
Commit 86f8fb0

ekasper authored and mattcaswell committed
Fix reachable assert in SSLv2 servers.
This assert is reachable for servers that support SSLv2 and export ciphers. Therefore, such servers can be DoSed by sending a specially crafted SSLv2 CLIENT-MASTER-KEY. Also fix s2_srvr.c to error out early if the key lengths are malformed. These lengths are sent unencrypted, so this does not introduce an oracle. CVE-2015-0293 This issue was discovered by Sean Burford (Google) and Emilia Käsper of the OpenSSL development team. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
1 parent c0334c2 commit 86f8fb0


2 files changed

+46
-13
lines changed


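--- a/ssl/s2_lib.c
+++ b/ssl/s2_lib.c
@@ -493,7 +493,7 @@ int ssl2_generate_key_material(SSL *s)
 
 OPENSSL_assert(s->session->master_key_length >= 0
 && s->session->master_key_length
-< (int)sizeof(s->session->master_key));
+<= (int)sizeof(s->session->master_key));
 EVP_DigestUpdate(&ctx, s->session->master_key,
 s->session->master_key_length);
 EVP_DigestUpdate(&ctx, &c, 1);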
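Review bot: The relaxed upper bound on master_key_length is only safe because the length is now rejected earlier in s2_srvr.c; the OPENSSL_assert itself still aborts the process if any other caller stores an out-of-range value, which in a network-facing routine is the same class of remotely triggered crash this commit fixes. A defensive error return in place of the abort (keeping the assert only as a debug-build check) would be a more robust backstop, and a comment such as `/* master_key_length is validated by the caller; == sizeof is the full buffer and is legal */` would explain why `<=` rather than `<` is correct here. ssl2_generate_key_material starts and ends outside the hunk.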

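--- a/ssl/s2_srvr.c
+++ b/ssl/s2_srvr.c
@@ -454,11 +454,6 @@ static int get_client_master_key(SSL *s)
 SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_PRIVATEKEY);
 return (-1);
 }
-i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
-&(p[s->s2->tmp.clear]),
-&(p[s->s2->tmp.clear]),
-(s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING :
-RSA_PKCS1_PADDING);
 
 is_export = SSL_C_IS_EXPORT(s->session->cipher);
 
@@ -475,23 +470,61 @@ static int get_client_master_key(SSL *s)
 } else
 ek = 5;
 
+/*
+* The format of the CLIENT-MASTER-KEY message is
+* 1 byte message type
+* 3 bytes cipher
+* 2-byte clear key length (stored in s->s2->tmp.clear)
+* 2-byte encrypted key length (stored in s->s2->tmp.enc)
+* 2-byte key args length (IV etc)
+* clear key
+* encrypted key
+* key args
+*
+* If the cipher is an export cipher, then the encrypted key bytes
+* are a fixed portion of the total key (5 or 8 bytes). The size of
+* this portion is in |ek|. If the cipher is not an export cipher,
+* then the entire key material is encrypted (i.e., clear key length
+* must be zero).
+*/
+if ((!is_export && s->s2->tmp.clear != 0) ||
+(is_export && s->s2->tmp.clear + ek != EVP_CIPHER_key_length(c))) {
+ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH);
+return -1;
+}
+/*
+* The encrypted blob must decrypt to the encrypted portion of the key.
+* Decryption can't be expanding, so if we don't have enough encrypted
+* bytes to fit the key in the buffer, stop now.
+*/
+if ((is_export && s->s2->tmp.enc < ek) ||
+(!is_export && s->s2->tmp.enc < EVP_CIPHER_key_length(c))) {
+ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT);
+return -1;
+}
+
+i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
+&(p[s->s2->tmp.clear]),
+&(p[s->s2->tmp.clear]),
+(s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING :
+RSA_PKCS1_PADDING);
+
 /* bad decrypt */
 # if 1
 /*
 * If a bad decrypt, continue with protocol but with a random master
 * secret (Bleichenbacher attack)
 */
-if ((i < 0) || ((!is_export && (i != EVP_CIPHER_key_length(c)))
-|| (is_export && ((i != ek)
-|| (s->s2->tmp.clear +
-(unsigned int)i != (unsigned int)
-EVP_CIPHER_key_length(c)))))) {
+if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c))
+|| (is_export && i != ek))) {
 ERR_clear_error();
 if (is_export)
 i = ek;
 else
 i = EVP_CIPHER_key_length(c);
-if (RAND_pseudo_bytes(p, i) <= 0)
+if (RAND_pseudo_bytes(&p[s->s2->tmp.clear], i) <= 0)
 return 0;
 }
 # else
@@ -513,7 +546,7 @@ static int get_client_master_key(SSL *s)
 # endif
 
 if (is_export)
-i += s->s2->tmp.clear;
+i = EVP_CIPHER_key_length(c);
 
 if (i > SSL_MAX_MASTER_KEY_LENGTH) {
 ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);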