Date: Tue, 24 Dec 2019 15:18:44 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 242861] Sendmail's STARTTLS broken for 12.1-RELEASE/12.0-RELEASE/12-STABLE/HEAD
Message-ID: <bug-242861-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242861

Bug ID: 242861
Summary: Sendmail's STARTTLS broken for 12.1-RELEASE/12.0-RELEASE/12-STABLE/HEAD
Product: Base System
Version: 12.1-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: dan+freebsd.org@obluda.cz

Created attachment 210201
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=210201&action=edit
tls.c::sm_RSA_generate_key() patch, based on revision 463590 of patch-tls.c

https://svnweb.freebsd.org/base?view=revision&revision=339260

Revision 339260 update made sendmail compatible with OpenSSL 1.1.1. The change has been based on patch-tls.c taken from the mail/sendmail port. It introduces the sm_RSA_generate_key() function, used as a replacement for the original RSA_generate_key/RSA_generate_key_ex function.

Its code is broken badly. It may use a NULL pointer and it returns NULL all the time.

Code fragment of sm_RSA_generate_key() starting with:

-----
bn_rsa_r4 = BN_new();
rc = BN_set_word(bn_rsa_r4, RSA_F4);
if ((bn_rsa_r4 != NULL) && BN_set_word(bn_rsa_r4, RSA_F4) && (rsa = RSA_new()) != NULL)
-----

... is broken badly.

It calls BN_set_word(bn_rsa_r4, RSA_F4) twice, the first time before bn_rsa_r4 has been verified non-NULL, causing a possible NULL dereference.

The "if" body returns NULL if the call to RSA_generate_key_ex() has succeeded. It's the main issue causing sm_RSA_generate_key() to return NULL all the time.

But it's not the only issue - code here is just wrong. It doesn't free bn_rsa_r4 most of the time, causing a memory leak. It doesn't honor function parameters, using hardcoded constants instead.

The bug has been introduced in revision 463887 of the patch-tls.c port's patch:

https://svnweb.freebsd.org/ports?view=revision&revision=463887

The patch I'm proposing here is based on correct version of port's patch-tls.c (e.g. 463887):

https://svnweb.freebsd.org/ports?view=revision&revision=463590

-- 
You are receiving this mail because:
You are the assignee for the bug.
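
The four defects listed in the report (use before the NULL check, NULL returned on success, leaked BIGNUM, ignored parameters) can each be caught by fault injection on the wrapper's error paths. The following is an added example, not the attached patch and not sendmail or OpenSSL code: the fake_* functions and gen_key() are hypothetical stand-ins that mirror the shape of BN_new, BN_set_word, RSA_new and RSA_generate_key_ex so the check builds without libcrypto.

```c
#include <stdio.h>
#include <stdlib.h>
/* Stand-ins (assumptions, not OpenSSL) for BN_new, BN_set_word, RSA_new,
 * RSA_generate_key_ex and the free calls; they count live objects. */
typedef struct { unsigned long w; } FAKE_BN;
typedef struct { int bits; unsigned long e; } FAKE_RSA;
static int live, calls, fail_at;        /* fail_at == 0: never fail */
static int fails(void) { return ++calls == fail_at; }
static void *obj(size_t n) { void *p = fails() ? NULL : calloc(1, n); if (p) live++; return p; }
static FAKE_BN *fake_BN_new(void) { return obj(sizeof(FAKE_BN)); }
static FAKE_RSA *fake_RSA_new(void) { return obj(sizeof(FAKE_RSA)); }
static void fake_BN_free(FAKE_BN *b) { if (b) { live--; free(b); } }
static void fake_RSA_free(FAKE_RSA *r) { if (r) { live--; free(r); } }
static int fake_BN_set_word(FAKE_BN *b, unsigned long w) {
    if (fails()) return 0;
    b->w = w; return 1;                 /* dereferences b: NULL would crash */
}
static int fake_RSA_generate_key_ex(FAKE_RSA *r, int bits, FAKE_BN *e) {
    if (fails()) return 0;
    r->bits = bits; r->e = e->w; return 1;
}

/* Wrapper shape that avoids the four defects listed in the report. */
static FAKE_RSA *gen_key(int bits, unsigned long e) {
    FAKE_RSA *rsa = NULL;
    FAKE_BN *bn = fake_BN_new();
    if (bn != NULL && fake_BN_set_word(bn, e)     /* NULL check comes first */
        && (rsa = fake_RSA_new()) != NULL
        && !fake_RSA_generate_key_ex(rsa, bits, bn)) {
        fake_RSA_free(rsa);                       /* only a failed generation */
        rsa = NULL;                               /* yields NULL */
    }
    fake_BN_free(bn);                             /* released on every path */
    return rsa;
}

/* Fail the n-th call (0 = none); returns objects leaked, key via *out. */
static int trial(int n, int bits, unsigned long e, FAKE_RSA **out) {
    live = calls = 0; fail_at = n;
    *out = gen_key(bits, e);
    return live - (*out != NULL);
}
int main(void) {
    for (int n = 0; n <= 4; n++) {
        FAKE_RSA *k; int leaked = trial(n, 2048, 65537UL, &k);
        printf("fail_at=%d leaked=%d key=%s\n", n, leaked, k ? "ok" : "NULL");
        fake_RSA_free(k);
    }
    return 0;
}
```

Each trial fails exactly one of the four calls in turn; a wrapper with any of the reported defects would either crash, return NULL at fail_at=0, report a non-zero leak count, or return a key whose bits/e differ from the arguments.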