File openssl-CVE-2015-0204.patch of Package compat-openssl098.11471
commit 72f181539118828ca966a0f8d03f6428e2bcf0d6
Author: Dr. Stephen Henson <steve@openssl.org>
Date: Thu Oct 23 17:09:57 2014 +0100
Only allow ephemeral RSA keys in export ciphersuites.
OpenSSL clients would tolerate temporary RSA keys in non-export
ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which
enabled this server side. Remove both options as they are a
protocol violation.
Thanks to Karthikeyan Bhargavan for reporting this issue.
(CVE-2015-0204)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 4b4c1fcc88aec8c9e001b0a0077d3cd4de1ed0e6)
Conflicts:
CHANGES
doc/ssl/SSL_CTX_set_options.pod
ssl/d1_srvr.c
ssl/s3_srvr.c
Index: openssl-0.9.8j/doc/ssl/SSL_CTX_set_options.pod
===================================================================
--- openssl-0.9.8j.orig/doc/ssl/SSL_CTX_set_options.pod 2015-01-08 14:27:11.716850632 +0100
+++ openssl-0.9.8j/doc/ssl/SSL_CTX_set_options.pod 2015-01-08 14:27:13.896877214 +0100
@@ -151,15 +151,7 @@ temporary/ephemeral DH parameters are us
=item SSL_OP_EPHEMERAL_RSA
-Always use ephemeral (temporary) RSA key when doing RSA operations
-(see L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>).
-According to the specifications this is only done, when a RSA key
-can only be used for signature operations (namely under export ciphers
-with restricted RSA keylength). By setting this option, ephemeral
-RSA keys are always used. This option breaks compatibility with the
-SSL/TLS specifications and may lead to interoperability problems with
-clients and should therefore never be used. Ciphers with EDH (ephemeral
-Diffie-Hellman) key exchange should be used instead.
+This option is no longer implemented and is treated as no op.
=item SSL_OP_CIPHER_SERVER_PREFERENCE
Index: openssl-0.9.8j/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
===================================================================
--- openssl-0.9.8j.orig/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod 2015-01-08 14:27:11.716850632 +0100
+++ openssl-0.9.8j/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod 2015-01-08 14:27:13.896877214 +0100
@@ -74,21 +74,14 @@ exchange and use EDH (Ephemeral Diffie-H
in order to achieve forward secrecy (see
L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
-On OpenSSL servers ephemeral RSA key exchange is therefore disabled by default
-and must be explicitly enabled using the SSL_OP_EPHEMERAL_RSA option of
-L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, violating the TLS/SSL
-standard. When ephemeral RSA key exchange is required for export ciphers,
-it will automatically be used without this option!
-
-An application may either directly specify the key or can supply the key via
-a callback function. The callback approach has the advantage, that the
-callback may generate the key only in case it is actually needed. As the
-generation of a RSA key is however costly, it will lead to a significant
-delay in the handshake procedure. Another advantage of the callback function
-is that it can supply keys of different size (e.g. for SSL_OP_EPHEMERAL_RSA
-usage) while the explicit setting of the key is only useful for key size of
-512 bits to satisfy the export restricted ciphers and does give away key length
-if a longer key would be allowed.
+An application may either directly specify the key or can supply the key via a
+callback function. The callback approach has the advantage, that the callback
+may generate the key only in case it is actually needed. As the generation of a
+RSA key is however costly, it will lead to a significant delay in the handshake
+procedure. Another advantage of the callback function is that it can supply
+keys of different size while the explicit setting of the key is only useful for
+key size of 512 bits to satisfy the export restricted ciphers and does give
+away key length if a longer key would be allowed.
The B<tmp_rsa_callback> is called with the B<keylength> needed and
the B<is_export> information. The B<is_export> flag is set, when the
Index: openssl-0.9.8j/ssl/d1_srvr.c
===================================================================
--- openssl-0.9.8j.orig/ssl/d1_srvr.c 2015-01-08 14:27:11.716850632 +0100
+++ openssl-0.9.8j/ssl/d1_srvr.c 2015-01-08 14:27:13.896877214 +0100
@@ -347,23 +347,11 @@ int dtls1_accept(SSL *s)
/* clear this, it may get reset by
* send_server_key_exchange */
- if ((s->options & SSL_OP_EPHEMERAL_RSA)
-#ifndef OPENSSL_NO_KRB5
- && !(l & SSL_KRB5)
-#endif /* OPENSSL_NO_KRB5 */
- )
- /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
- * even when forbidden by protocol specs
- * (handshake may fail as clients are not required to
- * be able to handle this) */
- s->s3->tmp.use_rsa_tmp=1;
- else
- s->s3->tmp.use_rsa_tmp=0;
+ s->s3->tmp.use_rsa_tmp=0;
/* only send if a DH key exchange, fortezza or
* RSA but we have a sign only certificate */
- if (s->s3->tmp.use_rsa_tmp
- || (l & (SSL_DH|SSL_kFZA))
+ if ((l & (SSL_DH|SSL_kFZA))
|| ((l & SSL_kRSA)
&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
|| (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
Index: openssl-0.9.8j/ssl/s3_clnt.c
===================================================================
--- openssl-0.9.8j.orig/ssl/s3_clnt.c 2015-01-08 14:27:11.717850644 +0100
+++ openssl-0.9.8j/ssl/s3_clnt.c 2015-01-08 14:27:13.897877226 +0100
@@ -1164,6 +1164,13 @@ int ssl3_get_key_exchange(SSL *s)
#ifndef OPENSSL_NO_RSA
if (alg & SSL_kRSA)
{
+ /* Temporary RSA keys only allowed in export ciphersuites */
+ if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher))
+ {
+ al=SSL_AD_UNEXPECTED_MESSAGE;
+ SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNEXPECTED_MESSAGE);
+ goto f_err;
+ }
if ((rsa=RSA_new()) == NULL)
{
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
Index: openssl-0.9.8j/ssl/s3_srvr.c
===================================================================
--- openssl-0.9.8j.orig/ssl/s3_srvr.c 2015-01-08 14:27:11.718850656 +0100
+++ openssl-0.9.8j/ssl/s3_srvr.c 2015-01-08 14:27:13.897877226 +0100
@@ -355,18 +355,7 @@ int ssl3_accept(SSL *s)
/* clear this, it may get reset by
* send_server_key_exchange */
- if ((s->options & SSL_OP_EPHEMERAL_RSA)
-#ifndef OPENSSL_NO_KRB5
- && !(l & SSL_KRB5)
-#endif /* OPENSSL_NO_KRB5 */
- )
- /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
- * even when forbidden by protocol specs
- * (handshake may fail as clients are not required to
- * be able to handle this) */
- s->s3->tmp.use_rsa_tmp=1;
- else
- s->s3->tmp.use_rsa_tmp=0;
+ s->s3->tmp.use_rsa_tmp=0;
/* only send if a DH key exchange, fortezza or
@@ -378,8 +367,7 @@ int ssl3_accept(SSL *s)
* server certificate contains the server's
* public key for key exchange.
*/
- if (s->s3->tmp.use_rsa_tmp
- || (l & SSL_kECDHE)
+ if ((l & SSL_kECDHE)
|| (l & (SSL_DH|SSL_kFZA))
|| ((l & SSL_kRSA)
&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
Index: openssl-0.9.8j/ssl/ssl.h
===================================================================
--- openssl-0.9.8j.orig/ssl/ssl.h 2015-01-08 14:27:11.718850656 +0100
+++ openssl-0.9.8j/ssl/ssl.h 2015-01-08 14:27:13.898877238 +0100
@@ -524,9 +524,8 @@ typedef struct ssl_session_st
#define SSL_OP_SINGLE_ECDH_USE 0x00080000L
/* If set, always create a new key when using tmp_dh parameters */
#define SSL_OP_SINGLE_DH_USE 0x00100000L
-/* Set to always use the tmp_rsa key when doing RSA operations,
- * even when this violates protocol specs */
-#define SSL_OP_EPHEMERAL_RSA 0x00200000L
+/* Does nothing: retained for compatibiity */
+#define SSL_OP_EPHEMERAL_RSA 0x0
/* Set on servers to choose the cipher according to the server's
* preferences */
#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
