author | jason <> | 2002-07-30 15:47:56 +0000 |
---|---|---|
committer | jason <> | 2002-07-30 15:47:56 +0000 |
commit | f85814b99411f07f87dbb2ec1977014aaa43a1c2 (patch) | |
tree | 6adf5bdd6187440b2d469c3252113631f2c2e877 | |
parent | 61f51d1b1714d7f1eb3350fed1b78632ef17c937 (diff) | |
Pull in patch from current:
Fix (markus), errata 013:
apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2
-rw-r--r-- | src/lib/libssl/src/CHANGES | 29 | ||||
-rw-r--r-- | src/lib/libssl/src/crypto/asn1/asn1_lib.c | 10 | ||||
-rw-r--r-- | src/lib/libssl/src/crypto/conf/conf_def.c | 3 | ||||
-rw-r--r-- | src/lib/libssl/src/crypto/cryptlib.h | 4 | ||||
-rw-r--r-- | src/lib/libssl/src/crypto/objects/obj_dat.c | 2 | ||||
-rw-r--r-- | src/lib/libssl/src/ssl/s2_clnt.c | 8 | ||||
-rw-r--r-- | src/lib/libssl/src/ssl/s2_lib.c | 6 | ||||
-rw-r--r-- | src/lib/libssl/src/ssl/s2_srvr.c | 14 | ||||
-rw-r--r-- | src/lib/libssl/src/ssl/s3_clnt.c | 10 | ||||
-rw-r--r-- | src/lib/libssl/src/ssl/s3_srvr.c | 2 | ||||
-rw-r--r-- | src/lib/libssl/src/ssl/ssl.h | 2 | ||||
-rw-r--r-- | src/lib/libssl/src/ssl/ssl_asn1.c | 1 | ||||
-rw-r--r-- | src/lib/libssl/src/ssl/ssl_err.c | 4 | ||||
-rw-r--r-- | src/lib/libssl/src/ssl/ssl_lib.c | 7 | ||||
-rw-r--r-- | src/lib/libssl/src/ssl/ssl_locl.h | 3 | ||||
-rw-r--r-- | src/lib/libssl/src/ssl/ssl_sess.c | 1 |
16 files changed, 99 insertions, 7 deletions
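--- a/src/lib/libssl/src/CHANGES
+++ b/src/lib/libssl/src/CHANGES
@@ -2,6 +2,35 @@
 OpenSSL CHANGES
 _______________
 
+Changes in security patch
+
+Changes marked "(CHATS)" were sponsored by the Defense Advanced
+Research Projects Agency (DARPA) and Air Force Research Laboratory,
+Air Force Materiel Command, USAF, under agreement number
+F30602-01-2-0537.
+
+*) Add various sanity checks to asn1_get_length() to reject
+the ASN1 length bytes if they exceed sizeof(long), will appear
+negative or the content length exceeds the length of the
+supplied buffer.
+[Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
+
+*) Assertions for various potential buffer overflows, not known to
+happen in practice.
+[Ben Laurie (CHATS)]
+
+*) Various temporary buffers to hold ASCII versions of integers were
+too small for 64 bit platforms. (CAN-2002-0655)
+[Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>
+
+*) Remote buffer overflow in SSL3 protocol - an attacker could
+supply an oversized session ID to a client. (CAN-2002-0656)
+[Ben Laurie (CHATS)]
+
+*) Remote buffer overflow in SSL2 protocol - an attacker could
+supply an oversized client master key. (CAN-2002-0656)
+[Ben Laurie (CHATS)]
+
 Changes between 0.9.6a and 0.9.6b [9 Jul 2001]
 
 *) Change ssleay_rand_bytes (crypto/rand/md_rand.c)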
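--- a/src/lib/libssl/src/crypto/asn1/asn1_lib.c
+++ b/src/lib/libssl/src/crypto/asn1/asn1_lib.c
@@ -124,15 +124,13 @@ int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int *pclass,
 (int)(omax+ *pp));
 
 #endif
-#if 0
-if ((p+ *plength) > (omax+ *pp))
+if (*plength > (omax - (*pp - p)))
 {
 ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG);
 /* Set this so that even if things are not long enough
 * the values are set correctly */
 ret|=0x80;
 }
-#endif
 *pp=p;
 return(ret|inf);
 err:
@@ -159,6 +157,8 @@ static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
 i= *p&0x7f;
 if (*(p++) & 0x80)
 {
+if (i > sizeof(long))
+return 0;
 if (max-- == 0) return(0);
 while (i-- > 0)
 {
@@ -170,6 +170,8 @@ static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
 else
 ret=i;
 }
+if (ret < 0)
+return 0;
 *pp=p;
 *rl=ret;
 return(1);
@@ -407,7 +409,7 @@ int ASN1_STRING_cmp(ASN1_STRING *a, ASN1_STRING *b)
 
 void asn1_add_error(unsigned char *address, int offset)
 {
-char buf1[16],buf2[16];
+char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];
 
 sprintf(buf1,"%lu",(unsigned long)address);
 sprintf(buf2,"%d",offset);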
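Review bot: The re-enabled bound in ASN1_get_object, `if (*plength > (omax - (*pp - p)))`, subtracts in the wrong direction if `p` is the cursor that has already moved past the tag and length bytes, which the following `*pp=p;` suggests. `*pp - p` is then zero or negative, so the limit becomes omax plus the header size rather than omax minus it, and a content length that runs a few bytes past the supplied buffer is still accepted. The comparison should read `if (*plength > (omax - (p - *pp)))`. The function body starts above this hunk, so the declaration and starting value of `p` should be confirmed there.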
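--- a/src/lib/libssl/src/crypto/conf/conf_def.c
+++ b/src/lib/libssl/src/crypto/conf/conf_def.c
@@ -67,6 +67,7 @@
 #include "conf_def.h"
 #include <openssl/buffer.h>
 #include <openssl/err.h>
+#include "cryptlib.h"
 
 static char *eat_ws(CONF *conf, char *p);
 static char *eat_alpha_numeric(CONF *conf, char *p);
@@ -180,12 +181,12 @@ static int def_destroy_data(CONF *conf)
 static int def_load(CONF *conf, BIO *in, long *line)
 {
 #define BUFSIZE 512
-char btmp[16];
 int bufnum=0,i,ii;
 BUF_MEM *buff=NULL;
 char *s,*p,*end;
 int again,n;
 long eline=0;
+char btmp[DECIMAL_SIZE(eline)+1];
 CONF_VALUE *v=NULL,*tv;
 CONF_VALUE *sv=NULL;
 char *section=NULL,*buf;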
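--- a/src/lib/libssl/src/crypto/cryptlib.h
+++ b/src/lib/libssl/src/crypto/cryptlib.h
@@ -89,6 +89,10 @@ extern "C" {
 #define X509_CERT_DIR_EVP "SSL_CERT_DIR"
 #define X509_CERT_FILE_EVP "SSL_CERT_FILE"
 
+/* size of string represenations */
+#define DECIMAL_SIZE(type) ((sizeof(type)*8+2)/3+1)
+#define HEX_SIZE(type) ((sizeof(type)*2)
+
 #ifdef __cplusplus
 }
 #endif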
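Review bot: `HEX_SIZE` is defined with unbalanced parentheses, `((sizeof(type)*2)`, so any use of the macro will not compile as written; it should be `#define HEX_SIZE(type) (sizeof(type)*2)`. The comment above it misspells "representations". That comment should also say whether the sizes include the sign and the terminating NUL, since the callers in this commit add `+1` themselves (`buf1[DECIMAL_SIZE(address)+1]`).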
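--- a/src/lib/libssl/src/crypto/objects/obj_dat.c
+++ b/src/lib/libssl/src/crypto/objects/obj_dat.c
@@ -428,7 +428,7 @@ int OBJ_obj2txt(char *buf, int buf_len, ASN1_OBJECT *a, int no_name)
 unsigned long l;
 unsigned char *p;
 const char *s;
-char tbuf[32];
+char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2];
 
 if (buf_len <= 0) return(0);
 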
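--- a/src/lib/libssl/src/ssl/s2_clnt.c
+++ b/src/lib/libssl/src/ssl/s2_clnt.c
@@ -63,6 +63,7 @@
 #include <openssl/buffer.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
+#include "ssl_locl.h"
 
 static SSL_METHOD *ssl2_get_client_method(int ver);
 static int get_server_finished(SSL *s);
@@ -458,6 +459,7 @@ static int get_server_hello(SSL *s)
 }
 
 s->s2->conn_id_length=s->s2->tmp.conn_id_length;
+die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
 memcpy(s->s2->conn_id,p,s->s2->tmp.conn_id_length);
 return(1);
 }
@@ -559,6 +561,7 @@ static int client_master_key(SSL *s)
 /* make key_arg data */
 i=EVP_CIPHER_iv_length(c);
 sess->key_arg_length=i;
+die(i <= SSL_MAX_KEY_ARG_LENGTH);
 if (i > 0) RAND_pseudo_bytes(sess->key_arg,i);
 
 /* make a master key */
@@ -566,6 +569,7 @@ static int client_master_key(SSL *s)
 sess->master_key_length=i;
 if (i > 0)
 {
+die(i <= sizeof sess->master_key);
 if (RAND_bytes(sess->master_key,i) <= 0)
 {
 ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
@@ -609,6 +613,7 @@ static int client_master_key(SSL *s)
 d+=enc;
 karg=sess->key_arg_length;
 s2n(karg,p); /* key arg size */
+die(karg <= sizeof sess->key_arg);
 memcpy(d,sess->key_arg,(unsigned int)karg);
 d+=karg;
 
@@ -629,6 +634,7 @@ static int client_finished(SSL *s)
 {
 p=(unsigned char *)s->init_buf->data;
 *(p++)=SSL2_MT_CLIENT_FINISHED;
+die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
 memcpy(p,s->s2->conn_id,(unsigned int)s->s2->conn_id_length);
 
 s->state=SSL2_ST_SEND_CLIENT_FINISHED_B;
@@ -878,6 +884,8 @@ static int get_server_finished(SSL *s)
 {
 if (!(s->options & SSL_OP_MICROSOFT_SESS_ID_BUG))
 {
+die(s->session->session_id_length
+<= sizeof s->session->session_id);
 if (memcmp(buf,s->session->session_id,
 (unsigned int)s->session->session_id_length) != 0)
 {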
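Review bot: In get_server_hello the new `die(s->s2->conn_id_length <= sizeof s->s2->conn_id)` runs right after the length is copied from `s->s2->tmp.conn_id_length`, which looks like a value parsed from the server's hello; if so, an oversized value from the peer calls abort() in the client process instead of failing the handshake. The overflow is stopped, but a remote party can still terminate the application. For peer-derived lengths an explicit check that records an error and returns is preferable, in the style s2_srvr.c uses for key_arg_length: `if (s->s2->conn_id_length > sizeof s->s2->conn_id) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); return -1; }`. The same applies to `die(i <= SSL_MAX_MASTER_KEY_LENGTH)` in get_client_master_key in s2_srvr.c, where `i` can include the client-supplied `tmp.clear`, and to `die(os.length <= sizeof ret->session_id)` in d2i_SSL_SESSION in ssl_asn1.c; die() is better kept for lengths the library computed itself.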
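--- a/src/lib/libssl/src/ssl/s2_lib.c
+++ b/src/lib/libssl/src/ssl/s2_lib.c
@@ -62,6 +62,7 @@
 #include <openssl/rsa.h>
 #include <openssl/objects.h>
 #include <openssl/md5.h>
+#include "ssl_locl.h"
 
 static long ssl2_default_timeout(void );
 const char *ssl2_version_str="SSLv2" OPENSSL_VERSION_PTEXT;
@@ -425,10 +426,14 @@ void ssl2_generate_key_material(SSL *s)
 #endif
 
 km=s->s2->key_material;
+die(s->s2->key_material_length <= sizeof s->s2->key_material);
 for (i=0; i<s->s2->key_material_length; i+=MD5_DIGEST_LENGTH)
 {
 MD5_Init(&ctx);
 
+die(s->session->master_key_length >= 0
+&& s->session->master_key_length
+< sizeof s->session->master_key);
 MD5_Update(&ctx,s->session->master_key,s->session->master_key_length);
 MD5_Update(&ctx,&c,1);
 c++;
@@ -463,6 +468,7 @@ void ssl2_write_error(SSL *s)
 /* state=s->rwstate;*/
 error=s->error;
 s->error=0;
+die(error >= 0 && error <= 3);
 i=ssl2_write(s,&(buf[3-error]),error);
 /* if (i == error) s->rwstate=state; */
 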
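Review bot: The master-key assertion in ssl2_generate_key_material uses a strict `<` (`s->session->master_key_length < sizeof s->session->master_key`), while the checks on the same field elsewhere in this commit use `<=` (`die(i <= sizeof sess->master_key)` in s2_clnt.c, `die(i <= SSL_MAX_MASTER_KEY_LENGTH)` in s2_srvr.c). A key that exactly fills the buffer passes those checks and then aborts here; either make this `<=` or add a comment saying why one byte of slack is required. The assertion is also loop-invariant and could sit before the `for`, next to the key_material_length check.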
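--- a/src/lib/libssl/src/ssl/s2_srvr.c
+++ b/src/lib/libssl/src/ssl/s2_srvr.c
@@ -63,6 +63,7 @@
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
+#include "ssl_locl.h"
 
 static SSL_METHOD *ssl2_get_server_method(int ver);
 static int get_client_master_key(SSL *s);
@@ -361,12 +362,19 @@ static int get_client_master_key(SSL *s)
 n2s(p,i); s->s2->tmp.clear=i;
 n2s(p,i); s->s2->tmp.enc=i;
 n2s(p,i); s->session->key_arg_length=i;
+if(s->session->key_arg_length > SSL_MAX_KEY_ARG_LENGTH)
+{
+SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,
+SSL_R_KEY_ARG_TOO_LONG);
+return -1;
+}
 s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B;
 s->init_num=0;
 }
 
 /* SSL2_ST_GET_CLIENT_MASTER_KEY_B */
 p=(unsigned char *)s->init_buf->data;
+die(s->init_buf->length >= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER);
 keya=s->session->key_arg_length;
 n=s->s2->tmp.clear+s->s2->tmp.enc+keya - s->init_num;
 i=ssl2_read(s,(char *)&(p[s->init_num]),n);
@@ -440,6 +448,7 @@ static int get_client_master_key(SSL *s)
 #endif
 
 if (is_export) i+=s->s2->tmp.clear;
+die(i <= SSL_MAX_MASTER_KEY_LENGTH);
 s->session->master_key_length=i;
 memcpy(s->session->master_key,p,(unsigned int)i);
 return(1);
@@ -580,6 +589,7 @@ static int get_client_hello(SSL *s)
 p+=s->s2->tmp.session_id_length;
 
 /* challenge */
+die(s->s2->challenge_length <= sizeof s->s2->challenge);
 memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length);
 return(1);
 mem_err:
@@ -730,6 +740,7 @@ static int get_client_finished(SSL *s)
 }
 
 /* SSL2_ST_GET_CLIENT_FINISHED_B */
+die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
 i=ssl2_read(s,(char *)&(p[s->init_num]),s->s2->conn_id_length-s->init_num);
 if (i < (int)s->s2->conn_id_length-s->init_num)
 {
@@ -752,6 +763,7 @@ static int server_verify(SSL *s)
 {
 p=(unsigned char *)s->init_buf->data;
 *(p++)=SSL2_MT_SERVER_VERIFY;
+die(s->s2->challenge_length <= sizeof s->s2->challenge);
 memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length);
 /* p+=s->s2->challenge_length; */
 
@@ -771,6 +783,8 @@ static int server_finish(SSL *s)
 p=(unsigned char *)s->init_buf->data;
 *(p++)=SSL2_MT_SERVER_FINISHED;
 
+die(s->session->session_id_length
+<= sizeof s->session->session_id);
 memcpy(p,s->session->session_id,
 (unsigned int)s->session->session_id_length);
 /* p+=s->session->session_id_length; */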
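Review bot: In get_client_master_key the read length `n=s->s2->tmp.clear+s->s2->tmp.enc+keya - s->init_num` is still built from three 16-bit values taken from the client, and only `keya` is bounded by the new check. The added `die(s->init_buf->length >= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)` asserts the buffer size, but nothing visible in the hunk compares the sum with it before `ssl2_read` writes to `p[s->init_num]`. Unless ssl2_read or code outside the hunk limits the count, the total should be checked next to the key_arg_length test, for example `if (s->s2->tmp.clear+s->s2->tmp.enc+s->session->key_arg_length > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)` followed by the same SSLerr/return -1 handling. The function body starts and ends outside these hunks, so the exact buffer offset should be confirmed there.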
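--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -64,6 +64,7 @@
 #include <openssl/sha.h>
 #include <openssl/evp.h>
 #include "ssl_locl.h"
+#include "ssl_locl.h"
 
 static SSL_METHOD *ssl3_get_client_method(int ver);
 static int ssl3_client_hello(SSL *s);
@@ -492,6 +493,7 @@ static int ssl3_client_hello(SSL *s)
 *(p++)=i;
 if (i != 0)
 {
+die(i <= sizeof s->session->session_id);
 memcpy(p,s->session->session_id,i);
 p+=i;
 }
@@ -573,6 +575,14 @@ static int ssl3_get_server_hello(SSL *s)
 /* get the session-id */
 j= *(p++);
 
+if(j > sizeof s->session->session_id)
+{
+al=SSL_AD_ILLEGAL_PARAMETER;
+SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
+SSL_R_SSL3_SESSION_ID_TOO_LONG);
+goto f_err;
+}
+
 if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
 {
 /* SSLref returns 16 :-( */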
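Review bot: The first hunk adds a second `#include "ssl_locl.h"` directly below the existing one; the header is already included in this file, so the added line is redundant and should be dropped. s3_srvr.c gets the same duplicate line. It is harmless only if ssl_locl.h has an include guard, which the closing `#endif` in the ssl_locl.h hunk suggests but does not show.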
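--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -69,6 +69,7 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include "ssl_locl.h"
+#include "ssl_locl.h"
 
 static SSL_METHOD *ssl3_get_server_method(int ver);
 static int ssl3_get_client_hello(SSL *s);
@@ -863,6 +864,7 @@ static int ssl3_send_server_hello(SSL *s)
 s->session->session_id_length=0;
 
 sl=s->session->session_id_length;
+die(sl <= sizeof s->session->session_id);
 *(p++)=sl;
 memcpy(p,s->session->session_id,sl);
 p+=sl;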
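--- a/src/lib/libssl/src/ssl/ssl.h
+++ b/src/lib/libssl/src/ssl/ssl.h
@@ -1418,6 +1418,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_INVALID_COMMAND 280
 #define SSL_R_INVALID_PURPOSE 278
 #define SSL_R_INVALID_TRUST 279
+#define SSL_R_KEY_ARG_TOO_LONG 1112
 #define SSL_R_LENGTH_MISMATCH 159
 #define SSL_R_LENGTH_TOO_SHORT 160
 #define SSL_R_LIBRARY_BUG 274
@@ -1485,6 +1486,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_SHORT_READ 219
 #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
 #define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221
+#define SSL_R_SSL3_SESSION_ID_TOO_LONG 1113
 #define SSL_R_SSL3_SESSION_ID_TOO_SHORT 222
 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042
 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020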
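Review bot: The two new reason codes, `SSL_R_KEY_ARG_TOO_LONG 1112` and `SSL_R_SSL3_SESSION_ID_TOO_LONG 1113`, fall in the numeric range used by the `SSL_R_SSLV3_ALERT_*` entries visible in the second hunk (1042, 1020), while the neighbouring library reasons are in the 100–300 range. If values of 1000 and above are reserved for reasons derived from alert numbers, as the alert entries suggest, these two can later collide with a real alert code or be reported as if the peer had sent an alert. Assigning the next free values from the ordinary range would avoid that; the strings in ssl_err.c are keyed by the macro names and would not need to change.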
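--- a/src/lib/libssl/src/ssl/ssl_asn1.c
+++ b/src/lib/libssl/src/ssl/ssl_asn1.c
@@ -275,6 +275,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
 os.length=i;
 
 ret->session_id_length=os.length;
+die(os.length <= sizeof ret->session_id);
 memcpy(ret->session_id,os.data,os.length);
 
 M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);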
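--- a/src/lib/libssl/src/ssl/ssl_err.c
+++ b/src/lib/libssl/src/ssl/ssl_err.c
@@ -1,6 +1,6 @@
 /* ssl/ssl_err.c */
 /* ====================================================================
-* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
+* Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -273,6 +273,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {SSL_R_INVALID_COMMAND ,"invalid command"},
 {SSL_R_INVALID_PURPOSE ,"invalid purpose"},
 {SSL_R_INVALID_TRUST ,"invalid trust"},
+{SSL_R_KEY_ARG_TOO_LONG ,"key arg too long"},
 {SSL_R_LENGTH_MISMATCH ,"length mismatch"},
 {SSL_R_LENGTH_TOO_SHORT ,"length too short"},
 {SSL_R_LIBRARY_BUG ,"library bug"},
@@ -340,6 +341,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {SSL_R_SHORT_READ ,"short read"},
 {SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"},
 {SSL_R_SSL23_DOING_SESSION_ID_REUSE ,"ssl23 doing session id reuse"},
+{SSL_R_SSL3_SESSION_ID_TOO_LONG ,"ssl3 session id too long"},
 {SSL_R_SSL3_SESSION_ID_TOO_SHORT ,"ssl3 session id too short"},
 {SSL_R_SSLV3_ALERT_BAD_CERTIFICATE ,"sslv3 alert bad certificate"},
 {SSL_R_SSLV3_ALERT_BAD_RECORD_MAC ,"sslv3 alert bad record mac"},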
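--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -2072,3 +2072,10 @@ void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export,
 
 IMPLEMENT_STACK_OF(SSL_CIPHER)
 IMPLEMENT_STACK_OF(SSL_COMP)
+
+void OpenSSLDie(const char *file,int line,const char *assertion)
+{
+fprintf(stderr,"%s(%d): OpenSSL internal error, assertion failed: %s\n",
+file,line,assertion);
+abort();
+}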
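Review bot: OpenSSLDie has no comment stating that it never returns and that it terminates the whole host process, which matters to every caller of the `die()` macro. Suggested header: `/* Report a failed internal consistency check on stderr and abort(); does not return. */`. Because the only diagnostic goes to stderr, a daemon that has closed or redirected stderr loses the file, line and assertion text and operators may see only an unexplained SIGABRT; that is worth a sentence in the comment as well. The hunk does not show whether ssl_lib.c already includes <stdio.h> and <stdlib.h> for fprintf and abort.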
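--- a/src/lib/libssl/src/ssl/ssl_locl.h
+++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -605,5 +605,8 @@ int ssl_ok(SSL *s);
 SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
 STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
 
+/* die if we have to */
+void OpenSSLDie(const char *file,int line,const char *assertion);
+#define die(e) ((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e))
 
 #endif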
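--- a/src/lib/libssl/src/ssl/ssl_sess.c
+++ b/src/lib/libssl/src/ssl/ssl_sess.c
@@ -199,6 +199,7 @@ int ssl_get_new_session(SSL *s, int session)
 ss->session_id_length=0;
 }
 
+die(s->sid_ctx_length <= sizeof ss->sid_ctx);
 memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length);
 ss->sid_ctx_length=s->sid_ctx_length;
 s->session=ss;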