From d89360b87bb5bcf09a21c74a799056c49260b260 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Tue, 21 Feb 2023 08:53:33 +0100
Subject: [PATCH] Fix and improve documentation, comments and logs

Signed-off-by: Ronald Cron
---
 ChangeLog.d/tls13-reorder-ciphersuite-preference-list.txt | 7 ++++---
 library/ssl_tls13_server.c | 5 +++++
 tests/ssl-opt.sh | 5 ++++-
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/ChangeLog.d/tls13-reorder-ciphersuite-preference-list.txt b/ChangeLog.d/tls13-reorder-ciphersuite-preference-list.txt
index 948bc882a4..1d3406854d 100644
--- a/ChangeLog.d/tls13-reorder-ciphersuite-preference-list.txt
+++ b/ChangeLog.d/tls13-reorder-ciphersuite-preference-list.txt
@@ -1,11 +1,12 @@
 Default behavior changes
 * The default priority order of TLS 1.3 cipher suites has been modified to
 follow the same rules as the TLS 1.2 cipher suites (see
- ssl_ciphersuites.c).
+ ssl_ciphersuites.c). The preferred cipher suite is now
+ TLS_CHACHA20_POLY1305_SHA256.
 Bugfix
- * In the TLS 1.3 server, select the prefered client cipher suite, not the
- least prefered. The selection error was introduced in Mbed TLS 3.3.0.
+ * In the TLS 1.3 server, select the preferred client cipher suite, not the
+ least preferred. The selection error was introduced in Mbed TLS 3.3.0.
 * Fix TLS 1.3 session resumption when the established pre-shared key is
 384 bits long. That is the length of pre-shared keys created under a
 session where the cipher suite is TLS_AES_256_GCM_SHA384.
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 8aff191115..005a1d7999 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1371,6 +1371,11 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
 uint16_t cipher_suite;
 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+ /*
+ * "cipher_suite_end - p is even" is an invariant of the loop. As
+ * cipher_suites_end - p > 0, we have cipher_suites_end - p >= 2 and
+ * it is thus safe to read two bytes.
+ */
 cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);
 ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(
 ssl, cipher_suite);
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 3b493ee391..b1ee654938 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -13237,7 +13237,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-run_test "TLS 1.3: NewSessionTicket: Basic check" \
+run_test "TLS 1.3: NewSessionTicket: Basic check, G->m" \
 "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=4" \
 "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -r" \
 0 \
@@ -13257,6 +13257,9 @@ requires_config_enabled MBEDTLS_DEBUG_C
 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+# Test the session resumption when the cipher suite for the original session is
+# TLS1-3-AES-256-GCM-SHA384. In that case, the PSK is 384 bits long and not
+# 256 bits long as with all the other TLS 1.3 cipher suites.
 requires_ciphersuite_enabled TLS1-3-AES-256-GCM-SHA384
 run_test "TLS 1.3: NewSessionTicket: Basic check with AES-256-GCM only, G->m" \
 "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=4" \
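Review bot: The new comment in ssl_tls13_server.c names `cipher_suite_end` on its first line while its next two lines (and the bound it reasons about) use `cipher_suites_end`, so the stated invariant refers to an identifier the rest of the comment does not; the first line should read `* "cipher_suites_end - p is even" is an invariant of the loop. As`. The loop header and the pointer advance that establish evenness are not in this hunk, so a reader cannot check the bounds argument in place; naming where the cipher_suites length is verified to be even (presumably where the list length is parsed) would make the two-byte read justification self-contained. The enclosing ssl_tls13_parse_client_hello body starts and ends outside the hunk.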