commit 7c14afcaaaa2a4045e1b3cca840711ffa603c561
author Ronald Cron <ronald.cron@arm.com> Thu Jan 11 13:34:09 2024 +0000
committer GitHub <noreply@github.com> Thu Jan 11 13:34:09 2024 +0000
tree 3f4b1ba7644d3509ec28344c1ba97b6e3fc565a1
parent eeb96ac9fe4b9a35dfda929cdaedc8f3322c3bd6
parent e9be2a259e831e6de4eec5808d0c328a5f9e5258

Merge pull request #8595 from yanrayw/issue/8593/srv-CH-fix-version-check

TLS1.3: SRV: check `min_tls_version` when parsing ClientHello

ChangeLog.d/fix-tls13-server-min-version-check.txt

diff --git a/ChangeLog.d/fix-tls13-server-min-version-check.txt b/ChangeLog.d/fix-tls13-server-min-version-check.txt
new file mode 100644
index 0000000..258ec6d
--- /dev/null
+++ b/ChangeLog.d/fix-tls13-server-min-version-check.txt
@@ -0,0 +1,3 @@
+Bugfix
+   * Fix TLS server accepting TLS 1.2 handshake while TLS 1.2
+     is disabled at runtime. Fixes #8593.

library/ssl_tls13_server.c

diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index a7c266b..631101e 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1925,13 +1925,23 @@
                                    * by MBEDTLS_SSL_PROC_CHK_NEG. */
 
     /*
-     * Version 1.2 of the protocol has been chosen, set the
+     * Version 1.2 of the protocol has to be used for the handshake.
+     * If TLS 1.2 is not supported, abort the handshake. Otherwise, set the
      * ssl->keep_current_message flag for the ClientHello to be kept and parsed
      * as a TLS 1.2 ClientHello. We also change ssl->tls_version to
      * MBEDTLS_SSL_VERSION_TLS1_2 thus from now on mbedtls_ssl_handshake_step()
      * will dispatch to the TLS 1.2 state machine.
      */
     if (SSL_CLIENT_HELLO_TLS1_2 == parse_client_hello_ret) {
+        /* Check if server supports TLS 1.2 */
+        if (!mbedtls_ssl_conf_is_tls12_enabled(ssl->conf)) {
+            MBEDTLS_SSL_DEBUG_MSG(
+                1, ("TLS 1.2 not supported."));
+            MBEDTLS_SSL_PEND_FATAL_ALERT(
+                MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
+                MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION);
+            return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
+        }
         ssl->keep_current_message = 1;
         ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
         return 0;

tests/ssl-opt.sh

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 92b3e17..2d34f90 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -11756,6 +11756,21 @@
             -S "Version: TLS1.2" \
             -C "Protocol  : TLSv1.2"
 
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "TLS 1.3 m->m: Not supported version check: cli TLS 1.2 only, srv TLS 1.3 only, fail" \
+         "$P_SRV debug_level=4 max_version=tls13 min_version=tls13" \
+         "$P_CLI debug_level=4 max_version=tls12 min_version=tls12" \
+         1 \
+         -c "The SSL configuration is tls12 only"                   \
+         -c "supported_versions(43) extension does not exist."      \
+         -c "A fatal alert message was received from our peer"      \
+         -s "The SSL configuration is tls13 only"                   \
+         -s "TLS 1.2 not supported."
+
 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C