[Pkg-openssl-changes] r436 - in openssl/trunk/debian: . patches
Kurt Roeckx
kroeckx at alioth.debian.org
Thu Nov 12 18:23:14 UTC 2009
Author: kroeckx
Date: 2009-11-12 18:23:14 +0000 (Thu, 12 Nov 2009)
New Revision: 436
Added:
openssl/trunk/debian/patches/CVE-2009-3555.patch
Modified:
openssl/trunk/debian/changelog
openssl/trunk/debian/patches/series
Log:
Disable SSL/TLS renegotiation (CVE-2009-3555) (Closes: #555829)
Modified: openssl/trunk/debian/changelog
===================================================================
--- openssl/trunk/debian/changelog 2009-09-11 15:08:40 UTC (rev 435)
+++ openssl/trunk/debian/changelog 2009-11-12 18:23:14 UTC (rev 436)
@@ -1,3 +1,9 @@
+openssl (0.9.8k-6) unstable; urgency=low
+
+ * Disable SSL/TLS renegotiation (CVE-2009-3555) (Closes: #555829)
+
+ -- Kurt Roeckx <kurt at roeckx.be> Thu, 12 Nov 2009 18:10:31 +0000
+
openssl (0.9.8k-5) unstable; urgency=low
* Don't check self signed certificate signatures in X509_verify_cert()
Added: openssl/trunk/debian/patches/CVE-2009-3555.patch
===================================================================
--- openssl/trunk/debian/patches/CVE-2009-3555.patch (rev 0)
+++ openssl/trunk/debian/patches/CVE-2009-3555.patch 2009-11-12 18:23:14 UTC (rev 436)
@@ -0,0 +1,118 @@
+diff -ur openssl-0.9.8k/crypto/asn1/asn1_err.c openssl-0.9.8l/crypto/asn1/asn1_err.c
+--- openssl-0.9.8k/crypto/asn1/asn1_err.c 2009-03-25 11:35:57.000000000 +0100
++++ openssl-0.9.8l/crypto/asn1/asn1_err.c 2009-11-05 14:52:55.000000000 +0100
+@@ -132,6 +132,7 @@
+ {ERR_FUNC(ASN1_F_ASN1_VERIFY), "ASN1_verify"},
+ {ERR_FUNC(ASN1_F_B64_READ_ASN1), "B64_READ_ASN1"},
+ {ERR_FUNC(ASN1_F_B64_WRITE_ASN1), "B64_WRITE_ASN1"},
++{ERR_FUNC(ASN1_F_BIO_NEW_NDEF), "BIO_NEW_NDEF"},
+ {ERR_FUNC(ASN1_F_BITSTR_CB), "BITSTR_CB"},
+ {ERR_FUNC(ASN1_F_BN_TO_ASN1_ENUMERATED), "BN_to_ASN1_ENUMERATED"},
+ {ERR_FUNC(ASN1_F_BN_TO_ASN1_INTEGER), "BN_to_ASN1_INTEGER"},
+diff -ur openssl-0.9.8k/crypto/asn1/asn1.h openssl-0.9.8l/crypto/asn1/asn1.h
+--- openssl-0.9.8k/crypto/asn1/asn1.h 2009-03-25 11:35:57.000000000 +0100
++++ openssl-0.9.8l/crypto/asn1/asn1.h 2009-11-05 14:52:55.000000000 +0100
+@@ -1158,6 +1158,7 @@
+ #define ASN1_F_ASN1_VERIFY 137
+ #define ASN1_F_B64_READ_ASN1 208
+ #define ASN1_F_B64_WRITE_ASN1 209
++#define ASN1_F_BIO_NEW_NDEF 212
+ #define ASN1_F_BITSTR_CB 180
+ #define ASN1_F_BN_TO_ASN1_ENUMERATED 138
+ #define ASN1_F_BN_TO_ASN1_INTEGER 139
+diff -ur openssl-0.9.8k/ssl/s3_lib.c openssl-0.9.8l/ssl/s3_lib.c
+--- openssl-0.9.8k/ssl/s3_lib.c 2008-06-16 18:56:41.000000000 +0200
++++ openssl-0.9.8l/ssl/s3_lib.c 2009-11-05 16:51:53.000000000 +0100
+@@ -2592,6 +2592,9 @@
+ if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
+ return(0);
+
++ if (!(s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
++ return(0);
++
+ s->s3->renegotiate=1;
+ return(1);
+ }
+diff -ur openssl-0.9.8k/ssl/s3_pkt.c openssl-0.9.8l/ssl/s3_pkt.c
+--- openssl-0.9.8k/ssl/s3_pkt.c 2008-10-10 12:41:32.000000000 +0200
++++ openssl-0.9.8l/ssl/s3_pkt.c 2009-11-05 16:52:53.000000000 +0100
+@@ -985,6 +985,7 @@
+
+ if (SSL_is_init_finished(s) &&
+ !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
++ (s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) &&
+ !s->s3->renegotiate)
+ {
+ ssl3_renegotiate(s);
+@@ -1117,7 +1118,8 @@
+ if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake)
+ {
+ if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
+- !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
++ !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
++ (s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ {
+ #if 0 /* worked only because C operator preferences are not as expected (and
+ * because this is not really needed for clients except for detecting
+Only in openssl-0.9.8l/ssl: s3_pkt.c.~1.57.2.4.~
+diff -ur openssl-0.9.8k/ssl/s3_srvr.c openssl-0.9.8l/ssl/s3_srvr.c
+--- openssl-0.9.8k/ssl/s3_srvr.c 2009-01-07 11:48:23.000000000 +0100
++++ openssl-0.9.8l/ssl/s3_srvr.c 2009-11-05 16:52:11.000000000 +0100
+@@ -718,6 +718,14 @@
+ #endif
+ STACK_OF(SSL_CIPHER) *ciphers=NULL;
+
++ if (s->new_session
++ && !(s->s3->flags&SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
++ {
++ al=SSL_AD_HANDSHAKE_FAILURE;
++ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
++ goto f_err;
++ }
++
+ /* We do this so that we will respond with our native type.
+ * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
+ * This down switching should be handled by a different method.
+diff -ur openssl-0.9.8k/ssl/ssl3.h openssl-0.9.8l/ssl/ssl3.h
+--- openssl-0.9.8k/ssl/ssl3.h 2007-10-12 02:00:30.000000000 +0200
++++ openssl-0.9.8l/ssl/ssl3.h 2009-11-05 16:52:03.000000000 +0100
+@@ -326,10 +326,11 @@
+ #define SSL3_CT_NUMBER 7
+
+
+-#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001
+-#define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002
+-#define SSL3_FLAGS_POP_BUFFER 0x0004
+-#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
++#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001
++#define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002
++#define SSL3_FLAGS_POP_BUFFER 0x0004
++#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
++#define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010
+
+ typedef struct ssl3_state_st
+ {
+diff -ur openssl-0.9.8k/ssl/ssl_err.c openssl-0.9.8l/ssl/ssl_err.c
+--- openssl-0.9.8k/ssl/ssl_err.c 2008-08-13 21:44:44.000000000 +0200
++++ openssl-0.9.8l/ssl/ssl_err.c 2009-11-05 13:15:05.000000000 +0100
+@@ -384,6 +384,7 @@
+ {ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"},
+ {ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"},
+ {ERR_REASON(SSL_R_NO_PUBLICKEY) ,"no publickey"},
++{ERR_REASON(SSL_R_NO_RENEGOTIATION) ,"no renegotiation"},
+ {ERR_REASON(SSL_R_NO_SHARED_CIPHER) ,"no shared cipher"},
+ {ERR_REASON(SSL_R_NO_VERIFY_CALLBACK) ,"no verify callback"},
+ {ERR_REASON(SSL_R_NULL_SSL_CTX) ,"null ssl ctx"},
+Only in openssl-0.9.8l/ssl: ssl_err.c.orig
+diff -ur openssl-0.9.8k/ssl/ssl.h openssl-0.9.8l/ssl/ssl.h
+--- openssl-0.9.8k/ssl/ssl.h 2008-08-13 21:44:44.000000000 +0200
++++ openssl-0.9.8l/ssl/ssl.h 2009-11-05 13:15:41.000000000 +0100
+@@ -1952,6 +1952,7 @@
+ #define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190
+ #define SSL_R_NO_PROTOCOLS_AVAILABLE 191
+ #define SSL_R_NO_PUBLICKEY 192
++#define SSL_R_NO_RENEGOTIATION 318
+ #define SSL_R_NO_SHARED_CIPHER 193
+ #define SSL_R_NO_VERIFY_CALLBACK 194
+ #define SSL_R_NULL_SSL_CTX 195
+
Modified: openssl/trunk/debian/patches/series
===================================================================
--- openssl/trunk/debian/patches/series 2009-09-11 15:08:40 UTC (rev 435)
+++ openssl/trunk/debian/patches/series 2009-11-12 18:23:14 UTC (rev 436)
@@ -25,3 +25,4 @@
CVE-2009-1387.patch
CVE-2009-2409.patch
no_check_self_signed.patch
+CVE-2009-3555.patch
More information about the Pkg-openssl-changes
mailing list