diff options
author | Matt Caswell <matt@openssl.org> | 2017-02-03 14:06:20 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-02-16 09:39:06 +0000 |
commit | 4ad93618d26a3ea23d36ad5498ff4f59eff3a4d2 (patch) | |
tree | cf50c7a4eaaf7620c3decf0d116d5c0b08523e1b /ssl/t1_enc.c | |
parent | 9c5a691d578a4debfd6ecacc030a85900906bf0d (diff) |
Don't change the state of the ETM flags until CCS processing
Changing the ciphersuite during a renegotiation can result in a crash
leading to a DoS attack. ETM has not been implemented in 1.1.0 for DTLS
so this is TLS only.
The problem is caused by changing the flag indicating whether to use ETM
or not immediately on negotiation of ETM, rather than at CCS. Therefore,
during a renegotiation, if the ETM state is changing (usually due to a
change of ciphersuite), then an error/crash will occur.
Due to the fact that there are separate CCS messages for read and write
we actually now need two flags to determine whether to use ETM or not.
CVE-2017-3733
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'ssl/t1_enc.c')
-rw-r--r-- | ssl/t1_enc.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 4aa5ddd18a..0fb88af249 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -130,6 +130,11 @@ int tls1_change_cipher_state(SSL *s, int which) #endif if (which & SSL3_CC_READ) { + if (s->tlsext_use_etm) + s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_READ; + else + s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_READ; + if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM; else @@ -168,6 +173,11 @@ int tls1_change_cipher_state(SSL *s, int which) mac_secret = &(s->s3->read_mac_secret[0]); mac_secret_size = &(s->s3->read_mac_secret_size); } else { + if (s->tlsext_use_etm) + s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE; + else + s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE; + if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; else @@ -367,9 +377,8 @@ int tls1_setup_key_block(SSL *s) if (s->s3->tmp.key_block_length != 0) return (1); - if (!ssl_cipher_get_evp - (s->session, &c, &hash, &mac_type, &mac_secret_size, &comp, - SSL_USE_ETM(s))) { + if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type, &mac_secret_size, + &comp, s->tlsext_use_etm)) { SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); return (0); } |