Commit e42a2aba authored by Dr. Stephen Henson

ECDH downgrade bug fix.

Fix bug where an OpenSSL client would accept a handshake using an
ephemeral ECDH ciphersuite with the server key exchange message omitted.

Thanks to Karthikeyan Bhargavan for reporting this issue.

CVE-2014-3572
Reviewed-by: Matt Caswell <matt@openssl.org>

(cherry picked from commit b15f8769)

Conflicts:
	CHANGES
	ssl/s3_clnt.c
parent ec2fede9
CHANGES  +7 −0
@@ -4,6 +4,13 @@

 Changes between 0.9.8zc and 0.9.8zd [xx XXX xxxx]

  *) Abort handshake if server key exchange message is omitted for ephemeral
     ECDH ciphersuites.

     Thanks to Karthikeyan Bhargavan for reporting this issue.
     (CVE-2014-3572)
     [Steve Henson]

  *) Fix various certificate fingerprint issues.

     By using non-DER or invalid encodings outside the signed portion of a
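Review bot: the CHANGES entry names only "ephemeral ECDH ciphersuites", but the check added to ssl3_get_key_exchange in ssl/s3_clnt.c aborts on a missing ServerKeyExchange for `SSL_kEDH` as well as `SSL_kECDHE`, so the entry understates what the fix covers; consider "Abort handshake if server key exchange message is omitted for ephemeral DH or ECDH ciphersuites" so the release notes match the code. The `[xx XXX xxxx]` date placeholder is as expected for an unreleased 0.9.8zd.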
ssl/s3_clnt.c  +13 −2
@@ -1123,8 +1123,21 @@ int ssl3_get_key_exchange(SSL *s)

	if (!ok) return((int)n);

	alg=s->s3->tmp.new_cipher->algorithms;
	EVP_MD_CTX_init(&md_ctx);

	if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
		{
		/*
		 * Can't skip server key exchange if this is an ephemeral
		 * ciphersuite.
		 */
		if (alg & (SSL_kEDH|SSL_kECDHE))
			{
			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
			al = SSL_AD_UNEXPECTED_MESSAGE;
			goto f_err;
			}
		s->s3->tmp.reuse_message=1;
		return(1);
		}
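Review bot: `EVP_MD_CTX_init(&md_ctx)` is now executed before the non-ephemeral early `return(1)`, and that path does not call EVP_MD_CTX_cleanup; this is harmless today because EVP_MD_CTX_init only zeroes the context, but a cleanup (or moving the init back below the early return and keeping only the `alg=` assignment above it) would keep init/cleanup paired. Moving `alg=s->s3->tmp.new_cipher->algorithms;` above the message-type test is required for the new `alg & (SSL_kEDH|SSL_kECDHE)` check, and setting `al = SSL_AD_UNEXPECTED_MESSAGE` before `goto f_err` is correct here because the function's default `al=SSL_AD_DECODE_ERROR` assignment only comes later.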
@@ -1162,8 +1175,6 @@ int ssl3_get_key_exchange(SSL *s)

	/* Total length of the parameters including the length prefix */
	param_len=0;
	alg=s->s3->tmp.new_cipher->algorithms;
	EVP_MD_CTX_init(&md_ctx);

	al=SSL_AD_DECODE_ERROR;
#ifndef OPENSSL_NO_RSA
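Review bot: the two removed lines are the original copies of the `alg=` assignment and `EVP_MD_CTX_init(&md_ctx)` that the previous hunk moved above the message-type check, so the remainder of the function sees the same state as before; the one thing to confirm is that no code between the new location and this point can `goto f_err` without first setting `al`, since `al=SSL_AD_DECODE_ERROR;` is still only assigned here.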