[openssl-dev] [openssl.org #4063] Client Hello longer than 2^14 bytes are rejected
Hubert Kario via RT
rt at openssl.org
Fri Sep 25 17:11:39 UTC 2015
On Friday 25 September 2015 16:54:02 Alessandro Ghedini via RT wrote:
> On Fri, Sep 25, 2015 at 04:17:33PM +0000, Matt Caswell via RT wrote:
> > On 25/09/15 17:05, Alessandro Ghedini via RT wrote:
> > > On Fri, Sep 25, 2015 at 03:02:27pm +0000, Hubert Kario via RT
wrote:
> > >> On Friday 25 September 2015 14:51:17 Alessandro Ghedini via RT
wrote:
> > >>> As a matter of test I changed the ssl_get_message() in
> > >>> ssl3_get_client_hello() to use 0xFFFFFF (uint24 max) as maximum
> > >>> size,
> > >>
> > >> it doesn't have in theory, but it does in practice, as extensions
> > >> can
> > >> only be 2^16 long, same for cipher suites, and you can't have
> > >> data
> > >> trailing the messages, so the actual size is limited to something
> > >> closer 2^18, so if the client hello parser is correct, it will
> > >> be limited by it> >
> > > Yeah, but OpenSSL first tries to "get" the handshake body and its
> > > length before parsing it (this is done by ssl3_get_message()). So
> > > the "max" argument is intended to be used, I imagine, as a sanity
> > > check: if the message exceeds that, then it's obviously broken
> > > and an "illegal parameters" alert is sent. This is done
> > > regardless of the message type, so the ClientHello parser has to
> > > do this as well.
> > >
> > > This max length check is not exactly smart (e.g. the max size of
> > > the SSLv3 ClientHello is very different from that of TLS) and
> > > could probably be removed completely, but I don't really know
> > > what the consequences of this would be. So the best next fix
> > > would simply be to provide an approximation of an absolute
> > > maximum length for the ClientHello (or just use 0xFFFFFF). I
> > > opened a pull request [0] with just this minimal fix. Anyone is
> > > very welcome to propose a better fix for this though.
> >
> > 0xffffff = 16777215 or 16Mb
> >
> > Allowing a ClientHello as big as this could enable a DoS attack.
> >
> > If I did my sums right I make the biggest possible valid ClientHello
> > to be 131396.
>
> I updated my patch to use this value now.
embedding magic values is rather bad form.
A define with extended comment describing how we arrived at this value
would be much better
--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150925/34e35219/attachment-0001.sig>
More information about the openssl-dev
mailing list