[openssl-commits] [openssl] OpenSSL source code branch master updated. b15f8769644b00ef7283521593360b7b2135cb63
Dr. Stephen Henson
steve at openssl.org
Mon Jan 5 23:34:40 UTC 2015
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".
The branch, master has been updated
via b15f8769644b00ef7283521593360b7b2135cb63 (commit)
from b5526482ef81ee7906b967e326d23a45fbcf3abc (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit b15f8769644b00ef7283521593360b7b2135cb63
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Fri Oct 24 12:30:33 2014 +0100
ECDH downgrade bug fix.
Fix bug where an OpenSSL client would accept a handshake using an
ephemeral ECDH ciphersuite with the server key exchange message omitted.
Thanks to Karthikeyan Bhargavan for reporting this issue.
CVE-2014-3572
Reviewed-by: Matt Caswell <matt at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 7 +++++++
ssl/s3_clnt.c | 18 +++++++++++++++---
2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/CHANGES b/CHANGES
index c444b24..0252eb5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -659,6 +659,13 @@
Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]
+ *) Abort handshake if server key exchange message is omitted for ephemeral
+ ECDH ciphersuites.
+
+ Thanks to Karthikeyan Bhargavan for reporting this issue.
+ (CVE-2014-3572)
+ [Steve Henson]
+
*) Ensure that the session ID context of an SSL is updated when its
SSL_CTX is updated via SSL_set_SSL_CTX.
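Review bot: the CHANGES entry names only ephemeral ECDH, but the check added in ssl/s3_clnt.c aborts on `alg_k & (SSL_kDHE|SSL_kECDHE)`, so ephemeral DH suites are covered as well; suggest wording the entry as "omitted for ephemeral DH or ECDH ciphersuites" so the changelog matches what the code actually enforces.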
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 4ca2774..2313fbc 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1376,6 +1376,8 @@ int ssl3_get_key_exchange(SSL *s)
int encoded_pt_len = 0;
#endif
+ EVP_MD_CTX_init(&md_ctx);
+
/* use same message size as in ssl3_get_certificate_request()
* as ServerKeyExchange message may be skipped */
n=s->method->ssl_get_message(s,
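Review bot: hoisting `EVP_MD_CTX_init(&md_ctx);` up to the declarations is what makes the new early `goto f_err` in the next hunk safe, on the assumption that the f_err path cleans up md_ctx; without the hoist that path would operate on an uninitialised context. A one-line comment such as `/* init here so f_err can always clean up md_ctx */` would stop a later refactor from moving it back down to its old position.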
@@ -1386,14 +1388,26 @@ int ssl3_get_key_exchange(SSL *s)
&ok);
if (!ok) return((int)n);
+ alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
+
if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
{
+ /*
+ * Can't skip server key exchange if this is an ephemeral
+ * ciphersuite.
+ */
+ if (alg_k & (SSL_kDHE|SSL_kECDHE))
+ {
+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
+ al = SSL_AD_UNEXPECTED_MESSAGE;
+ goto f_err;
+ }
#ifndef OPENSSL_NO_PSK
/* In plain PSK ciphersuite, ServerKeyExchange can be
omitted if no identity hint is sent. Set
session->sess_cert anyway to avoid problems
later.*/
- if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
+ if (alg_k & SSL_kPSK)
{
s->session->sess_cert=ssl_sess_cert_new();
if (s->ctx->psk_identity_hint)
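Review bot: the `SSL_kDHE|SSL_kECDHE` test is correctly placed before the PSK branch, so plain PSK suites keep their legitimate omitted-ServerKeyExchange path while every ephemeral (EC)DH suite now fails with `SSL_R_UNEXPECTED_MESSAGE` and an `unexpected_message` alert instead of silently continuing. Since the old code accepted this message sequence, a regression test in which the test server sends ServerHelloDone directly after Certificate for an ECDHE suite and the client is expected to abort would pin the fix; the hunk itself ships without one.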
@@ -1438,9 +1452,7 @@ int ssl3_get_key_exchange(SSL *s)
/* Total length of the parameters including the length prefix */
param_len=0;
- alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
alg_a=s->s3->tmp.new_cipher->algorithm_auth;
- EVP_MD_CTX_init(&md_ctx);
al=SSL_AD_DECODE_ERROR;
hooks/post-receive
--
OpenSSL source code