Module Name: src Committed By: bouyer Date: Fri Apr 9 04:34:13 UTC 2010
Modified Files: src/crypto/external/bsd/openssl/dist/ssl: s3_enc.c s3_srvr.c t1_enc.c Log Message: Fix crash in openssl (I suspect caused by malformed packets): handshake_dgst[] may be used without being allocated, causing NULL pointer dereference. Fix by checking that handshake_dgst is not NULL before use. Reported to openssl as ticket openssl.org #2214. Fix tested on netbsd-5 by Luke Mewburn with apache, and by me with freeradius (fixing segmentation fault in both cases). To generate a diff of this commit: cvs rdiff -u -r1.1.1.1 -r1.2 \ src/crypto/external/bsd/openssl/dist/ssl/s3_enc.c cvs rdiff -u -r1.4 -r1.5 src/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c cvs rdiff -u -r1.1.1.2 -r1.2 \ src/crypto/external/bsd/openssl/dist/ssl/t1_enc.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/crypto/external/bsd/openssl/dist/ssl/s3_enc.c
diff -u src/crypto/external/bsd/openssl/dist/ssl/s3_enc.c:1.1.1.1 src/crypto/external/bsd/openssl/dist/ssl/s3_enc.c:1.2
--- src/crypto/external/bsd/openssl/dist/ssl/s3_enc.c:1.1.1.1 Sun Jul 19 23:05:47 2009
+++ src/crypto/external/bsd/openssl/dist/ssl/s3_enc.c Fri Apr 9 04:34:13 2010
@@ -578,7 +578,7 @@
 {
 BIO_write (s->s3->handshake_buffer,(void *)buf,len);
 }
- else
+ else if (s->s3->handshake_dgst != NULL)
 {
 int i;
 for (i=0;i< SSL_MAX_DIGEST;i++)
Index: src/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c
diff -u src/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c:1.4 src/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c:1.5
--- src/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c:1.4 Sun Jan 10 16:39:10 2010
+++ src/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c Fri Apr 9 04:34:13 2010
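Review bot: With the new `else if`, handshake bytes that arrive while both `s->s3->handshake_buffer` and `s->s3->handshake_dgst` are NULL are neither buffered nor hashed, so the transcript the digests are computed over silently omits them; the crash becomes a state in which later digest comparisons can only fail with an unrelated reason. If the enclosing function can report failure, return an error on that path; if it cannot, at least mark the branch with `/* no buffer and no digest list: handshake data is dropped here */` so the omission is visible to the next reader. The enclosing function starts and ends outside the hunk, so whether it has a return value cannot be seen from here.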
@@ -537,20 +537,22 @@
 if (s->s3->handshake_buffer)
 if (!ssl3_digest_cached_records(s))
 return -1;
- for (dgst_num=0; dgst_num<SSL_MAX_DIGEST;dgst_num++)
- if (s->s3->handshake_dgst[dgst_num])
- {
- int dgst_size;
-
- s->method->ssl3_enc->cert_verify_mac(s,EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]),&(s->s3->tmp.cert_verify_md[offset]));
- dgst_size=EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]);
- if (dgst_size < 0)
+ if (s->s3->handshake_dgst != NULL) {
+ for (dgst_num=0; dgst_num<SSL_MAX_DIGEST;dgst_num++)
+ if (s->s3->handshake_dgst[dgst_num])
 {
- ret = -1;
- goto end;
- }
- offset+=dgst_size;
- }
+ int dgst_size;
+
+ s->method->ssl3_enc->cert_verify_mac(s,EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]),&(s->s3->tmp.cert_verify_md[offset]));
+ dgst_size=EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]);
+ if (dgst_size < 0)
+ {
+ ret = -1;
+ goto end;
+ }
+ offset+=dgst_size;
+ }
+ }
 }
 break;
Index: src/crypto/external/bsd/openssl/dist/ssl/t1_enc.c
diff -u src/crypto/external/bsd/openssl/dist/ssl/t1_enc.c:1.1.1.2 src/crypto/external/bsd/openssl/dist/ssl/t1_enc.c:1.2
--- src/crypto/external/bsd/openssl/dist/ssl/t1_enc.c:1.1.1.2 Sat Dec 26 23:34:36 2009
+++ src/crypto/external/bsd/openssl/dist/ssl/t1_enc.c Fri Apr 9 04:34:13 2010
@@ -788,14 +788,16 @@
 if (!ssl3_digest_cached_records(s))
 return 0;
- for (i=0;i<SSL_MAX_DIGEST;i++)
- {
- if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i])==md_nid)
- {
- d=s->s3->handshake_dgst[i];
- break;
+ if (s->s3->handshake_dgst) {
+ for (i=0;i<SSL_MAX_DIGEST;i++)
+ {
+ if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i])==md_nid)
+ {
+ d=s->s3->handshake_dgst[i];
+ break;
+ }
 }
- }
+ }
 if (!d) {
 SSLerr(SSL_F_TLS1_CERT_VERIFY_MAC,SSL_R_NO_REQUIRED_DIGEST);
 return 0;
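Review bot: When `s->s3->handshake_dgst` is NULL the new wrapper skips the whole loop and falls through to `break;` with `s->s3->tmp.cert_verify_md` never written and `ret` untouched, so the accept state machine proceeds as though the digests had been computed; the sibling `dgst_size < 0` branch shows the error path this situation should take. An early-exit guard before the loop, `if (s->s3->handshake_dgst == NULL) { ret = -1; goto end; }`, would report the condition and leave the original loop and its indentation untouched, shrinking this hunk to a few lines. Separately, the added `if (...) {` puts the brace on the `if` line while the surrounding code, and the hunk's own re-indented lines, put braces on their own indented line; the t1_enc.c hunk at line 788 has the same placement. The enclosing function starts and ends outside the hunk.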
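Review bot: The new guard is fail-closed here, since `d` stays NULL and the existing `if (!d)` branch raises SSL_R_NO_REQUIRED_DIGEST and returns 0, but nothing at the guard says so, and the reason code will name a missing digest rather than a missing digest list, which hides the underlying state problem from whoever reads the error log. Document the intent on the new line, `/* digest list may not exist yet; d stays NULL and the check below reports it */`. The enclosing function starts outside the hunk.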
@@ -833,7 +835,7 @@
 if (mask & s->s3->tmp.new_cipher->algorithm2)
 {
 int hashsize = EVP_MD_size(md);
- if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
+ if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)) || s->s3->handshake_dgst == NULL)
 {
 /* internal error: 'buf' is too small for this cipersuite! */
 err = 1;
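Review bot: Appending `s->s3->handshake_dgst == NULL` to the buffer-size condition puts it under the comment `/* internal error: 'buf' is too small for this cipersuite! */`, which no longer describes one of the two cases that now reach `err = 1`. Either give the NULL test its own `if` with its own comment, or reword the existing one to `/* internal error: 'buf' is too small for this ciphersuite, or no handshake digest list exists */`. The new test depends on neither `md` nor `mask`, so if this block sits inside the per-digest loop (its head is outside the hunk, so this is inferred) it could be checked once before the loop instead of on every iteration. The enclosing function starts and ends outside the hunk.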