Date: Saturday, January 4, 2014 @ 00:42:52
Author: pierre
Revision: 203086
Fix CVE-2013-6449 and CVE-2013-6450
Added:
openssl/trunk/openssl-1.0.1-Check-EVP-errors-for-handshake-digests.patch
openssl/trunk/openssl-1.0.1-Fix-DTLS-retransmission-from-previous-session.patch
openssl/trunk/openssl-1.0.1-Use-version-in-SSL_METHOD-not-SSL-structure.patch
Modified:
openssl/trunk/PKGBUILD
-------------------------------------------------------------------+
PKGBUILD | 17 +-
openssl-1.0.1-Check-EVP-errors-for-handshake-digests.patch | 77
+++++++++
openssl-1.0.1-Fix-DTLS-retransmission-from-previous-session.patch | 78
++++++++++
openssl-1.0.1-Use-version-in-SSL_METHOD-not-SSL-structure.patch | 30 +++
4 files changed, 199 insertions(+), 3 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2014-01-03 21:43:12 UTC (rev 203085)
+++ PKGBUILD 2014-01-03 23:42:52 UTC (rev 203086)
@@ -6,7 +6,7 @@
# use a pacman compatible version scheme
pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}}
#pkgver=$_ver
-pkgrel=5
+pkgrel=6
pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer
Security'
arch=('i686' 'x86_64')
url='https://www.openssl.org'
@@ -21,7 +21,10 @@
'ca-dir.patch'
'openssl-1.0.1e-fix_pod_syntax-1.patch'
'openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch'
-
'openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch')
+
'openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch'
+ 'openssl-1.0.1-Check-EVP-errors-for-handshake-digests.patch'
+ 'openssl-1.0.1-Use-version-in-SSL_METHOD-not-SSL-structure.patch'
+ 'openssl-1.0.1-Fix-DTLS-retransmission-from-previous-session.patch')
md5sums=('66bf6f10f060d561929de96f9dfe5b8c'
'SKIP'
'dc78d3d06baffc16217519242ce92478'
@@ -28,7 +31,10 @@
'3bf51be3a1bbd262be46dc619f92aa90'
'88d3bef4bbdc640b0412315d8d347bdf'
'ae7848bb152b8834ceff30c8c480d422'
- 'c5cc62a47cef72f4e5ad119a88e97ae4')
+ 'c5cc62a47cef72f4e5ad119a88e97ae4'
+ '3f674c14f07d9c7efd64c58e966eda83'
+ '756362dfdd40cee380d3158022415fc4'
+ 'fc0c0466ea2f4f8446d16050a9639dee')
prepare() {
cd $srcdir/$pkgname-$_ver
@@ -45,6 +51,11 @@
# Communication problems with 1.0.1e
# http://rt.openssl.org/Ticket/Display.html?id=3002
patch -p1 -i
$srcdir/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch
+ # CVE-2013-6449; FS#38357
+ patch -p1 -i
$srcdir/openssl-1.0.1-Check-EVP-errors-for-handshake-digests.patch
+ patch -p1 -i
$srcdir/openssl-1.0.1-Use-version-in-SSL_METHOD-not-SSL-structure.patch
+ # CVE-2013-6450
+ patch -p1 -i
$srcdir/openssl-1.0.1-Fix-DTLS-retransmission-from-previous-session.patch
}
build() {
Added: openssl-1.0.1-Check-EVP-errors-for-handshake-digests.patch
===================================================================
--- openssl-1.0.1-Check-EVP-errors-for-handshake-digests.patch
(rev 0)
+++ openssl-1.0.1-Check-EVP-errors-for-handshake-digests.patch 2014-01-03
23:42:52 UTC (rev 203086)
@@ -0,0 +1,77 @@
+From 0294b2be5f4c11e60620c0018674ff0e17b14238 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <st...@openssl.org>
+Date: Sat, 14 Dec 2013 13:55:48 +0000
+Subject: Check EVP errors for handshake digests.
+
+Partial mitigation of PR#3200
+---
+ ssl/s3_both.c | 2 ++
+ ssl/s3_pkt.c | 8 +++++++-
+ ssl/t1_enc.c | 11 ++++++-----
+ 3 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/ssl/s3_both.c b/ssl/s3_both.c
+index ead01c8..1e5dcab 100644
+--- a/ssl/s3_both.c
++++ b/ssl/s3_both.c
+@@ -161,6 +161,8 @@ int ssl3_send_finished(SSL *s, int a, int b, const char
*sender, int slen)
+
+ i=s->method->ssl3_enc->final_finish_mac(s,
+ sender,slen,s->s3->tmp.finish_md);
++ if (i == 0)
++ return 0;
+ s->s3->tmp.finish_md_len = i;
+ memcpy(p, s->s3->tmp.finish_md, i);
+ p+=i;
+diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
+index 804291e..c4bc4e7 100644
+--- a/ssl/s3_pkt.c
++++ b/ssl/s3_pkt.c
+@@ -1459,8 +1459,14 @@ int ssl3_do_change_cipher_spec(SSL *s)
+ slen=s->method->ssl3_enc->client_finished_label_len;
+ }
+
+- s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
++ i = s->method->ssl3_enc->final_finish_mac(s,
+ sender,slen,s->s3->tmp.peer_finish_md);
++ if (i == 0)
++ {
++ SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++ s->s3->tmp.peer_finish_md_len = i;
+
+ return(1);
+ }
+diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
+index 809ad2e..72015f5 100644
+--- a/ssl/t1_enc.c
++++ b/ssl/t1_enc.c
+@@ -915,18 +915,19 @@ int tls1_final_finish_mac(SSL *s,
+ if (mask & ssl_get_algorithm2(s))
+ {
+ int hashsize = EVP_MD_size(md);
+- if (hashsize < 0 || hashsize > (int)(sizeof buf -
(size_t)(q-buf)))
++ EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx];
++ if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof
buf - (size_t)(q-buf)))
+ {
+ /* internal error: 'buf' is too small for this
cipersuite! */
+ err = 1;
+ }
+ else
+ {
+-
EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]);
+- EVP_DigestFinal_ex(&ctx,q,&i);
+- if (i != (unsigned int)hashsize) /* can't
really happen */
++ if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) ||
++ !EVP_DigestFinal_ex(&ctx,q,&i) ||
++ (i != (unsigned int)hashsize))
+ err = 1;
+- q+=i;
++ q+=hashsize;
+ }
+ }
+ }
+--
+1.8.5.2
+
Added: openssl-1.0.1-Fix-DTLS-retransmission-from-previous-session.patch
===================================================================
--- openssl-1.0.1-Fix-DTLS-retransmission-from-previous-session.patch
(rev 0)
+++ openssl-1.0.1-Fix-DTLS-retransmission-from-previous-session.patch
2014-01-03 23:42:52 UTC (rev 203086)
@@ -0,0 +1,78 @@
+From 34628967f1e65dc8f34e000f0f5518e21afbfc7b Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <st...@openssl.org>
+Date: Fri, 20 Dec 2013 15:26:50 +0000
+Subject: Fix DTLS retransmission from previous session.
+
+For DTLS we might need to retransmit messages from the previous session
+so keep a copy of write context in DTLS retransmission buffers instead
+of replacing it after sending CCS. CVE-2013-6450.
+---
+ ssl/d1_both.c | 6 ++++++
+ ssl/ssl_locl.h | 2 ++
+ ssl/t1_enc.c | 17 +++++++++++------
+ 3 files changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/ssl/d1_both.c b/ssl/d1_both.c
+index 65ec001..7a5596a 100644
+--- a/ssl/d1_both.c
++++ b/ssl/d1_both.c
+@@ -214,6 +214,12 @@ dtls1_hm_fragment_new(unsigned long frag_len, int
reassembly)
+ static void
+ dtls1_hm_fragment_free(hm_fragment *frag)
+ {
++
++ if (frag->msg_header.is_ccs)
++ {
++
EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx);
++
EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash);
++ }
+ if (frag->fragment) OPENSSL_free(frag->fragment);
+ if (frag->reassembly) OPENSSL_free(frag->reassembly);
+ OPENSSL_free(frag);
+diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
+index 96ce9a7..e485907 100644
+--- a/ssl/ssl_locl.h
++++ b/ssl/ssl_locl.h
+@@ -621,6 +621,8 @@ extern SSL3_ENC_METHOD TLSv1_enc_data;
+ extern SSL3_ENC_METHOD SSLv3_enc_data;
+ extern SSL3_ENC_METHOD DTLSv1_enc_data;
+
++#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION)
++
+ #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \
+ s_get_meth) \
+ const SSL_METHOD *func_name(void) \
+diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
+index 72015f5..56db834 100644
+--- a/ssl/t1_enc.c
++++ b/ssl/t1_enc.c
+@@ -414,15 +414,20 @@ int tls1_change_cipher_state(SSL *s, int which)
+ s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
+ else
+ s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
+- if (s->enc_write_ctx != NULL)
++ if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s))
+ reuse_dd = 1;
+- else if
((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
++ else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL)
+ goto err;
+- else
+- /* make sure it's intialized in case we exit later with
an error */
+- EVP_CIPHER_CTX_init(s->enc_write_ctx);
+ dd= s->enc_write_ctx;
+- mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
++ if (SSL_IS_DTLS(s))
++ {
++ mac_ctx = EVP_MD_CTX_create();
++ if (!mac_ctx)
++ goto err;
++ s->write_hash = mac_ctx;
++ }
++ else
++ mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
+ #ifndef OPENSSL_NO_COMP
+ if (s->compress != NULL)
+ {
+--
+1.8.5.2
+
Added: openssl-1.0.1-Use-version-in-SSL_METHOD-not-SSL-structure.patch
===================================================================
--- openssl-1.0.1-Use-version-in-SSL_METHOD-not-SSL-structure.patch
(rev 0)
+++ openssl-1.0.1-Use-version-in-SSL_METHOD-not-SSL-structure.patch
2014-01-03 23:42:52 UTC (rev 203086)
@@ -0,0 +1,30 @@
+From ca989269a2876bae79393bd54c3e72d49975fc75 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <st...@openssl.org>
+Date: Thu, 19 Dec 2013 14:37:39 +0000
+Subject: Use version in SSL_METHOD not SSL structure.
+
+When deciding whether to use TLS 1.2 PRF and record hash algorithms
+use the version number in the corresponding SSL_METHOD structure
+instead of the SSL structure. The SSL structure version is sometimes
+inaccurate. Note: OpenSSL 1.0.2 and later effectively do this already.
+(CVE-2013-6449)
+---
+ ssl/s3_lib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
+index bf832bb..c4ef273 100644
+--- a/ssl/s3_lib.c
++++ b/ssl/s3_lib.c
+@@ -4286,7 +4286,7 @@ need to go to SSL_ST_ACCEPT.
+ long ssl_get_algorithm2(SSL *s)
+ {
+ long alg2 = s->s3->tmp.new_cipher->algorithm2;
+- if (TLS1_get_version(s) >= TLS1_2_VERSION &&
++ if (s->method->version == TLS1_2_VERSION &&
+ alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
+ return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
+ return alg2;
+--
+1.8.5.2
+
