Bug 1758602

Summary: OpenSSL will send unexpected alert for too short ciphertext with specific ciphersuites [rhel-7]
Product: Red Hat Enterprise Linux 7
Reporter: Alicja Kario <hkario>
Component: openssl
Assignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low
Docs Contact:
Priority: low
Version: 7.8
CC: qe-baseos-security, tmraz
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1758587
Environment:
Last Closed: 2019-10-07 06:15:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1758587
Bug Blocks:

Description Alicja Kario 2019-10-04 15:24:09 UTC
+++ This bug was initially created as a clone of Bug #1758587 +++

Description of problem:
When the ciphertext is too small to contain IV, MAC and padding, openssl will send decryption_failed alert instead of the bad_record_mac.
This happens only for ciphers that do not use the "stitched" implementation of a cipher that combines the symmetric cipher with the HMAC.

Version-Release number of selected component (if applicable):
openssl-1.1.1c-2.el8

How reproducible:
always

Steps to Reproduce:
1. send a 16 bytes long ciphertext in a TLS record after negotiating TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 or TLS_RSA_WITH_3DES_EDE_CBC_SHA

Actual results:
server replies with decryption_failed

Expected results:
bad_record_mac alert

Additional info:
since the check is based on publicly visible data (the length of ciphertext), the difference in alert returned can't be used as a padding oracle for decryption

--- Additional comment from Tomas Mraz on 2019-10-04 15:05:00 UTC ---

Trivial fix.
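
The length check described in this report, as an added example (not code from the bug report or from OpenSSL): it computes the smallest CBC record that can hold an IV, a MAC and padding for the two ciphersuites named in the reproducer, and maps a too-short or misaligned record to bad_record_mac. The `cbc_suite` struct and the function names are hypothetical, and the explicit per-record IV of TLS 1.1/1.2 is assumed.

```c
#include <stddef.h>

/* TLS alert descriptions (RFC 5246, section 7.2). */
enum {
    ALERT_NONE              = -1, /* no length-based rejection */
    ALERT_BAD_RECORD_MAC    = 20,
    ALERT_DECRYPTION_FAILED = 21  /* reserved in TLS 1.2, must not be sent */
};

/* Hypothetical descriptor for a CBC ciphersuite; not an OpenSSL type. */
struct cbc_suite {
    size_t block_len; /* cipher block size, also the explicit IV size */
    size_t mac_len;   /* HMAC output size */
};

/* The two suites from the reproducer. */
static const struct cbc_suite AES256_CBC_SHA384 = { 16, 48 };
static const struct cbc_suite TDES_EDE_CBC_SHA  = {  8, 20 };

/*
 * Smallest valid ciphertext: explicit IV, then MAC plus the one-byte
 * padding length, rounded up to a whole number of cipher blocks.
 */
size_t min_cbc_record_len(const struct cbc_suite *s)
{
    size_t body   = s->mac_len + 1;
    size_t blocks = (body + s->block_len - 1) / s->block_len;

    return s->block_len + blocks * s->block_len;
}

/*
 * Alert chosen from the ciphertext length alone. Both failure cases map
 * to bad_record_mac, the same alert a MAC or padding failure produces,
 * so the peer sees a single alert for every malformed CBC record.
 */
int alert_for_length(const struct cbc_suite *s, size_t ciphertext_len)
{
    if (ciphertext_len < min_cbc_record_len(s))
        return ALERT_BAD_RECORD_MAC;
    if (ciphertext_len % s->block_len != 0)
        return ALERT_BAD_RECORD_MAC;
    return ALERT_NONE; /* long enough: continue to decrypt and MAC check */
}
```

The 16-byte record from the reproducer is below the minimum for both suites (80 bytes for AES-256-CBC-SHA384, 32 bytes for 3DES-EDE-CBC-SHA under the explicit-IV assumption).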