Fix bug in CVE-2011-4619: check we have really received a client hello

before rejecting multiple SGC restarts.
author: Dr. Stephen Henson <steve@openssl.org> 2012-02-16 15:25:39 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2012-02-16 15:25:39 +0000
commit: a8314df9023e4e1d92c04e09e2afb02c98ed5e2b (patch)
tree: b0d794f96d081038d449dec80391c1c80b3af324 /ssl
parent: 0cd7a0325fa31189d155c2789f1a38cad72d0982 (diff)
1 files changed, 7 insertions, 8 deletions
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index a60e4d699c..5944d8c484 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -870,14 +870,6 @@ int ssl3_check_client_hello(SSL *s)
 	int ok;
 	long n;
 
-	/* We only allow the client to restart the handshake once per
-	 * negotiation. */
-	if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
-		{
-		SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
-		return -1;
-		}
-
 	/* this function is called when we really expect a Certificate message,
 	 * so permit appropriate message length */
 	n=s->method->ssl_get_message(s,
@@ -890,6 +882,13 @@ int ssl3_check_client_hello(SSL *s)
 	s->s3->tmp.reuse_message = 1;
 	if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
 		{
+		/* We only allow the client to restart the handshake once per
+		 * negotiation. */
+		if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
+			{
+			SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
+			return -1;
+			}
 		/* Throw away what we have done so far in the current handshake,
 		 * which will now be aborted. (A full SSL_clear would be too much.) */
 #ifndef OPENSSL_NO_DH
author	Dr. Stephen Henson <steve@openssl.org>	2012-02-16 15:25:39 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2012-02-16 15:25:39 +0000
commit	a8314df9023e4e1d92c04e09e2afb02c98ed5e2b (patch)
tree	b0d794f96d081038d449dec80391c1c80b3af324 /ssl
parent	0cd7a0325fa31189d155c2789f1a38cad72d0982 (diff)