diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2014-10-24 12:30:33 +0100 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2015-01-05 23:52:28 +0000 |
| commit | 802a070bb6452dd9df49e550e0f3b16777e5232b (patch) | |
| tree | 7625fdd97fc935f7cb1c50f44054ea94505baf93 | |
| parent | 31c65a7bc0de7ff1446645d41af388893362f579 (diff) | |
ECDH downgrade bug fix.
Fix bug where an OpenSSL client would accept a handshake using an
ephemeral ECDH ciphersuites with the server key exchange message omitted.
Thanks to Karthikeyan Bhargavan for reporting this issue.
CVE-2014-3572
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b15f8769644b00ef7283521593360b7b2135cb63)
Conflicts:
CHANGES
| -rw-r--r-- | CHANGES | 7 | ||||
| -rw-r--r-- | ssl/s3_clnt.c | 18 |
2 files changed, 22 insertions, 3 deletions
@@ -4,6 +4,13 @@ Changes between 1.0.0o and 1.0.0p [xx XXX xxxx] + *) Abort handshake if server key exchange message is omitted for ephemeral + ECDH ciphersuites. + + Thanks to Karthikeyan Bhargavan for reporting this issue. + (CVE-2014-3572) + [Steve Henson] + *) Fix various certificate fingerprint issues. By using non-DER or invalid encodings outside the signed portion of a diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index e614f9693e..f2e9e548c5 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -1191,6 +1191,8 @@ int ssl3_get_key_exchange(SSL *s) int encoded_pt_len = 0; #endif + EVP_MD_CTX_init(&md_ctx); + /* use same message size as in ssl3_get_certificate_request() * as ServerKeyExchange message may be skipped */ n=s->method->ssl_get_message(s, @@ -1201,14 +1203,26 @@ int ssl3_get_key_exchange(SSL *s) &ok); if (!ok) return((int)n); + alg_k=s->s3->tmp.new_cipher->algorithm_mkey; + if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { + /* + * Can't skip server key exchange if this is an ephemeral + * ciphersuite. + */ + if (alg_k & (SSL_kEDH|SSL_kEECDH)) + { + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE); + al = SSL_AD_UNEXPECTED_MESSAGE; + goto f_err; + } #ifndef OPENSSL_NO_PSK /* In plain PSK ciphersuite, ServerKeyExchange can be omitted if no identity hint is sent. Set session->sess_cert anyway to avoid problems later.*/ - if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) + if (alg_k & SSL_kPSK) { s->session->sess_cert=ssl_sess_cert_new(); if (s->ctx->psk_identity_hint) @@ -1253,9 +1267,7 @@ int ssl3_get_key_exchange(SSL *s) /* Total length of the parameters including the length prefix */ param_len=0; - alg_k=s->s3->tmp.new_cipher->algorithm_mkey; alg_a=s->s3->tmp.new_cipher->algorithm_auth; - EVP_MD_CTX_init(&md_ctx); al=SSL_AD_DECODE_ERROR; |