Why do (some) unexpected messages cause neither an alert to be sent, nor flushing of the connection?

[wbudd]

To be standard compliant (see reference below), and because we (to quote s2n's DEVELOPMENT-GUIDE) also shouldn't "pass the buck" and place the burden of subtle or complicated TLS-specific decision making upon application authors and system administrators; I think reading unexpected messages should cause a fatal alert to be written to conn->reader_alert_out and s2n_flush() to be called on the connection.

However, almost immediately after starting to read s2n code carefully, I noticed a case where this doesn't happen:

tls/s2n_handshake_io.c: line 249 onward (in handshake_read_io()):

if (record_type == TLS_APPLICATION_DATA) {
    S2N_ERROR(S2N_ERR_BAD_MESSAGE);
} else if (record_type == TLS_CHANGE_CIPHER_SPEC) {
        if (s2n_stuffer_data_available(&conn->in) != 1) {
            S2N_ERROR(S2N_ERR_BAD_MESSAGE);
        }
        [...]
}

-1 and an errno are immediately returned to the application (through parent function s2n_negotiate()), but no cleaning up is performed at all - not even the record containing the bogus data is wiped, even though all the other conditional branches in s2n_handshake_io all call GUARD(s2n_stuffer_wipe(&conn->header_in)); GUARD(s2n_stuffer_wipe(&conn->in)); conn->in_status = ENCRYPTED; when done.

Just wondering if that's intentional; and if so, why? Wouldn't it be wiser to shut down and wipe the connection ASAP?

*) reference ---------------------------------------------------------------------------------------------

https://tools.ietf.org/html/rfc5246#section-7.2.2

Error handling in the TLS Handshake protocol is very simple. When an
error is detected, the detecting party sends a message to the other
party. Upon transmission or receipt of a fatal alert message, both
parties immediately close the connection. Servers and clients MUST
forget any session-identifiers, keys, and secrets associated with a
failed connection. Thus, any connection terminated with a fatal
alert MUST NOT be resumed.

unexpected_message
An inappropriate message was received. This alert is always fatal
and should never be observed in communication between proper
implementations.

https://tools.ietf.org/html/rfc5246#section-6

Implementations MUST NOT send record types not defined in this
document unless negotiated by some extension. If a TLS
implementation receives an unexpected record type, it MUST send an
unexpected_message alert.

[colmmacc]

I'm pretty sure that this isn't intentional! It's definitely worth doing the wiping. I'm less sure about sending the alert; even though the standard does say that sending alerts is required I'm not certain that it's a good idea. alert messages like this rarely help the actual users and have been implicated in protocol vulnerabilities. They also complicate the application behavior (a read suddenly becomes a write).

[wbudd]

Regarding wiping:
I think the safest/robustest way to do this is to classify the entire set of errors that s2n can throw into separate categories within s2n_errno.c. One of these categories should contain all error numbers that are considered fatal to the associated connection. That way, whenever the S2N_ERROR macro (which actually might be better off turned into a function than a macro) is called, it can see for itself (e.g., in a static array of structs) to which category the errno belongs, and take care of wiping the connection if it matches said fatal category. A little heavy-handed perhaps, but the benefit of eliminating the risk of code in various nooks and corners forgetting to clean up after itself is worth it, I'd say.

Regarding alerts:
In general --as you no doubt agree with-- I think one best be very weary of violating specifications that RFCs are explicit and adamant about (i.e., all statements containing the absolutes "MUST" and "MUST NOT").

Either way, what I believe is most important here; is that a security-critical library such as s2n demonstrate to (potential) developers and auditors that any deviations from the RFCs are based on careful consideration. At the very least the code in question should contain some comment like RFC12345 specifies that we do <this>, but instead we do <that>, because <bullet points>. In addition --but possibly excessive, because I have no idea yet how much of this there is in s2n-- I think it would be a good idea to be extra upfront about it, and add a section to the DEVELOPER-GUIDE titled "RFC Deviations" or something containing all of them together.

I'm willing to help out (through pull requests), but I'm hesitating on how/if to proceed from here on... and a little weary of the possibility of falling into a deepening rabbit hole once I get going.

Anyway, I appreciate that you seem to keep an open mind on all the feedback you're probably swamped with. :)

[colmmacc]

Oh we'd definitely welcome Pull Requests and always try to be productive and avoid rabbit holes. I completely agree about honoring standards in general, but TLS can sometimes be a strain on that because they're been times where implementations have had to ignore the specs (at the time) for safety reasons. The original alert assisted Bleichenbacher attacks are what I'm thinking of there, and POODLE is another recent example where there are working mitigations if you're willing to ignore the standard.

I'm planning to put some serious time of my own into s2n over the comings weeks, so keep the feedback coming.