commit 1c9247cff4292894af7c7ab931f7c1b82bc59b8d
author Jerry Yu <jerry.h.yu@arm.com> Thu Jul 21 12:37:39 2022 +0800
committer Jerry Yu <jerry.h.yu@arm.com> Thu Jul 21 16:19:50 2022 +0800
tree 05c80b6218c3fdd3bc961859d3c853aec3431cc8
parent 352cd7db59d431437ec9f780cd1ecd3da69e6856

TLS 1.3: Add pre_share_key last ext check

From RFC, pre_share_key must be the last one.
Add check for it. And with/without psk, it should
be check

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>

library/ssl_tls13_server.c

diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 89a718b..d095fca 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1037,6 +1037,23 @@
         size_t extension_data_len;
         const unsigned char *extension_data_end;
 
+        /* RFC 8446, page 57
+         *
+         * The "pre_shared_key" extension MUST be the last extension in the
+         * ClientHello (this facilitates implementation as described below).
+         * Servers MUST check that it is the last extension and otherwise fail
+         * the handshake with an "illegal_parameter" alert.
+         */
+        if( ssl->handshake->extensions_present & MBEDTLS_SSL_EXT_PRE_SHARED_KEY )
+        {
+            MBEDTLS_SSL_DEBUG_MSG(
+                3, ( "pre_shared_key is not last extension." ) );
+            MBEDTLS_SSL_PEND_FATAL_ALERT(
+                MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+                MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+            return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+        }
+
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
         extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
         extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
@@ -1146,19 +1163,18 @@
                 break;
 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
 
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
             case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension" ) );
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
                 /* Delay processing of the PSK identity once we have
                  * found out which algorithms to use. We keep a pointer
                  * to the buffer and the size for later processing.
                  */
                 pre_shared_key_ext_start = p;
                 pre_shared_key_ext_end = extension_data_end;
-
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
                 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
                 break;
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
 
 #if defined(MBEDTLS_SSL_ALPN)
             case MBEDTLS_TLS_EXT_ALPN:
@@ -1231,13 +1247,6 @@
                                    ret );
             return( ret );
         }
-        /* If pre_shared_key is not last extension */
-        if( p - pre_shared_key_ext_end )
-        {
-            ssl->handshake->update_checksum( ssl,
-                                             pre_shared_key_ext_end,
-                                             p - pre_shared_key_ext_end );
-        }
     }
     else
 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */