diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2014-10-23 17:09:57 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2015-01-06 13:27:22 +0000 |
commit | 72f181539118828ca966a0f8d03f6428e2bcf0d6 (patch) | |
tree | 634e6010fe0142661f0002fe6e9af57f874165c2 /ssl | |
parent | e42a2abadc90664e2615dc63ba7f79cf163f780a (diff) |
Only allow ephemeral RSA keys in export ciphersuites.
OpenSSL clients would tolerate temporary RSA keys in non-export
ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which
enabled this server side. Remove both options as they are a
protocol violation.
Thanks to Karthikeyan Bhargavan for reporting this issue.
(CVE-2015-0204)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 4b4c1fcc88aec8c9e001b0a0077d3cd4de1ed0e6)
Conflicts:
CHANGES
doc/ssl/SSL_CTX_set_options.pod
ssl/d1_srvr.c
ssl/s3_srvr.c
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/d1_srvr.c | 16 | ||||
-rw-r--r-- | ssl/s3_clnt.c | 7 | ||||
-rw-r--r-- | ssl/s3_srvr.c | 16 | ||||
-rw-r--r-- | ssl/ssl.h | 5 |
4 files changed, 13 insertions, 31 deletions
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c index 0e6bf46c02..0e9bb204ad 100644 --- a/ssl/d1_srvr.c +++ b/ssl/d1_srvr.c @@ -371,23 +371,11 @@ int dtls1_accept(SSL *s) /* clear this, it may get reset by * send_server_key_exchange */ - if ((s->options & SSL_OP_EPHEMERAL_RSA) -#ifndef OPENSSL_NO_KRB5 - && !(l & SSL_KRB5) -#endif /* OPENSSL_NO_KRB5 */ - ) - /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key - * even when forbidden by protocol specs - * (handshake may fail as clients are not required to - * be able to handle this) */ - s->s3->tmp.use_rsa_tmp=1; - else - s->s3->tmp.use_rsa_tmp=0; + s->s3->tmp.use_rsa_tmp=0; /* only send if a DH key exchange, fortezza or * RSA but we have a sign only certificate */ - if (s->s3->tmp.use_rsa_tmp - || (l & (SSL_DH|SSL_kFZA)) + if ((l & (SSL_DH|SSL_kFZA)) || ((l & SSL_kRSA) && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 256fc94e26..2402a06163 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -1180,6 +1180,13 @@ int ssl3_get_key_exchange(SSL *s) #ifndef OPENSSL_NO_RSA if (alg & SSL_kRSA) { + /* Temporary RSA keys only allowed in export ciphersuites */ + if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)) + { + al=SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNEXPECTED_MESSAGE); + goto f_err; + } if ((rsa=RSA_new()) == NULL) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index ca3e77aef6..18832e910b 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -355,18 +355,7 @@ int ssl3_accept(SSL *s) /* clear this, it may get reset by * send_server_key_exchange */ - if ((s->options & SSL_OP_EPHEMERAL_RSA) -#ifndef OPENSSL_NO_KRB5 - && !(l & SSL_KRB5) -#endif /* OPENSSL_NO_KRB5 */ - ) - /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key - * even when forbidden by protocol specs - * (handshake may fail as clients are not required to - * be able to handle this) */ - s->s3->tmp.use_rsa_tmp=1; - else - s->s3->tmp.use_rsa_tmp=0; + s->s3->tmp.use_rsa_tmp=0; /* only send if a DH key exchange, fortezza or @@ -378,8 +367,7 @@ int ssl3_accept(SSL *s) * server certificate contains the server's * public key for key exchange. */ - if (s->s3->tmp.use_rsa_tmp - || (l & SSL_kECDHE) + if ((l & SSL_kECDHE) || (l & (SSL_DH|SSL_kFZA)) || ((l & SSL_kRSA) && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL @@ -526,9 +526,8 @@ typedef struct ssl_session_st #define SSL_OP_SINGLE_ECDH_USE 0x00080000L /* If set, always create a new key when using tmp_dh parameters */ #define SSL_OP_SINGLE_DH_USE 0x00100000L -/* Set to always use the tmp_rsa key when doing RSA operations, - * even when this violates protocol specs */ -#define SSL_OP_EPHEMERAL_RSA 0x00200000L +/* Does nothing: retained for compatibiity */ +#define SSL_OP_EPHEMERAL_RSA 0x0 /* Set on servers to choose the cipher according to the server's * preferences */ #define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L |