Duplicated key_shares from client are not detected by GnuTLS server
When in TLS 1.3 the client advertises two key_shares for the same group, the server does not notice that; instead, it continues the connection (sends ServerHello with its key_share).
IOW, GnuTLS doesn't implement the check described in https://tools.ietf.org/html/rfc8446#section-4.2.8:
Clients MUST NOT offer multiple KeyShareEntry values
for the same group. Clients MUST NOT offer any KeyShareEntry values
for groups not listed in the client's "supported_groups" extension.
Servers MAY check for violations of these rules and abort the
handshake with an "illegal_parameter" alert if one is violated.
Reproducer:
https://github.com/tomato42/tlsfuzzer/pull/553
PYTHONPATH=. python scripts/test-tls13-ffdhe-groups.py 'ffdhe2048 - duplicated key share entry'
tlsfuzzer output:
ffdhe2048 - duplicated key share entry ...
Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x7fa7563e5810> (child: <tlsfuzzer.expect.ExpectClose object at 0x7fa7563e5850>) with last message being: <tlslite.messages.Message object at 0x7fa7563b2610>
Error while processing
Traceback (most recent call last):
File "scripts/test-tls13-ffdhe-groups.py", line 470, in main
runner.run()
File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/runner.py", line 235, in run
RecordHeader2)))
AssertionError: Unexpected message from peer: Handshake(server_hello)
Basic FFDHE group tests in TLS 1.3
Check if invalid, malformed and incompatible group key_shares are
rejected by server
version: 1
Test end
successful: 0
failed: 1
'ffdhe2048 - duplicated key share entry'
gnutls output:
|<5>| REC[0xd303e0]: Allocating epoch #0
|<2>| added 2 protocols, 43 ciphersuites, 18 sig algos and 9 groups into priority list
* Accepted connection from IPv4 127.0.0.1 port 39456 on Tue Jan 14 19:17:58 202
|<5>| REC[0xd303e0]: Allocating epoch #1
|<3>| ASSERT: buffers.c[get_last_packet]:1168
|<5>| REC[0xd303e0]: SSL 3.0 Handshake packet received. Epoch 0, length: 680
|<5>| REC[0xd303e0]: Expected Packet Handshake(22)
|<5>| REC[0xd303e0]: Received Packet Handshake(22) with length: 680
|<5>| REC[0xd303e0]: Decrypted Packet[0] Handshake(22) with length: 680
|<4>| HSK[0xd303e0]: CLIENT HELLO (1) was received. Length 676[676], frag offset 0, frag length: 676, sequence: 0
|<4>| HSK[0xd303e0]: Client's version: 3.3
|<4>| EXT[0xd303e0]: Parsing extension 'Supported Versions/43' (5 bytes)
|<4>| EXT[0xd303e0]: Found version: 3.4
|<4>| EXT[0xd303e0]: Found version: 3.3
|<4>| EXT[0xd303e0]: Negotiated version: 3.4
|<4>| EXT[0xd303e0]: Parsing extension 'Supported Groups/10' (4 bytes)
|<4>| EXT[0xd303e0]: Received group FFDHE2048 (0x100)
|<4>| EXT[0xd303e0]: Selected group FFDHE2048
|<4>| EXT[0xd303e0]: Parsing extension 'Signature Algorithms/13' (12 bytes)
|<4>| EXT[0xd303e0]: rcvd signature algo (8.4) RSA-PSS-RSAE-SHA256
|<4>| EXT[0xd303e0]: rcvd signature algo (8.9) RSA-PSS-SHA256
|<4>| EXT[0xd303e0]: rcvd signature algo (6.3) ECDSA-SECP521R1-SHA512
|<4>| EXT[0xd303e0]: rcvd signature algo (5.3) ECDSA-SECP384R1-SHA384
|<4>| EXT[0xd303e0]: rcvd signature algo (4.3) ECDSA-SECP256R1-SHA256
|<4>| HSK[0xd303e0]: Received safe renegotiation CS
|<2>| checking 13.01 (GNUTLS_AES_128_GCM_SHA256) for compatibility
|<3>| ASSERT: server_name.c[gnutls_server_name_get]:239
|<4>| HSK[0xd303e0]: Requested server name: ''
|<4>| HSK[0xd303e0]: checking compat of GNUTLS_AES_128_GCM_SHA256 with certificate[3] (RSA-PSS/X.509)
|<4>| checking cert compat with RSA-PSS-RSAE-SHA256
|<4>| checking cert compat with RSA-PSS-SHA256
|<4>| Selected signature algorithm: RSA-PSS-SHA256
|<2>| Selected (RSA-PSS) cert based on ciphersuite 13.1: GNUTLS_AES_128_GCM_SHA256
|<4>| HSK[0xd303e0]: Selected cipher suite: GNUTLS_AES_128_GCM_SHA256
|<4>| HSK[0xd303e0]: Selected version TLS1.3
|<4>| EXT[0xd303e0]: Parsing extension 'Key Share/51' (522 bytes)
|<4>| EXT[0xd303e0]: Received key share for FFDHE2048
|<4>| HSK[0xd303e0]: Selected group FFDHE2048 (256)
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<2>| EXT[0xd303e0]: server generated FFDHE2048 shared key
|<4>| HSK[0xd303e0]: Safe renegotiation succeeded
|<4>| HSK[0xd303e0]: SessionID: 0efa6ab1f6c10f577b1dc58831d7274953157b7602bfc407a0c83e2fef7ebeea
|<4>| EXT[0xd303e0]: Not sending extension (OCSP Status Request/5) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Client Certificate Type/19) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Server Certificate Type/20) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Supported Groups/10) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Supported EC Point Formats/11) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (SRP/12) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Signature Algorithms/13) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (SRTP/14) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Heartbeat/15) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (ALPN/16) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Encrypt-then-MAC/22) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Extended Master Secret/23) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Session Ticket/35) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Preparing extension (Key Share/51) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: sending key share for FFDHE2048
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<4>| EXT[0xd303e0]: Sending extension Key Share/51 (260 bytes)
|<4>| EXT[0xd303e0]: Preparing extension (Supported Versions/43) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Sending extension Supported Versions/43 (2 bytes)
|<4>| EXT[0xd303e0]: Not sending extension (Post Handshake Auth/49) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Safe Renegotiation/65281) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Server Name Indication/0) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Cookie/44) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Early Data/42) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Preparing extension (PSK Key Exchange Modes/45) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Record Size Limit/28) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (Maximum Record Size/1) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Not sending extension (ClientHello Padding/21) for 'TLS 1.3 server hello'
|<4>| EXT[0xd303e0]: Preparing extension (Pre Shared Key/41) for 'TLS 1.3 server hello'
|<4>| HSK[0xd303e0]: SERVER HELLO was queued [346 bytes]
|<5>| REC[0xd303e0]: Preparing Packet Handshake(22) with length: 346 and min pad: 0
|<5>| REC[0xd303e0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 351
|<5>| REC[0xd303e0]: Preparing Packet ChangeCipherSpec(20) with length: 1 and min pad: 0
|<5>| REC[0xd303e0]: Sent Packet[2] ChangeCipherSpec(20) in epoch 0 and length: 6
|<4>| REC[0xd303e0]: Sent ChangeCipherSpec
|<5>| REC[0xd303e0]: Initializing epoch #1
|<5>| REC[0xd303e0]: Epoch #1 ready
|<4>| HSK[0xd303e0]: TLS 1.3 re-key with cipher suite: GNUTLS_AES_128_GCM_SHA256
|<4>| EXT[0xd303e0]: Not sending extension (OCSP Status Request/5) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Preparing extension (Client Certificate Type/19) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Preparing extension (Server Certificate Type/20) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Preparing extension (Supported Groups/10) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (Supported EC Point Formats/11) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (SRP/12) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (Signature Algorithms/13) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Preparing extension (SRTP/14) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Preparing extension (Heartbeat/15) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Preparing extension (ALPN/16) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (Encrypt-then-MAC/22) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (Extended Master Secret/23) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (Session Ticket/35) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (Key Share/51) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (Supported Versions/43) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (Post Handshake Auth/49) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (Safe Renegotiation/65281) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Preparing extension (Server Name Indication/0) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (Cookie/44) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Preparing extension (Early Data/42) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (PSK Key Exchange Modes/45) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Preparing extension (Record Size Limit/28) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Preparing extension (Maximum Record Size/1) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (ClientHello Padding/21) for 'encrypted extensions'
|<4>| EXT[0xd303e0]: Not sending extension (Pre Shared Key/41) for 'encrypted extensions'
|<4>| HSK[0xd303e0]: ENCRYPTED EXTENSIONS was queued [6 bytes]
|<4>| HSK[0xd303e0]: CERTIFICATE was queued [874 bytes]
|<4>| checking cert compat with RSA-PSS-RSAE-SHA256
|<4>| checking cert compat with RSA-PSS-SHA256
|<4>| HSK[0xd303e0]: signing TLS 1.3 handshake data: using RSA-PSS-SHA256 and PRF: SHA256
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
|<4>| HSK[0xd303e0]: CERTIFICATE VERIFY was queued [264 bytes]
|<4>| HSK[0xd303e0]: sending finished
|<4>| HSK[0xd303e0]: FINISHED was queued [36 bytes]
|<5>| REC[0xd303e0]: Preparing Packet Handshake(22) with length: 6 and min pad: 0
|<5>| REC[0xd303e0]: Sent Packet[1] Handshake(22) in epoch 1 and length: 28
|<5>| REC[0xd303e0]: Preparing Packet Handshake(22) with length: 874 and min pad: 0
|<5>| REC[0xd303e0]: Sent Packet[2] Handshake(22) in epoch 1 and length: 896
|<5>| REC[0xd303e0]: Preparing Packet Handshake(22) with length: 264 and min pad: 0
|<5>| REC[0xd303e0]: Sent Packet[3] Handshake(22) in epoch 1 and length: 286
|<5>| REC[0xd303e0]: Preparing Packet Handshake(22) with length: 36 and min pad: 0
|<5>| REC[0xd303e0]: Sent Packet[4] Handshake(22) in epoch 1 and length: 58
|<2>| WRITE: -1 returned from 0x5, errno: 104
|<3>| ASSERT: buffers.c[_gnutls_io_write_flush]:722
|<3>| ASSERT: handshake-tls13.c[_gnutls13_handshake_server]:469
Error in handshake: The TLS connection was non-properly terminated.
|<5>| REC: Sending Alert[2|10] - Unexpected message
|<2>| WRITE: -1 returned from 0x5, errno: 32
|<3>| ASSERT: buffers.c[errno_to_gerr]:230
|<3>| ASSERT: buffers.c[_gnutls_io_write_flush]:722
|<3>| ASSERT: record.c[_gnutls_send_tlen_int]:588
|<5>| REC[0xd303e0]: Start of epoch cleanup
|<5>| REC[0xd303e0]: Epoch #0 freed
|<5>| REC[0xd303e0]: End of epoch cleanup
|<5>| REC[0xd303e0]: Epoch #1 freed
^[[2;2~^CExiting via signal 2
Tested with 0ddd79af
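The check that RFC 8446 section 4.2.8 allows a server to make, as an added example (not GnuTLS code and not part of the original report). The function name, constants, the MAX_SHARES cap and the sample byte strings are assumptions made for illustration; the alert numbers are the ones RFC 8446 assigns.

```c
#include <stddef.h>
#include <stdint.h>
#define KS_OK               0
#define ALERT_ILLEGAL_PARAM 47 /* RFC 8446 illegal_parameter */
#define ALERT_DECODE_ERROR  50 /* RFC 8446 decode_error */
#define MAX_SHARES          16 /* assumed cap on tracked entries */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate a ClientHello key_share body: uint16 list length, then entries of
 * { uint16 group; uint16 key_exchange length (>= 1); bytes }. Returns KS_OK or an alert. */
int check_client_key_shares(const uint8_t *ext, size_t len,
                            const uint16_t *supported, size_t n_supported)
{
    uint16_t seen[MAX_SHARES];
    size_t n_seen = 0, pos = 2, i;
    if (len < 2 || (size_t)rd16(ext) != len - 2)
        return ALERT_DECODE_ERROR;
    while (pos < len) {
        if (len - pos < 4)
            return ALERT_DECODE_ERROR;
        uint16_t group = rd16(ext + pos);
        size_t klen = rd16(ext + pos + 2);
        pos += 4;
        if (klen == 0 || klen > len - pos)
            return ALERT_DECODE_ERROR;
        pos += klen;
        for (i = 0; i < n_seen; i++)      /* rule 1: one entry per group */
            if (seen[i] == group)
                return ALERT_ILLEGAL_PARAM;
        for (i = 0; i < n_supported && supported[i] != group; i++) {} /* rule 2 */
        if (i == n_supported || n_seen == MAX_SHARES)
            return ALERT_ILLEGAL_PARAM;   /* not advertised, or over example cap */
        seen[n_seen++] = group;
    }
    return KS_OK;
}

/* Constructed samples; key_exchange shortened to 2 bytes for readability. */
static const uint16_t groups[] = { 0x0100 };  /* ffdhe2048 */
static const uint8_t one_share[] = { 0,6, 1,0, 0,2, 0xaa,0xbb };
static const uint8_t dup_share[] = { 0,12, 1,0, 0,2, 0xaa,0xbb, 1,0, 0,2, 0xcc,0xdd };
static const uint8_t unlisted[]  = { 0,6, 0,0x1d, 0,2, 0xaa,0xbb };  /* x25519 */
static const uint8_t truncated[] = { 0,6, 1,0, 0,5, 0xaa,0xbb };

int main(void)
{   /* exit status 0 when the duplicated entry is rejected */
    return check_client_key_shares(dup_share, sizeof dup_share, groups, 1)
           != ALERT_ILLEGAL_PARAM;
}
```

Running such a check over the whole client_shares list before selecting a share is what lets the server answer the duplicated ffdhe2048 entry with an alert instead of a ServerHello.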