[gnutls-devel] GnuTLS | DTLS handshake restarted by ClientHello using invalid message sequence numbers (#1233)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Tue May 11 19:51:28 CEST 2021



Paul created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1233



## Description of problem:
GnuTLS does not validate message sequence numbers in ClientHello messages.
According to [DTLS RFC](https://www.rfc-editor.org/rfc/rfc6347.html#page-18):
> The first message each side transmits in each handshake always has message_seq = 0. Whenever each new message is generated, the message_seq value is incremented by one.

We found that GnuTLS does not check for message_seq to be 0 in a ClientHello delivered in the middle of an on-going handshake.

## Version of gnutls used:
3.7.1

## Operating System
Ubuntu 20

## How reproducible:

I attached files necessary for reproduction using [DTLS-fuzzer](https://github.com/assist-project/dtls-fuzzer/), a Java-based tool for testing DTLS libraries, whose .jar is included in the archive. Also included is a capture of the interaction, generated on my machine. DTLS-fuzzer requires the JDK for Java 8. On Ubuntu, this can be installed by running:
`sudo apt-get install openjdk-8-jdk`

Unpack the archive at the end of this post, `cd` to the resulting folder, download to this folder the .jar of DTLS-fuzzer available [here](https://github.com/pfg666/reproduction/blob/main/dtls-fuzzer.jar), and run `bash reproduce.sh`, while running an instance of Wireshark on the side. The reproduction script will:

* launch a gnutls-serv server instance
* execute a test exposing the behavior using DTLS-fuzzer.
 
It assumes `gnutls-serv` is present in the PATH.

## Actual results:

If everything works as planned, Wireshark should show an interaction similar to that in the image below:
![handshake_restart](/uploads/cba60d807a4f7486b7ec81926c02ffb3/handshake_restart.png)

Therein, if we check the value of the highlighted restarting ClientHello message, we see:
![handshake_restart_mseq](/uploads/31b4c6a9e60dc748d4bf89a065a7a788/handshake_restart_mseq.png)

BTW, I had to pack dtls-fuzzer separately since its .jar is too large.

## Expected results:

The server should not have restarted the handshake using this message.

Thanks!
[handshake_restarted.tar.gz](/uploads/848784142be5fb0e425d95f3f33e4e09/handshake_restarted.tar.gz)

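The check the report asks for, sketched as an added example (not GnuTLS code and not part of the report): parse the 12-byte DTLS handshake header and classify a message against the receiver's `next_receive_seq`, following the ordering rules of RFC 6347 section 4.2.2. All names are hypothetical, and the rule that only a ClientHello with message_seq 0 can be a restart candidate is an assumed policy matching the expected result above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* DTLS 1.2 handshake header (RFC 6347, section 4.2.2): 12 bytes on the wire. */
struct hs_hdr { uint8_t type; uint16_t message_seq;
                uint32_t length, frag_off, frag_len; };   /* 24-bit fields */
enum verdict { HS_MALFORMED, HS_PROCESS, HS_QUEUE, HS_DISCARD, HS_RESTART_CANDIDATE };
#define HS_CLIENT_HELLO 1

static uint32_t rd24(const uint8_t *p)
{
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

/* Parse and bounds-check the header; returns 0 on success, -1 if malformed. */
int parse_hs_hdr(const uint8_t *buf, size_t len, struct hs_hdr *h)
{
    if (len < 12) return -1;
    h->type = buf[0];
    h->length = rd24(buf + 1);
    h->message_seq = (uint16_t)((buf[4] << 8) | buf[5]);
    h->frag_off = rd24(buf + 6);
    h->frag_len = rd24(buf + 9);
    if (h->frag_len > h->length || h->frag_off > h->length - h->frag_len) return -1;
    return h->frag_len > len - 12 ? -1 : 0;   /* fragment must fit in the buffer */
}

/* next_receive_seq: the message_seq the receiver expects next in this handshake. */
enum verdict classify(const uint8_t *buf, size_t len, uint16_t next_receive_seq)
{
    struct hs_hdr h;
    if (parse_hs_hdr(buf, len, &h) != 0) return HS_MALFORMED;
    if (h.message_seq == next_receive_seq) return HS_PROCESS;
    if (h.message_seq > next_receive_seq) return HS_QUEUE;   /* future: may buffer */
    /* Stale number. Assumed policy: only a ClientHello carrying message_seq 0
     * may be considered for a restart; it could also be a retransmission. */
    if (h.type == HS_CLIENT_HELLO && h.message_seq == 0) return HS_RESTART_CANDIDATE;
    return HS_DISCARD;
}

/* Constructed samples: header-only ClientHello messages (length 0). */
const uint8_t ch_seq0[12] = { 1, 0,0,0, 0,0, 0,0,0, 0,0,0 };
const uint8_t ch_seq2[12] = { 1, 0,0,0, 0,2, 0,0,0, 0,0,0 };

int main(void)
{   /* Mid-handshake: the receiver expects message_seq 3 next. */
    printf("%d %d\n", (int)classify(ch_seq0, 12, 3), (int)classify(ch_seq2, 12, 3));
    return 0;
}
```

With `next_receive_seq` at 3, the constructed ClientHello carrying message_seq 2 is discarded, and only the one carrying 0 is handed on for a restart decision.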