diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2014-10-24 12:30:33 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2015-01-05 23:59:04 +0000 |
commit | e42a2abadc90664e2615dc63ba7f79cf163f780a (patch) | |
tree | 9e98eb7d77dade5a272e791642e4db89fefefead | |
parent | ec2fede9467ae1a65f452d3a39f7fbc4891d9285 (diff) |
ECDH downgrade bug fix.
Fix bug where an OpenSSL client would accept a handshake using an
ephemeral ECDH ciphersuites with the server key exchange message omitted.
Thanks to Karthikeyan Bhargavan for reporting this issue.
CVE-2014-3572
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b15f8769644b00ef7283521593360b7b2135cb63)
Conflicts:
CHANGES
ssl/s3_clnt.c
-rw-r--r-- | CHANGES | 7 | ||||
-rw-r--r-- | ssl/s3_clnt.c | 15 |
2 files changed, 20 insertions, 2 deletions
@@ -4,6 +4,13 @@ Changes between 0.9.8zc and 0.9.8zd [xx XXX xxxx] + *) Abort handshake if server key exchange message is omitted for ephemeral + ECDH ciphersuites. + + Thanks to Karthikeyan Bhargavan for reporting this issue. + (CVE-2014-3572) + [Steve Henson] + *) Fix various certificate fingerprint issues. By using non-DER or invalid encodings outside the signed portion of a diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 4828937566..256fc94e26 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -1123,8 +1123,21 @@ int ssl3_get_key_exchange(SSL *s) if (!ok) return((int)n); + alg=s->s3->tmp.new_cipher->algorithms; + EVP_MD_CTX_init(&md_ctx); + if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { + /* + * Can't skip server key exchange if this is an ephemeral + * ciphersuite. + */ + if (alg & (SSL_kEDH|SSL_kECDHE)) + { + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE); + al = SSL_AD_UNEXPECTED_MESSAGE; + goto f_err; + } s->s3->tmp.reuse_message=1; return(1); } @@ -1162,8 +1175,6 @@ int ssl3_get_key_exchange(SSL *s) /* Total length of the parameters including the length prefix */ param_len=0; - alg=s->s3->tmp.new_cipher->algorithms; - EVP_MD_CTX_init(&md_ctx); al=SSL_AD_DECODE_ERROR; #ifndef OPENSSL_NO_RSA |