<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<p class="details" style="font-style: italic; color: #777;">
<a href="https://gitlab.com/tomato42">Hubert Kario (@mention me if you need reply)</a> created an issue:
</p>
<p dir="auto">When a key_share in TLS 1.3 includes an FFDHE group, but the value is a single byte of value 0, the connection is rejected with <code>internal_error</code> instead of <code>illegal_parameter</code>.</p>
<p dir="auto">Reproducer in <a href="https://github.com/tomato42/tlsfuzzer/pull/553" rel="nofollow noreferrer noopener" target="_blank">https://github.com/tomato42/tlsfuzzer/pull/553</a>:</p>
<p dir="auto"><code>PYTHONPATH=. python scripts/test-tls13-ffdhe-groups.py 'ffdhe2048 - 0 as key share'</code></p>
<p dir="auto">tlsfuzzer output:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">ffdhe2048 - 0 as key share ...</span>
<span id="LC2" class="line" lang="plaintext">Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x7f9bb86956d0> (child: <tlsfuzzer.expect.ExpectClose object at 0x7f9bb8695710>) with last message being: <tlslite.messages.Message object at 0x7f9bb8657650></span>
<span id="LC3" class="line" lang="plaintext">Error while processing</span>
<span id="LC4" class="line" lang="plaintext">Traceback (most recent call last):</span>
<span id="LC5" class="line" lang="plaintext">  File "scripts/test-tls13-ffdhe-groups.py", line 470, in main</span>
<span id="LC6" class="line" lang="plaintext">    runner.run()</span>
<span id="LC7" class="line" lang="plaintext">  File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/runner.py", line 237, in run</span>
<span id="LC8" class="line" lang="plaintext">    node.process(self.state, msg)</span>
<span id="LC9" class="line" lang="plaintext">  File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/expect.py", line 1680, in process</span>
<span id="LC10" class="line" lang="plaintext">    raise AssertionError(problem_desc)</span>
<span id="LC11" class="line" lang="plaintext">AssertionError: Expected alert description "illegal_parameter" does not match received "internal_error"</span>
<span id="LC12" class="line" lang="plaintext"></span>
<span id="LC13" class="line" lang="plaintext">Basic FFDHE group tests in TLS 1.3</span>
<span id="LC14" class="line" lang="plaintext">Check if invalid, malformed and incompatible group key_shares are</span>
<span id="LC15" class="line" lang="plaintext">rejected by server</span>
<span id="LC16" class="line" lang="plaintext">version: 1</span>
<span id="LC17" class="line" lang="plaintext"></span>
<span id="LC18" class="line" lang="plaintext">Test end</span>
<span id="LC19" class="line" lang="plaintext">successful: 0</span>
<span id="LC20" class="line" lang="plaintext">failed: 1</span>
<span id="LC21" class="line" lang="plaintext">  'ffdhe2048 - 0 as key share'</span></code></pre>
<p dir="auto">GnuTLS (<a href="https://gitlab.com/gnutls/gnutls/commit/0ddd79afb47149cd49690b3a89b9a8ca79acd29b" data-original="0ddd79afb4714" data-link="false" data-link-reference="false" data-project="179611" data-commit="0ddd79afb47149cd49690b3a89b9a8ca79acd29b" data-reference-type="commit" data-container="body" data-placement="bottom" title="Merge branch 'override-default-priority' into 'master'" class="gfm gfm-commit has-tooltip">0ddd79af</a>) output:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">|<5>| REC[0xd303e0]: Allocating epoch #0</span>
<span id="LC2" class="line" lang="plaintext">|<2>| added 2 protocols, 43 ciphersuites, 18 sig algos and 9 groups into priority list</span>
<span id="LC3" class="line" lang="plaintext"></span>
<span id="LC4" class="line" lang="plaintext">* Accepted connection from IPv4 127.0.0.1 port 39428 on Tue Jan 14 19:16:49 202</span>
<span id="LC5" class="line" lang="plaintext">|<5>| REC[0xd303e0]: Allocating epoch #1</span>
<span id="LC6" class="line" lang="plaintext">|<3>| ASSERT: buffers.c[get_last_packet]:1168</span>
<span id="LC7" class="line" lang="plaintext">|<5>| REC[0xd303e0]: SSL 3.0 Handshake packet received. Epoch 0, length: 420</span>
<span id="LC8" class="line" lang="plaintext">|<5>| REC[0xd303e0]: Expected Packet Handshake(22)</span>
<span id="LC9" class="line" lang="plaintext">|<5>| REC[0xd303e0]: Received Packet Handshake(22) with length: 420</span>
<span id="LC10" class="line" lang="plaintext">|<5>| REC[0xd303e0]: Decrypted Packet[0] Handshake(22) with length: 420</span>
<span id="LC11" class="line" lang="plaintext">|<4>| HSK[0xd303e0]: CLIENT HELLO (1) was received. Length 416[416], frag offset 0, frag length: 416, sequence: 0</span>
<span id="LC12" class="line" lang="plaintext">|<4>| HSK[0xd303e0]: Client's version: 3.3</span>
<span id="LC13" class="line" lang="plaintext">|<4>| EXT[0xd303e0]: Parsing extension 'Supported Versions/43' (5 bytes)</span>
<span id="LC14" class="line" lang="plaintext">|<4>| EXT[0xd303e0]: Found version: 3.4</span>
<span id="LC15" class="line" lang="plaintext">|<4>| EXT[0xd303e0]: Found version: 3.3</span>
<span id="LC16" class="line" lang="plaintext">|<4>| EXT[0xd303e0]: Negotiated version: 3.4</span>
<span id="LC17" class="line" lang="plaintext">|<4>| EXT[0xd303e0]: Parsing extension 'Supported Groups/10' (4 bytes)</span>
<span id="LC18" class="line" lang="plaintext">|<4>| EXT[0xd303e0]: Received group FFDHE2048 (0x100)</span>
<span id="LC19" class="line" lang="plaintext">|<4>| EXT[0xd303e0]: Selected group FFDHE2048</span>
<span id="LC20" class="line" lang="plaintext">|<4>| EXT[0xd303e0]: Parsing extension 'Signature Algorithms/13' (12 bytes)</span>
<span id="LC21" class="line" lang="plaintext">|<4>| EXT[0xd303e0]: rcvd signature algo (8.4) RSA-PSS-RSAE-SHA256</span>
<span id="LC22" class="line" lang="plaintext">|<4>| EXT[0xd303e0]: rcvd signature algo (8.9) RSA-PSS-SHA256</span>
<span id="LC23" class="line" lang="plaintext">|<4>| EXT[0xd303e0]: rcvd signature algo (6.3) ECDSA-SECP521R1-SHA512</span>
<span id="LC24" class="line" lang="plaintext">|<4>| EXT[0xd303e0]: rcvd signature algo (5.3) ECDSA-SECP384R1-SHA384</span>
<span id="LC25" class="line" lang="plaintext">|<4>| EXT[0xd303e0]: rcvd signature algo (4.3) ECDSA-SECP256R1-SHA256</span>
<span id="LC26" class="line" lang="plaintext">|<4>| HSK[0xd303e0]: Received safe renegotiation CS</span>
<span id="LC27" class="line" lang="plaintext">|<2>| checking 13.01 (GNUTLS_AES_128_GCM_SHA256) for compatibility</span>
<span id="LC28" class="line" lang="plaintext">|<3>| ASSERT: server_name.c[gnutls_server_name_get]:239</span>
<span id="LC29" class="line" lang="plaintext">|<4>| HSK[0xd303e0]: Requested server name: ''</span>
<span id="LC30" class="line" lang="plaintext">|<4>| HSK[0xd303e0]: checking compat of GNUTLS_AES_128_GCM_SHA256 with certificate[3] (RSA-PSS/X.509)</span>
<span id="LC31" class="line" lang="plaintext">|<4>| checking cert compat with RSA-PSS-RSAE-SHA256</span>
<span id="LC32" class="line" lang="plaintext">|<4>| checking cert compat with RSA-PSS-SHA256</span>
<span id="LC33" class="line" lang="plaintext">|<4>| Selected signature algorithm: RSA-PSS-SHA256</span>
<span id="LC34" class="line" lang="plaintext">|<2>| Selected (RSA-PSS) cert based on ciphersuite 13.1: GNUTLS_AES_128_GCM_SHA256</span>
<span id="LC35" class="line" lang="plaintext">|<4>| HSK[0xd303e0]: Selected cipher suite: GNUTLS_AES_128_GCM_SHA256</span>
<span id="LC36" class="line" lang="plaintext">|<4>| HSK[0xd303e0]: Selected version TLS1.3</span>
<span id="LC37" class="line" lang="plaintext">|<4>| EXT[0xd303e0]: Parsing extension 'Key Share/51' (262 bytes)</span>
<span id="LC38" class="line" lang="plaintext">|<4>| EXT[0xd303e0]: Received key share for FFDHE2048</span>
<span id="LC39" class="line" lang="plaintext">|<4>| HSK[0xd303e0]: Selected group FFDHE2048 (256)</span>
<span id="LC40" class="line" lang="plaintext">|<3>| ASSERT: key_share.c[server_use_key_share]:379</span>
<span id="LC41" class="line" lang="plaintext">|<3>| ASSERT: key_share.c[key_share_recv_params]:559</span>
<span id="LC42" class="line" lang="plaintext">|<3>| ASSERT: hello_ext.c[hello_ext_parse]:274</span>
<span id="LC43" class="line" lang="plaintext">|<3>| ASSERT: extv.c[_gnutls_extv_parse]:69</span>
<span id="LC44" class="line" lang="plaintext">|<3>| ASSERT: hello_ext.c[_gnutls_parse_hello_extensions]:307</span>
<span id="LC45" class="line" lang="plaintext">|<3>| ASSERT: handshake.c[read_client_hello]:828</span>
<span id="LC46" class="line" lang="plaintext">|<3>| ASSERT: handshake.c[_gnutls_recv_handshake]:1577</span>
<span id="LC47" class="line" lang="plaintext">|<3>| ASSERT: handshake.c[handshake_server]:3358</span>
<span id="LC48" class="line" lang="plaintext">Error in handshake: The scanning of a large integer has failed.</span>
<span id="LC49" class="line" lang="plaintext">|<5>| REC: Sending Alert[2|80] - Internal error</span>
<span id="LC50" class="line" lang="plaintext">|<5>| REC[0xd303e0]: Preparing Packet Alert(21) with length: 2 and min pad: 0</span>
<span id="LC51" class="line" lang="plaintext">|<5>| REC[0xd303e0]: Sent Packet[1] Alert(21) in epoch 0 and length: 7</span>
<span id="LC52" class="line" lang="plaintext">|<5>| REC[0xd303e0]: Start of epoch cleanup</span>
<span id="LC53" class="line" lang="plaintext">|<5>| REC[0xd303e0]: End of epoch cleanup</span>
<span id="LC54" class="line" lang="plaintext">|<5>| REC[0xd303e0]: Epoch #0 freed</span>
<span id="LC55" class="line" lang="plaintext">|<5>| REC[0xd303e0]: Epoch #1 freed</span></code></pre>
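<p dir="auto">As an added illustration (not code from the report, tlsfuzzer or GnuTLS), the following Python sketch performs the server-side checks RFC 8446 section 4.2.8.1 requires on an FFDHE key_share: the share must be exactly the byte length of p and satisfy 1 &lt; Y &lt; p-1, so the single 0x00 byte from the report is classified as <code>illegal_parameter</code> before any bignum parsing can fail with an internal error. The ffdhe2048 prime is the RFC 7919 constant; the extension bodies it classifies are constructed inputs.</p>

```python
import struct
FFDHE2048 = 0x0100  # NamedGroup code point, RFC 7919
FFDHE2048_P = int(  # the ffdhe2048 prime p, RFC 7919 Appendix A.1
    "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1D8B9C583CE2D3695"
    "A9E13641146433FBCC939DCE249B3EF97D2FE363630C75D8F681B202AEC4617A"
    "D3DF1ED5D5FD65612433F51F5F066ED0856365553DED1AF3B557135E7F57C935"
    "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE73530ACCA4F483A797A"
    "BC0AB182B324FB61D108A94BB2C8E3FBB96ADAB760D7F4681D4F42A3DE394DF4"
    "AE56EDE76372BB190B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61"
    "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD733BB5FCBC2EC22005"
    "C58EF1837D1683B2C6F34A26C1B2EFFA886B423861285C97FFFFFFFFFFFFFFFF", 16)
P_LEN = (FFDHE2048_P.bit_length() + 7) // 8  # 256: the only legal share length
REPORTED_SHARE = b"\x00\x05\x01\x00\x00\x01\x00"  # constructed: ffdhe2048 share of one 0x00 byte

class IllegalParameter(ValueError):
    """Peer's field is malformed or out of range: answer illegal_parameter(47)."""

def parse_key_share_client_hello(body: bytes) -> dict:
    """Split a KeyShareClientHello body into {group: key_exchange}; bad lengths raise IllegalParameter."""
    if len(body) < 2 or struct.unpack("!H", body[:2])[0] != len(body) - 2:
        raise IllegalParameter("client_shares length does not match extension")
    shares, pos = {}, 2
    while pos < len(body):
        if pos + 4 > len(body):
            raise IllegalParameter("truncated KeyShareEntry header")
        group, klen = struct.unpack("!HH", body[pos:pos + 4])
        if pos + 4 + klen > len(body) or group in shares:
            raise IllegalParameter("key_exchange overrun or duplicate group")
        shares[group], pos = body[pos + 4:pos + 4 + klen], pos + 4 + klen
    return shares

def validate_ffdhe2048_share(key_exchange: bytes) -> int:
    """Return Y for a well-formed, in-range ffdhe2048 share (RFC 8446 4.2.8.1). Y must be
    zero-padded to the byte size of p, so the report's single 0x00 byte fails the length check."""
    if len(key_exchange) != P_LEN:
        raise IllegalParameter(f"share is {len(key_exchange)} bytes, expected {P_LEN}")
    y = int.from_bytes(key_exchange, "big")
    if not 1 < y < FFDHE2048_P - 1:  # MUST hold; rejects 0, 1, p-1 and Y >= p
        raise IllegalParameter("ffdhe2048 public value out of range")
    return y

def alert_for(body: bytes) -> str:
    """Classify a received key_share body: 'ok' or the alert the server should send."""
    try:
        shares = parse_key_share_client_hello(body)
        if FFDHE2048 in shares:
            validate_ffdhe2048_share(shares[FFDHE2048])
        return "ok"
    except IllegalParameter:
        return "illegal_parameter"
```

<p dir="auto">Shares for other groups pass through unvalidated here; a real server applies the matching point-format and on-curve checks for ECDHE groups.</p>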

</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/907">view it on GitLab</a>.
</p>
</div>
</body>
</html>