tlslite-ng icon indicating copy to clipboard operation
tlslite-ng copied to clipboard

Published 20 hours ago verified publisher icon tlsfuzzer

Plain text alert message handling in TLS1.3

Open markuspi opened this issue 5 years ago • 1 comments

In TLS1.3, a tlslite-ng server raises a bad_record_mac exception when a plain text alert message is received after CCS has been sent.

On the other hand, OpenSSL 1.1.1b nevertheless sends certain Alert Messages in plain text, such as unknown_ca.

Reproduction:

tlslite-ng (0.8.0a26):

cd tests
PYTHONPATH=.. ./httpsserver.sh

openssl (1.1.1b):

openssl s_client -connect localhost:4443 -verify_return_error -tls1_3

tlslite output:

I am an HTTPS test server, I will listen on localhost:4443
Serving files from /home/user/Documents/tlslite-ng/tests
Using certificate and private key...


About to handshake...
----------------------------------------
Exception happened during processing of request from ('127.0.0.1', 49608)
Traceback (most recent call last):
  File "/usr/lib/python2.7/SocketServer.py", line 596, in process_request_thread
    self.finish_request(request, client_address)
  File "/home/user/Documents/tlslite-ng/tlslite/integration/tlssocketservermixin.py", line 55, in finish_request
    if self.handshake(tlsConnection) == True:
  File "../scripts/tls.py", line 535, in handshake
    sni=sni)
  File "/home/user/Documents/tlslite-ng/tlslite/tlsconnection.py", line 1885, in handshakeServer
    nextProtos=nextProtos, anon=anon, alpn=alpn, sni=sni):
  File "/home/user/Documents/tlslite-ng/tlslite/tlsconnection.py", line 1914, in handshakeServerAsync
    for result in self._handshakeWrapperAsync(handshaker, checker):
  File "/home/user/Documents/tlslite-ng/tlslite/tlsconnection.py", line 3924, in _handshakeWrapperAsync
    for result in handshaker:
  File "/home/user/Documents/tlslite-ng/tlslite/tlsconnection.py", line 1974, in _handshakeServerAsyncHelper
    alpn, reqCert):
  File "/home/user/Documents/tlslite-ng/tlslite/tlsconnection.py", line 2667, in _serverTLS13Handshake
    prf_size):
  File "/home/user/Documents/tlslite-ng/tlslite/tlsrecordlayer.py", line 750, in _getMsg
    for result in self._getNextRecord():
  File "/home/user/Documents/tlslite-ng/tlslite/tlsrecordlayer.py", line 982, in _getNextRecord
    for result in self._getNextRecordFromSocket():
  File "/home/user/Documents/tlslite-ng/tlslite/tlsrecordlayer.py", line 1038, in _getNextRecordFromSocket
    "MAC failure (or padding failure)"):
  File "/home/user/Documents/tlslite-ng/tlslite/tlsrecordlayer.py", line 629, in _sendError
    raise TLSLocalAlert(alert, errorStr)
TLSLocalAlert: bad_record_mac: MAC failure (or padding failure)
----------------------------------------

tshark output: (tshark -i lo -Y ssl)

    4 0.000389078    127.0.0.1 → 127.0.0.1    TLSv1   281  49652 4443  Client Hello
    6 0.007804799    127.0.0.1 → 127.0.0.1    TLSv1.3 199  4443 49652  Server Hello, Change Cipher Spec
    8 0.013638382    127.0.0.1 → 127.0.0.1    TLSv1.3 1190 4443 49652  Application Data
   10 0.014175835    127.0.0.1 → 127.0.0.1    TLSv1.3 73   49652 4443  Alert (Level: Fatal, Description: Unknown CA)
   12 0.015590855    127.0.0.1 → 127.0.0.1    TLSv1.3 90   4443 49652  Application Data

Expected output

A TLSRemoteAlert: unknown_ca should be raised instead of a TLSLocalAlert: bad_record_mac

markuspi avatar Mar 18 '19 15:03 markuspi

given that it is a reply to an encrypted handshake record, the alert should be encrypted

but the alert can be in relation to the ServerHello message too, so tlslite-ng should be able to read it anyway

tomato42 avatar Mar 19 '19 10:03 tomato42