From 831cbbb5dd4a569b12f3f1ae9a6688ccee8edd24 Mon Sep 17 00:00:00 2001 From: Norbert Pocs Date: Fri, 9 May 2025 11:48:17 +0200 Subject: [PATCH] statem_srvr.c: Add check for empty ecdhe encoded key The RFC definition about the errors is very vague. The TLSv1.3 RFC is a bit more specific about decode_error (but if this specific case goes for decode_error or illegal parameter is still debatable): ``` decode_error: A message could not be decoded because some field was out of the specified range or the length of the message was incorrect. This alert is used for errors where the message does not conform to the formal protocol syntax. This alert should never be observed in communication between proper implementations, except when messages were corrupted in the network. ``` Thank you @GeorgePantelakis for reporting this issue! Resolves: #27530 Signed-off-by: Norbert Pocs Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/27594) --- ssl/statem/statem_srvr.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index b93a97999de..dceec1a5870 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -3140,8 +3140,11 @@ static int tls_process_cke_ecdhe(SSL_CONNECTION *s, PACKET *pkt) * ClientKeyExchange message. */ - /* Get encoded point length */ - if (!PACKET_get_1(pkt, &i) || !PACKET_get_bytes(pkt, &data, i) + /* + * Get encoded point length + * empty key should be handled here + */ + if (!PACKET_get_1(pkt, &i) || i == 0 || !PACKET_get_bytes(pkt, &data, i) || PACKET_remaining(pkt) != 0) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); goto err; -- 2.47.3