Fix bug in CVE-2011-4619: check we have really received a client hello
authorDr. Stephen Henson <steve@openssl.org>
Thu, 16 Feb 2012 15:21:17 +0000 (15:21 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Thu, 16 Feb 2012 15:21:17 +0000 (15:21 +0000)
before rejecting multiple SGC restarts.

CHANGES
ssl/s3_srvr.c

diff --git a/CHANGES b/CHANGES
index db908c2c238e421452ed44e8a9e0e99f27f4d33c..59de4639fa699ea1d8478746045e4425a1cbf301 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,10 @@
 
  Changes between 0.9.8t and 0.9.8u [xx XXX xxxx]
 
-  *)
+  *) Fix CVE-2011-4619: make sure we really are receiving a 
+     client hello before rejecting multiple SGC restarts. Thanks to
+     Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
+     [Steve Henson]
 
  Changes between 0.9.8s and 0.9.8t [18 Jan 2012]
 
index f6102123d43a7bf28b0ea6da102ff7739f4cb0dc..5ada1f155070cbd258555ed03889d50255e038cc 100644 (file)
@@ -698,14 +698,6 @@ int ssl3_check_client_hello(SSL *s)
        int ok;
        long n;
 
-       /* We only allow the client to restart the handshake once per
-        * negotiation. */
-       if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
-               {
-               SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
-               return -1;
-               }
-
        /* this function is called when we really expect a Certificate message,
         * so permit appropriate message length */
        n=s->method->ssl_get_message(s,
@@ -718,6 +710,13 @@ int ssl3_check_client_hello(SSL *s)
        s->s3->tmp.reuse_message = 1;
        if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
                {
+               /* We only allow the client to restart the handshake once per
+                * negotiation. */
+               if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
+                       {
+                       SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
+                       return -1;
+                       }
                /* Throw away what we have done so far in the current handshake,
                 * which will now be aborted. (A full SSL_clear would be too much.) */
 #ifndef OPENSSL_NO_DH