/[smeserver]/rpms/openssl/sme8/openssl-fips-0.9.8e-dtls-dos.patch
ViewVC logotype

Annotation of /rpms/openssl/sme8/openssl-fips-0.9.8e-dtls-dos.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph

Revision 1.1 - (hide annotations) (download)
Tue Feb 18 03:03:09 2014 UTC (10 years, 3 months ago) by wellsi
Branch: MAIN
CVS Tags: openssl-0_9_8e-28_el5_sme, openssl-0_9_8e-33_1_el5_sme, openssl-0_9_8e-32_1_el5_sme, openssl-0_9_8e-27_1_el5_sme, openssl-0_9_8e-27_el5_10_1, openssl-0_9_8e-31_1_el5_sme, HEAD
Branch point for: upstream 
Initial import
1 wellsi 1.1 Fixes CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 CVE-2009-1386 CVE-2009-1387
2     DoS vulnerabilities in the DTLS implementation.
3     diff -up openssl-fips-0.9.8e/crypto/pqueue/pqueue.c.dtls-dos openssl-fips-0.9.8e/crypto/pqueue/pqueue.c
4     --- openssl-fips-0.9.8e/crypto/pqueue/pqueue.c.dtls-dos 2005-06-28 14:53:33.000000000 +0200
5     +++ openssl-fips-0.9.8e/crypto/pqueue/pqueue.c 2009-05-21 14:41:48.000000000 +0200
6     @@ -234,3 +234,17 @@ pqueue_next(pitem **item)
7    
8     return ret;
9     }
10     +
11     +int
12     +pqueue_size(pqueue_s *pq)
13     +{
14     + pitem *item = pq->items;
15     + int count = 0;
16     +
17     + while(item != NULL)
18     + {
19     + count++;
20     + item = item->next;
21     + }
22     + return count;
23     +}
24     diff -up openssl-fips-0.9.8e/crypto/pqueue/pqueue.h.dtls-dos openssl-fips-0.9.8e/crypto/pqueue/pqueue.h
25     --- openssl-fips-0.9.8e/crypto/pqueue/pqueue.h.dtls-dos 2009-04-15 13:48:50.000000000 +0200
26     +++ openssl-fips-0.9.8e/crypto/pqueue/pqueue.h 2009-05-21 14:41:48.000000000 +0200
27     @@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq);
28     pitem *pqueue_next(piterator *iter);
29    
30     void pqueue_print(pqueue pq);
31     +int pqueue_size(pqueue pq);
32    
33     #endif /* ! HEADER_PQUEUE_H */
34     diff -up openssl-fips-0.9.8e/ssl/d1_both.c.dtls-dos openssl-fips-0.9.8e/ssl/d1_both.c
35     --- openssl-fips-0.9.8e/ssl/d1_both.c.dtls-dos 2009-04-15 13:48:51.000000000 +0200
36     +++ openssl-fips-0.9.8e/ssl/d1_both.c 2009-06-02 15:07:31.000000000 +0200
37     @@ -519,6 +519,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
38    
39     if ( s->d1->handshake_read_seq == frag->msg_header.seq)
40     {
41     + unsigned long frag_len = frag->msg_header.frag_len;
42     pqueue_pop(s->d1->buffered_messages);
43    
44     al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
45     @@ -536,7 +537,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
46     if (al==0)
47     {
48     *ok = 1;
49     - return frag->msg_header.frag_len;
50     + return frag_len;
51     }
52    
53     ssl3_send_alert(s,SSL3_AL_FATAL,al);
54     @@ -561,7 +562,16 @@ dtls1_process_out_of_seq_message(SSL *s,
55     if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
56     goto err;
57    
58     - if (msg_hdr->seq <= s->d1->handshake_read_seq)
59     + /* Try to find item in queue, to prevent duplicate entries */
60     + pq_64bit_init(&seq64);
61     + pq_64bit_assign_word(&seq64, msg_hdr->seq);
62     + item = pqueue_find(s->d1->buffered_messages, seq64);
63     + pq_64bit_free(&seq64);
64     +
65     + /* Discard the message if sequence number was already there, is
66     + * too far in the future or the fragment is already in the queue */
67     + if (msg_hdr->seq <= s->d1->handshake_read_seq ||
68     + msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
69     {
70     unsigned char devnull [256];
71    
72     @@ -575,30 +585,31 @@ dtls1_process_out_of_seq_message(SSL *s,
73     }
74     }
75    
76     - frag = dtls1_hm_fragment_new(frag_len);
77     - if ( frag == NULL)
78     - goto err;
79     + if (frag_len)
80     + {
81     + frag = dtls1_hm_fragment_new(frag_len);
82     + if ( frag == NULL)
83     + goto err;
84    
85     - memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
86     + memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
87    
88     - if (frag_len)
89     - {
90     - /* read the body of the fragment (header has already been read */
91     + /* read the body of the fragment (header has already been read) */
92     i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
93     frag->fragment,frag_len,0);
94     - if (i<=0 || i!=frag_len)
95     + if (i<=0 || (unsigned long)i!=frag_len)
96     goto err;
97     - }
98    
99     - pq_64bit_init(&seq64);
100     - pq_64bit_assign_word(&seq64, msg_hdr->seq);
101     + pq_64bit_init(&seq64);
102     + pq_64bit_assign_word(&seq64, msg_hdr->seq);
103    
104     - item = pitem_new(seq64, frag);
105     - pq_64bit_free(&seq64);
106     - if ( item == NULL)
107     - goto err;
108     + item = pitem_new(seq64, frag);
109     + pq_64bit_free(&seq64);
110     + if ( item == NULL)
111     + goto err;
112     +
113     + pqueue_insert(s->d1->buffered_messages, item);
114     + }
115    
116     - pqueue_insert(s->d1->buffered_messages, item);
117     return DTLS1_HM_FRAGMENT_RETRY;
118    
119     err:
120     diff -up openssl-fips-0.9.8e/ssl/d1_pkt.c.dtls-dos openssl-fips-0.9.8e/ssl/d1_pkt.c
121     --- openssl-fips-0.9.8e/ssl/d1_pkt.c.dtls-dos 2009-04-15 13:48:51.000000000 +0200
122     +++ openssl-fips-0.9.8e/ssl/d1_pkt.c 2009-05-21 14:41:48.000000000 +0200
123     @@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueu
124     DTLS1_RECORD_DATA *rdata;
125     pitem *item;
126    
127     + /* Limit the size of the queue to prevent DOS attacks */
128     + if (pqueue_size(queue->q) >= 100)
129     + return 0;
130     +
131     rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
132     item = pitem_new(priority, rdata);
133     if (rdata == NULL || item == NULL)
134     diff -up openssl-fips-0.9.8e/ssl/s3_pkt.c.dtls-dos openssl-fips-0.9.8e/ssl/s3_pkt.c
135     --- openssl-fips-0.9.8e/ssl/s3_pkt.c.dtls-dos 2006-11-29 15:45:14.000000000 +0100
136     +++ openssl-fips-0.9.8e/ssl/s3_pkt.c 2009-06-02 14:57:16.000000000 +0200
137     @@ -1225,6 +1225,13 @@ int ssl3_do_change_cipher_spec(SSL *s)
138    
139     if (s->s3->tmp.key_block == NULL)
140     {
141     + if (s->session == NULL)
142     + {
143     + /* might happen if dtls1_read_bytes() calls this */
144     + SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
145     + return (0);
146     + }
147     +
148     s->session->cipher=s->s3->tmp.new_cipher;
149     if (!s->method->ssl3_enc->setup_key_block(s)) return(0);
150     }
151     diff -up openssl-fips-0.9.8e/ssl/ssl_err.c.dtls-dos openssl-fips-0.9.8e/ssl/ssl_err.c
152     --- openssl-fips-0.9.8e/ssl/ssl_err.c.dtls-dos 2009-04-15 13:48:51.000000000 +0200
153     +++ openssl-fips-0.9.8e/ssl/ssl_err.c 2009-06-02 14:57:16.000000000 +0200
154     @@ -138,6 +138,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
155     {ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"},
156     {ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"},
157     {ERR_FUNC(SSL_F_SSL3_CTX_CTRL), "SSL3_CTX_CTRL"},
158     +{ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC), "SSL3_DO_CHANGE_CIPHER_SPEC"},
159     {ERR_FUNC(SSL_F_SSL3_ENC), "SSL3_ENC"},
160     {ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK), "SSL3_GENERATE_KEY_BLOCK"},
161     {ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST), "SSL3_GET_CERTIFICATE_REQUEST"},
162     diff -up openssl-fips-0.9.8e/ssl/ssl.h.dtls-dos openssl-fips-0.9.8e/ssl/ssl.h
163     --- openssl-fips-0.9.8e/ssl/ssl.h.dtls-dos 2009-04-15 13:48:51.000000000 +0200
164     +++ openssl-fips-0.9.8e/ssl/ssl.h 2009-06-02 14:57:16.000000000 +0200
165     @@ -1620,6 +1620,7 @@ void ERR_load_SSL_strings(void);
166     #define SSL_F_SSL3_CONNECT 132
167     #define SSL_F_SSL3_CTRL 213
168     #define SSL_F_SSL3_CTX_CTRL 133
169     +#define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC 292
170     #define SSL_F_SSL3_ENC 134
171     #define SSL_F_SSL3_GENERATE_KEY_BLOCK 238
172     #define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135
admin@koozali.org
 ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed