crypto/tls: server should send an illegal_parameter alert when it receives an invalid ECHClientHello.type #71061

Open
thekuwayama opened this issue Dec 29, 2024 · 2 comments · May be fixed by #71062
Labels
FixPending Issues that have a fix which has not yet been reviewed or submitted. NeedsFix The path to resolution is known, but the work has not been done.


thekuwayama commented Dec 29, 2024

Go version

go version 1.24rc1

Output of go env in your module/workspace:

AR='ar'
CC='clang'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='clang++'
GCCGO='gccgo'
GO111MODULE=''
GOARCH='arm64'
GOARM64='v8.0'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/Users/tkuwayama/Library/Caches/go-build'
GODEBUG=''
GOENV='/Users/tkuwayama/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/3h/8hlzn7655lggm28v_4c6hnp80000gn/T/go-build1579618073=/tmp/go-build -gno-record-gcc-switches -fno-common'
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMOD='/Users/tkuwayama/ech_server/go.mod'
GOMODCACHE='/Users/tkuwayama/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/tkuwayama/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/Users/tkuwayama/ech_server/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/Users/tkuwayama/Library/Application Support/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/Users/tkuwayama/ech_server/go/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='devel go1.24-2b794ed86c Fri Dec 27 17:23:24 2024 -0800'
GOWORK=''
PKG_CONFIG='pkg-config'

What did you do?

I am testing ECH in go1.24rc1. I noticed that the server aborts the handshake with a decode_error alert if the client sends an invalid ECHClientHello.type.

In section 7, the draft indicates an invalid ECHClientHello.type should generate an illegal_parameter alert.

If ECHClientHello.type is not a valid ECHClientHelloType, then the server MUST abort with an "illegal_parameter" alert.

https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22#section-7-5

What did you see happen?

I implemented an ECH TLS server using the "go1.24rc1" tag. The following is the implementation code for the server.

https://github.com/thekuwayama/sample_ech_server

$ git clone --recursive git@github.com:thekuwayama/sample_ech_server.git
$ cd sample_ech_server/go/src/
$ ./make.bash
$ cd ../..
$ GOROOT='' go/bin/go run main.go
main.go:113: /tmp/echconfigs.pem3815808868

I am developing a conformance testing tool for ECH implementation.
I used the tool and confirmed that when a client sends an invalid ECHClientHello.type in ClientHelloOuter, the server aborts the handshake with a decode_error alert.

$ gem specific_install git@github.com:thekuwayama/echspec.git
$ echspec -f /tmp/echconfigs.pem3815808868 -p 4433 -s 7-5 localhost -v
TLS Encrypted Client Hello Server
        ✔ MUST abort with an "illegal_parameter" alert, if ECHClientHello.type is not a valid ECHClientHelloType in ClientHelloInner. [7-5]
        x MUST abort with an "illegal_parameter" alert, if ECHClientHello.type is not a valid ECHClientHelloType in ClientHelloOuter. [7-5]

Failures:

        1) MUST abort with an "illegal_parameter" alert, if ECHClientHello.type is not a valid ECHClientHelloType in ClientHelloOuter. [7-5]
                did not send expected alert: illegal_parameter

1 failure

What did you expect to see?

I think the server should abort the handshake with an illegal_parameter alert if the client sends an invalid ECHClientHello.type.

The following is a related comment.
https://go-review.googlesource.com/c/go/+/623576/8..16/src/crypto/tls/ech.go#b490
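
The distinction the report relies on, as an added example that is not code from the issue or from crypto/tls: a server-side check that tells an unknown ECHClientHello.type (illegal_parameter) apart from a truncated or mis-framed extension body (decode_error). The names checkECHExt and readVec16 are hypothetical, the field layout follows draft-ietf-tls-esni-22, and answering trailing bytes after an inner type with decode_error is this example's assumption.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const alertIllegalParameter, alertDecodeError uint8 = 47, 50 // RFC 8446, section 6

// readVec16 reads a vector with a 2-byte big-endian length prefix.
func readVec16(b []byte) (vec, rest []byte, ok bool) {
	if len(b) < 2 || len(b)-2 < int(binary.BigEndian.Uint16(b)) {
		return nil, nil, false
	}
	n := 2 + int(binary.BigEndian.Uint16(b))
	return b[2:n], b[n:], true
}

// checkECHExt (hypothetical name, not crypto/tls code) validates an
// ECHClientHello body and returns the alert to abort with if it is invalid.
func checkECHExt(body []byte) (alert uint8, valid bool) {
	switch {
	case len(body) == 0: // truncated: no type byte
		return alertDecodeError, false
	case body[0] == 0: // outer: cipher_suite(4) config_id(1) enc<0..> payload<1..>
		if len(body) >= 6 {
			_, rest, ok1 := readVec16(body[6:])
			payload, rest, ok2 := readVec16(rest)
			if ok1 && ok2 && len(payload) > 0 && len(rest) == 0 {
				return 0, true
			}
		}
		return alertDecodeError, false
	case body[0] == 1: // inner: nothing may follow the type byte
		if len(body) == 1 {
			return 0, true
		}
		return alertDecodeError, false
	default: // unknown ECHClientHelloType: a bad value, not bad framing
		return alertIllegalParameter, false
	}
}

func main() {
	outer := []byte{0, 0, 1, 0, 1, 123, 0, 1, 0xaa, 0, 1, 0xbb} // constructed sample
	for _, b := range [][]byte{outer, {1}, {2}, {0, 0, 1}} {
		fmt.Println(checkECHExt(b)) // prints alert and validity for each body
	}
}
```

The type byte is examined before any length-dependent parsing, so an otherwise well-formed outer body carrying type 0x02 is reported as a value error, not a decoding failure.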

thekuwayama added a commit to thekuwayama/go that referenced this issue Dec 29, 2024
…an invalid `ECHClientHello.type`

The spec indicates that if a client sends an invalid ECHClientHello.type in ClientHelloOuter, the server will abort the handshake with a decode_error alert.
Defined errInvalidECHExt for invalid ECHClientHello.type. If parseECHExt returns an errInvalidECHExt error, Conn now sends an illegal_parameter alert.

Fixes golang#71061
thekuwayama added a commit to thekuwayama/go that referenced this issue Dec 29, 2024
… illegal_parameter

The spec indicates that if a client sends an invalid ECHClientHello.type in
ClientHelloOuter, the server will abort the handshake with a decode_error
alert. Defined errInvalidECHExt for invalid ECHClientHello.type. If
parseECHExt returns an errInvalidECHExt error, Conn now sends an
illegal_parameter alert.

Fixes golang#71061
@gopherbot

Change https://go.dev/cl/639235 mentions this issue: crypto/tls: if received an invalid ECHClientHello.type, server send a illegal_parameter

@dmitshur dmitshur added this to the Go1.24 milestone Dec 30, 2024
@dmitshur dmitshur added NeedsFix The path to resolution is known, but the work has not been done. FixPending Issues that have a fix which has not yet been reviewed or submitted. labels Dec 30, 2024