[gnutls-devel] GnuTLS | Malformed FFDHE key shares in TLS 1.3 are rejected incorrectly (#907)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Tue Jan 14 19:21:54 CET 2020



Hubert Kario (@mention me if you need reply) created an issue: https://gitlab.com/gnutls/gnutls/issues/907



When a key_share in TLS 1.3 includes an FFDHE group, but the value is a single byte of value 0, the connection is rejected with `internal_error` instead of `illegal_parameter`.

Reproducer in https://github.com/tomato42/tlsfuzzer/pull/553:

`PYTHONPATH=. python scripts/test-tls13-ffdhe-groups.py 'ffdhe2048 - 0 as key share'`

tlsfuzzer output:
```
ffdhe2048 - 0 as key share ...
Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x7f9bb86956d0> (child: <tlsfuzzer.expect.ExpectClose object at 0x7f9bb8695710>) with last message being: <tlslite.messages.Message object at 0x7f9bb8657650>
Error while processing
Traceback (most recent call last):
  File "scripts/test-tls13-ffdhe-groups.py", line 470, in main
    runner.run()
  File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/runner.py", line 237, in run
    node.process(self.state, msg)
  File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/expect.py", line 1680, in process
    raise AssertionError(problem_desc)
AssertionError: Expected alert description "illegal_parameter" does not match received "internal_error"

Basic FFDHE group tests in TLS 1.3
Check if invalid, malformed and incompatible group key_shares are
rejected by server
version: 1

Test end
successful: 0
failed: 1
  'ffdhe2048 - 0 as key share'
```

GnuTLS (0ddd79afb4714) output:
```
|<5>| REC[0xd303e0]: Allocating epoch #0
|<2>| added 2 protocols, 43 ciphersuites, 18 sig algos and 9 groups into priority list

* Accepted connection from IPv4 127.0.0.1 port 39428 on Tue Jan 14 19:16:49 202
|<5>| REC[0xd303e0]: Allocating epoch #1
|<3>| ASSERT: buffers.c[get_last_packet]:1168
|<5>| REC[0xd303e0]: SSL 3.0 Handshake packet received. Epoch 0, length: 420
|<5>| REC[0xd303e0]: Expected Packet Handshake(22)
|<5>| REC[0xd303e0]: Received Packet Handshake(22) with length: 420
|<5>| REC[0xd303e0]: Decrypted Packet[0] Handshake(22) with length: 420
|<4>| HSK[0xd303e0]: CLIENT HELLO (1) was received. Length 416[416], frag offset 0, frag length: 416, sequence: 0
|<4>| HSK[0xd303e0]: Client's version: 3.3
|<4>| EXT[0xd303e0]: Parsing extension 'Supported Versions/43' (5 bytes)
|<4>| EXT[0xd303e0]: Found version: 3.4
|<4>| EXT[0xd303e0]: Found version: 3.3
|<4>| EXT[0xd303e0]: Negotiated version: 3.4
|<4>| EXT[0xd303e0]: Parsing extension 'Supported Groups/10' (4 bytes)
|<4>| EXT[0xd303e0]: Received group FFDHE2048 (0x100)
|<4>| EXT[0xd303e0]: Selected group FFDHE2048
|<4>| EXT[0xd303e0]: Parsing extension 'Signature Algorithms/13' (12 bytes)
|<4>| EXT[0xd303e0]: rcvd signature algo (8.4) RSA-PSS-RSAE-SHA256
|<4>| EXT[0xd303e0]: rcvd signature algo (8.9) RSA-PSS-SHA256
|<4>| EXT[0xd303e0]: rcvd signature algo (6.3) ECDSA-SECP521R1-SHA512
|<4>| EXT[0xd303e0]: rcvd signature algo (5.3) ECDSA-SECP384R1-SHA384
|<4>| EXT[0xd303e0]: rcvd signature algo (4.3) ECDSA-SECP256R1-SHA256
|<4>| HSK[0xd303e0]: Received safe renegotiation CS
|<2>| checking 13.01 (GNUTLS_AES_128_GCM_SHA256) for compatibility
|<3>| ASSERT: server_name.c[gnutls_server_name_get]:239
|<4>| HSK[0xd303e0]: Requested server name: ''
|<4>| HSK[0xd303e0]: checking compat of GNUTLS_AES_128_GCM_SHA256 with certificate[3] (RSA-PSS/X.509)
|<4>| checking cert compat with RSA-PSS-RSAE-SHA256
|<4>| checking cert compat with RSA-PSS-SHA256
|<4>| Selected signature algorithm: RSA-PSS-SHA256
|<2>| Selected (RSA-PSS) cert based on ciphersuite 13.1: GNUTLS_AES_128_GCM_SHA256
|<4>| HSK[0xd303e0]: Selected cipher suite: GNUTLS_AES_128_GCM_SHA256
|<4>| HSK[0xd303e0]: Selected version TLS1.3
|<4>| EXT[0xd303e0]: Parsing extension 'Key Share/51' (262 bytes)
|<4>| EXT[0xd303e0]: Received key share for FFDHE2048
|<4>| HSK[0xd303e0]: Selected group FFDHE2048 (256)
|<3>| ASSERT: key_share.c[server_use_key_share]:379
|<3>| ASSERT: key_share.c[key_share_recv_params]:559
|<3>| ASSERT: hello_ext.c[hello_ext_parse]:274
|<3>| ASSERT: extv.c[_gnutls_extv_parse]:69
|<3>| ASSERT: hello_ext.c[_gnutls_parse_hello_extensions]:307
|<3>| ASSERT: handshake.c[read_client_hello]:828
|<3>| ASSERT: handshake.c[_gnutls_recv_handshake]:1577
|<3>| ASSERT: handshake.c[handshake_server]:3358
Error in handshake: The scanning of a large integer has failed.
|<5>| REC: Sending Alert[2|80] - Internal error
|<5>| REC[0xd303e0]: Preparing Packet Alert(21) with length: 2 and min pad: 0
|<5>| REC[0xd303e0]: Sent Packet[1] Alert(21) in epoch 0 and length: 7
|<5>| REC[0xd303e0]: Start of epoch cleanup
|<5>| REC[0xd303e0]: End of epoch cleanup
|<5>| REC[0xd303e0]: Epoch #0 freed
|<5>| REC[0xd303e0]: Epoch #1 freed
```
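
The following is an added example, not part of the original report and not GnuTLS code: a sketch of the receiver-side checks RFC 8446 section 4.2.8.1 describes for an FFDHE key share (left-padded to the size of p, and 1 < Y < p-1), mapped to the alert the reproducer expects. The function name `ffdhe_share_alert`, the `SHARE_OK` marker and the 4-byte `DEMO_P` modulus are assumptions made for the demonstration; a real caller would pass the RFC 7919 group prime.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* AlertDescription values from RFC 8446, section 6. */
#define ALERT_ILLEGAL_PARAMETER 47
#define ALERT_INTERNAL_ERROR    80
#define SHARE_OK                (-1)  /* hypothetical "no alert" marker */

/* Hypothetical helper: validate a peer FFDHE key_exchange value y against
 * the big-endian group prime p. Returns SHARE_OK or the alert to send. */
int ffdhe_share_alert(const uint8_t *y, size_t ylen, const uint8_t *p, size_t plen)
{
    size_t i;
    int above_one = 0, cmp = 0;

    /* A bad local group definition is our fault, not the peer's. */
    if (p == NULL || plen == 0 || (p[plen - 1] & 1) == 0)
        return ALERT_INTERNAL_ERROR;

    /* The share must be left-padded to exactly the size of p. */
    if (y == NULL || ylen != plen)
        return ALERT_ILLEGAL_PARAMETER;

    /* Y > 1: some byte before the last is non-zero, or the last is > 1. */
    for (i = 0; i + 1 < ylen; i++)
        above_one |= y[i];
    if (!above_one && y[ylen - 1] <= 1)
        return ALERT_ILLEGAL_PARAMETER;

    /* Y < p - 1: p is odd, so p - 1 only differs from p in the last byte. */
    for (i = 0; i < plen && cmp == 0; i++) {
        uint8_t pm1 = (i + 1 == plen) ? (uint8_t)(p[i] - 1) : p[i];
        cmp = (y[i] > pm1) - (y[i] < pm1);
    }
    return cmp < 0 ? SHARE_OK : ALERT_ILLEGAL_PARAMETER;
}

/* Constructed 4-byte odd modulus for the demo, not a real RFC 7919 group. */
static const uint8_t DEMO_P[4] = { 0xff, 0xff, 0xff, 0xfb };

int main(void)
{
    const uint8_t zero1[1] = { 0x00 };  /* constructed: the case from the report */
    const uint8_t good[4]  = { 0x12, 0x34, 0x56, 0x78 };  /* constructed */
    printf("single zero byte -> %d\n", ffdhe_share_alert(zero1, 1, DEMO_P, 4));
    printf("in-range share   -> %d\n", ffdhe_share_alert(good, 4, DEMO_P, 4));
    return 0;
}
```

Every failure caused by peer-supplied bytes maps to `illegal_parameter`; `internal_error` is returned only when the local group definition itself is unusable.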
