Blame SOURCES/openssl-1.0.1e-cve-2014-3513.patch

170643
diff -up openssl-1.0.1e/ssl/d1_srtp.c.srtp-leak openssl-1.0.1e/ssl/d1_srtp.c
170643
--- openssl-1.0.1e/ssl/d1_srtp.c.srtp-leak	2013-02-11 16:26:04.000000000 +0100
170643
+++ openssl-1.0.1e/ssl/d1_srtp.c	2014-10-15 13:23:34.253040160 +0200
170643
@@ -168,25 +168,6 @@ static int find_profile_by_name(char *pr
170643
 	return 1;
170643
 	}
170643
 
170643
-static int find_profile_by_num(unsigned profile_num,
170643
-			       SRTP_PROTECTION_PROFILE **pptr)
170643
-	{
170643
-	SRTP_PROTECTION_PROFILE *p;
170643
-
170643
-	p=srtp_known_profiles;
170643
-	while(p->name)
170643
-		{
170643
-		if(p->id == profile_num)
170643
-			{
170643
-			*pptr=p;
170643
-			return 0;
170643
-			}
170643
-		p++;
170643
-		}
170643
-
170643
-	return 1;
170643
-	}
170643
-
170643
 static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTECTION_PROFILE) **out)
170643
 	{
170643
 	STACK_OF(SRTP_PROTECTION_PROFILE) *profiles;
170643
@@ -209,11 +190,19 @@ static int ssl_ctx_make_profiles(const c
170643
 		if(!find_profile_by_name(ptr,&p,
170643
 					 col ? col-ptr : (int)strlen(ptr)))
170643
 			{
170643
+			if (sk_SRTP_PROTECTION_PROFILE_find(profiles,p) >= 0)
170643
+				{
170643
+				SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
170643
+				sk_SRTP_PROTECTION_PROFILE_free(profiles);
170643
+				return 1;
170643
+				}
170643
+
170643
 			sk_SRTP_PROTECTION_PROFILE_push(profiles,p);
170643
 			}
170643
 		else
170643
 			{
170643
 			SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
170643
+			sk_SRTP_PROTECTION_PROFILE_free(profiles);
170643
 			return 1;
170643
 			}
170643
 
170643
@@ -305,13 +294,12 @@ int ssl_add_clienthello_use_srtp_ext(SSL
170643
 
170643
 int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al)
170643
 	{
170643
-	SRTP_PROTECTION_PROFILE *cprof,*sprof;
170643
-	STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0,*srvr;
170643
+	SRTP_PROTECTION_PROFILE *sprof;
170643
+	STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
170643
         int ct;
170643
         int mki_len;
170643
-	int i,j;
170643
-	int id;
170643
-	int ret;
170643
+	int i, srtp_pref;
170643
+	unsigned int id;
170643
 
170643
          /* Length value + the MKI length */
170643
         if(len < 3)
170643
@@ -341,22 +329,32 @@ int ssl_parse_clienthello_use_srtp_ext(S
170643
 		return 1;
170643
 		}
170643
 
170643
+	srvr=SSL_get_srtp_profiles(s);
170643
+	s->srtp_profile = NULL;
170643
+	/* Search all profiles for a match initially */
170643
+	srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
170643
         
170643
-	clnt=sk_SRTP_PROTECTION_PROFILE_new_null();
170643
-
170643
 	while(ct)
170643
 		{
170643
 		n2s(d,id);
170643
 		ct-=2;
170643
                 len-=2;
170643
 
170643
-		if(!find_profile_by_num(id,&cprof))
170643
+		/*
170643
+		 * Only look for match in profiles of higher preference than
170643
+		 * current match.
170643
+		 * If no profiles have been have been configured then this
170643
+		 * does nothing.
170643
+		 */
170643
+		for (i = 0; i < srtp_pref; i++)
170643
 			{
170643
-			sk_SRTP_PROTECTION_PROFILE_push(clnt,cprof);
170643
-			}
170643
-		else
170643
-			{
170643
-			; /* Ignore */
170643
+			sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
170643
+			if (sprof->id == id)
170643
+				{
170643
+				s->srtp_profile = sprof;
170643
+				srtp_pref = i;
170643
+				break;
170643
+				}
170643
 			}
170643
 		}
170643
 
170643
@@ -371,36 +369,7 @@ int ssl_parse_clienthello_use_srtp_ext(S
170643
 		return 1;
170643
 		}
170643
 
170643
-	srvr=SSL_get_srtp_profiles(s);
170643
-
170643
-	/* Pick our most preferred profile. If no profiles have been
170643
-	 configured then the outer loop doesn't run 
170643
-	 (sk_SRTP_PROTECTION_PROFILE_num() = -1)
170643
-	 and so we just return without doing anything */
170643
-	for(i=0;i
170643
-		{
170643
-		sprof=sk_SRTP_PROTECTION_PROFILE_value(srvr,i);
170643
-
170643
-		for(j=0;j
170643
-			{
170643
-			cprof=sk_SRTP_PROTECTION_PROFILE_value(clnt,j);
170643
-            
170643
-			if(cprof->id==sprof->id)
170643
-				{
170643
-				s->srtp_profile=sprof;
170643
-				*al=0;
170643
-				ret=0;
170643
-				goto done;
170643
-				}
170643
-			}
170643
-		}
170643
-
170643
-	ret=0;
170643
-    
170643
-done:
170643
-	if(clnt) sk_SRTP_PROTECTION_PROFILE_free(clnt);
170643
-
170643
-	return ret;
170643
+	return 0;
170643
 	}
170643
 
170643
 int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
170643
diff -up openssl-1.0.1e/ssl/t1_lib.c.srtp-leak openssl-1.0.1e/ssl/t1_lib.c
170643
--- openssl-1.0.1e/ssl/t1_lib.c.srtp-leak	2014-10-15 13:19:59.955202293 +0200
170643
+++ openssl-1.0.1e/ssl/t1_lib.c	2014-10-15 13:23:34.254040182 +0200
170643
@@ -696,7 +696,7 @@ unsigned char *ssl_add_clienthello_tlsex
170643
 #endif
170643
 
170643
 #ifndef OPENSSL_NO_SRTP
170643
-        if(SSL_get_srtp_profiles(s))
170643
+	if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
170643
                 {
170643
                 int el;
170643
 
170643
@@ -829,7 +829,7 @@ unsigned char *ssl_add_serverhello_tlsex
170643
 #endif
170643
 
170643
 #ifndef OPENSSL_NO_SRTP
170643
-        if(s->srtp_profile)
170643
+	if(SSL_IS_DTLS(s) && s->srtp_profile)
170643
                 {
170643
                 int el;
170643
 
170643
@@ -1377,7 +1377,8 @@ int ssl_parse_clienthello_tlsext(SSL *s,
170643
 
170643
 		/* session ticket processed earlier */
170643
 #ifndef OPENSSL_NO_SRTP
170643
-		else if (type == TLSEXT_TYPE_use_srtp)
170643
+		else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
170643
+			 && type == TLSEXT_TYPE_use_srtp)
170643
 			{
170643
 			if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
170643
 							      al))
170643
@@ -1631,7 +1632,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
170643
 			}
170643
 #endif
170643
 #ifndef OPENSSL_NO_SRTP
170643
-		else if (type == TLSEXT_TYPE_use_srtp)
170643
+		else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
170643
 			{
170643
                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
170643
 							      al))