Bug 962568

Summary: SSL DHE cipher suites broken in OpenJDK 7
Product: Red Hat Enterprise Linux 6 Reporter: Aaron Ogburn <aogburn>
Component: java-1.7.0-openjdkAssignee: Andrew John Hughes <ahughes>
Status: CLOSED CURRENTRELEASE QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4CC: jvanek, pe
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-07-01 12:22:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
test keystore
none
test openssl script none

Description Aaron Ogburn 2013-05-13 21:40:17 UTC 
Description of problem:

When performing Diffie-Hellman key agreement for SSL/TLS, the TLS
specification (RFC 5246) says that "Leading bytes of Z that contain all zero
bits are stripped before it is used as the pre_master_secret."

However, com.sun.crypto.provider.DHKeyAgreement.java does not strip leading
zero bytes. This causes approximately 1 out 256 SSL/TLS handshakes with
DH/DHE cipher suites to fail (when the leading byte happens, by chance, to
be zero).


Version-Release number of selected component (if applicable):

java 1.7.0.19. openjdk package version 2.3.9.1.el6_4


How reproducible:

Very


Steps to Reproduce:
1. Start the provided TestServer class:

java -Djavax.net.debug=all -Djavax.net.ssl.keyStore=./test_keystore.jks
-Djavax.net.ssl.keyStorePassword=password TestServer

2.  Test repeated connections through openssl.  Can use attached script:

./openssl_client.sh


You will occassionally see openssl gets a handshake failure.  The ssl logging logs a "SSLHandshakeException: Invalid Padding lengh"

  
Actual results: 

Roughly one out of 256 connections fail.


Expected results:

Every connection succeeds


Additional info:

It seems this commit from March 2012 inadvertently broke this:

http://hg.openjdk.java.net/jdk7u/jdk7u-gate/jdk/rev/e574e475c8a6

The commit was done to fix this bug:

http://bugs.sun.com/view_bug.do?bug_id=7146728
Comment 3 Aaron Ogburn 2013-05-13 21:43:13 UTC 
Created attachment 747450 [details]
test keystore
Comment 4 Aaron Ogburn 2013-05-13 21:43:37 UTC 
Created attachment 747451 [details]
test openssl script
Comment 5 Pasi Eronen 2013-05-14 11:01:26 UTC 
Reported to Oracle (bugs.sun.com) as bug 9001039; bug report available this this email on OpenJDK list:

http://mail.openjdk.java.net/pipermail/security-dev/2013-May/007435.html

A patch and testcase are available in OpenJDK Bugzilla:

https://bugs.openjdk.java.net/show_bug.cgi?id=100316
Comment 7 Pasi Eronen 2013-05-20 09:31:04 UTC 
This is now visible with Oracle bug ID 8014618:

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=8014618
Comment 8 Andrew John Hughes 2013-05-23 10:17:09 UTC 
Once this patch is committed upstream, it can be backported to the 7u trees.
Comment 9 Andrew John Hughes 2013-06-06 17:10:47 UTC 
http://hg.openjdk.java.net/jdk8/tl/jdk/rev/6407106f1b1c
http://icedtea.classpath.org/hg/icedtea7-forest/jdk/rev/5a7678b3a250
http://icedtea.classpath.org/hg/icedtea7-forest/jdk/rev/12756cb85ec1
Comment 10 Andrew John Hughes 2013-06-11 14:44:36 UTC 
Fixed in 2.4.0: http://blog.fuseyism.com/index.php/2013/06/10/icedtea-2-4-0-released/
Comment 11 Andrew John Hughes 2013-06-30 23:01:31 UTC 
In 2.3.10: http://blog.fuseyism.com/index.php/2013/06/28/security-icedtea-2-3-10-for-openjdk-7-released/

Need info from jvanek when this is packaged.
Comment 12 jiri vanek 2013-07-01 12:22:05 UTC 
6.4 have already recieved 2.3.10. So the issue should be fixed.