Open Bug 1210782 Opened 9 years ago Updated 2 years ago

Malformed Client Key Exchange messages are accepted (Handshake.length)

Categories

(NSS :: Libraries, defect, P3)

3.20

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: hkario, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
Build ID: 20150922120153

Steps to reproduce:

Client sends a Client Key Exchange message during RSA key exchange in which the Handshake.length field doesn't match the EncryptedPreMasterSecret.length field.

Automated reproducer:
mkdir nssdb
certutil -N -d sql:nssdb/ --empty-password
openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -nodes -batch
openssl pkcs12 -export -out cert.p12 -passout pass: -inkey localhost.key -name localhost -keypbe DES-EDE3-CBC -macalg SHA1 -in localhost.crt
pk12util -i cert.p12 -d sql:nssdb/ -W ''
./selfserv -n localhost -d sql:nssdb/ -p 4433 -V ssl3:

In a different console:
pip install --pre tlslite-ng
git clone https://github.com/tomato42/tlsfuzzer.git
cd tlsfuzzer
PYTHONPATH=. python scripts/test-truncating-of-kRSA-client-key-exchange.py


Actual results:

The server didn't send an Alert message


Expected results:

Server should have sent a decode_error message:

RFC 5246:
   A server MUST accept ClientHello
   messages both with and without the extensions field, and (as for all
   other messages) it MUST check that the amount of data in the message
   precisely matches one of these formats; if not, then it MUST send a
   fatal "decode_error" alert.
Priority: -- → P3
Severity: normal → S3
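
The strict length check the report expects from the server, written as an added example; it is not NSS code and not part of the original report. It assumes TLS 1.0 or later framing, where EncryptedPreMasterSecret carries a 2-byte length prefix, and a handshake message that has already been reassembled from records. All function and constant names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example; all names are hypothetical, not NSS identifiers. */
enum { HS_CLIENT_KEY_EXCHANGE = 16 };   /* HandshakeType, RFC 5246 */
enum { ALERT_NONE = 0, ALERT_UNEXPECTED_MESSAGE = 10, ALERT_DECODE_ERROR = 50 };

/* Validate the framing of a reassembled TLS 1.x RSA ClientKeyExchange:
 *   msg_type(1) | Handshake.length(3) | EncryptedPreMasterSecret.length(2) | data
 * Returns ALERT_NONE and sets *epms / *epms_len, or the fatal alert to send. */
int check_rsa_cke(const uint8_t *msg, size_t msg_len,
                  const uint8_t **epms, size_t *epms_len)
{
    size_t hs_len, vec_len;

    *epms = NULL;
    *epms_len = 0;
    if (msg_len < 4)
        return ALERT_DECODE_ERROR;
    if (msg[0] != HS_CLIENT_KEY_EXCHANGE)
        return ALERT_UNEXPECTED_MESSAGE;
    hs_len = ((size_t)msg[1] << 16) | ((size_t)msg[2] << 8) | msg[3];
    /* Need the declared body exactly, and room for the 2-byte vector length. */
    if (hs_len != msg_len - 4 || hs_len < 2)
        return ALERT_DECODE_ERROR;
    vec_len = ((size_t)msg[4] << 8) | msg[5];
    /* The vector must fill the body precisely: no truncation, no trailing bytes. */
    if (vec_len != hs_len - 2)
        return ALERT_DECODE_ERROR;
    *epms = msg + 6;
    *epms_len = vec_len;
    return ALERT_NONE;
}

/* Build a constructed (zero-filled) message with independent length fields and check it. */
int check_constructed(size_t hs_len, size_t vec_len, size_t data_len)
{
    uint8_t buf[6 + 64] = { HS_CLIENT_KEY_EXCHANGE };
    const uint8_t *epms;
    size_t epms_len;

    if (data_len > 64)
        return -1;
    buf[1] = (uint8_t)(hs_len >> 16); buf[2] = (uint8_t)(hs_len >> 8); buf[3] = (uint8_t)hs_len;
    buf[4] = (uint8_t)(vec_len >> 8); buf[5] = (uint8_t)vec_len;
    return check_rsa_cke(buf, 6 + data_len, &epms, &epms_len);
}

int main(void) { return check_constructed(50, 48, 48) != ALERT_NONE; }
```

Only a message whose two length fields agree with each other and with the bytes actually received reaches RSA decryption; every other combination maps to a fatal decode_error.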