Bug 1511460 - malformed ALPN extension is rejected with incorrect alert messages
Summary: malformed ALPN extension is rejected with incorrect alert messages
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss
Version: 7.5
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: rc
: ---
Assignee: nss-nspr-maint
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On: 1410874
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-11-09 12:14 UTC by Hubert Kario
Modified: 2019-02-11 15:39 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1410874
Environment:
Last Closed: 2019-02-11 15:39:55 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Mozilla Foundation 1330615 0 None None None 2019-02-12 15:27:29 UTC

Description Hubert Kario 2017-11-09 12:14:53 UTC
+++ This bug was initially created as a clone of Bug #1410874 +++

Description of problem:

The extension is defined as follows:

   The "extension_data" field of the
   ("application_layer_protocol_negotiation(16)") extension SHALL
   contain a "ProtocolNameList" value.

   opaque ProtocolName<1..2^8-1>;

   struct {
       ProtocolName protocol_name_list<2..2^16-1>
   } ProtocolNameList;

When the ProtocolName length is 0 or the protocol_name_list length is 0, NSS doesn't send the expected decode_error alert:

   decode_error
      A message could not be decoded because some field was out of the
      specified range or the length of the message was incorrect.  This
      message is always fatal and should never be observed in
      communication between proper implementations (except when messages
      were corrupted in the network).

Instead it sends illegal_parameter and no_application_protocol alerts.

Version-Release number of selected component (if applicable):
nss-3.27.1-12.el6.x86_64

How reproducible:
always

Steps to Reproduce:
git clone https://github.com/tomato42/tlsfuzzer.git
pushd tlsfuzzer
git checkout alpn-test # won't be necessary in future
git clone https://github.com/warner/python-ecdsa .python-ecdsa
ln -s .python-ecdsa/ecdsa ecdsa
git clone https://github.com/tomato42/tlslite-ng.git .tlslite-ng
ln -s .tlslite-ng/tlslite tlslite
popd
openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -nodes -batch -subj /CN=localhost
openssl pkcs12 -export -passout pass:  -out localhost.p12 -inkey localhost.key -in localhost.crt
mkdir nssdb
certutil -N -d sql:nssdb --empty-password
pk12util -i localhost.p12 -d sql:nssdb -W ''
./selfserv -d sql:./nssdb -p 4433 -V tls1.0: -H 1 -n localhost -Q
# in another terminal, same directory
PYTHONPATH=tlsfuzzer python tlsfuzzer/scripts/test-alpn-negotiation.py 'empty extension' 'empty list'

Actual results:
empty extension ...
Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x2dd9790> (child: <tlsfuzzer.expect.ExpectClose object at 0x2dd97d0>) with last message being: <tlslite.messages.Message object at 0x2dd9f90>
Error while processing
Traceback (most recent call last):
  File "test-alpn-negotiation.py", line 218, in main
    runner.run()
  File "/tmp/tmp.pejrU9l8lU/tlsfuzzer/tlsfuzzer/runner.py", line 168, in run
    node.process(self.state, msg)
  File "/tmp/tmp.pejrU9l8lU/tlsfuzzer/tlsfuzzer/expect.py", line 542, in process
    raise AssertionError(problem_desc)
AssertionError: Alert description 47 != 50

empty list ...
Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x2dd9650> (child: <tlsfuzzer.expect.ExpectClose object at 0x2dd9690>) with last message being: <tlslite.messages.Message object at 0x2ddaf10>
Error while processing
Traceback (most recent call last):
  File "test-alpn-negotiation.py", line 218, in main
    runner.run()
  File "/tmp/tmp.pejrU9l8lU/tlsfuzzer/tlsfuzzer/runner.py", line 168, in run
    node.process(self.state, msg)
  File "/tmp/tmp.pejrU9l8lU/tlsfuzzer/tlsfuzzer/expect.py", line 542, in process
    raise AssertionError(problem_desc)
AssertionError: Alert description 120 != 50

Expected results:
empty extension ...
OK

empty list ...
OK

Additional info:

--- Additional comment from Hubert Kario on 2017-01-06 11:39:36 EST ---

QE: those two cases are currently disabled, reenable once the issue is fixed

Comment 2 Simo Sorce 2019-02-11 15:39:55 UTC
This issue was not selected to be included either in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small amount of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.


Note You need to log in before you can comment on or make changes to this bug.