Date: Tue, 24 Dec 2019 15:18:44 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 242861] Sendmail's STARTTLS broken for 12.1-RELEASE/12.0-RELEASE/12-STABLE/HEAD
Message-ID: <bug-242861-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242861

Bug ID: 242861
Summary: Sendmail's STARTTLS broken for 12.1-RELEASE/12.0-RELEASE/12-STABLE/HEAD
Product: Base System
Version: 12.1-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: dan+freebsd.org@obluda.cz

Created attachment 210201
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=210201&action=edit
tls.c::sm_RSA_generate_key() patch, based on revision 463590 of patch-tls.c

https://svnweb.freebsd.org/base?view=revision&revision=339260

The revision 339260 update made sendmail compatible with OpenSSL 1.1.1. The change has been based on patch-tls.c taken from the mail/sendmail port.

It introduces the sm_RSA_generate_key() function, used as a replacement for the original RSA_generate_key/RSA_generate_key_ex function.

Its code is broken badly. It may use a NULL pointer and it returns NULL all the time.

Code fragment of sm_RSA_generate_key() starting with:

-----
bn_rsa_r4 = BN_new();
rc = BN_set_word(bn_rsa_r4, RSA_F4);
if ((bn_rsa_r4 != NULL) && BN_set_word(bn_rsa_r4, RSA_F4) && (rsa = RSA_new()) != NULL)
-----

... is broken badly. It calls BN_set_word(bn_rsa_r4, RSA_F4) twice, the first time before bn_rsa_r4 has been verified non-NULL, causing a possible NULL dereference.

The "if" body returns NULL if the call to RSA_generate_key_ex() has succeeded. It's the main issue causing sm_RSA_generate_key() to return NULL all the time.

But it's not the only issue - the code here is just wrong. It doesn't free bn_rsa_r4 most of the time, causing a memory leak. It doesn't honor function parameters, using hardcoded constants instead.

The bug has been introduced in revision 463887 of the patch-tls.c port's patch:

https://svnweb.freebsd.org/ports?view=revision&revision=463887

The patch I'm proposing here is based on the correct version of the port's patch-tls.c (e.g. 463887):

https://svnweb.freebsd.org/ports?view=revision&revision=463590

-- 
You are receiving this mail because:
You are the assignee for the bug.
