ECDH downgrade bug fix.
authorDr. Stephen Henson <steve@openssl.org>
Fri, 24 Oct 2014 11:30:33 +0000 (12:30 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Mon, 5 Jan 2015 23:59:04 +0000 (23:59 +0000)
Fix bug where an OpenSSL client would accept a handshake using an
ephemeral ECDH ciphersuite with the server key exchange message omitted.

Thanks to Karthikeyan Bhargavan for reporting this issue.

CVE-2014-3572
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b15f8769644b00ef7283521593360b7b2135cb63)

Conflicts:
CHANGES
ssl/s3_clnt.c

CHANGES
ssl/s3_clnt.c

diff --git a/CHANGES b/CHANGES
index 60a45965d3ed1a4332614f58020c4488b09c5c0b..75da406b620b91d90e3f4a58afa87a52871fe3e7 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,13 @@
 
  Changes between 0.9.8zc and 0.9.8zd [xx XXX xxxx]
 
+  *) Abort handshake if server key exchange message is omitted for ephemeral
+     ECDH ciphersuites.
+
+     Thanks to Karthikeyan Bhargavan for reporting this issue.
+     (CVE-2014-3572)
+     [Steve Henson]
+
   *) Fix various certificate fingerprint issues.
 
      By using non-DER or invalid encodings outside the signed portion of a
index 48289375669391c7777095d400199f061b8a0e97..256fc94e26693229b4ed5e1538b12bb75e82697c 100644 (file)
@@ -1123,8 +1123,21 @@ int ssl3_get_key_exchange(SSL *s)
 
        if (!ok) return((int)n);
 
+       alg=s->s3->tmp.new_cipher->algorithms;
+       EVP_MD_CTX_init(&md_ctx);
+
        if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
                {
+               /*
+                * Can't skip server key exchange if this is an ephemeral
+                * ciphersuite.
+                */
+               if (alg & (SSL_kEDH|SSL_kECDHE))
+                       {
+                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
+                       al = SSL_AD_UNEXPECTED_MESSAGE;
+                       goto f_err;
+                       }
                s->s3->tmp.reuse_message=1;
                return(1);
                }
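Review bot: The hoisting of `alg=...` and `EVP_MD_CTX_init(&md_ctx)` above the message-type check on L45-L46 is only needed because the new `goto f_err` on L58 jumps to a label outside this hunk that presumably falls through to `err:` and calls `EVP_MD_CTX_cleanup(&md_ctx)`; without the early init that cleanup would touch an uninitialised context, but nothing in the hunk says so. Add a comment above L46 such as `/* Initialised here so f_err/err can safely clean up md_ctx on the early-abort path below. */`, and note at L60 that the reuse_message return leaves the (empty) context uncleaned, which is harmless but deliberate. The new comment at L50-L53 would also help a future maintainer more if it named the attack it closes: `/* A missing ServerKeyExchange for an ephemeral suite must be rejected, otherwise the client would silently fall back to the server's static certificate key without a signed key exchange (CVE-2014-3572). */`. The enclosing function ssl3_get_key_exchange starts before and ends after this hunk, so the f_err/err behaviour above is inferred from the goto rather than visible here.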
@@ -1162,8 +1175,6 @@ int ssl3_get_key_exchange(SSL *s)
 
        /* Total length of the parameters including the length prefix */
        param_len=0;
-       alg=s->s3->tmp.new_cipher->algorithms;
-       EVP_MD_CTX_init(&md_ctx);
 
        al=SSL_AD_DECODE_ERROR;
 #ifndef OPENSSL_NO_RSA