diff options
| author | jsing <> | 2017-03-07 13:37:03 +0000 |
|---|---|---|
| committer | jsing <> | 2017-03-07 13:37:03 +0000 |
| commit | 63d577c4e04cccd70b05bf2005ebe494f4da7478 (patch) | |
| tree | 38ccc93377fc811e45369923ac49d511014471e5 | |
| parent | cab54f8dc6223f27aec286860e686425563855c8 (diff) | |
| download | openbsd-63d577c4e04cccd70b05bf2005ebe494f4da7478.tar.gz openbsd-63d577c4e04cccd70b05bf2005ebe494f4da7478.tar.bz2 openbsd-63d577c4e04cccd70b05bf2005ebe494f4da7478.zip | |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned
and each hash processed separately.
Tested by tb@
| -rw-r--r-- | src/lib/libssl/t1_enc.c | 31 |
1 files changed, 26 insertions, 5 deletions
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c index 84f2e182d9..ac037478d6 100644 --- a/src/lib/libssl/t1_enc.c +++ b/src/lib/libssl/t1_enc.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: t1_enc.c,v 1.98 2017/03/06 15:08:57 jsing Exp $ */ | 1 | /* $OpenBSD: t1_enc.c,v 1.99 2017/03/07 13:37:03 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -378,6 +378,7 @@ tls1_PRF(SSL *s, const void *seed1, int seed1_len, const void *seed2, | |||
| 378 | int slen, unsigned char *out1, unsigned char *out2, int olen) | 378 | int slen, unsigned char *out1, unsigned char *out2, int olen) |
| 379 | { | 379 | { |
| 380 | const EVP_MD *md; | 380 | const EVP_MD *md; |
| 381 | size_t hlen; | ||
| 381 | int i; | 382 | int i; |
| 382 | 383 | ||
| 383 | memset(out1, 0, olen); | 384 | memset(out1, 0, olen); |
| @@ -385,13 +386,33 @@ tls1_PRF(SSL *s, const void *seed1, int seed1_len, const void *seed2, | |||
| 385 | if (!ssl_get_handshake_evp_md(s, &md)) | 386 | if (!ssl_get_handshake_evp_md(s, &md)) |
| 386 | return (0); | 387 | return (0); |
| 387 | 388 | ||
| 389 | if (md->type == NID_md5_sha1) { | ||
| 390 | /* | ||
| 391 | * Partition secret between MD5 and SHA1, then XOR result. | ||
| 392 | * If the secret length is odd, a one byte overlap is used. | ||
| 393 | */ | ||
| 394 | hlen = slen - (slen / 2); | ||
| 395 | if (!tls1_P_hash(EVP_md5(), sec, hlen, seed1, seed1_len, seed2, | ||
| 396 | seed2_len, seed3, seed3_len, seed4, seed4_len, seed5, | ||
| 397 | seed5_len, out1, olen)) | ||
| 398 | return (0); | ||
| 399 | |||
| 400 | sec += slen - hlen; | ||
| 401 | if (!tls1_P_hash(EVP_sha1(), sec, hlen, seed1, seed1_len, seed2, | ||
| 402 | seed2_len, seed3, seed3_len, seed4, seed4_len, seed5, | ||
| 403 | seed5_len, out2, olen)) | ||
| 404 | return (0); | ||
| 405 | |||
| 406 | for (i = 0; i < olen; i++) | ||
| 407 | out1[i] ^= out2[i]; | ||
| 408 | |||
| 409 | return (1); | ||
| 410 | } | ||
| 411 | |||
| 388 | if (!tls1_P_hash(md, sec, slen, seed1, seed1_len, seed2, seed2_len, | 412 | if (!tls1_P_hash(md, sec, slen, seed1, seed1_len, seed2, seed2_len, |
| 389 | seed3, seed3_len, seed4, seed4_len, seed5, seed5_len, out2, olen)) | 413 | seed3, seed3_len, seed4, seed4_len, seed5, seed5_len, out1, olen)) |
| 390 | return (0); | 414 | return (0); |
| 391 | 415 | ||
| 392 | for (i = 0; i < olen; i++) | ||
| 393 | out1[i] ^= out2[i]; | ||
| 394 | |||
| 395 | return (1); | 416 | return (1); |
| 396 | } | 417 | } |
| 397 | 418 | ||