Fix for CVE-2014-0224
[openssl.git] / ssl / s3_srvr.c
index f610212..fcc97f3 100644 (file)
@@ -523,6 +523,7 @@ int ssl3_accept(SSL *s)
                case SSL3_ST_SR_CERT_VRFY_A:
                case SSL3_ST_SR_CERT_VRFY_B:
 
+                       s->s3->flags |= SSL3_FLAGS_CCS_OK;
                        /* we should decide if we expected this one */
                        ret=ssl3_get_cert_verify(s);
                        if (ret <= 0) goto end;
@@ -533,6 +534,7 @@ int ssl3_accept(SSL *s)
 
                case SSL3_ST_SR_FINISHED_A:
                case SSL3_ST_SR_FINISHED_B:
+                       s->s3->flags |= SSL3_FLAGS_CCS_OK;
                        ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
                                SSL3_ST_SR_FINISHED_B);
                        if (ret <= 0) goto end;
@@ -698,14 +700,6 @@ int ssl3_check_client_hello(SSL *s)
        int ok;
        long n;
 
-       /* We only allow the client to restart the handshake once per
-        * negotiation. */
-       if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
-               {
-               SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
-               return -1;
-               }
-
        /* this function is called when we really expect a Certificate message,
         * so permit appropriate message length */
        n=s->method->ssl_get_message(s,
@@ -718,6 +712,13 @@ int ssl3_check_client_hello(SSL *s)
        s->s3->tmp.reuse_message = 1;
        if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
                {
+               /* We only allow the client to restart the handshake once per
+                * negotiation. */
+               if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
+                       {
+                       SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
+                       return -1;
+                       }
                /* Throw away what we have done so far in the current handshake,
                 * which will now be aborted. (A full SSL_clear would be too much.) */
 #ifndef OPENSSL_NO_DH
@@ -1006,7 +1007,7 @@ int ssl3_get_client_hello(SSL *s)
                        goto f_err;
                        }
                }
-               if (ssl_check_clienthello_tlsext(s) <= 0) {
+               if (ssl_check_clienthello_tlsext_early(s) <= 0) {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
                        goto err;
                }
@@ -1132,6 +1133,18 @@ int ssl3_get_client_hello(SSL *s)
         * s->tmp.new_cipher    - the new cipher to use.
         */
 
+#ifndef OPENSSL_NO_TLSEXT
+       /* Handles TLS extensions that we couldn't check earlier */
+       if (s->version >= SSL3_VERSION)
+               {
+               if (ssl_check_clienthello_tlsext_late(s) <= 0)
+                       {
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
+                       goto err;
+                       }
+               }
+#endif
+
        if (ret < 0) ret=1;
        if (0)
                {
@@ -1751,6 +1764,11 @@ int ssl3_send_certificate_request(SSL *s)
                s->init_num=n+4;
                s->init_off=0;
 #ifdef NETSCAPE_HANG_BUG
+               if (!BUF_MEM_grow_clean(buf, s->init_num + 4))
+                       {
+                       SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
+                       goto err;
+                       }
                p=(unsigned char *)s->init_buf->data + s->init_num;
 
                /* do the header */