Mbed-TLS / mbedtls

An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
https://www.trustedfirmware.org/projects/mbed-tls/

Server Key Exchange should process PSK Identity as per RFC 4279 #2508

Closed ManojKrSrivastava closed 2 years ago

ManojKrSrivastava commented 5 years ago

Description

As per section 5 of RFC 4279, the server key exchange should process the PSK identity hint provided in the Client Hello. I have seen the ssl_srv.c code: it has a check and returns the error MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE instead of processing the PSK identity hint provided in the Client Hello. This is an essential requirement considering the increasing use cases of IoT.


RonEld commented 5 years ago

@ManojKrSrivastava Thank you for reporting this issue! Could you provide more information? What is the Mbed TLS version you are using?

AFAIK, the server parses the PSK identity in ssl_parse_client_psk_identity().

Is the negotiated cipher suite PSK based? Did you supply your own PSK parsing callback in your server configuration, or did you use the default psk_callback as shown in the example?

Regards, Mbed TLS Team member Ron

ManojKrSrivastava commented 5 years ago

@RonEld Thank you for your reply and query. Currently we are using the older version mbedtls-1.3.16, but we will be migrating to the newer version v2.x.x. To give a brief description of the requirement, please refer to the following. Support is required for the following activities:

A) Introduction of the ServerKeyExchange (optional) message during the TLS/HTTP handshake procedure. As per "3GPP TS 33.222 version 13.0.0 Release 13", section "5.4.0 Procedures":

  1. If the NAF server is willing to establish a TLS tunnel using a PSK-based ciphersuite, it shall select one of the PSK-based ciphersuites offered by the UE, and send the selected ciphersuite to the UE in the ServerHello message. Otherwise, the NAF shall send the ServerKeyExchange message with a list of PSK-identity hints. A constant string "3GPP-bootstrapping" is used as PSK-identity hint to indicate the local configuration in the NAF server. For support of the HTTP-GBA feature, the ServerKeyExchange message is mandatory as it supplies the "PSK-identity hints" to the Client, based on which a TLS tunnel using a GBA-based shared secret can be established. There has to be a mechanism provided by Mbed TLS by which the user can turn on ServerKeyExchange during the HTTP/TLS handshake with specific "PSK-identity hints" set.

Yes, it is parsing the PSK identity in ssl_parse_client_psk_identity(), but it is failing during /* Identity is not a big secret since clients send it in the clear,

The negotiated cipher suite is not PSK based. As per my understanding, changes are required for the above requirement in the following functions:

  1. ssl_parse_servername_ext()
  2. ssl_parse_client_hello()
  3. ssl_write_server_key_exchange()
  4. ssl_parse_client_psk_identity()

Please let me know if clarification required.

Best Regards, Manoj Srivastava
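To make the message flow concrete (an added example, not code from Mbed TLS or from the poster): in RFC 4279 section 2 the psk_identity_hint travels from server to client in ServerKeyExchange, and the psk_identity travels from client to server in ClientKeyExchange; each is an opaque<0..2^16-1> vector, and for the plain TLS_PSK_* suites both sides then form the premaster secret as uint16 N, N zero octets, uint16 N, PSK. The C below builds and parses both messages and derives the premaster secret without any TLS library. The hint string is taken from the 3GPP excerpt above; the identities, the PSK values and the lookup table are constructed for the example, and psk_server_lookup() plays the role that the application's PSK callback plays in a real Mbed TLS server.

```c
/* Plain-PSK key exchange messages from RFC 4279, built and parsed without a TLS library.
 * Wire format: every field is a TLS opaque<0..2^16-1> vector (2-byte big-endian length + bytes). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Write one opaque<0..2^16-1> vector; returns bytes written, 0 if it does not fit. */
static size_t tls_write_vec16(uint8_t *out, size_t cap, const uint8_t *d, size_t n)
{
    if (n > 0xFFFF || cap < 2 + n) return 0;
    out[0] = (uint8_t)(n >> 8); out[1] = (uint8_t)n;
    memcpy(out + 2, d, n);
    return 2 + n;
}

/* Parse one vector; returns bytes consumed, 0 if truncated (a decode error on the wire). */
static size_t tls_read_vec16(const uint8_t *in, size_t len, const uint8_t **d, size_t *n)
{
    if (len < 2) return 0;
    *n = ((size_t)in[0] << 8) | in[1];
    if (len - 2 < *n) return 0;
    *d = in + 2;
    return 2 + *n;
}

/* ServerKeyExchange for TLS_PSK_*: the body is only psk_identity_hint (RFC 4279 section 2).
 * A server with no hint may omit the whole message; this example always sends one. */
size_t psk_write_server_key_exchange(uint8_t *out, size_t cap, const char *hint)
{ return tls_write_vec16(out, cap, (const uint8_t *)hint, strlen(hint)); }

/* ClientKeyExchange for TLS_PSK_*: the body is only psk_identity (UTF-8, RFC 4279 section 5.1). */
size_t psk_write_client_key_exchange(uint8_t *out, size_t cap, const char *identity)
{ return tls_write_vec16(out, cap, (const uint8_t *)identity, strlen(identity)); }

/* Premaster secret for plain PSK (RFC 4279 section 2):
 *   uint16 N || N zero octets || uint16 N || PSK      (N = PSK length) */
size_t psk_build_premaster(uint8_t *out, size_t cap, const uint8_t *psk, size_t n)
{
    if (n == 0 || n > 0xFFFF || cap < 4 + 2 * n) return 0;
    out[0] = (uint8_t)(n >> 8); out[1] = (uint8_t)n;
    memset(out + 2, 0, n);
    out[2 + n] = (uint8_t)(n >> 8); out[3 + n] = (uint8_t)n;
    memcpy(out + 4 + n, psk, n);
    return 4 + 2 * n;
}

/* Constant-time equality so the identity lookup does not leak how much of an identity matched. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= a[i] ^ b[i];
    return acc == 0;
}

/* Constructed server-side PSK table: a stand-in for the application's PSK callback. */
struct psk_entry { const char *identity; const uint8_t *psk; size_t psk_len; };
static const uint8_t PSK_A[] = { 0xde, 0xad, 0xbe, 0xef };
static const uint8_t PSK_B[] = { 0x01, 0x02, 0x03 };
static const struct psk_entry PSK_TABLE[] = {
    { "user@example.com",     PSK_A, sizeof PSK_A },
    { "imsi-001010123456789", PSK_B, sizeof PSK_B },
};

/* Server-side handling of a received ClientKeyExchange body: returns 0 and the PSK for a known
 * identity, -1 for a malformed message or an unknown identity (the case RFC 4279 section 2
 * covers with the unknown_psk_identity or decrypt_error alert). */
int psk_server_lookup(const uint8_t *cke, size_t cke_len, const uint8_t **psk, size_t *psk_len)
{
    const uint8_t *id; size_t id_len;
    if (tls_read_vec16(cke, cke_len, &id, &id_len) != cke_len) return -1;   /* trailing/short data */
    int found = -1;
    for (size_t i = 0; i < sizeof PSK_TABLE / sizeof PSK_TABLE[0]; i++) {   /* no early exit */
        if (strlen(PSK_TABLE[i].identity) == id_len &&
            ct_equal((const uint8_t *)PSK_TABLE[i].identity, id, id_len)) {
            *psk = PSK_TABLE[i].psk; *psk_len = PSK_TABLE[i].psk_len; found = 0;
        }
    }
    return found;
}

/* Full exchange: server sends the hint, client answers with its identity, server looks it up,
 * both derive the premaster secret. Returns 1 when both sides agree, 0 on any failure. */
int psk_handshake_demo(const char *hint, const char *identity, const uint8_t *client_psk, size_t client_psk_len)
{
    uint8_t ske[64], cke[64], pm_c[64], pm_s[64];
    const uint8_t *h, *srv_psk; size_t hl, srv_psk_len, n;

    n = psk_write_server_key_exchange(ske, sizeof ske, hint);          /* server -> client */
    if (n == 0 || tls_read_vec16(ske, n, &h, &hl) != n) return 0;      /* client parses hint */
    n = psk_write_client_key_exchange(cke, sizeof cke, identity);      /* client -> server */
    if (n == 0 || psk_server_lookup(cke, n, &srv_psk, &srv_psk_len) != 0) return 0;
    size_t lc = psk_build_premaster(pm_c, sizeof pm_c, client_psk, client_psk_len);
    size_t ls = psk_build_premaster(pm_s, sizeof pm_s, srv_psk, srv_psk_len);
    return lc != 0 && lc == ls && ct_equal(pm_c, pm_s, lc);
}

int main(void)
{
    printf("known identity:   %d\n", psk_handshake_demo("3GPP-bootstrapping", "imsi-001010123456789", PSK_B, sizeof PSK_B));
    printf("unknown identity: %d\n", psk_handshake_demo("3GPP-bootstrapping", "nobody", PSK_B, sizeof PSK_B));
    return 0;
}
```

Compile with any C99 compiler. An unknown identity and a known identity with the wrong key both fail closed; a real server must then decide between the unknown_psk_identity alert and the decrypt_error path RFC 4279 describes, and must not branch on which prefix of the identity matched.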

RonEld commented 5 years ago

Hi @ManojKrSrivastava Thank you for your clarification.

Please note that version 1.3 reached End Of Life about a year ago and is not supported anymore. Please try to reproduce this issue on one of our LTS versions, as many bugs and security defects have been fixed since the version you are working on.

Have you called mbedtls_ssl_conf_psk() in your server application?

ManojKrSrivastava commented 5 years ago

Hi @RonEld, Thank you for your reply and clarification. I will try the same with the latest version and if I encounter any issue then I will get back to you on the same.

Best Regards, Manoj Srivastava

ManojKrSrivastava commented 5 years ago

Hi @RonEld, I just migrated to mbedtls-2.16.2 and observed that the reported issue is still present. Yes, I called mbedtls_ssl_conf_psk() in my server application.

In the 'ssl_parse_server_psk_hint()' function, there is a note mentioning the following: /*

I think support for the PSK identity hint is not available. Can anyone please look into it and confirm the status?

Best Regards, Manoj Srivastava

ManojKrSrivastava commented 5 years ago

Hi @RonEld,

Can you please let me know which branch I should refer to for TLS v1.3 development? In one of the blogs, I got the information that the development is ongoing. If you share the branch details then it will be helpful for me.

Best Regards, Manoj Srivastava

daverodgman commented 2 years ago

TLS 1.3 is currently supported on development, and an initial version has been released in Mbed TLS 3.1. Work is currently continuing to support more features of TLS 1.3 (e.g., PSK support is planned for Q2/Q3 timeframe - please see https://github.com/orgs/Mbed-TLS/projects/1#column-17950145 ).