Merge branch 'tmp-session-ticket-incompatible' into 'master'

TLS 1.3 session ticket: don't send ticket when no common KE modes

See merge request gnutls/gnutls!652

5 files changed, 37 insertions, 40 deletions

diff --git a/lib/ext/psk_ke_modes.c b/lib/ext/psk_ke_modes.c
index 9c41d9e94a..dacfba7ef6 100644
--- a/lib/ext/psk_ke_modes.c
+++ b/lib/ext/psk_ke_modes.c
@@ -28,26 +28,6 @@
 #define PSK_KE 0
 #define PSK_DHE_KE 1
 
-/* Relevant to client only */
-static bool
-psk_ke_modes_is_required(gnutls_session_t session)
-{
-	gnutls_psk_client_credentials_t cred;
-
-	if (!(session->internals.flags & GNUTLS_NO_TICKETS) &&
-	    session->internals.tls13_ticket.ticket.data != NULL)
-		return 1;
-
-	if (session->internals.priorities->have_psk) {
-		cred = (gnutls_psk_client_credentials_t)
-				_gnutls_get_cred(session, GNUTLS_CRD_PSK);
-		if (cred && _gnutls_have_psk_credentials(cred, session))
-			return 1;
-	}
-
-	return 0;
-}
-
 static int
 psk_ke_modes_send_params(gnutls_session_t session,
 			 gnutls_buffer_t extdata)
@@ -63,7 +43,10 @@ psk_ke_modes_send_params(gnutls_session_t session,
 	if (session->security_parameters.entity == GNUTLS_SERVER)
 		return 0;
 
-	if (!psk_ke_modes_is_required(session))
+	/* If session ticket is disabled and no PSK key exchange is
+	 * enabled, don't send the extension */
+	if ((session->internals.flags & GNUTLS_NO_TICKETS) &&
+	    !session->internals.priorities->have_psk)
 		return 0;
 
 	vers = _gnutls_version_max(session);
@@ -135,7 +118,7 @@ psk_ke_modes_recv_params(gnutls_session_t session,
 	int cli_dhpsk_pos = MAX_POS;
 	unsigned i;
 
-	/* Server doesn't send psk_key_exchange_modes */
+	/* Client doesn't receive psk_key_exchange_modes */
 	if (session->security_parameters.entity == GNUTLS_CLIENT)
 		return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION);
 
diff --git a/lib/tls13/session_ticket.c b/lib/tls13/session_ticket.c
index d98475094a..8515b9cb19 100644
--- a/lib/tls13/session_ticket.c
+++ b/lib/tls13/session_ticket.c
@@ -230,6 +230,12 @@ int _gnutls13_send_session_ticket(gnutls_session_t session, unsigned again)
 	if (session->internals.flags & GNUTLS_NO_TICKETS)
 		return gnutls_assert_val(0);
 
+	/* If we received the psk_key_exchange_modes extension which
+	 * does not have overlap with the server configuration, don't
+	 * send a session ticket */
+	if (session->internals.hsk_flags & HSK_PSK_KE_MODE_INVALID)
+		return gnutls_assert_val(0);
+
 	if (again == 0) {
 		memset(&ticket, 0, sizeof(tls13_ticket_t));
 
diff --git a/tests/session-tickets-missing.c b/tests/session-tickets-missing.c
index a767cbfd37..9db194904f 100644
--- a/tests/session-tickets-missing.c
+++ b/tests/session-tickets-missing.c
@@ -94,13 +94,15 @@ static int handshake_callback(gnutls_session_t session, unsigned int htype,
 
 #define MAX_BUF 1024
 
-static void client(int fd, const char *prio)
+static void client(int fd, const char *prio, unsigned int flags)
 {
 	int ret;
 	gnutls_certificate_credentials_t x509_cred;
 	gnutls_session_t session;
 	/* Need to enable anonymous KX specifically. */
 
+	flags |= GNUTLS_CLIENT;
+
 	gnutls_global_set_time_function(mytime);
 	global_init();
 
@@ -113,7 +115,7 @@ static void client(int fd, const char *prio)
 
 	/* Initialize TLS session
 	 */
-	gnutls_init(&session, GNUTLS_CLIENT|GNUTLS_NO_TICKETS);
+	gnutls_init(&session, flags);
 
 	assert(gnutls_priority_set_direct(session, prio, NULL)>=0);
 
@@ -171,17 +173,15 @@ static void terminate(void)
 	exit(1);
 }
 
-static void server(int fd, const char *prio, unsigned server_no_tickets)
+static void server(int fd, const char *prio, unsigned int flags)
 {
 	int ret;
 	char buffer[MAX_BUF + 1];
 	gnutls_session_t session;
 	gnutls_certificate_credentials_t x509_cred;
 	gnutls_datum_t skey = {NULL, 0};
-	unsigned int flags = GNUTLS_SERVER;
 
-	if (server_no_tickets)
-		flags |= GNUTLS_NO_TICKETS;
+	flags |= GNUTLS_SERVER;
 
 	/* this must be called once in the program
 	 */
@@ -200,7 +200,7 @@ static void server(int fd, const char *prio, unsigned server_no_tickets)
 
 	assert(gnutls_init(&session, flags)>=0);
 
-	if (!server_no_tickets) {
+	if (!(flags & GNUTLS_NO_TICKETS)) {
 		assert(gnutls_session_ticket_key_generate(&skey)>=0);
 		assert(gnutls_session_ticket_enable_server(session, &skey) >= 0);
 	}
@@ -263,7 +263,7 @@ static void ch_handler(int sig)
 }
 
 static
-void start(const char *prio, unsigned server_no_tickets)
+void start2(const char *prio, const char *sprio, unsigned int flags, unsigned int sflags)
 {
 	int fd[2];
 	int ret, status = 0;
@@ -290,24 +290,32 @@ void start(const char *prio, unsigned server_no_tickets)
 	if (child) {
 		/* parent */
 		close(fd[1]);
-		server(fd[0], prio, server_no_tickets);
+		server(fd[0], sprio, sflags);
 		waitpid(child, &status, 0);
 		check_wait_status(status);
 	} else {
 		close(fd[0]);
-		client(fd[1], prio);
+		client(fd[1], prio, flags);
 		exit(0);
 	}
 
 	return;
 }
 
+static
+void start(const char *prio, unsigned int flags)
+{
+	start2(prio, prio, GNUTLS_NO_TICKETS, flags);
+}
+
 void doit(void)
 {
 	start("NORMAL:-VERS-ALL:+VERS-TLS1.2", 0);
 	/* Under TLS 1.3 session tickets are not negotiated; they are
-	 * "always sent unless server sets GNUTLS_NO_TICKETS */
-	start("NORMAL:-VERS-ALL:+VERS-TLS1.3", 1);
+	 * always sent unless server sets GNUTLS_NO_TICKETS... */
+	start("NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_NO_TICKETS);
+	/* ...or there is no overlap between PSK key exchange modes */
+	start2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:-DHE-PSK", "NORMAL:-VERS-ALL:+VERS-TLS1.3", 0, 0);
 	start("NORMAL", 0);
 }
 
diff --git a/tests/tls13/no-psk-exts.c b/tests/tls13/no-psk-exts.c
index b70c667822..e8f1e2e84f 100644
--- a/tests/tls13/no-psk-exts.c
+++ b/tests/tls13/no-psk-exts.c
@@ -84,7 +84,7 @@ static void client(int fd)
 
 	/* Initialize TLS session
 	 */
-	gnutls_init(&session, GNUTLS_CLIENT);
+	gnutls_init(&session, GNUTLS_CLIENT|GNUTLS_NO_TICKETS);
 
 	gnutls_handshake_set_timeout(session, 20 * 1000);
 
@@ -148,7 +148,7 @@ static int hellos_callback(gnutls_session_t session, unsigned int htype,
 		fail("PSK extension seen in client hello with no PSK!\n");
 
 	if (find_client_extension(msg, TLS_EXT_PSK_KE, NULL, NULL))
-		fail("PSK extension seen in client hello with no PSK!\n");
+		fail("PSK KE extension seen in client hello with no PSK!\n");
 
 	return 0;
 }
diff --git a/tests/tls13/prf.c b/tests/tls13/prf.c
index f221896124..22e7f0e08f 100644
--- a/tests/tls13/prf.c
+++ b/tests/tls13/prf.c
@@ -126,8 +126,8 @@ static void dump(const char *name, const uint8_t *data, unsigned data_size)
 	} \
 	}
 
-#define KEY_EXP_VALUE "\x1f\x17\xb5\xe2\xef\xfc\x1c\x27\x1e\x1a\x2c\x9b\x36\xc7\x43\x70\x5c\x80\x93\x7a\xce\x7b\x52\x18\xe0\x22\xca\x0d\xf8\x01\xa5\x7f\xef\x8b"
-#define HELLO_VALUE "\x5c\x6d\x0a\xa0\xc7\x1e\x52\xb5\xb4\x2c\x4b\xfa\x24\xc8\x3f\x3f\xba\xfc\x43\xc2\x05\xe5\x04\xd9\xfd\x86\x84\x00\x1c\xfb\xf3"
+#define KEY_EXP_VALUE "\x81\x7a\x37\xc6\xa3\x2b\x83\x47\x3b\xad\x03\xa6\xd4\x6d\xac\xe3\x1c\x9d\xa4\xdc\x8e\x0c\x77\xf8\x1c\x5e\x5d\xe5\xca\x1c\xbc\x89\x4c\x37"
+#define HELLO_VALUE "\x10\x3e\xef\x5e\x62\x1d\x03\x95\xfc\x8f\x59\xc7\x7d\xdc\x14\x7e\xcf\x46\x86\x2f\xfb\x1c\x5a\x16\x6a\xf5\x38\x69\xa8\x3c\x85"
 static void check_prfs(gnutls_session_t session)
 {
 	unsigned char key_material[512];
@@ -138,8 +138,8 @@ static void check_prfs(gnutls_session_t session)
 
 	TRY(13, "key expansion", 0, NULL, 34, (uint8_t*)KEY_EXP_VALUE);
 	TRY(6, "hello", 0, NULL, 31, (uint8_t*)HELLO_VALUE);
-	TRY(7, "context", 5, "abcd\xfa", 31, (uint8_t*)"\xa5\xc0\x3e\x31\x5b\x70\x57\x48\x1e\xfe\x11\x2b\x13\x13\x8f\x97\x14\x2d\x4d\x35\xac\x0a\x20\x4e\x9c\x84\xcf\x48\x8c\xa2\x0b");
-	TRY(12, "null-context", 0, "", 31, (uint8_t*)"\x7b\xb9\x00\x8a\x2c\x97\xa0\x73\x28\x91\xbf\x73\xda\xa5\x78\x08\x45\xac\xa7\x29\xa8\xc4\x30\x30\xc2\x76\x94\x1a\xaf\x74\x4b");
+	TRY(7, "context", 5, "abcd\xfa", 31, (uint8_t*)"\xbc\x23\xe3\xf4\x29\xdb\x48\x20\x48\x8c\x37\xd9\xd4\xe0\xcf\x88\xc3\x3d\x7b\x12\x59\xfb\xad\x8e\x4d\x8c\x53\x58\xf4\xe6\xef");
+	TRY(12, "null-context", 0, "", 31, (uint8_t*)"\x89\x89\x1f\x2f\x6c\x35\x26\x0b\xe9\x1c\x7b\xb7\x27\x5e\x7c\x41\xfb\xa0\x11\x9c\xd7\xe6\xd5\xdc\x2a\xcc\x54\x23\x3f\x52\x9f");
 
 	/* Try whether calling gnutls_prf() with non-null context or server-first
 	 * param, will fail */