Diffstat (limited to 'app/openvpn/src')
-rw-r--r-- | app/openvpn/src/openvpn/crypto_backend.h | 6 | ||||
-rw-r--r-- | app/openvpn/src/openvpn/crypto_openssl.c | 4 | ||||
-rw-r--r-- | app/openvpn/src/openvpn/crypto_polarssl.c | 4 | ||||
-rw-r--r-- | app/openvpn/src/openvpn/ssl.c | 12 |
4 files changed, 18 insertions, 8 deletions
diff --git a/app/openvpn/src/openvpn/crypto_backend.h b/app/openvpn/src/openvpn/crypto_backend.h
index bc067a7d..87498785 100644
--- a/app/openvpn/src/openvpn/crypto_backend.h
+++ b/app/openvpn/src/openvpn/crypto_backend.h
@@ -223,7 +223,7 @@ int cipher_kt_block_size (const cipher_kt_t *cipher_kt);
 /**
 * Returns the mode that the cipher runs in.
 *
- * @param cipher_kt Static cipher parameters
+ * @param cipher_kt Static cipher parameters. May not be NULL.
 *
 * @return Cipher mode, either \c OPENVPN_MODE_CBC, \c
 * OPENVPN_MODE_OFB or \c OPENVPN_MODE_CFB
@@ -233,7 +233,7 @@ int cipher_kt_mode (const cipher_kt_t *cipher_kt);
 /**
 * Check if the supplied cipher is a supported CBC mode cipher.
 *
- * @param cipher Static cipher parameters. May not be NULL.
+ * @param cipher Static cipher parameters.
 *
 * @return true iff the cipher is a CBC mode cipher.
 */
@@ -243,7 +243,7 @@ bool cipher_kt_mode_cbc(const cipher_kt_t *cipher)
 /**
 * Check if the supplied cipher is a supported OFB or CFB mode cipher.
 *
- * @param cipher Static cipher parameters. May not be NULL.
+ * @param cipher Static cipher parameters.
 *
 * @return true iff the cipher is a OFB or CFB mode cipher.
 */
diff --git a/app/openvpn/src/openvpn/crypto_openssl.c b/app/openvpn/src/openvpn/crypto_openssl.c
index 0ac89a19..f7a491d6 100644
--- a/app/openvpn/src/openvpn/crypto_openssl.c
+++ b/app/openvpn/src/openvpn/crypto_openssl.c
@@ -492,7 +492,7 @@ cipher_kt_mode (const EVP_CIPHER *cipher_kt)
 bool
 cipher_kt_mode_cbc(const cipher_kt_t *cipher)
 {
- return cipher_kt_mode(cipher) == OPENVPN_MODE_CBC
+ return cipher && cipher_kt_mode(cipher) == OPENVPN_MODE_CBC
 #ifdef EVP_CIPH_FLAG_AEAD_CIPHER
 /* Exclude AEAD cipher modes, they require a different API */
 && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)
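Review bot: The new `@param cipher` text on `cipher_kt_mode_cbc` (second hunk of crypto_backend.h) drops "May not be NULL" but never states what a NULL argument now yields; the same applies to `cipher_kt_mode_ofb_cfb` in the third hunk. Since the implementations in crypto_openssl.c and crypto_polarssl.c now return false for NULL, the contract should say so, e.g. `@param cipher Static cipher parameters. May be NULL, in which case false is returned.` The third hunk's header shows the declaration `bool cipher_kt_mode_cbc(const cipher_kt_t *cipher)` without a terminating semicolon, so it continues on a line outside the hunk. If that continuation is a `__attribute__((nonnull))`, it contradicts the relaxed contract and may allow the compiler to discard the new `cipher &&` guard, so it would need to be removed in the same change.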
@@ -503,7 +503,7 @@ cipher_kt_mode_cbc(const cipher_kt_t *cipher)
 bool
 cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
 {
- return (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB ||
+ return cipher && (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB ||
 cipher_kt_mode(cipher) == OPENVPN_MODE_CFB)
 #ifdef EVP_CIPH_FLAG_AEAD_CIPHER
 /* Exclude AEAD cipher modes, they require a different API */
diff --git a/app/openvpn/src/openvpn/crypto_polarssl.c b/app/openvpn/src/openvpn/crypto_polarssl.c
index 1a986dbd..e083398f 100644
--- a/app/openvpn/src/openvpn/crypto_polarssl.c
+++ b/app/openvpn/src/openvpn/crypto_polarssl.c
@@ -419,13 +419,13 @@ cipher_kt_mode (const cipher_info_t *cipher_kt)
 bool
 cipher_kt_mode_cbc(const cipher_kt_t *cipher)
 {
- return cipher_kt_mode(cipher) == OPENVPN_MODE_CBC;
+ return cipher && cipher_kt_mode(cipher) == OPENVPN_MODE_CBC;
 }
 bool
 cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
 {
- return (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB ||
+ return cipher && (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB ||
 cipher_kt_mode(cipher) == OPENVPN_MODE_CFB);
 }
diff --git a/app/openvpn/src/openvpn/ssl.c b/app/openvpn/src/openvpn/ssl.c
index 94b7b6d9..f79f42d9 100644
--- a/app/openvpn/src/openvpn/ssl.c
+++ b/app/openvpn/src/openvpn/ssl.c
@@ -2826,7 +2826,17 @@ tls_pre_decrypt (struct tls_multi *multi,
 opt->flags &= multi->opt.crypto_flags_and;
 opt->flags |= multi->opt.crypto_flags_or;
- ASSERT (buf_advance (buf, (op == P_DATA_V2) ? 4 : 1));
+ ASSERT (buf_advance (buf, 1));
+ if (op == P_DATA_V2)
+ {
+ if (buf->len < 4)
+ {
+ msg (D_TLS_ERRORS, "Protocol error: received P_DATA_V2 from %s but length is < 4",
+ print_link_socket_actual (from, &gc));
+ goto error;
+ }
+ ASSERT (buf_advance (buf, 3));
+ }
 ++ks->n_packets;
 ks->n_bytes += buf->len;
|
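Review bot: The new P_DATA_V2 guard in `tls_pre_decrypt` tests `buf->len < 4` after one byte has already been consumed by `buf_advance (buf, 1)`, yet only 3 more bytes are advanced, so the bound and the logged "length is < 4" do not describe the same quantity. The check fails closed, so it is safe, but a packet with exactly 3 bytes left is rejected with a misleading message. If an empty payload is meant to be rejected, add a comment saying so; otherwise use `if (buf->len < 3)` and reword the message to match. The remaining `ASSERT (buf_advance (buf, 1))` still aborts the process on failure, so it is only safe if code earlier in the function, outside this hunk, guarantees at least one byte; that guarantee deserves a short comment here.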