From 6b5938cd3586ddafe3e369de19c73fccf73b8ba9 Mon Sep 17 00:00:00 2001
From: deraadt
Date: Wed, 6 Aug 2014 23:16:16 +0000
Subject: [PATCH] merge fix for CVE-2014-3509 -- basically a missing s->hit check; ok guenther
---
 lib/libssl/src/ssl/t1_lib.c | 22 +++++++++++++---------
 lib/libssl/t1_lib.c | 22 +++++++++++++---------
 2 files changed, 26 insertions(+), 18 deletions(-)
diff --git a/lib/libssl/src/ssl/t1_lib.c b/lib/libssl/src/ssl/t1_lib.c
index 0966e78b4d1..eebe6897ef6 100644
--- a/lib/libssl/src/ssl/t1_lib.c
+++ b/lib/libssl/src/ssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.52 2014/07/13 16:33:01 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.53 2014/08/06 23:16:16 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1339,16 +1339,20 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
 *al = TLS1_AD_DECODE_ERROR;
 return 0;
 }
- s->session->tlsext_ecpointformatlist_length = 0;
+ if (s->hit) {
+ free(s->session->tlsext_ecpointformatlist);
+ s->session->tlsext_ecpointformatlist_length = 0;
- free(s->session->tlsext_ecpointformatlist);
- if ((s->session->tlsext_ecpointformatlist =
- malloc(ecpointformatlist_length)) == NULL) {
- *al = TLS1_AD_INTERNAL_ERROR;
- return 0;
+ if ((s->session->tlsext_ecpointformatlist =
+ malloc(ecpointformatlist_length)) == NULL) {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ s->session->tlsext_ecpointformatlist_length =
+ ecpointformatlist_length;
+ memcpy(s->session->tlsext_ecpointformatlist,
+ sdata, ecpointformatlist_length);
 }
- s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
- memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
 } else if (type == TLSEXT_TYPE_session_ticket) {
 if (s->tls_session_ticket_ext_cb &&
diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c
index 0966e78b4d1..eebe6897ef6 100644
--- a/lib/libssl/t1_lib.c
+++ b/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.52 2014/07/13 16:33:01 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.53 2014/08/06 23:16:16 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1339,16 +1339,20 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
 *al = TLS1_AD_DECODE_ERROR;
 return 0;
 }
- s->session->tlsext_ecpointformatlist_length = 0;
+ if (s->hit) {
+ free(s->session->tlsext_ecpointformatlist);
+ s->session->tlsext_ecpointformatlist_length = 0;
- free(s->session->tlsext_ecpointformatlist);
- if ((s->session->tlsext_ecpointformatlist =
- malloc(ecpointformatlist_length)) == NULL) {
- *al = TLS1_AD_INTERNAL_ERROR;
- return 0;
+ if ((s->session->tlsext_ecpointformatlist =
+ malloc(ecpointformatlist_length)) == NULL) {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ s->session->tlsext_ecpointformatlist_length =
+ ecpointformatlist_length;
+ memcpy(s->session->tlsext_ecpointformatlist,
+ sdata, ecpointformatlist_length);
 }
- s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
- memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
 } else if (type == TLSEXT_TYPE_session_ticket) {
 if (s->tls_session_ticket_ext_cb &&
--
2.20.1
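Review bot: The guard added around the block that replaces `s->session->tlsext_ecpointformatlist`, `if (s->hit) {`, looks inverted. `s->hit` is set when a cached session is being resumed, so the new code frees and reallocates the list only on resumption, which is the case where the SSL_SESSION may be shared with other connections, and never records the list on a full handshake. The upstream OpenSSL fix for CVE-2014-3509 skips the update on resumption, i.e. `if (!s->hit) {`. The identical hunk in lib/libssl/src/ssl/t1_lib.c earlier in this patch needs the same one-character change. ssl_parse_serverhello_tlsext starts and ends outside the hunk, so the remaining extension branches are not visible here.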