Fix SRP ciphersuite DoS vulnerability.

snhenson · mattcaswell · commit 80bd7b41b30a · 2014-08-06T20:36:41.000+01:00
If a client attempted to use an SRP ciphersuite and it had not been
set up correctly it would crash with a null pointer read. A malicious
server could exploit this in a DoS attack.

Thanks to Joonas Kuorilehto and Riku Hietamäki from Codenomicon
for reporting this issue.

CVE-2014-2970
Reviewed-by: Tim Hudson &lt;tjh@openssl.org&gt;
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
@@ -1088,6 +1088,13 @@ void ssl_set_client_disabled(SSL *s)
 		c->mask_k |= SSL_kPSK;
 		}
 #endif /* OPENSSL_NO_PSK */
+#ifndef OPENSSL_NO_SRP
+	if (!(s->srp_ctx.srp_Mask & SSL_kSRP))
+		{
+		c->mask_a |= SSL_aSRP;
+		c->mask_k |= SSL_kSRP;
+		}
+#endif
 	c->valid = 1;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -1088,6 +1088,13 @@ void ssl_set_client_disabled(SSL *s)`
`1088`	`1088`	`c->mask_k \|= SSL_kPSK;`
`1089`	`1089`	`}`
`1090`	`1090`	`#endif /* OPENSSL_NO_PSK */`
	`1091`	`+#ifndef OPENSSL_NO_SRP`
	`1092`	`+ if (!(s->srp_ctx.srp_Mask & SSL_kSRP))`
	`1093`	`+ {`
	`1094`	`+ c->mask_a \|= SSL_aSRP;`
	`1095`	`+ c->mask_k \|= SSL_kSRP;`
	`1096`	`+ }`
	`1097`	`+#endif`
`1091`	`1098`	`c->valid = 1;`
`1092`	`1099`	`}`
`1093`	`1100`