[openssl-dev] [PATCH] Fix missing return value checks in SCTP

David Woodhouse dwmw2 at infradead.org
Fri Jul 8 19:41:51 UTC 2016 

On Tue, 2015-08-11 at 19:36 +0100, Matt Caswell wrote:
> There are some missing return value checks in the SCTP code. In master this
> was causing a compilation failure when config'd with
> "--strict-warnings sctp".
> 
> Reviewed-by: Tim Hudson <tjh at openssl.org>
> ---
>  ssl/d1_clnt.c | 16 ++++++++++++----
>  ssl/d1_srvr.c | 18 +++++++++++++-----
>  2 files changed, 25 insertions(+), 9 deletions(-)
> 
> diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
> index 566c154..d411614 100644
> --- a/ssl/d1_clnt.c
> +++ b/ssl/d1_clnt.c
> @@ -364,11 +364,15 @@ int dtls1_connect(SSL *s)
>                               sizeof(DTLS1_SCTP_AUTH_LABEL),
>                               DTLS1_SCTP_AUTH_LABEL);
>  
> -                    SSL_export_keying_material(s, sctpauthkey,
> +                    if (SSL_export_keying_material(s, sctpauthkey,
>                                                 sizeof(sctpauthkey),
>                                                 labelbuffer,
>                                                 sizeof(labelbuffer), NULL, 0,
> -                                               0);
> +                                               0) <= 0) {
> +                        ret = -1;
> +                        s->state = SSL_ST_ERR;
> +                        goto end;
> +                    }
>  
>                      BIO_ctrl(SSL_get_wbio(s),
>                               BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,

This commit (d8e8590e) and its backport to 1.0.2 (b3a62dc0) have broken
OpenConnect when SCTP is enabled, because SSL_export_keying_material()
*does* fail there. Perhaps it shouldn't...

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 08e3673..6db4f3a 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2231,7 +2231,7 @@ int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
                                const unsigned char *p, size_t plen,
                                int use_context)
 {
-    if (s->version < TLS1_VERSION)
+    if (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER)
         return -1;
 
     return s->method->ssl3_enc->export_keying_material(s, out, olen, label,

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5760 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160708/8990db06/attachment.bin>

More information about the openssl-dev mailing list