incorrect alert for content_type 0 in TLS 1.3
Categories
(NSS :: Libraries, defect, P3)
Tracking
(Not tracked)
People
(Reporter: hkario, Assigned: jschanck)
Details
(Whiteboard: [nss-fx])
Attachments
(2 files)
Using 15743:c100e11991f6
When NSS receives a TLS 1.3 record that has an encrypted content_type of 0, it sends a bad_record_mac alert instead of the expected unexpected_message alert.
This is an RFC 8446 MUST clause violation, see section 5.4:
Implementations MUST limit their scanning to the cleartext returned
from the AEAD decryption. If a receiving implementation does not
find a non-zero octet in the cleartext, it MUST terminate the
connection with an "unexpected_message" alert.
Reproducer:
- start selfserv with RSA or ECDSA certificate, listen on localhost:4433
- run tlsfuzzer test-tls13-zero-content-type.py from https://github.com/tomato42/tlsfuzzer/blob/master/scripts/test-tls13-zero-content-type.py
Result:
sanity ...
OK
zero content type after handshake ...
Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x7f2c4b626b10> (child: <tlsfuzzer.expect.ExpectClose object at 0x7f2c4b626b50>) with last message being: <tlslite.messages.Message object at 0x7f2c4b88eb90>
Error while processing
Traceback (most recent call last):
File "scripts/test-tls13-zero-content-type.py", line 427, in main
runner.run()
File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/runner.py", line 239, in run
node.process(self.state, msg)
File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/expect.py", line 1759, in process
raise AssertionError(problem_desc)
AssertionError: Expected alert description "unexpected_message" does not match received "bad_record_mac"
zero content type with padding during handshake ...
Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x7f2c4b624f10> (child: <tlsfuzzer.expect.ExpectClose object at 0x7f2c4b624f50>) with last message being: <tlslite.messages.Message object at 0x7f2c4b8b2c10>
Error while processing
Traceback (most recent call last):
File "scripts/test-tls13-zero-content-type.py", line 427, in main
runner.run()
File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/runner.py", line 239, in run
node.process(self.state, msg)
File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/expect.py", line 1759, in process
raise AssertionError(problem_desc)
AssertionError: Expected alert description "unexpected_message" does not match received "bad_record_mac"
zero content type during application data ...
Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x7f2c4b600690> (child: <tlsfuzzer.expect.ExpectClose object at 0x7f2c4b6006d0>) with last message being: <tlslite.messages.Message object at 0x7f2c4b8b2c90>
Error while processing
Traceback (most recent call last):
File "scripts/test-tls13-zero-content-type.py", line 427, in main
runner.run()
File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/runner.py", line 239, in run
node.process(self.state, msg)
File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/expect.py", line 1759, in process
raise AssertionError(problem_desc)
AssertionError: Expected alert description "unexpected_message" does not match received "bad_record_mac"
zero content type with padding after handshake ...
Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x7f2c4b624210> (child: <tlsfuzzer.expect.ExpectClose object at 0x7f2c4b624250>) with last message being: <tlslite.messages.Message object at 0x7f2c4b8b2fd0>
Error while processing
Traceback (most recent call last):
File "scripts/test-tls13-zero-content-type.py", line 427, in main
runner.run()
File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/runner.py", line 239, in run
node.process(self.state, msg)
File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/expect.py", line 1759, in process
raise AssertionError(problem_desc)
AssertionError: Expected alert description "unexpected_message" does not match received "bad_record_mac"
zero content type and padding during application data ...
Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x7f2c4b600dd0> (child: <tlsfuzzer.expect.ExpectClose object at 0x7f2c4b600e10>) with last message being: <tlslite.messages.Message object at 0x7f2c4b8b2450>
Error while processing
Traceback (most recent call last):
File "scripts/test-tls13-zero-content-type.py", line 427, in main
runner.run()
File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/runner.py", line 239, in run
node.process(self.state, msg)
File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/expect.py", line 1759, in process
raise AssertionError(problem_desc)
AssertionError: Expected alert description "unexpected_message" does not match received "bad_record_mac"
zero content type during handshake ...
Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x7f2c4b624890> (child: <tlsfuzzer.expect.ExpectClose object at 0x7f2c4b6248d0>) with last message being: <tlslite.messages.Message object at 0x7f2c4b8b2290>
Error while processing
Traceback (most recent call last):
File "scripts/test-tls13-zero-content-type.py", line 427, in main
runner.run()
File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/runner.py", line 239, in run
node.process(self.state, msg)
File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/expect.py", line 1759, in process
raise AssertionError(problem_desc)
AssertionError: Expected alert description "unexpected_message" does not match received "bad_record_mac"
sanity ...
OK
TLS 1.3 zero-value content type
Check if handling of records with an internal content type of zero is
correct.
Test end
====================
version: 1
====================
TOTAL: 8
SKIP: 0
PASS: 2
XFAIL: 0
FAIL: 6
XPASS: 0
====================
FAILED:
'zero content type after handshake'
'zero content type and padding during application data'
'zero content type during application data'
'zero content type during handshake'
'zero content type with padding after handshake'
'zero content type with padding during handshake'
Expected result:
all tests pass
Comment 1•4 years ago
Correct or not, this is likely a good thing. A different error code only confirms that the record contains only zero bytes. That sort of information leakage is worth avoiding.
Comment 2•4 years ago
OK, I just read the code. This happens after we determine that the record is authentic, so it is probably OK to send a different alert. The fix should be trivial.
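The rule quoted from RFC 8446 section 5.4 and the ordering noted in comment 2 (padding scan only after the record is authenticated), as an added example; this is not NSS code and not part of the bug thread. The names `parse_inner_plaintext`, `inner_result` and the `aead_ok` parameter are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Alert descriptions from RFC 8446, section 6. */
enum { ALERT_NONE = 0, ALERT_UNEXPECTED_MESSAGE = 10, ALERT_BAD_RECORD_MAC = 20 };

/* Hypothetical result type for this example (not an NSS structure). */
typedef struct {
    int alert;            /* ALERT_NONE when the record is acceptable */
    uint8_t content_type; /* real content type recovered from the cleartext */
    size_t content_len;   /* content length without type octet and padding */
} inner_result;

/* Parse TLSInnerPlaintext = content || ContentType || zero padding.
 * aead_ok is the caller's AEAD decryption result (assumed parameter). */
inner_result parse_inner_plaintext(int aead_ok, const uint8_t *clear, size_t len)
{
    inner_result r = { ALERT_NONE, 0, 0 };
    size_t i = len;

    if (!aead_ok) {               /* forged or corrupted record */
        r.alert = ALERT_BAD_RECORD_MAC;
        return r;
    }
    while (i > 0 && clear[i - 1] == 0) /* strip padding, cleartext only */
        i--;
    if (i == 0) {                 /* authentic, but no non-zero octet */
        r.alert = ALERT_UNEXPECTED_MESSAGE;
        return r;
    }
    r.content_type = clear[i - 1];
    r.content_len = i - 1;
    return r;
}

int main(void)
{
    /* Constructed cleartexts: all-zero record, and "hi" as application_data. */
    const uint8_t zeros[4] = { 0, 0, 0, 0 };
    const uint8_t app[5] = { 'h', 'i', 23, 0, 0 };

    printf("zeros, authentic: alert %d\n", parse_inner_plaintext(1, zeros, 4).alert);
    printf("zeros, bad tag:   alert %d\n", parse_inner_plaintext(0, zeros, 4).alert);
    printf("app data:         type %d\n", parse_inner_plaintext(1, app, 5).content_type);
    return 0;
}
```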
Comment 3•4 years ago
Comment 4•4 years ago (Reporter)
Could you add the tlsfuzzer test case to verify the fix? They are already automated in nss/tests/tlsfuzzer.
Comment 5•3 years ago (Assignee)
Depends on D90107
Comment 6•3 years ago (Assignee)
https://hg.mozilla.org/projects/nss/rev/fae49696d3747c3ba7d7d51e6bb5fe97c6b31b74
https://hg.mozilla.org/projects/nss/rev/7c3a0a99f7fa24502e27b6cfa92728c4ceee03df