Closed Bug 1471656 Opened 6 years ago Closed 3 years ago

Incorrect alert response to malformed Alert message

Categories

(NSS :: Libraries, defect, P2)

3.38
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: hkario, Assigned: lschwarz)

Details

(Whiteboard: [tls13])

Using nss-3.39 in-dev (7a5ecfb8bf8c)

From https://tools.ietf.org/html/draft-ietf-tls-tls13-28#section-5.4

    Implementations MUST NOT send Handshake or Alert records that have a
    zero-length TLSInnerPlaintext.content; if such a message is received,
    the receiving implementation MUST terminate the connection with an
    "unexpected_message" alert.

but NSS sends decode_error alert as a response to encrypted, empty records with content type of alert

Reproducer:

openssl req -x509 -newkey rsa -keyout localhost.key \
    -out localhost.crt -subj /CN=localhost -nodes -batch
mkdir /tmp/nssdb
certutil -N -d sql:/tmp/nssdb --empty-password
openssl pkcs12 -export -passout pass: -out /tmp/localhost.p12 \
    -inkey /tmp/localhost.key -in /tmp/localhost.crt -name localhost
pk12util -i /tmp/localhost.p12 -d sql:/tmp/nssdb -W ''
selfserv -d sql:/tmp/nssdb -p 4433 -V tls1.0: -H 1 -n localhost 2> server.err > server.log &
nss_pid=$!

git clone https://github.com/tomato42/tlsfuzzer
pushd tlsfuzzer
git clone https://github.com/tomato42/tlslite-ng .tlslite-ng
ln -s .tlslite-ng/tlslite tlslite
git clone https://github.com/warner/python-ecdsa .python-ecdsa
ln -s .python-ecdsa/ecdsa ecdsa
# necessary to negotiate the currently supported draft in NSS
# works because draft-26 and draft-28 are binary compatible
sed -i 's/TLS_1_3_DRAFT = (127, 26)/TLS_1_3_DRAFT = (127, 28)/' tlslite/constants.py
PYTHONPATH=. python scripts/test-tls13-empty-alert.py
popd
kill $nss_pid

tlsfuzzer output:

(snip)
empty alert with 30 bytes of padding ...
Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x7fc3ec8bf090> (child: <tlsfuzzer.expect.ExpectClose object at 0x7fc3ec8bf0d0>) with last message being: <tlslite.messages.Message object at 0x7fc3ec893a90>
Error while processing
Traceback (most recent call last):
  File "scripts/test-tls13-empty-alert.py", line 222, in main
    runner.run()
  File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/runner.py", line 212, in run
    node.process(self.state, msg)
  File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/expect.py", line 1080, in process
    raise AssertionError(problem_desc)
AssertionError: Expected alert description "unexpected_message" does not match received "decode_error"

sanity ...
OK

Check the tolerance of empty non-application-data messages.
These should be rejected with unexpected message alert (see Record Padding section of TLS1.3)
version: 1

Test end
successful: 2
failed: 4
  'empty alert with 2 bytes of padding'
  'empty alert with 5 bytes of padding'
  'empty alert with 30 bytes of padding'
  'empty alert with no padding'

NSS output:

selfserv: HDX PR_Read returned error -12250: SSL received a malformed Alert record.
selfserv: HDX PR_Read returned error -12250: SSL received a malformed Alert record.
selfserv: HDX PR_Read returned error -12250: SSL received a malformed Alert record.
selfserv: HDX PR_Read returned error -12250: SSL received a malformed Alert record.
Priority: -- → P2
QA Contact: jjones
Whiteboard: [tls13]
Assignee: nobody → lschwarz
Blocks: 1755264
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
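
The receive-side check that the quoted draft text asks for, as an added example (not NSS code and not part of the original report). Function and constant names are hypothetical, the sample records are constructed to mirror the four failing test names, and the decode_error branch for non-empty alerts of the wrong length is an assumption about what a receiver would choose there.

```python
# Content types and alert descriptions as numbered in the TLS 1.3 spec.
CT_ALERT, CT_HANDSHAKE, CT_APPLICATION_DATA = 21, 22, 23
UNEXPECTED_MESSAGE = 10
DECODE_ERROR = 50


def split_inner_plaintext(plaintext: bytes):
    """Split a decrypted TLSInnerPlaintext into (content_type, content).

    The layout is content || ContentType || zero padding, so the real
    content type is the last non-zero octet. Returns None when the
    cleartext holds no non-zero octet at all.
    """
    end = len(plaintext)
    while end > 0 and plaintext[end - 1] == 0:
        end -= 1
    if end == 0:
        return None
    return plaintext[end - 1], plaintext[:end - 1]


def alert_for_record(plaintext: bytes):
    """Return the alert description to send, or None to accept the record."""
    parsed = split_inner_plaintext(plaintext)
    if parsed is None:
        return UNEXPECTED_MESSAGE      # no content type octet found
    content_type, content = parsed
    # The rule from the report: empty Alert/Handshake content must be
    # answered with unexpected_message, checked before any length parsing.
    if content_type in (CT_ALERT, CT_HANDSHAKE) and len(content) == 0:
        return UNEXPECTED_MESSAGE
    # Assumption: a non-empty alert that is not exactly level+description
    # is treated as a decoding failure.
    if content_type == CT_ALERT and len(content) != 2:
        return DECODE_ERROR
    return None


# Constructed samples: an empty alert with 0, 2, 5 and 30 bytes of padding.
EMPTY_ALERTS = {n: bytes([CT_ALERT]) + bytes(n) for n in (0, 2, 5, 30)}

if __name__ == "__main__":
    for pad, record in EMPTY_ALERTS.items():
        print(f"empty alert, {pad} bytes padding ->", alert_for_record(record))
```

The ordering of the two alert checks is the point: a parser that tests "length is 2" first reports the empty record as malformed, which is the decode_error behaviour the report describes.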