Handle the unlikely event that BIO_get_mem_data() returns -ve.
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 5cea73c..af97a7e 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -871,7 +871,8 @@
}
}
s->s3->tmp.new_cipher=c;
- ssl3_digest_cached_records(s);
+ if (!ssl3_digest_cached_records(s))
+ goto f_err;
/* lets get the compression algorithm */
/* COMPRESSION */
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index a7943ab..8e484d3 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -580,37 +580,47 @@
}
}
}
-void ssl3_digest_cached_records(SSL *s)
- {
- int i;
- long mask;
- const EVP_MD *md;
- long hdatalen;
- void *hdata;
- /* Allocate handshake_dgst array */
- ssl3_free_digest_list(s);
- s->s3->handshake_dgst = OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
- memset(s->s3->handshake_dgst,0,SSL_MAX_DIGEST *sizeof(EVP_MD_CTX *));
- hdatalen = BIO_get_mem_data(s->s3->handshake_buffer,&hdata);
- /* Loop through bitso of algorithm2 field and create MD_CTX-es */
- for (i=0;ssl_get_handshake_digest(i,&mask,&md); i++)
- {
- if ((mask & s->s3->tmp.new_cipher->algorithm2) && md)
- {
- s->s3->handshake_dgst[i]=EVP_MD_CTX_create();
- EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL);
- EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen);
- }
- else
- {
- s->s3->handshake_dgst[i]=NULL;
- }
- }
- /* Free handshake_buffer BIO */
- BIO_free(s->s3->handshake_buffer);
- s->s3->handshake_buffer = NULL;
+int ssl3_digest_cached_records(SSL *s)
+ {
+ int i;
+ long mask;
+ const EVP_MD *md;
+ long hdatalen;
+ void *hdata;
+
+ /* Allocate handshake_dgst array */
+ ssl3_free_digest_list(s);
+ s->s3->handshake_dgst = OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
+ memset(s->s3->handshake_dgst,0,SSL_MAX_DIGEST *sizeof(EVP_MD_CTX *));
+ hdatalen = BIO_get_mem_data(s->s3->handshake_buffer,&hdata);
+ if (hdatalen <= 0)
+ {
+ SSLerr(SSL_F_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH);
+ return 0;
+ }
+
+ /* Loop through bitso of algorithm2 field and create MD_CTX-es */
+ for (i=0;ssl_get_handshake_digest(i,&mask,&md); i++)
+ {
+ if ((mask & s->s3->tmp.new_cipher->algorithm2) && md)
+ {
+ s->s3->handshake_dgst[i]=EVP_MD_CTX_create();
+ EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL);
+ EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen);
+ }
+ else
+ {
+ s->s3->handshake_dgst[i]=NULL;
+ }
+ }
+ /* Free handshake_buffer BIO */
+ BIO_free(s->s3->handshake_buffer);
+ s->s3->handshake_buffer = NULL;
+
+ return 1;
}
+
int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p)
{
return(ssl3_handshake_mac(s,md_nid,NULL,0,p));
@@ -632,8 +642,10 @@
unsigned int i;
unsigned char md_buf[EVP_MAX_MD_SIZE];
EVP_MD_CTX ctx,*d=NULL;
+
if (s->s3->handshake_buffer)
- ssl3_digest_cached_records(s);
+ if (!ssl3_digest_cached_records(s))
+ return 0;
/* Search for djgest of specified type in the handshake_dgst
* array*/
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 876d0caf..5cc3a19 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -531,7 +531,8 @@
* should be generalized. But it is next step
*/
if (s->s3->handshake_buffer)
- ssl3_digest_cached_records(s);
+ if (!ssl3_digest_cached_records(s))
+ return -1;
for (dgst_num=0; dgst_num<SSL_MAX_DIGEST;dgst_num++)
if (s->s3->handshake_dgst[dgst_num])
{
@@ -1158,7 +1159,8 @@
s->s3->tmp.new_cipher=s->session->cipher;
}
- ssl3_digest_cached_records(s);
+ if (!ssl3_digest_cached_records(s))
+ goto f_err;
/* we now have the following setup.
* client_random
diff --git a/ssl/ssl.h b/ssl/ssl.h
index e43b5c2..64173af 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1784,6 +1784,7 @@
#define SSL_F_CLIENT_HELLO 101
#define SSL_F_CLIENT_MASTER_KEY 102
#define SSL_F_D2I_SSL_SESSION 103
+#define SSL_F_DIGEST_CACHED_RECORDS 293
#define SSL_F_DO_DTLS1_WRITE 245
#define SSL_F_DO_SSL3_WRITE 104
#define SSL_F_DTLS1_ACCEPT 246
@@ -1945,6 +1946,7 @@
#define SSL_F_SSL_SET_RFD 194
#define SSL_F_SSL_SET_SESSION 195
#define SSL_F_SSL_SET_SESSION_ID_CONTEXT 218
+#define SSL_F_SSL_SET_SESSION_TICKET_EXT 294
#define SSL_F_SSL_SET_TRUST 228
#define SSL_F_SSL_SET_WFD 196
#define SSL_F_SSL_SHUTDOWN 224
@@ -1972,7 +1974,6 @@
#define SSL_F_TLS1_PRF 284
#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
#define SSL_F_WRITE_PENDING 212
-#define SSL_F_SSL_SET_SESSION_TICKET_EXT 213
/* Reason codes. */
#define SSL_R_APP_DATA_IN_HANDSHAKE 100
@@ -1991,6 +1992,7 @@
#define SSL_R_BAD_ECC_CERT 304
#define SSL_R_BAD_ECDSA_SIGNATURE 305
#define SSL_R_BAD_ECPOINT 306
+#define SSL_R_BAD_HANDSHAKE_LENGTH 332
#define SSL_R_BAD_HELLO_REQUEST 105
#define SSL_R_BAD_LENGTH 271
#define SSL_R_BAD_MAC_DECODE 113
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 817b67e..7879a31 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -75,6 +75,7 @@
{ERR_FUNC(SSL_F_CLIENT_HELLO), "CLIENT_HELLO"},
{ERR_FUNC(SSL_F_CLIENT_MASTER_KEY), "CLIENT_MASTER_KEY"},
{ERR_FUNC(SSL_F_D2I_SSL_SESSION), "d2i_SSL_SESSION"},
+{ERR_FUNC(SSL_F_DIGEST_CACHED_RECORDS), "DIGEST_CACHED_RECORDS"},
{ERR_FUNC(SSL_F_DO_DTLS1_WRITE), "DO_DTLS1_WRITE"},
{ERR_FUNC(SSL_F_DO_SSL3_WRITE), "DO_SSL3_WRITE"},
{ERR_FUNC(SSL_F_DTLS1_ACCEPT), "DTLS1_ACCEPT"},
@@ -236,6 +237,7 @@
{ERR_FUNC(SSL_F_SSL_SET_RFD), "SSL_set_rfd"},
{ERR_FUNC(SSL_F_SSL_SET_SESSION), "SSL_set_session"},
{ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT), "SSL_set_session_id_context"},
+{ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"},
{ERR_FUNC(SSL_F_SSL_SET_TRUST), "SSL_set_trust"},
{ERR_FUNC(SSL_F_SSL_SET_WFD), "SSL_set_wfd"},
{ERR_FUNC(SSL_F_SSL_SHUTDOWN), "SSL_shutdown"},
@@ -263,7 +265,6 @@
{ERR_FUNC(SSL_F_TLS1_PRF), "tls1_prf"},
{ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"},
{ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"},
-{ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"},
{0,NULL}
};
@@ -285,6 +286,7 @@
{ERR_REASON(SSL_R_BAD_ECC_CERT) ,"bad ecc cert"},
{ERR_REASON(SSL_R_BAD_ECDSA_SIGNATURE) ,"bad ecdsa signature"},
{ERR_REASON(SSL_R_BAD_ECPOINT) ,"bad ecpoint"},
+{ERR_REASON(SSL_R_BAD_HANDSHAKE_LENGTH) ,"bad handshake length"},
{ERR_REASON(SSL_R_BAD_HELLO_REQUEST) ,"bad hello request"},
{ERR_REASON(SSL_R_BAD_LENGTH) ,"bad length"},
{ERR_REASON(SSL_R_BAD_MAC_DECODE) ,"bad mac decode"},
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 30bd746..9df4be5 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -880,7 +880,7 @@
int ssl3_setup_write_buffer(SSL *s);
int ssl3_release_read_buffer(SSL *s);
int ssl3_release_write_buffer(SSL *s);
-void ssl3_digest_cached_records(SSL *s);
+int ssl3_digest_cached_records(SSL *s);
int ssl3_new(SSL *s);
void ssl3_free(SSL *s);
int ssl3_accept(SSL *s);
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 3a34992..4d9a18e 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -749,7 +749,9 @@
int i;
if (s->s3->handshake_buffer)
- ssl3_digest_cached_records(s);
+ if (!ssl3_digest_cached_records(s))
+ return 0;
+
for (i=0;i<SSL_MAX_DIGEST;i++)
{
if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i])==md_nid)
@@ -784,10 +786,11 @@
q=buf;
- EVP_MD_CTX_init(&ctx);
-
if (s->s3->handshake_buffer)
- ssl3_digest_cached_records(s);
+ if (!ssl3_digest_cached_records(s))
+ return 0;
+
+ EVP_MD_CTX_init(&ctx);
for (idx=0;ssl_get_handshake_digest(idx,&mask,&md);idx++)
{
