commit f57d14bed4dbefb7419cbd439afeddcd096058d2
author Jerry Yu <jerry.h.yu@arm.com> Wed Nov 15 16:40:09 2023 +0800
committer Ronald Cron <ronald.cron@arm.com> Fri Feb 02 17:31:20 2024 +0100
tree ca9fe2c15aa107258f89ca4e0aa71967c3ecc3d9
parent 263dbf71679c359be8549e111fcd0160a1ed1ed4

Ignore early data app msg before 2nd client hello

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>

library/ssl_msg.c

diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index bf9a8ca..2fe084c 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -4109,6 +4109,32 @@
 
     }
 
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C)
+    /*
+     * Although the server rejected early data because it needed to send an
+     * HelloRetryRequest message, it might receive early data as long as it has
+     * not received the client Finished message.
+     * The early data is encrypted with early keys and should be ignored as
+     * stated in section 4.2.10 of RFC 8446 (second case):
+     *
+     * "The server then ignores early data by skipping all records with an
+     * external content type of "application_data" (indicating that they are
+     * encrypted), up to the configured max_early_data_size. Ignore application
+     * data message before 2nd ClientHello when early_data was received in 1st
+     * ClientHello."
+     */
+    if (ssl->discard_early_data_record == MBEDTLS_SSL_EARLY_DATA_DISCARD) {
+        if (rec->type == MBEDTLS_SSL_MSG_APPLICATION_DATA) {
+            MBEDTLS_SSL_DEBUG_MSG(
+                3, ("EarlyData: Ignore application message before 2nd ClientHello"));
+            /* TODO: Add max_early_data_size check here. */
+            return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
+        } else if (rec->type == MBEDTLS_SSL_MSG_HANDSHAKE) {
+            ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
+        }
+    }
+#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_SRV_C */
+
 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
     if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
         mbedtls_ssl_dtls_replay_update(ssl);

tests/suites/test_suite_ssl.data

diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 404818d..e5e4c1e 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -3279,3 +3279,6 @@
 
 TLS 1.3 early data, deprotect and discard
 tls13_early_data:"deprotect and discard"
+
+TLS 1.3 early data, discard after HRR
+tls13_early_data:"discard after HRR"

tests/suites/test_suite_ssl.function

diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 31a973b..949356a 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -3674,6 +3674,11 @@
     mbedtls_test_handshake_test_options server_options;
     mbedtls_ssl_session saved_session;
     mbedtls_test_ssl_log_pattern server_pattern = { NULL, 0 };
+    uint16_t group_list[3] = {
+        MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
+        MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
+        MBEDTLS_SSL_IANA_TLS_GROUP_NONE
+    };
 
     /*
      * Determine scenario.
@@ -3682,6 +3687,8 @@
         scenario = 0;
     } else if (strcmp(scenario_string, "deprotect and discard") == 0) {
         scenario = 1;
+    } else if (strcmp(scenario_string, "discard after HRR") == 0) {
+        scenario = 2;
     } else {
         TEST_FAIL("Unknown scenario.");
     }
@@ -3700,7 +3707,7 @@
     client_options.pk_alg = MBEDTLS_PK_ECDSA;
     ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
                                          &client_options, NULL, NULL, NULL,
-                                         NULL);
+                                         group_list);
     TEST_EQUAL(ret, 0);
     mbedtls_ssl_conf_early_data(&client_ep.conf, MBEDTLS_SSL_EARLY_DATA_ENABLED);
 
@@ -3709,7 +3716,7 @@
     server_options.srv_log_obj = &server_pattern;
     ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
                                          &server_options, NULL, NULL, NULL,
-                                         NULL);
+                                         group_list);
     TEST_EQUAL(ret, 0);
     mbedtls_ssl_conf_early_data(&server_ep.conf, MBEDTLS_SSL_EARLY_DATA_ENABLED);
     mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
@@ -3763,6 +3770,19 @@
             mbedtls_ssl_conf_early_data(&server_ep.conf,
                                         MBEDTLS_SSL_EARLY_DATA_DISABLED);
             break;
+
+        case 2: /* discard after HRR */
+            mbedtls_debug_set_threshold(3);
+            server_pattern.pattern =
+                "EarlyData: Ignore application message before 2nd ClientHello";
+            mbedtls_ssl_conf_groups(&server_ep.conf, group_list + 1);
+            /*
+             * Need to reset again to reconstruct the group list in the
+             * handshake structure from the configured one.
+             */
+            ret = mbedtls_ssl_session_reset(&(server_ep.ssl));
+            TEST_EQUAL(ret, 0);
+            break;
     }
 
     TEST_EQUAL(mbedtls_test_move_handshake_to_state(
@@ -3793,7 +3813,8 @@
                            MBEDTLS_SSL_HANDSHAKE_WRAPUP), 0);
             break;
 
-        case 1:
+        case 1: /* Intentional fallthrough */
+        case 2:
             TEST_EQUAL(ret, 0);
             TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 0);
             TEST_EQUAL(server_pattern.counter, 1);