summaryrefslogtreecommitdiff
path: root/src/lib/libssl/man/SSL_get_client_random.3
diff options
context:
space:
mode:
authortb <>2024-06-28 14:46:19 +0000
committertb <>2024-06-28 14:46:19 +0000
commit30515f1008f9f0aec1133dd2814ec607bbd5dc52 (patch)
treec397091725956bf38b38196bd78d9b65ce50ec56 /src/lib/libssl/man/SSL_get_client_random.3
parent3dd165fd803abceb639377d1993188d15117dc1e (diff)
downloadopenbsd-30515f1008f9f0aec1133dd2814ec607bbd5dc52.tar.gz
openbsd-30515f1008f9f0aec1133dd2814ec607bbd5dc52.tar.bz2
openbsd-30515f1008f9f0aec1133dd2814ec607bbd5dc52.zip
Fix SSL_select_next_proto()
SSL_select_next_proto() is already quite broken by its design: const in, non-const out, with the intention of pointing somewhere inside of the two input pointers. A length returned in an unsigned char (because, you know, the individual protocols are encoded in Pascal strings). Can't signal uailure either. It also has an unreachable public return code. Also, due to originally catering to NPN, this function opportunistically selects a protocol from the second input (client) parameters, which makes little sense for ALPN since that means the server falls back to a protocol it doesn't (want to) support. If there's no overlap, it's the callback's job to signal error to its caller for ALPN. As if that wasn't enough misdesign and bugs, the one we're concerned with here wasn't reported to us twice in ten years is that if you pass this API a zero-length (or a sufficiently malformed client protocol list), it would return a pointer pointing somewhere into the heap instead into one of the two input pointers. This pointer could then be interpreted as a Pascal string, resulting in an information disclosure of up to 255 bytes from the heap to the peer, or a crash. This can only happen for NPN (where it does happen in old python and node). A long time ago jsing removed NPN support from LibreSSL, because it had an utter garbage implementation and because it was practically unused. First it was already replaced by the somewhat less bad ALPN, and the only users were the always same language bindings that tend to use every feature they shouldn't use. There were a lot of complaints due to failing test cases in there, but in the end the decision turned out to be the right one: the consequence is that LibreSSL isn't vulnerable to CVE-2024-5535. Still, there is a bug here to fix. It is completely straightforward to do so. Rewrite this mess using CBS, preserving the current behavior. Also, we do not follow BoringSSL's renaming of the variables. It would result in confusing code in almost all alpn callbacks I've seen in the wild. The only exception is the accidental example of Qt. ok jsing
Diffstat (limited to 'src/lib/libssl/man/SSL_get_client_random.3')
0 files changed, 0 insertions, 0 deletions