Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned

and each hash processed separately. Tested by tb@
author: jsing <> 2017-03-07 13:37:03 +0000
committer: jsing <> 2017-03-07 13:37:03 +0000
commit: ece3827c47590e118f7dbc7997da4a429495abd0 (patch)
tree: 38ccc93377fc811e45369923ac49d511014471e5
parent: 8f3432a06f852cd787898bca11abb5707354176f (diff)
download: openbsd-ece3827c47590e118f7dbc7997da4a429495abd0.tar.gz
openbsd-ece3827c47590e118f7dbc7997da4a429495abd0.tar.bz2
openbsd-ece3827c47590e118f7dbc7997da4a429495abd0.zip
1 files changed, 26 insertions, 5 deletions
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 84f2e182d9..ac037478d6 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.98 2017/03/06 15:08:57 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.99 2017/03/07 13:37:03 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -378,6 +378,7 @@ tls1_PRF(SSL *s, const void *seed1, int seed1_len, const void *seed2,
    int slen, unsigned char *out1, unsigned char *out2, int olen)
 {
        const EVP_MD *md;
+        size_t hlen;
        int i;
        memset(out1, 0, olen);
@@ -385,13 +386,33 @@ tls1_PRF(SSL *s, const void *seed1, int seed1_len, const void *seed2,
        if (!ssl_get_handshake_evp_md(s, &md))
                return (0);
+        if (md->type == NID_md5_sha1) {
+                /*
+                 * Partition secret between MD5 and SHA1, then XOR result.
+                 * If the secret length is odd, a one byte overlap is used.
+                 */
+                hlen = slen - (slen / 2);
+                if (!tls1_P_hash(EVP_md5(), sec, hlen, seed1, seed1_len, seed2,
+                    seed2_len, seed3, seed3_len, seed4, seed4_len, seed5,
+                    seed5_len, out1, olen))
+                        return (0);
+                sec += slen - hlen;
+                if (!tls1_P_hash(EVP_sha1(), sec, hlen, seed1, seed1_len, seed2,
+                    seed2_len, seed3, seed3_len, seed4, seed4_len, seed5,
+                    seed5_len, out2, olen))
+                        return (0);
+                for (i = 0; i < olen; i++)
+                        out1[i] ^= out2[i];
+                return (1);
+        }
        if (!tls1_P_hash(md, sec, slen, seed1, seed1_len, seed2, seed2_len,
-            seed3, seed3_len, seed4, seed4_len, seed5, seed5_len, out2, olen))
+            seed3, seed3_len, seed4, seed4_len, seed5, seed5_len, out1, olen))
                return (0);
-        for (i = 0; i < olen; i++)
-                out1[i] ^= out2[i];
        return (1);
 }
author	jsing <>	2017-03-07 13:37:03 +0000
committer	jsing <>	2017-03-07 13:37:03 +0000
commit	ece3827c47590e118f7dbc7997da4a429495abd0 (patch)
tree	38ccc93377fc811e45369923ac49d511014471e5
parent	8f3432a06f852cd787898bca11abb5707354176f (diff)
download	openbsd-ece3827c47590e118f7dbc7997da4a429495abd0.tar.gz openbsd-ece3827c47590e118f7dbc7997da4a429495abd0.tar.bz2 openbsd-ece3827c47590e118f7dbc7997da4a429495abd0.zip

diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c index 84f2e182d9..ac037478d6 100644 --- a/src/lib/libssl/t1_enc.c +++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: t1_enc.c,v 1.98 2017/03/06 15:08:57 jsing Exp $ */	1	/* $OpenBSD: t1_enc.c,v 1.99 2017/03/07 13:37:03 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -378,6 +378,7 @@ tls1_PRF(SSL s, const void seed1, int seed1_len, const void *seed2,
378	int slen, unsigned char out1, unsigned char out2, int olen)	378	int slen, unsigned char out1, unsigned char out2, int olen)
379	{	379	{
380	const EVP_MD *md;	380	const EVP_MD *md;
		381	size_t hlen;
381	int i;	382	int i;
382		383
383	memset(out1, 0, olen);	384	memset(out1, 0, olen);
@@ -385,13 +386,33 @@ tls1_PRF(SSL s, const void seed1, int seed1_len, const void *seed2,
385	if (!ssl_get_handshake_evp_md(s, &md))	386	if (!ssl_get_handshake_evp_md(s, &md))
386	return (0);	387	return (0);
387		388
		389	if (md->type == NID_md5_sha1) {
		390	/*
		391	* Partition secret between MD5 and SHA1, then XOR result.
		392	* If the secret length is odd, a one byte overlap is used.
		393	*/
		394	hlen = slen - (slen / 2);
		395	if (!tls1_P_hash(EVP_md5(), sec, hlen, seed1, seed1_len, seed2,
		396	seed2_len, seed3, seed3_len, seed4, seed4_len, seed5,
		397	seed5_len, out1, olen))
		398	return (0);
		399
		400	sec += slen - hlen;
		401	if (!tls1_P_hash(EVP_sha1(), sec, hlen, seed1, seed1_len, seed2,
		402	seed2_len, seed3, seed3_len, seed4, seed4_len, seed5,
		403	seed5_len, out2, olen))
		404	return (0);
		405
		406	for (i = 0; i < olen; i++)
		407	out1[i] ^= out2[i];
		408
		409	return (1);
		410	}
		411
388	if (!tls1_P_hash(md, sec, slen, seed1, seed1_len, seed2, seed2_len,	412	if (!tls1_P_hash(md, sec, slen, seed1, seed1_len, seed2, seed2_len,
389	seed3, seed3_len, seed4, seed4_len, seed5, seed5_len, out2, olen))	413	seed3, seed3_len, seed4, seed4_len, seed5, seed5_len, out1, olen))
390	return (0);	414	return (0);
391		415
392	for (i = 0; i < olen; i++)
393	out1[i] ^= out2[i];
394
395	return (1);	416	return (1);
396	}	417	}
397		418