diff options
| author | jsing <> | 2015-02-06 09:58:52 +0000 |
|---|---|---|
| committer | jsing <> | 2015-02-06 09:58:52 +0000 |
| commit | 9bec1611d9610ec152375d6e1f622b93ed03a1a0 (patch) | |
| tree | ed361a344289c7ae8f6d94cc1f12da9e7618aa36 /src | |
| parent | c1f6acb1132a3014b5f1be04adc57d03d6851dbb (diff) | |
| download | openbsd-9bec1611d9610ec152375d6e1f622b93ed03a1a0.tar.gz openbsd-9bec1611d9610ec152375d6e1f622b93ed03a1a0.tar.bz2 openbsd-9bec1611d9610ec152375d6e1f622b93ed03a1a0.zip | |
Add additional checks to ssl3_send_client_key_exchange() that ensures
ephemeral keys exist for SSL_kDHE and SSL_kECDHE.
This would have prevented CVE-2014-3572.
ok doug@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/s3_clnt.c | 43 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/s3_clnt.c | 43 |
2 files changed, 50 insertions, 36 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index 1a64a7e5f2..b2c7517598 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_clnt.c,v 1.105 2015/02/06 08:30:23 jsing Exp $ */ | 1 | /* $OpenBSD: s3_clnt.c,v 1.106 2015/02/06 09:58:52 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1968,16 +1968,15 @@ ssl3_send_client_key_exchange(SSL *s) | |||
| 1968 | } else if (alg_k & SSL_kDHE) { | 1968 | } else if (alg_k & SSL_kDHE) { |
| 1969 | DH *dh_srvr, *dh_clnt; | 1969 | DH *dh_srvr, *dh_clnt; |
| 1970 | 1970 | ||
| 1971 | if (s->session->sess_cert->peer_dh_tmp != NULL) | 1971 | /* Ensure that we have an ephemeral key for DHE. */ |
| 1972 | dh_srvr = s->session->sess_cert->peer_dh_tmp; | 1972 | if (s->session->sess_cert->peer_dh_tmp == NULL) { |
| 1973 | else { | ||
| 1974 | /* We get them from the cert. */ | ||
| 1975 | ssl3_send_alert(s, SSL3_AL_FATAL, | 1973 | ssl3_send_alert(s, SSL3_AL_FATAL, |
| 1976 | SSL_AD_HANDSHAKE_FAILURE); | 1974 | SSL_AD_HANDSHAKE_FAILURE); |
| 1977 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | 1975 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, |
| 1978 | SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); | 1976 | SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); |
| 1979 | goto err; | 1977 | goto err; |
| 1980 | } | 1978 | } |
| 1979 | dh_srvr = s->session->sess_cert->peer_dh_tmp; | ||
| 1981 | 1980 | ||
| 1982 | /* Generate a new random key. */ | 1981 | /* Generate a new random key. */ |
| 1983 | if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL) { | 1982 | if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL) { |
| @@ -2057,22 +2056,30 @@ ssl3_send_client_key_exchange(SSL *s) | |||
| 2057 | */ | 2056 | */ |
| 2058 | } | 2057 | } |
| 2059 | 2058 | ||
| 2060 | if (s->session->sess_cert->peer_ecdh_tmp != NULL) { | 2059 | /* Ensure that we have an ephemeral key for ECDHE. */ |
| 2061 | tkey = s->session->sess_cert->peer_ecdh_tmp; | 2060 | if ((alg_k & SSL_kECDHE) && |
| 2062 | } else { | 2061 | s->session->sess_cert->peer_ecdh_tmp == NULL) { |
| 2062 | ssl3_send_alert(s, SSL3_AL_FATAL, | ||
| 2063 | SSL_AD_HANDSHAKE_FAILURE); | ||
| 2064 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | ||
| 2065 | ERR_R_INTERNAL_ERROR); | ||
| 2066 | goto err; | ||
| 2067 | } | ||
| 2068 | tkey = s->session->sess_cert->peer_ecdh_tmp; | ||
| 2069 | |||
| 2070 | if (alg_k & (SSL_kECDHr|SSL_kECDHe)) { | ||
| 2063 | /* Get the Server Public Key from Cert */ | 2071 | /* Get the Server Public Key from Cert */ |
| 2064 | srvr_pub_pkey = X509_get_pubkey(s->session-> \ | 2072 | srvr_pub_pkey = X509_get_pubkey(s->session-> \ |
| 2065 | sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); | 2073 | sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); |
| 2066 | if ((srvr_pub_pkey == NULL) || | 2074 | if (srvr_pub_pkey != NULL && |
| 2067 | (srvr_pub_pkey->type != EVP_PKEY_EC) || | 2075 | srvr_pub_pkey->type == EVP_PKEY_EC) |
| 2068 | (srvr_pub_pkey->pkey.ec == NULL)) { | 2076 | tkey = srvr_pub_pkey->pkey.ec; |
| 2069 | SSLerr( | 2077 | } |
| 2070 | SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | ||
| 2071 | ERR_R_INTERNAL_ERROR); | ||
| 2072 | goto err; | ||
| 2073 | } | ||
| 2074 | 2078 | ||
| 2075 | tkey = srvr_pub_pkey->pkey.ec; | 2079 | if (tkey == NULL) { |
| 2080 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | ||
| 2081 | ERR_R_INTERNAL_ERROR); | ||
| 2082 | goto err; | ||
| 2076 | } | 2083 | } |
| 2077 | 2084 | ||
| 2078 | srvr_group = EC_KEY_get0_group(tkey); | 2085 | srvr_group = EC_KEY_get0_group(tkey); |
| @@ -2314,7 +2321,7 @@ ssl3_send_client_key_exchange(SSL *s) | |||
| 2314 | ssl3_send_alert(s, SSL3_AL_FATAL, | 2321 | ssl3_send_alert(s, SSL3_AL_FATAL, |
| 2315 | SSL_AD_HANDSHAKE_FAILURE); | 2322 | SSL_AD_HANDSHAKE_FAILURE); |
| 2316 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | 2323 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, |
| 2317 | ERR_R_INTERNAL_ERROR); | 2324 | ERR_R_INTERNAL_ERROR); |
| 2318 | goto err; | 2325 | goto err; |
| 2319 | } | 2326 | } |
| 2320 | 2327 | ||
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c index 1a64a7e5f2..b2c7517598 100644 --- a/src/lib/libssl/src/ssl/s3_clnt.c +++ b/src/lib/libssl/src/ssl/s3_clnt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_clnt.c,v 1.105 2015/02/06 08:30:23 jsing Exp $ */ | 1 | /* $OpenBSD: s3_clnt.c,v 1.106 2015/02/06 09:58:52 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1968,16 +1968,15 @@ ssl3_send_client_key_exchange(SSL *s) | |||
| 1968 | } else if (alg_k & SSL_kDHE) { | 1968 | } else if (alg_k & SSL_kDHE) { |
| 1969 | DH *dh_srvr, *dh_clnt; | 1969 | DH *dh_srvr, *dh_clnt; |
| 1970 | 1970 | ||
| 1971 | if (s->session->sess_cert->peer_dh_tmp != NULL) | 1971 | /* Ensure that we have an ephemeral key for DHE. */ |
| 1972 | dh_srvr = s->session->sess_cert->peer_dh_tmp; | 1972 | if (s->session->sess_cert->peer_dh_tmp == NULL) { |
| 1973 | else { | ||
| 1974 | /* We get them from the cert. */ | ||
| 1975 | ssl3_send_alert(s, SSL3_AL_FATAL, | 1973 | ssl3_send_alert(s, SSL3_AL_FATAL, |
| 1976 | SSL_AD_HANDSHAKE_FAILURE); | 1974 | SSL_AD_HANDSHAKE_FAILURE); |
| 1977 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | 1975 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, |
| 1978 | SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); | 1976 | SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); |
| 1979 | goto err; | 1977 | goto err; |
| 1980 | } | 1978 | } |
| 1979 | dh_srvr = s->session->sess_cert->peer_dh_tmp; | ||
| 1981 | 1980 | ||
| 1982 | /* Generate a new random key. */ | 1981 | /* Generate a new random key. */ |
| 1983 | if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL) { | 1982 | if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL) { |
| @@ -2057,22 +2056,30 @@ ssl3_send_client_key_exchange(SSL *s) | |||
| 2057 | */ | 2056 | */ |
| 2058 | } | 2057 | } |
| 2059 | 2058 | ||
| 2060 | if (s->session->sess_cert->peer_ecdh_tmp != NULL) { | 2059 | /* Ensure that we have an ephemeral key for ECDHE. */ |
| 2061 | tkey = s->session->sess_cert->peer_ecdh_tmp; | 2060 | if ((alg_k & SSL_kECDHE) && |
| 2062 | } else { | 2061 | s->session->sess_cert->peer_ecdh_tmp == NULL) { |
| 2062 | ssl3_send_alert(s, SSL3_AL_FATAL, | ||
| 2063 | SSL_AD_HANDSHAKE_FAILURE); | ||
| 2064 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | ||
| 2065 | ERR_R_INTERNAL_ERROR); | ||
| 2066 | goto err; | ||
| 2067 | } | ||
| 2068 | tkey = s->session->sess_cert->peer_ecdh_tmp; | ||
| 2069 | |||
| 2070 | if (alg_k & (SSL_kECDHr|SSL_kECDHe)) { | ||
| 2063 | /* Get the Server Public Key from Cert */ | 2071 | /* Get the Server Public Key from Cert */ |
| 2064 | srvr_pub_pkey = X509_get_pubkey(s->session-> \ | 2072 | srvr_pub_pkey = X509_get_pubkey(s->session-> \ |
| 2065 | sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); | 2073 | sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); |
| 2066 | if ((srvr_pub_pkey == NULL) || | 2074 | if (srvr_pub_pkey != NULL && |
| 2067 | (srvr_pub_pkey->type != EVP_PKEY_EC) || | 2075 | srvr_pub_pkey->type == EVP_PKEY_EC) |
| 2068 | (srvr_pub_pkey->pkey.ec == NULL)) { | 2076 | tkey = srvr_pub_pkey->pkey.ec; |
| 2069 | SSLerr( | 2077 | } |
| 2070 | SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | ||
| 2071 | ERR_R_INTERNAL_ERROR); | ||
| 2072 | goto err; | ||
| 2073 | } | ||
| 2074 | 2078 | ||
| 2075 | tkey = srvr_pub_pkey->pkey.ec; | 2079 | if (tkey == NULL) { |
| 2080 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | ||
| 2081 | ERR_R_INTERNAL_ERROR); | ||
| 2082 | goto err; | ||
| 2076 | } | 2083 | } |
| 2077 | 2084 | ||
| 2078 | srvr_group = EC_KEY_get0_group(tkey); | 2085 | srvr_group = EC_KEY_get0_group(tkey); |
| @@ -2314,7 +2321,7 @@ ssl3_send_client_key_exchange(SSL *s) | |||
| 2314 | ssl3_send_alert(s, SSL3_AL_FATAL, | 2321 | ssl3_send_alert(s, SSL3_AL_FATAL, |
| 2315 | SSL_AD_HANDSHAKE_FAILURE); | 2322 | SSL_AD_HANDSHAKE_FAILURE); |
| 2316 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | 2323 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, |
| 2317 | ERR_R_INTERNAL_ERROR); | 2324 | ERR_R_INTERNAL_ERROR); |
| 2318 | goto err; | 2325 | goto err; |
| 2319 | } | 2326 | } |
| 2320 | 2327 | ||