1 files changed, 18 insertions, 17 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index cf8b2ec41d..1bbe2e686b 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.114 2015/06/24 09:44:18 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.115 2015/07/14 03:27:20 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -970,10 +970,10 @@ int
 ssl3_get_server_certificate(SSL *s)
 {
        int                      al, i, ok, ret = -1;
-        unsigned long            n, nc, llen, l;
+        long                     n;
+        CBS                      cbs, cert_list;
        X509                    *x = NULL;
-        const unsigned char     *q, *p;
+        const unsigned char     *q;
-        unsigned char           *d;
        STACK_OF(X509)          *sk = NULL;
        SESS_CERT               *sc;
        EVP_PKEY                *pkey = NULL;
@@ -995,7 +995,8 @@ ssl3_get_server_certificate(SSL *s)
                    SSL_R_BAD_MESSAGE_TYPE);
                goto f_err;
        }
-        p = d = (unsigned char *)s->init_msg;
+        CBS_init(&cbs, s->init_msg, n);
        if ((sk = sk_X509_new_null()) == NULL) {
                SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
@@ -1003,35 +1004,37 @@ ssl3_get_server_certificate(SSL *s)
                goto err;
        }
-        if (p + 3 - d > n)
+        if (n < 0 || CBS_len(&cbs) < 3)
                goto truncated;
-        n2l3(p, llen);
+        if (!CBS_get_u24_length_prefixed(&cbs, &cert_list) ||
-        if (llen + 3 != n) {
+            CBS_len(&cbs) != 0) {
                al = SSL_AD_DECODE_ERROR;
                SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
                    SSL_R_LENGTH_MISMATCH);
                goto f_err;
        }
-        for (nc = 0; nc < llen; ) {
-                if (p + 3 - d > n)
+        while (CBS_len(&cert_list) > 0) {
+                CBS cert;
+                if (CBS_len(&cert_list) < 3)
                        goto truncated;
-                n2l3(p, l);
+                if (!CBS_get_u24_length_prefixed(&cert_list, &cert)) {
-                if ((l + nc + 3) > llen) {
                        al = SSL_AD_DECODE_ERROR;
                        SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
                            SSL_R_CERT_LENGTH_MISMATCH);
                        goto f_err;
                }
-                q = p;
+                q = CBS_data(&cert);
-                x = d2i_X509(NULL, &q, l);
+                x = d2i_X509(NULL, &q, CBS_len(&cert));
                if (x == NULL) {
                        al = SSL_AD_BAD_CERTIFICATE;
                        SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
                            ERR_R_ASN1_LIB);
                        goto f_err;
                }
-                if (q != (p + l)) {
+                if (q != CBS_data(&cert) + CBS_len(&cert)) {
                        al = SSL_AD_DECODE_ERROR;
                        SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
                            SSL_R_CERT_LENGTH_MISMATCH);
@@ -1043,8 +1046,6 @@ ssl3_get_server_certificate(SSL *s)
                        goto err;
                }
                x = NULL;
-                nc += l + 3;
-                p = q;
        }
        i = ssl_verify_cert_chain(s, sk);

diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index cf8b2ec41d..1bbe2e686b 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_clnt.c,v 1.114 2015/06/24 09:44:18 jsing Exp $ */	1	/* $OpenBSD: s3_clnt.c,v 1.115 2015/07/14 03:27:20 doug Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -970,10 +970,10 @@ int
970	ssl3_get_server_certificate(SSL *s)	970	ssl3_get_server_certificate(SSL *s)
971	{	971	{
972	int al, i, ok, ret = -1;	972	int al, i, ok, ret = -1;
973	unsigned long n, nc, llen, l;	973	long n;
		974	CBS cbs, cert_list;
974	X509 *x = NULL;	975	X509 *x = NULL;
975	const unsigned char q, p;	976	const unsigned char *q;
976	unsigned char *d;
977	STACK_OF(X509) *sk = NULL;	977	STACK_OF(X509) *sk = NULL;
978	SESS_CERT *sc;	978	SESS_CERT *sc;
979	EVP_PKEY *pkey = NULL;	979	EVP_PKEY *pkey = NULL;
@@ -995,7 +995,8 @@ ssl3_get_server_certificate(SSL *s)
995	SSL_R_BAD_MESSAGE_TYPE);	995	SSL_R_BAD_MESSAGE_TYPE);
996	goto f_err;	996	goto f_err;
997	}	997	}
998	p = d = (unsigned char *)s->init_msg;	998
		999	CBS_init(&cbs, s->init_msg, n);
999		1000
1000	if ((sk = sk_X509_new_null()) == NULL) {	1001	if ((sk = sk_X509_new_null()) == NULL) {
1001	SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,	1002	SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
@@ -1003,35 +1004,37 @@ ssl3_get_server_certificate(SSL *s)
1003	goto err;	1004	goto err;
1004	}	1005	}
1005		1006
1006	if (p + 3 - d > n)	1007	if (n < 0 \|\| CBS_len(&cbs) < 3)
1007	goto truncated;	1008	goto truncated;
1008	n2l3(p, llen);	1009	if (!CBS_get_u24_length_prefixed(&cbs, &cert_list) \|\|
1009	if (llen + 3 != n) {	1010	CBS_len(&cbs) != 0) {
1010	al = SSL_AD_DECODE_ERROR;	1011	al = SSL_AD_DECODE_ERROR;
1011	SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,	1012	SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1012	SSL_R_LENGTH_MISMATCH);	1013	SSL_R_LENGTH_MISMATCH);
1013	goto f_err;	1014	goto f_err;
1014	}	1015	}
1015	for (nc = 0; nc < llen; ) {	1016
1016	if (p + 3 - d > n)	1017	while (CBS_len(&cert_list) > 0) {
		1018	CBS cert;
		1019
		1020	if (CBS_len(&cert_list) < 3)
1017	goto truncated;	1021	goto truncated;
1018	n2l3(p, l);	1022	if (!CBS_get_u24_length_prefixed(&cert_list, &cert)) {
1019	if ((l + nc + 3) > llen) {
1020	al = SSL_AD_DECODE_ERROR;	1023	al = SSL_AD_DECODE_ERROR;
1021	SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,	1024	SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1022	SSL_R_CERT_LENGTH_MISMATCH);	1025	SSL_R_CERT_LENGTH_MISMATCH);
1023	goto f_err;	1026	goto f_err;
1024	}	1027	}
1025		1028
1026	q = p;	1029	q = CBS_data(&cert);
1027	x = d2i_X509(NULL, &q, l);	1030	x = d2i_X509(NULL, &q, CBS_len(&cert));
1028	if (x == NULL) {	1031	if (x == NULL) {
1029	al = SSL_AD_BAD_CERTIFICATE;	1032	al = SSL_AD_BAD_CERTIFICATE;
1030	SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,	1033	SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1031	ERR_R_ASN1_LIB);	1034	ERR_R_ASN1_LIB);
1032	goto f_err;	1035	goto f_err;
1033	}	1036	}
1034	if (q != (p + l)) {	1037	if (q != CBS_data(&cert) + CBS_len(&cert)) {
1035	al = SSL_AD_DECODE_ERROR;	1038	al = SSL_AD_DECODE_ERROR;
1036	SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,	1039	SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
1037	SSL_R_CERT_LENGTH_MISMATCH);	1040	SSL_R_CERT_LENGTH_MISMATCH);
@@ -1043,8 +1046,6 @@ ssl3_get_server_certificate(SSL *s)
1043	goto err;	1046	goto err;
1044	}	1047	}
1045	x = NULL;	1048	x = NULL;
1046	nc += l + 3;
1047	p = q;
1048	}	1049	}
1049		1050
1050	i = ssl_verify_cert_chain(s, sk);	1051	i = ssl_verify_cert_chain(s, sk);