Fix ClientHello key share ext no curveSM2 when enable TLS1.3 + SM strictly #525

dongbeiouba · 2023-11-24T13:04:47Z

Fixed #522

Re-order curveSM2 to the first supported group when enable_sm_tls13_strict is set, so that the key_share extension will include a KeyShareEntry for the "curveSM2" group because only one KeyShareEntry is sent now.

Checklist

在 https://yuque.com/tsdoc 增加或更新了必要的文档
增加或更新了必要的测试用例
对于重要修改，更新了CHANGES文件
当前修改存在对已有API参数或返回值的改变
当前修改存在对旧版本功能的兼容性改变（如网络协议或密码算法）

FlyGoat · 2023-11-24T17:56:13Z

IMO this is really hacky.
Clients without enable_sm_tls13_strict set won't be able to handshake with server that have enable_sm_tls13_strict set.
It creates a major interoperability barrier.
A proper implementation should send multiple KeyShareEntry at ClientHello.

dongbeiouba · 2023-11-25T06:43:29Z

IMO this is really hacky. Clients without enable_sm_tls13_strict set won't be able to handshake with server that have enable_sm_tls13_strict set. It creates a major interoperability barrier. A proper implementation should send multiple KeyShareEntry at ClientHello.

Clients without enable_sm_tls13_strict set won't be able to handshake with server that have enable_sm_tls13_strict set.

The test cases already cover this situation, Clients (enable_sm_tls13_strict = off) is able to handshake with server(enable_sm_tls13_strict = on). If you find any problems, please paste a test report.

2.It creates a major interoperability barrier.

As required by RFC8998: For the key_share extension, a KeyShareEntry for the "curveSM2" group MUST be included. So clients set enable_sm_tls13_strict include "curveSM2" both in supported_groups and key_share extensions.

Can you describe the interoperability problem in detail?

zzl360 · 2023-11-25T10:16:25Z

like https://rfc8998.badgmssl.com,If client support rfc8998 and send curveSM2 in key_share extension,the server will handshake using tls1.3+rfc8998.and if client doesn’t support rfc8998,the server will handshake with client using tls1.3 without rfc8998.
Another case,Image that client doesn't know whether server support rfc8998,If client only support one curve in key_share extension, there will no chance for client that send CurveSM2 handshak with server which don't support rfc8998 using tls1.3.

InfoHunter · 2023-11-27T04:35:19Z

CIs are still failing

…+ SM strictly Fixed #522 Re-order curveSM2 to the first supported group when enable_sm_tls13_strict is set, so that the key_share extension will include a KeyShareEntry for the "curveSM2" group because only one KeyShareEntry is sent now.

dongbeiouba · 2023-11-27T10:01:03Z

CIs are still failing

Fixed.

dongbeiouba added bug Something isn't working master labels Nov 24, 2023

dongbeiouba requested review from InfoHunter and wa5i November 24, 2023 13:04

wa5i approved these changes Nov 27, 2023

View reviewed changes

InfoHunter approved these changes Nov 27, 2023

View reviewed changes

InfoHunter merged commit 8559a4c into Tongsuo-Project:master Nov 27, 2023
77 checks passed

dongbeiouba requested review from zzl360 and a team December 12, 2023 08:28

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix ClientHello key share ext no curveSM2 when enable TLS1.3 + SM strictly #525

Fix ClientHello key share ext no curveSM2 when enable TLS1.3 + SM strictly #525

dongbeiouba commented Nov 24, 2023

FlyGoat commented Nov 24, 2023 •

edited

Loading

dongbeiouba commented Nov 25, 2023

zzl360 commented Nov 25, 2023

InfoHunter commented Nov 27, 2023

dongbeiouba commented Nov 27, 2023

Fix ClientHello key share ext no curveSM2 when enable TLS1.3 + SM strictly #525

Fix ClientHello key share ext no curveSM2 when enable TLS1.3 + SM strictly #525

Conversation

dongbeiouba commented Nov 24, 2023

Checklist

FlyGoat commented Nov 24, 2023 • edited Loading

dongbeiouba commented Nov 25, 2023

zzl360 commented Nov 25, 2023

InfoHunter commented Nov 27, 2023

dongbeiouba commented Nov 27, 2023

FlyGoat commented Nov 24, 2023 •

edited

Loading