From a29db7da2ee19ba2b8d43c114fdb69af3780d730 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Thu, 30 Nov 2023 14:06:14 +0800 Subject: [PATCH] tls13: early_data: cli: assign ciphersuite properly When early_data extension is enabled and sent in ClientHello, the client does not know if the server will accept early data and select the first proposed pre-shared key with a ciphersuite that is different from the ciphersuite associated to the selected pre-shared key. To address aforementioned case, we do associated verification when parsing early_data ext in EncryptedExtensions. Therefore we have to assign the ciphersuite in current handshake to session_negotiate later than the associated verification. This won't impact decryption of EncryptedExtensions since we compute handshake keys by the ciphersuite in handshake not via the one in session_negotiate. Signed-off-by: Yanray Wang
---
 library/ssl_tls13_client.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 44814b99f0..d9a4b3e09a 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1925,7 +1925,6 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)
 mbedtls_ssl_set_inbound_transform(ssl, handshake->transform_handshake);
 MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic"));
- ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id;
 ssl->session_in = ssl->session_negotiate;
 cleanup:
@@ -2203,6 +2202,20 @@ static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)
 }
 #endif
+ /*
+ * When early_data extension is enabled and sent in ClientHello, the client
+ * does not know if the server will accept early data and select the first
+ * proposed pre-shared key with a ciphersuite that is different from the
+ * ciphersuite associated to the selected pre-shared key. To address
+ * aforementioned case, we do associated verification when parsing
+ * early_data ext in EncryptedExtensions. Therefore we have to assign
+ * the ciphersuite in current handshake to session_negotiate later than
+ * the associated verification. This won't impact decryption of
+ * EncryptedExtensions since we compute handshake keys by the ciphersuite
+ * in handshake not via the one in session_negotiate.
+ */
+ ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id;
+
 MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, buf_len));
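Review bot: The twelve-line comment added in front of the `ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id;` line restates the commit message ("aforementioned case", "associated verification") without saying what the assignment is now ordered after, which is the one thing the next maintainer needs; a shorter comment would serve better: `/* Deferred from ServerHello postprocessing: the early_data extension check earlier in this function is expected to compare handshake->ciphersuite_info->id with the resumed session's ciphersuite, so session_negotiate must keep the ticket's value until that check has run. */`. The move also opens a window, from the switch to handshake keys in the first hunk until this line, in which `ssl->session_in->ciphersuite` holds the ticket's ciphersuite (or the initial value of a fresh session_negotiate) rather than the negotiated one; the comment's claim that the record layer keys off `handshake->ciphersuite_info` cannot be verified from this diff, so a one-line note of that window next to the line removed in the first hunk would help whoever next touches ServerHello postprocessing. If EncryptedExtensions parsing fails before this line the assignment never happens, which is presumably fine because the handshake is aborted, but it is worth confirming that no later error path reads the stale value. `ssl_tls13_process_encrypted_extensions` starts outside the hunk.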