[openssl-commits] [openssl] OpenSSL source code branch OpenSSL_1_0_0-stable updated. OpenSSL_1_0_0o-49-g40c2812

Emilia Kasper emilia at openssl.org
Wed Dec 17 13:07:38 UTC 2014



The branch, OpenSSL_1_0_0-stable has been updated
       via  40c2812f5656b1c78fa18b14c264fd48421c2d24 (commit)
      from  2e3e3d278ec4984d352c65e2df8270ecf658d5b4 (commit)


- Log -----------------------------------------------------------------
commit 40c2812f5656b1c78fa18b14c264fd48421c2d24
Author: Adam Langley <agl at chromium.org>
Date:   Tue Dec 16 14:03:47 2014 +0100

    Premaster secret handling fixes
    
    From BoringSSL
    - Send an alert when the client key exchange isn't correctly formatted.
    - Reject overly short RSA ciphertexts to avoid a (benign) out-of-bounds memory access.
    
    Reviewed-by: Kurt Roeckx <kurt at openssl.org>
    (cherry picked from commit 4aecfd4d9f366c849c9627ab666d1b1addc024e6)

-----------------------------------------------------------------------

Summary of changes:
 ssl/s3_srvr.c |   36 ++++++++++++++++++++++++++++--------
 1 file changed, 28 insertions(+), 8 deletions(-)

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 4573ec8..20c6fa0 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2015,6 +2015,7 @@ int ssl3_get_client_key_exchange(SSL *s)
 		unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
 		int decrypt_len;
 		unsigned char decrypt_good, version_good;
+		size_t j;
 
 		/* FIX THIS UP EAY EAY EAY EAY */
 		if (s->s3->tmp.use_rsa_tmp)
@@ -2053,8 +2054,9 @@ int ssl3_get_client_key_exchange(SSL *s)
 				{
 				if (!(s->options & SSL_OP_TLS_D5_BUG))
 					{
+					al = SSL_AD_DECODE_ERROR;
 					SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
-					goto err;
+					goto f_err;
 					}
 				else
 					p-=2;
@@ -2063,6 +2065,20 @@ int ssl3_get_client_key_exchange(SSL *s)
 				n=i;
 			}
 
+		/*
+		 * Reject overly short RSA ciphertext because we want to be sure
+		 * that the buffer size makes it safe to iterate over the entire
+		 * size of a premaster secret (SSL_MAX_MASTER_KEY_LENGTH). The
+		 * actual expected size is larger due to RSA padding, but the
+		 * bound is sufficient to be safe.
+		 */
+		if (n < SSL_MAX_MASTER_KEY_LENGTH)
+			{
+			al = SSL_AD_DECRYPT_ERROR;
+			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
+			goto f_err;
+			}
+
 		/* We must not leak whether a decryption failure occurs because
 		 * of Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see
 		 * RFC 2246, section 7.4.7.1). The code follows that advice of
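Review bot: The new bound at L73 only guarantees the 48-byte read in the later copy loop is in range; a PKCS#1 v1.5 ciphertext must be exactly the modulus length, so rejecting `n` unless it equals the RSA key's size (via `RSA_size()` on the key selected just after L50, which is outside this hunk) would be the stricter and equally oracle-free check, since the ciphertext length is public on the wire. Separately, L75 sends `SSL_AD_DECRYPT_ERROR` while the length-prefix mismatch at L55 sends `SSL_AD_DECODE_ERROR` for the same `SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG` reason; RFC 5246 §7.2.2 assigns decode_error to incorrect message lengths, so `al = SSL_AD_DECODE_ERROR;` here would keep the two paths consistent for clients diagnosing failures. It would also help to extend the comment at L66-72 with why a distinct alert is safe: `/* The ciphertext length is public, so rejecting on it reveals nothing to a Bleichenbacher attacker. */`. The enclosing ssl3_get_client_key_exchange() starts and ends outside the hunk.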
@@ -2110,19 +2126,23 @@ int ssl3_get_client_key_exchange(SSL *s)
 		 * to remain non-zero (0xff). */
 		decrypt_good &= version_good;
 
-		/* Now copy rand_premaster_secret over p using
-		 * decrypt_good_mask. */
-		for (i = 0; i < (int) sizeof(rand_premaster_secret); i++)
+		/*
+		 * Now copy rand_premaster_secret over from p using
+		 * decrypt_good_mask. If decryption failed, then p does not
+		 * contain valid plaintext, however, a check above guarantees
+		 * it is still sufficiently large to read from.
+		 */
+		for (j = 0; j < sizeof(rand_premaster_secret); j++)
 			{
-			p[i] = constant_time_select_8(decrypt_good, p[i],
-						      rand_premaster_secret[i]);
+			p[j] = constant_time_select_8(decrypt_good, p[j],
+						      rand_premaster_secret[j]);
 			}
 
 		s->session->master_key_length=
 			s->method->ssl3_enc->generate_master_secret(s,
 				s->session->master_key,
-				p,i);
-		OPENSSL_cleanse(p,i);
+				p,sizeof(rand_premaster_secret));
+		OPENSSL_cleanse(p,sizeof(rand_premaster_secret));
 		}
 	else
 #endif
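Review bot: The `OPENSSL_cleanse` at L110 wipes only `p`, but when `decrypt_good` is zero the bytes fed into `generate_master_secret` come from the stack array `rand_premaster_secret` (L96-101), which nothing in this hunk cleanses afterwards; adding `OPENSSL_cleanse(rand_premaster_secret, sizeof(rand_premaster_secret));` after L110 would avoid leaving master-secret input material on the stack. This is hygiene rather than an exploitable defect on its own, and the rest of the function is outside the hunk so a later cleanse cannot be ruled out from here. Minor: L109 now passes a `size_t` where the old code passed the `int` `i`; if the `generate_master_secret` callback takes `int`, an explicit `(int)sizeof(rand_premaster_secret)` keeps -Wconversion quiet and documents the narrowing.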

