summaryrefslogtreecommitdiff
path: root/dtls.c
diff options
context:
space:
mode:
authorLinus Nordberg <linus@torproject.org>2012-10-19 23:23:04 +0200
committerLinus Nordberg <linus@nordu.net>2012-10-22 18:13:45 +0200
commit3682c935facf5ccd7fa600644bbb76957155c680 (patch)
tree2e59dc6f7e89aac6a8e220d56849890a99b615b6 /dtls.c
parentb04eb90fde13f88772c338ca32a55a7063f2e33d (diff)
Don't mix up pre- and post-handshake verification of DTLS clients.
Commit db965c9b addressed TLS clients only. When verifying DTLS clients, don't consider config blocks with CA settings ('tls') which differ from the one used for verifying the certificate chain. Original issue reported and analysed by Ralf Paffrath. DTLS being vulnerable reported by Raphael Geisser. Addresses issue RADSECPROXY-43, CVE-2012-4523.
Diffstat (limited to 'dtls.c')
-rw-r--r--dtls.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/dtls.c b/dtls.c
index bbebfef..3772113 100644
--- a/dtls.c
+++ b/dtls.c
@@ -354,6 +354,7 @@ void *dtlsservernew(void *arg) {
X509 *cert = NULL;
SSL_CTX *ctx = NULL;
uint8_t delay = 60;
+ struct tls *accepted_tls = NULL;
debug(DBG_DBG, "dtlsservernew: starting");
conf = find_clconf(handle, (struct sockaddr *)&params->addr, NULL);
@@ -367,10 +368,11 @@ void *dtlsservernew(void *arg) {
cert = verifytlscert(ssl);
if (!cert)
goto exit;
+ accepted_tls = conf->tlsconf;
}
while (conf) {
- if (verifyconfcert(cert, conf)) {
+ if (accepted_tls == conf->tlsconf && verifyconfcert(cert, conf)) {
X509_free(cert);
client = addclient(conf, 1);
if (client) {