{"schema":"libjg2-1", "vpath":"/git/", "avatar":"/git/avatar/", "alang":"", "gen_ut":1753167736, "reponame":"openssl", "desc":"OpenSSL", "owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://warmcat.com/repo/openssl", "f":3, "items": [ {"schema":"libjg2-1", "cid":"ced30fdee00a5abb75afba1e62a8bbb8", "commit": {"type":"commit", "time": 1519211951, "time_ofs": 0, "oid_tree": { "oid": "1e1b16cb83733d283fa1342eb63c7549a1266471", "alias": []}, "oid":{ "oid": "ee763495250b29fd32cb4026f17678ba30a59342", "alias": []}, "msg": "Sanity check the ticket length before using key name/IV", "sig_commit": { "git_time": { "time": 1519211951, "offset": 0 }, "name": "Matt Caswell", "email": "matt@openssl.org", "md5": "10f7b441a32d5790efad9fc68cae4af2" }, "sig_author": { "git_time": { "time": 1519122020, "offset": 0 }, "name": "Matt Caswell", "email": "matt@openssl.org", "md5": "10f7b441a32d5790efad9fc68cae4af2" }}, "body": "Sanity check the ticket length before using key name/IV\n\nThis could in theory result in an overread - but due to the over allocation\nof the underlying buffer does not represent a security issue.\n\nThanks to Fedor Indutny for reporting this issue.\n\nReviewed-by: Rich Salz \u003crsalz@openssl.org\u003e\nReviewed-by: Ben Kaduk \u003ckaduk@mit.edu\u003e\n(Merged from https://github.com/openssl/openssl/pull/5414)\n" , "diff": "diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c\nindex 3965be9..57f9559 100644\n--- a/ssl/t1_lib.c\n+++ b/ssl/t1_lib.c\n@@ -1280,9 +1280,15 @@ TICKET_RETURN tls_decrypt_ticket(SSL *s, const unsigned char *etick,\n size_t mlen;\n unsigned char tick_hmac[EVP_MAX_MD_SIZE];\n HMAC_CTX *hctx \u003d NULL;\n- EVP_CIPHER_CTX *ctx;\n+ EVP_CIPHER_CTX *ctx \u003d NULL;\n SSL_CTX *tctx \u003d s-\u003esession_ctx;\n \n+ /* Need at least keyname + iv */\n+ if (eticklen \u003c TLSEXT_KEYNAME_LENGTH + EVP_MAX_IV_LENGTH) {\n+ ret \u003d TICKET_NO_DECRYPT;\n+ goto err;\n+ }\n+\n /* Initialize session 
ticket encryption and HMAC contexts */\n hctx \u003d HMAC_CTX_new();\n if (hctx \u003d\u003d NULL)\n@@ -1294,8 +1300,9 @@ TICKET_RETURN tls_decrypt_ticket(SSL *s, const unsigned char *etick,\n }\n if (tctx-\u003eext.ticket_key_cb) {\n unsigned char *nctick \u003d (unsigned char *)etick;\n- int rv \u003d tctx-\u003eext.ticket_key_cb(s, nctick, nctick + 16,\n- ctx, hctx, 0);\n+ int rv \u003d tctx-\u003eext.ticket_key_cb(s, nctick,\n+ nctick + TLSEXT_KEYNAME_LENGTH,\n+ ctx, hctx, 0);\n if (rv \u003c 0)\n goto err;\n if (rv \u003d\u003d 0) {\n@@ -1307,7 +1314,7 @@ TICKET_RETURN tls_decrypt_ticket(SSL *s, const unsigned char *etick,\n } else {\n /* Check key name matches */\n if (memcmp(etick, tctx-\u003eext.tick_key_name,\n- sizeof(tctx-\u003eext.tick_key_name)) !\u003d 0) {\n+ TLSEXT_KEYNAME_LENGTH) !\u003d 0) {\n ret \u003d TICKET_NO_DECRYPT;\n goto err;\n }\n@@ -1316,8 +1323,7 @@ TICKET_RETURN tls_decrypt_ticket(SSL *s, const unsigned char *etick,\n EVP_sha256(), NULL) \u003c\u003d 0\n || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,\n tctx-\u003eext.tick_aes_key,\n- etick\n- + sizeof(tctx-\u003eext.tick_key_name)) \u003c\u003d 0) {\n+ etick + TLSEXT_KEYNAME_LENGTH) \u003c\u003d 0) {\n goto err;\n }\n }\n","s":{"c":1753167736,"u": 36915}} ],"g": 38290,"chitpc": 0,"ehitpc": 0,"indexed":0 , "ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "0000"}
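Review bot: The comment on the new length check in the first hunk, `/* Need at least keyname + iv */`, does not say why the bound uses EVP_MAX_IV_LENGTH rather than the IV length of the cipher actually in use. At that point no cipher has been selected, and both the `ticket_key_cb` call and the `EVP_DecryptInit_ex` call in the later hunks are handed `etick + TLSEXT_KEYNAME_LENGTH` as the IV pointer, so the check presumably has to cover the largest IV either path could read. I would spell that out, e.g. `/* Need at least keyname + iv; cipher not chosen yet, so require the maximum IV length */`. The rest of tls_decrypt_ticket lies outside the hunks, including the `err` label that the new `goto` targets and any later per-cipher length check, so whether a tighter check follows cannot be confirmed from here.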