Skip to content

Fix DTLS 1.2 OpenSSL 1.1.1k client fuzzing null exception #201

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Fix DTLS 1.2 OpenSSL 1.1.1k client fuzzing null exception #201

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
4010925
fix DTLS 1.2 OpenSSL 1.1.1k Client Fuzzing null exception
c-southwest May 29, 2025
b38d807
apply spotless for TLS-Attacker
c-southwest May 29, 2025
802a13c
remove unnecessary code
c-southwest May 30, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 33 additions & 3 deletions experiments/patches/TLS-Attacker-v6.3.4.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -271,7 +271,7 @@ index 7a74620ce..b6c9112f9 100644
return new LayerStack(
context,
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/layer/context/TlsContext.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/layer/context/TlsContext.java
index 135a9e80f..09c55c01e 100644
index 135a9e80f..20a636880 100644
--- a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/layer/context/TlsContext.java
+++ b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/layer/context/TlsContext.java
@@ -80,6 +80,15 @@ import java.util.Set;
Expand All @@ -290,7 +290,15 @@ index 135a9e80f..09c55c01e 100644
private List<Session> sessionList;

private Keylogfile keylogfile;
@@ -2278,4 +2287,12 @@ public class TlsContext extends LayerContext {
@@ -412,6 +421,7 @@ public class TlsContext extends LayerContext {
private byte[] lastServerVerifyData;

private byte[] lastClientHello;
+ private byte[] lastClientHelloCleanProtocolMessageBytes;

private Random random;

@@ -2278,4 +2288,21 @@ public class TlsContext extends LayerContext {
public void setPeerReceiveLimit(Integer peerReceiveLimit) {
this.peerReceiveLimit = peerReceiveLimit;
}
Expand All @@ -301,10 +309,19 @@ index 135a9e80f..09c55c01e 100644
+
+ public void setDtls13ShouldSendFinished(boolean dtls13ShouldSendFinished) {
+ this.dtls13ShouldSendFinished = dtls13ShouldSendFinished;
+ }
+
+ public byte[] getLastClientHelloCleanProtocolMessageBytes() {
+ return lastClientHelloCleanProtocolMessageBytes;
+ }
+
+ public void setLastClientHelloCleanProtocolMessageBytes(
+ byte[] lastClientHelloCleanProtocolMessageBytes) {
+ this.lastClientHelloCleanProtocolMessageBytes = lastClientHelloCleanProtocolMessageBytes;
+ }
}
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/layer/impl/DtlsFragmentLayer.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/layer/impl/DtlsFragmentLayer.java
index 19802504f..b5315904c 100644
index 19802504f..6f513d94d 100644
--- a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/layer/impl/DtlsFragmentLayer.java
+++ b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/layer/impl/DtlsFragmentLayer.java
@@ -197,6 +197,12 @@ public class DtlsFragmentLayer
Expand All @@ -320,6 +337,19 @@ index 19802504f..b5315904c 100644
DtlsHandshakeMessageFragment fragment = new DtlsHandshakeMessageFragment();
fragment.setEpoch(tempHint.getEpoch());
DtlsHandshakeMessageFragmentParser parser =
@@ -207,6 +213,12 @@ public class DtlsFragmentLayer
parser.parse(fragment);
fragment.setCompleteResultingMessage(
fragment.getSerializer(context).serialize());
+ if (fragment.getType().getValue()
+ == HandshakeMessageType.CLIENT_HELLO.getValue()) {
+ context.getTlsContext()
+ .setLastClientHelloCleanProtocolMessageBytes(
+ fragment.getCompleteResultingMessage().getValue());
+ }
fragmentManager.addMessageFragment(fragment);
List<DtlsHandshakeMessageFragment> uninterpretedMessageFragments =
fragmentManager.getOrderedCombinedUninterpretedMessageFragments(
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/layer/impl/FirstCachedUdpLayer.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/layer/impl/FirstCachedUdpLayer.java
new file mode 100644
index 000000000..f2a7ff48e
Expand Down
2 changes: 1 addition & 1 deletion src/main/java/se/uu/it/dtlsfuzzer/components/sul/core/TlsSul.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -209,7 +209,7 @@ private void initializeTransportHandler() {
if (!firstClientHello.getName().equals("CLIENT_HELLO")) {
LOGGER.fatal("The first Client Hello should have been received");
}
context.addStepContext();
// context.addStepContext();
}
} catch (IOException e) {
LOGGER.error("Could not initialize transport handler");
Expand Down
5 changes: 4 additions & 1 deletion src/main/java/se/uu/it/dtlsfuzzer/components/sul/mapper/symbols/inputs/ServerHelloInput.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -108,7 +108,10 @@ public void postReceiveUpdate(TlsOutput output, OutputChecker<TlsOutput> abstrac
byte[] hrBytes = context.getStepContext(lastChStepIndex).getReceivedRecords().get(0).getCleanProtocolMessageBytes().getValue();
context.getTlsContext().getDigest().append(hrBytes);
}
byte[] chBytes = lastChPair.getRight().getCleanProtocolMessageBytes().getValue();
byte[] chBytes = context.getTlsContext().getLastClientHelloCleanProtocolMessageBytes();
if(chBytes.length==0){
System.out.println("No ClientHello clean protocol message found");
}
byte[] shBytes = context.getStepContext().getSentRecords().get(0).getCleanProtocolMessageBytes().getValue();
context.getTlsContext().getDigest().append(chBytes);
context.getTlsContext().getDigest().append(shBytes);
Expand Down
Loading