[openssl-dev] [openssl.org #4063] Client Hello longer than 2^14 bytes are rejected

[Alessandro Ghedini via RT]

On Fri, Sep 25, 2015 at 02:02:36pm +0000, Hubert Kario via RT wrote:
> On Friday 25 September 2015 13:55:56 Alessandro Ghedini via RT wrote:
> > On Fri, Sep 25, 2015 at 01:20:12pm +0000, Hubert Kario via RT wrote:
> > > Current OpenSSL-1.0.1, 1.0.2 as well as state-machine-rewrite
> > > branches reject Client Hello messages bigger than 2^14+4 bytes.
> > 
> > IIRC SSLv3 does place the limit at 2^14 or so bytes, so I think the
> > problem is that OpenSSL only checks for that.
> 
> yes, it does place a limit of 2^14, but only on _records_, not handshake 
> messages that travel in those records
> 
> > I think a proper fix would be to have all the ssl_get_message() calls
> > changed to use the proper "max" parameter depending on the protocol
> > version.
> 
> As far as I can tell, SSLv3, TLS1.0, TLS1.1 and TLS1.2 are exactly the 
> same as in they don't specify any upper size limit for the Handshake 
> protocol messages or Client Hello specifically other than the limits 
> enforced by the length fields themselves.
> 
> Remember, the records are completely independent of messages that travel 
> through them, record layer is just there to multiplex the different 
> protocols that are required for TLS to work (handshake, CCS, application 
> data, etc.)

Right. Some of the handshake messages do have a maximum length though (e.g.
ChangeCipherSpace), so the maximum length check shouldn't be removed (as a
sanity check). In the case of ClientHello, the minimal fix for the problem
then is just a matter of finding the absolute maximum it can hold (which may
as well be whatever the Handshake length field maximum value is).

As a matter of test I changed the ssl_get_message() in ssl3_get_client_hello()
to use 0xFFFFFF (uint24 max) as maximum size, and the tlsfuzzer failures went
from 5 to 2, are all the tests supposed to pass? If so, then there's another
problem as well.

Cheers