From a8c6c27cad118b49ec795223edb620022a4334a5 Mon Sep 17 00:00:00 2001
From: Georgiy Lebedev <g.lebedev@tarantool.org>
Date: Fri, 10 Feb 2023 11:23:52 +0300
Subject: [PATCH] static-build: fix potential NULL dereference in openssl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

`set_client_ciphersuite` can potentially dereference NULL if the session's
cipher is not set — add a check for this condition.

Closes tarantool/security#27

NO_CHANGELOG=<security fix>
NO_DOC=<security fix>
NO_TEST=<third-party security fix>
---
 static-build/cmake/AddDependencyProjects.cmake       |  1 +
 .../patches/openssl-tarantool-security-27.patch      | 12 ++++++++++++
 2 files changed, 13 insertions(+)
 create mode 100644 static-build/patches/openssl-tarantool-security-27.patch

diff --git a/static-build/cmake/AddDependencyProjects.cmake b/static-build/cmake/AddDependencyProjects.cmake
index 9496b4a314..d52dae7a35 100644
--- a/static-build/cmake/AddDependencyProjects.cmake
+++ b/static-build/cmake/AddDependencyProjects.cmake
@@ -75,6 +75,7 @@ ExternalProject_Add(openssl
         no-shared
     INSTALL_COMMAND ${CMAKE_MAKE_PROGRAM} install_sw
     PATCH_COMMAND patch -d <SOURCE_DIR> -p1 -i "${PATCHES_DIR}/openssl-111q-gh-18720.patch"
+    COMMAND       patch -d <SOURCE_DIR> -p1 -i "${PATCHES_DIR}/openssl-tarantool-security-27.patch"
     COMMAND       patch -d <SOURCE_DIR> -p1 -i "${PATCHES_DIR}/openssl-tarantool-security-54.patch"
 )
 set(TARANTOOL_DEPENDS openssl ${TARANTOOL_DEPENDS})
diff --git a/static-build/patches/openssl-tarantool-security-27.patch b/static-build/patches/openssl-tarantool-security-27.patch
new file mode 100644
index 0000000000..ce6600e3b5
--- /dev/null
+++ b/static-build/patches/openssl-tarantool-security-27.patch
@@ -0,0 +1,12 @@
+diff -ru a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
+--- a/ssl/statem/statem_clnt.c	2023-02-10 11:02:21.000000000 +0300
++++ b/ssl/statem/statem_clnt.c	2023-02-10 11:02:55.000000000 +0300
+@@ -1375,7 +1375,7 @@
+              * In TLSv1.3 it is valid for the server to select a different
+              * ciphersuite as long as the hash is the same.
+              */
+-            if (ssl_md(c->algorithm2)
++            if (s->session->cipher == NULL || ssl_md(c->algorithm2)
+                     != ssl_md(s->session->cipher->algorithm2)) {
+                 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
+                          SSL_F_SET_CLIENT_CIPHERSUITE,
-- 
GitLab