/[smeserver]/rpms/openssl/sme8/openssl-fips-0.9.8e-cve-2011-4619.patch
ViewVC logotype

Annotation of /rpms/openssl/sme8/openssl-fips-0.9.8e-cve-2011-4619.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Tue Feb 18 03:03:09 2014 UTC (10 years, 8 months ago) by wellsi
Branch: MAIN
CVS Tags: openssl-0_9_8e-28_el5_sme, openssl-0_9_8e-33_1_el5_sme, openssl-0_9_8e-32_1_el5_sme, openssl-0_9_8e-27_1_el5_sme, openssl-0_9_8e-27_el5_10_1, openssl-0_9_8e-31_1_el5_sme, HEAD
Branch point for: upstream
Initial import

1 wellsi 1.1 diff -up openssl-fips-0.9.8e/ssl/s3_srvr.c.sgc-dos openssl-fips-0.9.8e/ssl/s3_srvr.c
2     --- openssl-fips-0.9.8e/ssl/s3_srvr.c.sgc-dos 2012-03-19 17:42:34.490429863 +0100
3     +++ openssl-fips-0.9.8e/ssl/s3_srvr.c 2012-03-19 17:44:42.928114348 +0100
4     @@ -236,6 +236,7 @@ int ssl3_accept(SSL *s)
5     }
6    
7     s->init_num=0;
8     + s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
9    
10     if (s->state != SSL_ST_RENEGOTIATE)
11     {
12     @@ -655,6 +656,13 @@ int ssl3_check_client_hello(SSL *s)
13     s->s3->tmp.reuse_message = 1;
14     if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
15     {
16     + /* We only allow the client to restart the handshake once per
17     + * negotiation. */
18     + if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
19     + {
20     + SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
21     + return -1;
22     + }
23     /* Throw away what we have done so far in the current handshake,
24     * which will now be aborted. (A full SSL_clear would be too much.)
25     * I hope that tmp.dh is the only thing that may need to be cleared
26     @@ -666,6 +674,7 @@ int ssl3_check_client_hello(SSL *s)
27     s->s3->tmp.dh = NULL;
28     }
29     #endif
30     + s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
31     return 2;
32     }
33     return 1;
34     diff -up openssl-fips-0.9.8e/ssl/ssl3.h.sgc-dos openssl-fips-0.9.8e/ssl/ssl3.h
35     --- openssl-fips-0.9.8e/ssl/ssl3.h.sgc-dos 2012-03-19 17:42:34.465429341 +0100
36     +++ openssl-fips-0.9.8e/ssl/ssl3.h 2012-03-19 17:42:34.532430741 +0100
37     @@ -333,6 +333,17 @@ typedef struct ssl3_buffer_st
38     #define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002
39     #define SSL3_FLAGS_POP_BUFFER 0x0004
40     #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
41     +
42     +/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
43     + * restart a handshake because of MS SGC and so prevents us
44     + * from restarting the handshake in a loop. It's reset on a
45     + * renegotiation, so effectively limits the client to one restart
46     + * per negotiation. This limits the possibility of a DDoS
47     + * attack where the client handshakes in a loop using SGC to
48     + * restart. Servers which permit renegotiation can still be
49     + * effected, but we can't prevent that.
50     + */
51     +#define SSL3_FLAGS_SGC_RESTART_DONE 0x0040
52    
53     typedef struct ssl3_state_st
54     {
55     diff -up openssl-fips-0.9.8e/ssl/ssl_err.c.sgc-dos openssl-fips-0.9.8e/ssl/ssl_err.c
56     --- openssl-fips-0.9.8e/ssl/ssl_err.c.sgc-dos 2012-03-19 17:42:34.462429280 +0100
57     +++ openssl-fips-0.9.8e/ssl/ssl_err.c 2012-03-19 17:42:34.532430741 +0100
58     @@ -134,6 +134,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
59     {ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"},
60     {ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"},
61     {ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"},
62     +{ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO), "SSL3_CHECK_CLIENT_HELLO"},
63     {ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"},
64     {ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"},
65     {ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"},
66     @@ -361,6 +362,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
67     {ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY) ,"missing tmp rsa key"},
68     {ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY) ,"missing tmp rsa pkey"},
69     {ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"},
70     +{ERR_REASON(SSL_R_MULTIPLE_SGC_RESTARTS) ,"multiple sgc restarts"},
71     {ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"},
72     {ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"},
73     {ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"},
74     diff -up openssl-fips-0.9.8e/ssl/ssl.h.sgc-dos openssl-fips-0.9.8e/ssl/ssl.h
75     --- openssl-fips-0.9.8e/ssl/ssl.h.sgc-dos 2012-03-19 17:42:34.488429820 +0100
76     +++ openssl-fips-0.9.8e/ssl/ssl.h 2012-03-19 17:42:34.533430762 +0100
77     @@ -1634,6 +1634,7 @@ void ERR_load_SSL_strings(void);
78     #define SSL_F_SSL3_CALLBACK_CTRL 233
79     #define SSL_F_SSL3_CHANGE_CIPHER_STATE 129
80     #define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130
81     +#define SSL_F_SSL3_CHECK_CLIENT_HELLO 293
82     #define SSL_F_SSL3_CLIENT_HELLO 131
83     #define SSL_F_SSL3_CONNECT 132
84     #define SSL_F_SSL3_CTRL 213
85     @@ -1858,6 +1859,7 @@ void ERR_load_SSL_strings(void);
86     #define SSL_R_MISSING_TMP_RSA_KEY 172
87     #define SSL_R_MISSING_TMP_RSA_PKEY 173
88     #define SSL_R_MISSING_VERIFY_MESSAGE 174
89     +#define SSL_R_MULTIPLE_SGC_RESTARTS 325
90     #define SSL_R_NON_SSLV2_INITIAL_PACKET 175
91     #define SSL_R_NO_CERTIFICATES_RETURNED 176
92     #define SSL_R_NO_CERTIFICATE_ASSIGNED 177

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed