author | delphij <delphij@FreeBSD.org> | 2014-12-22 19:07:16 +0000 |
---|---|---|
committer | delphij <delphij@FreeBSD.org> | 2014-12-22 19:07:16 +0000 |
commit | 77f68eb34a5227ee871dceac46abbd1db966388b (patch) | |
tree | d6d4485aa1ef497ee3283b4612cd1f9319518b28 /contrib/ntp/ntpd/ntp_crypto.c | |
parent | 2b345a08edde7a77b1eccf22395f90aec2d3adac (diff) | |
MFC r276071:
Fix multiple ntp vulnerabilities.
Reviewed by: roberto (earlier revision), philip
Security: CVE-2014-9293, CVE-2014-9294
Security: CVE-2014-9295, CVE-2014-9296
Security: FreeBSD-SA-14:31.ntp
Diffstat (limited to 'contrib/ntp/ntpd/ntp_crypto.c')
-rw-r--r-- | contrib/ntp/ntpd/ntp_crypto.c | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/contrib/ntp/ntpd/ntp_crypto.c b/contrib/ntp/ntpd/ntp_crypto.c
index cce95a8..37427f4 100644
--- a/contrib/ntp/ntpd/ntp_crypto.c
+++ b/contrib/ntp/ntpd/ntp_crypto.c
@@ -864,12 +864,24 @@ crypto_recv(
 * errors.
 */
 if (vallen == (u_int) EVP_PKEY_size(host_pkey)) {
- RSA_private_decrypt(vallen,
+ u_int32 *cookiebuf = malloc(
+ RSA_size(host_pkey->pkey.rsa));
+ if (cookiebuf == NULL) {
+ rval = XEVNT_CKY;
+ break;
+ }
+ if (RSA_private_decrypt(vallen,
 (u_char *)ep->pkt,
- (u_char *)&temp32,
+ (u_char *)cookiebuf,
 host_pkey->pkey.rsa,
- RSA_PKCS1_OAEP_PADDING);
- cookie = ntohl(temp32);
+ RSA_PKCS1_OAEP_PADDING) != 4) {
+ rval = XEVNT_CKY;
+ free(cookiebuf);
+ break;
+ } else {
+ cookie = ntohl(*cookiebuf);
+ free(cookiebuf);
+ }
 } else {
 rval = XEVNT_CKY;
 break;
@@ -3914,7 +3926,7 @@ crypto_setup(void)
 rand_file);
 exit (-1);
 }
- get_systime(&seed);
+ arc4random_buf(&seed, sizeof(l_fp));
 RAND_seed(&seed, sizeof(l_fp));
 RAND_write_file(rand_file);
 OpenSSL_add_all_algorithms(); |
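Review bot: The length check `!= 4` on the RSA_private_decrypt() return in crypto_recv hard-codes the size of the value that is then read through `*cookiebuf`; tying it to the object, `RSA_PKCS1_OAEP_PADDING) != (int)sizeof(*cookiebuf)) {`, keeps the check and the dereference in step. A one-line comment above the call would help the next reader, e.g. `/* plaintext must be exactly one 32-bit cookie; a decrypt error (-1) is rejected by the same test */`. The heap buffer still holds the decrypted cookie when it is released, so calling `OPENSSL_cleanse(cookiebuf, RSA_size(host_pkey->pkey.rsa));` before both `free(cookiebuf)` calls would be cheap hardening, although the value is copied into `cookie` on the success path anyway. crypto_recv's body starts and ends outside the hunk.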
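Review bot: The buffer handed to `RAND_seed()` in crypto_setup is only `sizeof(l_fp)` bytes, so even with `arc4random_buf()` replacing `get_systime()` this call contributes at most that much seed material; l_fp is, as far as I know, NTP's 64-bit timestamp type, and the declaration of `seed` is outside the hunk. A buffer sized for the purpose would say what is meant and seed more: `u_char seedbuf[32];`, `arc4random_buf(seedbuf, sizeof(seedbuf));`, `RAND_seed(seedbuf, sizeof(seedbuf));`. If `seed` is kept, writing `sizeof(seed)` in both calls ties the length to the object instead of a type name that could drift from it. crypto_setup's body starts and ends outside the hunk.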