diff options
| author | deraadt <> | 2014-08-07 04:49:53 +0000 |
|---|---|---|
| committer | deraadt <> | 2014-08-07 04:49:53 +0000 |
| commit | 4bcdac8281676ec72b23bb5dbfa6716fc392dfc1 (patch) | |
| tree | aca4d994835fb200914ade352b8bd14a3e8d2bef | |
| parent | 43f5d1f3bd255cb997b91514a2993b278a7b4216 (diff) | |
| download | openbsd-4bcdac8281676ec72b23bb5dbfa6716fc392dfc1.tar.gz openbsd-4bcdac8281676ec72b23bb5dbfa6716fc392dfc1.tar.bz2 openbsd-4bcdac8281676ec72b23bb5dbfa6716fc392dfc1.zip | |
Fix CVE-2014-3511; TLS downgrade, verbatim diff
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=280b1f1ad12131defcd986676a8fc9717aaa601b
ok guenther miod
| -rw-r--r-- | src/lib/libssl/s23_srvr.c | 32 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/s23_srvr.c | 32 |
2 files changed, 54 insertions, 10 deletions
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c index e6356ba2a2..ee977130fb 100644 --- a/src/lib/libssl/s23_srvr.c +++ b/src/lib/libssl/s23_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s23_srvr.c,v 1.31 2014/07/11 08:17:36 miod Exp $ */ | 1 | /* $OpenBSD: s23_srvr.c,v 1.32 2014/08/07 04:49:53 deraadt Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -358,17 +358,19 @@ ssl23_get_client_hello(SSL *s) | |||
| 358 | * Client Hello message, this would be difficult, and we'd have | 358 | * Client Hello message, this would be difficult, and we'd have |
| 359 | * to read more records to find out. | 359 | * to read more records to find out. |
| 360 | * No known SSL 3.0 client fragments ClientHello like this, | 360 | * No known SSL 3.0 client fragments ClientHello like this, |
| 361 | * so we simply assume TLS 1.0 to avoid protocol version downgrade | 361 | * so we simply reject such connections to avoid |
| 362 | * attacks. */ | 362 | * protocol version downgrade attacks. */ |
| 363 | if (p[3] == 0 && p[4] < 6) { | 363 | if (p[3] == 0 && p[4] < 6) { |
| 364 | v[1] = TLS1_VERSION_MINOR; | 364 | SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, |
| 365 | SSL_R_RECORD_TOO_SMALL); | ||
| 366 | return -1; | ||
| 365 | } | 367 | } |
| 366 | /* if major version number > 3 set minor to a value | 368 | /* if major version number > 3 set minor to a value |
| 367 | * which will use the highest version 3 we support. | 369 | * which will use the highest version 3 we support. |
| 368 | * If TLS 2.0 ever appears we will need to revise | 370 | * If TLS 2.0 ever appears we will need to revise |
| 369 | * this.... | 371 | * this.... |
| 370 | */ | 372 | */ |
| 371 | else if (p[9] > SSL3_VERSION_MAJOR) | 373 | if (p[9] > SSL3_VERSION_MAJOR) |
| 372 | v[1] = 0xff; | 374 | v[1] = 0xff; |
| 373 | else | 375 | else |
| 374 | v[1] = p[10]; /* minor version according to client_version */ | 376 | v[1] = p[10]; /* minor version according to client_version */ |
| @@ -422,13 +424,33 @@ ssl23_get_client_hello(SSL *s) | |||
| 422 | v[0] = p[3]; /* == SSL3_VERSION_MAJOR */ | 424 | v[0] = p[3]; /* == SSL3_VERSION_MAJOR */ |
| 423 | v[1] = p[4]; | 425 | v[1] = p[4]; |
| 424 | 426 | ||
| 427 | /* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2 | ||
| 428 | * header is sent directly on the wire, not wrapped as a TLS | ||
| 429 | * record. It's format is: | ||
| 430 | * Byte Content | ||
| 431 | * 0-1 msg_length | ||
| 432 | * 2 msg_type | ||
| 433 | * 3-4 version | ||
| 434 | * 5-6 cipher_spec_length | ||
| 435 | * 7-8 session_id_length | ||
| 436 | * 9-10 challenge_length | ||
| 437 | * ... ... | ||
| 438 | */ | ||
| 425 | n = ((p[0] & 0x7f) << 8) | p[1]; | 439 | n = ((p[0] & 0x7f) << 8) | p[1]; |
| 426 | if (n > (1024 * 4)) { | 440 | if (n > (1024 * 4)) { |
| 427 | SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_TOO_LARGE); | 441 | SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_TOO_LARGE); |
| 428 | return -1; | 442 | return -1; |
| 429 | } | 443 | } |
| 444 | if (n < 9) { | ||
| 445 | SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, | ||
| 446 | SSL_R_RECORD_LENGTH_MISMATCH); | ||
| 447 | return -1; | ||
| 448 | } | ||
| 430 | 449 | ||
| 431 | j = ssl23_read_bytes(s, n + 2); | 450 | j = ssl23_read_bytes(s, n + 2); |
| 451 | /* We previously read 11 bytes, so if j > 0, we must have | ||
| 452 | * j == n+2 == s->packet_length. We have at least 11 valid | ||
| 453 | * packet bytes. */ | ||
| 432 | if (j <= 0) | 454 | if (j <= 0) |
| 433 | return (j); | 455 | return (j); |
| 434 | 456 | ||
diff --git a/src/lib/libssl/src/ssl/s23_srvr.c b/src/lib/libssl/src/ssl/s23_srvr.c index e6356ba2a2..ee977130fb 100644 --- a/src/lib/libssl/src/ssl/s23_srvr.c +++ b/src/lib/libssl/src/ssl/s23_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s23_srvr.c,v 1.31 2014/07/11 08:17:36 miod Exp $ */ | 1 | /* $OpenBSD: s23_srvr.c,v 1.32 2014/08/07 04:49:53 deraadt Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -358,17 +358,19 @@ ssl23_get_client_hello(SSL *s) | |||
| 358 | * Client Hello message, this would be difficult, and we'd have | 358 | * Client Hello message, this would be difficult, and we'd have |
| 359 | * to read more records to find out. | 359 | * to read more records to find out. |
| 360 | * No known SSL 3.0 client fragments ClientHello like this, | 360 | * No known SSL 3.0 client fragments ClientHello like this, |
| 361 | * so we simply assume TLS 1.0 to avoid protocol version downgrade | 361 | * so we simply reject such connections to avoid |
| 362 | * attacks. */ | 362 | * protocol version downgrade attacks. */ |
| 363 | if (p[3] == 0 && p[4] < 6) { | 363 | if (p[3] == 0 && p[4] < 6) { |
| 364 | v[1] = TLS1_VERSION_MINOR; | 364 | SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, |
| 365 | SSL_R_RECORD_TOO_SMALL); | ||
| 366 | return -1; | ||
| 365 | } | 367 | } |
| 366 | /* if major version number > 3 set minor to a value | 368 | /* if major version number > 3 set minor to a value |
| 367 | * which will use the highest version 3 we support. | 369 | * which will use the highest version 3 we support. |
| 368 | * If TLS 2.0 ever appears we will need to revise | 370 | * If TLS 2.0 ever appears we will need to revise |
| 369 | * this.... | 371 | * this.... |
| 370 | */ | 372 | */ |
| 371 | else if (p[9] > SSL3_VERSION_MAJOR) | 373 | if (p[9] > SSL3_VERSION_MAJOR) |
| 372 | v[1] = 0xff; | 374 | v[1] = 0xff; |
| 373 | else | 375 | else |
| 374 | v[1] = p[10]; /* minor version according to client_version */ | 376 | v[1] = p[10]; /* minor version according to client_version */ |
| @@ -422,13 +424,33 @@ ssl23_get_client_hello(SSL *s) | |||
| 422 | v[0] = p[3]; /* == SSL3_VERSION_MAJOR */ | 424 | v[0] = p[3]; /* == SSL3_VERSION_MAJOR */ |
| 423 | v[1] = p[4]; | 425 | v[1] = p[4]; |
| 424 | 426 | ||
| 427 | /* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2 | ||
| 428 | * header is sent directly on the wire, not wrapped as a TLS | ||
| 429 | * record. It's format is: | ||
| 430 | * Byte Content | ||
| 431 | * 0-1 msg_length | ||
| 432 | * 2 msg_type | ||
| 433 | * 3-4 version | ||
| 434 | * 5-6 cipher_spec_length | ||
| 435 | * 7-8 session_id_length | ||
| 436 | * 9-10 challenge_length | ||
| 437 | * ... ... | ||
| 438 | */ | ||
| 425 | n = ((p[0] & 0x7f) << 8) | p[1]; | 439 | n = ((p[0] & 0x7f) << 8) | p[1]; |
| 426 | if (n > (1024 * 4)) { | 440 | if (n > (1024 * 4)) { |
| 427 | SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_TOO_LARGE); | 441 | SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_TOO_LARGE); |
| 428 | return -1; | 442 | return -1; |
| 429 | } | 443 | } |
| 444 | if (n < 9) { | ||
| 445 | SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, | ||
| 446 | SSL_R_RECORD_LENGTH_MISMATCH); | ||
| 447 | return -1; | ||
| 448 | } | ||
| 430 | 449 | ||
| 431 | j = ssl23_read_bytes(s, n + 2); | 450 | j = ssl23_read_bytes(s, n + 2); |
| 451 | /* We previously read 11 bytes, so if j > 0, we must have | ||
| 452 | * j == n+2 == s->packet_length. We have at least 11 valid | ||
| 453 | * packet bytes. */ | ||
| 432 | if (j <= 0) | 454 | if (j <= 0) |
| 433 | return (j); | 455 | return (j); |
| 434 | 456 | ||