From c8008e29b9096f83f58e2cfb945fe1dec98665cf Mon Sep 17 00:00:00 2001
From: Stefan Eissing
Date: Thu, 21 Jul 2022 10:52:45 +0200
Subject: [PATCH 1/3] Announce TLSX_PSK_KEY_EXCHANGE_MODES in non-resuming ClientHello.

- can be reverted to previous style by defining NO_TLSX_PSKKEM_PLAIN_ANNOUNCE
- QUIC interop testing reveals that at least QUIC stacks refrain from issuing session tickets unless the ClientHello shows this extension.

---
 src/tls.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/tls.c b/src/tls.c
index 2f10e4b90..888cf0e8c 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -11385,7 +11385,15 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
     }
 #endif /* !NO_PSK */
 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
+
+    #ifndef NO_TLSX_PSKKEM_PLAIN_ANNOUNCE
+    /* Some servers do not generate session tickets unless
+     * the extension is seen in a non-resume client hello */
+    if (1) {
+        (void)usingPSK;
+    #else
     if (usingPSK) {
+    #endif
         byte modes;
 
         /* Pre-shared key modes: mandatory extension for resumption. */
From 1db80135666f8859d1a9f37e1f26fc8c86af7923 Mon Sep 17 00:00:00 2001
From: Stefan Eissing
Date: Thu, 21 Jul 2022 11:03:03 +0200
Subject: [PATCH 2/3] Update README with note about change in TLSX_PSK_KEY_EXCHANGE_MODES use.

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index a1f827e82..fdeeff878 100644
--- a/README.md
+++ b/README.md
@@ -113,6 +113,7 @@ CVE-2020-12966 https://www.amd.com/en/corporate/product-security/bulletin/amd-sb
 * Add TLS 1.2 ciphersuite ECDHE_PSK_WITH_AES_128_GCM_SHA256 from RFC 8442
 * Expand CAAM support with QNX to include i.MX8 boards and add AES-CTR support
 * Enhanced glitching protection by hardening the TLS encrypt operations
+* The TLS Extension for PSK Key Exchange Modes is now always included in a ClientHello (with PSK enabled) to improve inter-op.
 
 ## Math and Performance
 
From a943de7969b995335e1033369a645737f4b63b61 Mon Sep 17 00:00:00 2001
From: Stefan Eissing
Date: Fri, 29 Jul 2022 11:26:08 +0200
Subject: [PATCH 3/3] Changes after PR review.

- removed additions to REAME.md
- changed coding style of conditional PSKKEM announce as requested.

---
 README.md |  1 -
 src/tls.c | 14 ++++++++------
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index fdeeff878..a1f827e82 100644
--- a/README.md
+++ b/README.md
@@ -113,7 +113,6 @@ CVE-2020-12966 https://www.amd.com/en/corporate/product-security/bulletin/amd-sb
 * Add TLS 1.2 ciphersuite ECDHE_PSK_WITH_AES_128_GCM_SHA256 from RFC 8442
 * Expand CAAM support with QNX to include i.MX8 boards and add AES-CTR support
 * Enhanced glitching protection by hardening the TLS encrypt operations
-* The TLS Extension for PSK Key Exchange Modes is now always included in a ClientHello (with PSK enabled) to improve inter-op.
 
 ## Math and Performance
 
diff --git a/src/tls.c b/src/tls.c
index 888cf0e8c..16f54cee7 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -11386,16 +11386,18 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
 #endif /* !NO_PSK */
 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
 
-    #ifndef NO_TLSX_PSKKEM_PLAIN_ANNOUNCE
     /* Some servers do not generate session tickets unless
-     * the extension is seen in a non-resume client hello */
-    if (1) {
-        (void)usingPSK;
-    #else
-    if (usingPSK) {
+     * the extension is seen in a non-resume client hello.
+     * We used to send it only if we were otherwise using PSK.
+     * Now always send it. Define NO_TLSX_PSKKEM_PLAIN_ANNOUNCE
+     * to revert to the old behaviour. */
+    #ifdef NO_TLSX_PSKKEM_PLAIN_ANNOUNCE
+    if (usingPSK)
     #endif
+    {
         byte modes;
+        (void)usingPSK;
 
         /* Pre-shared key modes: mandatory extension for resumption. */
         modes = 1 << PSK_KE;
 #if !defined(NO_DH) || defined(HAVE_ECC) || \
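Review bot: With the announcement now unconditional, `modes = 1 << PSK_KE` at the end of the hunk advertises psk_ke (resumption without a fresh (EC)DHE) on every ClientHello, so any server may now issue tickets that a later resumption will use with no forward secrecy, whereas before this only reached servers for which usingPSK was set. Whether PSK_DHE_KE is also ORed in depends on the `#if !defined(NO_DH) || defined(HAVE_ECC)` branch that continues past the hunk, so consider whether the plain-announce case should offer psk_dhe_ke only where it is available, or at least document that the mode set is deliberately unchanged. The new comment could also give the basis for the servers' behaviour, which as I read RFC 8446 §4.2.9 is conforming: `/* RFC 8446 4.2.9: servers SHOULD NOT issue tickets incompatible with the advertised modes, so without this extension a conforming server has no mode to ticket for. */`. The `#ifdef NO_TLSX_PSKKEM_PLAIN_ANNOUNCE` / `if (usingPSK)` / `#endif` / `{` sequence reads like an unbraced if at first glance; a short comment after the `{`, e.g. `/* unconditional unless NO_TLSX_PSKKEM_PLAIN_ANNOUNCE */`, would make the intent obvious. TLSX_PopulateExtensions starts and ends outside the hunk, so I cannot confirm this region is gated on the client side and on TLS 1.3 being offered; worth checking, since psk_key_exchange_modes is a ClientHello-only TLS 1.3 extension and the old `usingPSK` condition may have been supplying that gating implicitly.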