From fb0f47b1f8c7dc79a4ac550747796f02b76949b9 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Mon, 4 Dec 2023 15:27:28 +0800 Subject: [PATCH 1/8] tls13: srv: check tls version in ClientHello with min_tls_version When server is configured as TLS 1.3 only and receives ClientHello from a TLS 1.2 only client, it's expected to abort the handshake instead of downgrading protocol to TLS 1.2 and continuing handshake. This commit adds a check to make sure server min_tls_version always larger than received version in ClientHello. Signed-off-by: Yanray Wang --- library/ssl_tls13_server.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index d983a00395..b3f25b5e87 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1920,6 +1920,15 @@ static int ssl_tls13_process_client_hello(mbedtls_ssl_context *ssl) * will dispatch to the TLS 1.2 state machine. */ if (SSL_CLIENT_HELLO_TLS1_2 == parse_client_hello_ret) { + /* Check if server supports TLS 1.2 */ + if (ssl->conf->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2) { + MBEDTLS_SSL_DEBUG_MSG( + 1, ("Unsupported version of TLS 1.2 was received")); + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); + return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; + } ssl->keep_current_message = 1; ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2; return 0; From 3d82ffce5bd6c00d3b96f214326b8c3c0b91c6ec Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Mon, 4 Dec 2023 15:32:20 +0800 Subject: [PATCH 2/8] ssl-opt: test handshake for TLS 1.2 only cli with TLS 1.3 only srv Signed-off-by: Yanray Wang --- tests/ssl-opt.sh | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 4762285b00..e67cf02f08 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
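Review bot: The added comment `/* Check if server supports TLS 1.2 */` does not say why this branch has to fail closed. Going by the test and ChangeLog in this series, TLS 1.2 can be compiled in and still be excluded by the configured version range, and dispatching to the TLS 1.2 state machine in that case negotiates a version below the configured minimum. I would state that in place, e.g. `/* TLS 1.2 may be built in but disabled by configuration: abort here rather than fall back below the configured minimum version. */`. The body of ssl_tls13_process_client_hello starts and continues outside this hunk.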
@@ -11613,6 +11613,22 @@ run_test "TLS 1.3: Not supported version check:openssl: srv max TLS 1.2" \ -S "Version: TLS1.2" \ -C "Protocol : TLSv1.2" +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_SRV_C +run_test "TLS 1.3 m->m: Not supported version check: cli TLS 1.2 only, srv TLS 1.3 only, fail" \ + "$P_SRV debug_level=4 max_version=tls13 min_version=tls13" \ + "$P_CLI debug_level=4 max_version=tls12 min_version=tls12" \ + 1 \ + -c "The SSL configuration is tls12 only" \ + -c "supported_versions(43) extension does not exist." \ + -c "A fatal alert message was received from our peer" \ + -s "The SSL configuration is tls13 only" \ + -s "Unsupported version of TLS 1.2 was received" \ + -s "! mbedtls_ssl_handshake returned" + requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C From 631e6bd221a75bf46cc9baaaaf5a9feefff56a49 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Tue, 5 Dec 2023 15:34:49 +0800 Subject: [PATCH 3/8] ChangeLog: add fix-tls13-server-min-version-check.txt Signed-off-by: Yanray Wang --- ChangeLog.d/fix-tls13-server-min-version-check.txt | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 ChangeLog.d/fix-tls13-server-min-version-check.txt diff --git a/ChangeLog.d/fix-tls13-server-min-version-check.txt b/ChangeLog.d/fix-tls13-server-min-version-check.txt new file mode 100644 index 0000000000..b05ad7c542 --- /dev/null +++ b/ChangeLog.d/fix-tls13-server-min-version-check.txt @@ -0,0 +1,4 @@ +Bugfix + * Add missing check for `min_tls_version` in TLS 1.3 server-side. + Without this, TLS 1.3 server may downgrade protocol to a TLS version + below its supported minimum TLS version. Fixes #8593. From 408ba6f7b8cdd8180972e2ed2af8fad234a36416 Mon Sep 17 00:00:00 2001 
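Review bot: The new case exercises the rejection only with the library's own client (`$P_CLI debug_level=4 max_version=tls12 min_version=tls12`), while the neighbouring version-check cases in the hunk context appear to run against OpenSSL peers. A variant with a third-party TLS 1.2-only client would confirm that the server aborts regardless of how the peer builds its ClientHello. It would also be worth checking elsewhere in the file that a server with both versions enabled still completes a TLS 1.2 handshake, so the new guard is tested from both sides.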
From: Yanray Wang Date: Fri, 8 Dec 2023 10:18:03 +0800 Subject: [PATCH 4/8] tls13: srv: replace with internal API to check is_tls12_enabled Signed-off-by: Yanray Wang --- library/ssl_tls13_server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index b3f25b5e87..eb0b5281af 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1921,7 +1921,7 @@ static int ssl_tls13_process_client_hello(mbedtls_ssl_context *ssl) */ if (SSL_CLIENT_HELLO_TLS1_2 == parse_client_hello_ret) { /* Check if server supports TLS 1.2 */ - if (ssl->conf->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2) { + if (!mbedtls_ssl_conf_is_tls12_enabled(ssl->conf)) { MBEDTLS_SSL_DEBUG_MSG( 1, ("Unsupported version of TLS 1.2 was received")); MBEDTLS_SSL_PEND_FATAL_ALERT( From 177e49ad7a2e1827089ff28484b985068a626985 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Fri, 8 Dec 2023 10:51:04 +0800 Subject: [PATCH 5/8] tls13: srv: improve DEBUG_MSG in case of TLS 1.2 disabled Signed-off-by: Yanray Wang --- library/ssl_tls13_server.c | 2 +- tests/ssl-opt.sh | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index eb0b5281af..52d2db6e77 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1923,7 +1923,7 @@ static int ssl_tls13_process_client_hello(mbedtls_ssl_context *ssl) /* Check if server supports TLS 1.2 */ if (!mbedtls_ssl_conf_is_tls12_enabled(ssl->conf)) { MBEDTLS_SSL_DEBUG_MSG( - 1, ("Unsupported version of TLS 1.2 was received")); + 1, ("TLS 1.2 not supported.")); MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index e67cf02f08..764fb4a948 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
@@ -11626,8 +11626,7 @@ run_test "TLS 1.3 m->m: Not supported version check: cli TLS 1.2 only, srv TLS 1 -c "supported_versions(43) extension does not exist." \ -c "A fatal alert message was received from our peer" \ -s "The SSL configuration is tls13 only" \ - -s "Unsupported version of TLS 1.2 was received" \ - -s "! mbedtls_ssl_handshake returned" + -s "TLS 1.2 not supported." requires_openssl_tls1_3_with_compatible_ephemeral requires_config_enabled MBEDTLS_DEBUG_C From 2bef917a3c11090d063aa2ebd59d445e185dbdb7 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Fri, 8 Dec 2023 10:21:53 +0800 Subject: [PATCH 6/8] tls13: srv: return BAD_PROTOCOL_VERSION if chosen unsupported version Signed-off-by: Yanray Wang --- library/ssl_tls13_server.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 52d2db6e77..3baff36e7d 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1925,9 +1925,9 @@ static int ssl_tls13_process_client_hello(mbedtls_ssl_context *ssl) MBEDTLS_SSL_DEBUG_MSG( 1, ("TLS 1.2 not supported.")); MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, - MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); - return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; + MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION, + MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION); + return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION; } ssl->keep_current_message = 1; ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2; From 90acdc65e582151a58189ac0651036568316155e Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Fri, 8 Dec 2023 10:29:42 +0800 Subject: [PATCH 7/8] tl13: srv: improve comment Improve comment when received version 1.2 of the protocol while TLS 1.2 is disabled on server side. Signed-off-by: Yanray Wang --- library/ssl_tls13_server.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 3baff36e7d..67bf6daaee 100644 
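Review bot: Dropping `-s "! mbedtls_ssl_handshake returned"` leaves the server side verified only through the debug line `-s "TLS 1.2 not supported."`, so nothing asserts any longer that the server's handshake call actually returned an error. The expected exit code `1` in this case covers the client only. Unless the pattern was removed because it no longer matches the server output (not visible in this hunk), I would keep it so the test fails if the server logs the message but carries on with the handshake.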
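Review bot: No test pins the alert chosen here, because the ssl-opt case from earlier in this series matches only `A fatal alert message was received from our peer`. A regression from `MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION` back to another alert, or a mismatch between the pended alert and the returned `MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION`, would therefore pass unnoticed. I would extend that test case with a client-side pattern for the alert type received and a server-side pattern for the returned error. The enclosing function extends beyond this hunk.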
--- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1913,7 +1913,8 @@ static int ssl_tls13_process_client_hello(mbedtls_ssl_context *ssl) * by MBEDTLS_SSL_PROC_CHK_NEG. */ /* - * Version 1.2 of the protocol has been chosen, set the + * Version 1.2 of the protocol has to be used for the handshake. + * If TLS 1.2 is not supported, abort the handshake. Otherwise, set the * ssl->keep_current_message flag for the ClientHello to be kept and parsed * as a TLS 1.2 ClientHello. We also change ssl->tls_version to * MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step() From e9be2a259e831e6de4eec5808d0c328a5f9e5258 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Fri, 8 Dec 2023 10:38:13 +0800 Subject: [PATCH 8/8] fix-tls13-server-min-version-check.txt: rephrase ChangeLog Signed-off-by: Yanray Wang --- ChangeLog.d/fix-tls13-server-min-version-check.txt | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/ChangeLog.d/fix-tls13-server-min-version-check.txt b/ChangeLog.d/fix-tls13-server-min-version-check.txt index b05ad7c542..258ec6d38c 100644 --- a/ChangeLog.d/fix-tls13-server-min-version-check.txt +++ b/ChangeLog.d/fix-tls13-server-min-version-check.txt @@ -1,4 +1,3 @@ Bugfix - * Add missing check for `min_tls_version` in TLS 1.3 server-side. - Without this, TLS 1.3 server may downgrade protocol to a TLS version - below its supported minimum TLS version. Fixes #8593. + * Fix TLS server accepting TLS 1.2 handshake while TLS 1.2 + is disabled at runtime. Fixes #8593.