[openssl-dev] [openssl.org #4511] s_server does not send Alert messages upon receiving malformed Client Key Exchange messages in DHE key exchange

Hubert Kario via RT rt at openssl.org
Fri Apr 15 13:22:52 UTC 2016 

Using either current 1.0.1 or 1.0.2 branch (7a433893a and 9676402c3a
respectively) openssl s_server command does not send Alert message upon
receiving a malformed or invalid Client Key Exchange message in DHE key
exchange.

That applies to messages that are longer and shorter than needed as well
as messages that include client key shares bigger than the prime selected
by server.

Reproducer:
===========
(requires Python 2.6, 3.2 or later)
git clone https://github.com/tomato42/tlsfuzzer.git
pushd tlsfuzzer
git checkout bad-dhe # won't be necessary in future
git clone https://github.com/warner/python-ecdsa .python-ecdsa
ln -s .python-ecdsa/ecdsa ecdsa
git clone https://github.com/tomato42/tlslite-ng.git .tlslite-ng
pushd .tlslite-ng
git checkout buffered-socket # won't be necessary in future
popd
ln -s .tlslite-ng/tlslite tlslite
popd
openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -nodes -batch -subj /CN=localhost
openssl s_server -www -key localhost.key -cert localhost.crt
# in another terminal, same directory
PYTHONPATH=tlsfuzzer python tlsfuzzer/scripts/test-dhe-rsa-key-exchange-with-bad-messages.py


OpenSSL output:
===============
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
140482987349656:error:1408B094:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:dh public value length is wrong:s3_srvr.c:2363:
ACCEPT
140482987349656:error:05066066:Diffie-Hellman routines:COMPUTE_KEY:invalid public key:dh_key.c:230:
140482987349656:error:1408B005:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:DH lib:s3_srvr.c:2395:
ACCEPT
ACCEPT
140482987349656:error:1408B094:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:dh public value length is wrong:s3_srvr.c:2363:
ACCEPT


Result:
=======
padded Client Key Exchange ...
Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x7f9189fa4c10> (child: <tlsfuzzer.expect.ExpectClose object at 0x7f9189fa4c50>) with last message being: None
Error while processing
Traceback (most recent call last):
  File "tlsfuzzer/scripts/test-dhe-rsa-key-exchange-with-bad-messages.py", line 137, in main
    runner.run()
  File "/tmp/tlsfuzzer/tlsfuzzer/runner.py", line 145, in run
    raise AssertionError("Unexpected closure from peer")
AssertionError: Unexpected closure from peer


invalid dh_Yc value - 8192b ...
Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x7f9189fa4790> (child: <tlsfuzzer.expect.ExpectClose object at 0x7f9189fa47d0>) with last message being: None
Error while processing
Traceback (most recent call last):
  File "tlsfuzzer/scripts/test-dhe-rsa-key-exchange-with-bad-messages.py", line 137, in main
    runner.run()
  File "/tmp/tlsfuzzer/tlsfuzzer/runner.py", line 145, in run
    raise AssertionError("Unexpected closure from peer")
AssertionError: Unexpected closure from peer


sanity check DHE_RSA_AES_128 ...
OK

truncated dh_Yc value ...
Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x7f9189fa49d0> (child: <tlsfuzzer.expect.ExpectClose object at 0x7f9189fa4a10>) with last message being: None
Error while processing
Traceback (most recent call last):
  File "tlsfuzzer/scripts/test-dhe-rsa-key-exchange-with-bad-messages.py", line 137, in main
    runner.run()
  File "/tmp/tlsfuzzer/tlsfuzzer/runner.py", line 145, in run
    raise AssertionError("Unexpected closure from peer")
AssertionError: Unexpected closure from peer


Test end
successful: 1
failed: 3


Expected result:
================
padded Client Key Exchange ...
OK

invalid dh_Yc value - 8192b ...
OK

sanity check DHE_RSA_AES_128 ...
OK

truncated dh_Yc value ...
OK

Test end
successful: 4
failed: 0
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4511
Please log in as guest with password guest if prompted

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160415/043bed80/attachment.sig>

More information about the openssl-dev mailing list