Skip to content

Commit

Permalink
ECDH downgrade bug fix.
Browse files Browse the repository at this point in the history
Fix bug where an OpenSSL client would accept a handshake using an
ephemeral ECDH ciphersuites with the server key exchange message omitted.

Thanks to Karthikeyan Bhargavan for reporting this issue.

CVE-2014-3572
Reviewed-by: Matt Caswell <matt@openssl.org>

(cherry picked from commit b15f876)
  • Loading branch information
snhenson committed Jan 5, 2015
1 parent 2175744 commit ef28c6d
Show file tree
Hide file tree
Showing 2 changed files with 22 additions and 3 deletions.
7 changes: 7 additions & 0 deletions CHANGES
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,13 @@

Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]

*) Abort handshake if server key exchange message is omitted for ephemeral
ECDH ciphersuites.

Thanks to Karthikeyan Bhargavan for reporting this issue.
(CVE-2014-3572)
[Steve Henson]

*) Ensure that the session ID context of an SSL is updated when its
SSL_CTX is updated via SSL_set_SSL_CTX.

Expand Down
18 changes: 15 additions & 3 deletions ssl/s3_clnt.c
Original file line number Diff line number Diff line change
Expand Up @@ -1277,6 +1277,8 @@ int ssl3_get_key_exchange(SSL *s)
int encoded_pt_len = 0;
#endif

EVP_MD_CTX_init(&md_ctx);

/* use same message size as in ssl3_get_certificate_request()
* as ServerKeyExchange message may be skipped */
n=s->method->ssl_get_message(s,
Expand All @@ -1287,14 +1289,26 @@ int ssl3_get_key_exchange(SSL *s)
&ok);
if (!ok) return((int)n);

alg_k=s->s3->tmp.new_cipher->algorithm_mkey;

if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
{
/*
* Can't skip server key exchange if this is an ephemeral
* ciphersuite.
*/
if (alg_k & (SSL_kEDH|SSL_kEECDH))
{
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
al = SSL_AD_UNEXPECTED_MESSAGE;
goto f_err;
}
#ifndef OPENSSL_NO_PSK
/* In plain PSK ciphersuite, ServerKeyExchange can be
omitted if no identity hint is sent. Set
session->sess_cert anyway to avoid problems
later.*/
if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
if (alg_k & SSL_kPSK)
{
s->session->sess_cert=ssl_sess_cert_new();
if (s->ctx->psk_identity_hint)
Expand Down Expand Up @@ -1339,9 +1353,7 @@ int ssl3_get_key_exchange(SSL *s)
/* Total length of the parameters including the length prefix */
param_len=0;

alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
alg_a=s->s3->tmp.new_cipher->algorithm_auth;
EVP_MD_CTX_init(&md_ctx);

al=SSL_AD_DECODE_ERROR;

Expand Down

0 comments on commit ef28c6d

Please sign in to comment.