/[smeserver]/rpms/openssl/sme8/openssl-fips-0.9.8e-dtls-dos.patch
ViewVC logotype

Contents of /rpms/openssl/sme8/openssl-fips-0.9.8e-dtls-dos.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Tue Feb 18 03:03:09 2014 UTC (10 years, 8 months ago) by wellsi
Branch: MAIN
CVS Tags: openssl-0_9_8e-28_el5_sme, openssl-0_9_8e-33_1_el5_sme, openssl-0_9_8e-32_1_el5_sme, openssl-0_9_8e-27_1_el5_sme, openssl-0_9_8e-27_el5_10_1, openssl-0_9_8e-31_1_el5_sme, HEAD
Branch point for: upstream
Initial import

1 Fixes CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 CVE-2009-1386 CVE-2009-1387
2 DoS vulnerabilities in the DTLS implementation.
3 diff -up openssl-fips-0.9.8e/crypto/pqueue/pqueue.c.dtls-dos openssl-fips-0.9.8e/crypto/pqueue/pqueue.c
4 --- openssl-fips-0.9.8e/crypto/pqueue/pqueue.c.dtls-dos 2005-06-28 14:53:33.000000000 +0200
5 +++ openssl-fips-0.9.8e/crypto/pqueue/pqueue.c 2009-05-21 14:41:48.000000000 +0200
6 @@ -234,3 +234,17 @@ pqueue_next(pitem **item)
7
8 return ret;
9 }
10 +
11 +int
12 +pqueue_size(pqueue_s *pq)
13 +{
14 + pitem *item = pq->items;
15 + int count = 0;
16 +
17 + while(item != NULL)
18 + {
19 + count++;
20 + item = item->next;
21 + }
22 + return count;
23 +}
24 diff -up openssl-fips-0.9.8e/crypto/pqueue/pqueue.h.dtls-dos openssl-fips-0.9.8e/crypto/pqueue/pqueue.h
25 --- openssl-fips-0.9.8e/crypto/pqueue/pqueue.h.dtls-dos 2009-04-15 13:48:50.000000000 +0200
26 +++ openssl-fips-0.9.8e/crypto/pqueue/pqueue.h 2009-05-21 14:41:48.000000000 +0200
27 @@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq);
28 pitem *pqueue_next(piterator *iter);
29
30 void pqueue_print(pqueue pq);
31 +int pqueue_size(pqueue pq);
32
33 #endif /* ! HEADER_PQUEUE_H */
34 diff -up openssl-fips-0.9.8e/ssl/d1_both.c.dtls-dos openssl-fips-0.9.8e/ssl/d1_both.c
35 --- openssl-fips-0.9.8e/ssl/d1_both.c.dtls-dos 2009-04-15 13:48:51.000000000 +0200
36 +++ openssl-fips-0.9.8e/ssl/d1_both.c 2009-06-02 15:07:31.000000000 +0200
37 @@ -519,6 +519,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
38
39 if ( s->d1->handshake_read_seq == frag->msg_header.seq)
40 {
41 + unsigned long frag_len = frag->msg_header.frag_len;
42 pqueue_pop(s->d1->buffered_messages);
43
44 al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
45 @@ -536,7 +537,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
46 if (al==0)
47 {
48 *ok = 1;
49 - return frag->msg_header.frag_len;
50 + return frag_len;
51 }
52
53 ssl3_send_alert(s,SSL3_AL_FATAL,al);
54 @@ -561,7 +562,16 @@ dtls1_process_out_of_seq_message(SSL *s,
55 if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
56 goto err;
57
58 - if (msg_hdr->seq <= s->d1->handshake_read_seq)
59 + /* Try to find item in queue, to prevent duplicate entries */
60 + pq_64bit_init(&seq64);
61 + pq_64bit_assign_word(&seq64, msg_hdr->seq);
62 + item = pqueue_find(s->d1->buffered_messages, seq64);
63 + pq_64bit_free(&seq64);
64 +
65 + /* Discard the message if sequence number was already there, is
66 + * too far in the future or the fragment is already in the queue */
67 + if (msg_hdr->seq <= s->d1->handshake_read_seq ||
68 + msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
69 {
70 unsigned char devnull [256];
71
72 @@ -575,30 +585,31 @@ dtls1_process_out_of_seq_message(SSL *s,
73 }
74 }
75
76 - frag = dtls1_hm_fragment_new(frag_len);
77 - if ( frag == NULL)
78 - goto err;
79 + if (frag_len)
80 + {
81 + frag = dtls1_hm_fragment_new(frag_len);
82 + if ( frag == NULL)
83 + goto err;
84
85 - memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
86 + memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
87
88 - if (frag_len)
89 - {
90 - /* read the body of the fragment (header has already been read */
91 + /* read the body of the fragment (header has already been read) */
92 i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
93 frag->fragment,frag_len,0);
94 - if (i<=0 || i!=frag_len)
95 + if (i<=0 || (unsigned long)i!=frag_len)
96 goto err;
97 - }
98
99 - pq_64bit_init(&seq64);
100 - pq_64bit_assign_word(&seq64, msg_hdr->seq);
101 + pq_64bit_init(&seq64);
102 + pq_64bit_assign_word(&seq64, msg_hdr->seq);
103
104 - item = pitem_new(seq64, frag);
105 - pq_64bit_free(&seq64);
106 - if ( item == NULL)
107 - goto err;
108 + item = pitem_new(seq64, frag);
109 + pq_64bit_free(&seq64);
110 + if ( item == NULL)
111 + goto err;
112 +
113 + pqueue_insert(s->d1->buffered_messages, item);
114 + }
115
116 - pqueue_insert(s->d1->buffered_messages, item);
117 return DTLS1_HM_FRAGMENT_RETRY;
118
119 err:
120 diff -up openssl-fips-0.9.8e/ssl/d1_pkt.c.dtls-dos openssl-fips-0.9.8e/ssl/d1_pkt.c
121 --- openssl-fips-0.9.8e/ssl/d1_pkt.c.dtls-dos 2009-04-15 13:48:51.000000000 +0200
122 +++ openssl-fips-0.9.8e/ssl/d1_pkt.c 2009-05-21 14:41:48.000000000 +0200
123 @@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueu
124 DTLS1_RECORD_DATA *rdata;
125 pitem *item;
126
127 + /* Limit the size of the queue to prevent DOS attacks */
128 + if (pqueue_size(queue->q) >= 100)
129 + return 0;
130 +
131 rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
132 item = pitem_new(priority, rdata);
133 if (rdata == NULL || item == NULL)
134 diff -up openssl-fips-0.9.8e/ssl/s3_pkt.c.dtls-dos openssl-fips-0.9.8e/ssl/s3_pkt.c
135 --- openssl-fips-0.9.8e/ssl/s3_pkt.c.dtls-dos 2006-11-29 15:45:14.000000000 +0100
136 +++ openssl-fips-0.9.8e/ssl/s3_pkt.c 2009-06-02 14:57:16.000000000 +0200
137 @@ -1225,6 +1225,13 @@ int ssl3_do_change_cipher_spec(SSL *s)
138
139 if (s->s3->tmp.key_block == NULL)
140 {
141 + if (s->session == NULL)
142 + {
143 + /* might happen if dtls1_read_bytes() calls this */
144 + SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
145 + return (0);
146 + }
147 +
148 s->session->cipher=s->s3->tmp.new_cipher;
149 if (!s->method->ssl3_enc->setup_key_block(s)) return(0);
150 }
151 diff -up openssl-fips-0.9.8e/ssl/ssl_err.c.dtls-dos openssl-fips-0.9.8e/ssl/ssl_err.c
152 --- openssl-fips-0.9.8e/ssl/ssl_err.c.dtls-dos 2009-04-15 13:48:51.000000000 +0200
153 +++ openssl-fips-0.9.8e/ssl/ssl_err.c 2009-06-02 14:57:16.000000000 +0200
154 @@ -138,6 +138,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
155 {ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"},
156 {ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"},
157 {ERR_FUNC(SSL_F_SSL3_CTX_CTRL), "SSL3_CTX_CTRL"},
158 +{ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC), "SSL3_DO_CHANGE_CIPHER_SPEC"},
159 {ERR_FUNC(SSL_F_SSL3_ENC), "SSL3_ENC"},
160 {ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK), "SSL3_GENERATE_KEY_BLOCK"},
161 {ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST), "SSL3_GET_CERTIFICATE_REQUEST"},
162 diff -up openssl-fips-0.9.8e/ssl/ssl.h.dtls-dos openssl-fips-0.9.8e/ssl/ssl.h
163 --- openssl-fips-0.9.8e/ssl/ssl.h.dtls-dos 2009-04-15 13:48:51.000000000 +0200
164 +++ openssl-fips-0.9.8e/ssl/ssl.h 2009-06-02 14:57:16.000000000 +0200
165 @@ -1620,6 +1620,7 @@ void ERR_load_SSL_strings(void);
166 #define SSL_F_SSL3_CONNECT 132
167 #define SSL_F_SSL3_CTRL 213
168 #define SSL_F_SSL3_CTX_CTRL 133
169 +#define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC 292
170 #define SSL_F_SSL3_ENC 134
171 #define SSL_F_SSL3_GENERATE_KEY_BLOCK 238
172 #define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed