diff options
Diffstat (limited to 'src/lib/libssl/s3_srvr.c')
| -rw-r--r-- | src/lib/libssl/s3_srvr.c | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 99b6a86983..782b57f57a 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c | |||
| @@ -114,15 +114,16 @@ | |||
| 114 | 114 | ||
| 115 | 115 | ||
| 116 | #include <stdio.h> | 116 | #include <stdio.h> |
| 117 | #include "ssl_locl.h" | ||
| 118 | #include "kssl_lcl.h" | ||
| 117 | #include <openssl/buffer.h> | 119 | #include <openssl/buffer.h> |
| 118 | #include <openssl/rand.h> | 120 | #include <openssl/rand.h> |
| 119 | #include <openssl/objects.h> | 121 | #include <openssl/objects.h> |
| 120 | #include <openssl/evp.h> | 122 | #include <openssl/evp.h> |
| 121 | #include <openssl/x509.h> | 123 | #include <openssl/x509.h> |
| 122 | #include <openssl/krb5_asn.h> | 124 | #include <openssl/krb5_asn.h> |
| 123 | #include "ssl_locl.h" | ||
| 124 | #include "kssl_lcl.h" | ||
| 125 | #include <openssl/md5.h> | 125 | #include <openssl/md5.h> |
| 126 | #include "cryptlib.h" | ||
| 126 | 127 | ||
| 127 | static SSL_METHOD *ssl3_get_server_method(int ver); | 128 | static SSL_METHOD *ssl3_get_server_method(int ver); |
| 128 | static int ssl3_get_client_hello(SSL *s); | 129 | static int ssl3_get_client_hello(SSL *s); |
| @@ -964,6 +965,7 @@ static int ssl3_send_server_hello(SSL *s) | |||
| 964 | s->session->session_id_length=0; | 965 | s->session->session_id_length=0; |
| 965 | 966 | ||
| 966 | sl=s->session->session_id_length; | 967 | sl=s->session->session_id_length; |
| 968 | die(sl <= sizeof s->session->session_id); | ||
| 967 | *(p++)=sl; | 969 | *(p++)=sl; |
| 968 | memcpy(p,s->session->session_id,sl); | 970 | memcpy(p,s->session->session_id,sl); |
| 969 | p+=sl; | 971 | p+=sl; |
| @@ -1559,8 +1561,8 @@ static int ssl3_get_client_key_exchange(SSL *s) | |||
| 1559 | EVP_CIPHER *enc = NULL; | 1561 | EVP_CIPHER *enc = NULL; |
| 1560 | unsigned char iv[EVP_MAX_IV_LENGTH]; | 1562 | unsigned char iv[EVP_MAX_IV_LENGTH]; |
| 1561 | unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH | 1563 | unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH |
| 1562 | + EVP_MAX_IV_LENGTH + 1]; | 1564 | + EVP_MAX_BLOCK_LENGTH]; |
| 1563 | int padl, outl = sizeof(pms); | 1565 | int padl, outl; |
| 1564 | krb5_timestamp authtime = 0; | 1566 | krb5_timestamp authtime = 0; |
| 1565 | krb5_ticket_times ttimes; | 1567 | krb5_ticket_times ttimes; |
| 1566 | 1568 | ||
| @@ -1583,6 +1585,16 @@ static int ssl3_get_client_key_exchange(SSL *s) | |||
| 1583 | enc_pms.data = (char *)p; | 1585 | enc_pms.data = (char *)p; |
| 1584 | p+=enc_pms.length; | 1586 | p+=enc_pms.length; |
| 1585 | 1587 | ||
| 1588 | /* Note that the length is checked again below, | ||
| 1589 | ** after decryption | ||
| 1590 | */ | ||
| 1591 | if(enc.pms_length > sizeof pms) | ||
| 1592 | { | ||
| 1593 | SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | ||
| 1594 | SSL_R_DATA_LENGTH_TOO_LONG); | ||
| 1595 | goto err; | ||
| 1596 | } | ||
| 1597 | |||
| 1586 | if (n != enc_ticket.length + authenticator.length + | 1598 | if (n != enc_ticket.length + authenticator.length + |
| 1587 | enc_pms.length + 6) | 1599 | enc_pms.length + 6) |
| 1588 | { | 1600 | { |