Only allow ephemeral RSA keys in export ciphersuites.

OpenSSL clients would tolerate temporary RSA keys in non-export ciphersuites.
OpenSSL also had an option, SSL_OP_EPHEMERAL_RSA, which enabled this on the server side.
Remove both options as they are a protocol violation.

Thanks to Karthikeyan Bhargavan for reporting this issue. (CVE-2015-0204)

(This is a backport of upstream's
37580f43b5a39f5f4e920d17273fab9713d3a744 to the M40 branch. In BoringSSL
master we fixed this with
https://boringssl.googlesource.com/boringssl/+/525a0fe315282ca1840f8f9f170c8a26ce5fab2a,
but that's a larger patch than we really want to be backporting.)

Change-Id: Ibfb0c46648bbecffb9d3b1a4ebdf10a5a79523b3
Reviewed-on: https://boringssl-review.googlesource.com/3640
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 64bccfa..0c37f76 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1293,55 +1293,7 @@
 			}
 		}
 
-	if (alg_k & SSL_kRSA)
-		{
-		CBS rsa_modulus, rsa_exponent;
-
-		/* TODO(davidben): This was originally for export
-		 * reasons. Do we still need to support it? */
-
-		if (!CBS_get_u16_length_prefixed(&server_key_exchange, &rsa_modulus) ||
-			CBS_len(&rsa_modulus) == 0 ||
-			!CBS_get_u16_length_prefixed(&server_key_exchange, &rsa_exponent) ||
-			CBS_len(&rsa_exponent) == 0)
-			{
-			al = SSL_AD_DECODE_ERROR;
-			OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_DECODE_ERROR);
-			goto f_err;
-			}
-
-		if ((rsa=RSA_new()) == NULL)
-			{
-			OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_MALLOC_FAILURE);
-			goto err;
-			}
-
-		if (!(rsa->n = BN_bin2bn(CBS_data(&rsa_modulus),
-					CBS_len(&rsa_modulus), rsa->n)))
-			{
-			OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_BN_LIB);
-			goto err;
-			}
-
-		if (!(rsa->e = BN_bin2bn(CBS_data(&rsa_exponent),
-					CBS_len(&rsa_exponent), rsa->e)))
-			{
-			OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_BN_LIB);
-			goto err;
-			}
-
-		/* this should be because we are using an export cipher */
-		if (alg_a & SSL_aRSA)
-			pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
-		else
-			{
-			OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_INTERNAL_ERROR);
-			goto err;
-			}
-		s->session->sess_cert->peer_rsa_tmp=rsa;
-		rsa=NULL;
-		}
-	else if (alg_k & SSL_kEDH)
+	if (alg_k & SSL_kEDH)
 		{
 		CBS dh_p, dh_g, dh_Ys;