Mbed-TLS / mbedtls

An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
https://www.trustedfirmware.org/projects/mbed-tls/

Client random changes in second flight, upon receiving a Hello Retry Request #9450

Closed skrulj closed 2 months ago

skrulj commented 2 months ago

Summary

We have noticed some connection issues with certain servers when using MbedTLS 1.3 client functionality. A Wireshark analysis has shown that the problem at hand is a changing client random between the first and 2nd "Client Hello".

RFC 8446 does not explicitly allow a change of this field, but states the message must not change, except for the "key_share", "early_data" and "cookie" extensions in defined circumstances. https://datatracker.ietf.org/doc/html/rfc8446#section-4.1.2

Some strict server implementations (e.g. picotls) are known for rejecting connections if the "client random" changes in second flight.

System information

Bare Metal STM32F427VI with DP83848K PHY and LWIP for the IP layer

Mbed TLS version (number or commit id): 3.5.1

Operating system and version: Bare metal

Configuration (if not default, please attach mbedtls_config.h):

$ diff mbedtls_config.h mbedtls_config.h.orig
131c131
< //#define MBEDTLS_HAVE_TIME
---
> #define MBEDTLS_HAVE_TIME
152c152
< //#define MBEDTLS_HAVE_TIME_DATE
---
> #define MBEDTLS_HAVE_TIME_DATE
543c543
< #define MBEDTLS_ENTROPY_HARDWARE_ALT
---
> //#define MBEDTLS_ENTROPY_HARDWARE_ALT
1186c1186
< //#define MBEDTLS_FS_IO
---
> #define MBEDTLS_FS_IO
1209c1209
< #define MBEDTLS_NO_PLATFORM_ENTROPY
---
> //#define MBEDTLS_NO_PLATFORM_ENTROPY
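Review bot: With MBEDTLS_NO_PLATFORM_ENTROPY defined here and MBEDTLS_ENTROPY_HARDWARE_ALT enabled in the 543c543 hunk, every random value this client generates, the ClientHello random and the key_share private key included, is drawn from the board's own mbedtls_hardware_poll() implementation rather than any platform source. It would help the report to state how that hook is implemented on the STM32F427, so that entropy-source quality can be ruled out as a factor when the two ClientHello randoms are compared.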
1551c1551
< //#define MBEDTLS_SSL_DTLS_CONNECTION_ID
---
> #define MBEDTLS_SSL_DTLS_CONNECTION_ID
1574c1574
< //#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0
---
> #define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0
1647c1647
< //#define MBEDTLS_SSL_ENCRYPT_THEN_MAC
---
> #define MBEDTLS_SSL_ENCRYPT_THEN_MAC
1663c1663
< //#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
---
> #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
1711c1711
< //#define MBEDTLS_SSL_RENEGOTIATION
---
> #define MBEDTLS_SSL_RENEGOTIATION
1720c1720
< //#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
---
> #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1777c1777
< #define MBEDTLS_SSL_PROTO_TLS1_3
---
> //#define MBEDTLS_SSL_PROTO_TLS1_3
1799c1799
< #define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
---
> //#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
1877c1877
< //#define MBEDTLS_SSL_PROTO_DTLS
---
> #define MBEDTLS_SSL_PROTO_DTLS
1886c1886
< //#define MBEDTLS_SSL_ALPN
---
> #define MBEDTLS_SSL_ALPN
1901c1901
< //#define MBEDTLS_SSL_DTLS_ANTI_REPLAY
---
> #define MBEDTLS_SSL_DTLS_ANTI_REPLAY
1919c1919
< //#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
---
> #define MBEDTLS_SSL_DTLS_HELLO_VERIFY
1966c1966
< //#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
---
> #define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
2630c2630
< //#define MBEDTLS_DES_C
---
> #define MBEDTLS_DES_C
2921c2921
< //#define MBEDTLS_NET_C
---
> #define MBEDTLS_NET_C
2958c2958
< //#define MBEDTLS_PADLOCK_C
---
> #define MBEDTLS_PADLOCK_C
2996c2996
< //#define MBEDTLS_PEM_WRITE_C
---
> #define MBEDTLS_PEM_WRITE_C
3169c3169
< //#define MBEDTLS_PSA_CRYPTO_STORAGE_C
---
> #define MBEDTLS_PSA_CRYPTO_STORAGE_C
3181c3181
< //#define MBEDTLS_PSA_ITS_FILE_C
---
> #define MBEDTLS_PSA_ITS_FILE_C
3450c3450
< //#define MBEDTLS_SSL_TICKET_C
---
> #define MBEDTLS_SSL_TICKET_C
3540c3540
< //#define MBEDTLS_TIMING_C
---
> #define MBEDTLS_TIMING_C
3970c3970
< #define MBEDTLS_SSL_IN_CONTENT_LEN 5000
---
> //#define MBEDTLS_SSL_IN_CONTENT_LEN              16384
4020c4020
< #define MBEDTLS_SSL_OUT_CONTENT_LEN             1500
---
> //#define MBEDTLS_SSL_OUT_CONTENT_LEN             16384
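Review bot: MBEDTLS_SSL_IN_CONTENT_LEN is lowered to 5000 (3970c3970) while MBEDTLS_SSL_MAX_FRAGMENT_LENGTH stays disabled (1720c1720), so the peer is never told about the smaller buffer and may legitimately send a record of up to 16384 bytes that this client cannot hold; a server delivering a long certificate chain in a single record would then fail the handshake with a record-length error that has nothing to do with the HelloRetryRequest behaviour reported here. Keep this in mind when testing against other servers, or restore the default so that the two symptoms cannot be confused.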
4091c4091
< #define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000
---
> //#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000
4100c4100
< #define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32
---
> //#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32

Compiler and options (if you used a pre-built binary, please indicate how you obtained it): gcc-arm-none-eabi-10.3-2021.10, with the following flags:

set(GCC_ARM_EABI_CFLAGS
    -ffunction-sections
    -fdata-sections

    -Wa,-L
    -Wall
    -Wno-unused
    -mthumb
    -mcpu=cortex-m4
    -c
    -g
    -nolibc
    -nostdlib
    -fno-builtin
    -pipe
    -fshort-enums
    -mabi=aapcs
    -mthumb-interwork
    -Wextra
    -Wno-comment
    -mlittle-endian
    -march=armv7e-m
    -mfpu=fpv4-sp-d16
    -mfloat-abi=hard
    -MD
    -MP
    -Os
)

set(GCC_ARM_EABI_LFLAGS
    --specs=nosys.specs
    -fshort-enums

    -mfloat-abi=hard
    -mfpu=fpv4-sp-d16
    -march=armv7e-m
    -flto
    -Wl,--gc-sections
)

Additional environment information:

Expected behavior

The client random in the 2nd "Client Hello" should be the same as in the first "Client Hello" after a "Hello Retry Request"

Actual behavior

The client random differs

Steps to reproduce

Additional information

A Wireshark capture. First Client Hello:

Transport Layer Security
    TLSv1.3 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 258
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 254
            Version: TLS 1.2 (0x0303)
            Random: ab2fbef2a704f824008923f44e97eeee143d8abefcff66ed3300ebf5481151d4
            Session ID Length: 32
            Session ID: 63409a580bc6ecd03f288b17f2bdc86f921b29de186e9b6652fad021e8723aad
            Cipher Suites Length: 12
            Cipher Suites (6 suites)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 169
            Extension: server_name (len=35) name=iot.server.gway.app.server.net
            Extension: supported_versions (len=3) TLS 1.3
            Extension: key_share (len=62) x448
            Extension: psk_key_exchange_modes (len=3)
            Extension: supported_groups (len=22)
            Extension: signature_algorithms (len=20)
            [JA4: t13d060600_a150a9413979_3fb95f9de270]
            [JA4_r: t13d060600_00ff,1301,1302,1303,1304,1305_000a,000d,002b,002d,0033_0403,0503,0603,0806,0805,0804,0601,0501,0401]
            [JA3 Fullstring: 771,4867-4866-4865-4868-4869-255,0-43-51-45-10-13,30-23-29-256-257-258-259-260-25-24,]
            [JA3: 23b899bac52193d9de8f6df682fcf2d0]

Hello Retry Request

Transport Layer Security
    TLSv1.3 Record Layer: Handshake Protocol: Hello Retry Request
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 88
        Handshake Protocol: Hello Retry Request
            Handshake Type: Server Hello (2)
            Length: 84
            Version: TLS 1.2 (0x0303)
            Random: cf21ad74e59a6111be1d8c021e65b891c2a211167abb8c5e079e09e2c8a8339c (HelloRetryRequest magic)
            Session ID Length: 32
            Session ID: 63409a580bc6ecd03f288b17f2bdc86f921b29de186e9b6652fad021e8723aad
            Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
            Compression Method: null (0)
            Extensions Length: 12
            Extension: supported_versions (len=2) TLS 1.3
            Extension: key_share (len=2) secp384r1
            [JA3S Fullstring: 771,4866,43-51]
            [JA3S: 15af977ce25de452b96affa2addb1036]
    TLSv1.3 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
        Content Type: Change Cipher Spec (20)
        Version: TLS 1.2 (0x0303)
        Length: 1
        Change Cipher Spec Message

2nd Client Hello

Transport Layer Security
    TLSv1.3 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
        Content Type: Change Cipher Spec (20)
        Version: TLS 1.2 (0x0303)
        Length: 1
        Change Cipher Spec Message
    TLSv1.3 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 299
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 295
            Version: TLS 1.2 (0x0303)
            Random: 5969c4095d5c4e463d73725dff7e53d0012bbe25a8a654bf932c64d8aa489a5a
            Session ID Length: 32
            Session ID: 63409a580bc6ecd03f288b17f2bdc86f921b29de186e9b6652fad021e8723aad
            Cipher Suites Length: 12
            Cipher Suites (6 suites)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 210
            Extension: server_name (len=35) name=gw.iot.svc.dev1.dev.tapkey.net
            Extension: supported_versions (len=3) TLS 1.3
            Extension: key_share (len=103) secp384r1
            Extension: psk_key_exchange_modes (len=3)
            Extension: supported_groups (len=22)
            Extension: signature_algorithms (len=20)
            [JA4: t13d060600_a150a9413979_3fb95f9de270]
            [JA4_r: t13d060600_00ff,1301,1302,1303,1304,1305_000a,000d,002b,002d,0033_0403,0503,0603,0806,0805,0804,0601,0501,0401]
            [JA3 Fullstring: 771,4867-4866-4865-4868-4869-255,0-43-51-45-10-13,30-23-29-256-257-258-259-260-25-24,]
            [JA3: 23b899bac52193d9de8f6df682fcf2d0]
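The rule the report relies on, RFC 8446 section 4.1.2, is the kind of check a strict server applies to a ClientHello that arrives after its HelloRetryRequest. The Python below is an added example, not Mbed TLS code and not the reporter's: it serialises two small ClientHello messages from constructed sample values (deliberately not the bytes from the capture above), parses them back, and lists every change the RFC does not permit. Beyond the three extensions named in the report, section 4.1.2 also lets the second ClientHello update pre_shared_key binders and the padding extension, so the check tolerates those as well; the named-group codes and extension type codes are the registry values, everything else (function names, sample randoms, session ID, suites) is an assumption made here.

```python
"""Check a second ClientHello against RFC 8446 section 4.1.2 (added example,
not Mbed TLS code): only key_share, early_data, cookie, pre_shared_key and
padding may differ from the first ClientHello; the random must not."""
import struct

EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS, EXT_PADDING = 0, 10, 21
EXT_PRE_SHARED_KEY, EXT_EARLY_DATA, EXT_SUPPORTED_VERSIONS = 41, 42, 43
EXT_COOKIE, EXT_KEY_SHARE = 44, 51
GROUP_SECP384R1, GROUP_X448 = 0x0018, 0x001E  # the two groups seen in the capture


def build_client_hello(random32, session_id, cipher_suites, extensions):
    """Serialise a ClientHello handshake message (msg_type 1, 24-bit length)."""
    assert len(random32) == 32
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    exts = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + random32
            + bytes([len(session_id)]) + session_id
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00"  # one compression method: null
            + struct.pack(">H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body


def _take(buf, pos, n):
    # Slice n bytes at pos, refusing to read past the end of the buffer.
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n], pos + n


def parse_client_hello(msg):
    """Parse a ClientHello handshake message into its fields (extension order kept)."""
    if msg[:1] != b"\x01":
        raise ValueError("not a ClientHello")
    body, _ = _take(msg, 4, int.from_bytes(msg[1:4], "big"))
    version, pos = _take(body, 0, 2)
    random32, pos = _take(body, pos, 32)
    n, pos = _take(body, pos, 1)
    session_id, pos = _take(body, pos, n[0])
    n, pos = _take(body, pos, 2)
    cipher_suites, pos = _take(body, pos, struct.unpack(">H", n)[0])
    n, pos = _take(body, pos, 1)
    compression, pos = _take(body, pos, n[0])
    n, pos = _take(body, pos, 2)
    ext_block, pos = _take(body, pos, struct.unpack(">H", n)[0])
    if pos != len(body):
        raise ValueError("trailing bytes after extensions")
    extensions, epos = [], 0
    while epos < len(ext_block):
        hdr, epos = _take(ext_block, epos, 4)
        ext_type, data_len = struct.unpack(">HH", hdr)
        data, epos = _take(ext_block, epos, data_len)
        extensions.append((ext_type, data))
    return {"version": version, "random": random32, "session_id": session_id,
            "cipher_suites": cipher_suites, "compression": compression,
            "extensions": extensions}


def check_retry(first_msg, second_msg):
    """Return the list of section 4.1.2 violations in the retried ClientHello."""
    a, b = parse_client_hello(first_msg), parse_client_hello(second_msg)
    problems = [f"{f} changed" for f in ("version", "random", "session_id",
                "cipher_suites", "compression") if a[f] != b[f]]
    if any(t == EXT_EARLY_DATA for t, _ in b["extensions"]):
        problems.append("early_data not removed")
    # Remaining extensions must match in order and content, except those the
    # RFC lets the client rewrite. A cookie is validated against the server's
    # own HelloRetryRequest state, not against the first ClientHello.
    may_change = {EXT_KEY_SHARE, EXT_PRE_SHARED_KEY, EXT_PADDING}
    exts_a = [e for e in a["extensions"] if e[0] not in (EXT_EARLY_DATA, EXT_COOKIE)]
    exts_b = [e for e in b["extensions"] if e[0] != EXT_COOKIE]
    if [t for t, _ in exts_a] != [t for t, _ in exts_b]:
        problems.append("extension set or order changed")
    else:
        problems += [f"extension {t} changed" for (t, da), (_, db)
                     in zip(exts_a, exts_b) if t not in may_change and da != db]
    return problems


# Constructed sample values; deliberately not the bytes from the capture above.
RANDOM_FIRST, RANDOM_FRESH = bytes(range(32)), bytes(range(32, 64))
SESSION_ID, SUITES = bytes([0xAA]) * 32, [0x1302, 0x1301, 0x1303]
COMMON = [(EXT_SERVER_NAME, b"\x00\x0e\x00\x00\x0bexample.com"),
          (EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04")]
GROUPS = (EXT_SUPPORTED_GROUPS, b"\x00\x04\x00\x1e\x00\x18")


def key_share(group, pubkey):
    # KeyShareClientHello carrying one KeyShareEntry (group, opaque key).
    entry = struct.pack(">HH", group, len(pubkey)) + pubkey
    return struct.pack(">H", len(entry)) + entry


def first_hello():
    """Initial ClientHello offering an x448 share plus early_data."""
    exts = COMMON + [(EXT_KEY_SHARE, key_share(GROUP_X448, b"\x11" * 56)),
                     (EXT_EARLY_DATA, b""), GROUPS]
    return build_client_hello(RANDOM_FIRST, SESSION_ID, SUITES, exts)


def retry_hello(random32):
    """Second ClientHello after an HRR that selected secp384r1."""
    exts = COMMON + [(EXT_KEY_SHARE, key_share(GROUP_SECP384R1, b"\x04" + b"\x22" * 96)),
                     GROUPS]
    return build_client_hello(random32, SESSION_ID, SUITES, exts)


if __name__ == "__main__":
    print("same random :", check_retry(first_hello(), retry_hello(RANDOM_FIRST)))
    print("fresh random:", check_retry(first_hello(), retry_hello(RANDOM_FRESH)))
```

Run stand-alone, the conforming retry (same random, key_share swapped to secp384r1, early_data dropped) yields an empty list, while the retry built with a fresh random reproduces the symptom in the capture above and is reported as `random changed`; this is exactly the condition on which a strict server closes the connection.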

gilles-peskine-arm commented 2 months ago

I think I've seen this before. It seems to be the same bug as https://github.com/Mbed-TLS/mbedtls/issues/8669, which is fixed in Mbed TLS 3.6.0. Please try upgrading Mbed TLS. Let us know if that doesn't fix the problem and we can reopen this issue.

skrulj commented 2 months ago

Thank you for your reply. Update has indeed fixed the issue.