mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-09 21:44:28 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #8727 from ronald-cron-arm/tls13-ignore-early-data-when-rejected

Browse Source 
TLS 1.3: SRV: Ignore early data when rejected
This commit is contained in:
Manuel Pégourié-Gonnard 2024-02-06 13:16:03 +00:00 committed by GitHub
commit 5c9cc0b30f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 219 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
include/mbedtls/ssl.h
View File

@ -353,6 +353,26 @@
#define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN 1000
#define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX 60000
/*
* Whether early data record should be discarded or not and how.
*
* The client has indicated early data and the server has rejected them.
* The server has then to skip past early data by either:
* - attempting to deprotect received records using the handshake traffic
* key, discarding records which fail deprotection (up to the configured
* max_early_data_size). Once a record is deprotected successfully,
* it is treated as the start of the client's second flight and the
* server proceeds as with an ordinary 1-RTT handshake.
* - skipping all records with an external content type of
* "application_data" (indicating that they are encrypted), up to the
* configured max_early_data_size. This is the expected behavior if the
* server has sent an HelloRetryRequest message. The server ignores
* application data message before 2nd ClientHello.
*/
#define MBEDTLS_SSL_EARLY_DATA_NO_DISCARD 0
#define MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD 1
#define MBEDTLS_SSL_EARLY_DATA_DISCARD 2
/**
* \name SECTION: Module settings
*
@ -1782,6 +1802,16 @@ struct mbedtls_ssl_context {
* within a single datagram. */
#endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C)
/*
* One of:
* MBEDTLS_SSL_EARLY_DATA_NO_DISCARD
* MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD
* MBEDTLS_SSL_EARLY_DATA_DISCARD
*/
uint8_t MBEDTLS_PRIVATE(discard_early_data_record);
#endif
/*
* Record layer (outgoing data)
*/

69
library/ssl_msg.c
View File

@ -3985,6 +3985,31 @@ static int ssl_prepare_record_content(mbedtls_ssl_context *ssl,
rec)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "ssl_decrypt_buf", ret);
#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C)
/*
* Although the server rejected early data, it might receive early
* data as long as it has not received the client Finished message.
* It is encrypted with early keys and should be ignored as stated
* in section 4.2.10 of RFC 8446:
*
* "Ignore the extension and return a regular 1-RTT response. The
* server then skips past early data by attempting to deprotect
* received records using the handshake traffic key, discarding
* records which fail deprotection (up to the configured
* max_early_data_size). Once a record is deprotected successfully,
* it is treated as the start of the client's second flight and the
* server proceeds as with an ordinary 1-RTT handshake."
*/
if ((old_msg_type == MBEDTLS_SSL_MSG_APPLICATION_DATA) &&
(ssl->discard_early_data_record ==
MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD)) {
MBEDTLS_SSL_DEBUG_MSG(
3, ("EarlyData: deprotect and discard app data records."));
/* TODO: Add max_early_data_size check here, see issue 6347 */
ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
}
#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID &&
ssl->conf->ignore_unexpected_cid
@ -3994,9 +4019,27 @@ static int ssl_prepare_record_content(mbedtls_ssl_context *ssl,
}
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
/*
* The decryption of the record failed, no reason to ignore it,
* return in error with the decryption error code.
*/
return ret;
}
#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C)
/*
* If the server were discarding protected records that it fails to
* deprotect because it has rejected early data, as we have just
* deprotected successfully a record, the server has to resume normal
* operation and fail the connection if the deprotection of a record
* fails.
*/
if (ssl->discard_early_data_record ==
MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD) {
ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
}
#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_SRV_C */
if (old_msg_type != rec->type) {
MBEDTLS_SSL_DEBUG_MSG(4, ("record type after decrypt (before %d): %d",
old_msg_type, rec->type));
@ -4070,6 +4113,32 @@ static int ssl_prepare_record_content(mbedtls_ssl_context *ssl,
}
#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C)
/*
* Although the server rejected early data because it needed to send an
* HelloRetryRequest message, it might receive early data as long as it has
* not received the client Finished message.
* The early data is encrypted with early keys and should be ignored as
* stated in section 4.2.10 of RFC 8446 (second case):
*
* "The server then ignores early data by skipping all records with an
* external content type of "application_data" (indicating that they are
* encrypted), up to the configured max_early_data_size. Ignore application
* data message before 2nd ClientHello when early_data was received in 1st
* ClientHello."
*/
if (ssl->discard_early_data_record == MBEDTLS_SSL_EARLY_DATA_DISCARD) {
if (rec->type == MBEDTLS_SSL_MSG_APPLICATION_DATA) {
MBEDTLS_SSL_DEBUG_MSG(
3, ("EarlyData: Ignore application message before 2nd ClientHello"));
/* TODO: Add max_early_data_size check here, see issue 6347 */
return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
} else if (rec->type == MBEDTLS_SSL_MSG_HANDSHAKE) {
ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
}
}
#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
mbedtls_ssl_dtls_replay_update(ssl);

7
library/ssl_tls.c
View File

@ -1098,9 +1098,14 @@ static int ssl_handshake_init(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_SSL_ALLOC_FAILED;
}
#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
#if defined(MBEDTLS_SSL_EARLY_DATA)
#if defined(MBEDTLS_SSL_CLI_C)
ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT;
#endif
#if defined(MBEDTLS_SSL_SRV_C)
ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
#endif
#endif /* MBEDTLS_SSL_EARLY_DATA */
/* Initialize structures */
mbedtls_ssl_session_init(ssl->session_negotiate);

3
library/ssl_tls13_client.c
View File

@ -1182,7 +1182,8 @@ int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_EARLY_DATA)
if (mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl) &&
ssl_tls13_early_data_has_valid_ticket(ssl) &&
ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) {
ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED &&
ssl->handshake->hello_retry_request_count == 0) {
ret = mbedtls_ssl_tls13_write_early_data_ext(
ssl, 0, p, end, &ext_len);

58
library/ssl_tls13_server.c
View File

@ -1533,6 +1533,12 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
unsigned int extension_type;
size_t extension_data_len;
const unsigned char *extension_data_end;
uint32_t allowed_exts = MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH;
if (ssl->handshake->hello_retry_request_count > 0) {
/* Do not accept early data extension in 2nd ClientHello */
allowed_exts &= ~MBEDTLS_SSL_EXT_MASK(EARLY_DATA);
}
/* RFC 8446, section 4.2.11
*
@ -1560,7 +1566,7 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
ret = mbedtls_ssl_tls13_check_received_extension(
ssl, MBEDTLS_SSL_HS_CLIENT_HELLO, extension_type,
MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH);
allowed_exts);
if (ret != 0) {
return ret;
}
@ -1780,28 +1786,15 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
}
#if defined(MBEDTLS_SSL_EARLY_DATA)
static int ssl_tls13_is_early_data_accepted(mbedtls_ssl_context *ssl,
int hrr_required)
static int ssl_tls13_check_early_data_requirements(mbedtls_ssl_context *ssl)
{
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
if ((handshake->received_extensions &
MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) == 0) {
MBEDTLS_SSL_DEBUG_MSG(
1, ("EarlyData: no early data extension received."));
return 0;
}
if (ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_DISABLED) {
MBEDTLS_SSL_DEBUG_MSG(
1,
("EarlyData: rejected, feature disabled in server configuration."));
return 0;
}
if (hrr_required) {
MBEDTLS_SSL_DEBUG_MSG(1, ("EarlyData: rejected, HRR required."));
return 0;
return -1;
}
if (!handshake->resume) {
@ -1810,7 +1803,7 @@ static int ssl_tls13_is_early_data_accepted(mbedtls_ssl_context *ssl,
resumption. */
MBEDTLS_SSL_DEBUG_MSG(
1, ("EarlyData: rejected, not a session resumption."));
return 0;
return -1;
}
/* RFC 8446 4.2.10
@ -1833,7 +1826,7 @@ static int ssl_tls13_is_early_data_accepted(mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG(
1, ("EarlyData: rejected, the selected key in "
"`pre_shared_key` is not the first one."));
return 0;
return -1;
}
if (handshake->ciphersuite_info->id !=
@ -1841,7 +1834,7 @@ static int ssl_tls13_is_early_data_accepted(mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG(
1, ("EarlyData: rejected, the selected ciphersuite is not the one "
"of the selected pre-shared key."));
return 0;
return -1;
}
@ -1850,10 +1843,10 @@ static int ssl_tls13_is_early_data_accepted(mbedtls_ssl_context *ssl,
1,
("EarlyData: rejected, early_data not allowed in ticket "
"permission bits."));
return 0;
return -1;
}
return 1;
return 0;
}
#endif /* MBEDTLS_SSL_EARLY_DATA */
@ -1885,15 +1878,22 @@ static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl,
}
#if defined(MBEDTLS_SSL_EARLY_DATA)
ssl->handshake->early_data_accepted =
ssl_tls13_is_early_data_accepted(ssl, hrr_required);
if (ssl->handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) {
ssl->handshake->early_data_accepted =
(!hrr_required) && (ssl_tls13_check_early_data_requirements(ssl) == 0);
if (ssl->handshake->early_data_accepted) {
ret = mbedtls_ssl_tls13_compute_early_transform(ssl);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(
1, "mbedtls_ssl_tls13_compute_early_transform", ret);
return ret;
if (ssl->handshake->early_data_accepted) {
ret = mbedtls_ssl_tls13_compute_early_transform(ssl);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(
1, "mbedtls_ssl_tls13_compute_early_transform", ret);
return ret;
}
} else {
ssl->discard_early_data_record =
hrr_required ?
MBEDTLS_SSL_EARLY_DATA_DISCARD :
MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD;
}
}
#else

2
tests/opt-testcases/tls13-misc.sh
View File

@ -502,8 +502,8 @@ run_test "TLS 1.3 G->m: EarlyData: feature is enabled, good." \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL:+KX-ALL \
-d 10 -r --earlydata $EARLY_DATA_INPUT " \
0 \
-s "NewSessionTicket: early_data(42) extension exists." \
-s "Sent max_early_data_size=$EARLY_DATA_INPUT_LEN" \
-s "NewSessionTicket: early_data(42) extension exists." \
-s "ClientHello: early_data(42) extension exists." \
-s "EncryptedExtensions: early_data(42) extension exists." \
-s "$( head -1 $EARLY_DATA_INPUT )" \

10
tests/suites/test_suite_ssl.data
View File

@ -3274,5 +3274,11 @@ elliptic_curve_get_properties
TLS 1.3 resume session with ticket
tls13_resume_session_with_ticket
TLS 1.3 early data
tls13_early_data
TLS 1.3 early data, reference
tls13_early_data:TEST_EARLY_DATA_REFERENCE
TLS 1.3 early data, deprotect and discard
tls13_early_data:TEST_EARLY_DATA_DEPROTECT_AND_DISCARD
TLS 1.3 early data, discard after HRR
tls13_early_data:TEST_EARLY_DATA_DISCARD_AFTER_HRR

87
tests/suites/test_suite_ssl.function
View File

@ -12,7 +12,13 @@
#define SSL_MESSAGE_QUEUE_INIT { NULL, 0, 0, 0 }
#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) && \
/* Mnemonics for the early data test scenarios */
#define TEST_EARLY_DATA_REFERENCE 0
#define TEST_EARLY_DATA_DEPROTECT_AND_DISCARD 1
#define TEST_EARLY_DATA_DISCARD_AFTER_HRR 2
#if (!defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \
defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) && \
defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_DEBUG_C) && \
defined(MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE) && \
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) && \
@ -3661,8 +3667,13 @@ exit:
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
void tls13_early_data()
/*
* The !MBEDTLS_SSL_PROTO_TLS1_2 dependency of tls13_early_data() below is
* a temporary workaround to not run the test in Windows-2013 where there is
* an issue with mbedtls_vsnprintf().
*/
/* BEGIN_CASE depends_on:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
void tls13_early_data(int scenario)
{
int ret = -1;
unsigned char buf[64];
@ -3672,6 +3683,12 @@ void tls13_early_data()
mbedtls_test_handshake_test_options client_options;
mbedtls_test_handshake_test_options server_options;
mbedtls_ssl_session saved_session;
mbedtls_test_ssl_log_pattern server_pattern = { NULL, 0 };
uint16_t group_list[3] = {
MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
MBEDTLS_SSL_IANA_TLS_GROUP_NONE
};
/*
* Test set-up
@ -3687,20 +3704,22 @@ void tls13_early_data()
client_options.pk_alg = MBEDTLS_PK_ECDSA;
ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
&client_options, NULL, NULL, NULL,
NULL);
group_list);
TEST_EQUAL(ret, 0);
mbedtls_ssl_conf_early_data(&client_ep.conf, MBEDTLS_SSL_EARLY_DATA_ENABLED);
server_options.pk_alg = MBEDTLS_PK_ECDSA;
server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer;
server_options.srv_log_obj = &server_pattern;
ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
&server_options, NULL, NULL, NULL,
NULL);
group_list);
TEST_EQUAL(ret, 0);
mbedtls_ssl_conf_early_data(&server_ep.conf, MBEDTLS_SSL_EARLY_DATA_ENABLED);
mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
mbedtls_test_ticket_write,
mbedtls_test_ticket_parse,
NULL);
mbedtls_ssl_conf_early_data(&server_ep.conf, MBEDTLS_SSL_EARLY_DATA_ENABLED);
ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
&(server_ep.socket), 1024);
@ -3740,6 +3759,35 @@ void tls13_early_data()
ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
TEST_EQUAL(ret, 0);
switch (scenario) {
case TEST_EARLY_DATA_REFERENCE:
break;
case TEST_EARLY_DATA_DEPROTECT_AND_DISCARD:
mbedtls_debug_set_threshold(3);
server_pattern.pattern =
"EarlyData: deprotect and discard app data records.";
mbedtls_ssl_conf_early_data(&server_ep.conf,
MBEDTLS_SSL_EARLY_DATA_DISABLED);
break;
case TEST_EARLY_DATA_DISCARD_AFTER_HRR:
mbedtls_debug_set_threshold(3);
server_pattern.pattern =
"EarlyData: Ignore application message before 2nd ClientHello";
mbedtls_ssl_conf_groups(&server_ep.conf, group_list + 1);
/*
* Need to reset again to reconstruct the group list in the
* handshake structure from the configured one.
*/
ret = mbedtls_ssl_session_reset(&(server_ep.ssl));
TEST_EQUAL(ret, 0);
break;
default:
TEST_FAIL("Unknown scenario.");
}
TEST_EQUAL(mbedtls_test_move_handshake_to_state(
&(client_ep.ssl), &(server_ep.ssl),
MBEDTLS_SSL_SERVER_HELLO), 0);
@ -3751,14 +3799,26 @@ void tls13_early_data()
early_data_len);
TEST_EQUAL(ret, early_data_len);
TEST_EQUAL(mbedtls_test_move_handshake_to_state(
&(server_ep.ssl), &(client_ep.ssl),
MBEDTLS_SSL_CLIENT_FINISHED), MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA);
ret = mbedtls_test_move_handshake_to_state(
&(server_ep.ssl), &(client_ep.ssl),
MBEDTLS_SSL_HANDSHAKE_WRAPUP);
TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 1);
TEST_EQUAL(mbedtls_ssl_read_early_data(&(server_ep.ssl), buf, sizeof(buf)),
early_data_len);
TEST_MEMORY_COMPARE(buf, early_data_len, early_data, early_data_len);
switch (scenario) {
case TEST_EARLY_DATA_REFERENCE:
TEST_EQUAL(ret, MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA);
TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 1);
TEST_EQUAL(mbedtls_ssl_read_early_data(&(server_ep.ssl),
buf, sizeof(buf)), early_data_len);
TEST_MEMORY_COMPARE(buf, early_data_len, early_data, early_data_len);
break;
case TEST_EARLY_DATA_DEPROTECT_AND_DISCARD: /* Intentional fallthrough */
case TEST_EARLY_DATA_DISCARD_AFTER_HRR:
TEST_EQUAL(ret, 0);
TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 0);
TEST_EQUAL(server_pattern.counter, 1);
break;
}
TEST_EQUAL(mbedtls_test_move_handshake_to_state(
&(server_ep.ssl), &(client_ep.ssl),
@ -3770,6 +3830,7 @@ exit:
mbedtls_test_free_handshake_options(&client_options);
mbedtls_test_free_handshake_options(&server_options);
mbedtls_ssl_session_free(&saved_session);
mbedtls_debug_set_threshold(0);
PSA_DONE();
}
/* END_CASE */