[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

Matt Caswell matt at openssl.org
Tue Dec 1 15:29:37 UTC 2015 

The branch OpenSSL_1_0_1-stable has been updated
       via  41d049e1cda0e23ad45fbca94fc90cfe9cfee466 (commit)
      from  98b94544e5dcab065404de1892d2aeb726dd6491 (commit)


- Log -----------------------------------------------------------------
commit 41d049e1cda0e23ad45fbca94fc90cfe9cfee466
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Nov 30 10:38:54 2015 +0000

    Return errors even if the cookie validation has succeeded
    
    In the DTLS ClientHello processing the return value is stored in |ret| which
    by default is -1. We wish to return 1 on success or 2 on success *and* we
    have validated the DTLS cookie. Previously on successful validation of the
    cookie we were setting |ret| to 2. Unfortunately if we later encounter an
    error then we can end up returning a successful (positive) return code from
    the function because we already set |ret| to a positive value.
    
    This does not appear to have a security consequence because the handshake
    just fails at a later point.
    
    Reviewed-by: Andy Polyakov <appro at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/s3_srvr.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 5c5914e..e2beb40 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -966,7 +966,7 @@ int ssl3_check_client_hello(SSL *s)
 
 int ssl3_get_client_hello(SSL *s)
 {
-    int i, j, ok, al, ret = -1;
+    int i, j, ok, al, ret = -1, cookie_valid = 0;;
     unsigned int cookie_len;
     long n;
     unsigned long id;
@@ -1154,8 +1154,7 @@ int ssl3_get_client_hello(SSL *s)
                 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
                 goto f_err;
             }
-
-            ret = 2;
+            cookie_valid = 1;
         }
 
         p += cookie_len;
@@ -1491,8 +1490,7 @@ int ssl3_get_client_hello(SSL *s)
         }
     }
 
-    if (ret < 0)
-        ret = 1;
+    ret = cookie_valid ? 2 : 1;
     if (0) {
  f_err:
         ssl3_send_alert(s, SSL3_AL_FATAL, al);
@@ -1502,7 +1500,7 @@ int ssl3_get_client_hello(SSL *s)
 
     if (ciphers != NULL)
         sk_SSL_CIPHER_free(ciphers);
-    return (ret);
+    return ret;
 }
 
 int ssl3_send_server_hello(SSL *s)

More information about the openssl-commits mailing list