Version
5.8.4
Description
A WolfSSL TLS 1.3 client that receives a ServerHello carrying a pre_shared_key extension, when it did not offer a pre_shared_key extension in its ClientHello, returns an illegal_parameter alert.
RFC 8446, section 4.2, says: "Implementations MUST NOT send extension responses if the remote endpoint did not send the corresponding extension requests, with the exception of the "cookie" extension in the HelloRetryRequest. Upon receiving such an extension, an endpoint MUST abort the handshake with an "unsupported_extension" alert." WolfSSL should therefore send an unsupported_extension alert, not an illegal_parameter alert, when it receives the unsolicited pre_shared_key extension.
Impact
RFC 8446 violation: the handshake is aborted, but with the wrong alert description (illegal_parameter, 47, instead of unsupported_extension, 110).
Expected behavior
The WolfSSL client should send an unsupported_extension alert and abort the handshake.
Reproduction steps
Here is an example of a TLS 1.3 handshake that triggers the described behavior:
- Wait for the client's ClientHello.
- Send a ServerHello with a pre_shared_key extension (selected_identity 5), even though the client offered no PSK. Wireshark dissection of the record:

```text
TLSv1.3 Record Layer: Handshake Protocol: Server Hello
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 129
    Handshake Protocol: Server Hello
        Handshake Type: Server Hello (2)
        Length: 125
        Version: TLS 1.2 (0x0303)
        Random: 0101010101010101010101010101010101010101010101010101010101010101
        Session ID Length: 0
        Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
        Compression Method: null (0)
        Extensions Length: 85
        Extension: pre_shared_key (len=2)
            Type: pre_shared_key (41)
            Length: 2
            Pre-Shared Key extension
                Selected Identity: 5
        Extension: key_share (len=69) secp256r1
            Type: key_share (51)
            Length: 69
            Key Share extension
                Key Share Entry: Group: secp256r1, Key Exchange length: 65
                    Group: secp256r1 (23)
                    Key Exchange Length: 65
                    Key Exchange: 040c901d423c831ca85e27c73c263ba132721bb9d7a84c4f0380b2a6756fd601331c8870234dec878504c174144fa4b14b66a651691606d8173e55bd37e381569e
        Extension: supported_versions (len=2) TLS 1.3
            Type: supported_versions (43)
            Length: 2
            Supported Version: TLS 1.3 (0x0304)
```

The same record in raw hex:

```text
16030300810200007d030301010101010101010101010101010101010101010101010101010101010101010013010000550029000200050033004500170041040c901d423c831ca85e27c73c263ba132721bb9d7a84c4f0380b2a6756fd601331c8870234dec878504c174144fa4b14b66a651691606d8173e55bd37e381569e002b00020304
```

- Observe the client sending an illegal_parameter alert.
Start the following Python TCP server:

```python
import socket

HOST = "0.0.0.0"
PORT = 3000

# ServerHello record from the dissection above (pre_shared_key, key_share, supported_versions)
payload1 = bytes.fromhex(
    "16030300810200007d030301010101010101010101010101010101010101010101010101010101010101010013010000550029000200050033004500170041040c901d423c831ca85e27c73c263ba132721bb9d7a84c4f0380b2a6756fd601331c8870234dec878504c174144fa4b14b66a651691606d8173e55bd37e381569e002b00020304"
)

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as server_socket:
    server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server_socket.bind((HOST, PORT))
    server_socket.listen(1)
    print(f"[*] Listening on {HOST}:{PORT} ...")
    # Accept client connection
    conn, addr = server_socket.accept()
    with conn:
        print(f"[+] Connection from {addr}")
        # Read the ClientHello; it is not parsed, the canned ServerHello is sent regardless
        data = conn.recv(1024)
        print(f"[>] Received: {data.hex()}")
        # Send decoded payload
        conn.sendall(payload1)
        print(f"[<] Sent: {payload1.hex()}")
        # The client answers with a plaintext alert record:
        # content type 21, version (2 bytes), length 2, then level and description
        data = conn.recv(1024)
        print(f"[>] Received: {data.hex()}")
        if len(data) >= 7 and data[0] == 21:
            # description 47 = illegal_parameter, 110 = unsupported_extension
            print(f"[!] Alert level={data[5]} description={data[6]}")
        data = conn.recv(1024)
        print(f"[>] Received: {data.hex()}")
```

Then start a TLS 1.3 WolfSSL client:

```text
./examples/client/client -v4 -p 3000 -l 'TLS_AES_128_GCM_SHA256'
```

You should see the WolfSSL client sending an illegal_parameter alert (description 47) instead of the unsupported_extension alert (description 110) that RFC 8446 requires.
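The check the client is expected to perform, as an added example that is not wolfSSL or tlspuffin code: it rebuilds the ServerHello quoted above from its fields, parses it back, and decides which alert RFC 8446 requires. An extension type the client never offered maps to unsupported_extension (section 4.2); a pre_shared_key that was offered but whose selected_identity is out of range maps to illegal_parameter (section 4.2.11), which is the distinction the report is about. The ClientHello extension sets, the identity counts and the alert records fed to it are constructed for the example; the ServerHello bytes are the ones from the report.

```python
"""RFC 8446 section 4.2 / 4.2.11 alert selection for a TLS 1.3 ServerHello.

Added example for this report, not wolfSSL or tlspuffin code.  The ServerHello
fields come from the record in the report; ClientHello extension sets and the
alert records used below are constructed.
"""
import struct

CONTENT_HANDSHAKE, CONTENT_ALERT = 22, 21
HS_SERVER_HELLO = 2
EXT_PRE_SHARED_KEY, EXT_SUPPORTED_VERSIONS, EXT_COOKIE, EXT_KEY_SHARE = 41, 43, 44, 51
ALERT_ILLEGAL_PARAMETER = 47        # 4.2.11: selected_identity out of range
ALERT_DECODE_ERROR = 50             # malformed extension body
ALERT_UNSUPPORTED_EXTENSION = 110   # 4.2: response to an extension never offered
# Fixed Random value that marks a HelloRetryRequest (RFC 8446 section 4.1.3)
HRR_RANDOM = bytes.fromhex("cf21ad74e59a6111be1d8c021e65b891c2a211167abb8c5e079e09e2c8a8339c")

# secp256r1 key_share entry from the reported ServerHello
KEY_SHARE_P256 = bytes.fromhex(
    "040c901d423c831ca85e27c73c263ba132721bb9d7a84c4f0380b2a6756fd60133"
    "1c8870234dec878504c174144fa4b14b66a651691606d8173e55bd37e381569e")


def build_server_hello(extensions, random=b"\x01" * 32, cipher=0x1301):
    """Encode a TLS 1.3 ServerHello record from (type, data) extension pairs."""
    ext_bytes = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + random + b"\x00" + struct.pack(">H", cipher) + b"\x00"
            + struct.pack(">H", len(ext_bytes)) + ext_bytes)
    handshake = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + b"\x03\x03" + struct.pack(">H", len(handshake)) + handshake


def parse_server_hello(record):
    """Decode a ServerHello record; raises ValueError on length inconsistencies."""
    ctype, _ver, rlen = struct.unpack(">BHH", record[:5])
    if ctype != CONTENT_HANDSHAKE or rlen != len(record) - 5:
        raise ValueError("not a complete handshake record")
    hs = record[5:]
    if hs[0] != HS_SERVER_HELLO or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("not a ServerHello")
    body = hs[4:]
    random = body[2:34]                      # legacy_version (2) then Random (32)
    pos = 35 + body[34]                      # skip legacy_session_id_echo
    cipher, = struct.unpack(">H", body[pos:pos + 2])
    pos += 3                                 # cipher suite + legacy_compression_method
    ext_len, = struct.unpack(">H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("extension block length mismatch")
    exts = []
    while pos + 4 <= end:
        t, l = struct.unpack(">HH", body[pos:pos + 4])
        exts.append((t, body[pos + 4:pos + 4 + l]))
        pos += 4 + l
    if pos != end:
        raise ValueError("truncated extension")
    return {"random": random, "cipher": cipher, "extensions": exts}


def expected_alert(record, offered_ext_types, offered_psk_identities=0):
    """Return (alert_description, extension_type) the client must send, or None
    if every ServerHello extension is a valid response to the ClientHello."""
    sh = parse_server_hello(record)
    is_hrr = sh["random"] == HRR_RANDOM
    for ext_type, data in sh["extensions"]:
        if ext_type == EXT_COOKIE and is_hrr:   # the one unsolicited extension allowed
            continue
        if ext_type not in offered_ext_types:
            return ALERT_UNSUPPORTED_EXTENSION, ext_type
        if ext_type == EXT_PRE_SHARED_KEY:
            if len(data) != 2:
                return ALERT_DECODE_ERROR, ext_type
            selected, = struct.unpack(">H", data)
            if selected >= offered_psk_identities:
                return ALERT_ILLEGAL_PARAMETER, ext_type
    return None


def decode_alert(record):
    """Return (level, description) from a plaintext alert record such as the
    one the WolfSSL client sends back in the reproduction."""
    ctype, _ver, rlen, level, desc = struct.unpack(">BHHBB", record[:7])
    if ctype != CONTENT_ALERT or rlen != 2:
        raise ValueError("not a plaintext alert record")
    return level, desc


# The ServerHello from the report, rebuilt from its fields
REPORTED_SERVER_HELLO = build_server_hello([
    (EXT_PRE_SHARED_KEY, struct.pack(">H", 5)),                             # selected_identity 5
    (EXT_KEY_SHARE, struct.pack(">HH", 23, len(KEY_SHARE_P256)) + KEY_SHARE_P256),
    (EXT_SUPPORTED_VERSIONS, b"\x03\x04"),
])

if __name__ == "__main__":
    # Constructed: a client that offered key_share and supported_versions but no PSK
    no_psk_client = {EXT_SUPPORTED_VERSIONS, EXT_KEY_SHARE, 10, 13, 0}
    print(expected_alert(REPORTED_SERVER_HELLO, no_psk_client))      # (110, 41)
    # Constructed: same server message after a client that offered three PSK identities
    psk_client = no_psk_client | {EXT_PRE_SHARED_KEY, 45}
    print(expected_alert(REPORTED_SERVER_HELLO, psk_client, 3))      # (47, 41)
    print(decode_alert(bytes.fromhex("1503030002022f")))             # constructed: (2, 47)
```

Running the server script above and feeding the captured alert record to decode_alert gives a quick way to confirm which description the client actually sent, and expected_alert gives the value it should have sent for the ClientHello it offered.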
Acknowledgements
This bug was found thanks to the tlspuffin fuzzer designed and developed by the tlspuffin team:
- Max Ammann
- Olivier Demengeon - Loria, Inria
- Tom Gouville - Loria, Inria
- Lucca Hirschi - Loria, Inria
- Steve Kremer - Loria, Inria
- Michael Mera - Loria, Inria