Session resumption not working when Connection ID is used

[cartoush]

Summary

I have recently implemented the connection ID in a multi threaded DTLS server which already had session resumption. Though when trying to accomplish a session resumption with connection ID enabled it seems the client does not properly process the CID sent by the server and thus, does not send any Connection ID record with the last flight, making the server reject the handshake

System information

Mbed TLS version (number or commit id): v3.0.0
Operating system and version: Linux manjaro 5.10.114-1-MANJARO
Configuration (if not default, please attach mbedtls_config.h): resumption_fail.zip
Compiler and options (if you used a pre-built binary, please indicate how you obtained it): GCC

Expected behavior

The client should transmit a Connection ID record embedding the CID received from the server, allowing the server to finish processing the session resumption

Actual behavior

The client does not transmit any Connection ID record to the server after having received the ServerHello, the server thus does not manage to parse the connection ID and drops the session resumption as a consequence

Steps to reproduce

Attempt a session resumption with connection ID enabled

Additional information

I have attached debug logs from the client and server I use and the PCAP file corresponding to the logs

[yanesca]

@Thibautartis thank you for your bug report!

Indeed, adding resumption to a passing CID test in ssl-opt.sh makes it fail:

requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
run_test    "5872" \
            "$P_SRV debug_level=3 dtls=1 tickets=0 cid=1 cid_val=dead" \
            "$P_CLI debug_level=3 dtls=1 tickets=0 reconnect=1 cid=1 cid_val=beef" \
            0 \
            -c "Enable use of CID extension." \
            -s "Enable use of CID extension." \
            -c "client hello, adding CID extension" \
            -s "found CID extension"           \
            -s "Use of CID extension negotiated" \
            -s "server hello, adding CID extension" \
            -c "found CID extension" \
            -c "Use of CID extension negotiated" \
            -s "Copy CIDs into SSL transform" \
            -c "Copy CIDs into SSL transform" \
            -c "Peer CID (length 2 Bytes): de ad" \
            -s "Peer CID (length 2 Bytes): be ef" \
            -s "Use of Connection ID has been negotiated" \
            -c "Use of Connection ID has been negotiated"

Our test programs and environment are different from what @Thibautartis has and it would be best to validate the fix with them once it is ready.

[AndrzejKurek]

In case of a session resumption the transforms were being populated before extension parsing, which resulted in the client rejecting a server hello that contained a connection ID.
Fixed here, further investigation pending regarding the impact on other extensions.

[AndrzejKurek]

Investigating other extensions revealed one pre-existing example program bug, but no other problems with extensions and session resumption:

• renegotiation - working fine;
• max_fragment_length - OK, uses ssl->conf, which exists after handshake;
• encrypt_then_mac - OK, uses ssl->negotiate, which exists after handshake;
• extended_master_secret - OK, no premaster used when session is resumed;
• session_ticket - OK, uses ssl->conf;
• supported_point_formats - OK, public client part of ECDH key exchange is done before affected code;
• ecjpake_kkpp - missing call to mbedtls_ssl_set_hs_ecjpake_password in ssl_client2 before resumption, apart from that working fine. Filed an issue;
• alpn - OK, uses ssl->conf;
• srtp - OK, uses ssl->conf;