1 files changed, 40 insertions, 53 deletions
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 3bd3319989..ff5b020d7a 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.34 2018/06/03 15:33:37 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.35 2018/06/10 13:50:39 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1724,22 +1724,18 @@ ssl3_send_certificate_request(SSL *s)
 }
 static int
-ssl3_get_client_kex_rsa(SSL *s, unsigned char *p, long n)
+ssl3_get_client_kex_rsa(SSL *s, CBS *cbs)
 {
        unsigned char fakekey[SSL_MAX_MASTER_KEY_LENGTH];
        unsigned char *pms = NULL;
+        unsigned char *p;
        size_t pms_len = 0;
        EVP_PKEY *pkey = NULL;
        RSA *rsa = NULL;
-        CBS cbs, enc_pms;
+        CBS enc_pms;
        int decrypt_len;
        int al = -1;
-        if (n < 0)
-                goto err;
-        CBS_init(&cbs, p, n);
        arc4random_buf(fakekey, sizeof(fakekey));
        fakekey[0] = s->client_version >> 8;
        fakekey[1] = s->client_version & 0xff;
@@ -1760,9 +1756,9 @@ ssl3_get_client_kex_rsa(SSL *s, unsigned char *p, long n)
                goto err;
        p = pms;
-        if (!CBS_get_u16_length_prefixed(&cbs, &enc_pms))
+        if (!CBS_get_u16_length_prefixed(cbs, &enc_pms))
                goto truncated;
-        if (CBS_len(&cbs) != 0 || CBS_len(&enc_pms) != RSA_size(rsa)) {
+        if (CBS_len(cbs) != 0 || CBS_len(&enc_pms) != RSA_size(rsa)) {
                SSLerror(s, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
                goto err;
        }
@@ -1827,23 +1823,17 @@ ssl3_get_client_kex_rsa(SSL *s, unsigned char *p, long n)
 }
 static int
-ssl3_get_client_kex_dhe(SSL *s, unsigned char *p, long n)
+ssl3_get_client_kex_dhe(SSL *s, CBS *cbs)
 {
        int key_size = 0, key_len, al;
        unsigned char *key = NULL;
        BIGNUM *bn = NULL;
-        CBS cbs, dh_Yc;
+        CBS dh_Yc;
        DH *dh;
-        if (n < 0)
+        if (!CBS_get_u16_length_prefixed(cbs, &dh_Yc))
-                goto err;
-        CBS_init(&cbs, p, n);
-        if (!CBS_get_u16_length_prefixed(&cbs, &dh_Yc))
                goto truncated;
+        if (CBS_len(cbs) != 0)
-        if (CBS_len(&cbs) != 0)
                goto truncated;
        if (S3I(s)->tmp.dh == NULL) {
@@ -1895,25 +1885,20 @@ ssl3_get_client_kex_dhe(SSL *s, unsigned char *p, long n)
 }
 static int
-ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n)
+ssl3_get_client_kex_ecdhe_ecp(SSL *s, CBS *cbs)
 {
        unsigned char *key = NULL;
        int key_size = 0, key_len;
        EC_POINT *point = NULL;
        BN_CTX *bn_ctx = NULL;
        const EC_GROUP *group;
-        CBS cbs, public;
        EC_KEY *ecdh;
+        CBS public;
        int ret = -1;
-        if (n < 0)
+        if (!CBS_get_u8_length_prefixed(cbs, &public))
-                goto err;
-        CBS_init(&cbs, p, n);
-        if (!CBS_get_u8_length_prefixed(&cbs, &public))
                goto err;
-        if (CBS_len(&cbs) != 0)
+        if (CBS_len(cbs) != 0)
                goto err;
        /*
@@ -1977,17 +1962,15 @@ ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n)
 }
 static int
-ssl3_get_client_kex_ecdhe_ecx(SSL *s, unsigned char *p, long n)
+ssl3_get_client_kex_ecdhe_ecx(SSL *s, CBS *cbs)
 {
        uint8_t *shared_key = NULL;
-        CBS cbs, ecpoint;
+        CBS ecpoint;
        int ret = -1;
-        if (n < 0)
+        if (!CBS_get_u8_length_prefixed(cbs, &ecpoint))
                goto err;
+        if (CBS_len(cbs) != 0)
-        CBS_init(&cbs, p, n);
-        if (!CBS_get_u8_length_prefixed(&cbs, &ecpoint))
                goto err;
        if (CBS_len(&ecpoint) != X25519_KEY_LENGTH)
                goto err;
@@ -2013,31 +1996,26 @@ ssl3_get_client_kex_ecdhe_ecx(SSL *s, unsigned char *p, long n)
 }
 static int
-ssl3_get_client_kex_ecdhe(SSL *s, unsigned char *p, long n)
+ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs)
 {
        if (S3I(s)->tmp.x25519 != NULL)
-                return ssl3_get_client_kex_ecdhe_ecx(s, p, n);
+                return ssl3_get_client_kex_ecdhe_ecx(s, cbs);
-        return ssl3_get_client_kex_ecdhe_ecp(s, p, n);
+        return ssl3_get_client_kex_ecdhe_ecp(s, cbs);
 }
 static int
-ssl3_get_client_kex_gost(SSL *s, unsigned char *p, long n)
+ssl3_get_client_kex_gost(SSL *s, CBS *cbs)
 {
        EVP_PKEY_CTX *pkey_ctx;
        EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
        unsigned char premaster_secret[32];
        unsigned long alg_a;
        size_t outlen = 32;
-        CBS cbs, gostblob;
+        CBS gostblob;
        int al;
        int ret = 0;
-        if (n < 0)
-                goto err;
-        CBS_init(&cbs, p, n);
        /* Get our certificate private key*/
        alg_a = S3I(s)->hs.new_cipher->algorithm_auth;
        if (alg_a & SSL_aGOST01)
@@ -2062,9 +2040,9 @@ ssl3_get_client_kex_gost(SSL *s, unsigned char *p, long n)
        }
        /* Decrypt session key */
-        if (!CBS_get_asn1(&cbs, &gostblob, CBS_ASN1_SEQUENCE))
+        if (!CBS_get_asn1(cbs, &gostblob, CBS_ASN1_SEQUENCE))
                goto truncated;
-        if (CBS_len(&cbs) != 0)
+        if (CBS_len(cbs) != 0)
                goto truncated;
        if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen,
            CBS_data(&gostblob), CBS_len(&gostblob)) <= 0) {
@@ -2103,8 +2081,8 @@ int
 ssl3_get_client_key_exchange(SSL *s)
 {
        unsigned long alg_k;
-        unsigned char *p;
        int al, ok;
+        CBS cbs;
        long n;
        /* 2048 maxlen is a guess.  How long a key does that permit? */
@@ -2113,21 +2091,24 @@ ssl3_get_client_key_exchange(SSL *s)
        if (!ok)
                return ((int)n);
-        p = (unsigned char *)s->internal->init_msg;
+        if (n < 0)
+                goto err;
+        CBS_init(&cbs, s->internal->init_msg, n);
        alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
        if (alg_k & SSL_kRSA) {
-                if (ssl3_get_client_kex_rsa(s, p, n) != 1)
+                if (ssl3_get_client_kex_rsa(s, &cbs) != 1)
                        goto err;
        } else if (alg_k & SSL_kDHE) {
-                if (ssl3_get_client_kex_dhe(s, p, n) != 1)
+                if (ssl3_get_client_kex_dhe(s, &cbs) != 1)
                        goto err;
        } else if (alg_k & SSL_kECDHE) {
-                if (ssl3_get_client_kex_ecdhe(s, p, n) != 1)
+                if (ssl3_get_client_kex_ecdhe(s, &cbs) != 1)
                        goto err;
        } else if (alg_k & SSL_kGOST) {
-                if (ssl3_get_client_kex_gost(s, p, n) != 1)
+                if (ssl3_get_client_kex_gost(s, &cbs) != 1)
                        goto err;
        } else {
                al = SSL_AD_HANDSHAKE_FAILURE;
@@ -2135,6 +2116,12 @@ ssl3_get_client_key_exchange(SSL *s)
                goto f_err;
        }
+        if (CBS_len(&cbs) != 0) {
+                al = SSL_AD_DECODE_ERROR;
+                SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
+                goto f_err;
+        }
        return (1);
 f_err:

diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index 3bd3319989..ff5b020d7a 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_srvr.c,v 1.34 2018/06/03 15:33:37 jsing Exp $ */	1	/* $OpenBSD: ssl_srvr.c,v 1.35 2018/06/10 13:50:39 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1724,22 +1724,18 @@ ssl3_send_certificate_request(SSL *s)
1724	}	1724	}
1725		1725
1726	static int	1726	static int
1727	ssl3_get_client_kex_rsa(SSL s, unsigned char p, long n)	1727	ssl3_get_client_kex_rsa(SSL s, CBS cbs)
1728	{	1728	{
1729	unsigned char fakekey[SSL_MAX_MASTER_KEY_LENGTH];	1729	unsigned char fakekey[SSL_MAX_MASTER_KEY_LENGTH];
1730	unsigned char *pms = NULL;	1730	unsigned char *pms = NULL;
		1731	unsigned char *p;
1731	size_t pms_len = 0;	1732	size_t pms_len = 0;
1732	EVP_PKEY *pkey = NULL;	1733	EVP_PKEY *pkey = NULL;
1733	RSA *rsa = NULL;	1734	RSA *rsa = NULL;
1734	CBS cbs, enc_pms;	1735	CBS enc_pms;
1735	int decrypt_len;	1736	int decrypt_len;
1736	int al = -1;	1737	int al = -1;
1737		1738
1738	if (n < 0)
1739	goto err;
1740
1741	CBS_init(&cbs, p, n);
1742
1743	arc4random_buf(fakekey, sizeof(fakekey));	1739	arc4random_buf(fakekey, sizeof(fakekey));
1744	fakekey[0] = s->client_version >> 8;	1740	fakekey[0] = s->client_version >> 8;
1745	fakekey[1] = s->client_version & 0xff;	1741	fakekey[1] = s->client_version & 0xff;
@@ -1760,9 +1756,9 @@ ssl3_get_client_kex_rsa(SSL s, unsigned char p, long n)
1760	goto err;	1756	goto err;
1761	p = pms;	1757	p = pms;
1762		1758
1763	if (!CBS_get_u16_length_prefixed(&cbs, &enc_pms))	1759	if (!CBS_get_u16_length_prefixed(cbs, &enc_pms))
1764	goto truncated;	1760	goto truncated;
1765	if (CBS_len(&cbs) != 0 \|\| CBS_len(&enc_pms) != RSA_size(rsa)) {	1761	if (CBS_len(cbs) != 0 \|\| CBS_len(&enc_pms) != RSA_size(rsa)) {
1766	SSLerror(s, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);	1762	SSLerror(s, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
1767	goto err;	1763	goto err;
1768	}	1764	}
@@ -1827,23 +1823,17 @@ ssl3_get_client_kex_rsa(SSL s, unsigned char p, long n)
1827	}	1823	}
1828		1824
1829	static int	1825	static int
1830	ssl3_get_client_kex_dhe(SSL s, unsigned char p, long n)	1826	ssl3_get_client_kex_dhe(SSL s, CBS cbs)
1831	{	1827	{
1832	int key_size = 0, key_len, al;	1828	int key_size = 0, key_len, al;
1833	unsigned char *key = NULL;	1829	unsigned char *key = NULL;
1834	BIGNUM *bn = NULL;	1830	BIGNUM *bn = NULL;
1835	CBS cbs, dh_Yc;	1831	CBS dh_Yc;
1836	DH *dh;	1832	DH *dh;
1837		1833
1838	if (n < 0)	1834	if (!CBS_get_u16_length_prefixed(cbs, &dh_Yc))
1839	goto err;
1840
1841	CBS_init(&cbs, p, n);
1842
1843	if (!CBS_get_u16_length_prefixed(&cbs, &dh_Yc))
1844	goto truncated;	1835	goto truncated;
1845		1836	if (CBS_len(cbs) != 0)
1846	if (CBS_len(&cbs) != 0)
1847	goto truncated;	1837	goto truncated;
1848		1838
1849	if (S3I(s)->tmp.dh == NULL) {	1839	if (S3I(s)->tmp.dh == NULL) {
@@ -1895,25 +1885,20 @@ ssl3_get_client_kex_dhe(SSL s, unsigned char p, long n)
1895	}	1885	}
1896		1886
1897	static int	1887	static int
1898	ssl3_get_client_kex_ecdhe_ecp(SSL s, unsigned char p, long n)	1888	ssl3_get_client_kex_ecdhe_ecp(SSL s, CBS cbs)
1899	{	1889	{
1900	unsigned char *key = NULL;	1890	unsigned char *key = NULL;
1901	int key_size = 0, key_len;	1891	int key_size = 0, key_len;
1902	EC_POINT *point = NULL;	1892	EC_POINT *point = NULL;
1903	BN_CTX *bn_ctx = NULL;	1893	BN_CTX *bn_ctx = NULL;
1904	const EC_GROUP *group;	1894	const EC_GROUP *group;
1905	CBS cbs, public;
1906	EC_KEY *ecdh;	1895	EC_KEY *ecdh;
		1896	CBS public;
1907	int ret = -1;	1897	int ret = -1;
1908		1898
1909	if (n < 0)	1899	if (!CBS_get_u8_length_prefixed(cbs, &public))
1910	goto err;
1911
1912	CBS_init(&cbs, p, n);
1913
1914	if (!CBS_get_u8_length_prefixed(&cbs, &public))
1915	goto err;	1900	goto err;
1916	if (CBS_len(&cbs) != 0)	1901	if (CBS_len(cbs) != 0)
1917	goto err;	1902	goto err;
1918		1903
1919	/*	1904	/*
@@ -1977,17 +1962,15 @@ ssl3_get_client_kex_ecdhe_ecp(SSL s, unsigned char p, long n)
1977	}	1962	}
1978		1963
1979	static int	1964	static int
1980	ssl3_get_client_kex_ecdhe_ecx(SSL s, unsigned char p, long n)	1965	ssl3_get_client_kex_ecdhe_ecx(SSL s, CBS cbs)
1981	{	1966	{
1982	uint8_t *shared_key = NULL;	1967	uint8_t *shared_key = NULL;
1983	CBS cbs, ecpoint;	1968	CBS ecpoint;
1984	int ret = -1;	1969	int ret = -1;
1985		1970
1986	if (n < 0)	1971	if (!CBS_get_u8_length_prefixed(cbs, &ecpoint))
1987	goto err;	1972	goto err;
1988		1973	if (CBS_len(cbs) != 0)
1989	CBS_init(&cbs, p, n);
1990	if (!CBS_get_u8_length_prefixed(&cbs, &ecpoint))
1991	goto err;	1974	goto err;
1992	if (CBS_len(&ecpoint) != X25519_KEY_LENGTH)	1975	if (CBS_len(&ecpoint) != X25519_KEY_LENGTH)
1993	goto err;	1976	goto err;
@@ -2013,31 +1996,26 @@ ssl3_get_client_kex_ecdhe_ecx(SSL s, unsigned char p, long n)
2013	}	1996	}
2014		1997
2015	static int	1998	static int
2016	ssl3_get_client_kex_ecdhe(SSL s, unsigned char p, long n)	1999	ssl3_get_client_kex_ecdhe(SSL s, CBS cbs)
2017	{	2000	{
2018	if (S3I(s)->tmp.x25519 != NULL)	2001	if (S3I(s)->tmp.x25519 != NULL)
2019	return ssl3_get_client_kex_ecdhe_ecx(s, p, n);	2002	return ssl3_get_client_kex_ecdhe_ecx(s, cbs);
2020		2003
2021	return ssl3_get_client_kex_ecdhe_ecp(s, p, n);	2004	return ssl3_get_client_kex_ecdhe_ecp(s, cbs);
2022	}	2005	}
2023		2006
2024	static int	2007	static int
2025	ssl3_get_client_kex_gost(SSL s, unsigned char p, long n)	2008	ssl3_get_client_kex_gost(SSL s, CBS cbs)
2026	{	2009	{
2027	EVP_PKEY_CTX *pkey_ctx;	2010	EVP_PKEY_CTX *pkey_ctx;
2028	EVP_PKEY client_pub_pkey = NULL, pk = NULL;	2011	EVP_PKEY client_pub_pkey = NULL, pk = NULL;
2029	unsigned char premaster_secret[32];	2012	unsigned char premaster_secret[32];
2030	unsigned long alg_a;	2013	unsigned long alg_a;
2031	size_t outlen = 32;	2014	size_t outlen = 32;
2032	CBS cbs, gostblob;	2015	CBS gostblob;
2033	int al;	2016	int al;
2034	int ret = 0;	2017	int ret = 0;
2035		2018
2036	if (n < 0)
2037	goto err;
2038
2039	CBS_init(&cbs, p, n);
2040
2041	/* Get our certificate private key*/	2019	/* Get our certificate private key*/
2042	alg_a = S3I(s)->hs.new_cipher->algorithm_auth;	2020	alg_a = S3I(s)->hs.new_cipher->algorithm_auth;
2043	if (alg_a & SSL_aGOST01)	2021	if (alg_a & SSL_aGOST01)
@@ -2062,9 +2040,9 @@ ssl3_get_client_kex_gost(SSL s, unsigned char p, long n)
2062	}	2040	}
2063		2041
2064	/* Decrypt session key */	2042	/* Decrypt session key */
2065	if (!CBS_get_asn1(&cbs, &gostblob, CBS_ASN1_SEQUENCE))	2043	if (!CBS_get_asn1(cbs, &gostblob, CBS_ASN1_SEQUENCE))
2066	goto truncated;	2044	goto truncated;
2067	if (CBS_len(&cbs) != 0)	2045	if (CBS_len(cbs) != 0)
2068	goto truncated;	2046	goto truncated;
2069	if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen,	2047	if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen,
2070	CBS_data(&gostblob), CBS_len(&gostblob)) <= 0) {	2048	CBS_data(&gostblob), CBS_len(&gostblob)) <= 0) {
@@ -2103,8 +2081,8 @@ int
2103	ssl3_get_client_key_exchange(SSL *s)	2081	ssl3_get_client_key_exchange(SSL *s)
2104	{	2082	{
2105	unsigned long alg_k;	2083	unsigned long alg_k;
2106	unsigned char *p;
2107	int al, ok;	2084	int al, ok;
		2085	CBS cbs;
2108	long n;	2086	long n;
2109		2087
2110	/* 2048 maxlen is a guess. How long a key does that permit? */	2088	/* 2048 maxlen is a guess. How long a key does that permit? */
@@ -2113,21 +2091,24 @@ ssl3_get_client_key_exchange(SSL *s)
2113	if (!ok)	2091	if (!ok)
2114	return ((int)n);	2092	return ((int)n);
2115		2093
2116	p = (unsigned char *)s->internal->init_msg;	2094	if (n < 0)
		2095	goto err;
		2096
		2097	CBS_init(&cbs, s->internal->init_msg, n);
2117		2098
2118	alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;	2099	alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
2119		2100
2120	if (alg_k & SSL_kRSA) {	2101	if (alg_k & SSL_kRSA) {
2121	if (ssl3_get_client_kex_rsa(s, p, n) != 1)	2102	if (ssl3_get_client_kex_rsa(s, &cbs) != 1)
2122	goto err;	2103	goto err;
2123	} else if (alg_k & SSL_kDHE) {	2104	} else if (alg_k & SSL_kDHE) {
2124	if (ssl3_get_client_kex_dhe(s, p, n) != 1)	2105	if (ssl3_get_client_kex_dhe(s, &cbs) != 1)
2125	goto err;	2106	goto err;
2126	} else if (alg_k & SSL_kECDHE) {	2107	} else if (alg_k & SSL_kECDHE) {
2127	if (ssl3_get_client_kex_ecdhe(s, p, n) != 1)	2108	if (ssl3_get_client_kex_ecdhe(s, &cbs) != 1)
2128	goto err;	2109	goto err;
2129	} else if (alg_k & SSL_kGOST) {	2110	} else if (alg_k & SSL_kGOST) {
2130	if (ssl3_get_client_kex_gost(s, p, n) != 1)	2111	if (ssl3_get_client_kex_gost(s, &cbs) != 1)
2131	goto err;	2112	goto err;
2132	} else {	2113	} else {
2133	al = SSL_AD_HANDSHAKE_FAILURE;	2114	al = SSL_AD_HANDSHAKE_FAILURE;
@@ -2135,6 +2116,12 @@ ssl3_get_client_key_exchange(SSL *s)
2135	goto f_err;	2116	goto f_err;
2136	}	2117	}
2137		2118
		2119	if (CBS_len(&cbs) != 0) {
		2120	al = SSL_AD_DECODE_ERROR;
		2121	SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
		2122	goto f_err;
		2123	}
		2124
2138	return (1);	2125	return (1);
2139		2126
2140	f_err:	2127	f_err: