diff options
| author | Adam Langley <agl@google.com> | 2015-02-26 11:07:37 -0800 |
|---|---|---|
| committer | Adam Langley <agl@google.com> | 2015-02-26 21:35:29 +0000 |
| commit | 3fbc298104c150ed18f10eed2d2e66633f05ee98 (patch) | |
| tree | c1d8161d2b3346ab0b98e506615d7f7c14d58218 /ssl | |
| parent | 54e455157a6e1899eb6fef9440d2410cb7fedeff (diff) | |
| download | src-3fbc298104c150ed18f10eed2d2e66633f05ee98.tar.gz | |
Only allow ephemeral RSA keys in export ciphersuites.
OpenSSL clients would tolerate temporary RSA keys in non-export ciphersuites.
It also had an option SSL_OP_EPHEMERAL_RSA which enabled this server side.
Remove both options as they are a protocol violation.
Thanks to Karthikeyan Bhargavan for reporting this issue. (CVE-2015-0204)
(This is a backport of upstream's
37580f43b5a39f5f4e920d17273fab9713d3a744 to the M40 branch. In BoringSSL
master we fixed this with
https://boringssl.googlesource.com/boringssl/+/525a0fe315282ca1840f8f9f170c8a26ce5fab2a,
but that's a larger patch than we really want to be backporting.)
Change-Id: Ibfb0c46648bbecffb9d3b1a4ebdf10a5a79523b3
Reviewed-on: https://boringssl-review.googlesource.com/3640
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/s3_clnt.c | 50 |
1 files changed, 1 insertions, 49 deletions
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 64bccfa..0c37f76 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -1293,55 +1293,7 @@ int ssl3_get_server_key_exchange(SSL *s) } } - if (alg_k & SSL_kRSA) - { - CBS rsa_modulus, rsa_exponent; - - /* TODO(davidben): This was originally for export - * reasons. Do we still need to support it? */ - - if (!CBS_get_u16_length_prefixed(&server_key_exchange, &rsa_modulus) || - CBS_len(&rsa_modulus) == 0 || - !CBS_get_u16_length_prefixed(&server_key_exchange, &rsa_exponent) || - CBS_len(&rsa_exponent) == 0) - { - al = SSL_AD_DECODE_ERROR; - OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_DECODE_ERROR); - goto f_err; - } - - if ((rsa=RSA_new()) == NULL) - { - OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_MALLOC_FAILURE); - goto err; - } - - if (!(rsa->n = BN_bin2bn(CBS_data(&rsa_modulus), - CBS_len(&rsa_modulus), rsa->n))) - { - OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_BN_LIB); - goto err; - } - - if (!(rsa->e = BN_bin2bn(CBS_data(&rsa_exponent), - CBS_len(&rsa_exponent), rsa->e))) - { - OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_BN_LIB); - goto err; - } - - /* this should be because we are using an export cipher */ - if (alg_a & SSL_aRSA) - pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); - else - { - OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_INTERNAL_ERROR); - goto err; - } - s->session->sess_cert->peer_rsa_tmp=rsa; - rsa=NULL; - } - else if (alg_k & SSL_kEDH) + if (alg_k & SSL_kEDH) { CBS dh_p, dh_g, dh_Ys; |