
[Bug]: RFC 8446 violation : WolfSSL returns incorrect Alert when receiving unsolicited PresharedKey extension

Open aeyno opened this issue 1 month ago • 3 comments

Version

5.8.4

Description

A WolfSSL TLS 1.3 client that receives a ServerHello with a PresharedKey extension, when it hasn't requested the use of a preshared key, returns an IllegalParameter Alert.

According to RFC 8446 section 4.2:

    Implementations MUST NOT send extension responses if the remote endpoint did not send the corresponding extension requests, with the exception of the "cookie" extension in the HelloRetryRequest. Upon receiving such an extension, an endpoint MUST abort the handshake with an "unsupported_extension" alert.

This means that WolfSSL should return an UnsupportedExtension instead of an IllegalParameter when receiving the unsolicited PSK extension.

Impact

RFC violation

Expected behavior

WolfSSL server should send an "UnsupportedExtension" Alert and abort the connection.

Reproduction steps

Here is an example of a TLS 1.3 handshake that triggers the described behavior:

  • Wait for a client's ClientHello
  • Send a ServerHello with a PresharedKey extension:

    TLSv1.3 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 129
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 125
            Version: TLS 1.2 (0x0303)
            Random: 0101010101010101010101010101010101010101010101010101010101010101
            Session ID Length: 0
            Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
            Compression Method: null (0)
            Extensions Length: 85
            Extension: pre_shared_key (len=2)
                Type: pre_shared_key (41)
                Length: 2
                Pre-Shared Key extension
                    Selected Identity: 5
            Extension: key_share (len=69) secp256r1
                Type: key_share (51)
                Length: 69
                Key Share extension
                    Key Share Entry: Group: secp256r1, Key Exchange length: 65
                        Group: secp256r1 (23)
                        Key Exchange Length: 65
                        Key Exchange: 040c901d423c831ca85e27c73c263ba132721bb9d7a84c4f0380b2a6756fd601331c8870234dec878504c174144fa4b14b66a651691606d8173e55bd37e381569e
            Extension: supported_versions (len=2) TLS 1.3
                Type: supported_versions (43)
                Length: 2
                Supported Version: TLS 1.3 (0x0304)

    In raw hex:

    16030300810200007d030301010101010101010101010101010101010101010101010101010101010101010013010000550029000200050033004500170041040c901d423c831ca85e27c73c263ba132721bb9d7a84c4f0380b2a6756fd601331c8870234dec878504c174144fa4b14b66a651691606d8173e55bd37e381569e002b00020304

  • The client should send an IllegalParameter alert

Start the following Python TCP server:

import socket

HOST = "0.0.0.0"
PORT = 3000

# Canned ServerHello record: TLS_AES_128_GCM_SHA256, key_share (secp256r1),
# supported_versions (TLS 1.3) and an unsolicited pre_shared_key extension
# with selected_identity 5 (same bytes as the dissection above).
payload1 = bytes.fromhex(
    "16030300810200007d030301010101010101010101010101010101010101010101010101010101010101010013010000550029000200050033004500170041040c901d423c831ca85e27c73c263ba132721bb9d7a84c4f0380b2a6756fd601331c8870234dec878504c174144fa4b14b66a651691606d8173e55bd37e381569e002b00020304"
)

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as server_socket:
    server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server_socket.bind((HOST, PORT))
    server_socket.listen(1)
    print(f"[*] Listening on {HOST}:{PORT} ...")

    # Accept a single client connection
    conn, addr = server_socket.accept()
    with conn:
        print(f"[+] Connection from {addr}")

        # Read the client's ClientHello (its content is not inspected)
        data = conn.recv(1024)
        print(f"[>] Received: {data.hex()}")

        # Answer with the canned ServerHello carrying the unsolicited PSK extension
        conn.sendall(payload1)
        print(f"[<] Sent: {payload1.hex()}")

        # The client's reply is expected to be an alert record (content type 21);
        # the second recv shows whether anything else follows before the client closes
        data = conn.recv(1024)
        print(f"[>] Received: {data.hex()}")

        data = conn.recv(1024)
        print(f"[>] Received: {data.hex()}")

Then start a TLS 1.3 WolfSSL client:

./examples/client/client -v4 -p 3000 -l 'TLS_AES_128_GCM_SHA256'

You should see the WolfSSL client sending an IllegalParameter alert.

Acknowledgements

This bug was found thanks to the tlspuffin fuzzer designed and developed by the tlspuffin team:

  • Max Ammann
  • Olivier Demengeon - Loria, Inria
  • Tom Gouville - Loria, Inria
  • Lucca Hirschi - Loria, Inria
  • Steve Kremer - Loria, Inria
  • Michael Mera - Loria, Inria

aeyno, Dec 09 '25 14:12
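As an added example (not part of the report, tlspuffin or the wolfSSL code base): a small Python parser for the ServerHello record quoted in the report, together with the decision a conforming TLS 1.3 client makes over the server's extensions under RFC 8446 section 4.2 (an unsolicited extension means unsupported_extension) and section 4.2.11 (a solicited pre_shared_key whose selected_identity is out of the range the client offered means illegal_parameter). The set of extensions the client offered and the PSK identity counts are constructed inputs; the example assumes the client in the report offered key_share and supported_versions but no pre_shared_key.

```python
import struct

# Values from RFC 8446 / the IANA TLS registries; only the ones used here.
CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_SERVER_HELLO = 2
EXT_PRE_SHARED_KEY = 41
EXT_SUPPORTED_VERSIONS = 43
EXT_COOKIE = 44
EXT_KEY_SHARE = 51

# The ServerHello record from the report: pre_shared_key (selected_identity 5),
# key_share (secp256r1) and supported_versions (TLS 1.3), record length 129.
SERVER_HELLO_HEX = (
    "16030300810200007d030301010101010101010101010101010101010101010101010101010101010101010013010000550029000200050033004500170041040c901d423c831ca85e27c73c263ba132721bb9d7a84c4f0380b2a6756fd601331c8870234dec878504c174144fa4b14b66a651691606d8173e55bd37e381569e002b00020304"
)


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello.

    Returns the random, cipher suite and an ordered list of
    (extension_type, extension_data) pairs. Every length field is checked
    against the enclosing length so a malformed record raises ValueError
    rather than being read past its end.
    """
    if len(record) < 5 or record[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError("truncated record")
    if body[0] != HANDSHAKE_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or len(hs) < 2 + 32 + 1:
        raise ValueError("truncated handshake message")

    pos = 2  # legacy_version (always 0x0303 in TLS 1.3)
    random = hs[pos:pos + 32]
    pos += 32
    sid_len = hs[pos]
    pos += 1 + sid_len  # legacy_session_id_echo
    if len(hs) < pos + 2 + 1 + 2:
        raise ValueError("truncated ServerHello body")
    cipher_suite = hs[pos:pos + 2]
    pos += 2
    pos += 1  # legacy_compression_method
    (ext_len,) = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2
    if pos + ext_len != len(hs):
        raise ValueError("extensions length does not match message length")

    extensions = []
    while pos < len(hs):
        if pos + 4 > len(hs):
            raise ValueError("truncated extension header")
        ext_type, ext_data_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + ext_data_len]
        pos += ext_data_len
        if len(data) != ext_data_len:
            raise ValueError("truncated extension body")
        extensions.append((ext_type, data))
    return {"random": random, "cipher_suite": cipher_suite, "extensions": extensions}


def expected_client_alert(server_extensions, client_offered, psk_identities_offered=0, hrr=False):
    """Return the alert description a conforming client must send, or None.

    client_offered: set of extension types the ClientHello carried.
    psk_identities_offered: number of identities in the client's
      pre_shared_key extension (0 when it offered none).
    hrr: whether the message being checked is a HelloRetryRequest.
    """
    for ext_type, data in server_extensions:
        if ext_type == EXT_COOKIE and hrr:
            continue  # RFC 8446 4.2: the one unsolicited response that is allowed
        if ext_type not in client_offered:
            return "unsupported_extension"  # RFC 8446 4.2: unsolicited extension
        if ext_type == EXT_PRE_SHARED_KEY:
            if len(data) != 2:
                return "decode_error"  # selected_identity is exactly a uint16
            (selected,) = struct.unpack("!H", data)
            if selected >= psk_identities_offered:
                return "illegal_parameter"  # RFC 8446 4.2.11: identity out of range
    return None


if __name__ == "__main__":
    hello = parse_server_hello(bytes.fromhex(SERVER_HELLO_HEX))
    print("server extensions:", [t for t, _ in hello["extensions"]])
    # Constructed assumption: the client offered key_share and supported_versions, no PSK.
    offered = {EXT_KEY_SHARE, EXT_SUPPORTED_VERSIONS}
    print("client must send:", expected_client_alert(hello["extensions"], offered))
```

Run against the report's bytes with the assumed client offer, the script prints unsupported_extension, which is the alert the report argues wolfSSL should send; the same bytes become an illegal_parameter case only when the client did offer pre_shared_key with fewer than six identities, which is the distinction the two RFC sections draw.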

Hi @aeyno,

Thanks for the report. Unfortunately I'm not able to reproduce the issue you're seeing here with 5.8.4. Please share the full configure command you used to build wolfSSL to help me reproduce this.

kareem-wolfssl, Dec 09 '25 20:12

Hi @kareem-wolfssl ,

I am sorry, I forgot to mention my compilation command (./configure --enable-session-ticket && make), which allows WolfSSL to recognize the PresharedKey extension.

aeyno, Dec 10 '25 22:12

Hi @aeyno,

No worries, thanks for the additional info. I am able to reproduce the issue you're seeing with that configure line. The problem is that wolfSSL is currently translating all PSK errors into an illegal_parameter alert. I am working on splitting this specific case into a separate error which will send unsupported_extension. I'll let you know when I have a patch ready.

kareem-wolfssl, Dec 10 '25 23:12