From bb4c9ffd02a74057f7f6fd807c5be5d1f807b831 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Fri, 1 Aug 2014 14:56:56 +0100
Subject: Check SRP parameters early.

Check SRP parameters when they are received so we can send back an appropriate alert.

Reviewed-by: Kurt Roeckx
---
 ssl/s3_clnt.c | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'ssl/s3_clnt.c')

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index d9b777701b..b4964f29e4 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1555,6 +1555,12 @@ int ssl3_get_key_exchange(SSL *s)
 p+=i;
 n-=param_len;
 
+ if (!srp_verify_server_param(s, &al))
+ {
+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_PARAMETERS);
+ goto f_err;
+ }
+
 /* We must check if there is a certificate */
 #ifndef OPENSSL_NO_RSA
 if (alg_a & SSL_aRSA)
-- 
cgit v1.2.3
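Review bot: The alert sent on the new failure path depends entirely on `srp_verify_server_param()` writing `al` before it returns 0, and that function is not part of this diff. If any of its failing paths leaves `al` untouched, `f_err` would send whatever value `al` held from earlier in `ssl3_get_key_exchange()`. Make the contract visible at the call site with a comment such as `/* srp_verify_server_param() sets al on every failure path */`, or assign a default alert to `al` on the line before the call. A short comment saying which server-supplied values are validated here, and that this must happen before they are used later in the handshake, would also help the next reader. The enclosing function begins and ends outside this hunk, so whether the block sits inside the SRP-only branch cannot be confirmed from here.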