generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix SRP ciphersuite DoS vulnerability.

Browse Source 
If a client attempted to use an SRP ciphersuite and it had not been
set up correctly it would crash with a null pointer read. A malicious
server could exploit this in a DoS attack.

Thanks to Joonas Kuorilehto and Riku Hietamäki from Codenomicon
for reporting this issue.

CVE-2014-5139
Reviewed-by: Tim Hudson <tjh@openssl.org>
This commit is contained in:
Dr. Stephen Henson
2014-07-29 21:23:30 +01:00
committed by Matt Caswell
parent 86788e1ee6
commit 83764a989d
2 changed files with 14 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
ssl/s3_clnt.c
View File

@@ -954,6 +954,15 @@ int ssl3_get_server_hello(SSL *s)
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED); SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
goto f_err; goto f_err;
} }
#ifndef OPENSSL_NO_SRP
if (((c->algorithm_mkey & SSL_kSRP) || (c->algorithm_auth & SSL_aSRP)) &&
!(s->srp_ctx.srp_Mask & SSL_kSRP))
{
al=SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
goto f_err;
}
#endif /* OPENSSL_NO_SRP */
p+=ssl_put_cipher_by_char(s,NULL,NULL); p+=ssl_put_cipher_by_char(s,NULL,NULL);
sk=ssl_get_ciphers_by_id(s); sk=ssl_get_ciphers_by_id(s);

5
ssl/ssl_lib.c
View File

@@ -1406,6 +1406,11 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
s->psk_client_callback == NULL) s->psk_client_callback == NULL)
continue; continue;
#endif /* OPENSSL_NO_PSK */ #endif /* OPENSSL_NO_PSK */
#ifndef OPENSSL_NO_SRP
if (((c->algorithm_mkey & SSL_kSRP) || (c->algorithm_auth & SSL_aSRP)) &&
!(s->srp_ctx.srp_Mask & SSL_kSRP))
continue;
#endif /* OPENSSL_NO_SRP */
j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p); j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
p+=j; p+=j;
} }