Version
5.8.4
Description
A WolfSSL TLS 1.3 client receiving a ServerHello with a cipher suite that was not offered in the ClientHello returns a HandshakeFailure alert instead of an IllegalParameter alert.
According to RFC 8446 section 6.2:
- illegal_parameter: "A field in the handshake was incorrect or inconsistent with other fields. This alert is used for errors which conform to the formal protocol syntax but are otherwise incorrect."
- handshake_failure: "Receipt of a "handshake_failure" alert message indicates that the sender was unable to negotiate an acceptable set of security parameters given the options available."
So handshake_failure alert is intended to indicate that the sender was unable to negotiate a set of parameters, not that the counterparty provided an illegal value. When a server selects a suite the client did not offer, this is a protocol violation and a handshake inconsistency, which mandates an IllegalParameter alert.
Impact
RFC violation.
Expected behavior
WolfSSL client should send an IllegalParameter Alert and abort the connection.
Reproduction steps
Here is an example of a TLS 1.3 handshake that triggers the described behavior:
- Wait for a client's ClientHello
- Send a ServerHello with an incorrect cipher
```text
TLSv1.3 Record Layer: Handshake Protocol: Server Hello
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 123
    Handshake Protocol: Server Hello
        Handshake Type: Server Hello (2)
        Length: 119
        Version: TLS 1.2 (0x0303)
        Random: 0101010101010101010101010101010101010101010101010101010101010101
        Session ID Length: 0
        Cipher Suite: TLS_AES_128_CCM_SHA256 (0x1304)
        Compression Method: null (0)
        Extensions Length: 79
        Extension: key_share (len=69) secp256r1
            Type: key_share (51)
            Length: 69
            Key Share extension
        Extension: supported_versions (len=2) TLS 1.3
            Type: supported_versions (43)
            Length: 2
            Supported Version: TLS 1.3 (0x0304)
```
In raw hex: 160303007b020000770303010101010101010101010101010101010101010101010101010101010101010100130400004f0033004500170041040c901d423c831ca85e27c73c263ba132721bb9d7a84c4f0380b2a6756fd601331c8870234dec878504c174144fa4b14b66a651691606d8173e55bd37e381569e002b00020304
- The client should send a HandshakeFailure alert (the observed behavior described above)
Start the following Python TCP server:
```python
import socket

HOST = "0.0.0.0"
PORT = 3000

# ServerHello selecting TLS_AES_128_CCM_SHA256, as dissected above
payload1 = bytes.fromhex(
    "160303007b020000770303010101010101010101010101010101010101010101010101010101010101010100130400004f0033004500170041040c901d423c831ca85e27c73c263ba132721bb9d7a84c4f0380b2a6756fd601331c8870234dec878504c174144fa4b14b66a651691606d8173e55bd37e381569e002b00020304"
)

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as server_socket:
    server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server_socket.bind((HOST, PORT))
    server_socket.listen(1)
    print(f"[*] Listening on {HOST}:{PORT} ...")

    # Accept client connection
    conn, addr = server_socket.accept()
    with conn:
        print(f"[+] Connection from {addr}")
        # receive ClientHello
        data = conn.recv(1024)
        print(f"[>] Received: {data.hex()}")
        # Send decoded payload
        conn.sendall(payload1)
        print(f"[<] Sent: {payload1.hex()}")
        # receive the client's alert
        data = conn.recv(1024)
        print(f"[>] Received: {data.hex()}")
```
Then start a TLS 1.3 WolfSSL client:
```sh
# Only offer GCM, but the server will respond with CCM
./examples/client/client -v4 -p 3000 -l 'TLS_AES_128_GCM_SHA256'
```
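As an added example (not part of the report and not wolfSSL code), the check described above worked on the ServerHello bytes from the report: parse the record, compare the selected suite with the offered list, and build the alert RFC 8446 requires; describe_alert decodes the bytes the Python server above prints as "[>] Received", so you can see whether the client answered with handshake_failure (40) or illegal_parameter (47). The offered-suite list is assumed from the -l option of the client command.

```python
import struct
from typing import Optional

# Alert descriptions from RFC 8446 section 6.2
ALERT_HANDSHAKE_FAILURE = 40
ALERT_ILLEGAL_PARAMETER = 47
ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter"}

# The ServerHello record from the report, assembled from its dissection: record
# header, handshake header, legacy version, 32 x 0x01 random, empty session id,
# TLS_AES_128_CCM_SHA256 (0x1304), null compression, 79 bytes of extensions.
SERVER_HELLO = bytes.fromhex(
    "160303007b" "02000077" "0303" + "01" * 32 + "00" "1304" "00" "004f"
    "0033004500170041" "040c901d423c831ca85e27c73c263ba132721bb9d7a84c4f"
    "0380b2a6756fd601331c8870234dec878504c174144fa4b14b66a651691606d8"
    "173e55bd37e381569e" "002b00020304")
# Assumed: the single suite the report's client offers (-l TLS_AES_128_GCM_SHA256)
OFFERED_SUITES = [0x1301]

def parse_server_hello(record: bytes) -> dict:
    """Parse one handshake record carrying a ServerHello (RFC 8446 4.1.3)."""
    ctype, _legacy_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22 or rec_len != len(record) - 5:
        raise ValueError("not a single complete handshake record")
    hs_type, hs_len = record[5], int.from_bytes(record[6:9], "big")
    if hs_type != 2 or hs_len != len(record) - 9:
        raise ValueError("not a ServerHello")
    msg = record[9:]
    sid_len = msg[34]                      # after 2-byte version + 32-byte random
    off = 35 + sid_len
    cipher_suite, compression, ext_len = struct.unpack("!HBH", msg[off:off + 5])
    if ext_len != len(msg) - off - 5:
        raise ValueError("bad extensions length")
    return {"cipher_suite": cipher_suite, "compression": compression,
            "session_id": msg[35:off], "extensions": msg[off + 5:]}

def required_alert(server_hello: dict, offered: list) -> Optional[int]:
    """RFC 8446 4.1.3: a selected suite the client never offered MUST be answered
    with illegal_parameter; None means the selection is acceptable."""
    if server_hello["cipher_suite"] not in offered:
        return ALERT_ILLEGAL_PARAMETER
    return None

def alert_record(description: int) -> bytes:
    """Build a fatal alert record: type 21, legacy version 0x0303, level fatal (2)."""
    return struct.pack("!BHHBB", 21, 0x0303, 2, 2, description)

def describe_alert(record: bytes) -> str:
    """Name the alert in the bytes the report's server prints as '[>] Received'."""
    ctype, _version, length, _level, desc = struct.unpack("!BHHBB", record[:7])
    if ctype != 21 or length != 2:
        raise ValueError("not an alert record")
    return ALERT_NAMES.get(desc, f"alert({desc})")
```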
Acknowledgements
This bug was found thanks to the tlspuffin fuzzer designed and developed by the tlspuffin team:
- Max Ammann
- Olivier Demengeon - Loria, Inria
- Tom Gouville - Loria, Inria
- Lucca Hirschi - Loria, Inria
- Steve Kremer - Loria, Inria
- Michael Mera - Loria, Inria