Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLS 1.3: Fix anti replay fail from GnuTLS #6788

Merged
merged 26 commits into from
Nov 21, 2023
Merged

TLS 1.3: Fix anti replay fail from GnuTLS #6788

merged 26 commits into from
Nov 21, 2023

Conversation

yuhaoth
Copy link
Contributor

@yuhaoth yuhaoth commented Dec 15, 2022
edited by minosgalanakis
Loading

Description

fix #6623

preceding-pr: #6891

ROOT CAUSE

TIME RESOLUTION OF TICKET AGE

The time precision of ticket_age is milliseconds(RFC 8446). But our precision is senconds, we caculate
ticket age with (mbedtls_time( NULL ) - ticket_recived)*1000 .
If the ticket is sent/received near the end of a second and client send ticket at the beggining of
next second, ticket age of client is 1000 ms, but ticket age of server is less than it. As a result,
it offends the anit replay ruler.

Workaround solution: Add 1 second to ticket_received and do reconnect 1 second later.

The issue can be reproduce and verified with #6712 . That PR include test script and test result.
This PR is to fix that.

  • Add platform time function with milliseconds.
  • Change the time resolution from seconds to milliseconds for ticket->start and ticket->ticket_received

The commit is come from #6712 and verified in that PR

Gatekeeper checklist

I am not sure if it needs backport.

  • changelog provided
  • backport not required
  • tests provided

Notes for the submitter

Please refer to the contributing guidelines, especially the
checklist for PR contributors.

@yuhaoth yuhaoth force-pushed the pr/fix-gnutls_anti_replay_fail branch 8 times, most recently from 0b842fc to 8edc501 Compare December 16, 2022 05:30
@yuhaoth yuhaoth added bug component-tls13 needs-review Every commit must be reviewed by at least two team members, needs-ci Needs to pass CI tests needs-reviewer This PR needs someone to pick it up for review priority-high High priority - will be reviewed soon labels Dec 16, 2022
@yuhaoth yuhaoth force-pushed the pr/fix-gnutls_anti_replay_fail branch 2 times, most recently from 4eb83db to 304fb38 Compare December 18, 2022 02:53
@yuhaoth yuhaoth force-pushed the pr/fix-gnutls_anti_replay_fail branch from 304fb38 to b62df4f Compare January 3, 2023 01:50
@yuhaoth yuhaoth mentioned this pull request Jan 3, 2023
Merged
xkqian
xkqian suggested changes Jan 3, 2023
View reviewed changes
@yuhaoth yuhaoth force-pushed the pr/fix-gnutls_anti_replay_fail branch from 6eb846c to 0551d8d Compare January 4, 2023 03:03
@yuhaoth yuhaoth requested a review from xkqian January 4, 2023 12:06
@yuhaoth yuhaoth force-pushed the pr/fix-gnutls_anti_replay_fail branch from 0551d8d to 3717758 Compare January 7, 2023 08:28
@yuhaoth yuhaoth mentioned this pull request Jan 7, 2023
Merged
3 tasks
@yuhaoth yuhaoth added needs-preceding-pr Requires another PR to be merged first and removed needs-reviewer This PR needs someone to pick it up for review labels Jan 7, 2023
@yuhaoth yuhaoth force-pushed the pr/fix-gnutls_anti_replay_fail branch 3 times, most recently from c9487a0 to 6da4268 Compare January 12, 2023 10:01
@yuhaoth yuhaoth force-pushed the pr/fix-gnutls_anti_replay_fail branch from 6da4268 to 30e2973 Compare February 3, 2023 03:19
yuhaoth added 16 commits November 21, 2023 09:58
@yuhaoth
Change the bottom of tolerance window
28e7c55 
The unit of ticket time has been changed to milliseconds.
And age difference might be negative

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
@yuhaoth
Update document of ticket age tolerance
034a8b7 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
@yuhaoth
Add maximum ticket lifetime check
46c7926 
Also add comments for age cast

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
@yuhaoth
rename ticket_creation to ticket_creation_time
25ba4d4 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
@yuhaoth
rename ticket received
342a555 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
@yuhaoth
fix various issues
cf91351 
- fix CI failure due to wrong usage of ticket_lifetime
- Improve document and comments

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
@yuhaoth
fix build failure
472a692 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
@yuhaoth
Add maximum ticket lifetime check
8e0174a 
Also add comments for age cast

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
@yuhaoth
Add freshness check information into document
04fceb7 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
@yuhaoth
improve document
9cb953a 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
@yuhaoth
Guards ticket_creation_time
b2455d2 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
@yuhaoth
improve code style
d84c14f 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
@yuhaoth
improve readability
4ac648e 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
@yuhaoth
various improvement
713ce1f 
- improve change log entry
- improve comments
- remove unnecessary statement
- change type of client_age

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
@yuhaoth
replace check string
60e9972 
The output has been changed

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
@yuhaoth
Change if to switch case
aa5dc24 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
@yuhaoth yuhaoth force-pushed the pr/fix-gnutls_anti_replay_fail branch from 2721fd3 to aa5dc24 Compare November 21, 2023 01:59
@yuhaoth
Copy link
Contributor Author

yuhaoth commented Nov 21, 2023

Rebased to resolve conflicts

@yuhaoth yuhaoth requested a review from xkqian November 21, 2023 02:20
xkqian
xkqian approved these changes Nov 21, 2023
View reviewed changes
Copy link
Contributor

@xkqian xkqian left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@yuhaoth
Copy link
Contributor Author

yuhaoth commented Nov 21, 2023

internal CI reports pip install fail and open CI pass

ronald-cron-arm
ronald-cron-arm approved these changes Nov 21, 2023
View reviewed changes
Copy link
Contributor

@ronald-cron-arm ronald-cron-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've checked the rebase, LGTM.

@ronald-cron-arm ronald-cron-arm added this pull request to the merge queue Nov 21, 2023
@daverodgman daverodgman added approved Design and code approved - may be waiting for CI or backports and removed needs-review Every commit must be reviewed by at least two team members, labels Nov 21, 2023
Merged via the queue into Mbed-TLS:development with commit effdfe7 Nov 21, 2023
@yuhaoth yuhaoth deleted the pr/fix-gnutls_anti_replay_fail branch November 22, 2023 01:59
@ronald-cron-arm ronald-cron-arm mentioned this pull request Nov 28, 2023
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ronald-cron-arm ronald-cron-arm ronald-cron-arm approved these changes

@xkqian xkqian xkqian approved these changes

Assignees
No one assigned
Labels
approved Design and code approved - may be waiting for CI or backports bug component-tls13 priority-high High priority - will be reviewed soon
Projects
No open projects
Roadmap Board for Mbed TLS
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Early data test case will fail randomly cause the anti-play protection from gnutls server
5 participants
@yuhaoth @ronald-cron-arm @xkqian @daverodgman @yanesca