<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">

<html lang="en">

<head>

<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">

<title>

GitLab

</title>

<style>img {

max-width: 100%; height: auto;

}

</style>

</head>

<body>

<div class="content">

<p class="details" style="font-style: italic; color: #666;">

<a href="https://gitlab.com/pfg666">Paul</a> created an issue: <a href="https://gitlab.com/gnutls/gnutls/-/issues/1233">#1233</a>

</p>

<div></div>

<h2 dir="auto">

<a id="user-content-description-of-problem" class="anchor" href="#description-of-problem" aria-hidden="true"></a>Description of problem:</h2>

<p dir="auto">GnuTLS does not validate message sequence numbers in ClientHello messages.

According to <a href="https://www.rfc-editor.org/rfc/rfc6347.html#page-18" rel="nofollow noreferrer noopener" target="_blank">DTLS RFC</a>:</p>

<blockquote dir="auto">

<p>The first message each side transmits in each handshake always has message_seq = 0. Whenever each new message is generated,  the message_seq value is incremented by one.</p>

</blockquote>

<p dir="auto">We found that GnuTLS does not check for message_seq to be 0 in a ClientHello delivered in the middle of an on-going handshake.</p>

<h2 dir="auto">

<a id="user-content-version-of-gnutls-used" class="anchor" href="#version-of-gnutls-used" aria-hidden="true"></a>Version of gnutls used:</h2>

<p dir="auto">3.7.1</p>

<h2 dir="auto">

<a id="user-content-operating-system" class="anchor" href="#operating-system" aria-hidden="true"></a>Operating System</h2>

<p dir="auto">Ubuntu 20</p>

<h2 dir="auto">

<a id="user-content-how-reproducible" class="anchor" href="#how-reproducible" aria-hidden="true"></a>How reproducible:</h2>

<p dir="auto">I attached files necessary for reproduction using <a href="https://github.com/assist-project/dtls-fuzzer/" rel="nofollow noreferrer noopener" target="_blank">DTLS-fuzzer</a>, a Java-based tool for testing DTLS libraries, whose .jar is included in the archive. Also included is a capture of the interaction,  generated on my machine. DTLS-fuzzer requires the JDK for Java 8. On Ubuntu, this can be installed  by running:

<code>sudo apt-get install openjdk-8-jdk</code></p>

<p dir="auto">Unpack the archive at the end of this post, <code>cd</code> to resulting folder, download to this folder  the .jar of DTLS-fuzzer available <a href="https://github.com/pfg666/reproduction/blob/main/dtls-fuzzer.jar" rel="nofollow noreferrer noopener" target="_blank">here</a>,  and  run <code>bash reproduce.sh </code>, while running an instance of Wireshark on the side. The reproduction script will:</p>

<ul dir="auto">

<li>launch a gnutls-serv server instance</li>

<li>execute a test exposing the behavior using DTLS-fuzzer.</li>

</ul>

<p dir="auto">It assumes <code>gnutls-serv</code> is present in the PATH.</p>

<h2 dir="auto">

<a id="user-content-actual-results" class="anchor" href="#actual-results" aria-hidden="true"></a>Actual results:</h2>

<p dir="auto">If everything works as planned, Wireshark should show an interaction similar to that in the image below:

<a class="no-attachment-icon gfm" href="https://gitlab.com/gnutls/gnutls/uploads/cba60d807a4f7486b7ec81926c02ffb3/handshake_restart.png" target="_blank" rel="noopener noreferrer" data-link="true"><img src="https://gitlab.com/gnutls/gnutls/uploads/cba60d807a4f7486b7ec81926c02ffb3/handshake_restart.png" alt="handshake_restart" class="gfm" style="max-width: 100%; height: auto;"></a></p>

<p dir="auto">Therein, if we check the value of the highlighted restarting ClientHello message, we see:

<a class="no-attachment-icon gfm" href="https://gitlab.com/gnutls/gnutls/uploads/31b4c6a9e60dc748d4bf89a065a7a788/handshake_restart_mseq.png" target="_blank" rel="noopener noreferrer" data-link="true"><img src="https://gitlab.com/gnutls/gnutls/uploads/31b4c6a9e60dc748d4bf89a065a7a788/handshake_restart_mseq.png" alt="handshake_restart_mseq" class="gfm" style="max-width: 100%; height: auto;"></a></p>

<p dir="auto">BTW, I had to pack dtls-fuzzer separately since its .jar is too large.</p>

<h2 dir="auto">

<a id="user-content-expected-results" class="anchor" href="#expected-results" aria-hidden="true"></a>Expected results:</h2>

<p dir="auto">The server should not have restarted the handshake using this message.</p>

<p dir="auto">Thanks!

<a href="https://gitlab.com/gnutls/gnutls/uploads/848784142be5fb0e425d95f3f33e4e09/handshake_restarted.tar.gz" data-link="true" class="gfm">handshake_restarted.tar.gz</a></p>

</div>

<div class="footer" style="margin-top: 10px;">

<p style="font-size: small; color: #666;">

—

<br>

Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/-/issues/1233">view it on GitLab</a>.

<br>

You're receiving this email because of your account on gitlab.com.

If you'd like to receive fewer emails, you can

<a href="https://gitlab.com/-/sent_notifications/3a667ff5731a78bb66f962fc5d6fc837/unsubscribe">unsubscribe</a>

from this thread or

adjust your notification settings.

<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/-/issues/1233"}}</script>

</p>

</div>

</body>

</html>