ECDH downgrade bug fix.
Fix bug where an OpenSSL client would accept a handshake using an
ephemeral ECDH ciphersuites with the server key exchange message omitted.
Thanks to Karthikeyan Bhargavan for reporting this issue.
CVE-2014-3572
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b15f876964)
This commit is contained in:
Dr. Stephen Henson
7
CHANGES
7
CHANGES
@@ -4,6 +4,13 @@
|
||||
|
||||
Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]
|
||||
|
||||
*) Abort handshake if server key exchange message is omitted for ephemeral
|
||||
ECDH ciphersuites.
|
||||
|
||||
Thanks to Karthikeyan Bhargavan for reporting this issue.
|
||||
(CVE-2014-3572)
|
||||
[Steve Henson]
|
||||
|
||||
*) Ensure that the session ID context of an SSL is updated when its
|
||||
SSL_CTX is updated via SSL_set_SSL_CTX.
|
||||
|
||||
|
||||
@@ -1277,6 +1277,8 @@ int ssl3_get_key_exchange(SSL *s)
|
||||
int encoded_pt_len = 0;
|
||||
#endif
|
||||
|
||||
EVP_MD_CTX_init(&md_ctx);
|
||||
|
||||
/* use same message size as in ssl3_get_certificate_request()
|
||||
* as ServerKeyExchange message may be skipped */
|
||||
n=s->method->ssl_get_message(s,
|
||||
@@ -1287,14 +1289,26 @@ int ssl3_get_key_exchange(SSL *s)
|
||||
&ok);
|
||||
if (!ok) return((int)n);
|
||||
|
||||
alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
|
||||
|
||||
if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
|
||||
{
|
||||
/*
|
||||
* Can't skip server key exchange if this is an ephemeral
|
||||
* ciphersuite.
|
||||
*/
|
||||
if (alg_k & (SSL_kEDH|SSL_kEECDH))
|
||||
{
|
||||
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
|
||||
al = SSL_AD_UNEXPECTED_MESSAGE;
|
||||
goto f_err;
|
||||
}
|
||||
#ifndef OPENSSL_NO_PSK
|
||||
/* In plain PSK ciphersuite, ServerKeyExchange can be
|
||||
omitted if no identity hint is sent. Set
|
||||
session->sess_cert anyway to avoid problems
|
||||
later.*/
|
||||
if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
|
||||
if (alg_k & SSL_kPSK)
|
||||
{
|
||||
s->session->sess_cert=ssl_sess_cert_new();
|
||||
if (s->ctx->psk_identity_hint)
|
||||
@@ -1339,9 +1353,7 @@ int ssl3_get_key_exchange(SSL *s)
|
||||
/* Total length of the parameters including the length prefix */
|
||||
param_len=0;
|
||||
|
||||
alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
|
||||
alg_a=s->s3->tmp.new_cipher->algorithm_auth;
|
||||
EVP_MD_CTX_init(&md_ctx);
|
||||
|
||||
al=SSL_AD_DECODE_ERROR;
|
||||
|
||||
|
||||
Reference in New Issue
Block a user