From ef28c6d6767a6a30df5add36171894c96628fe98 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Fri, 24 Oct 2014 12:30:33 +0100
Subject: [PATCH] ECDH downgrade bug fix.
Fix bug where an OpenSSL client would accept a handshake using an
ephemeral ECDH ciphersuite with the server key exchange message omitted.
Thanks to Karthikeyan Bhargavan for reporting this issue.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b15f8769644b00ef7283521593360b7b2135cb63)
ssl/s3_clnt.c | 18 +++++++++++++++---
2 files changed, 22 insertions(+), 3 deletions(-)
Index: openssl-1.0.1f/ssl/s3_clnt.c
23
===================================================================
24
--- openssl-1.0.1f.orig/ssl/s3_clnt.c 2015-01-09 07:56:21.527753974 -0500
25
+++ openssl-1.0.1f/ssl/s3_clnt.c 2015-01-09 07:59:51.177173529 -0500
27
int encoded_pt_len = 0;
30
+ EVP_MD_CTX_init(&md_ctx);
32
/* use same message size as in ssl3_get_certificate_request()
33
* as ServerKeyExchange message may be skipped */
34
n=s->method->ssl_get_message(s,
35
@@ -1305,14 +1307,26 @@
37
if (!ok) return((int)n);
39
+ alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
41
if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
44
+ * Can't skip server key exchange if this is an ephemeral
47
+ if (alg_k & (SSL_kEDH|SSL_kEECDH))
49
+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
50
+ al = SSL_AD_UNEXPECTED_MESSAGE;
53
#ifndef OPENSSL_NO_PSK
54
/* In plain PSK ciphersuite, ServerKeyExchange can be
55
omitted if no identity hint is sent. Set
56
session->sess_cert anyway to avoid problems
58
- if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
59
+ if (alg_k & SSL_kPSK)
61
s->session->sess_cert=ssl_sess_cert_new();
62
if (s->ctx->psk_identity_hint)
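Review bot: The new comment beginning `Can't skip server key exchange if this is an ephemeral` states the rule but not the failure it prevents, which is the whole point of this hunk; I would extend it to `Can't skip server key exchange if this is an ephemeral ciphersuite: without the server's ephemeral parameters the client would otherwise continue the handshake against the certificate key alone, silently losing the negotiated key-exchange properties.` The mask `(SSL_kEDH|SSL_kEECDH)` also covers ephemeral finite-field DH, so the comment should say "ephemeral DH or ECDH" rather than implying ECDH only, as the commit subject does. The exit after `al = SSL_AD_UNEXPECTED_MESSAGE;` is not visible in this excerpt, so I cannot confirm from the page that the branch leaves the function with a fatal alert rather than falling into the PSK block that follows; please verify. Whether SRP key exchange (SSL_kSRP), whose parameters also arrive in ServerKeyExchange, needs the same guard is worth confirming as a follow-up. The enclosing function (ssl3_get_key_exchange, judging by the SSLerr function code) starts and ends outside the hunk.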
67
- alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
68
alg_a=s->s3->tmp.new_cipher->algorithm_auth;
69
- EVP_MD_CTX_init(&md_ctx);
71
#ifndef OPENSSL_NO_PSK