Fix SRP ciphersuite DoS vulnerability.
author: Dr. Stephen Henson <steve@openssl.org>
Thu, 24 Jul 2014 23:50:06 +0000 (00:50 +0100)
committer: Matt Caswell <matt@openssl.org>
Wed, 6 Aug 2014 19:36:41 +0000 (20:36 +0100)
If a client attempted to use an SRP ciphersuite and it had not been
set up correctly it would crash with a null pointer read. A malicious
server could exploit this in a DoS attack.

Thanks to Joonas Kuorilehto and Riku Hietamäki from Codenomicon
for reporting this issue.

CVE-2014-2970
Reviewed-by: Tim Hudson <tjh@openssl.org>
ssl/t1_lib.c

index 749d88d1a9d9a6faa535437c236104497f0d1a66..3616c0a11ee0efd3f33d20d09e4aff04aa2f3168 100644 (file)
@@ -1088,6 +1088,13 @@ void ssl_set_client_disabled(SSL *s)
                c->mask_k |= SSL_kPSK;
                }
 #endif /* OPENSSL_NO_PSK */
+#ifndef OPENSSL_NO_SRP
+       if (!(s->srp_ctx.srp_Mask & SSL_kSRP))
+               {
+               c->mask_a |= SSL_aSRP;
+               c->mask_k |= SSL_kSRP;
+               }
+#endif
        c->valid = 1;
        }
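Review bot: The new `#endif` on the last added line drops the trailing `/* OPENSSL_NO_SRP */` comment that the preceding `#endif /* OPENSSL_NO_PSK */` block in this same function uses; for consistency it should read `#endif /* OPENSSL_NO_SRP */`. A short comment above the `if (!(s->srp_ctx.srp_Mask & SSL_kSRP))` test would also help future readers, since the hunk itself does not explain why an SRP context without this bit set means the SRP ciphersuites must be masked out of the client's offer: the commit message says the unconfigured SRP path crashed on a null pointer read, and masking `SSL_aSRP` and `SSL_kSRP` here is what prevents the client from negotiating a suite it is not prepared to run.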