Module Name: src
Committed By: snj
Date: Mon Apr 12 00:46:57 UTC 2010
Modified Files:
src/crypto/dist/openssl/ssl [netbsd-5-0]: s3_enc.c s3_srvr.c t1_enc.c
Log Message:
Pull up following revision(s) (requested by bouyer in ticket #1365):
crypto/external/bsd/openssl/dist/ssl/s3_enc.c: revision 1.2 via patch
crypto/external/bsd/openssl/dist/ssl/s3_srvr.c: revision 1.5 via patch
crypto/external/bsd/openssl/dist/ssl/t1_enc.c: revision 1.2 via patch
Fix crash in openssl (I suspect caused by malformed packets):
handshake_dgst[] may be used without being allocated, causing NULL
pointer dereference.
Fix by checking that handshake_dgst is not NULL before use.
Reported to openssl as ticket openssl.org #2214.
Fix tested on netbsd-5 by Luke Mewburn with apache, and by me with
freeradius (fixing segmentation fault in both cases).
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.12 -r1.1.1.12.8.1 src/crypto/dist/openssl/ssl/s3_enc.c \
src/crypto/dist/openssl/ssl/t1_enc.c
cvs rdiff -u -r1.15.4.1.2.1 -r1.15.4.1.2.2 \
src/crypto/dist/openssl/ssl/s3_srvr.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/crypto/dist/openssl/ssl/s3_enc.c
diff -u src/crypto/dist/openssl/ssl/s3_enc.c:1.1.1.12 src/crypto/dist/openssl/ssl/s3_enc.c:1.1.1.12.8.1
--- src/crypto/dist/openssl/ssl/s3_enc.c:1.1.1.12 Fri May 9 21:34:44 2008
+++ src/crypto/dist/openssl/ssl/s3_enc.c Mon Apr 12 00:46:57 2010
@@ -570,7 +570,7 @@
{
BIO_write (s->s3->handshake_buffer,(void *)buf,len);
}
- else
+ else if (s->s3->handshake_dgst != NULL)
{
int i;
for (i=0;i< SSL_MAX_DIGEST;i++)
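Review bot: The `else if` added at line 35 turns the case "no cache buffer and no digest contexts" into a silent drop of the handshake bytes, so the only later symptom is a Finished or CertificateVerify MAC that does not match, which is harder to triage than the crash it replaces. A trailing `else` that reports the state as an internal error, e.g. `SSLerr(<function code for this routine>, ERR_R_INTERNAL_ERROR); return 0;`, would surface it, provided the enclosing function's return convention allows a failure value; its signature and return sites are outside the hunk, so that needs checking there. At minimum a comment on the new branch, `/* no digest contexts yet: the data must already have been cached in handshake_buffer above */`, records why skipping is believed safe.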
Index: src/crypto/dist/openssl/ssl/t1_enc.c
diff -u src/crypto/dist/openssl/ssl/t1_enc.c:1.1.1.12 src/crypto/dist/openssl/ssl/t1_enc.c:1.1.1.12.8.1
--- src/crypto/dist/openssl/ssl/t1_enc.c:1.1.1.12 Fri May 9 21:34:46 2008
+++ src/crypto/dist/openssl/ssl/t1_enc.c Mon Apr 12 00:46:57 2010
@@ -750,14 +750,16 @@
if (s->s3->handshake_buffer)
ssl3_digest_cached_records(s);
- for (i=0;i<SSL_MAX_DIGEST;i++)
- {
- if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i])==md_nid)
- {
- d=s->s3->handshake_dgst[i];
- break;
+ if (s->s3->handshake_dgst) {
+ for (i=0;i<SSL_MAX_DIGEST;i++)
+ {
+ if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i])==md_nid)
+ {
+ d=s->s3->handshake_dgst[i];
+ break;
+ }
}
- }
+ }
if (!d) {
SSLerr(SSL_F_TLS1_CERT_VERIFY_MAC,SSL_R_NO_REQUIRED_DIGEST);
return 0;
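Review bot: The guard added at line 52 puts its opening brace on the `if` line and leaves the closing brace at line 62 indented at the loop's level, while the loop body it wraps (lines 54 and 56) and the surrounding code use the brace-on-its-own-line style; `if (s->s3->handshake_dgst)` with `{` on the next line at the `for`'s indent would match. The same applies to the wrapper added in s3_srvr.c at lines 90 and 97. Behaviourally the NULL case falls through to the `if (!d)` check at line 63 and gets an SSL_R_NO_REQUIRED_DIGEST error, which is the right outcome, assuming `d` is initialised to NULL before the hunk; the function's opening is outside it.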
@@ -794,7 +796,8 @@
if (mask & s->s3->tmp.new_cipher->algorithm2)
{
unsigned int hashsize = EVP_MD_size(md);
- if (hashsize > (sizeof buf - (size_t)(q-buf)))
+ if (hashsize > (sizeof buf - (size_t)(q-buf)) ||
+ s->s3->handshake_dgst == NULL)
{
/* internal error: 'buf' is too small for this cipersuite! */
err = 1;
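Review bot: The comment at line 74 still describes only the buffer-too-small case, but the condition at lines 71-72 now also fires when no handshake digest contexts exist, so a reader hitting the `err = 1` path is pointed at the wrong cause half the time; update it to `/* internal error: 'buf' is too small for this ciphersuite, or no handshake digest contexts are allocated */`. Whether `err` maps to a single SSLerr reason code cannot be confirmed here because the enclosing function starts and ends outside the hunk; if it does, a separate check with its own reason for the NULL case would make the two failures distinguishable in logs.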
Index: src/crypto/dist/openssl/ssl/s3_srvr.c
diff -u src/crypto/dist/openssl/ssl/s3_srvr.c:1.15.4.1.2.1 src/crypto/dist/openssl/ssl/s3_srvr.c:1.15.4.1.2.2
--- src/crypto/dist/openssl/ssl/s3_srvr.c:1.15.4.1.2.1 Tue Jan 12 09:08:45 2010
+++ src/crypto/dist/openssl/ssl/s3_srvr.c Mon Apr 12 00:46:57 2010
@@ -532,12 +532,14 @@
*/
if (s->s3->handshake_buffer)
ssl3_digest_cached_records(s);
- for (dgst_num=0; dgst_num<SSL_MAX_DIGEST;dgst_num++)
- if (s->s3->handshake_dgst[dgst_num])
- {
- s->method->ssl3_enc->cert_verify_mac(s,EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]),&(s->s3->tmp.cert_verify_md[offset]));
- offset+=EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]);
- }
+ if (s->s3->handshake_dgst != NULL) {
+ for (dgst_num=0; dgst_num<SSL_MAX_DIGEST;dgst_num++)
+ if (s->s3->handshake_dgst[dgst_num])
+ {
+ s->method->ssl3_enc->cert_verify_mac(s,EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]),&(s->s3->tmp.cert_verify_md[offset]));
+ offset+=EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]);
+ }
+ }
}
break;
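Review bot: When `handshake_dgst` is NULL the wrapper at line 90 skips the loop, so `tmp.cert_verify_md` is not written and `offset` keeps whatever value it had before the hunk; the CertificateVerify comparison that later reads that buffer would then run against unset data unless this state is unreachable at this point, which the hunk cannot show. Either an explicit error transition in place of the silent skip, or a comment stating the invariant relied on, e.g. `/* handshake_dgst is NULL only when no handshake data has been hashed; cert_verify_md is then left uncomputed */`, would document the choice. The enclosing `case` body begins before the hunk.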