TLS class modifies packets with invalid extensions data
Brief description
bytes(TLS(b)) == b isn't true for certain TLS packets with invalid extensions data.
Scapy version
5c6085067079f063a7bc11d592d0a80ff6138cb9
Python version
3.10
Operating system
Ubuntu 22.04
Additional environment information
No response
How to reproduce
from scapy.layers.tls.record import TLS
b = bytes.fromhex("""
16 03 01 00 51 02 00 00 49 03 01 cd 8a 0e d1 00
01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10
11 12 13 14 15 16 17 18 19 1a 1b 20 20 21 22 23
24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33
34 35 36 37 38 39 3a 3b 3c 3d 3e 3f 00 02 00 04
01 00 0e 00 00 00
""")
print(b.hex())
print(bytes(TLS(b)).hex())
print(bytes(TLS(b)) == b)
Actual result
1603010051020000490301cd8a0ed1000102030405060708090a0b0c0d0e0f101112131415161718191a1b20202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f0002000401000e000000
1603010051020000490301cd8a0ed1000102030405060708090a0b0c0d0e0f101112131415161718191a1b20202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f00020004010e000000
False
Expected result
1603010051020000490301cd8a0ed1000102030405060708090a0b0c0d0e0f101112131415161718191a1b20202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f0002000401000e000000
1603010051020000490301cd8a0ed1000102030405060708090a0b0c0d0e0f101112131415161718191a1b20202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f0002000401000e000000
True
The difference is that the second line is no longer missing a null byte near the end of the data.
Related resources
Explanation: In the example packet above, the first handshake message (TLSServerHello), which is 77 bytes long, declares that it has 1025 bytes of extensions data, but actually only has one. Scapy discards that byte, causing the packet data to change when converted back to bytes.
"Any packet data can survive a round-trip through Scapy unmodified" isn't an explicit documented guarantee as far as I can tell, but "What makes Scapy so special" makes it sound like Scapy tries to avoid assuming anything in order to cater to unusual use cases. So this feels like a bug to me, personally. Let me know if I'm wrong :)
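The length mismatch described in the explanation above, as an added example (not part of the original report and not Scapy code): a standard-library-only check that walks the record from the report and compares the ServerHello's declared extensions length with the bytes actually present. The function names are hypothetical, and the parser assumes a single complete handshake record.

```python
import struct

# Packet bytes copied from the report above.
PACKET = bytes.fromhex("""
16 03 01 00 51 02 00 00 49 03 01 cd 8a 0e d1 00
01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10
11 12 13 14 15 16 17 18 19 1a 1b 20 20 21 22 23
24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33
34 35 36 37 38 39 3a 3b 3c 3d 3e 3f 00 02 00 04
01 00 0e 00 00 00
""")

def handshake_messages(record: bytes):
    """Return [(msg_type, body)] for one complete TLS handshake record."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 22 or rlen != len(record) - 5:
        raise ValueError("expected exactly one handshake record")
    frag, off, out = record[5:], 0, []
    while off + 4 <= len(frag):
        mlen = int.from_bytes(frag[off + 1:off + 4], "big")
        out.append((frag[off], frag[off + 4:off + 4 + mlen]))
        off += 4 + mlen
    return out

def server_hello_extensions(body: bytes):
    """Return (declared_len, raw_extension_bytes) for a ServerHello body."""
    off = 2 + 32                      # legacy_version + random
    if off >= len(body):
        raise ValueError("ServerHello truncated before session_id")
    off += 1 + body[off]              # session_id length byte + session_id
    off += 2 + 1                      # cipher_suite + compression_method
    if off + 2 > len(body):
        return 0, b""                 # no extensions block present
    return int.from_bytes(body[off:off + 2], "big"), body[off + 2:]

def length_mismatches(record: bytes):
    """List ServerHello messages whose extensions length disagrees with the data."""
    findings = []
    for index, (mtype, body) in enumerate(handshake_messages(record)):
        if mtype != 2:                # 2 = server_hello
            continue
        declared, raw = server_hello_extensions(body)
        if declared != len(raw):
            findings.append({"message": index, "declared": declared,
                             "present": len(raw), "raw": raw.hex()})
    return findings

if __name__ == "__main__":
    for finding in length_mismatches(PACKET):
        print(finding)
```

For the packet in the report this flags message 0 with a declared length of 1025 and 1 byte present, which is the null byte missing from the re-serialized output.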
Hi & thanks for the report!
You're probably right, looks like a bug. TLS is quite hard so I'm actually not that surprised that you would find something like that. Feel free to have a look and maybe submit a PR, we'll be happy to have a look, but this is unlikely to be prioritised :p