check EC tmp key matches preferences

(backport from HEAD)
openssl · Dec 26, 2012 · 44adfeb · 44adfeb
1 parent 5ff2ef7
commit 44adfeb
Show file tree

Hide file tree

Showing 6 changed files with 37 additions and 3 deletions.
diff --git a/CHANGES b/CHANGES
@@ -8,6 +8,9 @@
      OID NID.
      [Steve Henson]
 
+  *) If server EC tmp key is not in client preference list abort handshake.
+     [Steve Henson]
+
   *) Add support for certificate stores in CERT structure. This makes it
      possible to have different stores per SSL structure or one store in
      the parent SSL_CTX. Include distint stores for certificate chain

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
@@ -1648,9 +1648,17 @@ int ssl3_get_key_exchange(SSL *s)
 		 * and the ECParameters in this case is just three bytes.
 		 */
 		param_len=3;
-		if ((param_len > n) ||
-		    (*p != NAMED_CURVE_TYPE) || 
-		    ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0)) 
+		/* Check curve is one of our prefrences, if not server has
+		 * sent an invalid curve.
+		 */
+		if (!tls1_check_curve(s, p, param_len))
+			{
+			al=SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_CURVE);
+			goto f_err;
+			}
+
+		if ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0) 
 			{
 			al=SSL_AD_INTERNAL_ERROR;
 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);

diff --git a/ssl/ssl.h b/ssl/ssl.h
@@ -2745,6 +2745,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_USE_SRTP_NOT_NEGOTIATED			 369
 #define SSL_R_WRITE_BIO_NOT_SET				 260
 #define SSL_R_WRONG_CIPHER_RETURNED			 261
+#define SSL_R_WRONG_CURVE				 378
 #define SSL_R_WRONG_MESSAGE_TYPE			 262
 #define SSL_R_WRONG_NUMBER_OF_KEY_BITS			 263
 #define SSL_R_WRONG_SIGNATURE_LENGTH			 264

diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
@@ -604,6 +604,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_USE_SRTP_NOT_NEGOTIATED),"use srtp not negotiated"},
 {ERR_REASON(SSL_R_WRITE_BIO_NOT_SET)     ,"write bio not set"},
 {ERR_REASON(SSL_R_WRONG_CIPHER_RETURNED) ,"wrong cipher returned"},
+{ERR_REASON(SSL_R_WRONG_CURVE)           ,"wrong curve"},
 {ERR_REASON(SSL_R_WRONG_MESSAGE_TYPE)    ,"wrong message type"},
 {ERR_REASON(SSL_R_WRONG_NUMBER_OF_KEY_BITS),"wrong number of key bits"},
 {ERR_REASON(SSL_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"},

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
@@ -1188,6 +1188,7 @@ SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
 #ifndef OPENSSL_NO_EC
 int tls1_ec_curve_id2nid(int curve_id);
 int tls1_ec_nid2curve_id(int nid);
+int tls1_check_curve(SSL *s, const unsigned char *p, size_t len);
 int tls1_shared_curve(SSL *s, int nmatch);
 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
 			int *curves, size_t ncurves);

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
@@ -333,6 +333,21 @@ static void tls1_get_curvelist(SSL *s, int sess,
 		*pcurveslen = sizeof(eccurves_default);
 		}
 	}
+/* Check a curve is one of our preferences */
+int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
+	{
+	const unsigned char *curves;
+	size_t curveslen, i;
+	if (len != 3 || p[0] != NAMED_CURVE_TYPE)
+		return 0;
+	tls1_get_curvelist(s, 0, &curves, &curveslen);
+	for (i = 0; i < curveslen; i += 2, curves += 2)
+		{
+		if (p[1] == curves[0] && p[2] == curves[1])
+			return 1;
+		}
+	return 0;
+	}
 
 /* Return nth shared curve. If nmatch == -1 return number of
  * matches.
@@ -584,7 +599,12 @@ int tls1_check_ec_tmp_key(SSL *s)
 		}
 	if (!tls1_set_ec_id(curve_id, NULL, ec))
 		return 0;
+/* Set this to allow use of invalid curves for testing */
+#if 0
+	return 1;
+#else
 	return tls1_check_ec_key(s, curve_id, NULL);
+#endif
 	}
 
 #endif /* OPENSSL_NO_EC */