PR: 2704

Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr> Fix srp extension.

PR: 2704
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr> Fix srp extension.
1df80b65 · Dr. Stephen Henson · 3770b988 · 1df80b65 · 1df80b65
隐藏空白更改
内联并排

Showing with 35 addition and 19 deletion

ssl/s3_lib.c ssl/s3_lib.c +1 -1

ssl/t1_lib.c ssl/t1_lib.c +34 -18

未找到文件。
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3609,7 +3609,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 		ctx->srp_ctx.login = NULL;
 		if (parg == NULL)
 			break;
-		if (strlen((char *)parg) > 254)
+		if (strlen((const char *)parg) > 255 || strlen((const char *)parg) < 1)
 			{
 			SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_SRP_USERNAME);
 			return 0;

--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -432,25 +432,29 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
        }

 #ifndef OPENSSL_NO_SRP
-#define MIN(x,y) (((x)<(y))?(x):(y))
-	/* we add SRP username the first time only if we have one! */
+	/* Add SRP username if there is one */
 	if (s->srp_ctx.login != NULL)
-		{/* Add TLS extension SRP username to the Client Hello message */
-		int login_len = MIN(strlen(s->srp_ctx.login) + 1, 255);
-		long lenmax; 
+		{ /* Add TLS extension SRP username to the Client Hello message */

-		if ((lenmax = limit - ret - 5) < 0) return NULL; 
-		if (login_len > lenmax) return NULL;
-		if (login_len > 255)
+		int login_len = strlen(s->srp_ctx.login);	
+		if (login_len > 255 || login_len == 0)
 			{
 			SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
 			return NULL;
-			}
+			} 
+
+		/* check for enough space.
+		   4 for the srp type type and entension length
+		   1 for the srp user identity
+		   + srp user identity length 
+		*/
+		if ((limit - ret - 5 - login_len) < 0) return NULL; 
+
+		/* fill in the extension */
 		s2n(TLSEXT_TYPE_srp,ret);
 		s2n(login_len+1,ret);
-
-		(*ret++) = (unsigned char) MIN(strlen(s->srp_ctx.login), 254);
-		memcpy(ret, s->srp_ctx.login, MIN(strlen(s->srp_ctx.login), 254));
+		(*ret++) = (unsigned char) login_len;
+		memcpy(ret, s->srp_ctx.login, login_len);
 		ret+=login_len;
 		}
 #endif
@@ -1007,13 +1011,25 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 #ifndef OPENSSL_NO_SRP
 		else if (type == TLSEXT_TYPE_srp)
 			{
-			if (size > 0)
+			if (size <= 0 || ((len = data[0])) != (size -1))
 				{
-				len = data[0];
-				if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
-					return -1;
-				memcpy(s->srp_ctx.login, &data[1], len);
-				s->srp_ctx.login[len]='\0';  
+				*al = SSL_AD_DECODE_ERROR;
+				return 0;
+				}
+			if (s->srp_ctx.login != NULL)
+				{
+				*al = SSL_AD_DECODE_ERROR;
+				return 0;
+				}
+			if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
+				return -1;
+			memcpy(s->srp_ctx.login, &data[1], len);
+			s->srp_ctx.login[len]='\0';
+  
+			if (strlen(s->srp_ctx.login) != len) 
+				{
+				*al = SSL_AD_DECODE_ERROR;
+				return 0;
 				}
 			}
 #endif