Skip to content

Commit ce325c6

Browse files
committed
Only allow ephemeral RSA keys in export ciphersuites.
OpenSSL clients would tolerate temporary RSA keys in non-export ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which enabled this server side. Remove both options as they are a protocol violation. Thanks to Karthikeyan Bhargavan for reporting this issue. (CVE-2015-0204) Reviewed-by: Matt Caswell <matt@openssl.org>
1 parent b15f876 commit ce325c6

File tree

7 files changed

+38
-57
lines changed

7 files changed

+38
-57
lines changed

Diff for: CHANGES

+8
Original file line numberDiff line numberDiff line change
@@ -666,6 +666,14 @@
666666
(CVE-2014-3572)
667667
[Steve Henson]
668668

669+
*) Remove non-export ephemeral RSA code on client and server. This code
670+
violated the TLS standard by allowing the use of temporary RSA keys in
671+
non-export ciphersuites and could be used by a server to effectively
672+
downgrade the RSA key length used to a value smaller than the server
673+
certificate. Thanks for Karthikeyan Bhargavan for reporting this issue.
674+
(CVE-2015-0204)
675+
[Steve Henson]
676+
669677
*) Ensure that the session ID context of an SSL is updated when its
670678
SSL_CTX is updated via SSL_set_SSL_CTX.
671679

Diff for: doc/ssl/SSL_CTX_set_options.pod

+1-9
Original file line numberDiff line numberDiff line change
@@ -151,15 +151,7 @@ temporary/ephemeral DH parameters are used.
151151

152152
=item SSL_OP_EPHEMERAL_RSA
153153

154-
Always use ephemeral (temporary) RSA key when doing RSA operations
155-
(see L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>).
156-
According to the specifications this is only done, when a RSA key
157-
can only be used for signature operations (namely under export ciphers
158-
with restricted RSA keylength). By setting this option, ephemeral
159-
RSA keys are always used. This option breaks compatibility with the
160-
SSL/TLS specifications and may lead to interoperability problems with
161-
clients and should therefore never be used. Ciphers with DHE (ephemeral
162-
Diffie-Hellman) key exchange should be used instead.
154+
This option is no longer implemented and is treated as no op.
163155

164156
=item SSL_OP_CIPHER_SERVER_PREFERENCE
165157

Diff for: doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod

+8-15
Original file line numberDiff line numberDiff line change
@@ -74,21 +74,14 @@ exchange and use DHE (Ephemeral Diffie-Hellman) key exchange instead
7474
in order to achieve forward secrecy (see
7575
L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
7676

77-
On OpenSSL servers ephemeral RSA key exchange is therefore disabled by default
78-
and must be explicitly enabled using the SSL_OP_EPHEMERAL_RSA option of
79-
L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, violating the TLS/SSL
80-
standard. When ephemeral RSA key exchange is required for export ciphers,
81-
it will automatically be used without this option!
82-
83-
An application may either directly specify the key or can supply the key via
84-
a callback function. The callback approach has the advantage, that the
85-
callback may generate the key only in case it is actually needed. As the
86-
generation of a RSA key is however costly, it will lead to a significant
87-
delay in the handshake procedure. Another advantage of the callback function
88-
is that it can supply keys of different size (e.g. for SSL_OP_EPHEMERAL_RSA
89-
usage) while the explicit setting of the key is only useful for key size of
90-
512 bits to satisfy the export restricted ciphers and does give away key length
91-
if a longer key would be allowed.
77+
An application may either directly specify the key or can supply the key via a
78+
callback function. The callback approach has the advantage, that the callback
79+
may generate the key only in case it is actually needed. As the generation of a
80+
RSA key is however costly, it will lead to a significant delay in the handshake
81+
procedure. Another advantage of the callback function is that it can supply
82+
keys of different size while the explicit setting of the key is only useful for
83+
key size of 512 bits to satisfy the export restricted ciphers and does give
84+
away key length if a longer key would be allowed.
9285

9386
The B<tmp_rsa_callback> is called with the B<keylength> needed and
9487
the B<is_export> information. The B<is_export> flag is set, when the

Diff for: ssl/d1_srvr.c

+6-15
Original file line numberDiff line numberDiff line change
@@ -472,24 +472,15 @@ int dtls1_accept(SSL *s)
472472
case SSL3_ST_SW_KEY_EXCH_B:
473473
alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
474474

475-
/* clear this, it may get reset by
476-
* send_server_key_exchange */
477-
if ((s->options & SSL_OP_EPHEMERAL_RSA)
478-
#ifndef OPENSSL_NO_KRB5
479-
&& !(alg_k & SSL_kKRB5)
480-
#endif /* OPENSSL_NO_KRB5 */
481-
)
482-
/* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
483-
* even when forbidden by protocol specs
484-
* (handshake may fail as clients are not required to
485-
* be able to handle this) */
486-
s->s3->tmp.use_rsa_tmp=1;
487-
else
488-
s->s3->tmp.use_rsa_tmp=0;
475+
/*
476+
* clear this, it may get reset by
477+
* send_server_key_exchange
478+
*/
479+
s->s3->tmp.use_rsa_tmp=0;
489480

490481
/* only send if a DH key exchange or
491482
* RSA but we have a sign only certificate */
492-
if (s->s3->tmp.use_rsa_tmp
483+
if (
493484
/* PSK: send ServerKeyExchange if PSK identity
494485
* hint if provided */
495486
#ifndef OPENSSL_NO_PSK

Diff for: ssl/s3_clnt.c

+7
Original file line numberDiff line numberDiff line change
@@ -1636,6 +1636,13 @@ int ssl3_get_key_exchange(SSL *s)
16361636
#ifndef OPENSSL_NO_RSA
16371637
if (alg_k & SSL_kRSA)
16381638
{
1639+
/* Temporary RSA keys only allowed in export ciphersuites */
1640+
if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher))
1641+
{
1642+
al=SSL_AD_UNEXPECTED_MESSAGE;
1643+
SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNEXPECTED_MESSAGE);
1644+
goto f_err;
1645+
}
16391646
if ((rsa=RSA_new()) == NULL)
16401647
{
16411648
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);

Diff for: ssl/s3_srvr.c

+6-15
Original file line numberDiff line numberDiff line change
@@ -453,20 +453,11 @@ int ssl3_accept(SSL *s)
453453
case SSL3_ST_SW_KEY_EXCH_B:
454454
alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
455455

456-
/* clear this, it may get reset by
457-
* send_server_key_exchange */
458-
if ((s->options & SSL_OP_EPHEMERAL_RSA)
459-
#ifndef OPENSSL_NO_KRB5
460-
&& !(alg_k & SSL_kKRB5)
461-
#endif /* OPENSSL_NO_KRB5 */
462-
)
463-
/* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
464-
* even when forbidden by protocol specs
465-
* (handshake may fail as clients are not required to
466-
* be able to handle this) */
467-
s->s3->tmp.use_rsa_tmp=1;
468-
else
469-
s->s3->tmp.use_rsa_tmp=0;
456+
/*
457+
* clear this, it may get reset by
458+
* send_server_key_exchange
459+
*/
460+
s->s3->tmp.use_rsa_tmp=0;
470461

471462

472463
/* only send if a DH key exchange, fortezza or
@@ -480,7 +471,7 @@ int ssl3_accept(SSL *s)
480471
* server certificate contains the server's
481472
* public key for key exchange.
482473
*/
483-
if (s->s3->tmp.use_rsa_tmp
474+
if (
484475
/* PSK: send ServerKeyExchange if PSK identity
485476
* hint if provided */
486477
#ifndef OPENSSL_NO_PSK

Diff for: ssl/ssl.h

+2-3
Original file line numberDiff line numberDiff line change
@@ -606,9 +606,8 @@ struct ssl_session_st
606606
#define SSL_OP_SINGLE_ECDH_USE 0x00080000L
607607
/* If set, always create a new key when using tmp_dh parameters */
608608
#define SSL_OP_SINGLE_DH_USE 0x00100000L
609-
/* Set to always use the tmp_rsa key when doing RSA operations,
610-
* even when this violates protocol specs */
611-
#define SSL_OP_EPHEMERAL_RSA 0x00200000L
609+
/* Does nothing: retained for compatibiity */
610+
#define SSL_OP_EPHEMERAL_RSA 0x0
612611
/* Set on servers to choose the cipher according to the server's
613612
* preferences */
614613
#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L

0 commit comments

Comments
 (0)