/[smeserver]/rpms/openssl/sme8/openssl-fips-0.9.8e-cve-2011-4619.patch
ViewVC logotype

Contents of /rpms/openssl/sme8/openssl-fips-0.9.8e-cve-2011-4619.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Tue Feb 18 03:03:09 2014 UTC (10 years, 9 months ago) by wellsi
Branch: MAIN
CVS Tags: openssl-0_9_8e-28_el5_sme, openssl-0_9_8e-33_1_el5_sme, openssl-0_9_8e-32_1_el5_sme, openssl-0_9_8e-27_1_el5_sme, openssl-0_9_8e-27_el5_10_1, openssl-0_9_8e-31_1_el5_sme, HEAD
Branch point for: upstream
Initial import

1 diff -up openssl-fips-0.9.8e/ssl/s3_srvr.c.sgc-dos openssl-fips-0.9.8e/ssl/s3_srvr.c
2 --- openssl-fips-0.9.8e/ssl/s3_srvr.c.sgc-dos 2012-03-19 17:42:34.490429863 +0100
3 +++ openssl-fips-0.9.8e/ssl/s3_srvr.c 2012-03-19 17:44:42.928114348 +0100
4 @@ -236,6 +236,7 @@ int ssl3_accept(SSL *s)
5 }
6
7 s->init_num=0;
8 + s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
9
10 if (s->state != SSL_ST_RENEGOTIATE)
11 {
12 @@ -655,6 +656,13 @@ int ssl3_check_client_hello(SSL *s)
13 s->s3->tmp.reuse_message = 1;
14 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
15 {
16 + /* We only allow the client to restart the handshake once per
17 + * negotiation. */
18 + if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
19 + {
20 + SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
21 + return -1;
22 + }
23 /* Throw away what we have done so far in the current handshake,
24 * which will now be aborted. (A full SSL_clear would be too much.)
25 * I hope that tmp.dh is the only thing that may need to be cleared
26 @@ -666,6 +674,7 @@ int ssl3_check_client_hello(SSL *s)
27 s->s3->tmp.dh = NULL;
28 }
29 #endif
30 + s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
31 return 2;
32 }
33 return 1;
34 diff -up openssl-fips-0.9.8e/ssl/ssl3.h.sgc-dos openssl-fips-0.9.8e/ssl/ssl3.h
35 --- openssl-fips-0.9.8e/ssl/ssl3.h.sgc-dos 2012-03-19 17:42:34.465429341 +0100
36 +++ openssl-fips-0.9.8e/ssl/ssl3.h 2012-03-19 17:42:34.532430741 +0100
37 @@ -333,6 +333,17 @@ typedef struct ssl3_buffer_st
38 #define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002
39 #define SSL3_FLAGS_POP_BUFFER 0x0004
40 #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
41 +
42 +/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
43 + * restart a handshake because of MS SGC and so prevents us
44 + * from restarting the handshake in a loop. It's reset on a
45 + * renegotiation, so effectively limits the client to one restart
46 + * per negotiation. This limits the possibility of a DDoS
47 + * attack where the client handshakes in a loop using SGC to
48 + * restart. Servers which permit renegotiation can still be
49 + * effected, but we can't prevent that.
50 + */
51 +#define SSL3_FLAGS_SGC_RESTART_DONE 0x0040
52
53 typedef struct ssl3_state_st
54 {
55 diff -up openssl-fips-0.9.8e/ssl/ssl_err.c.sgc-dos openssl-fips-0.9.8e/ssl/ssl_err.c
56 --- openssl-fips-0.9.8e/ssl/ssl_err.c.sgc-dos 2012-03-19 17:42:34.462429280 +0100
57 +++ openssl-fips-0.9.8e/ssl/ssl_err.c 2012-03-19 17:42:34.532430741 +0100
58 @@ -134,6 +134,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
59 {ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"},
60 {ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"},
61 {ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"},
62 +{ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO), "SSL3_CHECK_CLIENT_HELLO"},
63 {ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"},
64 {ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"},
65 {ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"},
66 @@ -361,6 +362,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
67 {ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY) ,"missing tmp rsa key"},
68 {ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY) ,"missing tmp rsa pkey"},
69 {ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"},
70 +{ERR_REASON(SSL_R_MULTIPLE_SGC_RESTARTS) ,"multiple sgc restarts"},
71 {ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"},
72 {ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"},
73 {ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"},
74 diff -up openssl-fips-0.9.8e/ssl/ssl.h.sgc-dos openssl-fips-0.9.8e/ssl/ssl.h
75 --- openssl-fips-0.9.8e/ssl/ssl.h.sgc-dos 2012-03-19 17:42:34.488429820 +0100
76 +++ openssl-fips-0.9.8e/ssl/ssl.h 2012-03-19 17:42:34.533430762 +0100
77 @@ -1634,6 +1634,7 @@ void ERR_load_SSL_strings(void);
78 #define SSL_F_SSL3_CALLBACK_CTRL 233
79 #define SSL_F_SSL3_CHANGE_CIPHER_STATE 129
80 #define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130
81 +#define SSL_F_SSL3_CHECK_CLIENT_HELLO 293
82 #define SSL_F_SSL3_CLIENT_HELLO 131
83 #define SSL_F_SSL3_CONNECT 132
84 #define SSL_F_SSL3_CTRL 213
85 @@ -1858,6 +1859,7 @@ void ERR_load_SSL_strings(void);
86 #define SSL_R_MISSING_TMP_RSA_KEY 172
87 #define SSL_R_MISSING_TMP_RSA_PKEY 173
88 #define SSL_R_MISSING_VERIFY_MESSAGE 174
89 +#define SSL_R_MULTIPLE_SGC_RESTARTS 325
90 #define SSL_R_NON_SSLV2_INITIAL_PACKET 175
91 #define SSL_R_NO_CERTIFICATES_RETURNED 176
92 #define SSL_R_NO_CERTIFICATE_ASSIGNED 177

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed