In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex()

to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail. Issue reported by David Ramos.
author: jsing <> 2014-06-10 14:46:11 +0000
committer: jsing <> 2014-06-10 14:46:11 +0000
commit: c9bf53b769d2bec4b62ca316d8e4dc83b401c5ca (patch)
tree: 3fcf6413d6fbf19e0db5edc02dec724b6db1f476 /src
parent: eab708047a937230584142a2714d5293b2c20176 (diff)
download: openbsd-c9bf53b769d2bec4b62ca316d8e4dc83b401c5ca.tar.gz
openbsd-c9bf53b769d2bec4b62ca316d8e4dc83b401c5ca.tar.bz2
openbsd-c9bf53b769d2bec4b62ca316d8e4dc83b401c5ca.zip
2 files changed, 10 insertions, 6 deletions
diff --git a/src/lib/libssl/src/ssl/t1_enc.c b/src/lib/libssl/src/ssl/t1_enc.c
index 6dcb2c849f..922d44ad4e 100644
--- a/src/lib/libssl/src/ssl/t1_enc.c
+++ b/src/lib/libssl/src/ssl/t1_enc.c
@@ -819,8 +819,8 @@ tls1_enc(SSL *s, int send)
 int
 tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)
 {
-        unsigned int ret;
        EVP_MD_CTX ctx, *d = NULL;
+        unsigned int ret;
        int i;
        if (s->s3->handshake_buffer)
@@ -834,15 +834,17 @@ tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)
                        break;
                }
        }
-        if (!d) {
+        if (d == NULL) {
                SSLerr(SSL_F_TLS1_CERT_VERIFY_MAC, SSL_R_NO_REQUIRED_DIGEST);
                return 0;
        }
        EVP_MD_CTX_init(&ctx);
-        EVP_MD_CTX_copy_ex(&ctx, d);
+        if (!EVP_MD_CTX_copy_ex(&ctx, d))
+                return 0;
        EVP_DigestFinal_ex(&ctx, out, &ret);
        EVP_MD_CTX_cleanup(&ctx);
        return ((int)ret);
 }
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 6dcb2c849f..922d44ad4e 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -819,8 +819,8 @@ tls1_enc(SSL *s, int send)
 int
 tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)
 {
-        unsigned int ret;
        EVP_MD_CTX ctx, *d = NULL;
+        unsigned int ret;
        int i;
        if (s->s3->handshake_buffer)
@@ -834,15 +834,17 @@ tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)
                        break;
                }
        }
-        if (!d) {
+        if (d == NULL) {
                SSLerr(SSL_F_TLS1_CERT_VERIFY_MAC, SSL_R_NO_REQUIRED_DIGEST);
                return 0;
        }
        EVP_MD_CTX_init(&ctx);
-        EVP_MD_CTX_copy_ex(&ctx, d);
+        if (!EVP_MD_CTX_copy_ex(&ctx, d))
+                return 0;
        EVP_DigestFinal_ex(&ctx, out, &ret);
        EVP_MD_CTX_cleanup(&ctx);
        return ((int)ret);
 }
author	jsing <>	2014-06-10 14:46:11 +0000
committer	jsing <>	2014-06-10 14:46:11 +0000
commit	c9bf53b769d2bec4b62ca316d8e4dc83b401c5ca (patch)
tree	3fcf6413d6fbf19e0db5edc02dec724b6db1f476 /src
parent	eab708047a937230584142a2714d5293b2c20176 (diff)
download	openbsd-c9bf53b769d2bec4b62ca316d8e4dc83b401c5ca.tar.gz openbsd-c9bf53b769d2bec4b62ca316d8e4dc83b401c5ca.tar.bz2 openbsd-c9bf53b769d2bec4b62ca316d8e4dc83b401c5ca.zip