diff options
author | Serguei E. Leontiev <leo@sai.msu.ru> | 2014-05-11 19:46:42 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2014-05-12 18:41:52 +0100 |
commit | 4a56d9a2ed306ad28946894eb73a3e504910e1c9 (patch) | |
tree | bbc62d19f982e183ebf4281b408a54e43f0a5af7 | |
parent | 89e674744d910d9ab03f44e4e8ca68cf96a2b4a0 (diff) |
Replace manual ASN1 decoder with ASN1_get_object
Replace manual ASN.1 decoder with ASN1_get object. This
will decode the tag and length properly and check against
it does not exceed the supplied buffer length.
PR#3335
-rw-r--r-- | ssl/s3_srvr.c | 23 |
1 files changed, 7 insertions, 16 deletions
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 9434923d0d..63ede49479 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -2979,6 +2979,8 @@ int ssl3_get_client_key_exchange(SSL *s) unsigned char premaster_secret[32], *start; size_t outlen=32, inlen; unsigned long alg_a; + int Ttag, Tclass; + long Tlen; /* Get our certificate private key*/ alg_a = s->s3->tmp.new_cipher->algorithm_auth; @@ -3000,26 +3002,15 @@ int ssl3_get_client_key_exchange(SSL *s) ERR_clear_error(); } /* Decrypt session key */ - if ((*p!=( V_ASN1_SEQUENCE| V_ASN1_CONSTRUCTED))) - { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED); - goto gerr; - } - if (p[1] == 0x81) - { - start = p+3; - inlen = p[2]; - } - else if (p[1] < 0x80) - { - start = p+2; - inlen = p[1]; - } - else + if (ASN1_get_object((const unsigned char **)&p, &Tlen, &Ttag, &Tclass, n) != V_ASN1_CONSTRUCTED || + Ttag != V_ASN1_SEQUENCE || + Tclass != V_ASN1_UNIVERSAL) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED); goto gerr; } + start = p; + inlen = Tlen; if (EVP_PKEY_decrypt(pkey_ctx,premaster_secret,&outlen,start,inlen) <=0) { |