提交 4aecfd4d 编写于 作者: A Adam Langley 提交者: Emilia Kasper

Premaster secret handling fixes

From BoringSSL
- Send an alert when the client key exchange isn't correctly formatted.
- Reject overly short RSA ciphertexts to avoid a (benign) out-of-bounds memory access.
Reviewed-by: NKurt Roeckx <kurt@openssl.org>
上级 57dc72e0
...@@ -2276,6 +2276,7 @@ int ssl3_get_client_key_exchange(SSL *s) ...@@ -2276,6 +2276,7 @@ int ssl3_get_client_key_exchange(SSL *s)
unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH]; unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
int decrypt_len; int decrypt_len;
unsigned char decrypt_good, version_good; unsigned char decrypt_good, version_good;
size_t j;
/* FIX THIS UP EAY EAY EAY EAY */ /* FIX THIS UP EAY EAY EAY EAY */
if (s->s3->tmp.use_rsa_tmp) if (s->s3->tmp.use_rsa_tmp)
...@@ -2314,8 +2315,9 @@ int ssl3_get_client_key_exchange(SSL *s) ...@@ -2314,8 +2315,9 @@ int ssl3_get_client_key_exchange(SSL *s)
{ {
if (!(s->options & SSL_OP_TLS_D5_BUG)) if (!(s->options & SSL_OP_TLS_D5_BUG))
{ {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
goto err; goto f_err;
} }
else else
p-=2; p-=2;
...@@ -2324,6 +2326,20 @@ int ssl3_get_client_key_exchange(SSL *s) ...@@ -2324,6 +2326,20 @@ int ssl3_get_client_key_exchange(SSL *s)
n=i; n=i;
} }
/*
* Reject overly short RSA ciphertext because we want to be sure
* that the buffer size makes it safe to iterate over the entire
* size of a premaster secret (SSL_MAX_MASTER_KEY_LENGTH). The
* actual expected size is larger due to RSA padding, but the
* bound is sufficient to be safe.
*/
if (n < SSL_MAX_MASTER_KEY_LENGTH)
{
al = SSL_AD_DECRYPT_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
goto f_err;
}
/* We must not leak whether a decryption failure occurs because /* We must not leak whether a decryption failure occurs because
* of Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see * of Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see
* RFC 2246, section 7.4.7.1). The code follows that advice of * RFC 2246, section 7.4.7.1). The code follows that advice of
...@@ -2371,19 +2387,23 @@ int ssl3_get_client_key_exchange(SSL *s) ...@@ -2371,19 +2387,23 @@ int ssl3_get_client_key_exchange(SSL *s)
* to remain non-zero (0xff). */ * to remain non-zero (0xff). */
decrypt_good &= version_good; decrypt_good &= version_good;
/* Now copy rand_premaster_secret over p using /*
* decrypt_good_mask. */ * Now copy rand_premaster_secret over from p using
for (i = 0; i < (int) sizeof(rand_premaster_secret); i++) * decrypt_good_mask. If decryption failed, then p does not
* contain valid plaintext, however, a check above guarantees
* it is still sufficiently large to read from.
*/
for (j = 0; j < sizeof(rand_premaster_secret); j++)
{ {
p[i] = constant_time_select_8(decrypt_good, p[i], p[j] = constant_time_select_8(decrypt_good, p[j],
rand_premaster_secret[i]); rand_premaster_secret[j]);
} }
s->session->master_key_length= s->session->master_key_length=
s->method->ssl3_enc->generate_master_secret(s, s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key, s->session->master_key,
p,i); p,sizeof(rand_premaster_secret));
OPENSSL_cleanse(p,i); OPENSSL_cleanse(p,sizeof(rand_premaster_secret));
} }
else else
#endif #endif
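Review bot: The new `if (n < SSL_MAX_MASTER_KEY_LENGTH)` check in the third hunk rejects with its own alert, SSL_AD_DECRYPT_ERROR, right before code that is deliberately written to be constant-time against Bleichenbacher's attack, and the comment does not say why an early, distinguishable rejection is acceptable here. It is acceptable because `n` is the length of the ciphertext carried in the ClientKeyExchange message, which the peer chose and can observe, so branching on it reveals nothing about the decrypted plaintext; I would add to the comment: `* The ciphertext length is public (it is sent in the clear), so rejecting on it is not a padding oracle.` The check bounds `n`, the ciphertext length, while the loop in the last hunk reads `p` after decryption, so the safety argument depends on the decryption writing its output in place into the same buffer with no more than `n` bytes — the decrypt call is outside these hunks, so that should be confirmed and ideally stated in the comment as well. ssl3_get_client_key_exchange begins and ends outside the hunks shown.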