Description
Contact Details
Version
5.8.2
Description
There is an issue with wolfSSL_CTX_set_tlsext_use_srtp() under DTLS 1.3: the handshake fails with an Alert (Level: Fatal, Description: Illegal Parameter). You can see this error in Wireshark filtered by dtls.
Working scenario:
- If you keep wolfSSL_CTX_set_tlsext_use_srtp() and downgrade DTLS 1.3 to 1.2 (in code: wolfDTLSv1_2_client_method and wolfDTLSv1_2_server_method), then the handshake is successful.
- If you keep the DTLS 1.3 version and comment out wolfSSL_CTX_set_tlsext_use_srtp() from both run_client() and run_server(), then the handshake is successful.
Reproduction steps
/*
* Simple DTLS 1.3 Example using WolfSSL
* Compile:
* gcc test_dtls.c -o test_dtls $(wolfssl-config --cflags --libs)
*
* Usage:
* ./test_dtls server # runs server on localhost:1500
* ./test_dtls client # runs client on localhost:1501
*/
#include <wolfssl/options.h>
#include <wolfssl/ssl.h>
#include <wolfssl/wolfcrypt/settings.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
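/* UDP ports on 127.0.0.1 used by the two halves of the repro; an enum keeps
 * them typed and debugger-visible while staying usable in htons()/printf(). */
enum { SERVER_PORT = 1500, CLIENT_PORT = 1501 };
/* Shared key.  sizeof(psk_key) is 7: the six characters plus the terminating
 * NUL.  Both PSK callbacks copy and report that full length, so the NUL byte
 * is part of the key material on both sides. */
static const unsigned char psk_key[] = "secret";
/* PSK identity the client callback hands to wolfSSL; the server callback
 * receives it as identity_in. */
static const char* identity = "Client_identity";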
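/*
 * Client PSK callback: gives wolfSSL the identity and key for the handshake.
 *
 * identity_out and key are wolfSSL-owned buffers of id_max_len and
 * key_max_len bytes.  Returns the key length in bytes -- sizeof(psk_key),
 * terminating NUL included, matching what the server callback reports -- or
 * 0 when either buffer is too small, which wolfSSL treats as a failed lookup.
 * The original strncpy() could leave identity_out unterminated and the
 * memcpy() ignored key_max_len.
 */
unsigned int my_psk_client_cb(WOLFSSL* ssl, const char* hint,
                              char* identity_out, unsigned int id_max_len,
                              unsigned char* key, unsigned int key_max_len)
{
    (void)ssl; (void)hint;

    /* snprintf() always NUL-terminates (size > 0); reject a truncated identity */
    int written = snprintf(identity_out, id_max_len, "%s", identity);
    if (written < 0 || (unsigned int)written >= id_max_len) {
        return 0;
    }
    if (key_max_len < sizeof(psk_key)) {
        return 0;
    }
    memcpy(key, psk_key, sizeof(psk_key));
    return (unsigned int)sizeof(psk_key);
}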
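/*
 * Server PSK callback: looks up the key for the identity the client sent.
 *
 * key is a wolfSSL-owned buffer of key_max_len bytes.  Returns the key length
 * in bytes -- sizeof(psk_key), terminating NUL included, matching what the
 * client callback reports -- or 0 when the identity is not the one this
 * program's client sends or the buffer is too small; wolfSSL treats 0 as a
 * failed lookup.  The original handed the key to any identity and ignored
 * key_max_len.
 */
unsigned int my_psk_server_cb(WOLFSSL* ssl, const char* identity_in,
                              unsigned char* key, unsigned int key_max_len)
{
    (void)ssl;

    /* only the identity our client half sends is entitled to this key */
    if (identity_in == NULL || strcmp(identity_in, identity) != 0) {
        return 0;
    }
    if (key_max_len < sizeof(psk_key)) {
        return 0;
    }
    memcpy(key, psk_key, sizeof(psk_key));
    return (unsigned int)sizeof(psk_key);
}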
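/*
 * Server half of the repro.
 *
 * Binds a UDP socket to 127.0.0.1:SERVER_PORT, peeks at the first datagram to
 * learn the client's address, then runs a DTLS 1.3 PSK handshake with the
 * use_srtp extension enabled and sends one greeting.
 *
 * Setup failures (library init, context, cipher list, socket, bind, recvfrom,
 * WOLFSSL object) release whatever was acquired and exit(EXIT_FAILURE).  A
 * failed handshake or write is reported together with the wolfSSL error code
 * and the function returns normally, as the original did, so main() still
 * exits 0 in that case.  The original checked none of the socket()/
 * wolfSSL_new()/set_fd/set_peer results and leaked ctx on the exit paths.
 */
void run_server()
{
    int sockfd = -1;
    WOLFSSL_CTX* ctx = NULL;
    WOLFSSL* ssl = NULL;
    struct sockaddr_in servAddr, cliAddr;
    socklen_t cliLen = sizeof(cliAddr);
    char buffer[1500];
    char errbuf[WOLFSSL_MAX_ERROR_SZ];
    static const char greeting[] = "Hello from server";
    int fatal = 1;  /* cleared once setup is complete; later failures just return */
    int ret, n;

    if (wolfSSL_Init() != WOLFSSL_SUCCESS) {
        fprintf(stderr, "wolfSSL_Init failed\n");
        exit(EXIT_FAILURE);
    }
    ctx = wolfSSL_CTX_new(wolfDTLSv1_3_server_method());
    if (!ctx) {
        /* wolfSSL_CTX_new() does not set errno, so perror() printed a stale message */
        fprintf(stderr, "wolfSSL_CTX_new failed\n");
        goto cleanup;
    }
    /* no certificates involved: the PSK is the only authentication */
    wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
    wolfSSL_CTX_set_psk_server_callback(ctx, my_psk_server_cb);
    /* NOTE(review): this list excludes aPSK while a PSK callback is installed;
     * the captured ClientHello still carries pre_shared_key, but confirm the
     * exclusion is intended. */
    if (wolfSSL_CTX_set_cipher_list(ctx,
            "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK")
            != WOLFSSL_SUCCESS) {
        fprintf(stderr, "wolfSSL_CTX_set_cipher_list failed\n");
        goto cleanup;
    }
    /* The call under investigation.  NOTE(review): its return value is not
     * checked; confirm the API's success value before relying on it. */
    wolfSSL_CTX_set_tlsext_use_srtp(ctx,
        "SRTP_AEAD_AES_256_GCM:SRTP_AEAD_AES_128_GCM:SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32");

    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sockfd < 0) {
        perror("socket");
        goto cleanup;
    }
    memset(&servAddr, 0, sizeof(servAddr));
    servAddr.sin_family = AF_INET;
    servAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
    servAddr.sin_port = htons(SERVER_PORT);
    if (bind(sockfd, (struct sockaddr*)&servAddr, sizeof(servAddr)) < 0) {
        perror("bind");
        goto cleanup;
    }
    printf("DTLS server listening on 127.0.0.1:%d...\n", SERVER_PORT);

    /* MSG_PEEK: learn the peer address but leave the datagram queued for the
     * handshake to consume */
    n = recvfrom(sockfd, buffer, sizeof(buffer), MSG_PEEK,
                 (struct sockaddr*)&cliAddr, &cliLen);
    if (n < 0) {
        perror("recvfrom");
        goto cleanup;
    }

    ssl = wolfSSL_new(ctx);
    if (!ssl) {
        fprintf(stderr, "wolfSSL_new failed\n");
        goto cleanup;
    }
    if (wolfSSL_set_fd(ssl, sockfd) != WOLFSSL_SUCCESS ||
        wolfSSL_dtls_set_peer(ssl, &cliAddr, cliLen) != WOLFSSL_SUCCESS) {
        fprintf(stderr, "failed to attach socket or peer to WOLFSSL object\n");
        goto cleanup;
    }

    fatal = 0;
    ret = wolfSSL_accept(ssl);
    if (ret != WOLFSSL_SUCCESS) {
        int err = wolfSSL_get_error(ssl, ret);
        printf("DTLS handshake failed\n");
        fprintf(stderr, "wolfSSL_accept: %d (%s)\n",
                err, wolfSSL_ERR_error_string(err, errbuf));
        goto cleanup;
    }
    printf("Handshake success (server)\n");

    /* the literal is 17 bytes; the hard-coded 18 pushed the terminating NUL onto the wire */
    n = wolfSSL_write(ssl, greeting, (int)strlen(greeting));
    if (n != (int)strlen(greeting)) {
        int err = wolfSSL_get_error(ssl, n);
        fprintf(stderr, "wolfSSL_write: %d (%s)\n",
                err, wolfSSL_ERR_error_string(err, errbuf));
    }

cleanup:
    if (ssl) wolfSSL_free(ssl);
    if (ctx) wolfSSL_CTX_free(ctx);
    if (sockfd >= 0) close(sockfd);
    wolfSSL_Cleanup();
    if (fatal) exit(EXIT_FAILURE);
}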
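/*
 * Client half of the repro.
 *
 * Binds a UDP socket to 127.0.0.1:CLIENT_PORT, points it at the server on
 * SERVER_PORT, runs a DTLS 1.3 PSK handshake with the use_srtp extension
 * enabled and prints the server's greeting.
 *
 * Setup failures (library init, context, cipher list, socket, bind, WOLFSSL
 * object) release whatever was acquired and exit(EXIT_FAILURE).  A failed
 * handshake or read is reported together with the wolfSSL error code and the
 * function returns normally, as the original did, so main() still exits 0 in
 * that case.  The original checked none of the socket()/wolfSSL_new()/
 * set_fd/set_peer results, leaked ctx on the exit paths and dropped read
 * errors silently.
 */
void run_client()
{
    int sockfd = -1;
    WOLFSSL_CTX* ctx = NULL;
    WOLFSSL* ssl = NULL;
    struct sockaddr_in cliAddr, servAddr;
    char buffer[1500];
    char errbuf[WOLFSSL_MAX_ERROR_SZ];
    int fatal = 1;  /* cleared once setup is complete; later failures just return */
    int ret, n;

    if (wolfSSL_Init() != WOLFSSL_SUCCESS) {
        fprintf(stderr, "wolfSSL_Init failed\n");
        exit(EXIT_FAILURE);
    }
    ctx = wolfSSL_CTX_new(wolfDTLSv1_3_client_method());
    if (!ctx) {
        /* wolfSSL_CTX_new() does not set errno, so perror() printed a stale message */
        fprintf(stderr, "wolfSSL_CTX_new failed\n");
        goto cleanup;
    }
    /* no certificates involved: the PSK is the only authentication */
    wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
    wolfSSL_CTX_set_psk_client_callback(ctx, my_psk_client_cb);
    /* NOTE(review): this list excludes aPSK while a PSK callback is installed;
     * the captured ClientHello still carries pre_shared_key, but confirm the
     * exclusion is intended. */
    if (wolfSSL_CTX_set_cipher_list(ctx,
            "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK")
            != WOLFSSL_SUCCESS) {
        fprintf(stderr, "wolfSSL_CTX_set_cipher_list failed\n");
        goto cleanup;
    }
    /* The call under investigation.  NOTE(review): its return value is not
     * checked; confirm the API's success value before relying on it. */
    wolfSSL_CTX_set_tlsext_use_srtp(ctx,
        "SRTP_AEAD_AES_256_GCM:SRTP_AEAD_AES_128_GCM:SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32");

    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sockfd < 0) {
        perror("socket");
        goto cleanup;
    }
    /* fixed local port so the server's reply and the capture are predictable */
    memset(&cliAddr, 0, sizeof(cliAddr));
    cliAddr.sin_family = AF_INET;
    cliAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
    cliAddr.sin_port = htons(CLIENT_PORT);
    if (bind(sockfd, (struct sockaddr*)&cliAddr, sizeof(cliAddr)) < 0) {
        perror("bind");
        goto cleanup;
    }
    memset(&servAddr, 0, sizeof(servAddr));
    servAddr.sin_family = AF_INET;
    servAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
    servAddr.sin_port = htons(SERVER_PORT);

    ssl = wolfSSL_new(ctx);
    if (!ssl) {
        fprintf(stderr, "wolfSSL_new failed\n");
        goto cleanup;
    }
    if (wolfSSL_set_fd(ssl, sockfd) != WOLFSSL_SUCCESS ||
        wolfSSL_dtls_set_peer(ssl, &servAddr, sizeof(servAddr)) != WOLFSSL_SUCCESS) {
        fprintf(stderr, "failed to attach socket or peer to WOLFSSL object\n");
        goto cleanup;
    }

    fatal = 0;
    ret = wolfSSL_connect(ssl);
    if (ret != WOLFSSL_SUCCESS) {
        int err = wolfSSL_get_error(ssl, ret);
        printf("DTLS handshake failed\n");
        fprintf(stderr, "wolfSSL_connect: %d (%s)\n",
                err, wolfSSL_ERR_error_string(err, errbuf));
        goto cleanup;
    }
    printf("Handshake success (client)\n");

    /* leave one byte for the terminator we add before printing */
    n = wolfSSL_read(ssl, buffer, sizeof(buffer) - 1);
    if (n > 0) {
        buffer[n] = '\0';
        printf("Received from server: %s\n", buffer);
    } else {
        int err = wolfSSL_get_error(ssl, n);
        fprintf(stderr, "wolfSSL_read: %d (%s)\n",
                err, wolfSSL_ERR_error_string(err, errbuf));
    }

cleanup:
    if (ssl) wolfSSL_free(ssl);
    if (ctx) wolfSSL_CTX_free(ctx);
    if (sockfd >= 0) close(sockfd);
    wolfSSL_Cleanup();
    if (fatal) exit(EXIT_FAILURE);
}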
/*
 * Entry point: the single argument "server" or "client" selects which half of
 * the repro runs.  Anything else prints usage and returns 1; a recognised mode
 * returns 0 regardless of how the handshake went.
 */
int main(int argc, char** argv)
{
    const char* mode = (argc == 2) ? argv[1] : NULL;

    if (mode == NULL) {
        printf("Usage: %s [server|client]\n", argv[0]);
        return 1;
    }
    if (strcmp(mode, "server") == 0) {
        run_server();
        return 0;
    }
    if (strcmp(mode, "client") == 0) {
        run_client();
        return 0;
    }
    printf("Unknown mode: %s\n", mode);
    return 1;
}
Relevant log output
./test_dtls server
DTLS server listening on 127.0.0.1:1500...
ERR TRACE: src/tls13.c L 6754 VERSION_ERROR (-326)
ERR TRACE: src/tls13.c L 7063 HRR_COOKIE_ERROR (-505)
ERR TRACE: src/ssl.c L 10898 WOLFSSL_FATAL_ERROR (-1)
DTLS handshake failed
./test_dtls client
ERR TRACE: src/internal.c L 22994 FATAL_ERROR (-313)
ERR TRACE: src/tls13.c L 13284 WOLFSSL_FATAL_ERROR (-1)
DTLS handshake failed
Wireshark output:
127.0.0.1:1501 127.0.0.1:1500 DTLSv1.3 427 Client Hello
Frame 1316859: 427 bytes on wire (3416 bits), 427 bytes captured (3416 bits) on interface any, id 0
Linux cooked capture v1
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
User Datagram Protocol, Src Port: 1501, Dst Port: 1500
Datagram Transport Layer Security
DTLSv1.3 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: DTLS 1.2 (0xfefd)
Epoch: 0
Sequence Number: 0
Length: 370
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 358
Message Sequence: 0
Fragment Offset: 0
Fragment Length: 358
Version: DTLS 1.2 (0xfefd)
Random: 2caa227e5ac229ced8ce5f65395ed3f477a605fa7490e67caa118733534b06d4
Session ID Length: 0
Cookie Length: 0
Cipher Suites Length: 72
Cipher Suites (36 suites)
Compression Methods Length: 1
Compression Methods (1 method)
Extensions Length: 244
Extension: psk_key_exchange_modes (len=3)
Type: psk_key_exchange_modes (45)
Length: 3
PSK Key Exchange Modes Length: 2
PSK Key Exchange Mode: PSK-only key establishment (psk_ke) (0)
PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)
Extension: key_share (len=71) secp256r1
Type: key_share (51)
Length: 71
Key Share extension
Client Key Share Length: 69
Key Share Entry: Group: secp256r1, Key Exchange length: 65
Group: secp256r1 (23)
Key Exchange Length: 65
Key Exchange: 0418f32e7a91dbeed1cee2d0867db1e8e6e6c5db0b8bf8c87872c06551662c3e5f0cbd8f91f7c41d8a15a8a09c5c7fdf1d745dc302a26ddfa5663ca4c97341dd79
Extension: supported_versions (len=3) DTLS 1.3
Type: supported_versions (43)
Length: 3
Supported Versions length: 2
Supported Version: DTLS 1.3 (0xfefc)
Extension: signature_algorithms (len=28)
Type: signature_algorithms (13)
Length: 28
Signature Hash Algorithms Length: 26
Signature Hash Algorithms (13 algorithms)
Extension: use_srtp (len=11)
Type: use_srtp (14)
Length: 11
SRTP Protection Profiles Length: 8
SRTP Protection Profile: SRTP_AES128_CM_HMAC_SHA1_80 (0x0001)
SRTP Protection Profile: SRTP_AES128_CM_HMAC_SHA1_32 (0x0002)
SRTP Protection Profile: SRTP_AEAD_AES_128_GCM (0x0007)
SRTP Protection Profile: SRTP_AEAD_AES_256_GCM (0x0008)
MKI Length: 0
Extension: supported_groups (len=38)
Type: supported_groups (10)
Length: 38
Supported Groups List Length: 36
Supported Groups (18 groups)
Supported Group: secp521r1 (0x0019)
Supported Group: secp384r1 (0x0018)
Supported Group: x448 (0x001e)
Supported Group: secp256r1 (0x0017)
Supported Group: x25519 (0x001d)
Supported Group: secp224r1 (0x0015)
Supported Group: ffdhe2048 (0x0100)
Supported Group: MLKEM512 (0x0200)
Supported Group: Unknown (0x2f4b)
Supported Group: Unknown (0x2fb6)
Supported Group: MLKEM768 (0x0201)
Supported Group: Unknown (0x2f4c)
Supported Group: SecP256r1MLKEM768 (0x11eb)
Supported Group: X25519MLKEM768 (0x11ec)
Supported Group: Unknown (0x2fb7)
Supported Group: MLKEM1024 (0x0202)
Supported Group: Unknown (0x2f4d)
Supported Group: SecP384r1MLKEM1024 (0x11ed)
Extension: encrypt_then_mac (len=0)
Type: encrypt_then_mac (22)
Length: 0
Extension: pre_shared_key (len=58)
Type: pre_shared_key (41)
Length: 58
Pre-Shared Key extension
[JA4: dd3i360800_d87cea7c656d_7886d48078ae]
[JA4_r […]: dd3i360800_0033,0039,0067,006b,009e,009f,00aa,00ab,00b2,00b3,1301,1302,1303,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030,c037,cc13,cc14,cc15,cca8,cca9,ccaa,ccab,ccac,ccad,d001_000a,000d,000e,0016,0029,002b,002d,]
[JA3 Fullstring […]: 65277,4866-4865-4867-49196-49195-49200-49199-159-158-171-170-52393-52392-52394-49191-49187-49192-49188-49162-49161-49172-49171-107-103-57-51-52244-52243-52245-179-178-52395-52396-52397-49207-53249,45-51-43-13-14-10-22]
[JA3: 9fbfa719850ffe71af3984a78c4d11f9]
127.0.0.1:1500 127.0.0.1:1501 DTLSv1.3 59 Alert (Level: Fatal, Description: Illegal Parameter)
Frame 1316860: 59 bytes on wire (472 bits), 59 bytes captured (472 bits) on interface any, id 0
Linux cooked capture v1
Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
User Datagram Protocol, Src Port: 1500, Dst Port: 1501
Datagram Transport Layer Security
DTLSv1.3 Record Layer: Alert (Level: Fatal, Description: Illegal Parameter)
Content Type: Alert (21)
Version: DTLS 1.2 (0xfefd)
Epoch: 0
Sequence Number: 0
Length: 2
Alert Message
Level: Fatal (2)
Description: Illegal Parameter (47)