Fix bug in CVE-2011-4619: check we have really received a client hello
authorDr. Stephen Henson <steve@openssl.org>
Thu, 16 Feb 2012 15:26:04 +0000 (15:26 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Thu, 16 Feb 2012 15:26:04 +0000 (15:26 +0000)
before rejecting multiple SGC restarts.

CHANGES
ssl/s3_srvr.c

diff --git a/CHANGES b/CHANGES
index a45aa8a..77f9e0d 100644 (file)
--- a/CHANGES
+++ b/CHANGES
        Add command line options to s_client/s_server.
      [Steve Henson]
 
+ Changes between 1.0.0g and 1.0.0h [xx XXX xxxx]
+
+  *) Fix CVE-2011-4619: make sure we really are receiving a 
+     client hello before rejecting multiple SGC restarts. Thanks to
+     Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
+     [Steve Henson]
+
  Changes between 1.0.0f and 1.0.0g [18 Jan 2012]
 
   *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
index b0c32bc..c5606b2 100644 (file)
@@ -873,14 +873,6 @@ int ssl3_check_client_hello(SSL *s)
        int ok;
        long n;
 
-       /* We only allow the client to restart the handshake once per
-        * negotiation. */
-       if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
-               {
-               SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
-               return -1;
-               }
-
        /* this function is called when we really expect a Certificate message,
         * so permit appropriate message length */
        n=s->method->ssl_get_message(s,
@@ -893,6 +885,13 @@ int ssl3_check_client_hello(SSL *s)
        s->s3->tmp.reuse_message = 1;
        if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
                {
+               /* We only allow the client to restart the handshake once per
+                * negotiation. */
+               if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
+                       {
+                       SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
+                       return -1;
+                       }
                /* Throw away what we have done so far in the current handshake,
                 * which will now be aborted. (A full SSL_clear would be too much.) */
 #ifndef OPENSSL_NO_DH