/tls13-only.h | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tests/configs/tls13-only.h b/tests/configs/tls13-only.h
index 1f212e7d8f..38286d1fd6 100644
--- a/tests/configs/tls13-only.h
+++ b/tests/configs/tls13-only.h
@@ -34,6 +34,7 @@
 #undef MBEDTLS_SSL_PROTO_DTLS
 #undef MBEDTLS_SSL_DTLS_ANTI_REPLAY
 #undef MBEDTLS_SSL_DTLS_HELLO_VERIFY
+#undef MBEDTLS_SSL_DTLS_SRTP
 #undef MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
 #undef MBEDTLS_SSL_DTLS_CONNECTION_ID
 #undef MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
From cc29bfd92aaa586ff681757f0f9c9b23e478e575 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Fri, 12 Aug 2022 23:12:35 +0200
Subject: [PATCH 3/3] Bug fixes from the split of ssl_handle_hs_message_post_handshake
The split of ssl_handle_hs_message_post_handshake() into ssl_tls12_handle_hs_message_post_handshake() and ssl_tls13_handle_hs_message_post_handshake() fixed some user-visible bugs. Add a changelog entry for those bugs.
Signed-off-by: Gilles Peskine
---
 ChangeLog.d/tls13-only-renegotiation.txt | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 ChangeLog.d/tls13-only-renegotiation.txt
diff --git a/ChangeLog.d/tls13-only-renegotiation.txt b/ChangeLog.d/tls13-only-renegotiation.txt
new file mode 100644
index 0000000000..f463de1af2
--- /dev/null
+++ b/ChangeLog.d/tls13-only-renegotiation.txt
@@ -0,0 +1,5 @@
+Bugfix
+ * Fix the handling of renegotiation attempts in TLS 1.3. They are now
+ systematically rejected.
+ * Fix an unused-variable warning in TLS 1.3-only builds if
+ MBEDTLS_SSL_RENEGOTIATION was enabled. Fixes #6200.