
[Bug]: Incorrect error log message for invalid HelloRetryRequest in TLS 1.3 #9653

@GSoJC234

Description


Contact Details

thkighie1224@postech.ac.kr

Version

v5.8.4-stable

Description

Hello wolfSSL team,

I would like to report an incorrect error log observed during a TLS 1.3 handshake.

When a HelloRetryRequest message is received without a KeyShare extension, the following code path is executed in DoTls13ServerHello:

if (!ssl->options.hrrSentKeyShare
#ifdef WOLFSSL_SEND_HRR_COOKIE
        && !ssl->options.hrrSentCookie
#endif
        ) {
    SendAlert(ssl, alert_fatal, illegal_parameter);
    return DUPLICATE_MSG_E;
}

In this case, the alert description (illegal_parameter) is correct. However, because the function returns DUPLICATE_MSG_E, wolfSSL prints the log message:
"Duplicate HandShake message Error"

This log message is misleading, as the error condition is not related to receiving a duplicate handshake message, but rather to an invalid HelloRetryRequest that does not contain the required KeyShare extension.

While this issue does not affect the handshake logic, correcting the log message would improve diagnostic accuracy and debugging clarity.

Thank you for your time and attention.

Best regards,
Jaehun Lee

Reproduction steps

  1. ./configure --enable-debug --enable-usersettings --enable-session-ticket --enable-savesession --enable-opensslextra --enable-psk
  2. make install
  3. python3 wrong-log.py
  4. ./examples/client/client -p 4444 -v 4 -l TLS_AES_128_CCM_SHA256

user_settings.h

// user_settings.h used for the reproduction build (--enable-usersettings).
// Only the options relevant to the report are annotated; the remainder is the
// reporter's own cipher-suite, curve and hash selection.
#define PSK
#define OPENSSL_EXTRA
#define WOLFSSL_OPENSSL_COMPATIBLE
#define WOLFSSL_DTLS

// Turns off wolfSSL's default hardening (timing-resistant math / RSA
// blinding) together with the build warning that asks for it. Fine for a
// local debug reproduction; a production build should not carry this.
#define WC_NO_HARDEN

#define HAVE_SESSION_TICKET
#define PERSIST_SESSION_CACHE
#define WOLFSSL_STATIC_PSK
#define SESSION_INDEX
#define ENABLE_SESSION_CACHE_ROW_LOCK
#define WOLFSSL_SESSION_EXPORT

#define HAVE_ECC
#define HAVE_ECC_DHE
#define HAVE_ECC_KOBLITZ
#define WOLFSSL_CUSTOM_CURVES
//#define HAVE_CURVE25519 --- does not support arm architecture
#define HAVE_CURVE448
#define HAVE_ECC384
#define HAVE_ECC_SECPR2
#define HAVE_ECC192
#define HAVE_ECC224
#define HAVE_ECC512


#define HAVE_FFDHE_2048
#define HAVE_FFDHE_3072
// NOTE(review): there is no 4092-bit FFDHE group; this looks like a typo for
// HAVE_FFDHE_4096 and, as written, enables nothing -- confirm.
#define HAVE_FFDHE_4092
#define HAVE_FFDHE_6144
#define HAVE_FFDHE_8192
#define HAVE_ALL_CURVES
#define HAVE_AESCCM
#define HAVE_AESGCM
#define HAVE_HKDF

// Explicit suite list. It includes NULL-cipher, RC4, 3DES and anonymous-DH
// suites that a production configuration should leave disabled; the
// HelloRetryRequest reproduction itself only uses TLS_AES_128_CCM_SHA256
// (the -l argument of step 4), so these could be dropped without affecting it.
#define BUILD_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
#define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
#define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
#define BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA
#define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA
#define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA
#define BUILD_TLS_RSA_WITH_NULL_MD5
#define BUILD_TLS_RSA_WITH_NULL_SHA
#define BUILD_TLS_PSK_WITH_AES_256_CBC_SHA
#define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256
#define BUILD_TLS_PSK_WITH_AES_256_CBC_SHA384
#define BUILD_TLS_PSK_WITH_AES_128_CBC_SHA
#define BUILD_TLS_PSK_WITH_NULL_SHA256
#define BUILD_TLS_PSK_WITH_NULL_SHA384
#define BUILD_TLS_PSK_WITH_NULL_SHA
#define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
#define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
#define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
#define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
#define BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA
#define BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
#define BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
#define BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
#define BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
#define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
#define BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
#define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
#define BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA
#define BUILD_TLS_ECDHE_PSK_WITH_NULL_SHA256
#define BUILD_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
#define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
#define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
#define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
#define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
#define BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA
#define BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
#define BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
#define BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
#define BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
#define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
#define BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
#define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
#define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
#define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
#define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256
#define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256
#define BUILD_TLS_RSA_WITH_NULL_SHA256
#define BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
#define BUILD_TLS_DHE_PSK_WITH_NULL_SHA256
#define BUILD_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
#define BUILD_TLS_DHE_PSK_WITH_NULL_SHA384
#define BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256
#define BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384
#define BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
#define BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
#define BUILD_TLS_DH_anon_WITH_AES_256_GCM_SHA384
#define BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256
#define BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384
#define BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
#define BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
#define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
#define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
#define BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
#define BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
#define BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
#define BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
#define BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
#define BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
#define BUILD_TLS_RSA_WITH_AES_128_CCM_8
#define BUILD_TLS_RSA_WITH_AES_256_CCM_8
#define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM
#define BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
#define BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
#define BUILD_TLS_PSK_WITH_AES_128_CCM
#define BUILD_TLS_PSK_WITH_AES_256_CCM
#define BUILD_TLS_PSK_WITH_AES_128_CCM_8
#define BUILD_TLS_PSK_WITH_AES_256_CCM_8
#define BUILD_TLS_DHE_PSK_WITH_AES_128_CCM
#define BUILD_TLS_DHE_PSK_WITH_AES_256_CCM
// TLS 1.3 suites; the first one is the suite the crafted HelloRetryRequest
// in wrong-log.py selects (0x1304).
#define BUILD_TLS_AES_128_CCM_SHA256
#define BUILD_TLS_AES_128_CCM_8_SHA256
#define BUILD_TLS_AES_128_GCM_SHA256
#define BUILD_TLS_AES_256_GCM_SHA384


#define WOLFSSL_TLS12
#define WOLFSSL_SHA256
#define WOLFSSL_SHA384
#define WOLFSSL_SHA512
#undef WOLFSSL_MD5
#undef WOLFSSL_MD5_SHA

#define WOLFSSL_SP_4096

#define WOLFSSL_TLS13
#define WC_RSA_PSS
#define HAVE_PUBLIC_FFDHE
// Identical redefinitions of HAVE_FFDHE_2048 and BUILD_TLS_AES_128_CCM_SHA256
// (both already defined above); harmless because the replacement text matches.
#define HAVE_FFDHE_2048
#define BUILD_TLS_AES_128_CCM_SHA256

#define WOLFSSL_ALT_CERT_CHAINS
#define HAVE_TLS_EXTENSIONS
#define HAVE_SUPPORTED_CURVES

// Debug logging is what surfaces the "Duplicate HandShake message Error"
// text this report is about.
#define DEBUG_WOLFSSL
#define DEBUG_WOLFSSL_VERBOSE
#define WOLFSSL_FUNC_TIME

wrong-log.py

import socket
import binascii

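def send_hex_to_server():
    """Serve one crafted TLS 1.3 HelloRetryRequest to a single local client.

    Listens on 127.0.0.1:4444, accepts exactly one connection, reads the
    client's first flight (its ClientHello) and answers with a fixed
    HelloRetryRequest that carries only a supported_versions extension --
    no key_share and no cookie -- then closes the connection. This is the
    input that makes DoTls13ServerHello return DUPLICATE_MSG_E and log
    "Duplicate HandShake message Error".

    Returns:
        None. Progress is reported on stdout.
    """
    # One handshake record (type 0x16, version 0x0303, length 0x32) holding a
    # ServerHello (0x02) whose random is the fixed HelloRetryRequest value
    # from RFC 8446 section 4.1.3, cipher suite 0x1304 (TLS_AES_128_CCM_SHA256,
    # the -l argument of the repro client) and a single supported_versions
    # extension (0x002b -> 0x0304). Deliberately no key_share extension.
    server_hello = (
        "16 03 03 00 32 02 00 00 2e 03 03 cf 21 ad 74 e5"
        "9a 61 11 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a"
        "bb 8c 5e 07 9e 09 e2 c8 a8 33 9c 00 13 04 00 00"
        "06 00 2b 00 02 03 04"
    )
    server_hello_payload = binascii.unhexlify(server_hello.replace(" ", ""))

    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        # Allow immediate re-runs of the repro without waiting out TIME_WAIT.
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # Loopback only: the crafted server must not be reachable remotely.
        s.bind(("127.0.0.1", 4444))
        s.listen(1)

        conn, _addr = s.accept()
        # Close the accepted socket on every exit path; the original version
        # never closed it.
        with conn:
            try:
                client_hello = conn.recv(4096)
                if not client_hello:
                    # Peer hung up before sending anything; there is nothing to
                    # answer, so do not push the payload into a dead connection.
                    print("Connection closed")
                    return
                print("Received: (hex):", client_hello.hex())
                conn.sendall(server_hello_payload)
            except KeyboardInterrupt:
                print("End")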

if __name__ == "__main__":
    # Step 3 of the reproduction: start the one-shot listener, then run the
    # wolfSSL example client against it (step 4).
    send_hex_to_server()

Relevant log output
