isaacpittman-hitachi / rpms / openssl

Forked from rpms/openssl 2 years ago
Clone
Source Code
GIT

Blame SOURCES/openssl-1.0.1e-cve-2016-6302.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   653b37a36fcfa8d53d73e34d10ac70e7aaafba1c
  2.   SOURCES
  3.   openssl-1.0.1e-cve-2016-6302.patch
Blob History Raw
653b37 
diff -up openssl-1.0.1e/ssl/t1_lib.c.ticket-length openssl-1.0.1e/ssl/t1_lib.c
653b37 
--- openssl-1.0.1e/ssl/t1_lib.c.ticket-length	2016-09-20 15:37:34.000000000 +0200
653b37 
+++ openssl-1.0.1e/ssl/t1_lib.c	2016-09-20 18:09:26.057028290 +0200
653b37 
@@ -2230,9 +2230,7 @@ static int tls_decrypt_ticket(SSL *s, co
653b37 
 	HMAC_CTX hctx;
653b37 
 	EVP_CIPHER_CTX ctx;
653b37 
 	SSL_CTX *tctx = s->initial_ctx;
653b37 
-	/* Need at least keyname + iv + some encrypted data */
653b37 
-	if (eticklen < 48)
653b37 
-		return 2;
653b37 
+
653b37 
 	/* Initialize session ticket encryption and HMAC contexts */
653b37 
 	HMAC_CTX_init(&hctx);
653b37 
 	EVP_CIPHER_CTX_init(&ctx;;
653b37 
@@ -2267,6 +2265,14 @@ static int tls_decrypt_ticket(SSL *s, co
653b37 
 		EVP_CIPHER_CTX_cleanup(&ctx;;
653b37 
 		return -1;
653b37 
 		}
653b37 
+	/* Sanity check ticket length: must exceed keyname + IV + HMAC */
653b37 
+	if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen)
653b37 
+		{
653b37 
+		HMAC_CTX_cleanup(&hctx);
653b37 
+		EVP_CIPHER_CTX_cleanup(&ctx;;
653b37 
+		return 2;
653b37 
+		}
653b37 
+
653b37 
 	eticklen -= mlen;
653b37 
 	/* Check HMAC of encrypted ticket */
653b37 
 	HMAC_Update(&hctx, etick, eticklen);

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation