Fix bug in CVE-2011-4619: check we have really received a client hello
before rejecting multiple SGC restarts.
diff --git a/CHANGES b/CHANGES
index a45aa8a..77f9e0d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -548,6 +548,13 @@
Add command line options to s_client/s_server.
[Steve Henson]
+ Changes between 1.0.0g and 1.0.0h [xx XXX xxxx]
+
+ *) Fix CVE-2011-4619: make sure we really are receiving a
+ client hello before rejecting multiple SGC restarts. Thanks to
+ Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
+ [Steve Henson]
+
Changes between 1.0.0f and 1.0.0g [18 Jan 2012]
*) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index b0c32bc..c5606b2 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -873,14 +873,6 @@
int ok;
long n;
- /* We only allow the client to restart the handshake once per
- * negotiation. */
- if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
- {
- SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
- return -1;
- }
-
/* this function is called when we really expect a Certificate message,
* so permit appropriate message length */
n=s->method->ssl_get_message(s,
@@ -893,6 +885,13 @@
s->s3->tmp.reuse_message = 1;
if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
{
+ /* We only allow the client to restart the handshake once per
+ * negotiation. */
+ if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
+ {
+ SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
+ return -1;
+ }
/* Throw away what we have done so far in the current handshake,
* which will now be aborted. (A full SSL_clear would be too much.) */
#ifndef OPENSSL_NO_DH
