1507179 - Incorrect alert description after ChangeCipherSpec message

Status: RESOLVED FIXED

(NSS :: Libraries, defect)

Description

[robert.kolcun]

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36

Steps to reproduce:

Info:
When ChangeCipherSpec message is sent after Finished message, this conversation should be aborted with unexpected_message alert. NSS abort this conversation with "bad_record_mac" alert description.

Steps to reproduce:
git clone https://github.com/tomato42/tlsfuzzer.git
pushd tlsfuzzer
git checkout tls13-ccs
git clone https://github.com/tomato42/tlslite-ng.git .tlslite-ng
pushd .tlslite-ng
popd
ln -s .tlslite-ng/tlslite tlslite
popd
openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -nodes -batch -subj /CN=localhost
openssl pkcs12 -export -passout pass:  -out localhost.p12 -inkey localhost.key -in localhost.crt
mkdir nssdb
certutil -N -d sql:nssdb --empty-password
pk12util -i localhost.p12 -d sql:nssdb -W ''
selfserv -n localhost -p 4433 -d sql:./nssdb -V tls1.0: -H 1 -U 0 -G

# in another terminal, same directory
PYTHONPATH=tlsfuzzer python tlsfuzzer/scripts/test-tls13-ccs.py


Actual results:

tlsfuzzer output:
sanity ...
OK

CCS message after Finished message ...
Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x7f72a6de5250> (child: <tlsfuzzer.expect.ExpectClose object at 0x7f72a6de50d0>) with last message being: <tlslite.messages.Message object at 0x7f72a6de5ad0>
Error while processing
Traceback (most recent call last):
  File "tlsfuzzer/scripts/test-tls13-ccs.py", line 186, in main
    runner.run()
  File "/home/rkolcun/tls_repo/nss-test/tlsfuzzer/tlsfuzzer/runner.py", line 219, in run
    node.process(self.state, msg)
  File "/home/rkolcun/tls_repo/nss-test/tlsfuzzer/tlsfuzzer/expect.py", line 1245, in process
    raise AssertionError(problem_desc)
AssertionError: Expected alert description "unexpected_message" does not match received "bad_record_mac"

sanity ...
OK

Test with unexpected message with TLS 1.3 server
Check that server will reject the communication with
unexpected_message alert, when CCS is send after Handshake.

version: 1

Test end
successful: 2
failed: 1
  'CCS message after Finished message'


NSS output:

selfserv: HDX PR_Read returned error -12273:
SSL received a record with an incorrect Message Authentication Code.


Expected results:

Pass the tests. NSS should send Alert message with an 'unexpected_message' description.

Comment 1

[Eric Rescorla (:ekr)]

Is this sending an unencrypted CCS or an encrypted CCS? I.e., should it deprotect correctly?

Comment 2

[Eric Rescorla (:ekr)]

Marking security out of an abundance of caution.

Comment 3

[robert.kolcun]

Sorry, this is about sending unencrypted CSS message.

Comment 4

[Eric Rescorla (:ekr)]

OK, this seems like expected behavior, then. Why do you believe that it's wrong?

Comment 5

[Daiki Ueno [:ueno]]

I think this is about receiving unencrypted CCS messsage, after Finished.

In section 5 of RFC 8446:

  If an implementation detects a change_cipher_spec record received
  before the first ClientHello message or after the peer's Finished
  message, it MUST be treated as an unexpected record type (though
  stateless servers may not be able to distinguish these cases from
  allowed cases).

  [...]
  
  If a TLS implementation receives an unexpected record type, it
  MUST terminate the connection with an "unexpected_message" alert.

Comment 6

[Daiki Ueno [:ueno]]

Attachment: Bug 1507179, reject CCS after handshake is complete in TLS 1.3

Comment 7

[Daiki Ueno [:ueno]]

Pushed as:
https://hg.mozilla.org/projects/nss/rev/a7ff3c6aff5b

Thank you for the report, Robert; and thank you for the review, Martin.