1 From fd455d5a5e9fef24c208e7ac7d3a4bc58834cbf1 Mon Sep 17 00:00:00 2001
2 From: David Garske <david@wolfssl.com>
3 Date: Tue, 14 Nov 2017 14:05:50 -0800
4 Subject: [PATCH] Fix for handling of static RSA PKCS formatting failures so
5 they are indistinguishable from from correctly formatted RSA blocks (per
6 RFC5246 section 7.4.7.1). Adjusted the static RSA preMasterSecret RNG
7 creation for consistency in client case. Removed obsolete
11 src/internal.c | 70 +++++++++++++++++++++++++++++++++++++++++++++--------
12 wolfssl/error-ssl.h | 2 +-
13 2 files changed, 61 insertions(+), 11 deletions(-)
17 @@ -14190,9 +14190,6 @@ const char* wolfSSL_ERR_reason_error_str
18 case NOT_READY_ERROR :
19 return "handshake layer not ready yet, complete first";
21 - case PMS_VERSION_ERROR :
22 - return "premaster secret version mismatch error";
25 return "record layer version error";
27 @@ -18758,8 +18755,10 @@ int SendClientKeyExchange(WOLFSSL* ssl)
31 + /* build PreMasterSecret with RNG data */
32 ret = wc_RNG_GenerateBlock(ssl->rng,
33 - ssl->arrays->preMasterSecret, SECRET_LEN);
34 + &ssl->arrays->preMasterSecret[VERSION_SZ],
35 + SECRET_LEN - VERSION_SZ);
39 @@ -23545,6 +23544,9 @@ static int DoSessionTicket(WOLFSSL* ssl,
48 static void FreeDckeArgs(WOLFSSL* ssl, void* pArgs)
49 @@ -23770,6 +23772,14 @@ static int DoSessionTicket(WOLFSSL* ssl,
50 ERROR_OUT(BUFFER_ERROR, exit_dcke);
53 + /* pre-load PreMasterSecret with RNG data */
54 + ret = wc_RNG_GenerateBlock(ssl->rng,
55 + &ssl->arrays->preMasterSecret[VERSION_SZ],
56 + SECRET_LEN - VERSION_SZ);
64 @@ -24234,6 +24244,20 @@ static int DoSessionTicket(WOLFSSL* ssl,
69 + /* Errors that can occur here that should be
70 + * indistinguishable:
71 + * RSA_BUFFER_E, RSA_PAD_E and RSA_PRIVATE_ERROR
73 + if (ret < 0 && ret != BAD_FUNC_ARG) {
74 + #ifdef WOLFSSL_ASYNC_CRYPT
75 + if (ret == WC_PENDING_E)
78 + /* store error code for handling below */
79 + args->lastErr = ret;
85 @@ -24380,16 +24404,42 @@ static int DoSessionTicket(WOLFSSL* ssl,
86 /* Add the signature length to idx */
87 args->idx += args->length;
89 - if (args->sigSz == SECRET_LEN && args->output != NULL) {
90 - XMEMCPY(ssl->arrays->preMasterSecret, args->output, SECRET_LEN);
91 - if (ssl->arrays->preMasterSecret[0] != ssl->chVersion.major ||
92 - ssl->arrays->preMasterSecret[1] != ssl->chVersion.minor) {
93 - ERROR_OUT(PMS_VERSION_ERROR, exit_dcke);
94 + #ifdef DEBUG_WOLFSSL
95 + /* check version (debug warning message only) */
96 + if (args->output != NULL) {
97 + if (args->output[0] != ssl->chVersion.major ||
98 + args->output[1] != ssl->chVersion.minor) {
99 + WOLFSSL_MSG("preMasterSecret version mismatch");
104 + /* RFC5246 7.4.7.1:
105 + * Treat incorrectly formatted message blocks and/or
106 + * mismatched version numbers in a manner
107 + * indistinguishable from correctly formatted RSA blocks
110 + ret = args->lastErr;
111 + args->lastErr = 0; /* reset */
113 + /* build PreMasterSecret */
114 + ssl->arrays->preMasterSecret[0] = ssl->chVersion.major;
115 + ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor;
116 + if (ret == 0 && args->sigSz == SECRET_LEN &&
117 + args->output != NULL) {
118 + XMEMCPY(&ssl->arrays->preMasterSecret[VERSION_SZ],
119 + &args->output[VERSION_SZ],
120 + SECRET_LEN - VERSION_SZ);
123 - ERROR_OUT(RSA_PRIVATE_ERROR, exit_dcke);
124 + /* preMasterSecret has RNG and version set */
125 + /* return proper length and ignore error */
126 + /* error will be caught as decryption error */
127 + args->sigSz = SECRET_LEN;
134 --- a/wolfssl/error-ssl.h
135 +++ b/wolfssl/error-ssl.h
136 @@ -57,7 +57,7 @@ enum wolfSSL_ErrorCodes {
137 DOMAIN_NAME_MISMATCH = -322, /* peer subject name mismatch */
138 WANT_READ = -323, /* want read, call again */
139 NOT_READY_ERROR = -324, /* handshake layer not ready */
140 - PMS_VERSION_ERROR = -325, /* pre m secret version error */
142 VERSION_ERROR = -326, /* record layer version error */
143 WANT_WRITE = -327, /* want write, call again */
144 BUFFER_ERROR = -328, /* malformed buffer input */