CVS commit: [netbsd-5-0] src/crypto/dist/openssl/ssl
Module Name:src Committed By: riz Date: Tue May 22 18:52:40 UTC 2012 Modified Files: src/crypto/dist/openssl/ssl [netbsd-5-0]: d1_enc.c Log Message: Pull up following revision(s) (requested by drochner in ticket #1762): crypto/dist/openssl/ssl/d1_enc.c: patch pull in upstream rev.22547: Sanity check record length before skipping explicit IV in TLS 1.2, 1.1 and DTLS to fix DoS attack. (CVE-2012-2333) To generate a diff of this commit: cvs rdiff -u -r1.1.1.3 -r1.1.1.3.8.1 src/crypto/dist/openssl/ssl/d1_enc.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/openssl/ssl/d1_enc.c diff -u src/crypto/dist/openssl/ssl/d1_enc.c:1.1.1.3 src/crypto/dist/openssl/ssl/d1_enc.c:1.1.1.3.8.1 --- src/crypto/dist/openssl/ssl/d1_enc.c:1.1.1.3 Fri May 9 21:34:43 2008 +++ src/crypto/dist/openssl/ssl/d1_enc.c Tue May 22 18:52:40 2012 @@ -254,7 +254,7 @@ int dtls1_enc(SSL *s, int send) } /* TLS 1.0 does not bound the number of padding bytes by the block size. * All of them must have value 'padding_length'. */ - if (i (int)rec-length) + if (i + bs (int)rec-length) { /* Incorrect padding. SSLerr() and ssl3_alert are done * by caller: we don't want to reveal whether this is
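Review bot: The comment directly above the changed line still describes the check as bounding only the padding bytes, while the new condition adds `bs`, which the log message says stands for the explicit IV skipped in TLS 1.1/1.2 and DTLS; extend it, e.g. `/* The padding (i bytes) and the explicit IV block (bs bytes) must both fit inside the record. */`, so the purpose of the extra term survives the next edit. The rendered hunk has lost the comparison operator and the `->` arrows, so the exact expression should be read from the file rather than from this page. The cast in `(int)rec->length` compares what is presumably an unsigned record length as a signed int; that is only safe because the record layer bounds the length well below INT_MAX, and a short comment recording that assumption would help. dtls1_enc begins and ends outside the hunk.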
CVS commit: [netbsd-5-0] src/crypto/dist/openssl/ssl
Module Name:src Committed By: riz Date: Wed Jan 25 18:55:04 UTC 2012 Modified Files: src/crypto/dist/openssl/ssl [netbsd-5-0]: d1_pkt.c Log Message: Apply patch (requested by drochner in ticket #1710): crypto/dist/openssl/ssl/d1_pkt.c Address CVE-2012-0050. To generate a diff of this commit: cvs rdiff -u -r1.1.1.5.8.1 -r1.1.1.5.8.2 src/crypto/dist/openssl/ssl/d1_pkt.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/openssl/ssl/d1_pkt.c diff -u src/crypto/dist/openssl/ssl/d1_pkt.c:1.1.1.5.8.1 src/crypto/dist/openssl/ssl/d1_pkt.c:1.1.1.5.8.2 --- src/crypto/dist/openssl/ssl/d1_pkt.c:1.1.1.5.8.1 Sun Jul 5 00:31:20 2009 +++ src/crypto/dist/openssl/ssl/d1_pkt.c Wed Jan 25 18:55:04 2012 @@ -375,6 +375,8 @@ dtls1_process_record(SSL *s) SSL3_RECORD *rr; unsigned int mac_size; unsigned char md[EVP_MAX_MD_SIZE]; + int decryption_failed_or_bad_record_mac = 0; + unsigned char *mac = NULL; rr= (s-s3-rrec); @@ -409,12 +411,10 @@ dtls1_process_record(SSL *s) enc_err = s-method-ssl3_enc-enc(s,0); if (enc_err = 0) { - if (enc_err == 0) - /* SSLerr() and ssl3_send_alert() have been called */ - goto err; - - /* otherwise enc_err == -1 */ - goto decryption_failed_or_bad_record_mac; + /* To minimize information leaked via timing, we will always + * perform all computations before discarding the message. + */ + decryption_failed_or_bad_record_mac = 1; } #ifdef TLS_DEBUG 
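Review bot: In the `@@ -409` hunk the `enc_err == 0` case, which the removed comment documented as "SSLerr() and ssl3_send_alert() have been called", now falls through to the MAC computation and then to the silent-discard path instead of `goto err`; if the enc callback really does send a fatal alert on that path, the record is no longer silently discarded and the new comment overstates what happens. Worth confirming against `ssl3_enc->enc` and either keeping an early `goto err` for the `== 0` case or adding `/* enc_err == 0: callee has already raised the alert */` so the two outcomes are distinguishable. Both hunks on this line are inside dtls1_process_record, whose body continues past them, and the rendering has dropped the `<` and `->` characters from `if (enc_err = 0)`.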
@@ -440,28 +440,32 @@ printf(\n); SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); goto f_err; #else - goto decryption_failed_or_bad_record_mac; + decryption_failed_or_bad_record_mac = 1; #endif } /* check the MAC for rr-input (it's in mac_size bytes at the tail) */ - if (rr-length mac_size) + if (rr-length = mac_size) { -#if 0 /* OK only for stream ciphers */ - al=SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); - goto f_err; -#else - goto decryption_failed_or_bad_record_mac; -#endif + rr-length -= mac_size; + mac = rr-data[rr-length]; } - rr-length-=mac_size; + else + rr-length = 0; i=s-method-ssl3_enc-mac(s,md,0); - if (memcmp(md,(rr-data[rr-length]),mac_size) != 0) + if (i 0 || mac == NULL || memcmp(md, mac, mac_size) != 0) { - goto decryption_failed_or_bad_record_mac; + decryption_failed_or_bad_record_mac = 1; } } + if (decryption_failed_or_bad_record_mac) + { + /* decryption failed, silently discard message */ + rr-length = 0; + s-packet_length = 0; + goto err; + } + /* r-length is now just compressed */ if (s-expand != NULL) { @@ -500,14 +504,6 @@ printf(\n); dtls1_record_bitmap_update(s, (s-d1-bitmap));/* Mark receipt of record. */ return(1); -decryption_failed_or_bad_record_mac: - /* Separate 'decryption_failed' alert was introduced with TLS 1.0, - * SSL 3.0 only has 'bad_record_mac'. But unless a decryption - * failure is directly visible from the ciphertext anyway, - * we should not reveal which kind of error occured -- this - * might become visible to an attacker (e.g. via logfile) */ - al=SSL_AD_BAD_RECORD_MAC; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); err:
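Review bot: The verification `memcmp(md, mac, mac_size) != 0` returns at the first differing byte, so its running time still depends on how much of a received MAC is correct, which cuts against the stated purpose of this change; if this tree has a fixed-time comparison helper it belongs here, otherwise a small loop that ORs the byte differences into an accumulator and tests it once at the end. Separately, the MAC is computed over `rr->length` after padding removal, so the amount of data hashed — and thus the time spent — still varies with the record contents; a comment stating that the discard is now uniform but not fully timing-neutral would stop readers assuming the leak is closed. `else rr->length = 0;` is an unbraced single-statement body beside a braced `if`; brace it to match. dtls1_process_record starts and ends outside the hunk.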
CVS commit: [netbsd-5-0] src/crypto/dist/openssl/ssl
Module Name:src Committed By: riz Date: Wed Jan 25 20:34:26 UTC 2012 Modified Files: src/crypto/dist/openssl/ssl [netbsd-5-0]: s3_enc.c Log Message: Apply patch (requested by drochner in ticket #1713): crypto/dist/openssl/ssl/s3_enc.c: patch Address CVE-2011-4576. [drochner, ticket #1713] To generate a diff of this commit: cvs rdiff -u -r1.1.1.12.8.1 -r1.1.1.12.8.2 \ src/crypto/dist/openssl/ssl/s3_enc.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/openssl/ssl/s3_enc.c diff -u src/crypto/dist/openssl/ssl/s3_enc.c:1.1.1.12.8.1 src/crypto/dist/openssl/ssl/s3_enc.c:1.1.1.12.8.2 --- src/crypto/dist/openssl/ssl/s3_enc.c:1.1.1.12.8.1 Mon Apr 12 00:46:57 2010 +++ src/crypto/dist/openssl/ssl/s3_enc.c Wed Jan 25 20:34:26 2012 @@ -504,6 +504,9 @@ int ssl3_enc(SSL *s, int send) /* we need to add 'i-1' padding bytes */ l+=i; + /* the last of these zero bytes will be overwritten + * with the padding length. */ + memset(rec-input[rec-length], 0, i); rec-length+=i; rec-input[l-1]=(i-1); }
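Review bot: The `memset` writes `i` bytes past `rec->length` into `rec->input`, so it relies on the caller having reserved at least a block's worth of room beyond the plaintext; where `i` is derived is above the hunk and ssl3_enc continues past it, so a line such as `/* caller sizes rec->input with room for a full block of padding past rec->length */` beside the memset would record the assumption. The added comment explains that the last zero byte is overwritten by `rec->input[l-1]=(i-1)`, which matches the code two lines down; it would be more useful if it also said why the zeroing matters, namely that the padding bytes were previously sent uninitialised, which is the CVE-2011-4576 issue the log names.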
CVS commit: [netbsd-5-0] src/crypto/dist/openssl/ssl
Module Name:src Committed By: bouyer Date: Wed Feb 16 21:00:32 UTC 2011 Modified Files: src/crypto/dist/openssl/ssl [netbsd-5-0]: t1_lib.c Log Message: Pull up following revision(s) (requested by spz in ticket #1545): crypto/external/bsd/openssl/dist/ssl/t1_lib.c: revision 1.4 via patch fix for CVE-2011-0014 (OCSP stapling vulnerability in OpenSSL) patch taken from http://www.openssl.org/news/secadv_20110208.txt To generate a diff of this commit: cvs rdiff -u -r1.2.8.2 -r1.2.8.3 src/crypto/dist/openssl/ssl/t1_lib.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/openssl/ssl/t1_lib.c diff -u src/crypto/dist/openssl/ssl/t1_lib.c:1.2.8.2 src/crypto/dist/openssl/ssl/t1_lib.c:1.2.8.3 --- src/crypto/dist/openssl/ssl/t1_lib.c:1.2.8.2 Fri Dec 10 21:44:33 2010 +++ src/crypto/dist/openssl/ssl/t1_lib.c Wed Feb 16 21:00:32 2011 @@ -810,6 +810,7 @@ } n2s(data, idsize); dsize -= 2 + idsize; + size -= 2 + idsize; if (dsize 0) { *al = SSL_AD_DECODE_ERROR; @@ -848,9 +849,14 @@ } /* Read in request_extensions */ +if (size 2) + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } n2s(data,dsize); size -= 2; -if (dsize size) +if (dsize != size) { *al = SSL_AD_DECODE_ERROR; return 0;
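Review bot: The new `size -= 2 + idsize;` in the responder_id loop keeps `size` in step with `dsize`, but only the `dsize` sign test follows it (the operator is lost in this rendering); that is sufficient only because `dsize` was already rejected when larger than `size` before the loop, outside the hunk, so `size >= dsize` holds throughout — a one-line `/* size >= dsize here, established before the loop */` would make the invariant visible where it is relied upon. In the second hunk the added `if (size < 2)` and its braces sit at column 0 while the surrounding lines are indented; match the function's indentation, since misleading indentation around nested ifs is exactly where later edits go wrong. Both hunks are inside a function whose start and end lie outside the diff.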
CVS commit: [netbsd-5-0] src/crypto/dist/openssl/ssl
Module Name:src Committed By: bouyer Date: Fri Dec 10 21:42:43 UTC 2010 Modified Files: src/crypto/dist/openssl/ssl [netbsd-5-0]: s3_clnt.c s3_srvr.c Log Message: Pull up following revision(s) (requested by drochner in ticket #1509): crypto/external/bsd/openssl/dist/ssl/s3_srvr.c: revision 1.6 via patch crypto/external/bsd/openssl/dist/ssl/s3_clnt.c: revision 1.3 via patch openssl security patch of the day: Fix a flaw in the OpenSSL SSL/TLS server code where an old bug workaround allows malicous clients to modify the stored session cache ciphersuite. In some cases the ciphersuite can be downgraded to a weaker one on subsequent connections. See http://www.openssl.org/news/secadv_20101202.txt (CVE-2010-4180) To generate a diff of this commit: cvs rdiff -u -r1.12.4.1.2.1 -r1.12.4.1.2.2 \ src/crypto/dist/openssl/ssl/s3_clnt.c cvs rdiff -u -r1.15.4.1.2.2 -r1.15.4.1.2.3 \ src/crypto/dist/openssl/ssl/s3_srvr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/openssl/ssl/s3_clnt.c diff -u src/crypto/dist/openssl/ssl/s3_clnt.c:1.12.4.1.2.1 src/crypto/dist/openssl/ssl/s3_clnt.c:1.12.4.1.2.2 --- src/crypto/dist/openssl/ssl/s3_clnt.c:1.12.4.1.2.1 Tue Sep 7 19:31:04 2010 +++ src/crypto/dist/openssl/ssl/s3_clnt.c Fri Dec 10 21:42:43 2010 @@ -842,8 +842,11 @@ s-session-cipher_id = s-session-cipher-id; if (s-hit (s-session-cipher_id != c-id)) { +/* Workaround is now obsolete */ +#if 0 if (!(s-options SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) +#endif { al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); Index: src/crypto/dist/openssl/ssl/s3_srvr.c diff -u src/crypto/dist/openssl/ssl/s3_srvr.c:1.15.4.1.2.2 src/crypto/dist/openssl/ssl/s3_srvr.c:1.15.4.1.2.3 --- src/crypto/dist/openssl/ssl/s3_srvr.c:1.15.4.1.2.2 Mon Apr 12 00:46:57 2010 +++ src/crypto/dist/openssl/ssl/s3_srvr.c Fri Dec 10 21:42:43 2010 
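Review bot: The client-side hunk wraps the `SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG` test in `#if 0` with only `/* Workaround is now obsolete */`, whereas the server-side hunk on the next line says why (`/* Disabled because it can be used in a ciphersuite downgrade attack: CVE-2010-4180. */`); use the same wording on both so a future reader does not re-enable the client branch thinking it is merely stale. Deleting the lines outright rather than `#if 0` would also avoid the orphaned `{ ... }` block that now follows the preprocessor guard in both files; if they are kept for diffability against upstream, say so in the comment. The enclosing functions in both files extend beyond the hunks.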
@@ -959,12 +959,17 @@ } if (j == 0) { +/* Disabled because it can be used in a ciphersuite downgrade + * attack: CVE-2010-4180. + */ +#if 0 if ((s-options SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) (sk_SSL_CIPHER_num(ciphers) == 1)) { /* Very bad for multi-threading */ s-session-cipher=sk_SSL_CIPHER_value(ciphers, 0); } else +#endif { /* we need to have the cipher in the cipher * list if we are asked to reuse it */
CVS commit: [netbsd-5-0] src/crypto/dist/openssl/ssl
Module Name:src Committed By: bouyer Date: Fri Dec 10 21:44:33 UTC 2010 Modified Files: src/crypto/dist/openssl/ssl [netbsd-5-0]: t1_lib.c Log Message: Pull up following revision(s) (requested by drochner in ticket #1510): crypto/external/bsd/openssl/dist/ssl/t1_lib.c: revision 1.3 via patch fix bug introduced by last security patch, from upstream CVS: Don't assume a decode error if session tlsext_ecpointformatlist is not NULL: it can be legitimately set elsewhere. To generate a diff of this commit: cvs rdiff -u -r1.2.8.1 -r1.2.8.2 src/crypto/dist/openssl/ssl/t1_lib.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/openssl/ssl/t1_lib.c diff -u src/crypto/dist/openssl/ssl/t1_lib.c:1.2.8.1 src/crypto/dist/openssl/ssl/t1_lib.c:1.2.8.2 --- src/crypto/dist/openssl/ssl/t1_lib.c:1.2.8.1 Fri Nov 19 21:12:02 2010 +++ src/crypto/dist/openssl/ssl/t1_lib.c Fri Dec 10 21:44:33 2010 @@ -689,8 +689,8 @@ { if(s-session-tlsext_ecpointformatlist) { - *al = TLS1_AD_DECODE_ERROR; - return 0; + OPENSSL_free(s-session-tlsext_ecpointformatlist); + s-session-tlsext_ecpointformatlist = NULL; } s-session-tlsext_ecpointformatlist_length = 0; if ((s-session-tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
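Review bot: Freeing and NULLing `tlsext_ecpointformatlist` before the fresh allocation removes the false decode error, but the sibling `tlsext_ellipticcurvelist` branch (see the ticket #1479 hunks later on this page) still returns `TLS1_AD_DECODE_ERROR` when its pointer is already set; the log message's reasoning — the pointer can legitimately be set elsewhere — may apply there too, so it is worth checking whether the same replacement is needed. A short comment at the free, e.g. `/* may already be set elsewhere (ticket #1510); replace it rather than treat as a decode error */`, would carry that rationale into the code. The enclosing function continues outside the hunk.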
CVS commit: [netbsd-5-0] src/crypto/dist/openssl/ssl
Module Name:src Committed By: riz Date: Fri Nov 19 21:12:02 UTC 2010 Modified Files: src/crypto/dist/openssl/ssl [netbsd-5-0]: t1_lib.c Log Message: Pull up following revision(s) (requested by christos in ticket #1479): crypto/dist/openssl/ssl/t1_lib.c: patch apply patch from http://www.openssl.org/news/secadv_20101116.txt to fix a race condition which can be exploited in a buffer overrun attack (CVE-2010-3864) To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.2.8.1 src/crypto/dist/openssl/ssl/t1_lib.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/openssl/ssl/t1_lib.c diff -u src/crypto/dist/openssl/ssl/t1_lib.c:1.2 src/crypto/dist/openssl/ssl/t1_lib.c:1.2.8.1 --- src/crypto/dist/openssl/ssl/t1_lib.c:1.2 Thu Jun 5 15:30:10 2008 +++ src/crypto/dist/openssl/ssl/t1_lib.c Fri Nov 19 21:12:02 2010 @@ -625,14 +625,23 @@ switch (servname_type) { case TLSEXT_NAMETYPE_host_name: - if (s-session-tlsext_hostname == NULL) + if (!s-hit) { - if (len TLSEXT_MAXLEN_host_name || - ((s-session-tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) + if(s-session-tlsext_hostname) + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } + if (len TLSEXT_MAXLEN_host_name) { *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } + if ((s-session-tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) + { + *al = TLS1_AD_INTERNAL_ERROR; + return 0; + } memcpy(s-session-tlsext_hostname, sdata, len); s-session-tlsext_hostname[len]='\0'; if (strlen(s-session-tlsext_hostname) != len) { @@ -645,7 +654,8 @@ } else - s-servername_done = strlen(s-session-tlsext_hostname) == len + s-servername_done = s-session-tlsext_hostname + strlen(s-session-tlsext_hostname) == len strncmp(s-session-tlsext_hostname, (char *)sdata, len) == 0; break; 
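Review bot: The host_name branch raises `SSL_AD_DECODE_ERROR` for an already-set hostname while the ecpointformat and ellipticcurve branches on the following lines use `TLS1_AD_DECODE_ERROR` for the same condition; pick one spelling, since mixed use reads as a deliberate difference even if the two presumably share a value. The second hunk's `servername_done = s->session->tlsext_hostname && strlen(...) == len && strncmp(...) == 0` (the `&&` operators are lost in this rendering) is what stops `strlen` running on a NULL hostname on the resumed path, which is the substance of the fix; a comment such as `/* resumed session: accept only a name identical to the stored one */` would make that intent explicit. ssl_parse_clienthello_tlsext continues outside both hunks.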
@@ -675,15 +685,22 @@ *al = TLS1_AD_DECODE_ERROR; return 0; } - s-session-tlsext_ecpointformatlist_length = 0; - if (s-session-tlsext_ecpointformatlist != NULL) OPENSSL_free(s-session-tlsext_ecpointformatlist); - if ((s-session-tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) + if (!s-hit) { -*al = TLS1_AD_INTERNAL_ERROR; -return 0; +if(s-session-tlsext_ecpointformatlist) + { + *al = TLS1_AD_DECODE_ERROR; + return 0; + } +s-session-tlsext_ecpointformatlist_length = 0; +if ((s-session-tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) + { + *al = TLS1_AD_INTERNAL_ERROR; + return 0; + } +s-session-tlsext_ecpointformatlist_length = ecpointformatlist_length; +memcpy(s-session-tlsext_ecpointformatlist, sdata, ecpointformatlist_length); } - s-session-tlsext_ecpointformatlist_length = ecpointformatlist_length; - memcpy(s-session-tlsext_ecpointformatlist, sdata, ecpointformatlist_length); #if 0 fprintf(stderr,ssl_parse_clienthello_tlsext s-session-tlsext_ecpointformatlist (length=%i) , s-session-tlsext_ecpointformatlist_length); sdata = s-session-tlsext_ecpointformatlist; 
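Review bot: The lines added inside the new `if (!s->hit)` block — the non-NULL test, the length reset, the malloc and the `memcpy` — are at column 0 while the braces they control are indented, and the ellipticcurvelist hunk on the next line has the same layout; re-indent both to the function's level, because misleading indentation around nested ifs is where unintended control flow hides. The `memcpy` copies `ecpointformatlist_length` bytes from `sdata`; the bound check that justifies that presumably sits just above the hunk (the `return 0` at its top suggests one), so a brief `/* length validated against the remaining extension size above */` would let a reader verify it without scrolling. The enclosing function extends beyond both hunks.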
@@ -703,15 +720,22 @@ *al = TLS1_AD_DECODE_ERROR; return 0; } - s-session-tlsext_ellipticcurvelist_length = 0; - if (s-session-tlsext_ellipticcurvelist != NULL) OPENSSL_free(s-session-tlsext_ellipticcurvelist); - if ((s-session-tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) + if (!s-hit) { -*al = TLS1_AD_INTERNAL_ERROR; -return 0; +if(s-session-tlsext_ellipticcurvelist) + { + *al = TLS1_AD_DECODE_ERROR; + return 0; + } +s-session-tlsext_ellipticcurvelist_length = 0; +if ((s-session-tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) + { + *al = TLS1_AD_INTERNAL_ERROR; + return 0; + } +s-session-tlsext_ellipticcurvelist_length = ellipticcurvelist_length; +memcpy(s-session-tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); } - s-session-tlsext_ellipticcurvelist_length = ellipticcurvelist_length; - memcpy(s-session-tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); #if 0 fprintf(stderr,ssl_parse_clienthello_tlsext s-session-tlsext_ellipticcurvelist (length=%i) , s-session-tlsext_ellipticcurvelist_length); sdata = s-session-tlsext_ellipticcurvelist;
CVS commit: [netbsd-5-0] src/crypto/dist/openssl/ssl
Module Name:src Committed By: bouyer Date: Tue Sep 7 19:31:04 UTC 2010 Modified Files: src/crypto/dist/openssl/ssl [netbsd-5-0]: s3_clnt.c Log Message: Pull up following revision(s) (requested by drochner in ticket #1447): crypto/external/bsd/openssl/dist/ssl/s3_clnt.c: revision 1.2 via patch fix a double free() in error case, see the thread openssl-1.0.0a and glibc detected sthg ;) in openssl-dev. I was getting a SEGV with the example posted there. To generate a diff of this commit: cvs rdiff -u -r1.12.4.1 -r1.12.4.1.2.1 src/crypto/dist/openssl/ssl/s3_clnt.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/openssl/ssl/s3_clnt.c diff -u src/crypto/dist/openssl/ssl/s3_clnt.c:1.12.4.1 src/crypto/dist/openssl/ssl/s3_clnt.c:1.12.4.1.2.1 --- src/crypto/dist/openssl/ssl/s3_clnt.c:1.12.4.1 Tue Jan 20 21:28:09 2009 +++ src/crypto/dist/openssl/ssl/s3_clnt.c Tue Sep 7 19:31:04 2010 @@ -1460,6 +1460,7 @@ s-session-sess_cert-peer_ecdh_tmp=ecdh; ecdh=NULL; BN_CTX_free(bn_ctx); + bn_ctx = NULL; EC_POINT_free(srvr_ecpoint); srvr_ecpoint = NULL; }
CVS commit: [netbsd-5-0] src/crypto/dist/openssl/ssl
Module Name:src Committed By: snj Date: Sun Mar 28 15:22:01 UTC 2010 Modified Files: src/crypto/dist/openssl/ssl [netbsd-5-0]: s3_pkt.c Log Message: Apply patch (requested by bouyer in ticket #1355): Apply patchset 19476 from openssl repository, fixing CVE-2010-0740. from http://www.openssl.org/news/secadv_20100324.txt: In TLS connections, certain incorrectly formatted records can cause an OpenSSL client or server to crash due to a read attempt at NULL. To generate a diff of this commit: cvs rdiff -u -r1.9.8.2 -r1.9.8.3 src/crypto/dist/openssl/ssl/s3_pkt.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/openssl/ssl/s3_pkt.c diff -u src/crypto/dist/openssl/ssl/s3_pkt.c:1.9.8.2 src/crypto/dist/openssl/ssl/s3_pkt.c:1.9.8.3 --- src/crypto/dist/openssl/ssl/s3_pkt.c:1.9.8.2 Tue Jan 12 09:08:45 2010 +++ src/crypto/dist/openssl/ssl/s3_pkt.c Sun Mar 28 15:22:01 2010 @@ -313,9 +313,9 @@ if (version != s-version) { SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); -/* Send back error using their - * version number :-) */ -s-version=version; +if ((s-version 0xFF00) == (version 0xFF00)) + /* Send back error using their minor version number :-) */ + s-version = (unsigned short)version; al=SSL_AD_PROTOCOL_VERSION; goto f_err; }
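Review bot: The new `if ((s->version & 0xFF00) == (version & 0xFF00))` has an unbraced single-statement body separated from its condition by a comment line; brace it so a later insertion cannot silently land outside the conditional. `0xFF00` appears twice as a magic number; a named mask or a comment such as `/* same major version: echo the peer's minor version in the alert */` would say what is being compared. The `&` operators are lost in this rendering, and ssl3_get_record continues outside the hunk.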
CVS commit: [netbsd-5-0] src/crypto/dist/openssl/ssl
Module Name:src Committed By: snj Date: Tue Jan 12 09:08:45 UTC 2010 Modified Files: src/crypto/dist/openssl/ssl [netbsd-5-0]: s3_lib.c s3_pkt.c s3_srvr.c ssl_locl.h Log Message: Apply patch (requested by tonnerre in ticket #1237): Disable OpenSSL renegotiation, thus avoiding CVE-2009-3555. To generate a diff of this commit: cvs rdiff -u -r1.14 -r1.14.8.1 src/crypto/dist/openssl/ssl/s3_lib.c cvs rdiff -u -r1.9.8.1 -r1.9.8.2 src/crypto/dist/openssl/ssl/s3_pkt.c cvs rdiff -u -r1.15.4.1 -r1.15.4.1.2.1 src/crypto/dist/openssl/ssl/s3_srvr.c cvs rdiff -u -r1.13 -r1.13.8.1 src/crypto/dist/openssl/ssl/ssl_locl.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/openssl/ssl/s3_lib.c diff -u src/crypto/dist/openssl/ssl/s3_lib.c:1.14 src/crypto/dist/openssl/ssl/s3_lib.c:1.14.8.1 --- src/crypto/dist/openssl/ssl/s3_lib.c:1.14 Tue Jun 10 19:45:00 2008 +++ src/crypto/dist/openssl/ssl/s3_lib.c Tue Jan 12 09:08:44 2010 @@ -3289,6 +3289,9 @@ if (s-s3-flags SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) return(0); + if (!(s-s3-flags SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) + return(0); + s-s3-renegotiate=1; return(1); } Index: src/crypto/dist/openssl/ssl/s3_pkt.c diff -u src/crypto/dist/openssl/ssl/s3_pkt.c:1.9.8.1 src/crypto/dist/openssl/ssl/s3_pkt.c:1.9.8.2 --- src/crypto/dist/openssl/ssl/s3_pkt.c:1.9.8.1 Sun Jul 5 00:31:20 2009 +++ src/crypto/dist/openssl/ssl/s3_pkt.c Tue Jan 12 09:08:45 2010 @@ -1041,6 +1041,7 @@ if (SSL_is_init_finished(s) !(s-s3-flags SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) + (s-s3-flags SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) !s-s3-renegotiate) { ssl3_renegotiate(s); 
@@ -1173,7 +1174,8 @@ if ((s-s3-handshake_fragment_len = 4) !s-in_handshake) { if (((s-stateSSL_ST_MASK) == SSL_ST_OK) - !(s-s3-flags SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) + !(s-s3-flags SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) + (s-s3-flags SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { #if 0 /* worked only because C operator preferences are not as expected (and * because this is not really needed for clients except for detecting Index: src/crypto/dist/openssl/ssl/s3_srvr.c diff -u src/crypto/dist/openssl/ssl/s3_srvr.c:1.15.4.1 src/crypto/dist/openssl/ssl/s3_srvr.c:1.15.4.1.2.1 --- src/crypto/dist/openssl/ssl/s3_srvr.c:1.15.4.1 Tue Jan 20 21:28:09 2009 +++ src/crypto/dist/openssl/ssl/s3_srvr.c Tue Jan 12 09:08:45 2010 @@ -763,6 +763,14 @@ #endif STACK_OF(SSL_CIPHER) *ciphers=NULL; + if (s-new_session + !(s-s3-flagsSSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) + { + al=SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); + goto f_err; + } + /* We do this so that we will respond with our native type. * If we are TLSv1 and we get SSLv3, we will respond with TLSv1, * This down switching should be handled by a different method. Index: src/crypto/dist/openssl/ssl/ssl_locl.h diff -u src/crypto/dist/openssl/ssl/ssl_locl.h:1.13 src/crypto/dist/openssl/ssl/ssl_locl.h:1.13.8.1 --- src/crypto/dist/openssl/ssl/ssl_locl.h:1.13 Tue Jun 10 19:45:00 2008 +++ src/crypto/dist/openssl/ssl/ssl_locl.h Tue Jan 12 09:08:45 2010 @@ -450,6 +450,8 @@ #define NAMED_CURVE_TYPE 3 #endif /* OPENSSL_NO_EC */ +#define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010 + typedef struct cert_pkey_st { X509 *x509;
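Review bot: In the s3_srvr.c hunk the refused renegotiation is reported with `SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR)`, so it will appear in error queues and logs as an internal fault rather than a deliberate policy decision; a dedicated SSL_R_ reason naming legacy renegotiation (if this tree's error tables have one, otherwise one added alongside) would make triage of the resulting handshake failures far easier, and a comment `/* renegotiation refused: CVE-2009-3555 mitigation */` should accompany the check either way. The ssl_locl.h hunk defines `SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` in the library-private header, so applications cannot set it and the allow-paths added in s3_lib.c and s3_pkt.c are unreachable from outside the library; if that is intended (the log says renegotiation is disabled) say so at the define, and confirm `0x0010` does not collide with the SSL3_FLAGS_ bits declared in the public header. The enclosing functions in all three .c files extend beyond their hunks.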
CVS commit: [netbsd-5-0] src/crypto/dist/openssl/ssl
Module Name:src Committed By: snj Date: Sun Jul 5 14:19:35 UTC 2009 Modified Files: src/crypto/dist/openssl/ssl [netbsd-5-0]: d1_both.c Log Message: Pull up following revision(s) (requested by tonnerre in ticket #850): crypto/dist/openssl/ssl/d1_both.c: revision 1.4 Forgot to commit this last night with the rest of ticket 850. Sigh. Fix various vulnerabilities in OpenSSL which have not previously been addressed: CVE-2009-1377, CVE-2009-1378, CVE-2009-1379, CVE-2009-1386 and CVE-2009-1387. Changes deal mostly with size checking of various elements and fixes to various error paths. To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.3.8.1 src/crypto/dist/openssl/ssl/d1_both.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/crypto/dist/openssl/ssl/d1_both.c diff -u src/crypto/dist/openssl/ssl/d1_both.c:1.3 src/crypto/dist/openssl/ssl/d1_both.c:1.3.8.1 --- src/crypto/dist/openssl/ssl/d1_both.c:1.3 Fri May 9 21:49:42 2008 +++ src/crypto/dist/openssl/ssl/d1_both.c Sun Jul 5 14:19:35 2009 @@ -518,6 +518,7 @@ if ( s-d1-handshake_read_seq == frag-msg_header.seq) { + unsigned long frag_len = frag-msg_header.frag_len; pqueue_pop(s-d1-buffered_messages); al=dtls1_preprocess_fragment(s,frag-msg_header,max); @@ -535,7 +536,7 @@ if (al==0) { *ok = 1; - return frag-msg_header.frag_len; + return frag_len; } ssl3_send_alert(s,SSL3_AL_FATAL,al); 
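Review bot: Copying `frag->msg_header.frag_len` into the local `frag_len` before `pqueue_pop` and returning the copy avoids reading through `frag` after the fragment is presumably released later in the function (the free itself is not visible in the hunk), but nothing in the code says so; a comment on the new line such as `/* frag is released before we return; keep the length */` would stop someone simplifying it back to the field access. The enclosing function extends beyond both hunks.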
@@ -560,7 +561,16 @@ if ((msg_hdr-frag_off+frag_len) msg_hdr-msg_len) goto err; - if (msg_hdr-seq = s-d1-handshake_read_seq) + /* Try to find item in queue, to prevent duplicate entries */ + memset(seq64be,0,sizeof(seq64be)); + seq64be[6] = (unsigned char) (msg_hdr-seq8); + seq64be[7] = (unsigned char) msg_hdr-seq; + item = pqueue_find(s-d1-buffered_messages, seq64be); + + /* Discard the message if sequence number was already there, is + * too far in the future or the fragment is already in the queue */ + if (msg_hdr-seq = s-d1-handshake_read_seq || + msg_hdr-seq s-d1-handshake_read_seq + 10 || item != NULL) { unsigned char devnull [256]; @@ -574,30 +584,31 @@ } } - frag = dtls1_hm_fragment_new(frag_len); - if ( frag == NULL) - goto err; + if (frag_len) + { + frag = dtls1_hm_fragment_new(frag_len); + if ( frag == NULL) + goto err; - memcpy((frag-msg_header), msg_hdr, sizeof(*msg_hdr)); + memcpy((frag-msg_header), msg_hdr, sizeof(*msg_hdr)); - if (frag_len) - { /* read the body of the fragment (header has already been read */ i = s-method-ssl_read_bytes(s,SSL3_RT_HANDSHAKE, frag-fragment,frag_len,0); if (i=0 || (unsigned long)i!=frag_len) goto err; - } - memset(seq64be,0,sizeof(seq64be)); - seq64be[6] = (unsigned char)(msg_hdr-seq8); - seq64be[7] = (unsigned char)(msg_hdr-seq); + pq_64bit_init(seq64); + pq_64bit_assign_word(seq64, msg_hdr-seq); - item = pitem_new(seq64be, frag); - if ( item == NULL) - goto err; + item = pitem_new(seq64be, frag); + pq_64bit_free(seq64); + if ( item == NULL) + goto err; + + pqueue_insert(s-d1-buffered_messages, item); + } - pqueue_insert(s-d1-buffered_messages, item); return DTLS1_HM_FRAGMENT_RETRY; err:
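Review bot: `pq_64bit_init(seq64)` and `pq_64bit_assign_word(seq64, msg_hdr->seq)` prepare `seq64`, but `pitem_new(seq64be, frag)` still keys the item with `seq64be` (filled earlier in the hunk) and `seq64` is then freed without ever being read; either pass `seq64` to `pitem_new` or drop the three `pq_64bit_*` lines, because as written a reader cannot tell which key format the queue expects. On the `goto err` paths taken after `dtls1_hm_fragment_new` has succeeded — the short `ssl_read_bytes` and the failed `pitem_new` — `frag` is already allocated; the `err:` label is outside the hunk, so confirm it releases `frag`, otherwise repeated truncated fragments leak memory. `handshake_read_seq + 10` is a magic window size; give it a named constant with a comment on why ten. The enclosing function extends beyond the hunk.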