
Commit b15f876

committed
ECDH downgrade bug fix.
Fix bug where an OpenSSL client would accept a handshake using an ephemeral ECDH ciphersuite with the server key exchange message omitted. Thanks to Karthikeyan Bhargavan for reporting this issue. CVE-2014-3572 Reviewed-by: Matt Caswell <matt@openssl.org>
1 parent b552648 commit b15f876


2 files changed

+22
-3
lines changed


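--- a/CHANGES
+++ b/CHANGES
@@ -659,6 +659,13 @@
 
 Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]
 
+*) Abort handshake if server key exchange message is omitted for ephemeral
+ECDH ciphersuites.
+
+Thanks to Karthikeyan Bhargavan for reporting this issue.
+(CVE-2014-3572)
+[Steve Henson]
+
 *) Ensure that the session ID context of an SSL is updated when its
 SSL_CTX is updated via SSL_set_SSL_CTX.
 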
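--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1376,6 +1376,8 @@ int ssl3_get_key_exchange(SSL *s)
 int encoded_pt_len = 0;
 #endif
 
+EVP_MD_CTX_init(&md_ctx);
+
 /* use same message size as in ssl3_get_certificate_request()
 * as ServerKeyExchange message may be skipped */
 n=s->method->ssl_get_message(s,
@@ -1386,14 +1388,26 @@ int ssl3_get_key_exchange(SSL *s)
 &ok);
 if (!ok) return((int)n);
 
+alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
+
 if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
 {
+/*
+* Can't skip server key exchange if this is an ephemeral
+* ciphersuite.
+*/
+if (alg_k & (SSL_kDHE|SSL_kECDHE))
+{
+SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
+al = SSL_AD_UNEXPECTED_MESSAGE;
+goto f_err;
+}
 #ifndef OPENSSL_NO_PSK
 /* In plain PSK ciphersuite, ServerKeyExchange can be
 omitted if no identity hint is sent. Set
 session->sess_cert anyway to avoid problems
 later.*/
-if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
+if (alg_k & SSL_kPSK)
 {
 s->session->sess_cert=ssl_sess_cert_new();
 if (s->ctx->psk_identity_hint)
@@ -1438,9 +1452,7 @@ int ssl3_get_key_exchange(SSL *s)
 /* Total length of the parameters including the length prefix */
 param_len=0;
 
-alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
 alg_a=s->s3->tmp.new_cipher->algorithm_auth;
-EVP_MD_CTX_init(&md_ctx);
 
 al=SSL_AD_DECODE_ERROR;
 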