[Bug]: DTLS 1.2 client responds incorrectly to out-of-order ServerHelloDone #9188

@pfg666

Contact Details

My name is Paul Fiterau. GitHub is sufficient for contact. Otherwise my email is [email protected].

Version

5.8.2

Description

wolfSSL client responds to a ServerHelloDone by replaying the ClientHello message. This happens near the start, after the client sends a ClientHello and receives a bogus Finished message. Below is a Wireshark capture exposing the behavior. Note that messages other than ServerHelloDone seem to be processed fine.

Image

Background

We are security researchers at Uppsala University. As part of our research, we performed testing of wolfSSL using DTLS-Fuzzer and SMBugFinder. We used DTLS-Fuzzer to generate behavioral models for wolfSSL (in this case for a client using PSK), which we analyzed for bugs, uncovering this and other bugs (which we are in the process of reporting) but no vulnerabilities. Besides reporting, we also work to automate detection of these bugs using SMBugFinder (making SMBugFinder detect these bugs fully automatically).

Reproduction steps

Configuration of wolfSSL library:
AM_CFLAGS='-DHAVE_AES_CBC -DWOLFSSL_AES_128 -DWOLFSSL_DEBUG_TLS' ./configure --enable-dtls --enable-dtls13 --enable-keylog-export --enable-psk --enable-rsa --enable-sha --enable-debug C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK

The client was run via the following command:
examples/client/client -i -x -p ${some_port} -s -u -l PSK-AES128-CBC-SHA256

Attached is a ZIP file containing the capture. On request, we can provide further reproduction steps, but that will involve setting up our testing tools.

2509121506_wolfssl582_client_invalidshdresponse.pcapng.zip

Relevant log output

wolfSSL Entering wolfSSL_Init

wolfSSL Entering wolfCrypt_Init
wolfSSL Entering DTLSv1_2_client_method_ex
wolfSSL Entering wolfSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
heap param is null
DYNAMIC_TYPE_CERT_MANAGER Allocating = 240 bytes
wolfSSL Leaving wolfSSL_CTX_new_ex, return 0
wolfSSL Entering wolfSSL_CTX_set_cipher_list
wolfSSL Entering wolfSSL_CTX_set_psk_client_callback
wolfSSL Entering wolfSSL_CTX_set_psk_client_cs_callback
wolfSSL Entering wolfSSL_new
wolfSSL Entering ReinitSSL
RNG_HEALTH_TEST_CHECK_SIZE = 128
sizeof(seedB_data)         = 128
wolfSSL Entering SetSSL_CTX
wolfSSL Entering wolfSSL_NewSession
wolfSSL Entering wolfSSL_set_tls13_secret_cb
wolfSSL Entering wolfSSL_set_secret_cb
InitSSL done. return 0 (success)
wolfSSL_new InitSSL success
wolfSSL Leaving wolfSSL_new InitSSL =, return 0
wolfSSL Entering wolfSSL_set_fd
wolfSSL Entering wolfSSL_set_read_fd
wolfSSL Leaving wolfSSL_set_read_fd, return 1
wolfSSL Entering wolfSSL_set_write_fd
wolfSSL Leaving wolfSSL_set_write_fd, return 1
TLS 1.2 or lower
wolfSSL Entering wolfSSL_connect
wolfSSL Entering ReinitSSL
wolfSSL Entering RetrySendAlert
wolfSSL Entering SendClientHello
Adding signature algorithms extension
growing output buffer
Point Formats extension to write
Supported Groups extension to write
Encrypt-Then-Mac extension to write
EMS extension to write
wolfSSL Entering DtlsMsgPoolSave
wolfSSL Entering DtlsMsgNew
wolfSSL Leaving DtlsMsgPoolSave(), return 0
HashRaw:
Data:
	01 00 00 4a 00 00 00 00 00 00 00 4a fe fd 6a 61 |...J.......J..ja
	cb be ce a7 01 79 6a 7e 0e 0e 1a c5 c7 ac 49 68 |.....yj~......Ih
	b8 ac ad 08 2c 27 01 23 98 bd 3a a9 ef 6a 00 00 |....,'.#..:..j..
	00 02 00 ae 01 00 00 1e 00 0b 00 02 01 00 00 0a |................
	00 0c 00 0a 00 19 00 18 00 17 00 15 01 00 00 16 |................
	00 00 00 17 00 00                               |......
Hashes:
Sha256
	96 6c ff b5 f6 d1 7d 6b 9b 1d a5 4b e3 88 c0 70 |.l....}k...K...p
	88 47 8a a8 d8 07 d3 18 14 e7 cb cb 78 15 ec 09 |.G..........x...
Sha384
	42 87 4d 80 6b d8 f8 7d 12 f0 82 5b 12 39 22 da |B.M.k..}...[.9".
	06 05 97 27 68 fb 57 96 e7 83 31 d8 ec 6d 33 ed |...'h.W...1..m3.
	74 d2 be dd 44 e1 47 f7 b4 e5 7c 4f 8a e0 17 3b |t...D.G...|O...;
Sha512
	d0 d4 af ae d8 e0 7d 7f 88 a3 52 06 c0 f5 a0 cd |......}...R.....
	99 b4 7f 5f 17 6a 70 d6 80 67 34 c3 97 d3 4e 5e |..._.jp..g4...N^
	0c b3 2a 57 b7 6b 43 54 0e 08 1c b5 f4 e1 52 7d |..*W.kCT......R}
	27 6a 6d ea 7a f3 8e d7 11 fd ce 32 81 7f e6 40 |'jm.z......2...@
Data to send
	16 fe fd 00 00 00 00 00 00 00 00 00 56 01 00 00 |............V...
	4a 00 00 00 00 00 00 00 4a fe fd 6a 61 cb be ce |J.......J..ja...
	a7 01 79 6a 7e 0e 0e 1a c5 c7 ac 49 68 b8 ac ad |..yj~......Ih...
	08 2c 27 01 23 98 bd 3a a9 ef 6a 00 00 00 02 00 |.,'.#..:..j.....
	ae 01 00 00 1e 00 0b 00 02 01 00 00 0a 00 0c 00 |................
	0a 00 19 00 18 00 17 00 15 01 00 00 16 00 00 00 |................
	17 00 00                                        |...
wolfSSL Entering EmbedSendTo
Shrinking output buffer
wolfSSL Leaving SendClientHello, return 0
connect state: CLIENT_HELLO_SENT
Server state up to needed state.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
growing input buffer
wolfSSL Leaving wolfSSL_dtls_get_current_timeout, return 1
wolfSSL Entering EmbedReceiveFrom
wolfSSL Entering wolfSSL_dtls_get_using_nonblock
Data received
	16 fe fd 00 00 00 00 00 00 00 00 00 18 14 00 00 |................
	0c 00 00 00 00 00 00 00 0c 60 f3 66 e1 c8 f8 fd |.........`.f....
	4c 8b 3a f9 93                                  |L.:..
received record layer msg
got HANDSHAKE
wolfSSL Entering DoDtlsHandShakeMsg
wolfSSL Entering EarlySanityCheckMsgReceived
wolfSSL Leaving EarlySanityCheckMsgReceived, return 0
Already saw this message and processed it
wolfSSL Leaving DoDtlsHandShakeMsg(), return 0
Shrinking input buffer
ProcessReply done.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
growing input buffer
wolfSSL Leaving wolfSSL_dtls_get_current_timeout, return 1
wolfSSL Entering EmbedReceiveFrom
wolfSSL Entering wolfSSL_dtls_get_using_nonblock
Data received
	16 fe fd 00 00 00 00 00 00 00 01 00 0c 0e 00 00 |................
	00 00 01 00 00 00 00 00 00                      |.........
received record layer msg
got HANDSHAKE
wolfSSL Entering DoDtlsHandShakeMsg
wolfSSL Entering EarlySanityCheckMsgReceived
wolfSSL Leaving EarlySanityCheckMsgReceived, return 0
Current message is out of order
wolfSSL Entering DtlsMsgStore
wolfSSL Entering DtlsMsgNew
wolfSSL Entering DtlsMsgSet
wolfSSL Entering DtlsMsgPoolSend
growing output buffer
Data to send
	16 fe fd 00 00 00 00 00 00 00 01 00 56 01 00 00 |............V...
	4a 00 00 00 00 00 00 00 4a fe fd 6a 61 cb be ce |J.......J..ja...
	a7 01 79 6a 7e 0e 0e 1a c5 c7 ac 49 68 b8 ac ad |..yj~......Ih...
	08 2c 27 01 23 98 bd 3a a9 ef 6a 00 00 00 02 00 |.,'.#..:..j.....
	ae 01 00 00 1e 00 0b 00 02 01 00 00 0a 00 0c 00 |................
	0a 00 19 00 18 00 17 00 15 01 00 00 16 00 00 00 |................
	17 00 00                                        |...
wolfSSL Entering EmbedSendTo
Shrinking output buffer
wolfSSL Leaving DtlsMsgPoolSend(), return 0
wolfSSL Leaving DoDtlsHandShakeMsg(), return 0
Shrinking input buffer
ProcessReply done.
Progressing server state...
ProcessReply...
wolfSSL Entering RetrySendAlert
growing input buffer
wolfSSL Leaving wolfSSL_dtls_get_current_timeout, return 1
wolfSSL Entering EmbedReceiveFrom
wolfSSL Entering wolfSSL_dtls_get_using_nonblock
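
Added example, not part of the original report and not wolfSSL code: a small decoder for the DTLS 1.2 record and handshake headers (field layout per RFC 6347), run over the two received datagrams and the replayed ClientHello from the log above so the message types and sequence numbers in the hex dumps can be read directly. The function and variable names are illustrative.

```python
import struct

# Handshake message types from RFC 5246 / RFC 6347 (subset).
HS_TYPES = {1: "ClientHello", 2: "ServerHello", 3: "HelloVerifyRequest",
            12: "ServerKeyExchange", 14: "ServerHelloDone",
            16: "ClientKeyExchange", 20: "Finished"}

def parse_dtls_handshake(datagram: bytes) -> dict:
    """Decode the DTLS 1.2 record header (13 bytes) and handshake header (12 bytes)."""
    if len(datagram) < 25:
        raise ValueError("shorter than record + handshake headers")
    ctype, version, epoch = struct.unpack_from("!BHH", datagram, 0)
    if ctype != 22:
        raise ValueError("not a handshake record")
    if epoch != 0:
        raise ValueError("epoch > 0: handshake header is encrypted")
    rec_len = int.from_bytes(datagram[11:13], "big")
    length = int.from_bytes(datagram[14:17], "big")
    frag_off = int.from_bytes(datagram[19:22], "big")
    frag_len = int.from_bytes(datagram[22:25], "big")
    if frag_off + frag_len > length:
        raise ValueError("fragment exceeds message length")
    return {
        "version": hex(version),
        "record_seq": int.from_bytes(datagram[5:11], "big"),
        "msg": HS_TYPES.get(datagram[13], f"type {datagram[13]}"),
        "message_seq": int.from_bytes(datagram[17:19], "big"),
        "length": length,
        # False when only part of the record was supplied (see third entry).
        "whole_record": len(datagram) == 13 + rec_len,
    }

# Bytes copied from the "Data received" / "Data to send" dumps in the log above.
# The replayed ClientHello is cut to its two headers (25 of 99 bytes).
LOG_DATAGRAMS = [
    ("recv", "16 fe fd 00 00 00 00 00 00 00 00 00 18 14 00 00 0c 00 00 00"
             "00 00 00 00 0c 60 f3 66 e1 c8 f8 fd 4c 8b 3a f9 93"),
    ("recv", "16 fe fd 00 00 00 00 00 00 00 01 00 0c 0e 00 00 00 00 01 00"
             "00 00 00 00 00"),
    ("send", "16 fe fd 00 00 00 00 00 00 00 01 00 56 01 00 00 4a 00 00 00"
             "00 00 00 00 4a"),
]

def decode_log():
    """Return (direction, decoded header fields) for each datagram above."""
    return [(d, parse_dtls_handshake(bytes.fromhex(h))) for d, h in LOG_DATAGRAMS]

if __name__ == "__main__":
    for direction, fields in decode_log():
        print(direction, fields)
```
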
