contiki-ng / tinydtls

A version of tinyDTLS that is refactored to be more easy to use "standalone" (e.g. without bindings to a specific IP-stack).

Invalid decrypt_error response connected to unreliability of the Handshake protocol #19

Open pfg666 opened 3 years ago

pfg666 commented 3 years ago

Non-conformance Bug affecting usability of the library

A similar issue was reported for Eclipse's TinyDTLS implementation.

Contiki-NG TinyDTLS client generates an unwarranted decrypt_error alert upon receiving an unencrypted HelloVerifyRequest with epoch 1. Similarly, the server generates a decrypt_error upon receiving a CKE with epoch 1. Below captures for the two behaviors are shown.

[Image: ctinydtls_decrypt]

[Image: ctinydtls_decrypt_server]

Upon investigating this matter, we found that by terminating the initial handshake on receiving messages with epoch 1, TinyDTLS no longer ensures reliability of the handshake protocol. If the client/server receives Finished (epoch 1) before ChangeCipherSpec (epoch 0), Contiki-NG TinyDTLS will abort the handshake. Such an event can happen due to reordering. This problem is exposed in the below capture for a TinyDTLS client. Notice that the server ChangeCipherSpec is received after an encrypted record which is the Finished message. This leads to unwarranted handshake termination.

[Image: ctinydtls_reorder]

Steps to Reproduce

I attached files necessary for reproduction using DTLS-Fuzzer, a Java-based tool for testing DTLS libraries. Also included in the archive are the captures of the interaction shown above. DTLS-Fuzzer requires the JDK for Java 8. On Ubuntu, this can be installed by running: sudo apt-get install openjdk-8-jdk

Unpack the archive, cd to the resulting folder and run bash reproduce.sh test_sequence_decrypt or bash reproduce.sh test_sequence_reorder, while running an instance of Wireshark on the side. The reproduction script will:

I also added the test sequence 'test_sequence_handshake'. This is similar to the reordering sequence, but without the reordering. By executing this sequence via bash reproduce.sh test_sequence_handshake, you should complete the handshake with the client.

Note that the problems affect both clients and servers. On request, I can provide reproduction scripts also for servers. I am guessing fixing the problem for clients will also do it for servers.

Thanks!

reproduction.tar.gz
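
An added example, not part of the original issue and not Contiki-NG TinyDTLS code: a record-layer receive policy in C that tolerates the reordering described above by holding a record from the next epoch until ChangeCipherSpec arrives, and silently discarding other epoch mismatches instead of answering with an alert. The names rx_state, rx_record, rx_replay and mk_record are hypothetical, decryption is assumed to happen elsewhere, and the sample records are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define RH_LEN 13  /* DTLS 1.2 record header: type(1) version(2) epoch(2) seq(6) length(2) */
#define CT_CCS 20  /* ChangeCipherSpec */
#define CT_HS  22  /* Handshake (Finished travels as this type, under epoch 1) */

enum rec_action { REC_PROCESS, REC_BUFFERED, REC_DROP };
/* Hypothetical receiver state: current read epoch plus a one-record stash. */
struct rx_state { uint16_t epoch; uint8_t held[64]; size_t held_len; };
static uint16_t rec_epoch(const uint8_t *r) { return (uint16_t)((r[3] << 8) | r[4]); }

/* Constructed sample input: a record header followed by a 1-byte dummy body. */
size_t mk_record(uint8_t *out, uint8_t type, uint16_t epoch) {
  memset(out, 0, RH_LEN + 1);
  out[0] = type; out[1] = 0xfe; out[2] = 0xfd;            /* version: DTLS 1.2 */
  out[3] = (uint8_t)(epoch >> 8); out[4] = (uint8_t)epoch; out[12] = 1; /* length = 1 */
  return RH_LEN + 1;
}

/* Classify one record; an epoch mismatch never yields an alert or an abort. */
enum rec_action rx_record(struct rx_state *s, const uint8_t *r, size_t len) {
  if (len < RH_LEN || len != RH_LEN + (size_t)((r[11] << 8) | r[12]))
    return REC_DROP;                                      /* malformed: discard silently */
  if (rec_epoch(r) == s->epoch) {
    if (r[0] == CT_CCS) s->epoch++;                       /* peer switches to new keys */
    return REC_PROCESS;
  }
  if (rec_epoch(r) == (uint16_t)(s->epoch + 1) && !s->held_len && len <= sizeof s->held) {
    memcpy(s->held, r, len); s->held_len = len;           /* ahead of CCS: keep it */
    return REC_BUFFERED;
  }
  return REC_DROP;                                        /* stale or far-future epoch */
}

/* Call after each processed record: releases the stash once its epoch is current. */
enum rec_action rx_replay(struct rx_state *s) {
  if (!s->held_len || rec_epoch(s->held) != s->epoch)
    return s->held_len ? REC_BUFFERED : REC_DROP;         /* still waiting / nothing held */
  s->held_len = 0;
  return REC_PROCESS;
}

int main(void) {  /* reordered flight: Finished (epoch 1) arrives before CCS (epoch 0) */
  struct rx_state s = {0}; uint8_t fin[RH_LEN + 1], ccs[RH_LEN + 1];
  int a = rx_record(&s, fin, mk_record(fin, CT_HS, 1));
  int b = rx_record(&s, ccs, mk_record(ccs, CT_CCS, 0));
  printf("finished=%d ccs=%d replay=%d\n", a, b, rx_replay(&s));
  return 0;
}
```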