diff options
| author | markus <> | 2003-05-11 21:36:58 +0000 |
|---|---|---|
| committer | markus <> | 2003-05-11 21:36:58 +0000 |
| commit | 1c98a87f0daac81245653c227eb2f2508a22a965 (patch) | |
| tree | 3de6d603296ec563b936da4e6a8a1e33d48f8884 /src/lib/libssl/s3_srvr.c | |
| parent | 31392c89d1135cf2a416f97295f6d21681b3fbc4 (diff) | |
| download | openbsd-1c98a87f0daac81245653c227eb2f2508a22a965.tar.gz openbsd-1c98a87f0daac81245653c227eb2f2508a22a965.tar.bz2 openbsd-1c98a87f0daac81245653c227eb2f2508a22a965.zip | |
import 0.9.7b (without idea and rc5)
Diffstat (limited to 'src/lib/libssl/s3_srvr.c')
| -rw-r--r-- | src/lib/libssl/s3_srvr.c | 53 |
1 files changed, 29 insertions, 24 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 20d716fb1b..58cf774967 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c | |||
| @@ -152,11 +152,18 @@ SSL_METHOD *SSLv3_server_method(void) | |||
| 152 | 152 | ||
| 153 | if (init) | 153 | if (init) |
| 154 | { | 154 | { |
| 155 | memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(), | 155 | CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); |
| 156 | sizeof(SSL_METHOD)); | 156 | |
| 157 | SSLv3_server_data.ssl_accept=ssl3_accept; | 157 | if (init) |
| 158 | SSLv3_server_data.get_ssl_method=ssl3_get_server_method; | 158 | { |
| 159 | init=0; | 159 | memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(), |
| 160 | sizeof(SSL_METHOD)); | ||
| 161 | SSLv3_server_data.ssl_accept=ssl3_accept; | ||
| 162 | SSLv3_server_data.get_ssl_method=ssl3_get_server_method; | ||
| 163 | init=0; | ||
| 164 | } | ||
| 165 | |||
| 166 | CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); | ||
| 160 | } | 167 | } |
| 161 | return(&SSLv3_server_data); | 168 | return(&SSLv3_server_data); |
| 162 | } | 169 | } |
| @@ -1171,7 +1178,7 @@ static int ssl3_send_server_key_exchange(SSL *s) | |||
| 1171 | kn=0; | 1178 | kn=0; |
| 1172 | } | 1179 | } |
| 1173 | 1180 | ||
| 1174 | if (!BUF_MEM_grow(buf,n+4+kn)) | 1181 | if (!BUF_MEM_grow_clean(buf,n+4+kn)) |
| 1175 | { | 1182 | { |
| 1176 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF); | 1183 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF); |
| 1177 | goto err; | 1184 | goto err; |
| @@ -1298,7 +1305,7 @@ static int ssl3_send_certificate_request(SSL *s) | |||
| 1298 | { | 1305 | { |
| 1299 | name=sk_X509_NAME_value(sk,i); | 1306 | name=sk_X509_NAME_value(sk,i); |
| 1300 | j=i2d_X509_NAME(name,NULL); | 1307 | j=i2d_X509_NAME(name,NULL); |
| 1301 | if (!BUF_MEM_grow(buf,4+n+j+2)) | 1308 | if (!BUF_MEM_grow_clean(buf,4+n+j+2)) |
| 1302 | { | 1309 | { |
| 1303 | SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB); | 1310 | SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB); |
| 1304 | goto err; | 1311 | goto err; |
| @@ -1440,7 +1447,7 @@ static int ssl3_get_client_key_exchange(SSL *s) | |||
| 1440 | if (i != SSL_MAX_MASTER_KEY_LENGTH) | 1447 | if (i != SSL_MAX_MASTER_KEY_LENGTH) |
| 1441 | { | 1448 | { |
| 1442 | al=SSL_AD_DECODE_ERROR; | 1449 | al=SSL_AD_DECODE_ERROR; |
| 1443 | SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); | 1450 | /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */ |
| 1444 | } | 1451 | } |
| 1445 | 1452 | ||
| 1446 | if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) | 1453 | if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) |
| @@ -1456,37 +1463,35 @@ static int ssl3_get_client_key_exchange(SSL *s) | |||
| 1456 | (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) | 1463 | (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) |
| 1457 | { | 1464 | { |
| 1458 | al=SSL_AD_DECODE_ERROR; | 1465 | al=SSL_AD_DECODE_ERROR; |
| 1459 | SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); | 1466 | /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ |
| 1460 | goto f_err; | 1467 | |
| 1468 | /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack | ||
| 1469 | * (http://eprint.iacr.org/2003/052/) exploits the version | ||
| 1470 | * number check as a "bad version oracle" -- an alert would | ||
| 1471 | * reveal that the plaintext corresponding to some ciphertext | ||
| 1472 | * made up by the adversary is properly formatted except | ||
| 1473 | * that the version number is wrong. To avoid such attacks, | ||
| 1474 | * we should treat this just like any other decryption error. */ | ||
| 1461 | } | 1475 | } |
| 1462 | } | 1476 | } |
| 1463 | 1477 | ||
| 1464 | if (al != -1) | 1478 | if (al != -1) |
| 1465 | { | 1479 | { |
| 1466 | #if 0 | ||
| 1467 | goto f_err; | ||
| 1468 | #else | ||
| 1469 | /* Some decryption failure -- use random value instead as countermeasure | 1480 | /* Some decryption failure -- use random value instead as countermeasure |
| 1470 | * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding | 1481 | * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding |
| 1471 | * (see RFC 2246, section 7.4.7.1). | 1482 | * (see RFC 2246, section 7.4.7.1). */ |
| 1472 | * But note that due to length and protocol version checking, the | ||
| 1473 | * attack is impractical anyway (see section 5 in D. Bleichenbacher: | ||
| 1474 | * "Chosen Ciphertext Attacks Against Protocols Based on the RSA | ||
| 1475 | * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12). | ||
| 1476 | */ | ||
| 1477 | ERR_clear_error(); | 1483 | ERR_clear_error(); |
| 1478 | i = SSL_MAX_MASTER_KEY_LENGTH; | 1484 | i = SSL_MAX_MASTER_KEY_LENGTH; |
| 1479 | p[0] = s->client_version >> 8; | 1485 | p[0] = s->client_version >> 8; |
| 1480 | p[1] = s->client_version & 0xff; | 1486 | p[1] = s->client_version & 0xff; |
| 1481 | RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */ | 1487 | RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */ |
| 1482 | #endif | ||
| 1483 | } | 1488 | } |
| 1484 | 1489 | ||
| 1485 | s->session->master_key_length= | 1490 | s->session->master_key_length= |
| 1486 | s->method->ssl3_enc->generate_master_secret(s, | 1491 | s->method->ssl3_enc->generate_master_secret(s, |
| 1487 | s->session->master_key, | 1492 | s->session->master_key, |
| 1488 | p,i); | 1493 | p,i); |
| 1489 | memset(p,0,i); | 1494 | OPENSSL_cleanse(p,i); |
| 1490 | } | 1495 | } |
| 1491 | else | 1496 | else |
| 1492 | #endif | 1497 | #endif |
| @@ -1549,7 +1554,7 @@ static int ssl3_get_client_key_exchange(SSL *s) | |||
| 1549 | s->session->master_key_length= | 1554 | s->session->master_key_length= |
| 1550 | s->method->ssl3_enc->generate_master_secret(s, | 1555 | s->method->ssl3_enc->generate_master_secret(s, |
| 1551 | s->session->master_key,p,i); | 1556 | s->session->master_key,p,i); |
| 1552 | memset(p,0,i); | 1557 | OPENSSL_cleanse(p,i); |
| 1553 | } | 1558 | } |
| 1554 | else | 1559 | else |
| 1555 | #endif | 1560 | #endif |
| @@ -1652,7 +1657,7 @@ static int ssl3_get_client_key_exchange(SSL *s) | |||
| 1652 | if (enc == NULL) | 1657 | if (enc == NULL) |
| 1653 | goto err; | 1658 | goto err; |
| 1654 | 1659 | ||
| 1655 | memset(iv, 0, EVP_MAX_IV_LENGTH); /* per RFC 1510 */ | 1660 | memset(iv, 0, sizeof iv); /* per RFC 1510 */ |
| 1656 | 1661 | ||
| 1657 | if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv)) | 1662 | if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv)) |
| 1658 | { | 1663 | { |
| @@ -1740,7 +1745,7 @@ static int ssl3_get_cert_verify(SSL *s) | |||
| 1740 | SSL3_ST_SR_CERT_VRFY_A, | 1745 | SSL3_ST_SR_CERT_VRFY_A, |
| 1741 | SSL3_ST_SR_CERT_VRFY_B, | 1746 | SSL3_ST_SR_CERT_VRFY_B, |
| 1742 | -1, | 1747 | -1, |
| 1743 | 512, /* 512? */ | 1748 | 514, /* 514? */ |
| 1744 | &ok); | 1749 | &ok); |
| 1745 | 1750 | ||
| 1746 | if (!ok) return((int)n); | 1751 | if (!ok) return((int)n); |