Closed
Bug 1290758
Opened 9 years ago
Closed 9 years ago
NSS accepts handshake data that spans CCS (in < TLS 1.2 mode)
Categories
(NSS :: Libraries, defect)
NSS
Libraries
Tracking
(firefox-esr45 affected)
RESOLVED
FIXED
3.27
| Tracking | Status | |
|---|---|---|
| firefox-esr45 | --- | affected |
People
(Reporter: ekr, Assigned: ekr)
Details
(Keywords: sec-low)
Attachments
(1 file, 1 obsolete file)
|
11.40 KB,
patch
|
mt
:
review+
|
Details | Diff | Splinter Review |
Found with BoGo testing tool.
The security impact here is modest in that you would accept an unencrypted Finished but the attacker shouldn't have access to that.
Preliminary patch attached for TLS 1.2.
This patch doesn't test DTLS so that needs analysis, however, I believe that it is likely fine because we do not accept out-of-order packets.
|
Assignee | |
Comment 1•9 years ago
|
||
MT: note that I only check for handshake_bytes being non-zero but it stays non-zero through packet reading, so this should be enough. I would appreciate review of this approach.
Assignee: nobody → ekr
Attachment #8776411 -
Flags: feedback?
|
|
Assignee | |
Updated•9 years ago
|
Attachment #8776411 -
Flags: feedback? → feedback?(martin.thomson)
|
|
Assignee | |
Comment 2•9 years ago
|
||
+ davidben who asked me privately about this.
|
||
Comment 3•9 years ago
|
||
Comment on attachment 8776411 [details] [diff] [review]
0001-Bug-1290758-Don-t-accept-CCS-when-you-have-pending-h.patch
Review of attachment 8776411 [details] [diff] [review]:
-----------------------------------------------------------------
Not sure what to do with this without a test.
Attachment #8776411 -
Flags: feedback?(martin.thomson)
|
|
Assignee | |
Comment 4•9 years ago
|
||
(In reply to Martin Thomson [:mt:] from comment #3)
> Comment on attachment 8776411 [details] [diff] [review]
> 0001-Bug-1290758-Don-t-accept-CCS-when-you-have-pending-h.patch
>
> Review of attachment 8776411 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> Not sure what to do with this without a test.
As I said in c3, please provide feedback on the approach and on whether this needs to be security sensitive. This is why I asked for feedback, not review. When I am ready for actual review of the patch, I will also provide a test, but in the meantime I tested it with BoGo (which is how I discovered it in the first place).
|
|
Assignee | |
Updated•9 years ago
|
Attachment #8776411 -
Flags: feedback?(martin.thomson)
|
|
||
Comment 5•9 years ago
|
||
I'm fairly sure that I don't understand the bounds of the problem, hence the request for a test.
Per https://github.com/tlswg/tls13-spec/pull/566, I think that we need to take a bit of a harder look at this than just CCS. It isn't clear to me that we are safe from someone smuggling extra handshake records from the next epoch into the same record as the TLS 1.3 Finished.
Without thinking about this too hard - and even with the expanded scope - this doesn't seem dire: we won't send data like that (we flush at the right times) and the risk is limited to handshake records. I do worry that we will accept an EncryptedExtensions that appears in the clear though. I thought that we had protection against this sort of drift, but I couldn't find anything. We would need similar checks in tls13_SetCipherSpec() to be sure.
|
|
Assignee | |
Comment 6•9 years ago
|
||
This isn't about TLS 1.3. We have separate code for this in TLS 1.3, landed
in bug 1274335.
This is a defect in the TLS 1.2 code in which you accept a Finished message which
partly spans a CCS. I'll have to cook up a test for this, but roughly what it's going
to be is inserting some plaintext handshake data into the stream, resulting in a
Finished error rather than an unexpected data error (you can't get handshake
success without rather more screwing around with the NSS code than is probably
practical).
|
|
||
Comment 7•9 years ago
|
||
Comment on attachment 8776411 [details] [diff] [review]
0001-Bug-1290758-Don-t-accept-CCS-when-you-have-pending-h.patch
Review of attachment 8776411 [details] [diff] [review]:
-----------------------------------------------------------------
This seems like a reasonable fix. The only thing I can imagine being a problem here is that we might accept handshake messages that aren't encrypted. We don't rely on confidentiality to protect the handshake.
Also: git config --global diff.context 8
Attachment #8776411 -
Flags: feedback?(martin.thomson)
|
||
Comment 8•9 years ago
|
||
Triage group marking sec-low as per EKR's statements in comment 0.
Keywords: sec-low
|
|
Assignee | |
Comment 9•9 years ago
|
||
|
|
Assignee | |
Updated•9 years ago
|
Attachment #8776411 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•9 years ago
|
Attachment #8778619 -
Flags: review?(martin.thomson)
|
|
||
Comment 10•9 years ago
|
||
Comment on attachment 8778619 [details] [diff] [review]
0001-Bug-1290758-Don-t-accept-CCS-when-you-have-pending-h.patch
Review of attachment 8778619 [details] [diff] [review]:
-----------------------------------------------------------------
::: external_tests/ssl_gtest/ssl_loopback_unittest.cc
@@ +153,5 @@
> + TlsPreCCSHeaderInjector() {}
> + virtual PacketFilter::Action FilterRecord(
> + const RecordHeader& record_header,
> + const DataBuffer& input,
> + size_t* offset, DataBuffer* output) {
override (I've been trying to be good about putting these in for new code)
::: external_tests/ssl_gtest/test_io.cc
@@ +377,5 @@
> case PacketFilter::DROP:
> LOG("Droppped packet: " << packet);
> break;
> case PacketFilter::KEEP:
> + LOG("PacketReceived: " << packet);
Do you want to keep this? I found it pretty useful, but it's a bit spammy. Maybe we can guard it with an environment variable.
::: external_tests/ssl_gtest/tls_filter.h
@@ +30,5 @@
>
> class Versioned {
> public:
> Versioned() : version_(0) {}
> + Versioned(uint16_t version) : version_(version) {}
explicit
@@ +83,5 @@
> // outparam with the new record contents if it chooses to CHANGE the record.
> virtual PacketFilter::Action FilterRecord(const RecordHeader& header,
> const DataBuffer& data,
> + DataBuffer* changed) {
> + return KEEP; }
Fix formatting.
::: lib/ssl/ssl3con.c
@@ +3984,5 @@
> (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
> PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER);
> return SECFailure;
> }
> + if (ss->ssl3.hs.header_bytes) {
Comment please. /* If there is any part of the next message present in the remainder of the message, then this is probably part of a Finished message. */ Or something.
Attachment #8778619 -
Flags: review?(martin.thomson) → review+
|
|
Assignee | |
Comment 11•9 years ago
|
||
|
|
Assignee | |
Updated•9 years ago
|
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
|
||
Updated•9 years ago
|
Group: crypto-core-security → core-security-release
|
|
||
Updated•9 years ago
|
Group: core-security-release
Flags: needinfo?(mwobensmith)
|
||
Updated•8 years ago
|
Target Milestone: --- → 3.27
|
|
||
Updated•8 years ago
|
status-firefox-esr45:
--- → fixed
tracking-firefox-esr45:
--- → 51+
|
|
||
Comment 13•8 years ago
|
||
Mistakenly thought we landed 3.28.1 on the ESR-45 branch
You need to log in
before you can comment on or make changes to this bug.
Description
•