OpenWrt – Blame information for rev 4
?pathlinks?
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 4 | office | 1 | From fd455d5a5e9fef24c208e7ac7d3a4bc58834cbf1 Mon Sep 17 00:00:00 2001 |
| 2 | From: David Garske <david@wolfssl.com> |
||
| 3 | Date: Tue, 14 Nov 2017 14:05:50 -0800 |
||
| 4 | Subject: [PATCH] Fix for handling of static RSA PKCS formatting failures so |
||
| 5 | they are indistinguishable from from correctly formatted RSA blocks (per |
||
| 6 | RFC5246 section 7.4.7.1). Adjusted the static RSA preMasterSecret RNG |
||
| 7 | creation for consistency in client case. Removed obsolete |
||
| 8 | `PMS_VERSION_ERROR`. |
||
| 9 | |||
| 10 | --- |
||
| 11 | src/internal.c | 70 +++++++++++++++++++++++++++++++++++++++++++++-------- |
||
| 12 | wolfssl/error-ssl.h | 2 +- |
||
| 13 | 2 files changed, 61 insertions(+), 11 deletions(-) |
||
| 14 | |||
| 15 | --- a/src/internal.c |
||
| 16 | +++ b/src/internal.c |
||
| 17 | @@ -14190,9 +14190,6 @@ const char* wolfSSL_ERR_reason_error_str |
||
| 18 | case NOT_READY_ERROR : |
||
| 19 | return "handshake layer not ready yet, complete first"; |
||
| 20 | |||
| 21 | - case PMS_VERSION_ERROR : |
||
| 22 | - return "premaster secret version mismatch error"; |
||
| 23 | - |
||
| 24 | case VERSION_ERROR : |
||
| 25 | return "record layer version error"; |
||
| 26 | |||
| 27 | @@ -18758,8 +18755,10 @@ int SendClientKeyExchange(WOLFSSL* ssl) |
||
| 28 | #ifndef NO_RSA |
||
| 29 | case rsa_kea: |
||
| 30 | { |
||
| 31 | + /* build PreMasterSecret with RNG data */ |
||
| 32 | ret = wc_RNG_GenerateBlock(ssl->rng, |
||
| 33 | - ssl->arrays->preMasterSecret, SECRET_LEN); |
||
| 34 | + &ssl->arrays->preMasterSecret[VERSION_SZ], |
||
| 35 | + SECRET_LEN - VERSION_SZ); |
||
| 36 | if (ret != 0) { |
||
| 37 | goto exit_scke; |
||
| 38 | } |
||
| 39 | @@ -23545,6 +23544,9 @@ static int DoSessionTicket(WOLFSSL* ssl, |
||
| 40 | word32 idx; |
||
| 41 | word32 begin; |
||
| 42 | word32 sigSz; |
||
| 43 | + #ifndef NO_RSA |
||
| 44 | + int lastErr; |
||
| 45 | + #endif |
||
| 46 | } DckeArgs; |
||
| 47 | |||
| 48 | static void FreeDckeArgs(WOLFSSL* ssl, void* pArgs) |
||
| 49 | @@ -23770,6 +23772,14 @@ static int DoSessionTicket(WOLFSSL* ssl, |
||
| 50 | ERROR_OUT(BUFFER_ERROR, exit_dcke); |
||
| 51 | } |
||
| 52 | |||
| 53 | + /* pre-load PreMasterSecret with RNG data */ |
||
| 54 | + ret = wc_RNG_GenerateBlock(ssl->rng, |
||
| 55 | + &ssl->arrays->preMasterSecret[VERSION_SZ], |
||
| 56 | + SECRET_LEN - VERSION_SZ); |
||
| 57 | + if (ret != 0) { |
||
| 58 | + goto exit_dcke; |
||
| 59 | + } |
||
| 60 | + |
||
| 61 | args->output = NULL; |
||
| 62 | break; |
||
| 63 | } /* rsa_kea */ |
||
| 64 | @@ -24234,6 +24244,20 @@ static int DoSessionTicket(WOLFSSL* ssl, |
||
| 65 | NULL, 0, NULL |
||
| 66 | #endif |
||
| 67 | ); |
||
| 68 | + |
||
| 69 | + /* Errors that can occur here that should be |
||
| 70 | + * indistinguishable: |
||
| 71 | + * RSA_BUFFER_E, RSA_PAD_E and RSA_PRIVATE_ERROR |
||
| 72 | + */ |
||
| 73 | + if (ret < 0 && ret != BAD_FUNC_ARG) { |
||
| 74 | + #ifdef WOLFSSL_ASYNC_CRYPT |
||
| 75 | + if (ret == WC_PENDING_E) |
||
| 76 | + goto exit_dcke; |
||
| 77 | + #endif |
||
| 78 | + /* store error code for handling below */ |
||
| 79 | + args->lastErr = ret; |
||
| 80 | + ret = 0; |
||
| 81 | + } |
||
| 82 | break; |
||
| 83 | } /* rsa_kea */ |
||
| 84 | #endif /* !NO_RSA */ |
||
| 85 | @@ -24380,16 +24404,42 @@ static int DoSessionTicket(WOLFSSL* ssl, |
||
| 86 | /* Add the signature length to idx */ |
||
| 87 | args->idx += args->length; |
||
| 88 | |||
| 89 | - if (args->sigSz == SECRET_LEN && args->output != NULL) { |
||
| 90 | - XMEMCPY(ssl->arrays->preMasterSecret, args->output, SECRET_LEN); |
||
| 91 | - if (ssl->arrays->preMasterSecret[0] != ssl->chVersion.major || |
||
| 92 | - ssl->arrays->preMasterSecret[1] != ssl->chVersion.minor) { |
||
| 93 | - ERROR_OUT(PMS_VERSION_ERROR, exit_dcke); |
||
| 94 | + #ifdef DEBUG_WOLFSSL |
||
| 95 | + /* check version (debug warning message only) */ |
||
| 96 | + if (args->output != NULL) { |
||
| 97 | + if (args->output[0] != ssl->chVersion.major || |
||
| 98 | + args->output[1] != ssl->chVersion.minor) { |
||
| 99 | + WOLFSSL_MSG("preMasterSecret version mismatch"); |
||
| 100 | } |
||
| 101 | } |
||
| 102 | + #endif |
||
| 103 | + |
||
| 104 | + /* RFC5246 7.4.7.1: |
||
| 105 | + * Treat incorrectly formatted message blocks and/or |
||
| 106 | + * mismatched version numbers in a manner |
||
| 107 | + * indistinguishable from correctly formatted RSA blocks |
||
| 108 | + */ |
||
| 109 | + |
||
| 110 | + ret = args->lastErr; |
||
| 111 | + args->lastErr = 0; /* reset */ |
||
| 112 | + |
||
| 113 | + /* build PreMasterSecret */ |
||
| 114 | + ssl->arrays->preMasterSecret[0] = ssl->chVersion.major; |
||
| 115 | + ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor; |
||
| 116 | + if (ret == 0 && args->sigSz == SECRET_LEN && |
||
| 117 | + args->output != NULL) { |
||
| 118 | + XMEMCPY(&ssl->arrays->preMasterSecret[VERSION_SZ], |
||
| 119 | + &args->output[VERSION_SZ], |
||
| 120 | + SECRET_LEN - VERSION_SZ); |
||
| 121 | + } |
||
| 122 | else { |
||
| 123 | - ERROR_OUT(RSA_PRIVATE_ERROR, exit_dcke); |
||
| 124 | + /* preMasterSecret has RNG and version set */ |
||
| 125 | + /* return proper length and ignore error */ |
||
| 126 | + /* error will be caught as decryption error */ |
||
| 127 | + args->sigSz = SECRET_LEN; |
||
| 128 | + ret = 0; |
||
| 129 | } |
||
| 130 | + |
||
| 131 | break; |
||
| 132 | } /* rsa_kea */ |
||
| 133 | #endif /* !NO_RSA */ |
||
| 134 | --- a/wolfssl/error-ssl.h |
||
| 135 | +++ b/wolfssl/error-ssl.h |
||
| 136 | @@ -57,7 +57,7 @@ enum wolfSSL_ErrorCodes { |
||
| 137 | DOMAIN_NAME_MISMATCH = -322, /* peer subject name mismatch */ |
||
| 138 | WANT_READ = -323, /* want read, call again */ |
||
| 139 | NOT_READY_ERROR = -324, /* handshake layer not ready */ |
||
| 140 | - PMS_VERSION_ERROR = -325, /* pre m secret version error */ |
||
| 141 | + |
||
| 142 | VERSION_ERROR = -326, /* record layer version error */ |
||
| 143 | WANT_WRITE = -327, /* want write, call again */ |
||
| 144 | BUFFER_ERROR = -328, /* malformed buffer input */ |