From 6dcd18d55bb3560c023e09f5d24cd65f5426d855 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sun, 10 Jul 2022 06:32:05 +0000 Subject: [PATCH 01/19] export hdr checksum function Signed-off-by: Jerry Yu --- library/ssl_misc.h | 4 ++++ library/ssl_tls.c | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index d16b254fc7..381f0c4bfa 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1349,6 +1349,10 @@ void mbedtls_ssl_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl, unsigned char const *msg, size_t msg_len ); +void mbedtls_ssl_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl, + unsigned hs_type, + size_t total_hs_len ); + #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) #if !defined(MBEDTLS_USE_PSA_CRYPTO) MBEDTLS_CHECK_RETURN_CRITICAL diff --git a/library/ssl_tls.c b/library/ssl_tls.c index e60b82fa5f..5a72fede49 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -532,9 +532,9 @@ void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, } } -static void mbedtls_ssl_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl, - unsigned hs_type, - size_t total_hs_len ) +void mbedtls_ssl_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl, + unsigned hs_type, + size_t total_hs_len ) { unsigned char hs_hdr[4]; From 1c105560b426272cae25c12fa1a90dcc320d65cb Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sun, 10 Jul 2022 06:32:38 +0000 Subject: [PATCH 02/19] add offered psks parser Signed-off-by: Jerry Yu --- library/ssl_tls.c | 3 +- library/ssl_tls13_server.c | 327 ++++++++++++++++++++++++++++++++++++- 2 files changed, 322 insertions(+), 8 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 5a72fede49..cf9583ccb7 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
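Review bot: The prototype added to ssl_misc.h carries no doc comment, although this hunk promotes a file-local helper to a library-internal interface that other translation units will now call. The definition in the ssl_tls.c hunk shows it only builds a 4-byte header (`unsigned char hs_hdr[4]`), and patch 02's caller feeds the message body separately through update_checksum, so the contract should say that; e.g. above the declaration: `/* Feed the 4-byte handshake header of a message of type hs_type and body length total_hs_len into the transcript hash; the body is expected to be added separately (update_checksum). */`. The body of mbedtls_ssl_add_hs_hdr_to_checksum continues outside the hunk, so I am inferring the header layout only from the array size.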
@@ -1710,7 +1710,8 @@ int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl, else alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); - psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE ); + psa_set_key_usage_flags( &key_attributes, + PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT ); psa_set_key_algorithm( &key_attributes, alg ); psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE ); diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 02a2850edf..104d5b62b9 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -24,6 +24,7 @@ #include "mbedtls/debug.h" #include "mbedtls/error.h" #include "mbedtls/platform.h" +#include "mbedtls/constant_time.h" #include "ssl_misc.h" #include "ssl_tls13_keys.h" 
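Review bot: Adding PSA_KEY_USAGE_EXPORT to the key attributes lets the PSK imported by mbedtls_ssl_set_hs_psk be read back in the clear through psa_export_key, which is exactly what the new parser in ssl_tls13_server.c does; that gives up the isolation an opaque PSA key was meant to provide, and it does so for every caller of this function, not only the TLS 1.3 server path. The reason belongs next to the flag, e.g. `/* EXPORT: the TLS 1.3 server exports the PSK to compute binders (ssl_tls13_server.c). */`, and a follow-up that derives the binder key through a PSA key-derivation operation on the key id, so the export flag can be dropped again, is worth tracking. mbedtls_ssl_set_hs_psk starts and ends outside the hunk.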
@@ -97,6 +98,269 @@ static int ssl_tls13_parse_key_exchange_modes_ext( mbedtls_ssl_context *ssl, ssl->handshake->tls13_kex_modes = ke_modes; return( 0 ); } + +#define SSL_TLS1_3_OFFERED_PSK_NOT_MATCH 0 +#define SSL_TLS1_3_OFFERED_PSK_MATCH 1 +static int ssl_tls13_offered_psks_check_identity_match( + mbedtls_ssl_context *ssl, + const unsigned char *identity, + uint16_t identity_len ) +{ + /* Check identity with external configured function */ + if( ssl->conf->f_psk != NULL ) + { + if( ssl->conf->f_psk( + ssl->conf->p_psk, ssl, identity, identity_len ) == 0 ) + { + return( SSL_TLS1_3_OFFERED_PSK_MATCH ); + } + return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH ); + } + + /* Check identity with pre-configured psk */ + if( identity_len == ssl->conf->psk_identity_len && + mbedtls_ct_memcmp( ssl->conf->psk_identity, + identity, identity_len ) == 0 ) + { + mbedtls_ssl_set_hs_psk( ssl, ssl->conf->psk, ssl->conf->psk_len ); + return( SSL_TLS1_3_OFFERED_PSK_MATCH ); + } + + /* Add session ticket here */ + + return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH ); +} + +static int ssl_tls13_offered_psks_check_binder_match( + mbedtls_ssl_context *ssl, + const unsigned char *binder, + uint16_t binder_len, + const unsigned char *psk, + size_t psk_len ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + int psk_type; + mbedtls_md_type_t md_alg = + binder_len == 32 ? MBEDTLS_MD_SHA256 : MBEDTLS_MD_SHA384 ; + psa_algorithm_t psa_md_alg = mbedtls_psa_translate_md( md_alg ); + unsigned char transcript[MBEDTLS_MD_MAX_SIZE]; + size_t transcript_len; + unsigned char server_computed_binder[MBEDTLS_MD_MAX_SIZE]; + + if( ssl->handshake->resume == 1 ) + psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION; + else + psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL; + + /* Get current state of handshake transcript. 
*/ + ret = mbedtls_ssl_get_handshake_transcript( ssl, md_alg, + transcript, sizeof( transcript ), + &transcript_len ); + if( ret != 0 ) + return( ret ); + + ret = mbedtls_ssl_tls13_create_psk_binder( ssl, psa_md_alg, + psk, psk_len, psk_type, + transcript, + server_computed_binder ); + /* We do not check for multiple binders */ + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "PSK binder calculation failed." ) ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } + + MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder ( computed ): ", + server_computed_binder, binder_len ); + MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder ( received ): ", binder, binder_len ); + + if( mbedtls_ct_memcmp( server_computed_binder, binder, binder_len ) == 0 ) + { + return( SSL_TLS1_3_OFFERED_PSK_MATCH ); + } + + return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH ); +} +/* Parser for pre_shared_key extension in client hello + * struct { + * opaque identity<1..2^16-1>; + * uint32 obfuscated_ticket_age; + * } PskIdentity; + * + * opaque PskBinderEntry<32..255>; + * + * struct { + * PskIdentity identities<7..2^16-1>; + * PskBinderEntry binders<33..2^16-1>; + * } OfferedPsks; + * + * struct { + * select (Handshake.msg_type) { + * case client_hello: OfferedPsks; + * .... 
+ * }; + * } PreSharedKeyExtension; + */ +static int ssl_tls13_parse_offered_psks_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + const unsigned char *end ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + const unsigned char *p = buf; + uint16_t identities_len; + const unsigned char *identities_end; + uint32_t identity_matched = SSL_TLS1_3_OFFERED_PSK_NOT_MATCH; + uint16_t binders_len; + const unsigned char *binders_end; + unsigned char *psk = NULL; + size_t psk_len = 0; + int binder_matched = 0; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_status_t status; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + + MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key extesion", buf, end - buf ); + + /* identities >= 7 bytes */ + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 7 ); + + identities_len = MBEDTLS_GET_UINT16_BE( p, 0 ); + p += 2; + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, identities_len ); + identities_end = p + identities_len; + + while( p < identities_end ) + { + uint16_t identity_len; + const unsigned char *identity; + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, identities_end, 2 ); + identity_len = MBEDTLS_GET_UINT16_BE( p, 0 ); + p += 2; + identity = p; + p += identity_len; + p += 4; // skip obfuscated_ticket_age + MBEDTLS_SSL_CHK_BUF_READ_PTR( identity, identities_end, identity_len ); + + if( identity_matched == SSL_TLS1_3_OFFERED_PSK_MATCH ) + continue; + + MBEDTLS_SSL_DEBUG_BUF( 3, "received psk identity", + identity, identity_len ); + identity_matched = ssl_tls13_offered_psks_check_identity_match( + ssl, identity, identity_len ); + } + + if( identity_matched != SSL_TLS1_3_OFFERED_PSK_MATCH ) + { + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ); + return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ); + } + + if( p != identities_end ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key extesion decode error" ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( 
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, + MBEDTLS_ERR_SSL_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + } + + ssl->handshake->update_checksum( ssl, buf, p - buf ); + + /* binders >= 33 bytes */ + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 33 ); + binders_len = MBEDTLS_GET_UINT16_BE( p, 0 ); + p += 2; + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, binders_len ); + binders_end = p + binders_len; + +#if defined(MBEDTLS_USE_PSA_CRYPTO) + status = psa_get_key_attributes( ssl->handshake->psk_opaque, + &key_attributes ); + if( status != PSA_SUCCESS) + { + return( psa_ssl_status_to_mbedtls( status ) ); + } + + psk_len = PSA_BITS_TO_BYTES(psa_get_key_bits( &key_attributes ) ); + psk = mbedtls_calloc( 1, psk_len ); + if( psk == NULL ) + { + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + } + status = psa_export_key(ssl->handshake->psk_opaque, psk, psk_len, &psk_len ); + if( status != PSA_SUCCESS) + { + ret = psa_ssl_status_to_mbedtls( status ); + goto exit_failue; + } +#else + psk = ssl->handshake->psk; + psk_len = ssl->handshake->psk_len; +#endif /* !MBEDTLS_USE_PSA_CRYPTO */ + + while( p < binders_end ) + { + uint8_t binder_len; + const unsigned char *binder; + + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 ); + binder_len = *p++; + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, binder_len ); + binder = p; + p += binder_len; + + if( binder_matched == SSL_TLS1_3_OFFERED_PSK_MATCH) + continue; + + binder_matched = ssl_tls13_offered_psks_check_binder_match( + ssl, binder, binder_len, psk, psk_len ); + if( binder_matched < 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, + "ssl_tls13_offered_psks_check_binder_match" , binder_matched ); + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + ret = binder_matched; + goto exit_failue; + } + } + + if( binder_matched != SSL_TLS1_3_OFFERED_PSK_MATCH ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, + ( "Received psk binder does not match computed psk binder." 
) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; + goto exit_failue; + } + + if( p != binders_end ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key extesion decode error" ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, + MBEDTLS_ERR_SSL_DECODE_ERROR ); + ret = MBEDTLS_ERR_SSL_DECODE_ERROR; + goto exit_failue; + } + + /* Update the handshake transcript with the binder list. */ + ssl->handshake->update_checksum( ssl, + identities_end, + (size_t)( p - identities_end ) ); + ret = 0; + +exit_failue: +#if defined(MBEDTLS_USE_PSA_CRYPTO) + mbedtls_free( (void *)psk ); +#endif + return( ret ); +} #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ /* From RFC 8446: @@ -540,6 +804,10 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, int hrr_required = 0; const mbedtls_ssl_ciphersuite_t* ciphersuite_info; +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) + const unsigned char *pre_shared_key_ext_start = NULL; + const unsigned char *pre_shared_key_ext_end = NULL; +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE; 
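Review bot: In ssl_tls13_offered_psks_check_binder_match the digest is chosen from the binder length alone (`binder_len == 32 ? MBEDTLS_MD_SHA256 : MBEDTLS_MD_SHA384`) and binder_len is then reused as the length of the final mbedtls_ct_memcmp, but binder_len is a peer-supplied uint8_t that the caller only bounds against the buffer, while server_computed_binder holds at most MBEDTLS_MD_MAX_SIZE bytes: a binder longer than the digest makes the comparison read past the computed value, and a binder shorter than the digest (the parser never enforces the 32-byte minimum of PskBinderEntry) is compared only over its own length, so the check no longer has the full digest's strength. A binder must be exactly the output length of the hash that produced it, so reject anything else before comparing, e.g. `if( binder_len != PSA_HASH_LENGTH( psa_md_alg ) ) return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH );`, and preferably take the hash from the ciphersuite being negotiated rather than inferring it from the length. The same length-derived digest choice survives unchanged in patch 09's `@@ -146` hunk and patch 12's `@@ -132` hunk. Separately, in the MBEDTLS_USE_PSA_CRYPTO branch of ssl_tls13_parse_offered_psks_ext the exported PSK is heap-allocated and released at exit_failue with a plain mbedtls_free; zeroize it first (`mbedtls_platform_zeroize( psk, psk_len );`) so the secret does not linger in freed memory.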
@@ -825,6 +1093,20 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, break; #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) + case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) ); + /* Delay processing of the PSK identity once we have + * found out which algorithms to use. We keep a pointer + * to the buffer and the size for later processing. + */ + pre_shared_key_ext_start = p; + pre_shared_key_ext_end = extension_data_end; + + ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY; + break; +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ + #if defined(MBEDTLS_SSL_ALPN) case MBEDTLS_TLS_EXT_ALPN: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); 
@@ -866,17 +1148,48 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, p += extension_data_len; } + +#if defined(MBEDTLS_DEBUG_C) + /* List all the extensions we have received */ + ssl_tls13_debug_print_client_hello_exts( ssl ); +#endif /* MBEDTLS_DEBUG_C */ + + mbedtls_ssl_add_hs_hdr_to_checksum( ssl, + MBEDTLS_SSL_HS_CLIENT_HELLO, + p - buf ); +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) /* Update checksum with either * - The entire content of the CH message, if no PSK extension is present * - The content up to but excluding the PSK extension, if present. */ - mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, - buf, p - buf ); - - /* List all the extensions we have received */ -#if defined(MBEDTLS_DEBUG_C) - ssl_tls13_debug_print_client_hello_exts( ssl ); -#endif /* MBEDTLS_DEBUG_C */ + /* If we've settled on a PSK-based exchange, parse PSK identity ext */ + if( mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) && + ( ssl->handshake->extensions_present & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) ) + { + ssl->handshake->update_checksum( ssl, buf, + pre_shared_key_ext_start - buf ); + ret = ssl_tls13_parse_offered_psks_ext( ssl, + pre_shared_key_ext_start, + pre_shared_key_ext_end ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_tls13_parse_offered_psks_ext" ), + ret ); + return( ret ); + } + /* If pre_shared_key is not last extension */ + if( p - pre_shared_key_ext_end ) + { + ssl->handshake->update_checksum( ssl, + pre_shared_key_ext_end, + p - pre_shared_key_ext_end ); + } + } + else +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ + { + ssl->handshake->update_checksum( ssl, buf, p - buf ); + } return( hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK ); } From 36847820fa8689045d3fb465efcd3551eda48667 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sun, 10 Jul 2022 06:35:06 +0000 Subject: [PATCH 03/19] add tests for offered psk parser 
Signed-off-by: Jerry Yu --- tests/ssl-opt.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 942d705242..20b4da9c93 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2283,6 +2283,8 @@ run_test "TLS 1.3: key exchange mode parameter passing: All" \ "$P_CLI tls13_kex_modes=all" \ 0 +# FIXME: force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 should be removed in future +# Without it, the binder will generate wrong value. requires_openssl_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE @@ -2296,6 +2298,8 @@ run_test "TLS 1.3: psk_key_exchange_modes: basic check, O->m" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" +# FIXME: force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 should be removed in future +# Without it, the binder will generate wrong value. requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE From 032b15ce5e56af8f97d10e652e995bf4fb19cad5 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 11 Jul 2022 06:10:03 +0000 Subject: [PATCH 04/19] Add write selected_identity Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 71 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 104d5b62b9..eff79ba815 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c 
@@ -361,6 +361,61 @@ exit_failue: #endif return( ret ); } + +/* + * struct { + * select ( Handshake.msg_type ) { + * .... + * case server_hello: + * uint16 selected_identity; + * } + * } PreSharedKeyExtension; + */ +static int ssl_tls13_write_selected_identity_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + unsigned char *end, + size_t *olen ) +{ + unsigned char *p = (unsigned char*)buf; + size_t selected_identity; + + *olen = 0; + +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) ) +#else + if( ssl->handshake->psk == NULL ) +#endif + { + /* We shouldn't have called this extension writer unless we've + * chosen to use a PSK. */ + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding pre_shared_key extension" ) ); + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 ); + + /* Extension Type */ + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0 ); + + /* Extension Length */ + MBEDTLS_PUT_UINT16_BE( 2, p, 2 ); + + /* NOTE: This will need to be adjusted once we support multiple PSKs + * being offered by the client. */ + selected_identity = 0; + + /* Write selected_identity */ + MBEDTLS_PUT_UINT16_BE( selected_identity, p, 4 ); + + *olen = 6; + + MBEDTLS_SSL_DEBUG_MSG( 4, ( "sent selected_identity: %" MBEDTLS_PRINTF_SIZET, + selected_identity ) ); + + return( 0 ); +} + #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ /* From RFC 8446: @@ -1157,6 +1212,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, mbedtls_ssl_add_hs_hdr_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, p - buf ); + #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) /* Update checksum with either * - The entire content of the CH message, if no PSK extension is present 
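Review bot: ssl_tls13_write_selected_identity_ext always reports `selected_identity = 0`, but the parser from patch 02 accepts a match on any entry of the identities list (it records only whether some identity matched, not which), so a client that offered several identities and had, say, its second one accepted is told index 0 and will derive keys from a different PSK than the server; the NOTE in the code acknowledges this, yet the server currently proceeds rather than failing such a ClientHello. Until the index of the matching identity is carried in the handshake (patch 12 adds a `selected_identity` field for this), the safer interim behaviour is to accept a match only at index 0, or to fail when more than one identity is offered. RFC 8446 §4.2.11 also asks servers to validate solely the binder that corresponds to the selected PSK, rather than scanning the binder list for any match as ssl_tls13_parse_offered_psks_ext does.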
@@ -1645,6 +1701,21 @@ static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl, p += output_len; } +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) + MBEDTLS_SSL_DEBUG_MSG( 2,( " mbedtls_ssl_tls13_some_psk_enabled %d", mbedtls_ssl_tls13_some_psk_enabled( ssl ) ) ); + if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) ) + { + ret = ssl_tls13_write_selected_identity_ext( ssl, p, end, &output_len ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_selected_identity_ext", + ret ); + return( ret ); + } + p += output_len; + } +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ + MBEDTLS_PUT_UINT16_BE( p - p_extensions_len - 2, p_extensions_len, 0 ); MBEDTLS_SSL_DEBUG_BUF( 4, "server hello extensions", From 997549353ed02a4ebe696af303bfd4ed0a396282 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 15 Jul 2022 15:01:08 +0800 Subject: [PATCH 05/19] fix various code format issues Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index eff79ba815..ec1df2a781 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -372,9 +372,9 @@ exit_failue: * } PreSharedKeyExtension; */ static int ssl_tls13_write_selected_identity_ext( mbedtls_ssl_context *ssl, - unsigned char *buf, - unsigned char *end, - size_t *olen ) + unsigned char *buf, + unsigned char *end, + size_t *olen ) { unsigned char *p = (unsigned char*)buf; size_t selected_identity; 
@@ -395,17 +395,12 @@ static int ssl_tls13_write_selected_identity_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding pre_shared_key extension" ) ); MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 ); - /* Extension Type */ MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0 ); - - /* Extension Length */ MBEDTLS_PUT_UINT16_BE( 2, p, 2 ); /* NOTE: This will need to be adjusted once we support multiple PSKs * being offered by the client. */ selected_identity = 0; - - /* Write selected_identity */ MBEDTLS_PUT_UINT16_BE( selected_identity, p, 4 ); *olen = 6; @@ -702,9 +697,9 @@ static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( mbedtls_ssl_context *ssl ) { return( ssl_tls13_client_hello_has_exts( ssl, - MBEDTLS_SSL_EXT_SUPPORTED_GROUPS | - MBEDTLS_SSL_EXT_KEY_SHARE | - MBEDTLS_SSL_EXT_SIG_ALG ) ); + MBEDTLS_SSL_EXT_SUPPORTED_GROUPS | + MBEDTLS_SSL_EXT_KEY_SHARE | + MBEDTLS_SSL_EXT_SIG_ALG ) ); } MBEDTLS_CHECK_RETURN_CRITICAL @@ -1702,7 +1697,8 @@ static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) - MBEDTLS_SSL_DEBUG_MSG( 2,( " mbedtls_ssl_tls13_some_psk_enabled %d", mbedtls_ssl_tls13_some_psk_enabled( ssl ) ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( " mbedtls_ssl_tls13_some_psk_enabled %d", + mbedtls_ssl_tls13_some_psk_enabled( ssl ) ) ); if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) ) { ret = ssl_tls13_write_selected_identity_ext( ssl, p, end, &output_len ); From 4a2ea16aedc53591a195301b44edcb7d7b9a8490 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 15 Jul 2022 15:01:26 +0800 Subject: [PATCH 06/19] remove forcecipher for psk test Signed-off-by: Jerry Yu --- tests/ssl-opt.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 20b4da9c93..942d705242 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
@@ -2283,8 +2283,6 @@ run_test "TLS 1.3: key exchange mode parameter passing: All" \ "$P_CLI tls13_kex_modes=all" \ 0 -# FIXME: force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 should be removed in future -# Without it, the binder will generate wrong value. requires_openssl_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE @@ -2298,8 +2296,6 @@ run_test "TLS 1.3: psk_key_exchange_modes: basic check, O->m" \ -s "Found PSK_EPHEMERAL KEX MODE" \ -s "Found PSK KEX MODE" -# FIXME: force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 should be removed in future -# Without it, the binder will generate wrong value. requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE From 6e74a7e3c7132b892d6a21200014b66ad64338be Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 20 Jul 2022 20:49:32 +0800 Subject: [PATCH 07/19] Add check return flags Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index ec1df2a781..6280f72eb3 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -54,6 +54,7 @@ * PskKeyExchangeMode ke_modes<1..255>; * } PskKeyExchangeModes; */ +MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_parse_key_exchange_modes_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, const unsigned char *end ) @@ -101,6 +102,7 @@ static int ssl_tls13_parse_key_exchange_modes_ext( mbedtls_ssl_context *ssl, #define SSL_TLS1_3_OFFERED_PSK_NOT_MATCH 0 #define SSL_TLS1_3_OFFERED_PSK_MATCH 1 +MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_offered_psks_check_identity_match( mbedtls_ssl_context *ssl, const unsigned char *identity, 
@@ -131,6 +133,7 @@ static int ssl_tls13_offered_psks_check_identity_match( return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH ); } +MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_offered_psks_check_binder_match( mbedtls_ssl_context *ssl, const unsigned char *binder, @@ -201,6 +204,7 @@ static int ssl_tls13_offered_psks_check_binder_match( * }; * } PreSharedKeyExtension; */ +MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_parse_offered_psks_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, const unsigned char *end ) From bb852029f4d18290be111c943b290d173d72d09b Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 20 Jul 2022 21:10:44 +0800 Subject: [PATCH 08/19] fix naming issues Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 6280f72eb3..4d8302bc0b 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -205,9 +205,9 @@ static int ssl_tls13_offered_psks_check_binder_match( * } PreSharedKeyExtension; */ MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_parse_offered_psks_ext( mbedtls_ssl_context *ssl, - const unsigned char *buf, - const unsigned char *end ) +static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl, + const unsigned char *buf, + const unsigned char *end ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; const unsigned char *p = buf; @@ -238,6 +238,7 @@ static int ssl_tls13_parse_offered_psks_ext( mbedtls_ssl_context *ssl, { uint16_t identity_len; const unsigned char *identity; + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, identities_end, 2 ); identity_len = MBEDTLS_GET_UINT16_BE( p, 0 ); p += 2; 
@@ -375,10 +376,10 @@ exit_failue: * } * } PreSharedKeyExtension; */ -static int ssl_tls13_write_selected_identity_ext( mbedtls_ssl_context *ssl, - unsigned char *buf, - unsigned char *end, - size_t *olen ) +static int ssl_tls13_write_server_pre_shared_key_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + unsigned char *end, + size_t *olen ) { unsigned char *p = (unsigned char*)buf; size_t selected_identity; @@ -1223,12 +1224,12 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, { ssl->handshake->update_checksum( ssl, buf, pre_shared_key_ext_start - buf ); - ret = ssl_tls13_parse_offered_psks_ext( ssl, - pre_shared_key_ext_start, - pre_shared_key_ext_end ); + ret = ssl_tls13_parse_pre_shared_key_ext( ssl, + pre_shared_key_ext_start, + pre_shared_key_ext_end ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_tls13_parse_offered_psks_ext" ), + MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_tls13_parse_pre_shared_key_ext" ), ret ); return( ret ); } @@ -1705,10 +1706,10 @@ static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl, mbedtls_ssl_tls13_some_psk_enabled( ssl ) ) ); if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) ) { - ret = ssl_tls13_write_selected_identity_ext( ssl, p, end, &output_len ); + ret = ssl_tls13_write_server_pre_shared_key_ext( ssl, p, end, &output_len ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_selected_identity_ext", + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_server_pre_shared_key_ext", ret ); return( ret ); } From daf375aa8be4658a92e3b917fef353ac4a47d750 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 20 Jul 2022 21:31:43 +0800 Subject: [PATCH 09/19] fix issues of check_binder_match Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 4d8302bc0b..c50b20265a 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c 
@@ -146,14 +146,11 @@ static int ssl_tls13_offered_psks_check_binder_match( mbedtls_md_type_t md_alg = binder_len == 32 ? MBEDTLS_MD_SHA256 : MBEDTLS_MD_SHA384 ; psa_algorithm_t psa_md_alg = mbedtls_psa_translate_md( md_alg ); - unsigned char transcript[MBEDTLS_MD_MAX_SIZE]; + unsigned char transcript[PSA_HASH_MAX_SIZE]; size_t transcript_len; - unsigned char server_computed_binder[MBEDTLS_MD_MAX_SIZE]; + unsigned char server_computed_binder[PSA_HASH_MAX_SIZE]; - if( ssl->handshake->resume == 1 ) - psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION; - else - psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL; + psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL; /* Get current state of handshake transcript. */ ret = mbedtls_ssl_get_handshake_transcript( ssl, md_alg, @@ -182,6 +179,8 @@ static int ssl_tls13_offered_psks_check_binder_match( return( SSL_TLS1_3_OFFERED_PSK_MATCH ); } + mbedtls_platform_zeroize( server_computed_binder, + sizeof( server_computed_binder ) ); return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH ); } /* Parser for pre_shared_key extension in client hello From 352cd7db59d431437ec9f780cd1ecd3da69e6856 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 20 Jul 2022 22:11:00 +0800 Subject: [PATCH 10/19] fix various issues Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 29 ++++++++++++++--------------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index c50b20265a..89a718b4d4 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -128,8 +128,6 @@ static int ssl_tls13_offered_psks_check_identity_match( return( SSL_TLS1_3_OFFERED_PSK_MATCH ); } - /* Add session ticket here */ - return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH ); } 
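Review bot: The mbedtls_platform_zeroize of server_computed_binder added in the `@@ -182` hunk runs only on the not-matched path; the `return( SSL_TLS1_3_OFFERED_PSK_MATCH )` just above it leaves the same buffer on the stack, so the cleanup is applied inconsistently. Since the received binder arrives in the clear in the ClientHello this is hygiene rather than a secret leak, but then it should be done uniformly: fold both outcomes into one exit, `ret = ( mbedtls_ct_memcmp( server_computed_binder, binder, binder_len ) == 0 ) ? SSL_TLS1_3_OFFERED_PSK_MATCH : SSL_TLS1_3_OFFERED_PSK_NOT_MATCH;`, zeroize, then `return( ret );`. The start of ssl_tls13_offered_psks_check_binder_match lies outside both hunks.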
@@ -242,9 +240,10 @@ static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl, identity_len = MBEDTLS_GET_UINT16_BE( p, 0 ); p += 2; identity = p; - p += identity_len; - p += 4; // skip obfuscated_ticket_age - MBEDTLS_SSL_CHK_BUF_READ_PTR( identity, identities_end, identity_len ); + MBEDTLS_SSL_CHK_BUF_READ_PTR( identity, + identities_end, + identity_len + 4 ); + p += identity_len + 4; if( identity_matched == SSL_TLS1_3_OFFERED_PSK_MATCH ) continue; @@ -258,8 +257,8 @@ static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl, if( identity_matched != SSL_TLS1_3_OFFERED_PSK_MATCH ) { MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY ); + MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY, + MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ); return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ); } @@ -298,7 +297,7 @@ static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl, if( status != PSA_SUCCESS) { ret = psa_ssl_status_to_mbedtls( status ); - goto exit_failue; + goto exit_failure; } #else psk = ssl->handshake->psk; @@ -310,9 +309,9 @@ static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl, uint8_t binder_len; const unsigned char *binder; - MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 ); + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, binders_end, 1 ); binder_len = *p++; - MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, binder_len ); + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, binders_end, binder_len ); binder = p; p += binder_len; @@ -326,10 +325,10 @@ static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_offered_psks_check_binder_match" , binder_matched ); MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, + MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR, MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); ret = binder_matched; - goto exit_failue; + goto exit_failure; } } 
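Review bot: The `@@ -326` hunk switches the alert for a negative return from ssl_tls13_offered_psks_check_binder_match to MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR, but that branch covers internal failures (a failed transcript fetch or binder computation), while the branch that actually detects a non-matching binder, `if( binder_matched != SSL_TLS1_3_OFFERED_PSK_MATCH )` in the following `@@ -341` hunk, still pends MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE. RFC 8446 §6.2 lists a PSK binder that fails to validate under decrypt_error, so the two look swapped: the mismatch branch should pend `MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR` and the error-return branch can keep handshake_failure. ssl_tls13_parse_pre_shared_key_ext starts and ends outside these hunks.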
@@ -341,7 +340,7 @@ static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; - goto exit_failue; + goto exit_failure; } if( p != binders_end ) @@ -350,7 +349,7 @@ static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, MBEDTLS_ERR_SSL_DECODE_ERROR ); ret = MBEDTLS_ERR_SSL_DECODE_ERROR; - goto exit_failue; + goto exit_failure; } /* Update the handshake transcript with the binder list. */ @@ -359,7 +358,7 @@ static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl, (size_t)( p - identities_end ) ); ret = 0; -exit_failue: +exit_failure: #if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_free( (void *)psk ); #endif From 1c9247cff4292894af7c7ab931f7c1b82bc59b8d Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 21 Jul 2022 12:37:39 +0800 Subject: [PATCH 11/19] TLS 1.3: Add pre_share_key last ext check From RFC, pre_share_key must be the last one. Add check for it. And with/without psk, it should be check Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 89a718b4d4..d095fcae62 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c 
@@ -1037,6 +1037,23 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, size_t extension_data_len; const unsigned char *extension_data_end; + /* RFC 8446, page 57 + * + * The "pre_shared_key" extension MUST be the last extension in the + * ClientHello (this facilitates implementation as described below). + * Servers MUST check that it is the last extension and otherwise fail + * the handshake with an "illegal_parameter" alert. + */ + if( ssl->handshake->extensions_present & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) + { + MBEDTLS_SSL_DEBUG_MSG( + 3, ( "pre_shared_key is not last extension." ) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } + MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 ); extension_type = MBEDTLS_GET_UINT16_BE( p, 0 ); extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 ); @@ -1146,19 +1163,18 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, break; #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) ); +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) /* Delay processing of the PSK identity once we have * found out which algorithms to use. We keep a pointer * to the buffer and the size for later processing. */ pre_shared_key_ext_start = p; pre_shared_key_ext_end = extension_data_end; - +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY; break; -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ #if defined(MBEDTLS_SSL_ALPN) case MBEDTLS_TLS_EXT_ALPN: 
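Review bot: The new last-extension check pends an illegal_parameter alert but returns MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE, so the error code a caller sees does not describe what was detected; if the tree defines MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER, pair the alert with it: `MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );`. The check also rejects a second pre_shared_key extension, since the flag is already set when it is reached, which is the right coverage but not obvious from the RFC quote alone; a one-line comment such as `/* Also rejects a duplicated pre_shared_key extension. */` would make that explicit. ssl_tls13_parse_client_hello starts and ends outside this hunk.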
@@ -1231,13 +1247,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, ret ); return( ret ); } - /* If pre_shared_key is not last extension */ - if( p - pre_shared_key_ext_end ) - { - ssl->handshake->update_checksum( ssl, - pre_shared_key_ext_end, - p - pre_shared_key_ext_end ); - } } else #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ From 96a2e368dcc28056f240d88e5bc2195973ebf8a8 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 21 Jul 2022 15:11:34 +0800 Subject: [PATCH 12/19] TLS 1.3: Add pre-shared-key multiple psk parser Signed-off-by: Jerry Yu --- library/ssl_misc.h | 1 + library/ssl_tls13_server.c | 271 ++++++++++++++++++------------------- tests/ssl-opt.sh | 26 ++-- 3 files changed, 148 insertions(+), 150 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 381f0c4bfa..ecc2a62afe 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -680,6 +680,7 @@ struct mbedtls_ssl_handshake_params unsigned char *psk; /*!< PSK from the callback */ size_t psk_len; /*!< Length of PSK from callback */ #endif /* MBEDTLS_USE_PSA_CRYPTO */ + uint16_t selected_identity; #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index d095fcae62..d67f4534a7 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -119,6 +119,7 @@ static int ssl_tls13_offered_psks_check_identity_match( return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH ); } + MBEDTLS_SSL_DEBUG_BUF( 5, "identity", identity, identity_len ); /* Check identity with pre-configured psk */ if( identity_len == ssl->conf->psk_identity_len && mbedtls_ct_memcmp( ssl->conf->psk_identity, 
@@ -132,20 +133,59 @@ static int ssl_tls13_offered_psks_check_identity_match( } MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_offered_psks_check_binder_match( - mbedtls_ssl_context *ssl, - const unsigned char *binder, - uint16_t binder_len, - const unsigned char *psk, - size_t psk_len ) +static int ssl_tls13_get_psk( mbedtls_ssl_context *ssl, + const unsigned char **psk, + size_t *psk_len ) +{ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_status_t status; + + *psk_len = 0; + *psk = NULL; + + status = psa_get_key_attributes( ssl->handshake->psk_opaque, &key_attributes ); + if( status != PSA_SUCCESS) + { + return( psa_ssl_status_to_mbedtls( status ) ); + } + + *psk_len = PSA_BITS_TO_BYTES(psa_get_key_bits( &key_attributes ) ); + *psk = mbedtls_calloc( 1, *psk_len ); + if( *psk == NULL ) + { + return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); + } + + status = psa_export_key( ssl->handshake->psk_opaque, + (uint8_t *)*psk, *psk_len, psk_len ); + if( status != PSA_SUCCESS) + { + mbedtls_free( (void *)*psk ); + return( psa_ssl_status_to_mbedtls( status ) ); + } +#else + *psk = ssl->handshake->psk; + *psk_len = ssl->handshake->psk_len; +#endif /* !MBEDTLS_USE_PSA_CRYPTO */ + return( 0 ); +} + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_offered_psks_check_binder_match( mbedtls_ssl_context *ssl, + const unsigned char *binder, + uint16_t binder_len ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int psk_type; + mbedtls_md_type_t md_alg = binder_len == 32 ? MBEDTLS_MD_SHA256 : MBEDTLS_MD_SHA384 ; psa_algorithm_t psa_md_alg = mbedtls_psa_translate_md( md_alg ); unsigned char transcript[PSA_HASH_MAX_SIZE]; size_t transcript_len; + const unsigned char *psk; + size_t psk_len; unsigned char server_computed_binder[PSA_HASH_MAX_SIZE]; psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL; 
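Review bot: `md_alg` is picked by `binder_len == 32 ? MBEDTLS_MD_SHA256 : MBEDTLS_MD_SHA384`, so every length other than 32 is treated as a SHA-384 binder; `binder_len` is a single byte taken from the ClientHello (see the parser in this same patch), and the comparison later in this function, visible as context in PATCH 14, runs `mbedtls_ct_memcmp( server_computed_binder, binder, binder_len )` against a `PSA_HASH_MAX_SIZE` stack buffer, so a peer-supplied length above that size reads past the buffer. Reject unexpected lengths before any hashing: `if( binder_len != 32 && binder_len != 48 ) return( MBEDTLS_ERR_SSL_DECODE_ERROR );` (PATCH 14 later adds a `switch` with the same effect, so this concerns the intermediate state of the series). In `ssl_tls13_get_psk`, `psa_export_key` writes through `(uint8_t *)*psk`, casting away the `const` of the `const unsigned char **psk` parameter; the out-parameter should be `unsigned char **psk`, as PATCH 14 eventually makes it. ssl_tls13_offered_psks_check_binder_match continues past the end of this hunk.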
@@ -157,11 +197,17 @@ static int ssl_tls13_offered_psks_check_binder_match( if( ret != 0 ) return( ret ); + ret = ssl_tls13_get_psk( ssl, &psk, &psk_len ); + if( ret != 0 ) + return( ret ); + ret = mbedtls_ssl_tls13_create_psk_binder( ssl, psa_md_alg, psk, psk_len, psk_type, transcript, server_computed_binder ); - /* We do not check for multiple binders */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + mbedtls_free( (void*)psk ); +#endif if( ret != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "PSK binder calculation failed." ) ); @@ -181,6 +227,7 @@ static int ssl_tls13_offered_psks_check_binder_match( sizeof( server_computed_binder ) ); return( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH ); } + /* Parser for pre_shared_key extension in client hello * struct { * opaque identity<1..2^16-1>; 
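Review bot: The exported PSK is released with `mbedtls_free( (void*)psk )` immediately after `mbedtls_ssl_tls13_create_psk_binder` without being wiped, so the raw key material stays in freed heap memory; the export-failure path in `ssl_tls13_get_psk` (previous hunk) frees the partially written buffer the same way. Wipe before freeing, inside the same `#if defined(MBEDTLS_USE_PSA_CRYPTO)` block since the non-PSA branch returns a pointer the function does not own: `mbedtls_platform_zeroize( (void*)psk, psk_len ); mbedtls_free( (void*)psk );`. `psk_len` already holds the length written by `psa_export_key`, so it is the right size for the wipe. ssl_tls13_offered_psks_check_binder_match starts and ends outside this hunk.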
@@ -206,63 +253,89 @@ static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, const unsigned char *end ) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - const unsigned char *p = buf; + const unsigned char *next_identity = buf; uint16_t identities_len; const unsigned char *identities_end; - uint32_t identity_matched = SSL_TLS1_3_OFFERED_PSK_NOT_MATCH; + const unsigned char *next_binder; uint16_t binders_len; const unsigned char *binders_end; - unsigned char *psk = NULL; - size_t psk_len = 0; - int binder_matched = 0; -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_status_t status; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ + int matched_identity = -1; + int identity_id = -1; MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key extesion", buf, end - buf ); - /* identities >= 7 bytes */ - MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 7 ); + /* identities_len 2 bytes + * identities_data >= 7 bytes + */ + MBEDTLS_SSL_CHK_BUF_READ_PTR( next_identity, end, 7 + 2 ); + identities_len = MBEDTLS_GET_UINT16_BE( next_identity, 0 ); + next_identity += 2; + MBEDTLS_SSL_CHK_BUF_READ_PTR( next_identity, end, identities_len ); + identities_end = next_identity + identities_len; - identities_len = MBEDTLS_GET_UINT16_BE( p, 0 ); - p += 2; - MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, identities_len ); - identities_end = p + identities_len; + /* binders_len 2 bytes + * binders >= 33 bytes + */ + next_binder = identities_end; + MBEDTLS_SSL_CHK_BUF_READ_PTR( next_binder, end, 33 ); + binders_len = MBEDTLS_GET_UINT16_BE( next_binder, 0 ); + next_binder += 2; + MBEDTLS_SSL_CHK_BUF_READ_PTR( next_binder, end, binders_len ); + binders_end = next_binder + binders_len; - while( p < identities_end ) + ssl->handshake->update_checksum( ssl, buf, identities_end - buf ); + + while( next_identity < identities_end && next_binder < binders_end ) { - uint16_t identity_len; const unsigned char *identity; + uint16_t 
identity_len; + const unsigned char *binder; + uint16_t binder_len; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - MBEDTLS_SSL_CHK_BUF_READ_PTR( p, identities_end, 2 ); - identity_len = MBEDTLS_GET_UINT16_BE( p, 0 ); - p += 2; - identity = p; - MBEDTLS_SSL_CHK_BUF_READ_PTR( identity, + MBEDTLS_SSL_CHK_BUF_READ_PTR( next_identity, identities_end, 2 ); + identity_len = MBEDTLS_GET_UINT16_BE( next_identity, 0 ); + next_identity += 2; + identity = next_identity; + MBEDTLS_SSL_CHK_BUF_READ_PTR( next_identity, identities_end, identity_len + 4 ); - p += identity_len + 4; + next_identity += identity_len + 4; - if( identity_matched == SSL_TLS1_3_OFFERED_PSK_MATCH ) + MBEDTLS_SSL_CHK_BUF_READ_PTR( next_binder, binders_end, 2 ); + + binder_len = *next_binder++; + binder = next_binder; + MBEDTLS_SSL_CHK_BUF_READ_PTR( next_binder, binders_end, binder_len ); + next_binder += binder_len; + + identity_id++; + if( matched_identity != -1 ) continue; - MBEDTLS_SSL_DEBUG_BUF( 3, "received psk identity", - identity, identity_len ); - identity_matched = ssl_tls13_offered_psks_check_identity_match( - ssl, identity, identity_len ); + ret = ssl_tls13_offered_psks_check_identity_match( + ssl, identity, identity_len ); + if( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH == ret ) + continue; + + ret = ssl_tls13_offered_psks_check_binder_match( + ssl, binder, binder_len ); + if( ret < 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, + "ssl_tls13_offered_psks_check_binder_match" , ret ); + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR, + MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + return( ret ); + } + if( SSL_TLS1_3_OFFERED_PSK_NOT_MATCH == ret ) + continue; + + matched_identity = identity_id; } - if( identity_matched != SSL_TLS1_3_OFFERED_PSK_MATCH ) - { - MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY, - MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ); - return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ); - } - - if( p != identities_end ) + if( next_identity != identities_end || 
next_binder != binders_end ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key extesion decode error" ) ); MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, 
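Review bot: When an identity matches but `ssl_tls13_offered_psks_check_binder_match` returns `SSL_TLS1_3_OFFERED_PSK_NOT_MATCH`, the loop `continue`s to the next identity and, if nothing else matches, the function reports `MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY`; RFC 8446 §4.2.11 requires the server to abort the handshake when the binder for the PSK it selected does not validate, so a bad binder on a matched identity should take the fatal branch rather than being folded into the unknown-identity outcome, i.e. `if( ret != SSL_TLS1_3_OFFERED_PSK_MATCH ) { ... return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); }`. The binder-side check `MBEDTLS_SSL_CHK_BUF_READ_PTR( next_binder, binders_end, 2 )` reserves two bytes but only one is consumed before the `binder_len`-sized check; using the RFC minimum, `1 + 32`, mirrors the `33` used for the whole list above. ssl_tls13_parse_pre_shared_key_ext continues past this hunk.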
@@ -270,99 +343,23 @@ static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_DECODE_ERROR ); } - ssl->handshake->update_checksum( ssl, buf, p - buf ); - - /* binders >= 33 bytes */ - MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 33 ); - binders_len = MBEDTLS_GET_UINT16_BE( p, 0 ); - p += 2; - MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, binders_len ); - binders_end = p + binders_len; - -#if defined(MBEDTLS_USE_PSA_CRYPTO) - status = psa_get_key_attributes( ssl->handshake->psk_opaque, - &key_attributes ); - if( status != PSA_SUCCESS) + if( matched_identity == -1 ) { - return( psa_ssl_status_to_mbedtls( status ) ); - } - - psk_len = PSA_BITS_TO_BYTES(psa_get_key_bits( &key_attributes ) ); - psk = mbedtls_calloc( 1, psk_len ); - if( psk == NULL ) - { - return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); - } - status = psa_export_key(ssl->handshake->psk_opaque, psk, psk_len, &psk_len ); - if( status != PSA_SUCCESS) - { - ret = psa_ssl_status_to_mbedtls( status ); - goto exit_failure; - } -#else - psk = ssl->handshake->psk; - psk_len = ssl->handshake->psk_len; -#endif /* !MBEDTLS_USE_PSA_CRYPTO */ - - while( p < binders_end ) - { - uint8_t binder_len; - const unsigned char *binder; - - MBEDTLS_SSL_CHK_BUF_READ_PTR( p, binders_end, 1 ); - binder_len = *p++; - MBEDTLS_SSL_CHK_BUF_READ_PTR( p, binders_end, binder_len ); - binder = p; - p += binder_len; - - if( binder_matched == SSL_TLS1_3_OFFERED_PSK_MATCH) - continue; - - binder_matched = ssl_tls13_offered_psks_check_binder_match( - ssl, binder, binder_len, psk, psk_len ); - if( binder_matched < 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, - "ssl_tls13_offered_psks_check_binder_match" , binder_matched ); - MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR, - MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - ret = binder_matched; - goto exit_failure; - } - } - - if( binder_matched != SSL_TLS1_3_OFFERED_PSK_MATCH ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, - ( "Received psk binder does not match computed psk binder." 
) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "No matched pre shared key found" ) ); MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, - MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; - goto exit_failure; + MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY, + MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ); + return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY ); } - if( p != binders_end ) - { - MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key extesion decode error" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, - MBEDTLS_ERR_SSL_DECODE_ERROR ); - ret = MBEDTLS_ERR_SSL_DECODE_ERROR; - goto exit_failure; - } + ssl->handshake->selected_identity = (uint16_t)matched_identity; + MBEDTLS_SSL_DEBUG_MSG( 3, ( "Pre shared key found" ) ); /* Update the handshake transcript with the binder list. */ ssl->handshake->update_checksum( ssl, identities_end, - (size_t)( p - identities_end ) ); - ret = 0; - -exit_failure: -#if defined(MBEDTLS_USE_PSA_CRYPTO) - mbedtls_free( (void *)psk ); -#endif - return( ret ); + (size_t)( binders_end - identities_end ) ); + return( 0 ); } /* @@ -380,7 +377,6 @@ static int ssl_tls13_write_server_pre_shared_key_ext( mbedtls_ssl_context *ssl, size_t *olen ) { unsigned char *p = (unsigned char*)buf; - size_t selected_identity; *olen = 0; @@ -401,15 +397,12 @@ static int ssl_tls13_write_server_pre_shared_key_ext( mbedtls_ssl_context *ssl, MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0 ); MBEDTLS_PUT_UINT16_BE( 2, p, 2 ); - /* NOTE: This will need to be adjusted once we support multiple PSKs - * being offered by the client. */ - selected_identity = 0; - MBEDTLS_PUT_UINT16_BE( selected_identity, p, 4 ); + MBEDTLS_PUT_UINT16_BE( ssl->handshake->selected_identity, p, 4 ); *olen = 6; - MBEDTLS_SSL_DEBUG_MSG( 4, ( "sent selected_identity: %" MBEDTLS_PRINTF_SIZET, - selected_identity ) ); + MBEDTLS_SSL_DEBUG_MSG( 4, ( "sent selected_identity: %u", + ssl->handshake->selected_identity ) ); return( 0 ); } 
@@ -1709,9 +1702,7 @@ static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) - MBEDTLS_SSL_DEBUG_MSG( 2, ( " mbedtls_ssl_tls13_some_psk_enabled %d", - mbedtls_ssl_tls13_some_psk_enabled( ssl ) ) ); - if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) ) + if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) ) { ret = ssl_tls13_write_server_pre_shared_key_ext( ssl, p, end, &output_len ); if( ret != 0 ) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 942d705242..24f14e3f54 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
@@ -2286,30 +2286,36 @@ run_test "TLS 1.3: key exchange mode parameter passing: All" \ requires_openssl_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_DEBUG_C -run_test "TLS 1.3: psk_key_exchange_modes: basic check, O->m" \ - "$P_SRV force_version=tls13 debug_level=5" \ - "$O_NEXT_CLI -tls1_3 -psk 6162636465666768696a6b6c6d6e6f70 -allow_no_dhe_kex" \ - 0 \ +run_test "TLS 1.3: PSK: basic check, O->m" \ + "$P_SRV force_version=tls13 tls13_kex_modes=psk debug_level=5 psk=6162636465666768696a6b6c6d6e6f70" \ + "$O_NEXT_CLI -tls1_3 -psk 1234 -psk 6162636465666768696a6b6c6d6e6f70 -allow_no_dhe_kex" \ + 1 \ -s "found psk key exchange modes extension" \ + -s "found pre_shared_key extension" \ -s "Found PSK_EPHEMERAL KEX MODE" \ - -s "Found PSK KEX MODE" + -s "Found PSK KEX MODE" \ + -s "Pre shared key found" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_DEBUG_C -run_test "TLS 1.3: psk_key_exchange_modes: basic check, G->m" \ - "$P_SRV force_version=tls13 debug_level=5" \ - "$G_NEXT_CLI --priority NORMAL:-VERS-ALL:+VERS-TLS1.3 \ +run_test "TLS 1.3: PSK: basic check, G->m" \ + "$P_SRV force_version=tls13 tls13_kex_modes=psk debug_level=5 psk=6162636465666768696a6b6c6d6e6f70" \ + "$G_NEXT_CLI --priority NORMAL:-VERS-ALL:+KX-ALL:+PSK:+DHE-PSK:+VERS-TLS1.3 \ --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70 \ localhost" \ - 0 \ + 1 \ -s "found psk key exchange modes extension" \ + -s "found pre_shared_key extension" \ -s "Found PSK_EPHEMERAL KEX MODE" \ - -s "Found PSK KEX MODE" + -s "Found PSK KEX MODE" \ + -s "Pre shared key found" # Tests 
for datagram packing requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 From 77f0148e114877e8a53faf804567d84cc2715353 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 11 Jul 2022 07:03:24 +0000 Subject: [PATCH 13/19] Add psk/psk_ephemeral key exchange check Signed-off-by: Jerry Yu --- include/mbedtls/ssl.h | 2 + library/ssl_tls13_server.c | 138 ++++++++++++++++++++++++++++++------- 2 files changed, 114 insertions(+), 26 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index e665ec1b7b..bc09e7a186 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -250,6 +250,8 @@ ( MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL | \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) /*!< All ephemeral TLS 1.3 key exchanges */ +#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE ( 0 ) + /* * Various constants */ diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index d67f4534a7..bf49af21b4 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c 
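Review bot: Both rewritten PSK tests now expect exit status `1` while also asserting that the server logs "Pre shared key found", and nothing in the test explains why a run in which the PSK is found is expected to fail. If the intent is that the server-side TLS 1.3 PSK handshake is not complete at this point in the series, a comment above each `run_test`, e.g. `# Server-side TLS 1.3 PSK handshake is not finished yet; the run is expected to fail after PSK selection`, would stop a later reader from treating the `1` as the desired end state. The GnuTLS priority string gains `+KX-ALL:+PSK:+DHE-PSK` without a note either; one clause in the same comment would cover it.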
@@ -692,24 +692,121 @@ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( mbedtls_ssl_context *ssl ) { - return( ssl_tls13_client_hello_has_exts( ssl, - MBEDTLS_SSL_EXT_SUPPORTED_GROUPS | - MBEDTLS_SSL_EXT_KEY_SHARE | - MBEDTLS_SSL_EXT_SIG_ALG ) ); + return( ssl_tls13_client_hello_has_exts( + ssl, + MBEDTLS_SSL_EXT_SUPPORTED_GROUPS | + MBEDTLS_SSL_EXT_KEY_SHARE | + MBEDTLS_SSL_EXT_SIG_ALG ) ); } +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_client_hello_has_exts_for_psk_key_exchange( + mbedtls_ssl_context *ssl ) +{ + return( ssl_tls13_client_hello_has_exts( + ssl, + MBEDTLS_SSL_EXT_PRE_SHARED_KEY | + MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) ); +} + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange( + mbedtls_ssl_context *ssl ) +{ + return( ssl_tls13_client_hello_has_exts( + ssl, + MBEDTLS_SSL_EXT_SUPPORTED_GROUPS | + MBEDTLS_SSL_EXT_KEY_SHARE | + MBEDTLS_SSL_EXT_PRE_SHARED_KEY | + MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) ); +} +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ + MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl ) { - if( !mbedtls_ssl_conf_tls13_ephemeral_enabled( ssl ) ) - return( 0 ); + return( mbedtls_ssl_conf_tls13_ephemeral_enabled( ssl ) && + ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( ssl ) ); +} - if( !ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange( ssl ) ) - return( 0 ); +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_check_psk_key_exchange( mbedtls_ssl_context *ssl ) +{ +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) + return( mbedtls_ssl_conf_tls13_psk_enabled( ssl ) && + mbedtls_ssl_tls13_psk_enabled( ssl ) && + ssl_tls13_client_hello_has_exts_for_psk_key_exchange( ssl ) ); +#else + ((void) ssl); + return( 0 ); +#endif +} + +MBEDTLS_CHECK_RETURN_CRITICAL +static int 
ssl_tls13_check_psk_ephemeral_key_exchange( mbedtls_ssl_context *ssl ) +{ +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) + return( mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( ssl ) && + mbedtls_ssl_tls13_psk_ephemeral_enabled( ssl ) && + ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange( ssl ) ); +#else + ((void) ssl); + return( 0 ); +#endif +} + +static int ssl_tls13_determine_key_exchange_mode( mbedtls_ssl_context *ssl ) +{ + /* + * Determine the key exchange algorithm to use. + * There are three types of key exchanges supported in TLS 1.3: + * - (EC)DH with ECDSA, + * - (EC)DH with PSK, + * - plain PSK. + * + * The PSK-based key exchanges may additionally be used with 0-RTT. + * + * Our built-in order of preference is + * 1 ) Plain PSK Mode ( psk ) + * 2 ) (EC)DHE-PSK Mode ( psk_ephemeral ) + * 3 ) Certificate Mode ( ephemeral ) + */ + + ssl->handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE; + + if( ssl_tls13_check_psk_key_exchange( ssl ) ) + { + ssl->handshake->key_exchange_mode = + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK; + MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: psk" ) ); + } + else + if( ssl_tls13_check_psk_ephemeral_key_exchange( ssl ) ) + { + ssl->handshake->key_exchange_mode = + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL; + MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: psk_ephemeral" ) ); + } + else + if( ssl_tls13_check_ephemeral_key_exchange( ssl ) ) + { + ssl->handshake->key_exchange_mode = + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL; + MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: ephemeral" ) ); + } + else + { + MBEDTLS_SSL_DEBUG_MSG( + 1, + ( "ClientHello message misses mandatory extensions." 
) ); + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION , + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + } + + return( 0 ); - ssl->handshake->key_exchange_mode = - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL; - return( 1 ); } #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ @@ -1216,6 +1313,9 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, ssl_tls13_debug_print_client_hello_exts( ssl ); #endif /* MBEDTLS_DEBUG_C */ + ret = ssl_tls13_determine_key_exchange_mode( ssl ); + if( ret < 0 ) + return( ret ); mbedtls_ssl_add_hs_hdr_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, p - buf ); @@ -1226,8 +1326,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, * - The content up to but excluding the PSK extension, if present. */ /* If we've settled on a PSK-based exchange, parse PSK identity ext */ - if( mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) && - ( ssl->handshake->extensions_present & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) ) + if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) ) { ssl->handshake->update_checksum( ssl, buf, pre_shared_key_ext_start - buf ); @@ -1257,19 +1356,6 @@ static int ssl_tls13_postprocess_client_hello( mbedtls_ssl_context* ssl ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - /* - * Here we only support the ephemeral or (EC)DHE key echange mode - */ - if( !ssl_tls13_check_ephemeral_key_exchange( ssl ) ) - { - MBEDTLS_SSL_DEBUG_MSG( - 1, - ( "ClientHello message misses mandatory extensions." ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_MISSING_EXTENSION , - MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); - return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); - } - /* * Server certificate selection */ From 2f0abc94d86eb2091b7abd100d6ec9ecc7947dfc Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 22 Jul 2022 19:34:48 +0800 Subject: [PATCH 14/19] fix typo/type/format issues 
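Review bot: `ssl_tls13_determine_key_exchange_mode` returns an error code that callers must check, but unlike the four other helpers added in this hunk it is not marked `MBEDTLS_CHECK_RETURN_CRITICAL`; add the attribute on the line above `static int ssl_tls13_determine_key_exchange_mode( mbedtls_ssl_context *ssl )`. The fallthrough message `ClientHello message misses mandatory extensions.` is now also reached when the peer's extensions are fine but the matching mode is disabled by `mbedtls_ssl_conf_tls13_*_enabled`, so it can mislead; `( "no enabled key exchange mode matches the extensions offered by the peer" )` covers both causes. The `else` on one line followed by `if( ... )` on the next reads as two statements; `else if( ... )` is the usual form in this file. In the third hunk the call is placed before the pre_shared_key extension is parsed, so a PSK mode is selected before any offered identity has been validated against the configured PSK; worth confirming that ordering is intended. The enclosing functions start and end outside these hunks.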
Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 35 +++++++++++++++++++++++------------ 1 file changed, 23 insertions(+), 12 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index bf49af21b4..bbc8535790 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -106,7 +106,7 @@ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_offered_psks_check_identity_match( mbedtls_ssl_context *ssl, const unsigned char *identity, - uint16_t identity_len ) + size_t identity_len ) { /* Check identity with external configured function */ if( ssl->conf->f_psk != NULL ) @@ -121,7 +121,8 @@ static int ssl_tls13_offered_psks_check_identity_match( MBEDTLS_SSL_DEBUG_BUF( 5, "identity", identity, identity_len ); /* Check identity with pre-configured psk */ - if( identity_len == ssl->conf->psk_identity_len && + if( ssl->conf->psk_identity != NULL && + identity_len == ssl->conf->psk_identity_len && mbedtls_ct_memcmp( ssl->conf->psk_identity, identity, identity_len ) == 0 ) { @@ -134,7 +135,7 @@ static int ssl_tls13_offered_psks_check_identity_match( MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_get_psk( mbedtls_ssl_context *ssl, - const unsigned char **psk, + unsigned char **psk, size_t *psk_len ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -150,7 +151,7 @@ static int ssl_tls13_get_psk( mbedtls_ssl_context *ssl, return( psa_ssl_status_to_mbedtls( status ) ); } - *psk_len = PSA_BITS_TO_BYTES(psa_get_key_bits( &key_attributes ) ); + *psk_len = PSA_BITS_TO_BYTES( psa_get_key_bits( &key_attributes ) ); *psk = mbedtls_calloc( 1, *psk_len ); if( *psk == NULL ) { 
@@ -174,22 +175,32 @@ static int ssl_tls13_get_psk( mbedtls_ssl_context *ssl, MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_offered_psks_check_binder_match( mbedtls_ssl_context *ssl, const unsigned char *binder, - uint16_t binder_len ) + size_t binder_len ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int psk_type; - mbedtls_md_type_t md_alg = - binder_len == 32 ? MBEDTLS_MD_SHA256 : MBEDTLS_MD_SHA384 ; - psa_algorithm_t psa_md_alg = mbedtls_psa_translate_md( md_alg ); + mbedtls_md_type_t md_alg; + psa_algorithm_t psa_md_alg; unsigned char transcript[PSA_HASH_MAX_SIZE]; size_t transcript_len; - const unsigned char *psk; + unsigned char *psk; size_t psk_len; unsigned char server_computed_binder[PSA_HASH_MAX_SIZE]; psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL; - + switch( binder_len ) + { + case 32: + md_alg = MBEDTLS_MD_SHA256; + break; + case 48: + md_alg = MBEDTLS_MD_SHA384; + break; + default: + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + psa_md_alg = mbedtls_psa_translate_md( md_alg ); /* Get current state of handshake transcript. */ ret = mbedtls_ssl_get_handshake_transcript( ssl, md_alg, transcript, sizeof( transcript ), @@ -215,7 +226,7 @@ static int ssl_tls13_offered_psks_check_binder_match( mbedtls_ssl_context *ssl, } MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder ( computed ): ", - server_computed_binder, binder_len ); + server_computed_binder, transcript_len ); MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder ( received ): ", binder, binder_len ); if( mbedtls_ct_memcmp( server_computed_binder, binder, binder_len ) == 0 ) @@ -262,7 +273,7 @@ static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl, int matched_identity = -1; int identity_id = -1; - MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key extesion", buf, end - buf ); + MBEDTLS_SSL_DEBUG_BUF( 3, "pre_shared_key extension", buf, end - buf ); /* identities_len 2 bytes * identities_data >= 7 bytes From 568ec2502ab02c492c3c5b7a298a3ccb698e033e Mon Sep 17 00:00:00 2001 
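Review bot: The new `switch( binder_len )` returns `MBEDTLS_ERR_SSL_INTERNAL_ERROR` for any length other than 32 or 48, but `binder_len` is read from the peer's ClientHello rather than being an internal invariant, so an unsupported or malformed binder is misclassified as a fault in our own code. `default: return( MBEDTLS_ERR_SSL_DECODE_ERROR );` names the actual condition and lets the caller, which already pends an alert on a negative return, report it correctly. PATCH 15 in this series rewrites this `default` again, to an alert constant, which has its own problem. ssl_tls13_offered_psks_check_binder_match continues past the end of this hunk.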
From: Jerry Yu Date: Fri, 22 Jul 2022 21:27:34 +0800 Subject: [PATCH 15/19] fix format/name issues Signed-off-by: Jerry Yu --- library/ssl_tls.c | 4 ++ library/ssl_tls13_server.c | 81 +++++++++++++++++++------------------- 2 files changed, 44 insertions(+), 41 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index cf9583ccb7..292e931355 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1710,8 +1710,12 @@ int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl, else alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT ); +#else + psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE ); +#endif psa_set_key_algorithm( &key_attributes, alg ); psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE ); diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index bbc8535790..c5aacc3df9 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -191,14 +191,14 @@ static int ssl_tls13_offered_psks_check_binder_match( mbedtls_ssl_context *ssl, psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL; switch( binder_len ) { - case 32: - md_alg = MBEDTLS_MD_SHA256; - break; - case 48: - md_alg = MBEDTLS_MD_SHA384; - break; - default: - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + case 32: + md_alg = MBEDTLS_MD_SHA256; + break; + case 48: + md_alg = MBEDTLS_MD_SHA384; + break; + default: + return( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR ); } psa_md_alg = mbedtls_psa_translate_md( md_alg ); /* Get current state of handshake transcript. */ 
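Review bot: `default: return( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );` returns an alert-description constant from a function whose other returns are `MBEDTLS_ERR_` codes or the match sentinels; alert descriptions are small positive numbers, so the caller's `ret != SSL_TLS1_3_OFFERED_PSK_MATCH` test (changed later in this same patch) does fire, but if that branch still ends with `return( ret )` as in PATCH 12 it propagates a positive non-error value up the stack. Return a real error code for a wire-supplied length, `default: return( MBEDTLS_ERR_SSL_DECODE_ERROR );`, and leave alert selection to the caller that already pends one. In the ssl_tls.c hunk the TLS 1.3 build now grants `PSA_KEY_USAGE_EXPORT` on the PSK key, which widens what can be done with an otherwise opaque key; a comment on that line, `/* TLS 1.3 exports the PSK to compute binders (see ssl_tls13_get_psk) */`, records why the flag is there so it is not removed as an apparent hardening fix. Both enclosing functions start and end outside these hunks.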
@@ -264,11 +264,13 @@ static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, const unsigned char *end ) { - const unsigned char *next_identity = buf; - uint16_t identities_len; + const unsigned char *identities = buf; + const unsigned char *p_identity_len; + size_t identities_len; const unsigned char *identities_end; - const unsigned char *next_binder; - uint16_t binders_len; + const unsigned char *binders; + const unsigned char *p_binder_len; + size_t binders_len; const unsigned char *binders_end; int matched_identity = -1; int identity_id = -1; 
@@ -278,47 +280,44 @@ static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl, /* identities_len 2 bytes * identities_data >= 7 bytes */ - MBEDTLS_SSL_CHK_BUF_READ_PTR( next_identity, end, 7 + 2 ); - identities_len = MBEDTLS_GET_UINT16_BE( next_identity, 0 ); - next_identity += 2; - MBEDTLS_SSL_CHK_BUF_READ_PTR( next_identity, end, identities_len ); - identities_end = next_identity + identities_len; + MBEDTLS_SSL_CHK_BUF_READ_PTR( identities, end, 7 + 2 ); + identities_len = MBEDTLS_GET_UINT16_BE( identities, 0 ); + p_identity_len = identities + 2; + MBEDTLS_SSL_CHK_BUF_READ_PTR( p_identity_len, end, identities_len ); + identities_end = p_identity_len + identities_len; /* binders_len 2 bytes * binders >= 33 bytes */ - next_binder = identities_end; - MBEDTLS_SSL_CHK_BUF_READ_PTR( next_binder, end, 33 ); - binders_len = MBEDTLS_GET_UINT16_BE( next_binder, 0 ); - next_binder += 2; - MBEDTLS_SSL_CHK_BUF_READ_PTR( next_binder, end, binders_len ); - binders_end = next_binder + binders_len; + binders = identities_end; + MBEDTLS_SSL_CHK_BUF_READ_PTR( binders, end, 33 ); + binders_len = MBEDTLS_GET_UINT16_BE( binders, 0 ); + p_binder_len = binders + 2; + MBEDTLS_SSL_CHK_BUF_READ_PTR( p_binder_len, end, binders_len ); + binders_end = p_binder_len + binders_len; ssl->handshake->update_checksum( ssl, buf, identities_end - buf ); - while( next_identity < identities_end && next_binder < binders_end ) + while( p_identity_len < identities_end && p_binder_len < binders_end ) { const unsigned char *identity; - uint16_t identity_len; + size_t identity_len; const unsigned char *binder; - uint16_t binder_len; + size_t binder_len; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - MBEDTLS_SSL_CHK_BUF_READ_PTR( next_identity, identities_end, 2 ); - identity_len = MBEDTLS_GET_UINT16_BE( next_identity, 0 ); - next_identity += 2; - identity = next_identity; - MBEDTLS_SSL_CHK_BUF_READ_PTR( next_identity, - identities_end, - identity_len + 4 ); - next_identity += identity_len 
+ 4; + MBEDTLS_SSL_CHK_BUF_READ_PTR( p_identity_len, identities_end, 2 + 1 + 4 ); + identity_len = MBEDTLS_GET_UINT16_BE( p_identity_len, 0 ); + identity = p_identity_len + 2; + MBEDTLS_SSL_CHK_BUF_READ_PTR( identity, identities_end, identity_len + 4 ); + p_identity_len += identity_len + 6; - MBEDTLS_SSL_CHK_BUF_READ_PTR( next_binder, binders_end, 2 ); + MBEDTLS_SSL_CHK_BUF_READ_PTR( p_binder_len, binders_end, 1 + 32 ); + binder_len = *p_binder_len; + binder = p_binder_len + 1; + MBEDTLS_SSL_CHK_BUF_READ_PTR( binder, binders_end, binder_len ); + p_binder_len += binder_len + 1; - binder_len = *next_binder++; - binder = next_binder; - MBEDTLS_SSL_CHK_BUF_READ_PTR( next_binder, binders_end, binder_len ); - next_binder += binder_len; identity_id++; if( matched_identity != -1 ) @@ -331,7 +330,7 @@ static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl, ret = ssl_tls13_offered_psks_check_binder_match( ssl, binder, binder_len ); - if( ret < 0 ) + if( ret != SSL_TLS1_3_OFFERED_PSK_MATCH ) { MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_offered_psks_check_binder_match" , ret ); @@ -346,7 +345,7 @@ static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl, matched_identity = identity_id; } - if( next_identity != identities_end || next_binder != binders_end ) + if( p_identity_len != identities_end || p_binder_len != binders_end ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key extesion decode error" ) ); MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, From ba9b6e9e5334a40104c03809c56355527ec0c4eb Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 22 Jul 2022 21:35:18 +0800 Subject: [PATCH 16/19] fix unkown identity case Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index c5aacc3df9..28e99d5d6f 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c 
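Review bot: With `if( ret != SSL_TLS1_3_OFFERED_PSK_MATCH )` a binder that merely fails to match now takes the fatal branch, which is the right outcome, but the branch body (outside this hunk, as written in PATCH 12) still ends with `return( ret )`, so `ssl_tls13_parse_pre_shared_key_ext` hands the `SSL_TLS1_3_OFFERED_PSK_NOT_MATCH` sentinel to its caller instead of an `MBEDTLS_ERR_` code. Return the error that matches the pended alert: `return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );`. In the `@@ -346` hunk the debug string `pre_shared_key extesion decode error` keeps the typo that PATCH 14 fixed in the other message; as this commit is a format/name pass it belongs here too. The `2 + 1 + 4` and `1 + 32` minimums in the first hunk encode the RFC lower bounds (identity<1..2^16-1> per the parser comment, 32-byte binders); a comment such as `/* identity_len(2) + identity(>=1) + obfuscated_ticket_age(4) */` makes the arithmetic self-explanatory. ssl_tls13_parse_pre_shared_key_ext starts and ends outside these hunks.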
@@ -356,9 +356,6 @@ static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl,
 if( matched_identity == -1 )
 {
 MBEDTLS_SSL_DEBUG_MSG( 3, ( "No matched pre shared key found" ) );
- MBEDTLS_SSL_PEND_FATAL_ALERT(
- MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY,
- MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
 return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
 }
@@ -1317,15 +1314,11 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
 p += extension_data_len;
 }
-
 #if defined(MBEDTLS_DEBUG_C)
 /* List all the extensions we have received */
 ssl_tls13_debug_print_client_hello_exts( ssl );
 #endif /* MBEDTLS_DEBUG_C */
- ret = ssl_tls13_determine_key_exchange_mode( ssl );
- if( ret < 0 )
- return( ret );
 mbedtls_ssl_add_hs_hdr_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, p - buf );
@@ -1336,14 +1329,18 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
 * - The content up to but excluding the PSK extension, if present.
 */
 /* If we've settled on a PSK-based exchange, parse PSK identity ext */
- if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
+ if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) &&
+ ( ssl->handshake->extensions_present & MBEDTLS_SSL_EXT_PRE_SHARED_KEY ) )
 {
 ssl->handshake->update_checksum( ssl, buf, pre_shared_key_ext_start - buf );
 ret = ssl_tls13_parse_pre_shared_key_ext( ssl, pre_shared_key_ext_start, pre_shared_key_ext_end );
- if( ret != 0 )
+ if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY)
+ {
+ ssl->handshake->extensions_present &= ~MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
+ }else if( ret != 0 )
 {
 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_tls13_parse_pre_shared_key_ext" ), ret );
@@ -1356,6 +1353,10 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
 ssl->handshake->update_checksum( ssl, buf, p - buf );
 }
+ ret = ssl_tls13_determine_key_exchange_mode( ssl );
+ if( ret < 0 )
+ return( ret );
+
 return( hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK );
 }
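Review bot: When ssl_tls13_parse_pre_shared_key_ext returns MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY, the new branch in the third hunk only clears MBEDTLS_SSL_EXT_PRE_SHARED_KEY and continues, but nothing on that path hashes the rest of the ClientHello: this branch adds the bytes before the extension (`pre_shared_key_ext_start - buf`), the parser adds the identity list, and as of this commit the binder list is only added after a successful match, since the first hunk returns right after "No matched pre shared key found" and the binder-list checksum update sits below that return. A client offering an unknown PSK would therefore presumably continue as a non-PSK handshake with an incomplete transcript; PATCH 18/19 later in this series moves the binder-list update ahead of the early return. Independently, the silent downgrade deserves a debug line inside the new block, e.g. `MBEDTLS_SSL_DEBUG_MSG( 2, ( "no matching PSK identity, continuing without PSK" ) );`, and `}else if( ret != 0 )` should be split into `}` and `else if( ret != 0 )` as elsewhere in the file (also done in PATCH 18/19). ssl_tls13_parse_client_hello begins before and ends after these hunks.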
From ce6ed7076aade44e355dbf540c520bf68f661f57 Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Fri, 22 Jul 2022 21:49:53 +0800
Subject: [PATCH 17/19] Change the order of key_exchange determine
Signed-off-by: Jerry Yu
---
 library/ssl_tls13_server.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 28e99d5d6f..10e9bb7b0b 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -775,20 +775,13 @@ static int ssl_tls13_determine_key_exchange_mode( mbedtls_ssl_context *ssl )
 * The PSK-based key exchanges may additionally be used with 0-RTT.
 *
 * Our built-in order of preference is
- * 1 ) Plain PSK Mode ( psk )
- * 2 ) (EC)DHE-PSK Mode ( psk_ephemeral )
- * 3 ) Certificate Mode ( ephemeral )
+ * 1 ) (EC)DHE-PSK Mode ( psk_ephemeral )
+ * 2 ) Certificate Mode ( ephemeral )
+ * 3 ) Plain PSK Mode ( psk )
 */
 ssl->handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE;
- if( ssl_tls13_check_psk_key_exchange( ssl ) )
- {
- ssl->handshake->key_exchange_mode =
- MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: psk" ) );
- }
- else
 if( ssl_tls13_check_psk_ephemeral_key_exchange( ssl ) )
 {
 ssl->handshake->key_exchange_mode =
@@ -803,6 +796,13 @@ static int ssl_tls13_determine_key_exchange_mode( mbedtls_ssl_context *ssl )
 MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: ephemeral" ) );
 }
 else
+ if( ssl_tls13_check_psk_key_exchange( ssl ) )
+ {
+ ssl->handshake->key_exchange_mode =
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "key exchange mode: psk" ) );
+ }
+ else
 {
 MBEDTLS_SSL_DEBUG_MSG( 1,
From 6f1db3fc921373ff4e0147b1fc6acf285aecc2e9 Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Fri, 22 Jul 2022 23:05:59 +0800
Subject: [PATCH 18/19] fix format and potential non-PSK fail issue
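Review bot: The preference comment rewritten in the first hunk now lists psk_ephemeral, ephemeral, psk, but neither it nor the branch moved to the end in the second hunk says why plain PSK was demoted, so the next person touching this chain has no signal that the order is a security choice rather than cosmetic. Add a line to the comment block such as ` * Plain PSK is tried last because, unlike the other two modes, it provides no forward secrecy.` so the ordering is not reverted casually. ssl_tls13_determine_key_exchange_mode starts before the first hunk and ends after the second.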
Signed-off-by: Jerry Yu
---
 library/ssl_tls13_server.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 10e9bb7b0b..74471970ad 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -290,7 +290,7 @@ static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl,
 * binders >= 33 bytes
 */
 binders = identities_end;
- MBEDTLS_SSL_CHK_BUF_READ_PTR( binders, end, 33 );
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( binders, end, 33 + 2 );
 binders_len = MBEDTLS_GET_UINT16_BE( binders, 0 );
 p_binder_len = binders + 2;
 MBEDTLS_SSL_CHK_BUF_READ_PTR( p_binder_len, end, binders_len );
@@ -353,6 +353,10 @@ static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl,
 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
 }
+ /* Update the handshake transcript with the binder list. */
+ ssl->handshake->update_checksum( ssl,
+ identities_end,
+ (size_t)( binders_end - identities_end ) );
 if( matched_identity == -1 )
 {
 MBEDTLS_SSL_DEBUG_MSG( 3, ( "No matched pre shared key found" ) );
@@ -362,10 +366,6 @@ static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl,
 ssl->handshake->selected_identity = (uint16_t)matched_identity;
 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Pre shared key found" ) );
- /* Update the handshake transcript with the binder list. */
- ssl->handshake->update_checksum( ssl,
- identities_end,
- (size_t)( binders_end - identities_end ) );
 return( 0 );
 }
@@ -1340,7 +1340,8 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
 if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY)
 {
 ssl->handshake->extensions_present &= ~MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
- }else if( ret != 0 )
+ }
+ else if( ret != 0 )
 {
 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_tls13_parse_pre_shared_key_ext" ), ret );
From 13ab81d5ac5f2c69b05b18cca6515cb253826841 Mon Sep 17 00:00:00 2001
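Review bot: Moving the binder-list update_checksum call ahead of the `matched_identity == -1` return in the second hunk is the right fix, but the comment carried along with it still reads as if it belonged to the success path, which invites someone to move it back; extend it to `/* Update the handshake transcript with the binder list. This must happen even when no identity matched: the caller then continues as a non-PSK handshake and the whole ClientHello has to be in the transcript. */`. The "continues as a non-PSK handshake" behaviour is what ssl_tls13_parse_client_hello does on MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY (it clears MBEDTLS_SSL_EXT_PRE_SHARED_KEY, visible in the last hunk), so a one-line cross-reference at that site would tie the two together. ssl_tls13_parse_pre_shared_key_ext starts before this hunk and ends after it.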
From: Jerry Yu
Date: Fri, 22 Jul 2022 23:17:11 +0800
Subject: [PATCH 19/19] Add handshake failure in pre_shared_key withou psk_kex_modes
Signed-off-by: Jerry Yu
---
 library/ssl_tls13_server.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 74471970ad..dcefbceb9e 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1262,6 +1262,14 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) );
+ if( ( ssl->handshake->extensions_present &
+ MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ) == 0 )
+ {
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+ return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+ }
 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
 /* Delay processing of the PSK identity once we have
 * found out which algorithms to use. We keep a pointer