Fix SRP ciphersuite DoS vulnerability.
authorDr. Stephen Henson <steve@openssl.org>
Thu, 24 Jul 2014 23:50:06 +0000 (00:50 +0100)
committerMatt Caswell <matt@openssl.org>
Wed, 6 Aug 2014 19:36:41 +0000 (20:36 +0100)
If a client attempted to use an SRP ciphersuite and it had not been
set up correctly it would crash with a null pointer read. A malicious
server could exploit this in a DoS attack.

Thanks to Joonas Kuorilehto and Riku Hietamäki from Codenomicon
for reporting this issue.

CVE-2014-2970
Reviewed-by: Tim Hudson <tjh@openssl.org>
ssl/t1_lib.c

index 749d88d..3616c0a 100644 (file)
@@ -1088,6 +1088,13 @@ void ssl_set_client_disabled(SSL *s)
                c->mask_k |= SSL_kPSK;
                }
 #endif /* OPENSSL_NO_PSK */
+#ifndef OPENSSL_NO_SRP
+       if (!(s->srp_ctx.srp_Mask & SSL_kSRP))
+               {
+               c->mask_a |= SSL_aSRP;
+               c->mask_k |= SSL_kSRP;
+               }
+#endif
        c->valid = 1;
        }