
Contents of /rpms/openssl/sme8/openssl-fips-0.9.8e-cve-2011-4619.patch



Revision 1.1 - (show annotations) (download)
Tue Feb 18 03:03:09 2014 UTC (10 years, 3 months ago) by wellsi
Branch: MAIN
CVS Tags: openssl-0_9_8e-28_el5_sme, openssl-0_9_8e-33_1_el5_sme, openssl-0_9_8e-32_1_el5_sme, openssl-0_9_8e-27_1_el5_sme, openssl-0_9_8e-27_el5_10_1, openssl-0_9_8e-31_1_el5_sme, HEAD
Branch point for: upstream
Initial import

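--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -236,6 +236,7 @@ int ssl3_accept(SSL *s)
 }
 
 s->init_num=0;
+ s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
 
 if (s->state != SSL_ST_RENEGOTIATE)
 {
@@ -655,6 +656,13 @@ int ssl3_check_client_hello(SSL *s)
 s->s3->tmp.reuse_message = 1;
 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
 {
+ /* We only allow the client to restart the handshake once per
+ * negotiation. */
+ if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
+ {
+ SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
+ return -1;
+ }
 /* Throw away what we have done so far in the current handshake,
 * which will now be aborted. (A full SSL_clear would be too much.)
 * I hope that tmp.dh is the only thing that may need to be cleared
@@ -666,6 +674,7 @@ int ssl3_check_client_hello(SSL *s)
 s->s3->tmp.dh = NULL;
 }
 #endif
+ s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
 return 2;
 }
 return 1;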
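Review bot: The reset of SSL3_FLAGS_SGC_RESTART_DONE in ssl3_accept() sits just ahead of the `if (s->state != SSL_ST_RENEGOTIATE)` test, so it appears to run for renegotiations as well as initial handshakes, and the one-restart limit checked in ssl3_check_client_hello() therefore holds per handshake, not per connection. Nothing at the reset site says so; a comment there such as `/* new handshake, incl. renegotiation: permit one SGC restart again */` would keep that trade-off visible next to the code. On the rejection path the function only records SSL_R_MULTIPLE_SGC_RESTARTS and returns -1, so that reason code in the error queue is what a server application should log to notice repeated restart attempts. Both function bodies continue outside the hunks shown, so the caller's handling of the -1 return is not visible here.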
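--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -333,6 +333,17 @@ typedef struct ssl3_buffer_st
 #define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002
 #define SSL3_FLAGS_POP_BUFFER 0x0004
 #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
+
+/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
+ * restart a handshake because of MS SGC and so prevents us
+ * from restarting the handshake in a loop. It's reset on a
+ * renegotiation, so effectively limits the client to one restart
+ * per negotiation. This limits the possibility of a DDoS
+ * attack where the client handshakes in a loop using SGC to
+ * restart. Servers which permit renegotiation can still be
+ * effected, but we can't prevent that.
+ */
+#define SSL3_FLAGS_SGC_RESTART_DONE 0x0040
 
 typedef struct ssl3_state_st
 {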
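Review bot: The new flag is defined as 0x0040 while the visible context stops at 0x0008, and the hunk does not show whether 0x0010 and 0x0020 (or 0x0040 itself) are already used for another s3->flags bit elsewhere in this tree; that is worth confirming before relying on the mask in s3_srvr.c. The added comment also has two wording slips: "can still be effected" should read "can still be affected", and the scenario it describes, one client looping on the restart, is a DoS, not a DDoS. Since the comment itself concedes that servers permitting renegotiation remain exposed, it could close with the operational consequence, e.g. `Servers should restrict client-initiated renegotiation where possible.`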
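--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -134,6 +134,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"},
 {ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"},
 {ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"},
+{ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO), "SSL3_CHECK_CLIENT_HELLO"},
 {ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"},
 {ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"},
 {ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"},
@@ -361,6 +362,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
 {ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY) ,"missing tmp rsa key"},
 {ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY) ,"missing tmp rsa pkey"},
 {ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"},
+{ERR_REASON(SSL_R_MULTIPLE_SGC_RESTARTS) ,"multiple sgc restarts"},
 {ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"},
 {ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"},
 {ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"},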
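--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1634,6 +1634,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL3_CALLBACK_CTRL 233
 #define SSL_F_SSL3_CHANGE_CIPHER_STATE 129
 #define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130
+#define SSL_F_SSL3_CHECK_CLIENT_HELLO 293
 #define SSL_F_SSL3_CLIENT_HELLO 131
 #define SSL_F_SSL3_CONNECT 132
 #define SSL_F_SSL3_CTRL 213
@@ -1858,6 +1859,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_MISSING_TMP_RSA_KEY 172
 #define SSL_R_MISSING_TMP_RSA_PKEY 173
 #define SSL_R_MISSING_VERIFY_MESSAGE 174
+#define SSL_R_MULTIPLE_SGC_RESTARTS 325
 #define SSL_R_NON_SSLV2_INITIAL_PACKET 175
 #define SSL_R_NO_CERTIFICATES_RETURNED 176
 #define SSL_R_NO_CERTIFICATE_ASSIGNED 177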
