From 950fd771fb8908968cce67a38fdde69ef0cd2b80 Mon Sep 17 00:00:00 2001

From: nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>

Date: Fri, 27 Nov 2015 21:24:30 +0000

Subject: [PATCH] merge revision(s) 52227,52228: [Backport #11369]

	* ext/openssl/ossl_ssl.c (ssl_npn_select_cb): explicitly raise error

	  in ext/openssl instead of OpenSSL itself because LibreSSL

	  silently truncate the selected protocol name by casting the length

	  from int to unsigned char. [Bug #11369]

	  Patch by Jeremy Evans <merch-redmine@jeremyevans.net>

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_2@52772 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

---

 ChangeLog              |  8 ++++++++

 ext/openssl/ossl_ssl.c | 43 +++++++++++++++++++++++++++++++------------

 2 files changed, 39 insertions(+), 12 deletions(-)

diff --git a/ChangeLog b/ChangeLog

index 161a4b9..160143c 100644

--- a/ChangeLog

+++ b/ChangeLog

@@ -36,6 +36,14 @@

 	* ext/dl/handle.c (rb_dlhandle_sym): ditto

+Sat Nov 28 06:12:32 2015  NARUSE, Yui  <naruse@ruby-lang.org>

+

+	* ext/openssl/ossl_ssl.c (ssl_npn_select_cb): explicitly raise error

+	  in ext/openssl instead of OpenSSL itself because LibreSSL

+	  silently truncate the selected protocol name by casting the length

+	  from int to unsigned char. [Bug #11369]

+	  Patch by Jeremy Evans <merch-redmine@jeremyevans.net>

+

 Tue Aug 18 22:00:12 2015  SHIBATA Hiroshi  <hsbt@ruby-lang.org>

 	* lib/rubygems.rb: bump version to 2.0.14.1. this version fixed

diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c

index 75e26a4..6e777c9 100644

--- a/ext/openssl/ossl_ssl.c

+++ b/ext/openssl/ossl_ssl.c

@@ -601,29 +601,48 @@ ssl_npn_advertise_cb(SSL *ssl, const unsigned char **out, unsigned int *outlen,

 }

 static int

-ssl_npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)

+ssl_npn_select_cb_common(VALUE cb, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen)

 {

-    int i = 0;

-    VALUE sslctx_obj, cb, protocols, selected;

-

-    sslctx_obj = (VALUE) arg;

-    cb = rb_iv_get(sslctx_obj, "@npn_select_cb");

-    protocols = rb_ary_new();

+    VALUE selected;

+    long len;

+    unsigned char l;

+    VALUE protocols = rb_ary_new();

     /* The format is len_1|proto_1|...|len_n|proto_n\0 */

-    while (in[i]) {

-	VALUE protocol = rb_str_new((const char *) &in[i + 1], in[i]);

+    while (l = *in++) {

+	VALUE protocol;

+	if (l > inlen) {

+	    ossl_raise(eSSLError, "Invalid protocol name list");

+	}

+	protocol = rb_str_new((const char *)in, l);

 	rb_ary_push(protocols, protocol);

-	i += in[i] + 1;

+	in += l;

+	inlen -= l;

     }

     selected = rb_funcall(cb, rb_intern("call"), 1, protocols);

     StringValue(selected);

-    *out = (unsigned char *) StringValuePtr(selected);

-    *outlen = RSTRING_LENINT(selected);

+    len = RSTRING_LEN(selected);

+    if (len < 1 || len >= 256) {

+	ossl_raise(eSSLError, "Selected protocol name must have length 1..255");

+    }

+    *out = (unsigned char *)RSTRING_PTR(selected);

+    *outlen = (unsigned char)len;

     return SSL_TLSEXT_ERR_OK;

 }

+

+static int

+ssl_npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)

+{

+    VALUE sslctx_obj, cb;

+

+    sslctx_obj = (VALUE) arg;

+    cb = rb_iv_get(sslctx_obj, "@npn_select_cb");

+

+    return ssl_npn_select_cb_common(cb, (const unsigned char **)out, outlen, in, inlen);

+}

+

 #endif

 /* This function may serve as the entry point to support further