[openssl-commits] [openssl] OpenSSL source code branch OpenSSL_1_0_1-stable updated. OpenSSL_1_0_1j-99-gef28c6d
Dr. Stephen Henson
steve at openssl.org
Tue Jan 6 00:07:04 UTC 2015
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".
The branch, OpenSSL_1_0_1-stable has been updated
via ef28c6d6767a6a30df5add36171894c96628fe98 (commit)
from 2175744952f5c8eaa2749f347629891497a1bcca (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit ef28c6d6767a6a30df5add36171894c96628fe98
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Fri Oct 24 12:30:33 2014 +0100
ECDH downgrade bug fix.
Fix bug where an OpenSSL client would accept a handshake using an
ephemeral ECDH ciphersuites with the server key exchange message omitted.
Thanks to Karthikeyan Bhargavan for reporting this issue.
CVE-2014-3572
Reviewed-by: Matt Caswell <matt at openssl.org>
(cherry picked from commit b15f8769644b00ef7283521593360b7b2135cb63)
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 7 +++++++
ssl/s3_clnt.c | 18 +++++++++++++++---
2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/CHANGES b/CHANGES
index bfb75be..8d3e6ff 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,13 @@
Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]
+ *) Abort handshake if server key exchange message is omitted for ephemeral
+ ECDH ciphersuites.
+
+ Thanks to Karthikeyan Bhargavan for reporting this issue.
+ (CVE-2014-3572)
+ [Steve Henson]
+
*) Ensure that the session ID context of an SSL is updated when its
SSL_CTX is updated via SSL_set_SSL_CTX.
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 7a95d5a..43ffc77 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1277,6 +1277,8 @@ int ssl3_get_key_exchange(SSL *s)
int encoded_pt_len = 0;
#endif
+ EVP_MD_CTX_init(&md_ctx);
+
/* use same message size as in ssl3_get_certificate_request()
* as ServerKeyExchange message may be skipped */
n=s->method->ssl_get_message(s,
@@ -1287,14 +1289,26 @@ int ssl3_get_key_exchange(SSL *s)
&ok);
if (!ok) return((int)n);
+ alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
+
if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
{
+ /*
+ * Can't skip server key exchange if this is an ephemeral
+ * ciphersuite.
+ */
+ if (alg_k & (SSL_kEDH|SSL_kEECDH))
+ {
+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
+ al = SSL_AD_UNEXPECTED_MESSAGE;
+ goto f_err;
+ }
#ifndef OPENSSL_NO_PSK
/* In plain PSK ciphersuite, ServerKeyExchange can be
omitted if no identity hint is sent. Set
session->sess_cert anyway to avoid problems
later.*/
- if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
+ if (alg_k & SSL_kPSK)
{
s->session->sess_cert=ssl_sess_cert_new();
if (s->ctx->psk_identity_hint)
@@ -1339,9 +1353,7 @@ int ssl3_get_key_exchange(SSL *s)
/* Total length of the parameters including the length prefix */
param_len=0;
- alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
alg_a=s->s3->tmp.new_cipher->algorithm_auth;
- EVP_MD_CTX_init(&md_ctx);
al=SSL_AD_DECODE_ERROR;
hooks/post-receive
--
OpenSSL source code
More information about the openssl-commits
mailing list