Overview

File openssl-CVE-2015-3196.patch of Package openssl.1634

From d6be3124f22870f1888c532523b74ea5d89795eb Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Wed, 1 Jul 2015 23:40:03 +0100
Subject: [PATCH] Fix PSK handling.

The PSK identity hint should be stored in the SSL_SESSION structure
and not in the parent context (which will overwrite values used
by other SSL structures with the same SSL_CTX).

Use BUF_strndup when copying identity as it may not be null terminated.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 3c66a669dfc7b3792f7af0758ea26fe8502ce70c)
---
 ssl/s3_clnt.c | 17 +++--------------
 ssl/s3_srvr.c |  2 +-
 2 files changed, 4 insertions(+), 15 deletions(-)

Index: openssl-1.0.1i/ssl/s3_clnt.c
===================================================================
--- openssl-1.0.1i.orig/ssl/s3_clnt.c	2015-12-04 14:10:29.276897903 +0100
+++ openssl-1.0.1i/ssl/s3_clnt.c	2015-12-04 14:10:30.131911388 +0100
@@ -1374,8 +1374,6 @@ int ssl3_get_key_exchange(SSL *s)
 #ifndef OPENSSL_NO_PSK
 	if (alg_k & SSL_kPSK)
 		{
-		char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1];
-
 		al=SSL_AD_HANDSHAKE_FAILURE;
 		n2s(p,i);
 		param_len=i+2;
@@ -1396,16 +1394,9 @@ int ssl3_get_key_exchange(SSL *s)
 				SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH);
 			goto f_err;
 			}
-		/* If received PSK identity hint contains NULL
-		 * characters, the hint is truncated from the first
-		 * NULL. p may not be ending with NULL, so create a
-		 * NULL-terminated string. */
-		memcpy(tmp_id_hint, p, i);
-		memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i);
-		if (s->ctx->psk_identity_hint != NULL)
-			OPENSSL_free(s->ctx->psk_identity_hint);
-		s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
-		if (s->ctx->psk_identity_hint == NULL)
+
+	        s->session->psk_identity_hint = BUF_strndup((char *)p, i);
+        	if (s->session->psk_identity_hint == NULL)
 			{
 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
 			goto f_err;
@@ -2911,7 +2902,7 @@ int ssl3_send_client_key_exchange(SSL *s
 				goto err;
 				}
 
-			psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint,
+			psk_len = s->psk_client_callback(s, s->session->psk_identity_hint,
 				identity, PSK_MAX_IDENTITY_LEN,
 				psk_or_pre_ms, sizeof(psk_or_pre_ms));
 			if (psk_len > PSK_MAX_PSK_LEN)
Index: openssl-1.0.1i/ssl/s3_srvr.c
===================================================================
--- openssl-1.0.1i.orig/ssl/s3_srvr.c	2015-12-04 14:10:30.132911404 +0100
+++ openssl-1.0.1i/ssl/s3_srvr.c	2015-12-04 14:11:57.400287544 +0100
@@ -2782,7 +2782,7 @@ int ssl3_get_client_key_exchange(SSL *s)
 
 			if (s->session->psk_identity != NULL)
 				OPENSSL_free(s->session->psk_identity);
-			s->session->psk_identity = BUF_strdup((char *)p);
+			s->session->psk_identity = BUF_strndup((char *)p, i);
 			if (s->session->psk_identity == NULL)
 				{
 				SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
openSUSE Build Service is sponsored by
Places