[openssl-dev] [openssl.org #4623] OpenSSL master regression in handling malformed Client Key Exchange messages in RSA key exchange

Hubert Kario via RT rt at openssl.org
Fri Jul 22 17:30:05 UTC 2016


On Friday, 22 July 2016 17:14:43 CEST Stephen Henson via RT wrote:
> On Fri Jul 22 14:56:11 2016, hkario at redhat.com wrote:
> > the issue is present in master 0ed26acce328ec16a3aa and looks to have been
> > introduced in commit:
>
> I tried what I thought was a fix for this which is to simply delete the
> lines:
> 
> if (decrypt_len < 0)
>     goto err;
> 
> from ssl/statem/statem_srvr.c
> 
> However your reproducer still indicates errors. I checked the message logs
> and it should be now sending as many alerts as the original. The difference
> however is that some of them will be sent immediately whereas originally
> they would be at the end of the handshake.
> 
> Could your reproducer possibly not be expecting this?


sorry, I copied this part:

> when the OpenSSL receives a Client Key Exchange message that has the encrypted
> premaster secret comprised only of zero bytes, or equal to server's modulus,
> the server just aborts the connection without sending an Alert message

from the DHE/ECDHE bug reports

the expected behaviour is to continue the connection, but the server should
select a premaster secret that was not provided by the client; instead, OpenSSL
just closes the connection
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4623
Please log in as guest with password guest if prompted
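
The behaviour the message above expects (continue the handshake with a premaster secret the client did not provide) is the RSA countermeasure of RFC 5246 section 7.4.7.1. The sketch below is an added example, not part of the original message and not OpenSSL's code: `select_premaster`, `ct_eq` and the fixed-size buffer convention are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PMS_LEN 48 /* TLS RSA premaster secret: 2 version bytes + 46 random */

/* 0xFF if a == b, 0x00 otherwise, with no data-dependent branch. */
static uint8_t ct_eq(uint32_t a, uint32_t b)
{
    uint32_t x = a ^ b; /* zero only when equal */
    return (uint8_t)(((x | (0u - x)) >> 31) - 1u);
}

/*
 * Hypothetical helper, not OpenSSL's function.
 * decrypted:   fixed PMS_LEN-byte buffer the RSA step wrote into (assumed
 *              to be that size even when decryption failed)
 * decrypt_len: length reported by the RSA step, negative on padding failure
 * fallback:    PMS_LEN random bytes generated before decryption was tried
 * Always returns 1: a bad ciphertext must not end the handshake here.
 */
int select_premaster(const uint8_t decrypted[PMS_LEN], int decrypt_len,
                     uint16_t client_version,
                     const uint8_t fallback[PMS_LEN], uint8_t out[PMS_LEN])
{
    uint8_t good = ct_eq((uint32_t)decrypt_len, PMS_LEN);
    good &= ct_eq(decrypted[0], (uint32_t)(client_version >> 8));
    good &= ct_eq(decrypted[1], (uint32_t)(client_version & 0xff));

    /* Byte-wise select: decrypted value if good, random fallback if not. */
    for (size_t i = 0; i < PMS_LEN; i++)
        out[i] = (uint8_t)((decrypted[i] & good) | (fallback[i] & (uint8_t)~good));
    return 1;
}

int main(void)
{
    /* Constructed inputs: a failed decryption (-1) and a stand-in fallback. */
    uint8_t junk[PMS_LEN] = {0}, fallback[PMS_LEN], out[PMS_LEN];
    memset(fallback, 0xA5, sizeof fallback); /* real code uses a CSPRNG */
    int rc = select_premaster(junk, -1, 0x0303, fallback, out);
    printf("rc=%d used_fallback=%d\n", rc, memcmp(out, fallback, PMS_LEN) == 0);
    return 0;
}
```

With the fallback in place the handshake fails later, at Finished verification, in the same way for every malformed ciphertext, so the server's response does not reveal whether RSA decryption succeeded.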
