Module Name: src Committed By: snj Date: Mon Apr 12 00:40:12 UTC 2010
Modified Files: src/crypto/dist/openssl/ssl [netbsd-5]: s3_enc.c s3_srvr.c t1_enc.c Log Message: Pull up following revision(s) (requested by bouyer in ticket #1365): crypto/external/bsd/openssl/dist/ssl/s3_enc.c: revision 1.2 via patch crypto/external/bsd/openssl/dist/ssl/s3_srvr.c: revision 1.5 via patch crypto/external/bsd/openssl/dist/ssl/t1_enc.c: revision 1.2 via patch Fix crash in openssl (I suspect caused by malformed packets): handshake_dgst[] may be used without being allocated, causing NULL pointer dereference. Fix by checking that handshake_dgst is not NULL before use. Reported to openssl as ticket openssl.org #2214. Fix tested on netbsd-5 by Luke Mewburn with apache, and by me with freeradius (fixing segmentation fault in both cases). To generate a diff of this commit: cvs rdiff -u -r1.1.1.12 -r1.1.1.12.4.1 src/crypto/dist/openssl/ssl/s3_enc.c \ src/crypto/dist/openssl/ssl/t1_enc.c cvs rdiff -u -r1.15.4.2 -r1.15.4.3 src/crypto/dist/openssl/ssl/s3_srvr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/crypto/dist/openssl/ssl/s3_enc.c
diff -u src/crypto/dist/openssl/ssl/s3_enc.c:1.1.1.12 src/crypto/dist/openssl/ssl/s3_enc.c:1.1.1.12.4.1
--- src/crypto/dist/openssl/ssl/s3_enc.c:1.1.1.12 Fri May 9 21:34:44 2008
+++ src/crypto/dist/openssl/ssl/s3_enc.c Mon Apr 12 00:40:12 2010
@@ -570,7 +570,7 @@
 {
 BIO_write (s->s3->handshake_buffer,(void *)buf,len);
 }
- else
+ else if (s->s3->handshake_dgst != NULL)
 {
 int i;
 for (i=0;i< SSL_MAX_DIGEST;i++)
Index: src/crypto/dist/openssl/ssl/t1_enc.c
diff -u src/crypto/dist/openssl/ssl/t1_enc.c:1.1.1.12 src/crypto/dist/openssl/ssl/t1_enc.c:1.1.1.12.4.1
--- src/crypto/dist/openssl/ssl/t1_enc.c:1.1.1.12 Fri May 9 21:34:46 2008
+++ src/crypto/dist/openssl/ssl/t1_enc.c Mon Apr 12 00:40:12 2010
@@ -750,14 +750,16 @@
 if (s->s3->handshake_buffer)
 ssl3_digest_cached_records(s);
- for (i=0;i<SSL_MAX_DIGEST;i++)
- {
- if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i])==md_nid)
- {
- d=s->s3->handshake_dgst[i];
- break;
+ if (s->s3->handshake_dgst) {
+ for (i=0;i<SSL_MAX_DIGEST;i++)
+ {
+ if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i])==md_nid)
+ {
+ d=s->s3->handshake_dgst[i];
+ break;
+ }
 }
- }
+ }
 if (!d) {
 SSLerr(SSL_F_TLS1_CERT_VERIFY_MAC,SSL_R_NO_REQUIRED_DIGEST);
 return 0;
@@ -794,7 +796,8 @@
 if (mask & s->s3->tmp.new_cipher->algorithm2)
 {
 unsigned int hashsize = EVP_MD_size(md);
- if (hashsize > (sizeof buf - (size_t)(q-buf)))
+ if (hashsize > (sizeof buf - (size_t)(q-buf)) ||
+ s->s3->handshake_dgst == NULL)
 {
 /* internal error: 'buf' is too small for this cipersuite! */
 err = 1;
Index: src/crypto/dist/openssl/ssl/s3_srvr.c
diff -u src/crypto/dist/openssl/ssl/s3_srvr.c:1.15.4.2 src/crypto/dist/openssl/ssl/s3_srvr.c:1.15.4.3
--- src/crypto/dist/openssl/ssl/s3_srvr.c:1.15.4.2 Tue Jan 12 09:07:51 2010
+++ src/crypto/dist/openssl/ssl/s3_srvr.c Mon Apr 12 00:40:12 2010
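Review bot: The new `else if (s->s3->handshake_dgst != NULL)` in s3_enc.c turns a NULL digest array into a silent no-op: the handshake bytes passed in are neither buffered nor hashed, and nothing in this hunk records that they were dropped. That is only safe because the t1_enc.c hunks in the same commit make the later MAC computations fail on the NULL array, so the dependency should be stated where the data is discarded, e.g. `/* no digest contexts allocated: data is dropped here; the cert_verify/finish MAC code fails on the NULL array later */`. The commit message only suspects malformed packets as the trigger, so this is a defensive guard rather than a root-cause fix; how handshake_dgst comes to be NULL at this point is still worth tracking. The enclosing function starts and ends outside the hunk, so I cannot see whether it has a return value that could carry an error instead.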
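Review bot: In the first t1_enc.c hunk the guard `if (s->s3->handshake_dgst) {` sits directly below `ssl3_digest_cached_records(s);`, whose return value is still ignored; if that call fails to set up the digest contexts, the array stays NULL and the new code reports it as SSL_R_NO_REQUIRED_DIGEST, which misdescribes an allocation failure. If that function returns non-zero on success, as I believe it does upstream, the two lines should become `if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s)) return 0;` so the real error reaches the caller. As a point of style, the same-line brace and bare pointer test differ from the `!= NULL` form used in the s3_enc.c and s3_srvr.c hunks and from the brace-on-its-own-line layout of the surrounding code. The enclosing function (tls1_cert_verify_mac, judging by the SSLerr function code) starts outside the hunk.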
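Review bot: In the second t1_enc.c hunk the added `|| s->s3->handshake_dgst == NULL` is folded into the buffer-size test, so a missing digest array now takes the branch commented `/* internal error: 'buf' is too small for this cipersuite! */` and is indistinguishable from a buffer overflow when someone debugs `err = 1`. The NULL test is also re-evaluated inside the per-algorithm loop body, although the array pointer does not change between iterations. I would hoist it above the loop with its own comment, or at minimum make the existing comment truthful: `/* internal error: no handshake digest contexts, or 'buf' too small for this ciphersuite */`. The enclosing function and the loop this sits in start and end outside the hunk, so what the caller does with err is not visible here.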
@@ -532,12 +532,14 @@
 */
 if (s->s3->handshake_buffer)
 ssl3_digest_cached_records(s);
- for (dgst_num=0; dgst_num<SSL_MAX_DIGEST;dgst_num++)
- if (s->s3->handshake_dgst[dgst_num])
- {
- s->method->ssl3_enc->cert_verify_mac(s,EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]),&(s->s3->tmp.cert_verify_md[offset]));
- offset+=EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]);
- }
+ if (s->s3->handshake_dgst != NULL) {
+ for (dgst_num=0; dgst_num<SSL_MAX_DIGEST;dgst_num++)
+ if (s->s3->handshake_dgst[dgst_num])
+ {
+ s->method->ssl3_enc->cert_verify_mac(s,EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]),&(s->s3->tmp.cert_verify_md[offset]));
+ offset+=EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]);
+ }
+ }
 }
 break;
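Review bot: When handshake_dgst is NULL the new block in s3_srvr.c skips filling s->s3->tmp.cert_verify_md entirely but still reaches the `break;` below it, so the server state machine continues into the certificate-verify step with a digest that was never computed rather than aborting a handshake that is already in an unexpected state. The same hunk keeps discarding the return value of `cert_verify_mac`, which the t1_enc.c hunk shows returning 0 with an SSLerr when no digest is found, and `offset` still advances after such a failure. I would treat both as fatal, along the lines of `if (s->s3->handshake_dgst == NULL || !s->method->ssl3_enc->cert_verify_mac(...)) { ret = -1; goto end; }`, using whatever error exit the surrounding ssl3_accept state machine uses, since neither `ret` nor an `end` label is visible in this hunk. The enclosing function and the else-block this code belongs to start outside the hunk.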