Hubert Kario via RT
2016-04-15 13:22:52 UTC
Using either the current 1.0.1 or 1.0.2 branch (7a433893a and 9676402c3a
respectively), the openssl s_server command does not send an Alert message upon
receiving a malformed or invalid Client Key Exchange message in a DHE key
exchange.
That applies to messages that are longer and shorter than needed, as well
as messages that include client key shares bigger than the prime selected
by the server.
Reproducer:
===========
(requires Python 2.6, 3.2 or later)
git clone https://github.com/tomato42/tlsfuzzer.git
pushd tlsfuzzer
git checkout bad-dhe # won't be necessary in future
git clone https://github.com/warner/python-ecdsa .python-ecdsa
ln -s .python-ecdsa/ecdsa ecdsa
git clone https://github.com/tomato42/tlslite-ng.git .tlslite-ng
pushd .tlslite-ng
git checkout buffered-socket # won't be necessary in future
popd
ln -s .tlslite-ng/tlslite tlslite
popd
openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -nodes -batch -subj /CN=localhost
openssl s_server -www -key localhost.key -cert localhost.crt
# in another terminal, same directory
PYTHONPATH=tlsfuzzer python tlsfuzzer/scripts/test-dhe-rsa-key-exchange-with-bad-messages.py
OpenSSL output:
===============
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
140482987349656:error:1408B094:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:dh public value length is wrong:s3_srvr.c:2363:
ACCEPT
140482987349656:error:05066066:Diffie-Hellman routines:COMPUTE_KEY:invalid public key:dh_key.c:230:
140482987349656:error:1408B005:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:DH lib:s3_srvr.c:2395:
ACCEPT
ACCEPT
140482987349656:error:1408B094:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:dh public value length is wrong:s3_srvr.c:2363:
ACCEPT
Result:
=======
padded Client Key Exchange ...
Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x7f9189fa4c10> (child: <tlsfuzzer.expect.ExpectClose object at 0x7f9189fa4c50>) with last message being: None
Error while processing
Traceback (most recent call last):
  File "tlsfuzzer/scripts/test-dhe-rsa-key-exchange-with-bad-messages.py", line 137, in main
    runner.run()
  File "/tmp/tlsfuzzer/tlsfuzzer/runner.py", line 145, in run
    raise AssertionError("Unexpected closure from peer")
AssertionError: Unexpected closure from peer
invalid dh_Yc value - 8192b ...
Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x7f9189fa4790> (child: <tlsfuzzer.expect.ExpectClose object at 0x7f9189fa47d0>) with last message being: None
Error while processing
Traceback (most recent call last):
  File "tlsfuzzer/scripts/test-dhe-rsa-key-exchange-with-bad-messages.py", line 137, in main
    runner.run()
  File "/tmp/tlsfuzzer/tlsfuzzer/runner.py", line 145, in run
    raise AssertionError("Unexpected closure from peer")
AssertionError: Unexpected closure from peer
sanity check DHE_RSA_AES_128 ...
OK
truncated dh_Yc value ...
Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x7f9189fa49d0> (child: <tlsfuzzer.expect.ExpectClose object at 0x7f9189fa4a10>) with last message being: None
Error while processing
Traceback (most recent call last):
  File "tlsfuzzer/scripts/test-dhe-rsa-key-exchange-with-bad-messages.py", line 137, in main
    runner.run()
  File "/tmp/tlsfuzzer/tlsfuzzer/runner.py", line 145, in run
    raise AssertionError("Unexpected closure from peer")
AssertionError: Unexpected closure from peer
Test end
successful: 1
failed: 3
Expected result:
================
padded Client Key Exchange ...
OK
invalid dh_Yc value - 8192b ...
OK
sanity check DHE_RSA_AES_128 ...
OK
truncated dh_Yc value ...
OK
Test end
successful: 4
failed: 0
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4511
Please log in as guest with password guest if prompted
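
The behaviour the report expects from a server, as an added Python 3 example that is not part of the original message and is not OpenSSL or tlsfuzzer code: parse the DHE Client Key Exchange body, and answer a bad one with a fatal alert record before closing. The function names, the toy modulus, the TLS 1.2 record version and the choice of decode_error versus illegal_parameter (per the RFC 5246 alert definitions) are assumptions of this example.

```python
import struct

ILLEGAL_PARAMETER, DECODE_ERROR = 47, 50  # alert descriptions, RFC 5246 section 7.2
TOY_P = 2**61 - 1  # constructed toy modulus for the demo, far too small for real use

class FatalAlert(Exception):
    """Carries the alert description the server should send."""
    def __init__(self, description, reason):
        super().__init__(reason)
        self.description = description

def parse_dhe_cke(body, p):
    """Return dh_Yc as an int, or raise FatalAlert for a bad message body."""
    if len(body) < 2:
        raise FatalAlert(DECODE_ERROR, "missing dh_Yc length prefix")
    (yc_len,) = struct.unpack("!H", body[:2])
    # Both padded and truncated bodies disagree with the 2-byte length prefix.
    if yc_len == 0 or yc_len != len(body) - 2:
        raise FatalAlert(DECODE_ERROR, "dh_Yc length does not match message")
    yc = int.from_bytes(body[2:], "big")
    if not 1 < yc < p - 1:
        raise FatalAlert(ILLEGAL_PARAMETER, "dh_Yc outside 2..p-2")
    return yc

def alert_record(description, version=(3, 3)):
    """Plaintext TLS record: content type 21 (alert), level 2 (fatal)."""
    payload = bytes([2, description])
    return bytes([21, *version]) + struct.pack("!H", len(payload)) + payload

def handle_cke(body, p):
    """Accept Yc, or return the alert bytes to write before closing the socket."""
    try:
        return ("continue", parse_dhe_cke(body, p))
    except FatalAlert as exc:
        return ("send_then_close", alert_record(exc.description))

def constructed_cases():
    """Constructed bodies mirroring the four test names in the report."""
    good = struct.pack("!H", 8) + (0x1234).to_bytes(8, "big")
    big = (2**8192 - 1).to_bytes(1024, "big")
    return {"sanity": good, "padded": good + b"\x00", "truncated": good[:-1],
            "invalid 8192b": struct.pack("!H", len(big)) + big}

if __name__ == "__main__":
    for name, body in constructed_cases().items():
        action, value = handle_cke(body, TOY_P)
        print(name, action, value.hex() if isinstance(value, bytes) else hex(value))
```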