Using either current 1.0.1 or 1.0.2 branch (7a433893a and 9676402c3a respectively) openssl s_server command does not send Alert message upon receiving a malformed or invalid Client Key Exchange message in DHE key exchange.
That applies to messages that are longer and shorter than needed as well as messages that include client key shares bigger than the prime selected by server.

Reproducer:
===========
(requires Python 2.6, 3.2 or later)
git clone https://github.com/tomato42/tlsfuzzer.git
pushd tlsfuzzer
git checkout bad-dhe # won't be necessary in future
git clone https://github.com/warner/python-ecdsa .python-ecdsa
ln -s .python-ecdsa/ecdsa ecdsa
git clone https://github.com/tomato42/tlslite-ng.git .tlslite-ng
pushd .tlslite-ng
git checkout buffered-socket # won't be necessary in future
popd
ln -s .tlslite-ng/tlslite tlslite
popd
openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -nodes -batch -subj /CN=localhost
openssl s_server -www -key localhost.key -cert localhost.crt
# in another terminal, same directory
PYTHONPATH=tlsfuzzer python tlsfuzzer/scripts/test-dhe-rsa-key-exchange-with-bad-messages.py

OpenSSL output:
===============
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
140482987349656:error:1408B094:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:dh public value length is wrong:s3_srvr.c:2363:
ACCEPT
140482987349656:error:05066066:Diffie-Hellman routines:COMPUTE_KEY:invalid public key:dh_key.c:230:
140482987349656:error:1408B005:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:DH lib:s3_srvr.c:2395:
ACCEPT
ACCEPT
140482987349656:error:1408B094:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:dh public value length is wrong:s3_srvr.c:2363:
ACCEPT

Result:
=======
padded Client Key Exchange ...
Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x7f9189fa4c10> (child: <tlsfuzzer.expect.ExpectClose object at 0x7f9189fa4c50>) with last message being: None
Error while processing
Traceback (most recent call last):
  File "tlsfuzzer/scripts/test-dhe-rsa-key-exchange-with-bad-messages.py", line 137, in main
    runner.run()
  File "/tmp/tlsfuzzer/tlsfuzzer/runner.py", line 145, in run
    raise AssertionError("Unexpected closure from peer")
AssertionError: Unexpected closure from peer

invalid dh_Yc value - 8192b ...
Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x7f9189fa4790> (child: <tlsfuzzer.expect.ExpectClose object at 0x7f9189fa47d0>) with last message being: None
Error while processing
Traceback (most recent call last):
  File "tlsfuzzer/scripts/test-dhe-rsa-key-exchange-with-bad-messages.py", line 137, in main
    runner.run()
  File "/tmp/tlsfuzzer/tlsfuzzer/runner.py", line 145, in run
    raise AssertionError("Unexpected closure from peer")
AssertionError: Unexpected closure from peer

sanity check DHE_RSA_AES_128 ... OK
truncated dh_Yc value ...
Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x7f9189fa49d0> (child: <tlsfuzzer.expect.ExpectClose object at 0x7f9189fa4a10>) with last message being: None
Error while processing
Traceback (most recent call last):
  File "tlsfuzzer/scripts/test-dhe-rsa-key-exchange-with-bad-messages.py", line 137, in main
    runner.run()
  File "/tmp/tlsfuzzer/tlsfuzzer/runner.py", line 145, in run
    raise AssertionError("Unexpected closure from peer")
AssertionError: Unexpected closure from peer

Test end
successful: 1
failed: 3

Expected result:
================
padded Client Key Exchange ... OK
invalid dh_Yc value - 8192b ... OK
sanity check DHE_RSA_AES_128 ... OK
truncated dh_Yc value ... OK
Test end
successful: 4
failed: 0

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4511
Please log in as guest with password guest if prompted
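
Added example, not part of the original report and not OpenSSL or tlsfuzzer code: a sketch of the server-side check the three failing cases exercise, returning the alert to send instead of closing silently. The function names, the toy prime and the choice of decode_error for length faults and illegal_parameter for out-of-range shares are assumptions based on the alert definitions in RFC 5246.

```python
import struct

# AlertDescription values from RFC 5246, section 7.2
ILLEGAL_PARAMETER = 47
DECODE_ERROR = 50

# Constructed toy prime (2**32 - 5) so the sample stays readable;
# a real server would use the p it sent in ServerKeyExchange.
P = 0xFFFFFFFB


def check_dhe_cke(body, p):
    """Validate a DHE ClientKeyExchange body (handshake header removed).

    Returns (dh_Yc, None) when acceptable, or (None, alert) with the
    alert description to send before closing the connection.
    """
    if len(body) < 2:
        return None, DECODE_ERROR
    (yc_len,) = struct.unpack(">H", body[:2])
    # The 2-byte length prefix must cover exactly the remaining bytes:
    # fewer means a truncated value, more means trailing padding.
    if yc_len == 0 or yc_len != len(body) - 2:
        return None, DECODE_ERROR
    yc = int.from_bytes(body[2:], "big")
    # Reject 0, 1, p-1 and anything at or above the prime.
    if not 1 < yc < p - 1:
        return None, ILLEGAL_PARAMETER
    return yc, None


def encode_cke(yc):
    """Build a well-formed body: uint16 length followed by dh_Yc."""
    raw = yc.to_bytes((yc.bit_length() + 7) // 8 or 1, "big")
    return struct.pack(">H", len(raw)) + raw


def run_cases():
    # Constructed inputs mirroring the test names in the report.
    good = encode_cke(0x12345678)
    cases = {
        "sanity": good,
        "padded": good + b"\x00",
        "truncated": good[:-1],
        "share above prime": encode_cke(P + 1),
    }
    return {name: check_dhe_cke(body, P) for name, body in cases.items()}
```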