From a58b04649be2afda5db5739c983367609edfe6bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Fri, 13 Mar 2020 11:11:02 +0100
Subject: [PATCH 1/5] Add negative test for hard reconnect cookie check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The server must check client reachability (we chose to do that by checking a cookie) before destroying the existing association (RFC 6347 section 4.2.8). Let's make sure we do, by having a proxy-in-the-middle inject a ClientHello - the server should notice, but not destroy the connection.
Signed-off-by: Manuel Pégourié-Gonnard
---
 programs/test/udp_proxy.c | 57 +++++++++++++++++++++++++++++++++++++--
 tests/ssl-opt.sh | 8 ++++++
 2 files changed, 63 insertions(+), 2 deletions(-)
diff --git a/programs/test/udp_proxy.c b/programs/test/udp_proxy.c
index 02428b9dd..e209d17b3 100644
--- a/programs/test/udp_proxy.c
+++ b/programs/test/udp_proxy.c
@@ -107,7 +107,8 @@ int main( void )
 " drop packets larger than N bytes\n" \
 " bad_ad=0/1 default: 0 (don't add bad ApplicationData)\n" \
 " protect_hvr=0/1 default: 0 (don't protect HelloVerifyRequest)\n" \
- " protect_len=%%d default: (don't protect packets of this size)\n" \
+ " protect_len=%%d default: (don't protect packets of this size)\n" \
+ " inject_clihlo=0/1 default: 0 (don't inject fake ClientHello)\n" \
 "\n" \
 " seed=%%d default: (use current time)\n" \
 "\n"
@@ -130,7 +131,7 @@ static struct options
 int bad_ad; /* inject corrupted ApplicationData record */
 int protect_hvr; /* never drop or delay HelloVerifyRequest */
 int protect_len; /* never drop/delay packet of the given size*/
-
+ int inject_clihlo; /* inject fake ClientHello after handshake */
 unsigned int seed; /* seed for "random" events */
 } opt;
@@ -219,6 +220,12 @@ static void get_options( int argc, char *argv[] )
 if( opt.protect_len < 0 )
 exit_usage( p, q );
 }
+ else if( strcmp( p, "inject_clihlo" ) == 0 )
+ {
+ opt.inject_clihlo = atoi( q );
+ if( opt.inject_clihlo < 0 || opt.inject_clihlo > 1 )
+ exit_usage( p, q );
+ }
 else if( strcmp( p, "seed" ) == 0 )
 {
 opt.seed = atoi( q );
@@ -311,11 +318,40 @@ void print_packet( const packet *p, const char *why )
 fflush( stdout );
 }
+/*
+ * In order to test the server's behaviour when receiving a ClientHello after
+ * the connection is established (this could be a hard reset from the client,
+ * but the server must not drop the existing connection before establishing
+ * client reachability, see RFC 6347 Section 4.2.8), we memorize the first
+ * ClientHello we see (which can't have a cookie), then replay it after the
+ * first ApplicationData record - then we're done.
+ *
+ * This is controlled by the inject_clihlo option.
+ *
+ * We want an explicit state and a place to store the packet.
+ */
+static enum {
+ ich_init, /* haven't seen the first ClientHello yet */
+ ich_cached, /* cached the initial ClientHello */
+ ich_injected, /* ClientHello already injected, done */
+} inject_clihlo_state;
+
+static packet initial_clihlo;
+
 int send_packet( const packet *p, const char *why )
 {
 int ret;
 mbedtls_net_context *dst = p->dst;
+ /* save initial ClientHello? */
+ if( opt.inject_clihlo != 0 &&
+ inject_clihlo_state == ich_init &&
+ strcmp( p->type, "ClientHello" ) == 0 )
+ {
+ memcpy( &initial_clihlo, p, sizeof( packet ) );
+ inject_clihlo_state = ich_cached;
+ }
+
 /* insert corrupted ApplicationData record? */
 if( opt.bad_ad &&
 strcmp( p->type, "ApplicationData" ) == 0 )
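Review bot: The `memcpy( &initial_clihlo, p, sizeof( packet ) )` in the "save initial ClientHello" block of send_packet is a shallow copy, so the cached packet keeps the original's `dst` pointer and depends on that context staying valid until the replay, which the comment block above the state enum does not mention. I would add `/* shallow copy: the cached dst must stay valid until the replay */` above it, and write the copy as `initial_clihlo = *p;` so the compiler checks the types instead of trusting `sizeof( packet )`. send_packet continues past the end of this hunk.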
@@ -353,6 +389,23 @@ int send_packet( const packet *p, const char *why )
 }
 }
+ /* Inject ClientHello after first ApplicationData */
+ if( opt.inject_clihlo != 0 &&
+ inject_clihlo_state == ich_cached &&
+ strcmp( p->type, "ApplicationData" ) == 0 )
+ {
+ print_packet( &initial_clihlo, "injected" );
+
+ if( ( ret = mbedtls_net_send( dst, initial_clihlo.buf,
+ initial_clihlo.len ) ) <= 0 )
+ {
+ mbedtls_printf( " ! mbedtls_net_send returned %d\n", ret );
+ return( ret );
+ }
+
+ inject_clihlo_state = ich_injected;
+ }
+
 return( 0 );
 }
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 1434156ec..6ec0e139c 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -5011,6 +5011,14 @@ run_test "DTLS client reconnect from same port: no cookies" \
 -s "The operation timed out" \
 -S "Client initiated reconnection from same port"
+run_test "DTLS client reconnect from same port: attacker-injected" \
+ -p "$P_PXY inject_clihlo=1" \
+ "$P_SRV dtls=1 exchanges=2 debug_level=1" \
+ "$P_CLI dtls=1 exchanges=2" \
+ 0 \
+ -s "possible client reconnect from the same port" \
+ -S "Client initiated reconnection from same port"
+
 # Tests for various cases of client authentication with DTLS
 # (focused on handshake flows and message parsing)
From b1ee30bfe918c617d05632b26c8c03a3a5eca736 Mon Sep 17 00:00:00 2001
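Review bot: The replayed ClientHello in the "Inject ClientHello after first ApplicationData" block is sent to `dst`, which is `p->dst` of the ApplicationData record that triggered the injection, not the destination of the cached ClientHello. If the first ApplicationData record the proxy forwards travels from server to client, the replay would go to the client and the server's cookie check would not be exercised, so the test would fail for the wrong reason or pass without testing anything. Sending to the destination stored with the cached packet pins the direction: `if( ( ret = mbedtls_net_send( initial_clihlo.dst, initial_clihlo.buf,` with the `initial_clihlo.len ) ) <= 0 )` line unchanged. The declaration of `dst` and the start of send_packet lie outside this hunk.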
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Mon, 9 Sep 2019 11:14:37 +0200
Subject: [PATCH 2/5] Adjust timeout of tests with "no resend" assertions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There are currently 4 tests in ssl-opt.sh with either -C "resend" or -S "resend", that is, asserting that no retransmission will occur. They sometimes fail on loaded CI machines as one side doesn't send a message fast enough, causing the other side to retransmit, causing the test to fail. (For the "reconnect" test there was an other issue causing random failures, fixed in a previous commit, but even after that fix the test would still sometimes randomly fail, even if much more rarely.) While it's a hard problem to fix in a general and perfect way, in practice the probability of failures can be drastically reduced by making the timeout values much larger. For some tests, where retransmissions are actually expected, this would have the negative effect of increasing the average running time of the test, as each side would wait for longer before it starts retransmission, so we have a trade-off between average running time and probability of spurious failures. But for tests where retransmission is not expected, there is no such trade-off as the expected running time of the test (assuming the code is correct most of the time) is not impacted by the timeout value. So the only negative effect of increasing the timeout value is on the worst-case running time on the test, which is much less important, as test should only fail quite rarely. This commit addresses the easy case of tests that don't expect retransmission by increasing the value of their timeout range to 10s-20s. This value corresponds to the value used for tests that assert `-S "autoreduction"` which are in the same case and where the current value seems acceptable so far.
It also represents an increase, compared to the values before this commit, of a factor 20 for the "reconnect" tests which were frequently observed to fail in the CI, and of a factor 10 for the first two "DTLS proxy" tests, which were observed to fail much less frequently, so hopefully the new values are enough to reduce the probability of spurious failures to an acceptable level.
Signed-off-by: Manuel Pégourié-Gonnard
---
 tests/ssl-opt.sh | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 6ec0e139c..f304fdc52 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -4972,8 +4972,8 @@ run_test "DTLS cookie: enabled, nbio" \
 not_with_valgrind # spurious resend
 run_test "DTLS client reconnect from same port: reference" \
- "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
- "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
+ "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=10000-20000" \
+ "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=10000-20000" \
 0 \
 -C "resend" \
 -S "The operation timed out" \
@@ -4981,8 +4981,8 @@ run_test "DTLS client reconnect from same port: reference" \
 not_with_valgrind # spurious resend
 run_test "DTLS client reconnect from same port: reconnect" \
- "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
- "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
+ "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=10000-20000" \
+ "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=10000-20000 reconnect_hard=1" \
 0 \
 -C "resend" \
 -S "The operation timed out" \
@@ -5143,8 +5143,8 @@ run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
 not_with_valgrind # spurious resend due to timeout
 run_test "DTLS proxy: reference" \
 -p "$P_PXY" \
- "$P_SRV dtls=1 debug_level=2" \
- "$P_CLI dtls=1 debug_level=2" \
+ "$P_SRV dtls=1 debug_level=2 hs_timeout=10000-20000" \
+ "$P_CLI dtls=1 debug_level=2 hs_timeout=10000-20000" \
 0 \
 -C "replayed record" \
 -S "replayed record" \
@@ -5159,8 +5159,8 @@ run_test "DTLS proxy: reference" \
 not_with_valgrind # spurious resend due to timeout
 run_test "DTLS proxy: duplicate every packet" \
 -p "$P_PXY duplicate=1" \
- "$P_SRV dtls=1 debug_level=2" \
- "$P_CLI dtls=1 debug_level=2" \
+ "$P_SRV dtls=1 debug_level=2 hs_timeout=10000-20000" \
+ "$P_CLI dtls=1 debug_level=2 hs_timeout=10000-20000" \
 0 \
 -c "replayed record" \
 -s "replayed record" \
From 7ef7bf39c4ca7832c37933eb8777576128d11494 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Mon, 30 Mar 2020 12:46:21 +0200
Subject: [PATCH 3/5] Fix some style issues in udp_proxy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Manuel Pégourié-Gonnard
---
 programs/test/udp_proxy.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/programs/test/udp_proxy.c b/programs/test/udp_proxy.c
index e209d17b3..5b5809d79 100644
--- a/programs/test/udp_proxy.c
+++ b/programs/test/udp_proxy.c
@@ -330,12 +330,13 @@ void print_packet( const packet *p, const char *why )
 *
 * We want an explicit state and a place to store the packet.
 */
-static enum {
- ich_init, /* haven't seen the first ClientHello yet */
- ich_cached, /* cached the initial ClientHello */
- ich_injected, /* ClientHello already injected, done */
-} inject_clihlo_state;
+typedef enum {
+ ICH_INIT, /* haven't seen the first ClientHello yet */
+ ICH_CACHED, /* cached the initial ClientHello */
+ ICH_INJECTED, /* ClientHello already injected, done */
+} inject_clihlo_state_t;
+static inject_clihlo_state_t inject_clihlo_state;
 static packet initial_clihlo;
 int send_packet( const packet *p, const char *why )
@@ -345,11 +346,11 @@ int send_packet( const packet *p, const char *why )
 /* save initial ClientHello? */
 if( opt.inject_clihlo != 0 &&
- inject_clihlo_state == ich_init &&
+ inject_clihlo_state == ICH_INIT &&
 strcmp( p->type, "ClientHello" ) == 0 )
 {
 memcpy( &initial_clihlo, p, sizeof( packet ) );
- inject_clihlo_state = ich_cached;
+ inject_clihlo_state = ICH_CACHED;
 }
 /* insert corrupted ApplicationData record? */
@@ -391,7 +392,7 @@ int send_packet( const packet *p, const char *why )
 /* Inject ClientHello after first ApplicationData */
 if( opt.inject_clihlo != 0 &&
- inject_clihlo_state == ich_cached &&
+ inject_clihlo_state == ICH_CACHED &&
 strcmp( p->type, "ApplicationData" ) == 0 )
 {
 print_packet( &initial_clihlo, "injected" );
@@ -403,7 +404,7 @@ int send_packet( const packet *p, const char *why )
 return( ret );
 }
- inject_clihlo_state = ich_injected;
+ inject_clihlo_state = ICH_INJECTED;
 }
 return( 0 );
From 4bbbdc36bce72cbeb27e71c9fff2ceb1d5f31740 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Tue, 31 Mar 2020 12:31:24 +0200
Subject: [PATCH 4/5] Improve debug logging of client hard reconnect
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The current logging was sub-standard, in particular there was no trace whatsoever of the HelloVerifyRequest being sent. Now it's being logged with the usual levels: 4 for full content, 2 return of f_send, 1 decision about sending it (or taking other branches in the same function) because that's the same level as state changes in the handshake, and also same as the "possible client reconnect" message" to which it's the logical continuation (what are we doing about it?).
Signed-off-by: Manuel Pégourié-Gonnard
---
 library/ssl_tls.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 1188e5399..b82e24f0e 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3610,17 +3610,23 @@ static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
 if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
 {
+ int send_ret;
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "sending HelloVerifyRequest" ) );
+ MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
+ ssl->out_buf, len );
 /* Don't check write errors as we can't do anything here.
 * If the error is permanent we'll catch it later,
 * if it's not, then hopefully it'll work next time. */
- (void) ssl->f_send( ssl->p_bio, ssl->out_buf, len );
+ send_ret = ssl->f_send( ssl->p_bio, ssl->out_buf, len );
+ MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", send_ret );
+ (void) send_ret;
 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
 }
 if( ret == 0 )
 {
- /* Got a valid cookie, partially reset context */
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "cookie is valid, resetting context" ) );
 if( ( ret = ssl_session_reset_int( ssl, 1 ) ) != 0 )
 {
 MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret );
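Review bot: `send_ret` is assigned, handed to `MBEDTLS_SSL_DEBUG_RET` and then discarded with `(void) send_ret;`, and nothing in the block says why the cast is there; presumably it silences a set-but-unused warning when the debug macros expand to nothing. A short comment would keep a later cleanup from deleting it, for example `/* only used for debug output; avoids a warning when debugging is compiled out */`. In the `ret == 0` branch the deleted comment was the only place stating that the reset is partial, so the `1` passed to `ssl_session_reset_int` deserves a note such as `/* 1 = partial reset */`. ssl_handle_possible_reconnect starts before this hunk and continues after it.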
From 6062b49d29f58a01dbcefc99785f5aa7de74d7f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Tue, 31 Mar 2020 12:49:27 +0200
Subject: [PATCH 5/5] Fix bug in handling of DTLS client hard reconnect
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We keep track of the current epoch and record sequence number in out_ctr, which was overwritten when writing the record containing the HelloVerifyRequest starting from out_buf. We can avoid that by only using the rest of the buffer. Using MBEDTLS_SSL_MAX_CONTENT_LEN as the buffer size is still correct, as it was a pretty conservative value when starting from out_buf. Note: this bug was also fixed unknowingly in 2.13 by introducing a new buffer that holds the current value of the sequence number (including epoch), while working on datagram packing: 198594709baa82d55bba4e5ee442ffb5ffe886b4
Signed-off-by: Manuel Pégourié-Gonnard
---
 ChangeLog | 9 +++++++++
 library/ssl_tls.c | 9 ++++++---
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index b4d2d4481..9e0abd76f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,15 @@ mbed TLS ChangeLog (Sorted per branch, date)
 = mbed TLS x.x.x branch released xxxx-xx-xx
+Security
+ * Fix bug in DTLS handling of new associations with the same parameters
+ (RFC 6347 section 4.2.8): after sending its HelloVerifyRequest, the
+ server would end up with corrupted state and only send invalid records to
+ the client. An attacker able to send forged UDP packets to the server
+ could use that to obtain a Denial of Service. This could only happen when
+ MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE was enabled in config.h (which it is
+ by default).
+
 Bugfix
 * Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and
 MBEDTLS_SSL_HW_RECORD_ACCEL are enabled.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index b82e24f0e..5f6ae6200 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3598,13 +3598,16 @@ static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
 int ret;
 size_t len;
+ /* Use out_msg as temporary buffer for writing out HelloVerifyRequest,
+ * because the output buffer's already around. Don't use out_buf though,
+ * as we don't want to overwrite out_ctr. */
 ret = ssl_check_dtls_clihlo_cookie(
 ssl->conf->f_cookie_write,
 ssl->conf->f_cookie_check,
 ssl->conf->p_cookie,
 ssl->cli_id, ssl->cli_id_len,
 ssl->in_buf, ssl->in_left,
- ssl->out_buf, MBEDTLS_SSL_MAX_CONTENT_LEN, &len );
+ ssl->out_msg, MBEDTLS_SSL_MAX_CONTENT_LEN, &len );
 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
@@ -3613,11 +3616,11 @@ static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
 int send_ret;
 MBEDTLS_SSL_DEBUG_MSG( 1, ( "sending HelloVerifyRequest" ) );
 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
- ssl->out_buf, len );
+ ssl->out_msg, len );
 /* Don't check write errors as we can't do anything here.
 * If the error is permanent we'll catch it later,
 * if it's not, then hopefully it'll work next time. */
- send_ret = ssl->f_send( ssl->p_bio, ssl->out_buf, len );
+ send_ret = ssl->f_send( ssl->p_bio, ssl->out_msg, len );
 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", send_ret );
 (void) send_ret;
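Review bot: The write in the first hunk now starts at `ssl->out_msg` while the size passed to `ssl_check_dtls_clihlo_cookie` is still `MBEDTLS_SSL_MAX_CONTENT_LEN`, and the new comment covers only the choice of pointer, not the length. That size argument is the only bound on how far the HelloVerifyRequest may be written, so the in-code comment should state the invariant it relies on, for example a closing line `* out_msg still has at least MBEDTLS_SSL_MAX_CONTENT_LEN bytes of room in the output buffer. */`. The buffer allocation is not visible in this hunk, so that wording has to be checked against it before it goes in. ssl_handle_possible_reconnect begins before the hunk and continues after it.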