Date: Saturday, January 4, 2014 @ 00:42:52 Author: pierre Revision: 203086
Fix CVE-2013-6449 and CVE-2013-6450
Added:
 openssl/trunk/openssl-1.0.1-Check-EVP-errors-for-handshake-digests.patch
 openssl/trunk/openssl-1.0.1-Fix-DTLS-retransmission-from-previous-session.patch
 openssl/trunk/openssl-1.0.1-Use-version-in-SSL_METHOD-not-SSL-structure.patch
Modified:
 openssl/trunk/PKGBUILD
-------------------------------------------------------------------+
 PKGBUILD | 17 +-
 openssl-1.0.1-Check-EVP-errors-for-handshake-digests.patch | 77 +++++++++
 openssl-1.0.1-Fix-DTLS-retransmission-from-previous-session.patch | 78 ++++++++++
 openssl-1.0.1-Use-version-in-SSL_METHOD-not-SSL-structure.patch | 30 +++
 4 files changed, 199 insertions(+), 3 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2014-01-03 21:43:12 UTC (rev 203085)
+++ PKGBUILD 2014-01-03 23:42:52 UTC (rev 203086)
@@ -6,7 +6,7 @@
 # use a pacman compatible version scheme
 pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}}
 #pkgver=$_ver
-pkgrel=5
+pkgrel=6
 pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer Security'
 arch=('i686' 'x86_64')
 url='https://www.openssl.org'
@@ -21,7 +21,10 @@
 'ca-dir.patch'
 'openssl-1.0.1e-fix_pod_syntax-1.patch'
 'openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch'
- 'openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch')
+ 'openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch'
+ 'openssl-1.0.1-Check-EVP-errors-for-handshake-digests.patch'
+ 'openssl-1.0.1-Use-version-in-SSL_METHOD-not-SSL-structure.patch'
+ 'openssl-1.0.1-Fix-DTLS-retransmission-from-previous-session.patch')
 md5sums=('66bf6f10f060d561929de96f9dfe5b8c'
 'SKIP'
 'dc78d3d06baffc16217519242ce92478'
@@ -28,7 +31,10 @@
 '3bf51be3a1bbd262be46dc619f92aa90'
 '88d3bef4bbdc640b0412315d8d347bdf'
 'ae7848bb152b8834ceff30c8c480d422'
- 'c5cc62a47cef72f4e5ad119a88e97ae4')
+ 'c5cc62a47cef72f4e5ad119a88e97ae4'
+ '3f674c14f07d9c7efd64c58e966eda83'
+ '756362dfdd40cee380d3158022415fc4'
+ 'fc0c0466ea2f4f8446d16050a9639dee')
 
 prepare() {
 cd $srcdir/$pkgname-$_ver
@@ -45,6 +51,11 @@
 # Communication problems with 1.0.1e
 # http://rt.openssl.org/Ticket/Display.html?id=3002
 patch -p1 -i $srcdir/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch
+ # CVE-2013-6449; FS#38357
+ patch -p1 -i $srcdir/openssl-1.0.1-Check-EVP-errors-for-handshake-digests.patch
+ patch -p1 -i $srcdir/openssl-1.0.1-Use-version-in-SSL_METHOD-not-SSL-structure.patch
+ # CVE-2013-6450
+ patch -p1 -i $srcdir/openssl-1.0.1-Fix-DTLS-retransmission-from-previous-session.patch
 }
 
 build() {
Added: openssl-1.0.1-Check-EVP-errors-for-handshake-digests.patch
===================================================================
--- openssl-1.0.1-Check-EVP-errors-for-handshake-digests.patch (rev 0)
+++ openssl-1.0.1-Check-EVP-errors-for-handshake-digests.patch 2014-01-03 23:42:52 UTC (rev 203086)
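Review bot: The three checksums added in the md5sums hunk extend a list that is verified with MD5 only; makepkg also accepts `sha256sums=(...)`, and moving the whole array to that form would make the check collision-resistant for the downloaded tarball entry as well as the local patches. Because the patches are shipped next to the PKGBUILD rather than fetched, the checksum here mostly guards against accidental edits, so this is a hardening point rather than a defect in the change itself. The 'SKIP' entry is pre-existing and untouched by this hunk.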
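Review bot: The order of the three new `patch -p1` lines in prepare() is load-bearing but not documented: the DTLS patch's ssl/t1_enc.c hunk is recorded against blob 72015f5, which is the output of the Check-EVP patch's t1_enc.c change (809ad2e..72015f5), so the Check-EVP patch must run first, as it does here. A comment such as `# order matters: the DTLS patch is based on t1_enc.c as modified by the Check-EVP patch` above the new lines would stop a later reorder from breaking the build. The body of prepare() continues outside this hunk.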
@@ -0,0 +1,77 @@
+From 0294b2be5f4c11e60620c0018674ff0e17b14238 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <st...@openssl.org>
+Date: Sat, 14 Dec 2013 13:55:48 +0000
+Subject: Check EVP errors for handshake digests.
+
+Partial mitigation of PR#3200
+---
+ ssl/s3_both.c | 2 ++
+ ssl/s3_pkt.c | 8 +++++++-
+ ssl/t1_enc.c | 11 ++++++-----
+ 3 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/ssl/s3_both.c b/ssl/s3_both.c
+index ead01c8..1e5dcab 100644
+--- a/ssl/s3_both.c
++++ b/ssl/s3_both.c
+@@ -161,6 +161,8 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
+
+ i=s->method->ssl3_enc->final_finish_mac(s,
+ sender,slen,s->s3->tmp.finish_md);
++ if (i == 0)
++ return 0;
+ s->s3->tmp.finish_md_len = i;
+ memcpy(p, s->s3->tmp.finish_md, i);
+ p+=i;
+diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
+index 804291e..c4bc4e7 100644
+--- a/ssl/s3_pkt.c
++++ b/ssl/s3_pkt.c
+@@ -1459,8 +1459,14 @@ int ssl3_do_change_cipher_spec(SSL *s)
+ slen=s->method->ssl3_enc->client_finished_label_len;
+ }
+
+- s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
++ i = s->method->ssl3_enc->final_finish_mac(s,
+ sender,slen,s->s3->tmp.peer_finish_md);
++ if (i == 0)
++ {
++ SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++ s->s3->tmp.peer_finish_md_len = i;
+
+ return(1);
+ }
+diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
+index 809ad2e..72015f5 100644
+--- a/ssl/t1_enc.c
++++ b/ssl/t1_enc.c
+@@ -915,18 +915,19 @@ int tls1_final_finish_mac(SSL *s,
+ if (mask & ssl_get_algorithm2(s))
+ {
+ int hashsize = EVP_MD_size(md);
+- if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
++ EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx];
++ if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
+ {
+ /* internal error: 'buf' is too small for this cipersuite! */
+ err = 1;
+ }
+ else
+ {
+- EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]);
+- EVP_DigestFinal_ex(&ctx,q,&i);
+- if (i != (unsigned int)hashsize) /* can't really happen */
++ if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) ||
++ !EVP_DigestFinal_ex(&ctx,q,&i) ||
++ (i != (unsigned int)hashsize))
+ err = 1;
+- q+=i;
++ q+=hashsize;
+ }
+ }
+ }
+--
+1.8.5.2
+
Added: openssl-1.0.1-Fix-DTLS-retransmission-from-previous-session.patch
===================================================================
--- openssl-1.0.1-Fix-DTLS-retransmission-from-previous-session.patch (rev 0)
+++ openssl-1.0.1-Fix-DTLS-retransmission-from-previous-session.patch 2014-01-03 23:42:52 UTC (rev 203086)
@@ -0,0 +1,78 @@
+From 34628967f1e65dc8f34e000f0f5518e21afbfc7b Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <st...@openssl.org>
+Date: Fri, 20 Dec 2013 15:26:50 +0000
+Subject: Fix DTLS retransmission from previous session.
+
+For DTLS we might need to retransmit messages from the previous session
+so keep a copy of write context in DTLS retransmission buffers instead
+of replacing it after sending CCS. CVE-2013-6450.
+---
+ ssl/d1_both.c | 6 ++++++
+ ssl/ssl_locl.h | 2 ++
+ ssl/t1_enc.c | 17 +++++++++++------
+ 3 files changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/ssl/d1_both.c b/ssl/d1_both.c
+index 65ec001..7a5596a 100644
+--- a/ssl/d1_both.c
++++ b/ssl/d1_both.c
+@@ -214,6 +214,12 @@ dtls1_hm_fragment_new(unsigned long frag_len, int reassembly)
+ static void
+ dtls1_hm_fragment_free(hm_fragment *frag)
+ {
++
++ if (frag->msg_header.is_ccs)
++ {
++ EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx);
++ EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash);
++ }
+ if (frag->fragment) OPENSSL_free(frag->fragment);
+ if (frag->reassembly) OPENSSL_free(frag->reassembly);
+ OPENSSL_free(frag);
+diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
+index 96ce9a7..e485907 100644
+--- a/ssl/ssl_locl.h
++++ b/ssl/ssl_locl.h
+@@ -621,6 +621,8 @@ extern SSL3_ENC_METHOD TLSv1_enc_data;
+ extern SSL3_ENC_METHOD SSLv3_enc_data;
+ extern SSL3_ENC_METHOD DTLSv1_enc_data;
+
++#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION)
++
+ #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \
+ s_get_meth) \
+ const SSL_METHOD *func_name(void) \
+diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
+index 72015f5..56db834 100644
+--- a/ssl/t1_enc.c
++++ b/ssl/t1_enc.c
+@@ -414,15 +414,20 @@ int tls1_change_cipher_state(SSL *s, int which)
+ s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
+ else
+ s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
+- if (s->enc_write_ctx != NULL)
++ if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s))
+ reuse_dd = 1;
+- else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
++ else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL)
+ goto err;
+- else
+- /* make sure it's intialized in case we exit later with an error */
+- EVP_CIPHER_CTX_init(s->enc_write_ctx);
+ dd= s->enc_write_ctx;
+- mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
++ if (SSL_IS_DTLS(s))
++ {
++ mac_ctx = EVP_MD_CTX_create();
++ if (!mac_ctx)
++ goto err;
++ s->write_hash = mac_ctx;
++ }
++ else
++ mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
+ #ifndef OPENSSL_NO_COMP
+ if (s->compress != NULL)
+ {
+--
+1.8.5.2
+
Added: openssl-1.0.1-Use-version-in-SSL_METHOD-not-SSL-structure.patch
===================================================================
--- openssl-1.0.1-Use-version-in-SSL_METHOD-not-SSL-structure.patch (rev 0)
+++ openssl-1.0.1-Use-version-in-SSL_METHOD-not-SSL-structure.patch 2014-01-03 23:42:52 UTC (rev 203086)
@@ -0,0 +1,30 @@
+From ca989269a2876bae79393bd54c3e72d49975fc75 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <st...@openssl.org>
+Date: Thu, 19 Dec 2013 14:37:39 +0000
+Subject: Use version in SSL_METHOD not SSL structure.
+
+When deciding whether to use TLS 1.2 PRF and record hash algorithms
+use the version number in the corresponding SSL_METHOD structure
+instead of the SSL structure. The SSL structure version is sometimes
+inaccurate. Note: OpenSSL 1.0.2 and later effectively do this already.
+(CVE-2013-6449)
+---
+ ssl/s3_lib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
+index bf832bb..c4ef273 100644
+--- a/ssl/s3_lib.c
++++ b/ssl/s3_lib.c
+@@ -4286,7 +4286,7 @@ need to go to SSL_ST_ACCEPT.
+ long ssl_get_algorithm2(SSL *s)
+ {
+ long alg2 = s->s3->tmp.new_cipher->algorithm2;
+- if (TLS1_get_version(s) >= TLS1_2_VERSION &&
++ if (s->method->version == TLS1_2_VERSION &&
+ alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
+ return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
+ return alg2;
+--
+1.8.5.2
+