
Server Key Exchange should process PSK Identity as per RFC #4279 #2508

Closed
ManojKrSrivastava opened this issue Mar 9, 2019 · 7 comments

Comments

@ManojKrSrivastava

Description

As per section 5 of RFC 4279, the ServerKeyExchange should process the PSK identity hint provided in the Client Hello. I have seen the ssl_srv.c code: it has a check and returns the error MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE instead of processing the PSK identity hint provided in the Client Hello. This is an essential requirement considering the increasing number of IoT use cases.

  • Type: Enhancement\Feature Request
  • Priority: Major


@ManojKrSrivastava changed the title from "Server Key Exchange should process PSK Identity as per RFC #4270" to "Server Key Exchange should process PSK Identity as per RFC #4279" on Mar 9, 2019
@RonEld (Contributor) commented Mar 10, 2019

@ManojKrSrivastava Thank you for reporting this issue!
Could you provide more information? What is the Mbed TLS version you are using?

AFAIK, the server parses the PSK identity in ssl_parse_client_psk_identity().

Is the negotiated cipher suite PSK based? Did you supply your own PSK parsing callback in your server configuration, or did you use the default psk_callback as shown in the example?

Regards,
Mbed TLS Team member
Ron

@ManojKrSrivastava (Author)

@RonEld Thank you for your reply and query.
Currently we are using the older version mbedtls-1.3.16, but we will be migrating to the newer version v2.x.x.
To give a brief overview of the requirement, please refer to the following description:
Support is required for the following activities:
A) Introduction of the ServerKeyExchange (optional) message during the TLS/HTTP handshake procedure:
As per "3GPP TS 33.222 version 13.0.0 Release 13" section "5.4.0 Procedures":
2. If the NAF server is willing to establish a TLS tunnel using a PSK-based ciphersuite, it shall select one of the PSK-based ciphersuites offered by the UE, and send the selected ciphersuite to the UE in the ServerHello message.
Otherwise, the NAF shall send the ServerKeyExchange message with a list of PSK-identity hints. A constant string "3GPPbootstrapping" is used as PSK-identity hint to indicate the local configuration in the NAF server.
For support of the HTTP-GBA feature, the ServerKeyExchange message is mandatory as it supplies the "PSK-identity hints" to the client, based on which a TLS tunnel using a GBA-based shared secret can be established.
There has to be a mechanism provided by Mbed TLS by which the user can turn on ServerKeyExchange during the HTTP/TLS handshake with specific "PSK-identity hints" set.

Yes, it is parsing the PSK identity in ssl_parse_client_psk_identity(), but it is failing here:

```c
/* Identity is not a big secret since clients send it in the clear,
 * but treat it carefully anyway, just in case */
if( n != ssl->psk_identity_len ||
    safer_memcmp( ssl->psk_identity, *p, n ) != 0 )
{
    ret = POLARSSL_ERR_SSL_UNKNOWN_IDENTITY;
}
```

The negotiated cipher suite is not PSK based.
As per my understanding, changes are required in the following functions for the above requirement:

  1. ssl_parse_servername_ext()
  2. ssl_parse_client_hello()
  3. ssl_write_server_key_exchange()
  4. ssl_parse_client_psk_identity()

Please let me know if clarification is required.

Best Regards,
Manoj Srivastava

@RonEld (Contributor) commented Mar 12, 2019

Hi @ManojKrSrivastava
Thank you for your clarification.

Please note that version 1.3 reached End Of Life about a year ago and is not supported anymore.
Please try to reproduce this issue on one of our LTS versions, as many bugs and security defects have been fixed since the version you are working on.

Have you called mbedtls_ssl_conf_psk() in your server application?

@ManojKrSrivastava (Author)

Hi @RonEld,
Thank you for your reply and clarification.
I will try the same with the latest version, and if I encounter any issue I will get back to you on the same.

Best Regards,
Manoj Srivastava

@ManojKrSrivastava (Author) commented Aug 2, 2019

Hi @RonEld ,
I just migrated to mbedtls-2.16.2 and observed that the reported issue is still present.
Yes, I called mbedtls_ssl_conf_psk() in my server application.

In the 'ssl_parse_server_psk_hint()' function, there is a note mentioning the following:

```c
/*
 * Note: we currently ignore the PSK identity hint, as we only allow one
 * PSK to be provisioned on the client. This could be changed later if
 * someone needs that feature.
 */
```

I think support for the PSK identity hint is not available.
Can anyone please look into it and confirm the status?

Best Regards,
Manoj Srivastava
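The two comments above describe the same gap from both ends: on the server, ssl_parse_client_psk_identity() only accepts the single identity configured with mbedtls_ssl_conf_psk() (the safer_memcmp check quoted earlier), and on the client, ssl_parse_server_psk_hint() ignores the psk_identity_hint because only one PSK can be provisioned. The following is an added example, not Mbed TLS code, that walks one plain-PSK ServerKeyExchange / ClientKeyExchange leg as RFC 4279 encodes it (opaque<0..2^16-1> hint and identity, a two-byte big-endian length prefix) and does the two things the library skips: the client chooses between two provisioned PSKs from the hint, and the server resolves the identity against a table, which in Mbed TLS 2.x is the job of a callback registered with mbedtls_ssl_conf_psk_cb(). The hint string is the one quoted from TS 33.222 above; the identities, the four-byte keys and both tables are constructed for the example and are not real GBA values.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hint string as quoted from TS 33.222 in the comment above. */
#define HINT_3GPP "3GPPbootstrapping"

struct psk_entry {
    const char *identity;   /* PSK identity carried in ClientKeyExchange */
    uint8_t psk[4];         /* constructed toy key material; real PSKs are far longer */
};

/* Constructed tables: what the client has provisioned and what the NAF server knows. */
static const struct psk_entry CLIENT_PSKS[] = {
    { "device-0001",               { 0xAA, 0xBB, 0xCC, 0xDD } },  /* factory PSK (hypothetical) */
    { "gba-btid-0042@naf.example", { 0x11, 0x22, 0x33, 0x44 } },  /* GBA-derived PSK (hypothetical) */
};
static const struct psk_entry SERVER_PSKS[] = {
    { "gba-btid-0042@naf.example", { 0x11, 0x22, 0x33, 0x44 } },
    { "device-0001",               { 0xAA, 0xBB, 0xCC, 0xDD } },
};
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* RFC 4279: psk_identity_hint and psk_identity are opaque<0..2^16-1>,
 * i.e. a two-byte big-endian length followed by that many bytes. */
size_t write_opaque16(uint8_t *out, size_t cap, const uint8_t *v, size_t n)
{
    if (n > 0xFFFF || cap < 2 + n) return 0;
    out[0] = (uint8_t)(n >> 8);
    out[1] = (uint8_t)(n & 0xFF);
    memcpy(out + 2, v, n);
    return 2 + n;
}

/* Returns bytes consumed, or 0 when the length prefix overruns the buffer. */
size_t parse_opaque16(const uint8_t *in, size_t len, const uint8_t **v, size_t *n)
{
    if (len < 2) return 0;
    size_t want = ((size_t)in[0] << 8) | in[1];
    if (want > len - 2) return 0;
    *v = in + 2;
    *n = want;
    return 2 + want;
}

/* Constant-time equality: no early exit on the first differing byte.
 * Only the shorter length leaks, the same property the quoted safer_memcmp check has. */
int ct_equal(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
    size_t n = alen < blen ? alen : blen;
    uint8_t diff = (uint8_t)(alen != blen);
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Client side: pick a provisioned PSK from the server's hint. This is the
 * decision ssl_parse_server_psk_hint() does not make because it holds one PSK only. */
const struct psk_entry *client_pick(const uint8_t *hint, size_t hint_len)
{
    if (ct_equal(hint, hint_len, (const uint8_t *)HINT_3GPP, strlen(HINT_3GPP)))
        return &CLIENT_PSKS[1];   /* NAF asked for the GBA bootstrapping credential */
    return &CLIENT_PSKS[0];       /* empty or unknown hint: fall back to the default PSK */
}

/* Server side: resolve the received identity against every known PSK, the work an
 * mbedtls_ssl_conf_psk_cb() callback would do instead of the single-identity compare.
 * Walks the whole table rather than stopping at the first match. Returns index or -1. */
int server_lookup(const uint8_t *id, size_t id_len)
{
    int idx = -1;
    for (size_t i = 0; i < N(SERVER_PSKS); i++)
        if (ct_equal(id, id_len, (const uint8_t *)SERVER_PSKS[i].identity,
                     strlen(SERVER_PSKS[i].identity)))
            idx = (int)i;
    return idx;
}

/* One plain-PSK leg: ServerKeyExchange hint -> client identity -> server lookup.
 * Returns 1 when both ends hold the same PSK, 0 on a malformed message or unknown identity. */
int psk_exchange(const char *hint)
{
    uint8_t ske[64], cke[64];
    const uint8_t *h, *id;
    size_t hlen, idlen;

    size_t ske_len = write_opaque16(ske, sizeof ske, (const uint8_t *)hint, strlen(hint));
    if (!ske_len || parse_opaque16(ske, ske_len, &h, &hlen) != ske_len) return 0;
    const struct psk_entry *c = client_pick(h, hlen);

    size_t cke_len = write_opaque16(cke, sizeof cke, (const uint8_t *)c->identity,
                                    strlen(c->identity));
    if (!cke_len || parse_opaque16(cke, cke_len, &id, &idlen) != cke_len) return 0;
    int s = server_lookup(id, idlen);
    if (s < 0) return 0;   /* unknown_psk_identity: the server must abort here */
    return memcmp(c->psk, SERVER_PSKS[s].psk, sizeof c->psk) == 0;
}

int main(void)
{
    printf("3GPP hint: %d, empty hint: %d\n", psk_exchange(HINT_3GPP), psk_exchange(""));
    return 0;
}
```

With the 3GPP hint the client answers with the GBA identity and the server resolves it; with an empty hint (what a server built on mbedtls_ssl_conf_psk() alone sends today) the client falls back to its default PSK, which the server also knows. The point for the feature request is that both selections happen outside the library's single-PSK check: a server needs the callback to accept more than one identity, and a client needs somewhere to act on the hint at all.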

@ManojKrSrivastava (Author)

Hi @RonEld,

Can you please let me know which branch I should refer to for TLS v1.3 development?
In one of the blogs, I got the information that the development is ongoing. If you share the branch details, it will be helpful for me.

Best Regards,
Manoj Srivastava

@daverodgman (Contributor)

TLS 1.3 is currently supported on development, and an initial version has been released in Mbed TLS 3.1. Work is currently continuing to support more features of TLS 1.3 (e.g., PSK support is planned for Q2/Q3 timeframe - please see https://github.com/orgs/Mbed-TLS/projects/1#column-17950145 ).
