Fixed wrong key usage for finish message when using early data #171

Closed


Leonie-Theobald
Contributor

When I used TLS-Attacker in client mode for testing early data, I found that the server side couldn't decrypt the Finished Message in the second handshake.

How to reproduce

  1. Start server: openssl s_server -cert ./server_cert.pem -key ./server_key.pem -tls1_3 -early_data -no_anti_replay -trace
    • hint: -anti_replay is only active because the client won't close the connection with close_notify and I want to prevent s_server from throwing away the session information
  2. Start TLS-Attacker client: java -jar ./apps/TLS-Client.jar -connect localhost:4433 -config ./tls13_0rtt_short.txt
    tls13_0rtt_short.txt

Error on server side:

ERROR
80609AF601000000:error:0A000119:SSL routines:tls_get_more_records:decryption failed or bad record mac:ssl/record/methods/tls_common.c:859:
80609AF601000000:error:0A000139:SSL routines::record layer failure:ssl/record/rec_layer_s3.c:650:
shutting down SSL
CONNECTION CLOSED

After some digging I think I found the root cause. The Finished message is encrypted with the same key as the EndOfEarlyData message. To see this, you can put

System.out.println(
    "Key used for encryption: "
    + Arrays.toString(
        getState().getKeySet().getWriteKey(getConnectionEndType())
));

at the beginning of public void encrypt(Record record) throws CryptoException { } in "TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/record/cipher/RecordAEADCipher.java".
But the EndOfEarlyData message needs to be encrypted under client_early_traffic_secret and the Finished message with client_handshake_traffic_secret (compare RFC 8446, chapters 4.5 and 7.3).


I implemented a rough workaround to fix the client behavior in the second handshake flow. Roughly speaking, at the point where the client receives the server's Finish message, we precalculate the handshake_traffic_secret and store it in TlsContext (see FinishHandler.java) even though the next secret to be used is early_traffic_secret for sending the EndOfEarlyData message.
When this message is sent out, we set the active key set to the stored handshake_traffic_secret so that the following Finish message sent by the client to the server is correctly encrypted (see EndOfEarlyDataHandler.java).


Disclaimer: This is working when using TLS-Attacker in client mode but not yet for the server mode. I will update this draft PR accordingly.
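
The key separation this pull request restores, as an added example that is not part of the original post or of TLS-Attacker's code: the RFC 8446 key schedule up to the two client secrets named above, showing that EndOfEarlyData and Finished get different write keys. The function names, the `EPOCH` table and the sample inputs are constructed for illustration; a SHA-256 cipher suite with 16-byte AES-128 keys is assumed.

```python
import hashlib
import hmac

HASH = hashlib.sha256          # assumption: SHA-256 suite such as TLS_AES_128_GCM_SHA256
HLEN = HASH().digest_size

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    # HkdfLabel = uint16 length || opaque label<7..255> || opaque context<0..255>
    full = b"tls13 " + label.encode()
    info = length.to_bytes(2, "big") + bytes([len(full)]) + full + bytes([len(context)]) + context
    out, block, counter = b"", b"", 1
    while len(out) < length:   # HKDF-Expand: T(n) = HMAC(secret, T(n-1) || info || n)
        block = hmac.new(secret, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def derive_secret(secret: bytes, label: str, transcript: bytes) -> bytes:
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HLEN)

def client_write_keys(psk: bytes, ecdhe: bytes, ch: bytes, ch_to_sh: bytes) -> dict:
    """Client AEAD write key per epoch (hypothetical helper, not TLS-Attacker API)."""
    early_secret = hkdf_extract(bytes(HLEN), psk)
    early_traffic = derive_secret(early_secret, "c e traffic", ch)
    handshake_secret = hkdf_extract(derive_secret(early_secret, "derived", b""), ecdhe)
    hs_traffic = derive_secret(handshake_secret, "c hs traffic", ch_to_sh)
    return {
        "early": hkdf_expand_label(early_traffic, "key", b"", 16),
        "handshake": hkdf_expand_label(hs_traffic, "key", b"", 16),
    }

# Epoch protecting each message of the client's 0-RTT flight (RFC 8446, 4.5 and 7.3)
EPOCH = {"early_application_data": "early", "EndOfEarlyData": "early", "Finished": "handshake"}

def key_for(message: str, keys: dict) -> bytes:
    return keys[EPOCH[message]]

# Constructed sample inputs, not taken from a real handshake
KEYS = client_write_keys(b"\x11" * 32, b"\x22" * 32, b"ClientHello", b"ClientHello|ServerHello")
```

A client that keeps the `"early"` key active for Finished produces a record the server cannot authenticate under its `"handshake"` read key, which matches the bad record mac failure in the s_server output above.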

@Leonie-Theobald
Contributor Author

PR is available on TLS-Attacker Development: https://github.com/tls-attacker/TLS-Attacker-Development/pull/1142

@Leonie-Theobald Leonie-Theobald deleted the early_data_fix branch August 1, 2024 16:02