commit ad736991bb59211118a29fe115367c24495300c2
author Janos Follath <janos.follath@arm.com> Fri Feb 09 16:04:59 2024 +0000
committer GitHub <noreply@github.com> Fri Feb 09 16:04:59 2024 +0000
tree 0e99d12bf78d1a2b97b72b548127bc23c116c5fa
parent 2f387e98a01eabb9ea39feb205e0d885855330ac
parent c522255e33e378a5fe8d92d931ee3eada4a989e1

Merge pull request #1177 from ronald-cron-arm/tls-max-version-reset

Reset properly the TLS maximum negotiable version

ChangeLog.d/tls-max-version-reset.txt

diff --git a/ChangeLog.d/tls-max-version-reset.txt b/ChangeLog.d/tls-max-version-reset.txt
new file mode 100644
index 0000000..2fa5816
--- /dev/null
+++ b/ChangeLog.d/tls-max-version-reset.txt
@@ -0,0 +1,6 @@
+Security
+   * Restore the maximum TLS version to be negotiated to the configured one
+     when an SSL context is reset with the mbedtls_ssl_session_reset() API.
+     An attacker was able to prevent an Mbed TLS server from establishing any
+     TLS 1.3 connection potentially resulting in a Denial of Service or forced
+     version downgrade from TLS 1.3 to TLS 1.2. Fixes #8654 reported by hey3e.

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 0bc18f1..0071b06 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1540,6 +1540,7 @@
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 
     ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
+    ssl->tls_version = ssl->conf->max_tls_version;
 
     mbedtls_ssl_session_reset_msg_layer(ssl, partial);
 

tests/ssl-opt.sh

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 26c5a79..028a0f4 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -11700,6 +11700,30 @@
             -s "ECDH/FFDH group: " \
             -s "selected signature algorithm ecdsa_secp256r1_sha256"
 
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+run_test    "Establish TLS 1.2 then TLS 1.3 session" \
+            "$P_SRV" \
+            "( $P_CLI force_version=tls12; \
+               $P_CLI force_version=tls13 )" \
+            0 \
+            -s "Protocol is TLSv1.2" \
+            -s "Protocol is TLSv1.3" \
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+run_test    "Establish TLS 1.3 then TLS 1.2 session" \
+            "$P_SRV" \
+            "( $P_CLI force_version=tls13; \
+               $P_CLI force_version=tls12 )" \
+            0 \
+            -s "Protocol is TLSv1.3" \
+            -s "Protocol is TLSv1.2" \
+
 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C