Sanity check ticket length.

If a ticket callback changes the HMAC digest to SHA512 the existing sanity checks are not sufficient and an attacker could perform a DoS attack with a malformed ticket. Add additional checks based on HMAC size. Thanks to Shi Lei for reporting this bug. CVE-2016-6302 Reviewed-by: N Viktor Dukhovni <viktor@openssl.org>

Sanity check ticket length.
If a ticket callback changes the HMAC digest to SHA512 the existing sanity checks are not sufficient and an attacker could perform a DoS attack with a malformed ticket. Add additional checks based on HMAC size. Thanks to Shi Lei for reporting this bug. CVE-2016-6302 Reviewed-by: N Viktor Dukhovni <viktor@openssl.org>
e97763c9 · Dr. Stephen Henson · Matt Caswell · 652c52a6 · e97763c9
显示空白变更内容
内联并排

Showing with 7 addition and 3 deletion

ssl/t1_lib.c ssl/t1_lib.c +7 -3

未找到文件。
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2969,9 +2969,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
    HMAC_CTX *hctx = NULL;
    EVP_CIPHER_CTX *ctx;
    SSL_CTX *tctx = s->initial_ctx;
-    /* Need at least keyname + iv + some encrypted data */
-    if (eticklen < 48)
-        return 2;
+
    /* Initialize session ticket encryption and HMAC contexts */
    hctx = HMAC_CTX_new();
    if (hctx == NULL)
@@ -3018,6 +3016,12 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
    if (mlen < 0) {
        goto err;
    }
+    /* Sanity check ticket length: must exceed keyname + IV + HMAC */
+    if (eticklen <=
+        TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) {
+        ret = 2;
+        goto err;
+    }
    eticklen -= mlen;
    /* Check HMAC of encrypted ticket */
    if (HMAC_Update(hctx, etick, eticklen) <= 0