[Bug 242861] Sendmail's STARTTLS broken for 12.1-RELEASE/12.0-RELEASE/12-STABLE/HEAD
bugzilla-noreply at freebsd.org
Tue Dec 24 15:18:45 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242861
Bug ID: 242861
Summary: Sendmail's STARTTLS broken for 12.1-RELEASE/12.0-RELEASE/12-STABLE/HEAD
Product: Base System
Version: 12.1-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs at FreeBSD.org
Reporter: dan+freebsd.org at obluda.cz
Created attachment 210201
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=210201&action=edit
tls.c::sm_RSA_generate_key() patch, based on revision 463590 of patch-tls.c
https://svnweb.freebsd.org/base?view=revision&revision=339260
Revision 339260 update made sendmail compatible with OpenSSL 1.1.1. The
change has been based on patch-tls.c taken from the mail/sendmail port.
It introduces the sm_RSA_generate_key() function, used as a replacement for the original
RSA_generate_key/RSA_generate_key_ex function.
Its code is broken badly. It may use a NULL pointer and it returns NULL all the
time.
Code fragment of sm_RSA_generate_key() starting with:
-----
bn_rsa_r4 = BN_new();
rc = BN_set_word(bn_rsa_r4, RSA_F4);
if ((bn_rsa_r4 != NULL) && BN_set_word(bn_rsa_r4, RSA_F4) &&
    (rsa = RSA_new()) != NULL)
-----
... is broken badly.
It calls BN_set_word(bn_rsa_r4, RSA_F4) twice, the first time before bn_rsa_r4
has been verified non-NULL, causing a possible NULL dereference.
The "if" body returns NULL if the call to RSA_generate_key_ex() has succeeded. It's
the main issue causing sm_RSA_generate_key() to return NULL all the time.
But it's not the only issue - the code here is just wrong. It doesn't free
bn_rsa_r4 most of the time, causing a memory leak. It doesn't honor the function
parameters, using hardcoded constants instead. The bug has been introduced in
revision 463887 of the patch-tls.c port's patch:
https://svnweb.freebsd.org/ports?view=revision&revision=463887
The patch I'm proposing here is based on the correct version of the port's patch-tls.c
(e.g. 463887):
https://svnweb.freebsd.org/ports?view=revision&revision=463590
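An added example, not part of the original report and not sendmail's or the port's code: a self-contained C harness that models a key-generation wrapper and forces each step to fail in turn, checking the four points the report raises (NULL check before first use, non-NULL result on success, no leaked objects, caller's parameters honored). All names in it (the `fake_*` types, `obj_new`, `bn_set_word`, `rsa_generate`, `generate_key`, `check_path`) are hypothetical stand-ins, not OpenSSL calls.

```c
/* Added example: fake_* types and stubs are stand-ins, not the OpenSSL API. */
#include <stdlib.h>

typedef struct { unsigned long w; } fake_bn;              /* plays BIGNUM */
typedef struct { int bits; unsigned long e; } fake_rsa;   /* plays RSA */

static int live;            /* objects currently allocated: the leak counter */
static int fail_at, calls;  /* make the Nth stub call fail; 0 = no failure */

static int fails(void) { return fail_at != 0 && ++calls == fail_at; }
static void *obj_new(size_t n) {
    void *p = fails() ? NULL : calloc(1, n);
    if (p != NULL) live++;
    return p;
}
static void obj_free(void *p) { if (p != NULL) { live--; free(p); } }
/* Dereferences b without checking it, as a real setter would. */
static int bn_set_word(fake_bn *b, unsigned long w) { b->w = w; return !fails(); }
static int rsa_generate(fake_rsa *r, int bits, fake_bn *e) {
    r->bits = bits; r->e = e->w;
    return !fails();
}

/* Wrapper shape that avoids the four defects listed in the report. */
fake_rsa *generate_key(int bits, unsigned long e) {
    fake_rsa *rsa = NULL;
    fake_bn *bn = obj_new(sizeof *bn);
    if (bn == NULL)                       /* check before the first use */
        return NULL;
    if (bn_set_word(bn, e) && (rsa = obj_new(sizeof *rsa)) != NULL &&
        !rsa_generate(rsa, bits, bn)) {   /* caller's bits and e, no constants */
        obj_free(rsa);                    /* only a failed generation yields NULL */
        rsa = NULL;
    }
    obj_free(bn);                         /* exponent released on every path */
    return rsa;
}

/* Fail the Nth stub call (0 = none); 1 if the result is right and leak-free. */
int check_path(int n, int bits, unsigned long e) {
    fake_rsa *k;
    int ok;
    fail_at = n; calls = 0; live = 0;
    k = generate_key(bits, e);
    ok = (n == 0) ? (k != NULL && k->bits == bits && k->e == e) : (k == NULL);
    obj_free(k);
    return ok && live == 0;
}
```

Stub calls are numbered in execution order: 1 is the exponent allocation, 2 the set-word, 3 the key allocation, 4 the generation itself.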