Skip to content

TLS 1.3, plaintext alert: ignore when expecting encrypted #9466

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
SparkiDev wants to merge 1 commit into
base: master
Choose a base branch
from
Open

TLS 1.3, plaintext alert: ignore when expecting encrypted #9466

SparkiDev wants to merge 1 commit into from
+285 −37

Conversation

@SparkiDev
Copy link
Contributor

@SparkiDev SparkiDev commented Nov 24, 2025

Description

In TLS 1.3, ignore valid unencrypted alerts that appear after encryption has started.
Only ignore WOLFSSL_ALERT_COUNT_MAX-1 alerts.

Fixes zd#20857

Testing

./configure --disable-shared
make
./tests/unit.test -test_tls13_plaintext_alert

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@SparkiDev SparkiDev self-assigned this Nov 24, 2025
@devin-ai-integration
Copy link
Contributor

devin-ai-integration bot commented Nov 24, 2025

🛟 Devin Lifeguard found 1 likely issues in this PR

  • check-all-return-codes snippet snippet snippet: Capture and assert the return value of wolfSSL_SetIORecv, wolfSSL_SetIOSend and wolfSSL_SetIOReadCtx (e.g. ExpectIntEQ(wolfSSL_SetIORecv(ctx, MbRecv), WOLFSSL_SUCCESS);).

@SparkiDev
please take a look at the above issues which Devin flagged. Devin will not fix these issues automatically.

@SparkiDev SparkiDev force-pushed the tls13_pt_alert_when_enc branch 2 times, most recently from 130c70d to 8943d6c Compare November 24, 2025 08:08
@rizlik
Copy link
Contributor

rizlik commented Nov 24, 2025
edited
Loading

If the goal of this PR is to protect against DoS I don't think it's a good idea:

  • under TCP one can easily forge a RST packet and close the connection
  • peer can still forge arbitrary packets that cause the handshake to error out (handshake, app_data) ecc

UDP is different but DtlsShouldDrop ignores plaintext packet after handshake keys are computed.

@SparkiDev
Copy link
Contributor Author

SparkiDev commented Nov 24, 2025
edited
Loading

DoS can be done by any message, it doesn't have to be a valid alert.
But yes that is the report.

Instead the PR is about skipping alerts that were sent by the client before it received anything from the server to indicate it should be encrypted. OpenSSL and others do this.

May make this a compile time option.

@SparkiDev
Copy link
Contributor Author

SparkiDev commented Nov 24, 2025

retest this please

@dgarske dgarske requested a review from julek-wolfssl December 4, 2025 19:42
dgarske
dgarske previously approved these changes Dec 4, 2025
View reviewed changes
julek-wolfssl
julek-wolfssl requested changes Dec 5, 2025
View reviewed changes
Copy link
Member

@julek-wolfssl julek-wolfssl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I still don't agree with fixing it. IMO ignoring plaintext alerts is going to introduce edge cases in the transition period between plaintext and ciphertext. This in turn can hang clients/servers that think the connection is still alive when its really dead. The argument that its a DoS of a connection doesn't make any sense since injecting garbage would also kill the connection.

@SparkiDev SparkiDev force-pushed the tls13_pt_alert_when_enc branch from e2938ed to ebc15e8 Compare December 9, 2025 23:44
@SparkiDev
Copy link
Contributor Author

SparkiDev commented Dec 9, 2025

Changed to be compile time option when WOLFSSL_TLS13_IGNORE_PT_ALERT_ON_ENC is defined.
Test is testing as many alerts as is required to cause an error or one less being OK.
Test is checking that without define that an error is returned.

@SparkiDev SparkiDev force-pushed the tls13_pt_alert_when_enc branch from ebc15e8 to 8a94314 Compare December 10, 2025 00:56
@SparkiDev
TLS 1.3, plaintext alert: ignore when expecting encrypted
9bce18f 
In TLS 1.3, ignore valid unencrypted alerts that appear after encryption
has started.
Only ignore WOLFSSL_ALERT_COUNT_MAX-1 alerts.
@SparkiDev SparkiDev force-pushed the tls13_pt_alert_when_enc branch from 8a94314 to 9bce18f Compare December 10, 2025 02:14
@SparkiDev
Copy link
Contributor Author

SparkiDev commented Dec 10, 2025

retest this please

@SparkiDev SparkiDev removed their assignment Dec 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@julek-wolfssl julek-wolfssl julek-wolfssl requested changes

@dgarske dgarske dgarske left review comments

Requested changes must be addressed to merge this pull request.

Assignees

@julek-wolfssl julek-wolfssl

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@SparkiDev @rizlik @dgarske @julek-wolfssl @wolfSSL-Bot