rpms / openssl

Clone
Source Code
GIT

Files

  1.   653b37a36fcfa8d53d73e34d10ac70e7aaafba1c
  2.   SOURCES
  3.   openssl-1.0.1e-cve-2014-3513.patch
Blob Blame History Raw 
diff -up openssl-1.0.1e/ssl/d1_srtp.c.srtp-leak openssl-1.0.1e/ssl/d1_srtp.c
--- openssl-1.0.1e/ssl/d1_srtp.c.srtp-leak	2013-02-11 16:26:04.000000000 +0100
+++ openssl-1.0.1e/ssl/d1_srtp.c	2014-10-15 13:23:34.253040160 +0200
@@ -168,25 +168,6 @@ static int find_profile_by_name(char *pr
 	return 1;
 	}
 
-static int find_profile_by_num(unsigned profile_num,
-			       SRTP_PROTECTION_PROFILE **pptr)
-	{
-	SRTP_PROTECTION_PROFILE *p;
-
-	p=srtp_known_profiles;
-	while(p->name)
-		{
-		if(p->id == profile_num)
-			{
-			*pptr=p;
-			return 0;
-			}
-		p++;
-		}
-
-	return 1;
-	}
-
 static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTECTION_PROFILE) **out)
 	{
 	STACK_OF(SRTP_PROTECTION_PROFILE) *profiles;
@@ -209,11 +190,19 @@ static int ssl_ctx_make_profiles(const c
 		if(!find_profile_by_name(ptr,&p,
 					 col ? col-ptr : (int)strlen(ptr)))
 			{
+			if (sk_SRTP_PROTECTION_PROFILE_find(profiles,p) >= 0)
+				{
+				SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
+				sk_SRTP_PROTECTION_PROFILE_free(profiles);
+				return 1;
+				}
+
 			sk_SRTP_PROTECTION_PROFILE_push(profiles,p);
 			}
 		else
 			{
 			SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
+			sk_SRTP_PROTECTION_PROFILE_free(profiles);
 			return 1;
 			}
 
@@ -305,13 +294,12 @@ int ssl_add_clienthello_use_srtp_ext(SSL
 
 int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al)
 	{
-	SRTP_PROTECTION_PROFILE *cprof,*sprof;
-	STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0,*srvr;
+	SRTP_PROTECTION_PROFILE *sprof;
+	STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
         int ct;
         int mki_len;
-	int i,j;
-	int id;
-	int ret;
+	int i, srtp_pref;
+	unsigned int id;
 
          /* Length value + the MKI length */
         if(len < 3)
@@ -341,22 +329,32 @@ int ssl_parse_clienthello_use_srtp_ext(S
 		return 1;
 		}
 
+	srvr=SSL_get_srtp_profiles(s);
+	s->srtp_profile = NULL;
+	/* Search all profiles for a match initially */
+	srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
         
-	clnt=sk_SRTP_PROTECTION_PROFILE_new_null();
-
 	while(ct)
 		{
 		n2s(d,id);
 		ct-=2;
                 len-=2;
 
-		if(!find_profile_by_num(id,&cprof))
+		/*
+		 * Only look for match in profiles of higher preference than
+		 * current match.
+		 * If no profiles have been have been configured then this
+		 * does nothing.
+		 */
+		for (i = 0; i < srtp_pref; i++)
 			{
-			sk_SRTP_PROTECTION_PROFILE_push(clnt,cprof);
-			}
-		else
-			{
-			; /* Ignore */
+			sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
+			if (sprof->id == id)
+				{
+				s->srtp_profile = sprof;
+				srtp_pref = i;
+				break;
+				}
 			}
 		}
 
@@ -371,36 +369,7 @@ int ssl_parse_clienthello_use_srtp_ext(S
 		return 1;
 		}
 
-	srvr=SSL_get_srtp_profiles(s);
-
-	/* Pick our most preferred profile. If no profiles have been
-	 configured then the outer loop doesn't run 
-	 (sk_SRTP_PROTECTION_PROFILE_num() = -1)
-	 and so we just return without doing anything */
-	for(i=0;i<sk_SRTP_PROTECTION_PROFILE_num(srvr);i++)
-		{
-		sprof=sk_SRTP_PROTECTION_PROFILE_value(srvr,i);
-
-		for(j=0;j<sk_SRTP_PROTECTION_PROFILE_num(clnt);j++)
-			{
-			cprof=sk_SRTP_PROTECTION_PROFILE_value(clnt,j);
-            
-			if(cprof->id==sprof->id)
-				{
-				s->srtp_profile=sprof;
-				*al=0;
-				ret=0;
-				goto done;
-				}
-			}
-		}
-
-	ret=0;
-    
-done:
-	if(clnt) sk_SRTP_PROTECTION_PROFILE_free(clnt);
-
-	return ret;
+	return 0;
 	}
 
 int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
diff -up openssl-1.0.1e/ssl/t1_lib.c.srtp-leak openssl-1.0.1e/ssl/t1_lib.c
--- openssl-1.0.1e/ssl/t1_lib.c.srtp-leak	2014-10-15 13:19:59.955202293 +0200
+++ openssl-1.0.1e/ssl/t1_lib.c	2014-10-15 13:23:34.254040182 +0200
@@ -696,7 +696,7 @@ unsigned char *ssl_add_clienthello_tlsex
 #endif
 
 #ifndef OPENSSL_NO_SRTP
-        if(SSL_get_srtp_profiles(s))
+	if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
                 {
                 int el;
 
@@ -829,7 +829,7 @@ unsigned char *ssl_add_serverhello_tlsex
 #endif
 
 #ifndef OPENSSL_NO_SRTP
-        if(s->srtp_profile)
+	if(SSL_IS_DTLS(s) && s->srtp_profile)
                 {
                 int el;
 
@@ -1377,7 +1377,8 @@ int ssl_parse_clienthello_tlsext(SSL *s,
 
 		/* session ticket processed earlier */
 #ifndef OPENSSL_NO_SRTP
-		else if (type == TLSEXT_TYPE_use_srtp)
+		else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
+			 && type == TLSEXT_TYPE_use_srtp)
 			{
 			if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
 							      al))
@@ -1631,7 +1632,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
 			}
 #endif
 #ifndef OPENSSL_NO_SRTP
-		else if (type == TLSEXT_TYPE_use_srtp)
+		else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
 			{
                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
 							      al))

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation