Closed
Bug 1471656
Opened 6 years ago
Closed 3 years ago
Incorrect alert response to malformed Alert message
Categories
(NSS :: Libraries, defect, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: hkario, Assigned: lschwarz)
References
Details
(Whiteboard: [tls13])
Using nss-3.39 in-dev (7a5ecfb8bf8c)
From https://tools.ietf.org/html/draft-ietf-tls-tls13-28#section-5.4
Implementations
MUST NOT send Handshake or Alert records that have a zero-length
TLSInnerPlaintext.content; if such a message is received, the
receiving implementation MUST terminate the connection with an
"unexpected_message" alert.
but NSS sends decode_error alert as a response to encrypted, empty records with content type of alert
Reproducer:
openssl req -x509 -newkey rsa -keyout localhost.key \
-out localhost.crt -subj /CN=localhost -nodes -batch
mkdir /tmp/nssdb
certutil -N -d sql:/tmp/nssdb --empty-password
openssl pkcs12 -export -passout pass: -out /tmp/localhost.p12 \
-inkey /tmp/localhost.key -in /tmp/localhost.crt -name localhost
pk12util -i /tmp/localhost.p12 -d sql:/tmp/nssdb -W ''
selfserv -d sql:/tmp/nssdb -p 4433 -V tls1.0: -H 1 -n localhost 2> server.err > server.log &
nss_pid=$!
git clone https://github.com/tomato42/tlsfuzzer
pushd tlsfuzzer
git clone https://github.com/tomato42/tlslite-ng .tlslite-ng
ln -s .tlslite-ng/tlslite tlslite
git clone https://github.com/warner/python-ecdsa .python-ecdsa
ln -s .python-ecdsa/ecdsa ecdsa
# necessary to negotiate the currently supported draft in NSS
# works because draft-26 and draft-28 are binary compatible
sed -i 's/TLS_1_3_DRAFT = (127, 26)/TLS_1_3_DRAFT = (127, 28)/' tlslite/constants.py
PYTHONPATH=. python scripts/test-tls13-empty-alert.py
popd
kill $nss_pid
tlsfuzzer output:
(snip)
empty alert with 30 bytes of padding ...
Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x7fc3ec8bf090> (child: <tlsfuzzer.expect.ExpectClose object at 0x7fc3ec8bf0d0>) with last message being: <tlslite.messages.Message object at 0x7fc3ec893a90>
Error while processing
Traceback (most recent call last):
File "scripts/test-tls13-empty-alert.py", line 222, in main
runner.run()
File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/runner.py", line 212, in run
node.process(self.state, msg)
File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/expect.py", line 1080, in process
raise AssertionError(problem_desc)
AssertionError: Expected alert description "unexpected_message" does not match received "decode_error"
sanity ...
OK
Check the tolerance of empty non-application-data messages. These should be
rejected with unexpected message alert (see Record Padding section of TLS1.3)
version: 1
Test end
successful: 2
failed: 4
'empty alert with 2 bytes of padding'
'empty alert with 5 bytes of padding'
'empty alert with 30 bytes of padding'
'empty alert with no padding'
NSS output:
selfserv: HDX PR_Read returned error -12250:
SSL received a malformed Alert record.
selfserv: HDX PR_Read returned error -12250:
SSL received a malformed Alert record.
selfserv: HDX PR_Read returned error -12250:
SSL received a malformed Alert record.
selfserv: HDX PR_Read returned error -12250:
SSL received a malformed Alert record.
Updated•5 years ago
|
Priority: -- → P2
QA Contact: jjones
Whiteboard: [tls13]
Assignee | ||
Comment 1•3 years ago
|
||
This was fixed in D141841.
https://hg.mozilla.org/projects/nss/rev/144c87accae8ac9e60946c7684cb378880a921a0
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•