| 1 |
vip-ire |
1.1 |
diff -up openssl-fips-0.9.8e/ssl/s2_lib.c.ssl2-assert openssl-fips-0.9.8e/ssl/s2_lib.c |
| 2 |
|
|
--- openssl-fips-0.9.8e/ssl/s2_lib.c.ssl2-assert 2015-04-01 12:41:28.023403066 +0200 |
| 3 |
|
|
+++ openssl-fips-0.9.8e/ssl/s2_lib.c 2015-04-02 15:29:37.468346462 +0200 |
| 4 |
|
|
@@ -410,7 +410,7 @@ int ssl2_generate_key_material(SSL *s) |
| 5 |
|
|
|
| 6 |
|
|
OPENSSL_assert(s->session->master_key_length >= 0 |
| 7 |
|
|
&& s->session->master_key_length |
| 8 |
|
|
- < (int)sizeof(s->session->master_key)); |
| 9 |
|
|
+ <= (int)sizeof(s->session->master_key)); |
| 10 |
|
|
EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length); |
| 11 |
|
|
EVP_DigestUpdate(&ctx,&c,1); |
| 12 |
|
|
c++; |
| 13 |
|
|
diff -up openssl-fips-0.9.8e/ssl/s2_srvr.c.ssl2-assert openssl-fips-0.9.8e/ssl/s2_srvr.c |
| 14 |
|
|
--- openssl-fips-0.9.8e/ssl/s2_srvr.c.ssl2-assert 2015-04-01 12:41:27.950401420 +0200 |
| 15 |
|
|
+++ openssl-fips-0.9.8e/ssl/s2_srvr.c 2015-04-02 15:33:51.109049368 +0200 |
| 16 |
|
|
@@ -363,7 +363,8 @@ end: |
| 17 |
|
|
|
| 18 |
|
|
static int get_client_master_key(SSL *s) |
| 19 |
|
|
{ |
| 20 |
|
|
- int is_export,i,n,keya,ek; |
| 21 |
|
|
+ int is_export,i,n,keya; |
| 22 |
|
|
+ unsigned int ek; |
| 23 |
|
|
unsigned long len; |
| 24 |
|
|
unsigned char *p; |
| 25 |
|
|
SSL_CIPHER *cp; |
| 26 |
|
|
@@ -445,9 +446,6 @@ static int get_client_master_key(SSL *s) |
| 27 |
|
|
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY); |
| 28 |
|
|
return(-1); |
| 29 |
|
|
} |
| 30 |
|
|
- i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc, |
| 31 |
|
|
- &(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]), |
| 32 |
|
|
- (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING); |
| 33 |
|
|
|
| 34 |
|
|
is_export=SSL_C_IS_EXPORT(s->session->cipher); |
| 35 |
|
|
|
| 36 |
|
|
@@ -466,21 +464,61 @@ static int get_client_master_key(SSL *s) |
| 37 |
|
|
else |
| 38 |
|
|
ek=5; |
| 39 |
|
|
|
| 40 |
|
|
+ /* |
| 41 |
|
|
+ * The format of the CLIENT-MASTER-KEY message is |
| 42 |
|
|
+ * 1 byte message type |
| 43 |
|
|
+ * 3 bytes cipher |
| 44 |
|
|
+ * 2-byte clear key length (stored in s->s2->tmp.clear) |
| 45 |
|
|
+ * 2-byte encrypted key length (stored in s->s2->tmp.enc) |
| 46 |
|
|
+ * 2-byte key args length (IV etc) |
| 47 |
|
|
+ * clear key |
| 48 |
|
|
+ * encrypted key |
| 49 |
|
|
+ * key args |
| 50 |
|
|
+ * |
| 51 |
|
|
+ * If the cipher is an export cipher, then the encrypted key bytes |
| 52 |
|
|
+ * are a fixed portion of the total key (5 or 8 bytes). The size of |
| 53 |
|
|
+ * this portion is in |ek|. If the cipher is not an export cipher, |
| 54 |
|
|
+ * then the entire key material is encrypted (i.e., clear key length |
| 55 |
|
|
+ * must be zero). |
| 56 |
|
|
+ */ |
| 57 |
|
|
+ if ((!is_export && s->s2->tmp.clear != 0) || |
| 58 |
|
|
+ (is_export && s->s2->tmp.clear + ek != (unsigned int)EVP_CIPHER_key_length(c))) |
| 59 |
|
|
+ { |
| 60 |
|
|
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); |
| 61 |
|
|
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH); |
| 62 |
|
|
+ return -1; |
| 63 |
|
|
+ } |
| 64 |
|
|
+ /* |
| 65 |
|
|
+ * The encrypted blob must decrypt to the encrypted portion of the key. |
| 66 |
|
|
+ * Decryption can't be expanding, so if we don't have enough encrypted |
| 67 |
|
|
+ * bytes to fit the key in the buffer, stop now. |
| 68 |
|
|
+ */ |
| 69 |
|
|
+ if ((is_export && s->s2->tmp.enc < ek) || |
| 70 |
|
|
+ (!is_export && s->s2->tmp.enc < (unsigned int)EVP_CIPHER_key_length(c))) |
| 71 |
|
|
+ { |
| 72 |
|
|
+ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); |
| 73 |
|
|
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT); |
| 74 |
|
|
+ return -1; |
| 75 |
|
|
+ } |
| 76 |
|
|
+ |
| 77 |
|
|
+ i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc, |
| 78 |
|
|
+ &(p[s->s2->tmp.clear]), |
| 79 |
|
|
+ &(p[s->s2->tmp.clear]), |
| 80 |
|
|
+ (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING : RSA_PKCS1_PADDING); |
| 81 |
|
|
+ |
| 82 |
|
|
/* bad decrypt */ |
| 83 |
|
|
#if 1 |
| 84 |
|
|
/* If a bad decrypt, continue with protocol but with a |
| 85 |
|
|
* random master secret (Bleichenbacher attack) */ |
| 86 |
|
|
- if ((i < 0) || |
| 87 |
|
|
- ((!is_export && (i != EVP_CIPHER_key_length(c))) |
| 88 |
|
|
- || (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i != |
| 89 |
|
|
- (unsigned int)EVP_CIPHER_key_length(c)))))) |
| 90 |
|
|
+ if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c)) |
| 91 |
|
|
+ || (is_export && i != (int)ek))) |
| 92 |
|
|
{ |
| 93 |
|
|
ERR_clear_error(); |
| 94 |
|
|
if (is_export) |
| 95 |
|
|
i=ek; |
| 96 |
|
|
else |
| 97 |
|
|
i=EVP_CIPHER_key_length(c); |
| 98 |
|
|
- if (RAND_pseudo_bytes(p,i) <= 0) |
| 99 |
|
|
+ if (RAND_pseudo_bytes(&p[s->s2->tmp.clear],i) <= 0) |
| 100 |
|
|
return 0; |
| 101 |
|
|
} |
| 102 |
|
|
#else |
| 103 |
|
|
@@ -504,7 +542,8 @@ static int get_client_master_key(SSL *s) |
| 104 |
|
|
} |
| 105 |
|
|
#endif |
| 106 |
|
|
|
| 107 |
|
|
- if (is_export) i+=s->s2->tmp.clear; |
| 108 |
|
|
+ if (is_export) |
| 109 |
|
|
+ i = EVP_CIPHER_key_length(c); |
| 110 |
|
|
|
| 111 |
|
|
if (i > SSL_MAX_MASTER_KEY_LENGTH) |
| 112 |
|
|
{ |
Parent Directory
| 
Revision Log
| 
Revision Graph
