diff options
| author | jasper <> | 2010-11-17 19:09:32 +0000 |
|---|---|---|
| committer | jasper <> | 2010-11-17 19:09:32 +0000 |
| commit | 91750719c76a913b2ad3684dfda08254c6fbf371 (patch) | |
| tree | 54ffe7b5d07b839a112014a665f1963b9d9fc226 /src | |
| parent | d51422742b4a958b4ca9fa08554a9ed2351868f5 (diff) | |
| download | openbsd-91750719c76a913b2ad3684dfda08254c6fbf371.tar.gz openbsd-91750719c76a913b2ad3684dfda08254c6fbf371.tar.bz2 openbsd-91750719c76a913b2ad3684dfda08254c6fbf371.zip | |
- Apply security fix for CVE-2010-3864 (+commit 19998 which fixes the fix).
ok djm@ deraadt@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/src/ssl/t1_lib.c | 60 | ||||
| -rw-r--r-- | src/lib/libssl/t1_lib.c | 60 |
2 files changed, 84 insertions, 36 deletions
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c index e8bc34c111..833fc172de 100644 --- a/src/lib/libssl/src/ssl/t1_lib.c +++ b/src/lib/libssl/src/ssl/t1_lib.c | |||
| @@ -714,14 +714,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in | |||
| 714 | switch (servname_type) | 714 | switch (servname_type) |
| 715 | { | 715 | { |
| 716 | case TLSEXT_NAMETYPE_host_name: | 716 | case TLSEXT_NAMETYPE_host_name: |
| 717 | if (s->session->tlsext_hostname == NULL) | 717 | if (!s->hit) |
| 718 | { | 718 | { |
| 719 | if (len > TLSEXT_MAXLEN_host_name || | 719 | if(s->session->tlsext_hostname) |
| 720 | ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) | 720 | { |
| 721 | *al = SSL_AD_DECODE_ERROR; | ||
| 722 | return 0; | ||
| 723 | } | ||
| 724 | if (len > TLSEXT_MAXLEN_host_name) | ||
| 721 | { | 725 | { |
| 722 | *al = TLS1_AD_UNRECOGNIZED_NAME; | 726 | *al = TLS1_AD_UNRECOGNIZED_NAME; |
| 723 | return 0; | 727 | return 0; |
| 724 | } | 728 | } |
| 729 | if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) | ||
| 730 | { | ||
| 731 | *al = TLS1_AD_INTERNAL_ERROR; | ||
| 732 | return 0; | ||
| 733 | } | ||
| 725 | memcpy(s->session->tlsext_hostname, sdata, len); | 734 | memcpy(s->session->tlsext_hostname, sdata, len); |
| 726 | s->session->tlsext_hostname[len]='\0'; | 735 | s->session->tlsext_hostname[len]='\0'; |
| 727 | if (strlen(s->session->tlsext_hostname) != len) { | 736 | if (strlen(s->session->tlsext_hostname) != len) { |
| @@ -734,7 +743,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in | |||
| 734 | 743 | ||
| 735 | } | 744 | } |
| 736 | else | 745 | else |
| 737 | s->servername_done = strlen(s->session->tlsext_hostname) == len | 746 | s->servername_done = s->session->tlsext_hostname |
| 747 | && strlen(s->session->tlsext_hostname) == len | ||
| 738 | && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; | 748 | && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; |
| 739 | 749 | ||
| 740 | break; | 750 | break; |
| @@ -765,15 +775,22 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in | |||
| 765 | *al = TLS1_AD_DECODE_ERROR; | 775 | *al = TLS1_AD_DECODE_ERROR; |
| 766 | return 0; | 776 | return 0; |
| 767 | } | 777 | } |
| 768 | s->session->tlsext_ecpointformatlist_length = 0; | 778 | if (!s->hit) |
| 769 | if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); | ||
| 770 | if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) | ||
| 771 | { | 779 | { |
| 772 | *al = TLS1_AD_INTERNAL_ERROR; | 780 | if(s->session->tlsext_ecpointformatlist) |
| 773 | return 0; | 781 | { |
| 782 | OPENSSL_free(s->session->tlsext_ecpointformatlist); | ||
| 783 | s->session->tlsext_ecpointformatlist = NULL; | ||
| 784 | } | ||
| 785 | s->session->tlsext_ecpointformatlist_length = 0; | ||
| 786 | if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) | ||
| 787 | { | ||
| 788 | *al = TLS1_AD_INTERNAL_ERROR; | ||
| 789 | return 0; | ||
| 790 | } | ||
| 791 | s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; | ||
| 792 | memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); | ||
| 774 | } | 793 | } |
| 775 | s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; | ||
| 776 | memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); | ||
| 777 | #if 0 | 794 | #if 0 |
| 778 | fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); | 795 | fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); |
| 779 | sdata = s->session->tlsext_ecpointformatlist; | 796 | sdata = s->session->tlsext_ecpointformatlist; |
| @@ -794,15 +811,22 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in | |||
| 794 | *al = TLS1_AD_DECODE_ERROR; | 811 | *al = TLS1_AD_DECODE_ERROR; |
| 795 | return 0; | 812 | return 0; |
| 796 | } | 813 | } |
| 797 | s->session->tlsext_ellipticcurvelist_length = 0; | 814 | if (!s->hit) |
| 798 | if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist); | ||
| 799 | if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) | ||
| 800 | { | 815 | { |
| 801 | *al = TLS1_AD_INTERNAL_ERROR; | 816 | if(s->session->tlsext_ellipticcurvelist) |
| 802 | return 0; | 817 | { |
| 818 | *al = TLS1_AD_DECODE_ERROR; | ||
| 819 | return 0; | ||
| 820 | } | ||
| 821 | s->session->tlsext_ellipticcurvelist_length = 0; | ||
| 822 | if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) | ||
| 823 | { | ||
| 824 | *al = TLS1_AD_INTERNAL_ERROR; | ||
| 825 | return 0; | ||
| 826 | } | ||
| 827 | s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; | ||
| 828 | memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); | ||
| 803 | } | 829 | } |
| 804 | s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; | ||
| 805 | memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); | ||
| 806 | #if 0 | 830 | #if 0 |
| 807 | fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); | 831 | fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); |
| 808 | sdata = s->session->tlsext_ellipticcurvelist; | 832 | sdata = s->session->tlsext_ellipticcurvelist; |
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index e8bc34c111..833fc172de 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c | |||
| @@ -714,14 +714,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in | |||
| 714 | switch (servname_type) | 714 | switch (servname_type) |
| 715 | { | 715 | { |
| 716 | case TLSEXT_NAMETYPE_host_name: | 716 | case TLSEXT_NAMETYPE_host_name: |
| 717 | if (s->session->tlsext_hostname == NULL) | 717 | if (!s->hit) |
| 718 | { | 718 | { |
| 719 | if (len > TLSEXT_MAXLEN_host_name || | 719 | if(s->session->tlsext_hostname) |
| 720 | ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) | 720 | { |
| 721 | *al = SSL_AD_DECODE_ERROR; | ||
| 722 | return 0; | ||
| 723 | } | ||
| 724 | if (len > TLSEXT_MAXLEN_host_name) | ||
| 721 | { | 725 | { |
| 722 | *al = TLS1_AD_UNRECOGNIZED_NAME; | 726 | *al = TLS1_AD_UNRECOGNIZED_NAME; |
| 723 | return 0; | 727 | return 0; |
| 724 | } | 728 | } |
| 729 | if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) | ||
| 730 | { | ||
| 731 | *al = TLS1_AD_INTERNAL_ERROR; | ||
| 732 | return 0; | ||
| 733 | } | ||
| 725 | memcpy(s->session->tlsext_hostname, sdata, len); | 734 | memcpy(s->session->tlsext_hostname, sdata, len); |
| 726 | s->session->tlsext_hostname[len]='\0'; | 735 | s->session->tlsext_hostname[len]='\0'; |
| 727 | if (strlen(s->session->tlsext_hostname) != len) { | 736 | if (strlen(s->session->tlsext_hostname) != len) { |
| @@ -734,7 +743,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in | |||
| 734 | 743 | ||
| 735 | } | 744 | } |
| 736 | else | 745 | else |
| 737 | s->servername_done = strlen(s->session->tlsext_hostname) == len | 746 | s->servername_done = s->session->tlsext_hostname |
| 747 | && strlen(s->session->tlsext_hostname) == len | ||
| 738 | && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; | 748 | && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; |
| 739 | 749 | ||
| 740 | break; | 750 | break; |
| @@ -765,15 +775,22 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in | |||
| 765 | *al = TLS1_AD_DECODE_ERROR; | 775 | *al = TLS1_AD_DECODE_ERROR; |
| 766 | return 0; | 776 | return 0; |
| 767 | } | 777 | } |
| 768 | s->session->tlsext_ecpointformatlist_length = 0; | 778 | if (!s->hit) |
| 769 | if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); | ||
| 770 | if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) | ||
| 771 | { | 779 | { |
| 772 | *al = TLS1_AD_INTERNAL_ERROR; | 780 | if(s->session->tlsext_ecpointformatlist) |
| 773 | return 0; | 781 | { |
| 782 | OPENSSL_free(s->session->tlsext_ecpointformatlist); | ||
| 783 | s->session->tlsext_ecpointformatlist = NULL; | ||
| 784 | } | ||
| 785 | s->session->tlsext_ecpointformatlist_length = 0; | ||
| 786 | if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) | ||
| 787 | { | ||
| 788 | *al = TLS1_AD_INTERNAL_ERROR; | ||
| 789 | return 0; | ||
| 790 | } | ||
| 791 | s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; | ||
| 792 | memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); | ||
| 774 | } | 793 | } |
| 775 | s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; | ||
| 776 | memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); | ||
| 777 | #if 0 | 794 | #if 0 |
| 778 | fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); | 795 | fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); |
| 779 | sdata = s->session->tlsext_ecpointformatlist; | 796 | sdata = s->session->tlsext_ecpointformatlist; |
| @@ -794,15 +811,22 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in | |||
| 794 | *al = TLS1_AD_DECODE_ERROR; | 811 | *al = TLS1_AD_DECODE_ERROR; |
| 795 | return 0; | 812 | return 0; |
| 796 | } | 813 | } |
| 797 | s->session->tlsext_ellipticcurvelist_length = 0; | 814 | if (!s->hit) |
| 798 | if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist); | ||
| 799 | if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) | ||
| 800 | { | 815 | { |
| 801 | *al = TLS1_AD_INTERNAL_ERROR; | 816 | if(s->session->tlsext_ellipticcurvelist) |
| 802 | return 0; | 817 | { |
| 818 | *al = TLS1_AD_DECODE_ERROR; | ||
| 819 | return 0; | ||
| 820 | } | ||
| 821 | s->session->tlsext_ellipticcurvelist_length = 0; | ||
| 822 | if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) | ||
| 823 | { | ||
| 824 | *al = TLS1_AD_INTERNAL_ERROR; | ||
| 825 | return 0; | ||
| 826 | } | ||
| 827 | s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; | ||
| 828 | memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); | ||
| 803 | } | 829 | } |
| 804 | s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; | ||
| 805 | memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); | ||
| 806 | #if 0 | 830 | #if 0 |
| 807 | fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); | 831 | fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); |
| 808 | sdata = s->session->tlsext_ellipticcurvelist; | 832 | sdata = s->session->tlsext_ellipticcurvelist; |