From 300b1d76fe27541c662ca606a6a201b2718e0c65 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Mon, 29 Nov 2010 18:32:05 +0000 Subject: [PATCH] apply J-PKAKE fix to HEAD (original by Ben) --- CHANGES | 11 +++++++++-- crypto/jpake/jpake.c | 29 +++++++++++++++++++++++++++++ crypto/jpake/jpake.h | 2 ++ crypto/jpake/jpake_err.c | 4 +++- 4 files changed, 43 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index b8e18dc1e2..6157a1ef0d 100644 --- a/CHANGES +++ b/CHANGES @@ -123,7 +123,7 @@ whose return value is often ignored. [Steve Henson] - Changes between 1.0.0b and 1.0.1 [xx XXX xxxx] + Changes between 1.0.0c and 1.0.1 [xx XXX xxxx] *) Add functions to copy EVP_PKEY_METHOD and retrieve flags and id. [Steve Henson] @@ -162,7 +162,14 @@ Add command line options to s_client/s_server. [Steve Henson] - Changes between 1.0.0a and 1.0.0b [xx XXX xxxx] + Changes between 1.0.0b and 1.0.0c [xx XXX xxxx] + + *) Fixed J-PAKE implementation error, originally discovered by + Sebastien Martini, further info and confirmation from Stefan + Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252 + [Ben Laurie] + + Changes between 1.0.0a and 1.0.0b [16 Nov 2010] *) Fix extension code to avoid race conditions which can result in a buffer overrun vulnerability: resumed sessions must not be modified as they can diff --git a/crypto/jpake/jpake.c b/crypto/jpake/jpake.c index 086d9f47e0..8e4b633ccc 100644 --- a/crypto/jpake/jpake.c +++ b/crypto/jpake/jpake.c @@ -282,8 +282,37 @@ int JPAKE_STEP1_generate(JPAKE_STEP1 *send, JPAKE_CTX *ctx) return 1; } +/* g^x is a legal value */ +static int is_legal(const BIGNUM *gx, const JPAKE_CTX *ctx) + { + BIGNUM *t; + int res; + + if(BN_is_negative(gx) || BN_is_zero(gx) || BN_cmp(gx, ctx->p.p) >= 0) + return 0; + + t = BN_new(); + BN_mod_exp(t, gx, ctx->p.q, ctx->p.p, ctx->ctx); + res = BN_is_one(t); + BN_free(t); + + return res; + } + int JPAKE_STEP1_process(JPAKE_CTX *ctx, const JPAKE_STEP1 *received) { + if(!is_legal(received->p1.gx, ctx)) + { + JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL); + return 0; + } + + if(!is_legal(received->p2.gx, ctx)) + { + JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL); + return 0; + } + /* verify their ZKP(xc) */ if(!verify_zkp(&received->p1, ctx->p.g, ctx)) { diff --git a/crypto/jpake/jpake.h b/crypto/jpake/jpake.h index 693ea188cb..fd143b4d9b 100644 --- a/crypto/jpake/jpake.h +++ b/crypto/jpake/jpake.h @@ -115,6 +115,8 @@ void ERR_load_JPAKE_strings(void); #define JPAKE_F_VERIFY_ZKP 100 /* Reason codes. */ +#define JPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL 108 +#define JPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL 109 #define JPAKE_R_G_TO_THE_X4_IS_ONE 105 #define JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH 106 #define JPAKE_R_HASH_OF_KEY_MISMATCH 107 diff --git a/crypto/jpake/jpake_err.c b/crypto/jpake/jpake_err.c index 1b95067967..a9a9dee75c 100644 --- a/crypto/jpake/jpake_err.c +++ b/crypto/jpake/jpake_err.c @@ -1,6 +1,6 @@ /* crypto/jpake/jpake_err.c */ /* ==================================================================== - * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2010 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -80,6 +80,8 @@ static ERR_STRING_DATA JPAKE_str_functs[]= static ERR_STRING_DATA JPAKE_str_reasons[]= { +{ERR_REASON(JPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL),"g to the x3 is not legal"}, +{ERR_REASON(JPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL),"g to the x4 is not legal"}, {ERR_REASON(JPAKE_R_G_TO_THE_X4_IS_ONE) ,"g to the x4 is one"}, {ERR_REASON(JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH),"hash of hash of key mismatch"}, {ERR_REASON(JPAKE_R_HASH_OF_KEY_MISMATCH),"hash of key mismatch"}, -- 2.25.1