Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Plain text alert message handling in TLS1.3 #344

Closed
markuspi opened this issue Mar 18, 2019 · 1 comment · Fixed by #499
Closed

Plain text alert message handling in TLS1.3 #344

markuspi opened this issue Mar 18, 2019 · 1 comment · Fixed by #499
Assignees
@tomato42
Labels
bug unintented behaviour in tlslite-ng code complex Issues that require good knowledge of tlslite-ng internals or cryptography help wanted
Milestone
v0.8.0

Comments

@markuspi
Copy link

In TLS1.3, a tlslite-ng server raises a bad_record_mac exception when a plain text alert message is received after CCS has been sent.

On the other hand, OpenSSL 1.1.1b nevertheless sends certain Alert Messages in plain text, such as unknown_ca.

Reproduction:

tlslite-ng (0.8.0a26):

cd tests
PYTHONPATH=.. ./httpsserver.sh

openssl (1.1.1b):

openssl s_client -connect localhost:4443 -verify_return_error -tls1_3

tlslite output:

I am an HTTPS test server, I will listen on localhost:4443
Serving files from /home/user/Documents/tlslite-ng/tests
Using certificate and private key...


About to handshake...
----------------------------------------
Exception happened during processing of request from ('127.0.0.1', 49608)
Traceback (most recent call last):
  File "/usr/lib/python2.7/SocketServer.py", line 596, in process_request_thread
    self.finish_request(request, client_address)
  File "/home/user/Documents/tlslite-ng/tlslite/integration/tlssocketservermixin.py", line 55, in finish_request
    if self.handshake(tlsConnection) == True:
  File "../scripts/tls.py", line 535, in handshake
    sni=sni)
  File "/home/user/Documents/tlslite-ng/tlslite/tlsconnection.py", line 1885, in handshakeServer
    nextProtos=nextProtos, anon=anon, alpn=alpn, sni=sni):
  File "/home/user/Documents/tlslite-ng/tlslite/tlsconnection.py", line 1914, in handshakeServerAsync
    for result in self._handshakeWrapperAsync(handshaker, checker):
  File "/home/user/Documents/tlslite-ng/tlslite/tlsconnection.py", line 3924, in _handshakeWrapperAsync
    for result in handshaker:
  File "/home/user/Documents/tlslite-ng/tlslite/tlsconnection.py", line 1974, in _handshakeServerAsyncHelper
    alpn, reqCert):
  File "/home/user/Documents/tlslite-ng/tlslite/tlsconnection.py", line 2667, in _serverTLS13Handshake
    prf_size):
  File "/home/user/Documents/tlslite-ng/tlslite/tlsrecordlayer.py", line 750, in _getMsg
    for result in self._getNextRecord():
  File "/home/user/Documents/tlslite-ng/tlslite/tlsrecordlayer.py", line 982, in _getNextRecord
    for result in self._getNextRecordFromSocket():
  File "/home/user/Documents/tlslite-ng/tlslite/tlsrecordlayer.py", line 1038, in _getNextRecordFromSocket
    "MAC failure (or padding failure)"):
  File "/home/user/Documents/tlslite-ng/tlslite/tlsrecordlayer.py", line 629, in _sendError
    raise TLSLocalAlert(alert, errorStr)
TLSLocalAlert: bad_record_mac: MAC failure (or padding failure)
----------------------------------------

tshark output: (tshark -i lo -Y ssl)

    4 0.000389078    127.0.0.1 → 127.0.0.1    TLSv1   281  49652 4443  Client Hello
    6 0.007804799    127.0.0.1 → 127.0.0.1    TLSv1.3 199  4443 49652  Server Hello, Change Cipher Spec
    8 0.013638382    127.0.0.1 → 127.0.0.1    TLSv1.3 1190 4443 49652  Application Data
   10 0.014175835    127.0.0.1 → 127.0.0.1    TLSv1.3 73   49652 4443  Alert (Level: Fatal, Description: Unknown CA)
   12 0.015590855    127.0.0.1 → 127.0.0.1    TLSv1.3 90   4443 49652  Application Data

Expected output

A TLSRemoteAlert: unknown_ca should be raised instead of a TLSLocalAlert: bad_record_mac
@tomato42 tomato42 added bug unintented behaviour in tlslite-ng code help wanted complex Issues that require good knowledge of tlslite-ng internals or cryptography labels Mar 19, 2019
@tomato42 tomato42 added this to the v0.8.0 milestone Mar 19, 2019
@tomato42
Copy link
Member

given that it is a reply to an encrypted handshake record, the alert should be encrypted

but the alert can be in relation to the ServerHello message too, so tlslite-ng should be able to read it anyway

@tomato42 tomato42 assigned tomato42 and unassigned inikolchev Aug 2, 2023
@tomato42 tomato42 mentioned this issue Aug 3, 2023
Merged
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@tomato42 tomato42

Labels
bug unintented behaviour in tlslite-ng code complex Issues that require good knowledge of tlslite-ng internals or cryptography help wanted
Projects
None yet
Milestone
v0.8.0
Development

Successfully merging a pull request may close this issue.

allow unencrypted alerts just before encrypted messages tlsfuzzer/tlslite-ng
3 participants
@tomato42 @markuspi @inikolchev