Fix for CVE-2014-0224
[openssl.git] / ssl / s3_srvr.c
index 789447e11595c72702a07e9d1338cfe44c8ba767..fcc97f374f56b5fa550439e92a50b6c54a45bee5 100644 (file)
@@ -166,7 +166,6 @@ int ssl3_accept(SSL *s)
        BUF_MEM *buf;
        unsigned long l,Time=(unsigned long)time(NULL);
        void (*cb)(const SSL *ssl,int type,int val)=NULL;
-       long num1;
        int ret= -1;
        int new_state,state,skip=0;
 
@@ -236,6 +235,7 @@ int ssl3_accept(SSL *s)
                                }
 
                        s->init_num=0;
+                       s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
 
                        if (s->state != SSL_ST_RENEGOTIATE)
                                {
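Review bot: The reset `s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;` carries no comment, and the flag it pairs with is only set and tested in ssl3_check_client_hello further down the file. A one-line comment here would make the lifetime explicit, for example `/* new negotiation: allow one SGC restart again (see ssl3_check_client_hello) */`. Without it, the once-per-negotiation limit depends on a reader noticing that this state is entered at the start of every handshake, which the hunk alone does not show.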
@@ -447,15 +447,24 @@ int ssl3_accept(SSL *s)
                        break;
                
                case SSL3_ST_SW_FLUSH:
-                       /* number of bytes to be flushed */
-                       num1=BIO_ctrl(s->wbio,BIO_CTRL_WPENDING,0,NULL);
-                       if (num1 > 0)
+
+                       /* This code originally checked to see if
+                        * any data was pending using BIO_CTRL_INFO
+                        * and then flushed. This caused problems
+                        * as documented in PR#1939. The proposed
+                        * fix doesn't completely resolve this issue
+                        * as buggy implementations of BIO_CTRL_PENDING
+                        * still exist. So instead we just flush
+                        * unconditionally.
+                        */
+
+                       s->rwstate=SSL_WRITING;
+                       if (BIO_flush(s->wbio) <= 0)
                                {
-                               s->rwstate=SSL_WRITING;
-                               num1=BIO_flush(s->wbio);
-                               if (num1 <= 0) { ret= -1; goto end; }
-                               s->rwstate=SSL_NOTHING;
+                               ret= -1;
+                               goto end;
                                }
+                       s->rwstate=SSL_NOTHING;
 
                        s->state=s->s3->tmp.next_state;
                        break;
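Review bot: The new comment in the SSL3_ST_SW_FLUSH case names `BIO_CTRL_INFO` and `BIO_CTRL_PENDING`, but the removed code called `BIO_ctrl(s->wbio,BIO_CTRL_WPENDING,0,NULL)`. The comment should name the control that was actually used, so a reader searching for the buggy BIO implementations looks for the right one: `/* This code originally used BIO_CTRL_WPENDING to see whether data was pending and only then flushed. */`. It would also help to state that `s->rwstate` is left at `SSL_WRITING` on the `goto end` path, presumably so the caller can retry the flush. The reference to PR#1939 can stay as it is.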
@@ -514,6 +523,7 @@ int ssl3_accept(SSL *s)
                case SSL3_ST_SR_CERT_VRFY_A:
                case SSL3_ST_SR_CERT_VRFY_B:
 
+                       s->s3->flags |= SSL3_FLAGS_CCS_OK;
                        /* we should decide if we expected this one */
                        ret=ssl3_get_cert_verify(s);
                        if (ret <= 0) goto end;
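Review bot: `s->s3->flags |= SSL3_FLAGS_CCS_OK;` is set unconditionally on every entry to SSL3_ST_SR_CERT_VRFY_A/B, and the SSL3_ST_SR_FINISHED_A/B hunk that follows does the same. A non-blocking retry or a pass through both states would therefore set the flag again after a ChangeCipherSpec was already accepted. The code that tests and clears the flag is outside these hunks, so this is inferred. If the record layer clears it when a CCS is processed, guarding both sites keeps the window to a single CCS per handshake: `if (!s->s3->change_cipher_spec) s->s3->flags |= SSL3_FLAGS_CCS_OK;`. Each site also needs a short comment saying why CCS becomes acceptable from this state on, since these two lines are the server-side part of the fix.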
@@ -524,6 +534,7 @@ int ssl3_accept(SSL *s)
 
                case SSL3_ST_SR_FINISHED_A:
                case SSL3_ST_SR_FINISHED_B:
+                       s->s3->flags |= SSL3_FLAGS_CCS_OK;
                        ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
                                SSL3_ST_SR_FINISHED_B);
                        if (ret <= 0) goto end;
@@ -701,10 +712,15 @@ int ssl3_check_client_hello(SSL *s)
        s->s3->tmp.reuse_message = 1;
        if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
                {
+               /* We only allow the client to restart the handshake once per
+                * negotiation. */
+               if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
+                       {
+                       SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
+                       return -1;
+                       }
                /* Throw away what we have done so far in the current handshake,
-                * which will now be aborted. (A full SSL_clear would be too much.)
-                * I hope that tmp.dh is the only thing that may need to be cleared
-                * when a handshake is not completed ... */
+                * which will now be aborted. (A full SSL_clear would be too much.) */
 #ifndef OPENSSL_NO_DH
                if (s->s3->tmp.dh != NULL)
                        {
@@ -712,6 +728,14 @@ int ssl3_check_client_hello(SSL *s)
                        s->s3->tmp.dh = NULL;
                        }
 #endif
+#ifndef OPENSSL_NO_ECDH
+               if (s->s3->tmp.ecdh != NULL)
+                       {
+                       EC_KEY_free(s->s3->tmp.ecdh);
+                       s->s3->tmp.ecdh = NULL;
+                       }
+#endif
+               s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
                return 2;
                }
        return 1;
@@ -919,6 +943,10 @@ int ssl3_get_client_hello(SSL *s)
                                break;
                                }
                        }
+/* Disabled because it can be used in a ciphersuite downgrade
+ * attack: CVE-2010-4180.
+ */
+#if 0
                if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
                        {
                        /* Special case as client bug workaround: the previously used cipher may
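Review bot: Wrapping the workaround in `#if 0` (closed by the `#endif` in the next hunk) turns `SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG` into a silent no-op. Applications that still set the option get no indication that it is ignored. The new comment should say so, for example `/* Disabled: usable for a ciphersuite downgrade (CVE-2010-4180). SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is accepted but has no effect. */`, and be indented with the surrounding code rather than placed at column 0. Deleting the dead block outright would be cleaner than keeping it under `#if 0`, because its `s->options` test stays visible and reads as if it were still live.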
@@ -933,6 +961,7 @@ int ssl3_get_client_hello(SSL *s)
                                j = 1;
                                }
                        }
+#endif
                if (j == 0)
                        {
                        /* we need to have the cipher in the cipher
@@ -978,7 +1007,7 @@ int ssl3_get_client_hello(SSL *s)
                        goto f_err;
                        }
                }
-               if (ssl_check_clienthello_tlsext(s) <= 0) {
+               if (ssl_check_clienthello_tlsext_early(s) <= 0) {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
                        goto err;
                }
@@ -1104,6 +1133,18 @@ int ssl3_get_client_hello(SSL *s)
         * s->tmp.new_cipher    - the new cipher to use.
         */
 
+#ifndef OPENSSL_NO_TLSEXT
+       /* Handles TLS extensions that we couldn't check earlier */
+       if (s->version >= SSL3_VERSION)
+               {
+               if (ssl_check_clienthello_tlsext_late(s) <= 0)
+                       {
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
+                       goto err;
+                       }
+               }
+#endif
+
        if (ret < 0) ret=1;
        if (0)
                {
@@ -1316,7 +1357,6 @@ int ssl3_send_server_key_exchange(SSL *s)
 
                        if (s->s3->tmp.dh != NULL)
                                {
-                               DH_free(dh);
                                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
                                goto err;
                                }
@@ -1377,7 +1417,6 @@ int ssl3_send_server_key_exchange(SSL *s)
 
                        if (s->s3->tmp.ecdh != NULL)
                                {
-                               EC_KEY_free(s->s3->tmp.ecdh); 
                                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
                                goto err;
                                }
@@ -1388,12 +1427,11 @@ int ssl3_send_server_key_exchange(SSL *s)
                                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
                                goto err;
                                }
-                       if (!EC_KEY_up_ref(ecdhp))
+                       if ((ecdh = EC_KEY_dup(ecdhp)) == NULL)
                                {
                                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
                                goto err;
                                }
-                       ecdh = ecdhp;
 
                        s->s3->tmp.ecdh=ecdh;
                        if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
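Review bot: The switch from `EC_KEY_up_ref(ecdhp)` to `ecdh = EC_KEY_dup(ecdhp)` has no comment explaining why a private copy is needed, so it could be reverted later as an apparent optimisation. Presumably the key-generation code that follows would otherwise modify the `EC_KEY` shared through the context across connections; that part of the function is outside the hunk. A comment such as `/* Duplicate: the ephemeral key is generated into this object, so it must not be shared with other connections */` would record the intent. Ownership also changes here: once `s->s3->tmp.ecdh=ecdh;` runs the session owns the copy, so the `err` path must not free `ecdh` a second time; that label is not visible here.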
@@ -1547,6 +1585,7 @@ int ssl3_send_server_key_exchange(SSL *s)
                            (unsigned char *)encodedPoint, 
                            encodedlen);
                        OPENSSL_free(encodedPoint);
+                       encodedPoint = NULL;
                        p += encodedlen;
                        }
 #endif
@@ -1725,6 +1764,11 @@ int ssl3_send_certificate_request(SSL *s)
                s->init_num=n+4;
                s->init_off=0;
 #ifdef NETSCAPE_HANG_BUG
+               if (!BUF_MEM_grow_clean(buf, s->init_num + 4))
+                       {
+                       SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
+                       goto err;
+                       }
                p=(unsigned char *)s->init_buf->data + s->init_num;
 
                /* do the header */
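Review bot: The new bounds check grows `buf`, but the write pointer on the next line is derived from `s->init_buf->data`, so the check only protects the write if `buf` and `s->init_buf` are the same object. That assignment is outside the hunk. Using one expression for both removes the doubt: `p=(unsigned char *)buf->data + s->init_num;`, or grow `s->init_buf` directly. Because `BUF_MEM_grow_clean` can move the buffer, a brief comment noting that `p` must be recomputed after the call (as it is here) would guard against a later edit hoisting the pointer above the grow.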
@@ -1936,6 +1980,7 @@ int ssl3_get_client_key_exchange(SSL *s)
                if (i <= 0)
                        {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
+                       BN_clear_free(pub);
                        goto err;
                        }
 
@@ -2249,6 +2294,12 @@ int ssl3_get_client_key_exchange(SSL *s)
                         /* Get encoded point length */
                         i = *p; 
                        p += 1;
+                       if (n != 1 + i)
+                               {
+                               SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                                   ERR_R_EC_LIB);
+                               goto err;
+                               }
                         if (EC_POINT_oct2point(group, 
                            clnt_ecpoint, p, i, bn_ctx) == 0)
                                {
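Review bot: The new `if (n != 1 + i)` check reports a malformed message length as `ERR_R_EC_LIB`, which makes a peer-supplied length mismatch look like an internal EC library failure in the error queue. `SSL_R_LENGTH_MISMATCH` describes the condition and makes hostile or broken ClientKeyExchange messages easier to spot in logs: `SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);`. The branch also leaves through `goto err`, so unless that label sends an alert the peer gets none. If the function has an `f_err` path like ssl3_get_client_hello does, setting a decode-error alert and jumping there would be more consistent. The length byte `i = *p` is read before `n` is compared, so this relies on `n >= 1` being established earlier in the function, outside the hunk.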