[openssl-commits] [openssl] OpenSSL source code branch OpenSSL_1_0_0-stable updated. OpenSSL_1_0_0o-57-g802a070

Dr. Stephen Henson steve at openssl.org
Tue Jan 6 00:07:04 UTC 2015


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_0-stable has been updated
       via  802a070bb6452dd9df49e550e0f3b16777e5232b (commit)
      from  31c65a7bc0de7ff1446645d41af388893362f579 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 802a070bb6452dd9df49e550e0f3b16777e5232b
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Fri Oct 24 12:30:33 2014 +0100

    ECDH downgrade bug fix.
    
    Fix bug where an OpenSSL client would accept a handshake using an
    ephemeral ECDH ciphersuites with the server key exchange message omitted.
    
    Thanks to Karthikeyan Bhargavan for reporting this issue.
    
    CVE-2014-3572
    Reviewed-by: Matt Caswell <matt at openssl.org>
    
    (cherry picked from commit b15f8769644b00ef7283521593360b7b2135cb63)
    
    Conflicts:
    	CHANGES

-----------------------------------------------------------------------

Summary of changes:
 CHANGES       |    7 +++++++
 ssl/s3_clnt.c |   18 +++++++++++++++---
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 8e8646e..519869b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,13 @@
 
  Changes between 1.0.0o and 1.0.0p [xx XXX xxxx]
 
+  *) Abort handshake if server key exchange message is omitted for ephemeral
+     ECDH ciphersuites.
+
+     Thanks to Karthikeyan Bhargavan for reporting this issue.
+     (CVE-2014-3572)
+     [Steve Henson]
+
   *) Fix various certificate fingerprint issues.
 
      By using non-DER or invalid encodings outside the signed portion of a
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index e614f96..f2e9e54 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1191,6 +1191,8 @@ int ssl3_get_key_exchange(SSL *s)
 	int encoded_pt_len = 0;
 #endif
 
+	EVP_MD_CTX_init(&md_ctx);
+
 	/* use same message size as in ssl3_get_certificate_request()
 	 * as ServerKeyExchange message may be skipped */
 	n=s->method->ssl_get_message(s,
@@ -1201,14 +1203,26 @@ int ssl3_get_key_exchange(SSL *s)
 		&ok);
 	if (!ok) return((int)n);
 
+	alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
+
 	if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
 		{
+		/*
+		 * Can't skip server key exchange if this is an ephemeral
+		 * ciphersuite.
+		 */
+		if (alg_k & (SSL_kEDH|SSL_kEECDH))
+			{
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
+			al = SSL_AD_UNEXPECTED_MESSAGE;
+			goto f_err;
+			}
 #ifndef OPENSSL_NO_PSK
 		/* In plain PSK ciphersuite, ServerKeyExchange can be
 		   omitted if no identity hint is sent. Set
 		   session->sess_cert anyway to avoid problems
 		   later.*/
-		if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
+		if (alg_k & SSL_kPSK)
 			{
 			s->session->sess_cert=ssl_sess_cert_new();
 			if (s->ctx->psk_identity_hint)
@@ -1253,9 +1267,7 @@ int ssl3_get_key_exchange(SSL *s)
 	/* Total length of the parameters including the length prefix */
 	param_len=0;
 
-	alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
 	alg_a=s->s3->tmp.new_cipher->algorithm_auth;
-	EVP_MD_CTX_init(&md_ctx);
 
 	al=SSL_AD_DECODE_ERROR;
 


hooks/post-receive
-- 
OpenSSL source code


More information about the openssl-commits mailing list