Closed maxammann closed 1 year ago
I patched wolfSSL like this to get it working:
diff --git a/src/tls.c b/src/tls.c
index f2f62dc..2d808f7 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -5050,7 +5050,8 @@ int TLSX_AddEmptyRenegotiationInfo(TLSX** extensions, void* heap)
#define SCR_FREE_ALL(data, heap) XFREE(data, (heap), DYNAMIC_TYPE_TLSX)
#define SCR_GET_SIZE TLSX_SecureRenegotiation_GetSize
#define SCR_WRITE TLSX_SecureRenegotiation_Write
-#define SCR_PARSE TLSX_SecureRenegotiation_Parse
+//#define SCR_PARSE TLSX_SecureRenegotiation_Parse
+#define SCR_PARSE(a, b, c, d) 0
#else
Not sure if wolfSSL or TLS-Anvil is at fault.
Hey,
thank you for these reports, they are much appreciated. Regarding the IndexOutOfBoundsException at the top, did this occur for wolfSSL in TLS 1.3-only mode? In our publication, we actually tested TLS 1.2 and 1.3 for wolfSSL and enabled both versions with the CLI version flag (-v).
The IndexOutOfBoundsException
is also thrown during OpenSSL client exploration I think. It does not let the exploration fail.
The issue comes with enabling this feature in wolfSSL: https://github.com/wolfSSL/wolfssl/blob/870f7cc95b1061b0f829d15315c66b6b6823eb99/configure.ac#L5074-L5078
Apparently TLS-Anvil is sending an invalid renegotiation information, which makes wolfSSL always return errors.
This issues has now been addressed with release v5.2.1 of TLS-Attacker and v1.2.0 of TLS-Anvil. Thank you again for the reports.
I'm getting this exception while running TLS-Attacker through TLS-Anvil on wolfSSL clients.
The following exception is caused when TLS 1.3 is enabled, which was disabled in the TLS-Anvil publication, because TLS 1.3 is opt-in in wolfSSL.
The next crash is linked to some tested cipher suite.
It think the line where it actually crashes is the following:
https://github.com/tls-attacker/TLS-Anvil/blob/v1.1.0/TLS-Test-Framework/TestFramework/src/main/java/de/rub/nds/tlstest/framework/execution/TestRunner.java#L371
I investigated this, and it turns out this is due to the Renegotiation Info feature enabled in wolfSSL 5.3.0 by default. When disabling it works again: https://github.com/wolfSSL/wolfssl/blob/870f7cc95b1061b0f829d15315c66b6b6823eb99/configure.ac#L5074-L5078