authortedu <>2015-03-11 19:52:41 +0000
committertedu <>2015-03-11 19:52:41 +0000
commit226d6a5d87975332d4fcc59a84b281713a349e0c (patch)
tree0a597466c74dc1da16910f88953fc5afefe53c8c
parent404d8b0257aff75d468f7bf4abb396fa8bbdfbc6 (diff)
backport fixes to prevent connections from being downgraded to weak keys.
ok bluhm miod
-rw-r--r--src/lib/libssl/src/ssl/d1_clnt.c24
-rw-r--r--src/lib/libssl/src/ssl/s3_clnt.c127
-rw-r--r--src/lib/libssl/src/ssl/ssl_cert.c3
-rw-r--r--src/lib/libssl/src/ssl/ssl_locl.h4
4 files changed, 56 insertions, 102 deletions
diff --git a/src/lib/libssl/src/ssl/d1_clnt.c b/src/lib/libssl/src/ssl/d1_clnt.c
index c9ec32173b..23762524fa 100644
--- a/src/lib/libssl/src/ssl/d1_clnt.c
+++ b/src/lib/libssl/src/ssl/d1_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_clnt.c,v 1.33 2014/08/07 20:02:23 miod Exp $ */ 1/* $OpenBSD: d1_clnt.c,v 1.33.2.1 2015/03/11 19:52:37 tedu Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -939,20 +939,16 @@ dtls1_send_client_key_exchange(SSL *s)
939 RSA *rsa; 939 RSA *rsa;
940 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 940 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
941 941
942 if (s->session->sess_cert->peer_rsa_tmp != NULL) 942 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
943 rsa = s->session->sess_cert->peer_rsa_tmp; 943 if ((pkey == NULL) ||
944 else { 944 (pkey->type != EVP_PKEY_RSA) ||
945 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 945 (pkey->pkey.rsa == NULL)) {
946 if ((pkey == NULL) || 946 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
947 (pkey->type != EVP_PKEY_RSA) || 947 ERR_R_INTERNAL_ERROR);
948 (pkey->pkey.rsa == NULL)) { 948 goto err;
949 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
950 ERR_R_INTERNAL_ERROR);
951 goto err;
952 }
953 rsa = pkey->pkey.rsa;
954 EVP_PKEY_free(pkey);
955 } 949 }
950 rsa = pkey->pkey.rsa;
951 EVP_PKEY_free(pkey);
956 952
957 tmp_buf[0] = s->client_version >> 8; 953 tmp_buf[0] = s->client_version >> 8;
958 tmp_buf[1] = s->client_version&0xff; 954 tmp_buf[1] = s->client_version&0xff;
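Review bot: The error path at new line 948 (`goto err;`) leaks `pkey` when `X509_get_pubkey()` returned a key whose type is not `EVP_PKEY_RSA` or whose `pkey.rsa` is NULL, because the reference taken by `X509_get_pubkey()` is only released on the success path at new line 951. The parallel change to ssl3_send_client_key_exchange in s3_clnt.c releases it before jumping, and this hunk should do the same: `EVP_PKEY_free(pkey);` immediately before `goto err;`. `EVP_PKEY_free()` tolerates NULL, so the call is also safe when `pkey == NULL`. dtls1_send_client_key_exchange begins and ends outside the hunk, so I cannot see whether the `err:` label already frees `pkey`; if it does, disregard.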
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index af6c81dae5..66e55f599e 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_clnt.c,v 1.85 2014/08/07 01:24:10 deraadt Exp $ */ 1/* $OpenBSD: s3_clnt.c,v 1.85.2.1 2015/03/11 19:52:37 tedu Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1162,6 +1162,9 @@ ssl3_get_key_exchange(SSL *s)
1162 int curve_nid = 0; 1162 int curve_nid = 0;
1163 int encoded_pt_len = 0; 1163 int encoded_pt_len = 0;
1164 1164
1165 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1166 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1167
1165 /* 1168 /*
1166 * Use same message size as in ssl3_get_certificate_request() 1169 * Use same message size as in ssl3_get_certificate_request()
1167 * as ServerKeyExchange message may be skipped. 1170 * as ServerKeyExchange message may be skipped.
@@ -1170,17 +1173,27 @@ ssl3_get_key_exchange(SSL *s)
1170 SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list, &ok); 1173 SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list, &ok);
1171 if (!ok) 1174 if (!ok)
1172 return ((int)n); 1175 return ((int)n);
1176
1177 EVP_MD_CTX_init(&md_ctx);
1173 1178
1174 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { 1179 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) {
1180 /*
1181 * Do not skip server key exchange if this cipher suite uses
1182 * ephemeral keys.
1183 */
1184 if (alg_k & (SSL_kDHE|SSL_kECDHE)) {
1185 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1186 SSL_R_UNEXPECTED_MESSAGE);
1187 al = SSL_AD_UNEXPECTED_MESSAGE;
1188 goto f_err;
1189 }
1190
1175 s->s3->tmp.reuse_message = 1; 1191 s->s3->tmp.reuse_message = 1;
1192 EVP_MD_CTX_cleanup(&md_ctx);
1176 return (1); 1193 return (1);
1177 } 1194 }
1178 1195
1179 param = p = (unsigned char *)s->init_msg;
1180 if (s->session->sess_cert != NULL) { 1196 if (s->session->sess_cert != NULL) {
1181 RSA_free(s->session->sess_cert->peer_rsa_tmp);
1182 s->session->sess_cert->peer_rsa_tmp = NULL;
1183
1184 DH_free(s->session->sess_cert->peer_dh_tmp); 1197 DH_free(s->session->sess_cert->peer_dh_tmp);
1185 s->session->sess_cert->peer_dh_tmp = NULL; 1198 s->session->sess_cert->peer_dh_tmp = NULL;
1186 1199
@@ -1192,68 +1205,10 @@ ssl3_get_key_exchange(SSL *s)
1192 goto err; 1205 goto err;
1193 } 1206 }
1194 1207
1208 param = p = (unsigned char *)s->init_msg;
1195 param_len = 0; 1209 param_len = 0;
1196 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1197 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1198 EVP_MD_CTX_init(&md_ctx);
1199
1200 if (alg_k & SSL_kRSA) {
1201 if ((rsa = RSA_new()) == NULL) {
1202 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1203 ERR_R_MALLOC_FAILURE);
1204 goto err;
1205 }
1206 if (2 > n)
1207 goto truncated;
1208 n2s(p, i);
1209 param_len = i + 2;
1210 if (param_len > n) {
1211 al = SSL_AD_DECODE_ERROR;
1212 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1213 SSL_R_BAD_RSA_MODULUS_LENGTH);
1214 goto f_err;
1215 }
1216 if (!(rsa->n = BN_bin2bn(p, i, rsa->n))) {
1217 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1218 ERR_R_BN_LIB);
1219 goto err;
1220 }
1221 p += i;
1222 1210
1223 if (param_len + 2 > n) 1211 if (alg_k & SSL_kDHE) {
1224 goto truncated;
1225 n2s(p, i);
1226 param_len += i + 2;
1227 if (param_len > n) {
1228 al = SSL_AD_DECODE_ERROR;
1229 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1230 SSL_R_BAD_RSA_E_LENGTH);
1231 goto f_err;
1232 }
1233 if (!(rsa->e = BN_bin2bn(p, i, rsa->e))) {
1234 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1235 ERR_R_BN_LIB);
1236 goto err;
1237 }
1238 p += i;
1239 n -= param_len;
1240
1241 /*
1242 * This should be because we are using an
1243 * export cipher
1244 */
1245 if (alg_a & SSL_aRSA)
1246 pkey = X509_get_pubkey(
1247 s->session->sess_cert->peer_pkeys[
1248 SSL_PKEY_RSA_ENC].x509);
1249 else {
1250 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1251 ERR_R_INTERNAL_ERROR);
1252 goto err;
1253 }
1254 s->session->sess_cert->peer_rsa_tmp = rsa;
1255 rsa = NULL;
1256 } else if (alg_k & SSL_kDHE) {
1257 if ((dh = DH_new()) == NULL) { 1212 if ((dh = DH_new()) == NULL) {
1258 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, 1213 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1259 ERR_R_DH_LIB); 1214 ERR_R_DH_LIB);
@@ -1311,6 +1266,17 @@ ssl3_get_key_exchange(SSL *s)
1311 p += i; 1266 p += i;
1312 n -= param_len; 1267 n -= param_len;
1313 1268
1269 /*
1270 * Check the strength of the DH key just constructed.
1271 * Discard keys weaker than 1024 bits.
1272 */
1273
1274 if (DH_size(dh) < 1024 / 8) {
1275 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1276 SSL_R_BAD_DH_P_LENGTH);
1277 goto err;
1278 }
1279
1314 if (alg_a & SSL_aRSA) 1280 if (alg_a & SSL_aRSA)
1315 pkey = X509_get_pubkey( 1281 pkey = X509_get_pubkey(
1316 s->session->sess_cert->peer_pkeys[ 1282 s->session->sess_cert->peer_pkeys[
@@ -1953,23 +1919,19 @@ ssl3_send_client_key_exchange(SSL *s)
1953 goto err; 1919 goto err;
1954 } 1920 }
1955 1921
1956 if (s->session->sess_cert->peer_rsa_tmp != NULL) 1922 pkey = X509_get_pubkey(
1957 rsa = s->session->sess_cert->peer_rsa_tmp; 1923 s->session->sess_cert->peer_pkeys[
1958 else { 1924 SSL_PKEY_RSA_ENC].x509);
1959 pkey = X509_get_pubkey( 1925 if ((pkey == NULL) ||
1960 s->session->sess_cert->peer_pkeys[ 1926 (pkey->type != EVP_PKEY_RSA) ||
1961 SSL_PKEY_RSA_ENC].x509); 1927 (pkey->pkey.rsa == NULL)) {
1962 if ((pkey == NULL) || 1928 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
1963 (pkey->type != EVP_PKEY_RSA) || 1929 ERR_R_INTERNAL_ERROR);
1964 (pkey->pkey.rsa == NULL)) {
1965 SSLerr(
1966 SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
1967 ERR_R_INTERNAL_ERROR);
1968 goto err;
1969 }
1970 rsa = pkey->pkey.rsa;
1971 EVP_PKEY_free(pkey); 1930 EVP_PKEY_free(pkey);
1931 goto err;
1972 } 1932 }
1933 rsa = pkey->pkey.rsa;
1934 EVP_PKEY_free(pkey);
1973 1935
1974 tmp_buf[0] = s->client_version >> 8; 1936 tmp_buf[0] = s->client_version >> 8;
1975 tmp_buf[1] = s->client_version & 0xff; 1937 tmp_buf[1] = s->client_version & 0xff;
@@ -2598,7 +2560,6 @@ ssl3_check_cert_and_algorithm(SSL *s)
2598 long alg_k, alg_a; 2560 long alg_k, alg_a;
2599 EVP_PKEY *pkey = NULL; 2561 EVP_PKEY *pkey = NULL;
2600 SESS_CERT *sc; 2562 SESS_CERT *sc;
2601 RSA *rsa;
2602 DH *dh; 2563 DH *dh;
2603 2564
2604 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 2565 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
@@ -2614,8 +2575,6 @@ ssl3_check_cert_and_algorithm(SSL *s)
2614 ERR_R_INTERNAL_ERROR); 2575 ERR_R_INTERNAL_ERROR);
2615 goto err; 2576 goto err;
2616 } 2577 }
2617
2618 rsa = s->session->sess_cert->peer_rsa_tmp;
2619 dh = s->session->sess_cert->peer_dh_tmp; 2578 dh = s->session->sess_cert->peer_dh_tmp;
2620 2579
2621 /* This is the passed certificate. */ 2580 /* This is the passed certificate. */
@@ -2648,7 +2607,7 @@ ssl3_check_cert_and_algorithm(SSL *s)
2648 goto f_err; 2607 goto f_err;
2649 } 2608 }
2650 if ((alg_k & SSL_kRSA) && 2609 if ((alg_k & SSL_kRSA) &&
2651 !(has_bits(i, EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) { 2610 !has_bits(i, EVP_PK_RSA|EVP_PKT_ENC)) {
2652 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, 2611 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
2653 SSL_R_MISSING_RSA_ENCRYPTING_CERT); 2612 SSL_R_MISSING_RSA_ENCRYPTING_CERT);
2654 goto f_err; 2613 goto f_err;
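Review bot: The new minimum-strength check in the `@@ -1311,6 +1266,17 @@` hunk compares `DH_size(dh)` against `1024 / 8`, but `DH_size()` is the prime length rounded up to whole bytes, so a p of 1017–1023 bits still yields 128 and passes a check whose comment says it discards anything weaker than 1024 bits. Comparing the bit length directly, `if (BN_num_bits(dh->p) < 1024) {`, matches the stated intent exactly. That check also takes `goto err` instead of setting `al` and using `f_err` as the neighbouring decode checks do, so presumably no alert reaches the peer before the handshake is abandoned; a one-line comment saying that is intended would help, and the blank line between the comment block and the `if` at new line 1273 reads as a stray. ssl3_get_key_exchange continues outside the hunk, so I assume `err:` still frees the not-yet-stored `dh`.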
diff --git a/src/lib/libssl/src/ssl/ssl_cert.c b/src/lib/libssl/src/ssl/ssl_cert.c
index 6aae59e310..c132404e69 100644
--- a/src/lib/libssl/src/ssl/ssl_cert.c
+++ b/src/lib/libssl/src/ssl/ssl_cert.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_cert.c,v 1.41 2014/07/10 08:25:00 guenther Exp $ */ 1/* $OpenBSD: ssl_cert.c,v 1.41.4.1 2015/03/11 19:52:37 tedu Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -407,7 +407,6 @@ ssl_sess_cert_free(SESS_CERT *sc)
407 X509_free(sc->peer_pkeys[i].x509); 407 X509_free(sc->peer_pkeys[i].x509);
408 } 408 }
409 409
410 RSA_free(sc->peer_rsa_tmp);
411 DH_free(sc->peer_dh_tmp); 410 DH_free(sc->peer_dh_tmp);
412 EC_KEY_free(sc->peer_ecdh_tmp); 411 EC_KEY_free(sc->peer_ecdh_tmp);
413 412
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h
index 3c1c444cb0..65062ee4a8 100644
--- a/src/lib/libssl/src/ssl/ssl_locl.h
+++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.63 2014/07/28 04:23:12 guenther Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.63.4.1 2015/03/11 19:52:37 tedu Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -464,7 +464,7 @@ typedef struct sess_cert_st {
464 /* Obviously we don't have the private keys of these, 464 /* Obviously we don't have the private keys of these,
465 * so maybe we shouldn't even use the CERT_PKEY type here. */ 465 * so maybe we shouldn't even use the CERT_PKEY type here. */
466 466
467 RSA *peer_rsa_tmp; 467 RSA *__peer_rsa_tmp;
468 DH *peer_dh_tmp; 468 DH *peer_dh_tmp;
469 EC_KEY *peer_ecdh_tmp; 469 EC_KEY *peer_ecdh_tmp;
470 470
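Review bot: The renamed member `__peer_rsa_tmp` at new line 467 carries a double-underscore prefix, which C reserves for the implementation (C11 7.1.3), so it is not a name the project should own. Nothing in this commit sets, reads or frees the member any more, so it appears to be kept only so that `struct sess_cert_st` retains its size and offsets on this branch (the commit message calls this a backport) while any stale reference to `peer_rsa_tmp` fails at compile time; if that is the reason, say so and avoid the reserved spelling: `RSA *peer_rsa_tmp_unused; /* no longer set; kept only to preserve struct layout */`.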