src - OpenBSD base system

diff options


context:
space:
mode:

author	Jasper Lievisse Adriaanse <jasper@cvs.openbsd.org>	2010-11-17 19:09:33 +0000
committer	Jasper Lievisse Adriaanse <jasper@cvs.openbsd.org>	2010-11-17 19:09:33 +0000
commit	5119fe6753951dab8899b2bbd5630cad098045b9 (patch)
tree	6714916cff05e7bebb6bc992364c9b3c24b783c2 /lib
parent	52bbcd38c88143d9ec4a183cd3e5b2635e18e6e0 (diff)

- Apply security fix for CVE-2010-3864 (+commit 19998 which fixes the fix).

ok djm@ deraadt@

Diffstat (limited to 'lib')

-rw-r--r--

lib/libssl/src/ssl/t1_lib.c

1 files changed, 42 insertions, 18 deletions

diff --git a/lib/libssl/src/ssl/t1_lib.c b/lib/libssl/src/ssl/t1_lib.c
index e8bc34c1113..833fc172de1 100644
--- a/lib/libssl/src/ssl/t1_lib.c
+++ b/lib/libssl/src/ssl/t1_lib.c

@@ -714,14 +714,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in

switch (servname_type)

{

case TLSEXT_NAMETYPE_host_name:

- if (s->session->tlsext_hostname == NULL)

+ if (!s->hit)

{

- if (len > TLSEXT_MAXLEN_host_name ||

- ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))

+ if(s->session->tlsext_hostname)

+ {

+ *al = SSL_AD_DECODE_ERROR;

+ return 0;

+ }

+ if (len > TLSEXT_MAXLEN_host_name)

{

*al = TLS1_AD_UNRECOGNIZED_NAME;

return 0;

}

+ if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)

+ {

+ *al = TLS1_AD_INTERNAL_ERROR;

+ return 0;

+ }

memcpy(s->session->tlsext_hostname, sdata, len);

s->session->tlsext_hostname[len]='\0';

if (strlen(s->session->tlsext_hostname) != len) {

@@ -734,7 +743,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in

}

else

- s->servername_done = strlen(s->session->tlsext_hostname) == len

+ s->servername_done = s->session->tlsext_hostname

+ && strlen(s->session->tlsext_hostname) == len

&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;

break;

@@ -765,15 +775,22 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in

*al = TLS1_AD_DECODE_ERROR;

return 0;

}

- s->session->tlsext_ecpointformatlist_length = 0;

- if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);

- if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)

+ if (!s->hit)

{

- *al = TLS1_AD_INTERNAL_ERROR;

- return 0;

+ if(s->session->tlsext_ecpointformatlist)

+ {

+ OPENSSL_free(s->session->tlsext_ecpointformatlist);

+ s->session->tlsext_ecpointformatlist = NULL;

+ }

+ s->session->tlsext_ecpointformatlist_length = 0;

+ if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)

+ {

+ *al = TLS1_AD_INTERNAL_ERROR;

+ return 0;

+ }

+ s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;

+ memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);

}

- s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;

- memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);

#if 0

fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);

sdata = s->session->tlsext_ecpointformatlist;

@@ -794,15 +811,22 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in

*al = TLS1_AD_DECODE_ERROR;

return 0;

}

- s->session->tlsext_ellipticcurvelist_length = 0;

- if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist);

- if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)

+ if (!s->hit)

{

- *al = TLS1_AD_INTERNAL_ERROR;

- return 0;

+ if(s->session->tlsext_ellipticcurvelist)

+ {

+ *al = TLS1_AD_DECODE_ERROR;

+ return 0;

+ }

+ s->session->tlsext_ellipticcurvelist_length = 0;

+ if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)

+ {

+ *al = TLS1_AD_INTERNAL_ERROR;

+ return 0;

+ }

+ s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;

+ memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);

}

- s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;

- memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);

#if 0

fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);

sdata = s->session->tlsext_ellipticcurvelist;