Module Name:    src
Committed By:   bouyer
Date:           Fri Dec 10 21:42:43 UTC 2010

Modified Files:
        src/crypto/dist/openssl/ssl [netbsd-5-0]: s3_clnt.c s3_srvr.c

Log Message:
Pull up following revision(s) (requested by drochner in ticket #1509):
        crypto/external/bsd/openssl/dist/ssl/s3_srvr.c: revision 1.6 via patch
        crypto/external/bsd/openssl/dist/ssl/s3_clnt.c: revision 1.3 via patch
openssl security patch of the day:
Fix a flaw in the OpenSSL SSL/TLS server code where an old bug
workaround allows malicious clients to modify the stored session cache
ciphersuite. In some cases the ciphersuite can be downgraded to a weaker one
on subsequent connections. See
http://www.openssl.org/news/secadv_20101202.txt
(CVE-2010-4180)


To generate a diff of this commit:
cvs rdiff -u -r1.12.4.1.2.1 -r1.12.4.1.2.2 \
    src/crypto/dist/openssl/ssl/s3_clnt.c
cvs rdiff -u -r1.15.4.1.2.2 -r1.15.4.1.2.3 \
    src/crypto/dist/openssl/ssl/s3_srvr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/dist/openssl/ssl/s3_clnt.c
diff -u src/crypto/dist/openssl/ssl/s3_clnt.c:1.12.4.1.2.1 src/crypto/dist/openssl/ssl/s3_clnt.c:1.12.4.1.2.2
--- src/crypto/dist/openssl/ssl/s3_clnt.c:1.12.4.1.2.1	Tue Sep  7 19:31:04 2010
+++ src/crypto/dist/openssl/ssl/s3_clnt.c	Fri Dec 10 21:42:43 2010
@@ -842,8 +842,11 @@
 		s->session->cipher_id = s->session->cipher->id;
 	if (s->hit && (s->session->cipher_id != c->id))
 		{
+/* Workaround is now obsolete */
+#if 0
 		if (!(s->options &
 			SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
+#endif
 			{
 			al=SSL_AD_ILLEGAL_PARAMETER;
 			SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
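
Review bot: the comment added above `#if 0` in the `s->hit && (s->session->cipher_id != c->id)` branch says only "Workaround is now obsolete", which does not tell a later reader that the option test was compiled out for a security reason. The s3_srvr.c hunk in this same commit names CVE-2010-4180 in its comment, and this one should carry the same reference. With the `SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG` test disabled, a resumed session whose returned cipher differs from the cached `cipher_id` always reaches the `SSL_AD_ILLEGAL_PARAMETER` path, so a client that sets the option now fails the handshake where it previously continued. That behaviour change should be stated in the comment. The comment and preprocessor lines also sit at column 0 inside a deeply indented block, and keeping the dead `if` under `#if 0` leaves a brace block whose controlling condition is hard to see at a glance.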

Index: src/crypto/dist/openssl/ssl/s3_srvr.c
diff -u src/crypto/dist/openssl/ssl/s3_srvr.c:1.15.4.1.2.2 src/crypto/dist/openssl/ssl/s3_srvr.c:1.15.4.1.2.3
--- src/crypto/dist/openssl/ssl/s3_srvr.c:1.15.4.1.2.2	Mon Apr 12 00:46:57 2010
+++ src/crypto/dist/openssl/ssl/s3_srvr.c	Fri Dec 10 21:42:43 2010
@@ -959,12 +959,17 @@
 			}
 		if (j == 0)
 			{
+/* Disabled because it can be used in a ciphersuite downgrade
+ * attack: CVE-2010-4180.
+ */
+#if 0
 			if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
 				{
 				/* Very bad for multi-threading.... */
 				s->session->cipher=sk_SSL_CIPHER_value(ciphers, 0);
 				}
 			else
+#endif
 				{
 				/* we need to have the cipher in the cipher
 				 * list if we are asked to reuse it */
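
Review bot: in the `j == 0` branch the `#if 0` / `#endif` pair wraps the whole `if (...) { ... } else`, so `SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG` becomes a silent no-op on the server and nothing visible here tells an application that still sets it. The comment explains why the code is disabled but not what the caller now gets, so add a sentence saying the option is ignored and the cached cipher must appear in the client's list. The disabled assignment `s->session->cipher=sk_SSL_CIPHER_value(ciphers, 0);` is the write that let a client offering a single cipher replace the cipher stored in the cached session, and it was already flagged "Very bad for multi-threading". Removing those lines outright would be cleaner than leaving a dangling `else` inside a disabled region, where re-enabling it by accident brings the session-cache write back.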
