Fix end-point shared secret for DTLS/SCTP (243ff51c) · Commits · CYBER - Cyber Security / TS 103 523 MSP / ETS / ETS OpenSSL

CHANGES

+7 −0

Original line number	Diff line number	Diff line
		@@ -9,6 +9,13 @@

		Changes between 1.1.1a and 1.1.1b [xx XXX xxxx]

		*) Fix a bug in the computation of the endpoint-pair shared secret used
		by DTLS over SCTP. This breaks interoperability with older versions
		of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime
		switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling
		interoperability with such broken implementations. However, enabling
		this switch breaks interoperability with correct implementations.

		*) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
		[Richard Levitte]

apps/s_client.c

+15 −0

Original line number	Diff line number	Diff line
		@@ -596,6 +596,7 @@ typedef enum OPTION_choice {
		#endif
		OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME,
		OPT_ENABLE_PHA,
		OPT_SCTP_LABEL_BUG,
		OPT_R_ENUM
		} OPTION_CHOICE;

		@@ -750,6 +751,7 @@ const OPTIONS s_client_options[] = {
		#endif
		#ifndef OPENSSL_NO_SCTP
		{"sctp", OPT_SCTP, '-', "Use SCTP"},
		{"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"},
		#endif
		#ifndef OPENSSL_NO_SSL_TRACE
		{"trace", OPT_TRACE, '-', "Show trace output of protocol messages"},
		@@ -976,6 +978,9 @@ int s_client_main(int argc, char **argv)
		#endif
		char *psksessf = NULL;
		int enable_pha = 0;
		#ifndef OPENSSL_NO_SCTP
		int sctp_label_bug = 0;
		#endif

		FD_ZERO(&readfds);
		FD_ZERO(&writefds);
		@@ -1321,6 +1326,11 @@ int s_client_main(int argc, char **argv)
		case OPT_SCTP:
		#ifndef OPENSSL_NO_SCTP
		protocol = IPPROTO_SCTP;
		#endif
		break;
		case OPT_SCTP_LABEL_BUG:
		#ifndef OPENSSL_NO_SCTP
		sctp_label_bug = 1;
		#endif
		break;
		case OPT_TIMEOUT:
		@@ -1707,6 +1717,11 @@ int s_client_main(int argc, char **argv)
		}
		}

		#ifndef OPENSSL_NO_SCTP
		if (protocol == IPPROTO_SCTP && sctp_label_bug == 1)
		SSL_CTX_set_mode(ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG);
		#endif

		if (min_version != 0
		&& SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
		goto end;

apps/s_server.c

+16 −1

Original line number	Diff line number	Diff line
		@@ -751,7 +751,7 @@ typedef enum OPTION_choice {
		OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN,
		OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN,
		OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_RECV_MAX_EARLY, OPT_EARLY_DATA,
		OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY,
		OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY, OPT_SCTP_LABEL_BUG,
		OPT_R_ENUM,
		OPT_S_ENUM,
		OPT_V_ENUM,
		@@ -938,6 +938,7 @@ const OPTIONS s_server_options[] = {
		#endif
		#ifndef OPENSSL_NO_SCTP
		{"sctp", OPT_SCTP, '-', "Use SCTP"},
		{"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"},
		#endif
		#ifndef OPENSSL_NO_DH
		{"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"},
		@@ -1047,6 +1048,9 @@ int s_server_main(int argc, char *argv[])
		const char *keylog_file = NULL;
		int max_early_data = -1, recv_max_early_data = -1;
		char *psksessf = NULL;
		#ifndef OPENSSL_NO_SCTP
		int sctp_label_bug = 0;
		#endif

		/* Init of few remaining global variables */
		local_argc = argc;
		@@ -1488,6 +1492,11 @@ int s_server_main(int argc, char *argv[])
		case OPT_SCTP:
		#ifndef OPENSSL_NO_SCTP
		protocol = IPPROTO_SCTP;
		#endif
		break;
		case OPT_SCTP_LABEL_BUG:
		#ifndef OPENSSL_NO_SCTP
		sctp_label_bug = 1;
		#endif
		break;
		case OPT_TIMEOUT:
		@@ -1792,6 +1801,12 @@ int s_server_main(int argc, char *argv[])
		goto end;
		}
		}

		#ifndef OPENSSL_NO_SCTP
		if (protocol == IPPROTO_SCTP && sctp_label_bug == 1)
		SSL_CTX_set_mode(ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG);
		#endif

		if (min_version != 0
		&& SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
		goto end;

doc/man1/s_client.pod

+9 −0

Original line number	Diff line number	Diff line
		@@ -100,6 +100,7 @@ B<openssl> B<s_client>
		[B<-dtls1>]
		[B<-dtls1_2>]
		[B<-sctp>]
		[B<-sctp_label_bug>]
		[B<-fallback_scsv>]
		[B<-async>]
		[B<-max_send_frag>]
		@@ -489,6 +490,14 @@ Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
		conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only
		available where OpenSSL has support for SCTP enabled.

		=item B<-sctp_label_bug>

		Use the incorrect behaviour of older OpenSSL implementations when computing
		endpoint-pair shared secrets for DTLS/SCTP. This allows communication with
		older broken implementations but breaks interoperability with correct
		implementations. Must be used in conjunction with B<-sctp>. This option is only
		available where OpenSSL has support for SCTP enabled.

		=item B<-fallback_scsv>

		Send TLS_FALLBACK_SCSV in the ClientHello.

doc/man1/s_server.pod

+9 −0

Original line number	Diff line number	Diff line
		@@ -173,6 +173,7 @@ B<openssl> B<s_server>
		[B<-dtls1>]
		[B<-dtls1_2>]
		[B<-sctp>]
		[B<-sctp_label_bug>]
		[B<-no_dhe>]
		[B<-nextprotoneg val>]
		[B<-use_srtp val>]
		@@ -685,6 +686,14 @@ Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
		conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only
		available where OpenSSL has support for SCTP enabled.

		=item B<-sctp_label_bug>

		Use the incorrect behaviour of older OpenSSL implementations when computing
		endpoint-pair shared secrets for DTLS/SCTP. This allows communication with
		older broken implementations but breaks interoperability with correct
		implementations. Must be used in conjunction with B<-sctp>. This option is only
		available where OpenSSL has support for SCTP enabled.

		=item B<-no_dhe>

		If this option is set then no DH parameters will be loaded effectively

Admin message