Commit 34628967 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

Fix DTLS retransmission from previous session. 

For DTLS we might need to retransmit messages from the previous session
so keep a copy of write context in DTLS retransmission buffers instead
of replacing it after sending CCS. CVE-2013-6450.
parent a6c62f0c

CHANGES

+5 −0
Original line number Diff line number Diff line
@@ -4,6 +4,11 @@ 


 Changes between 1.0.1e and 1.0.1f [xx XXX xxxx]



  *) Keep original DTLS digest and encryption contexts in retransmission

     structures so we can use the previous session parameters if they need

     to be resent. (CVE-2013-6450)

     [Steve Henson]



  *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which

     avoids preferring ECDHE-ECDSA ciphers when the client appears to be

     Safari on OS X.  Safari on OS X 10.8..10.8.3 advertises support for

ssl/d1_both.c

+6 −0
Original line number Diff line number Diff line
@@ -214,6 +214,12 @@ dtls1_hm_fragment_new(unsigned long frag_len, int reassembly) 
static void

dtls1_hm_fragment_free(hm_fragment *frag)

	{



	if (frag->msg_header.is_ccs)

		{

		EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx);

		EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash);

		}

	if (frag->fragment) OPENSSL_free(frag->fragment);

	if (frag->reassembly) OPENSSL_free(frag->reassembly);

	OPENSSL_free(frag);

ssl/ssl_locl.h

+2 −0
Original line number Diff line number Diff line
@@ -621,6 +621,8 @@ extern SSL3_ENC_METHOD TLSv1_enc_data; 
extern SSL3_ENC_METHOD SSLv3_enc_data;

extern SSL3_ENC_METHOD DTLSv1_enc_data;



#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION)



#define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \

				s_get_meth) \

const SSL_METHOD *func_name(void)  \

ssl/t1_enc.c

+11 −6
Original line number Diff line number Diff line
@@ -414,14 +414,19 @@ int tls1_change_cipher_state(SSL *s, int which) 
			s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;

			else

			s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;

		if (s->enc_write_ctx != NULL)

		if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s))

			reuse_dd = 1;

		else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)

		else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL)

			goto err;

		else

			/* make sure it's intialized in case we exit later with an error */

			EVP_CIPHER_CTX_init(s->enc_write_ctx);

		dd= s->enc_write_ctx;

		if (SSL_IS_DTLS(s))

			{

			mac_ctx = EVP_MD_CTX_create();

			if (!mac_ctx)

				goto err;

			s->write_hash = mac_ctx;

			}

		else

			mac_ctx = ssl_replace_hash(&s->write_hash,NULL);

#ifndef OPENSSL_NO_COMP

		if (s->compress != NULL)