[Pkg-openssl-changes] r648 - in openssl/branches/wheezy/debian: . patches

Mon Jan 6 19:29:42 UTC 2014

Author: kroeckx
Date: 2014-01-06 19:29:42 +0000 (Mon, 06 Jan 2014)
New Revision: 648

Added:
   openssl/branches/wheezy/debian/patches/dont_change_version.patch
Modified:
   openssl/branches/wheezy/debian/changelog
   openssl/branches/wheezy/debian/patches/series
Log:
Don't change version number if session established


Modified: openssl/branches/wheezy/debian/changelog
===================================================================

--- openssl/branches/wheezy/debian/changelog	2014-01-06 18:05:19 UTC (rev 647)
+++ openssl/branches/wheezy/debian/changelog	2014-01-06 19:29:42 UTC (rev 648)
@@ -1,3 +1,9 @@
+openssl (1.0.1e-2+deb7u3) stable-security; urgency=medium
+
+  * Don't change version number if session established
+
+ -- Kurt Roeckx <kurt at roeckx.be>  Mon, 06 Jan 2014 20:28:20 +0100
+
 openssl (1.0.1e-2+deb7u2) stable-security; urgency=medium
 
   * The patch we applied for CVE-2013-6450 was causing segfaults,

Added: openssl/branches/wheezy/debian/patches/dont_change_version.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/dont_change_version.patch	                        (rev 0)
+++ openssl/branches/wheezy/debian/patches/dont_change_version.patch	2014-01-06 19:29:42 UTC (rev 648)
@@ -0,0 +1,47 @@
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Tue, 24 Dec 2013 18:17:00 +0000
+Subject: [PATCH] Don't change version number if session established
+Origin: upstream, commit:f3dcc8411e518fb0835c7d72df4a58718205260d
+
+When sending an invalid version number alert don't change the
+version number to the client version if a session is already
+established.
+
+Thanks to Marek Majkowski for additional analysis of this issue.
+
+PR#3191
+---
+ ssl/s3_pkt.c  | 2 +-
+ ssl/s3_srvr.c | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
+index c4bc4e7..96ba632 100644
+--- a/ssl/s3_pkt.c
++++ b/ssl/s3_pkt.c
+@@ -335,7 +335,7 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
+ 			if (version != s->version)
+ 				{
+ 				SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
+-                                if ((s->version & 0xFF00) == (version & 0xFF00))
++                                if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash)
+                                 	/* Send back error using their minor version number :-) */
+ 					s->version = (unsigned short)version;
+ 				al=SSL_AD_PROTOCOL_VERSION;
+diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
+index e5a8b3f..52efed3 100644
+--- a/ssl/s3_srvr.c
++++ b/ssl/s3_srvr.c
+@@ -958,7 +958,8 @@ int ssl3_get_client_hello(SSL *s)
+ 	    (s->version != DTLS1_VERSION && s->client_version < s->version))
+ 		{
+ 		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
+-		if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
++		if ((s->client_version>>8) == SSL3_VERSION_MAJOR && 
++			!s->enc_write_ctx && !s->write_hash)
+ 			{
+ 			/* similar to ssl3_get_record, send alert using remote version number */
+ 			s->version = s->client_version;
+-- 
+1.8.5.2
+

Modified: openssl/branches/wheezy/debian/patches/series
===================================================================
--- openssl/branches/wheezy/debian/patches/series	2014-01-06 18:05:19 UTC (rev 647)
+++ openssl/branches/wheezy/debian/patches/series	2014-01-06 19:29:42 UTC (rev 648)
@@ -41,3 +41,4 @@
 disable_rdrand.patch
 disable_dual_ec_drbg.patch
 CVE-2013-4353.patch
+dont_change_version.patch


