summaryrefslogtreecommitdiff
path: root/app/openvpn/src
diff options
context:
space:
mode:
Diffstat (limited to 'app/openvpn/src')
-rw-r--r--app/openvpn/src/openvpn/crypto_backend.h6
-rw-r--r--app/openvpn/src/openvpn/crypto_openssl.c4
-rw-r--r--app/openvpn/src/openvpn/crypto_polarssl.c4
-rw-r--r--app/openvpn/src/openvpn/ssl.c12
4 files changed, 18 insertions, 8 deletions
diff --git a/app/openvpn/src/openvpn/crypto_backend.h b/app/openvpn/src/openvpn/crypto_backend.h
index bc067a7d..87498785 100644
--- a/app/openvpn/src/openvpn/crypto_backend.h
+++ b/app/openvpn/src/openvpn/crypto_backend.h
@@ -223,7 +223,7 @@ int cipher_kt_block_size (const cipher_kt_t *cipher_kt);
/**
* Returns the mode that the cipher runs in.
*
- * @param cipher_kt Static cipher parameters
+ * @param cipher_kt Static cipher parameters. May not be NULL.
*
* @return Cipher mode, either \c OPENVPN_MODE_CBC, \c
* OPENVPN_MODE_OFB or \c OPENVPN_MODE_CFB
@@ -233,7 +233,7 @@ int cipher_kt_mode (const cipher_kt_t *cipher_kt);
/**
* Check if the supplied cipher is a supported CBC mode cipher.
*
- * @param cipher Static cipher parameters. May not be NULL.
+ * @param cipher Static cipher parameters.
*
* @return true iff the cipher is a CBC mode cipher.
*/
@@ -243,7 +243,7 @@ bool cipher_kt_mode_cbc(const cipher_kt_t *cipher)
/**
* Check if the supplied cipher is a supported OFB or CFB mode cipher.
*
- * @param cipher Static cipher parameters. May not be NULL.
+ * @param cipher Static cipher parameters.
*
* @return true iff the cipher is a OFB or CFB mode cipher.
*/
diff --git a/app/openvpn/src/openvpn/crypto_openssl.c b/app/openvpn/src/openvpn/crypto_openssl.c
index 0ac89a19..f7a491d6 100644
--- a/app/openvpn/src/openvpn/crypto_openssl.c
+++ b/app/openvpn/src/openvpn/crypto_openssl.c
@@ -492,7 +492,7 @@ cipher_kt_mode (const EVP_CIPHER *cipher_kt)
bool
cipher_kt_mode_cbc(const cipher_kt_t *cipher)
{
- return cipher_kt_mode(cipher) == OPENVPN_MODE_CBC
+ return cipher && cipher_kt_mode(cipher) == OPENVPN_MODE_CBC
#ifdef EVP_CIPH_FLAG_AEAD_CIPHER
/* Exclude AEAD cipher modes, they require a different API */
&& !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)
@@ -503,7 +503,7 @@ cipher_kt_mode_cbc(const cipher_kt_t *cipher)
bool
cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
{
- return (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB ||
+ return cipher && (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB ||
cipher_kt_mode(cipher) == OPENVPN_MODE_CFB)
#ifdef EVP_CIPH_FLAG_AEAD_CIPHER
/* Exclude AEAD cipher modes, they require a different API */
diff --git a/app/openvpn/src/openvpn/crypto_polarssl.c b/app/openvpn/src/openvpn/crypto_polarssl.c
index 1a986dbd..e083398f 100644
--- a/app/openvpn/src/openvpn/crypto_polarssl.c
+++ b/app/openvpn/src/openvpn/crypto_polarssl.c
@@ -419,13 +419,13 @@ cipher_kt_mode (const cipher_info_t *cipher_kt)
bool
cipher_kt_mode_cbc(const cipher_kt_t *cipher)
{
- return cipher_kt_mode(cipher) == OPENVPN_MODE_CBC;
+ return cipher && cipher_kt_mode(cipher) == OPENVPN_MODE_CBC;
}
bool
cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
{
- return (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB ||
+ return cipher && (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB ||
cipher_kt_mode(cipher) == OPENVPN_MODE_CFB);
}
diff --git a/app/openvpn/src/openvpn/ssl.c b/app/openvpn/src/openvpn/ssl.c
index 94b7b6d9..f79f42d9 100644
--- a/app/openvpn/src/openvpn/ssl.c
+++ b/app/openvpn/src/openvpn/ssl.c
@@ -2826,7 +2826,17 @@ tls_pre_decrypt (struct tls_multi *multi,
opt->flags &= multi->opt.crypto_flags_and;
opt->flags |= multi->opt.crypto_flags_or;
- ASSERT (buf_advance (buf, (op == P_DATA_V2) ? 4 : 1));
+ ASSERT (buf_advance (buf, 1));
+ if (op == P_DATA_V2)
+ {
+ if (buf->len < 4)
+ {
+ msg (D_TLS_ERRORS, "Protocol error: received P_DATA_V2 from %s but length is < 4",
+ print_link_socket_actual (from, &gc));
+ goto error;
+ }
+ ASSERT (buf_advance (buf, 3));
+ }
++ks->n_packets;
ks->n_bytes += buf->len;