[Pkg-openssl-changes] r741 - in openssl/branches/squeeze/debian: . patches
Kurt Roeckx
kroeckx at moszumanska.debian.org
Wed Jun 17 21:18:04 UTC 2015
Author: kroeckx
Date: 2015-06-17 21:18:04 +0000 (Wed, 17 Jun 2015)
New Revision: 741
Added:
openssl/branches/squeeze/debian/patches/CVE-2014-8176.patch
openssl/branches/squeeze/debian/patches/CVE-2015-1789.patch
openssl/branches/squeeze/debian/patches/CVE-2015-1790.patch
openssl/branches/squeeze/debian/patches/CVE-2015-1791.patch
openssl/branches/squeeze/debian/patches/CVE-2015-1792.patch
openssl/branches/squeeze/debian/patches/CVE-2015-4000.patch
Modified:
openssl/branches/squeeze/debian/changelog
openssl/branches/squeeze/debian/patches/series
Log:
Security update
Modified: openssl/branches/squeeze/debian/changelog
===================================================================
--- openssl/branches/squeeze/debian/changelog 2015-06-13 10:24:49 UTC (rev 740)
+++ openssl/branches/squeeze/debian/changelog 2015-06-17 21:18:04 UTC (rev 741)
@@ -1,3 +1,14 @@
+openssl (0.9.8o-4squeeze21) squeeze-lts; urgency=medium
+
+ * Fix CVE-2015-1791
+ * Fix CVE-2015-1792
+ * Fix CVE-2015-1790
+ * Fix CVE-2015-1789
+ * Fix CVE-2014-8176
+ * CVE-2015-4000: Have minimum of 768 bit for DH
+
+ -- Kurt Roeckx <kurt at roeckx.be> Wed, 17 Jun 2015 22:56:27 +0200
+
openssl (0.9.8o-4squeeze20) squeeze-lts; urgency=medium
* Fix CVE-2015-0286
Added: openssl/branches/squeeze/debian/patches/CVE-2014-8176.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/CVE-2014-8176.patch (rev 0)
+++ openssl/branches/squeeze/debian/patches/CVE-2014-8176.patch 2015-06-17 21:18:04 UTC (rev 741)
@@ -0,0 +1,31 @@
+From b79e6e3a276634582012d531f4150a5fcf84fab3 Mon Sep 17 00:00:00 2001
+From: zhu qun-ying <qunying at yahoo.com>
+Date: Mon, 2 Jun 2014 14:38:52 +0100
+Subject: [PATCH] Free up s->d1->buffered_app_data.q properly.
+
+PR#3286
+(cherry picked from commit 71e95000afb2227fe5cac1c79ae884338bcd8d0b)
+---
+ ssl/d1_lib.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+Index: openssl-0.9.8o/ssl/d1_lib.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/d1_lib.c 2015-06-17 20:58:57.000000000 +0000
++++ openssl-0.9.8o/ssl/d1_lib.c 2015-06-17 21:08:12.585842615 +0000
+@@ -186,9 +186,12 @@
+
+ while ( (item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL)
+ {
+- frag = (hm_fragment *)item->data;
+- OPENSSL_free(frag->fragment);
+- OPENSSL_free(frag);
++ rdata = (DTLS1_RECORD_DATA *) item->data;
++ if (rdata->rbuf.buf)
++ {
++ OPENSSL_free(rdata->rbuf.buf);
++ }
++ OPENSSL_free(item->data);
+ pitem_free(item);
+ }
+ pqueue_free(s->d1->buffered_app_data.q);
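Review bot: The cast `rdata = (DTLS1_RECORD_DATA *) item->data;` is the whole fix, yet nothing in the hunk records why the element type changed, so the next reader of this loop has no way to know that buffered_app_data.q holds record-layer entries rather than handshake fragments; add `/* entries are DTLS1_RECORD_DATA (record layer), not hm_fragment */` above the cast. The hunk does not show a declaration of `rdata`; if the enclosing function does not already declare `DTLS1_RECORD_DATA *rdata;`, the backport needs that line as well, which is best confirmed by a build. The enclosing function starts and ends outside the hunk.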
Added: openssl/branches/squeeze/debian/patches/CVE-2015-1789.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/CVE-2015-1789.patch (rev 0)
+++ openssl/branches/squeeze/debian/patches/CVE-2015-1789.patch 2015-06-17 21:18:04 UTC (rev 741)
@@ -0,0 +1,134 @@
+From 370ac320301e28bb615cee80124c042649c95d14 Mon Sep 17 00:00:00 2001
+From: Emilia Kasper <emilia at openssl.org>
+Date: Wed, 8 Apr 2015 16:56:43 +0200
+Subject: [PATCH] Fix length checks in X509_cmp_time to avoid out-of-bounds
+ reads.
+
+Also tighten X509_cmp_time to reject more than three fractional
+seconds in the time; and to reject trailing garbage after the offset.
+
+CVE-2015-1789
+
+Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
+Reviewed-by: Richard Levitte <levitte at openssl.org>
+---
+ crypto/x509/x509_vfy.c | 57 +++++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 47 insertions(+), 10 deletions(-)
+
+Index: openssl-0.9.8o/crypto/x509/x509_vfy.c
+===================================================================
+--- openssl-0.9.8o.orig/crypto/x509/x509_vfy.c 2015-06-17 20:58:57.065876527 +0000
++++ openssl-0.9.8o/crypto/x509/x509_vfy.c 2015-06-17 21:15:45.376035414 +0000
+@@ -1078,54 +1078,93 @@
+ ASN1_TIME atm;
+ long offset;
+ char buff1[24],buff2[24],*p;
+- int i,j;
++ int i,j,remaining;
+
+ p=buff1;
+- i=ctm->length;
++ remaining = ctm->length;
+ str=(char *)ctm->data;
++ /*
++ * Note that the following (historical) code allows much more slack in the
++ * time format than RFC5280. In RFC5280, the representation is fixed:
++ * UTCTime: YYMMDDHHMMSSZ
++ * GeneralizedTime: YYYYMMDDHHMMSSZ
++ */
+ if (ctm->type == V_ASN1_UTCTIME)
+ {
+- if ((i < 11) || (i > 17)) return 0;
++ /* YYMMDDHHMM[SS]Z or YYMMDDHHMM[SS](+-)hhmm */
++ int min_length = sizeof("YYMMDDHHMMZ") - 1;
++ int max_length = sizeof("YYMMDDHHMMSS+hhmm") - 1;
++ if (remaining < min_length || remaining > max_length)
++ return 0;
+ memcpy(p,str,10);
+ p+=10;
+ str+=10;
++ remaining -= 10;
+ }
+ else
+ {
+- if (i < 13) return 0;
++ /* YYYYMMDDHHMM[SS[.fff]]Z or YYYYMMDDHHMM[SS[.f[f[f]]]](+-)hhmm */
++ int min_length = sizeof("YYYYMMDDHHMMZ") - 1;
++ int max_length = sizeof("YYYYMMDDHHMMSS.fff+hhmm") - 1;
++ if (remaining < min_length || remaining > max_length)
++ return 0;
+ memcpy(p,str,12);
+ p+=12;
+ str+=12;
++ remaining -= 12;
+ }
+
+ if ((*str == 'Z') || (*str == '-') || (*str == '+'))
+ { *(p++)='0'; *(p++)='0'; }
+ else
+ {
++ /* SS (seconds) */
++ if (remaining < 2)
++ return 0;
+ *(p++)= *(str++);
+ *(p++)= *(str++);
+- /* Skip any fractional seconds... */
+- if (*str == '.')
++ remaining -= 2;
++ /*
++ * Skip any (up to three) fractional seconds...
++ * TODO(emilia): in RFC5280, fractional seconds are forbidden.
++ * Can we just kill them altogether?
++ */
++ if (remaining && *str == '.')
+ {
+ str++;
+- while ((*str >= '0') && (*str <= '9')) str++;
++ remaining--;
++ for (i = 0; i < 3 && remaining; i++, str++, remaining--)
++ {
++ if (*str < '0' || *str > '9')
++ break;
++ }
+ }
+-
+ }
+ *(p++)='Z';
+ *(p++)='\0';
+
+- if (*str == 'Z')
+- offset=0;
+- else
+- {
+- if ((*str != '+') && (*str != '-'))
+- return 0;
+- offset=((str[1]-'0')*10+(str[2]-'0'))*60;
+- offset+=(str[3]-'0')*10+(str[4]-'0');
+- if (*str == '-')
+- offset= -offset;
+- }
++ /* We now need either a terminating 'Z' or an offset. */
++ if (!remaining)
++ return 0;
++ if (*str == 'Z') {
++ if (remaining != 1)
++ return 0;
++ offset=0;
++ } else {
++ /* (+-)HHMM */
++ if ((*str != '+') && (*str != '-'))
++ return 0;
++ /* Historical behaviour: the (+-)hhmm offset is forbidden in RFC5280. */
++ if (remaining != 5)
++ return 0;
++ if (str[1] < '0' || str[1] > '9' || str[2] < '0' || str[2] > '9' ||
++ str[3] < '0' || str[3] > '9' || str[4] < '0' || str[4] > '9')
++ return 0;
++ offset=((str[1]-'0')*10+(str[2]-'0'))*60;
++ offset+=(str[3]-'0')*10+(str[4]-'0');
++ if (*str == '-')
++ offset= -offset;
++ }
+ atm.type=ctm->type;
+ atm.length=sizeof(buff2);
+ atm.data=(unsigned char *)buff2;
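Review bot: The two seconds bytes copied by `*(p++)= *(str++);` in the `/* SS (seconds) */` branch are still accepted without checking that they are digits, whereas the new `(+-)HHMM` branch validates every offset digit before doing arithmetic on it; a non-digit pair there is copied into buff1 unnoticed and presumably only shows up as a wrong comparison result later. For consistency with the offset check, add `if (str[0] < '0' || str[0] > '9' || str[1] < '0' || str[1] > '9') return 0;` immediately after the `remaining < 2` test. The length bookkeeping itself looks right: every dereference of `*str` after the type branch is preceded by a `remaining` check, and the `for` loop caps fractional digits at three so a fourth digit reaches the `Z`/offset test and is rejected. X509_cmp_time's declaration and its comparison tail lie outside the hunk.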
Added: openssl/branches/squeeze/debian/patches/CVE-2015-1790.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/CVE-2015-1790.patch (rev 0)
+++ openssl/branches/squeeze/debian/patches/CVE-2015-1790.patch 2015-06-17 21:18:04 UTC (rev 741)
@@ -0,0 +1,66 @@
+From 5fbc59cac60db4d7c3172152b8bdafe0c675fabd Mon Sep 17 00:00:00 2001
+From: Emilia Kasper <emilia at openssl.org>
+Date: Tue, 12 May 2015 19:00:30 +0200
+Subject: [PATCH] PKCS#7: Fix NULL dereference with missing EncryptedContent.
+
+CVE-2015-1790
+
+Reviewed-by: Rich Salz <rsalz at openssl.org>
+---
+ crypto/pkcs7/pk7_doit.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+Index: openssl-1.0.1e/crypto/pkcs7/pk7_doit.c
+===================================================================
+--- openssl-1.0.1e.orig/crypto/pkcs7/pk7_doit.c 2015-06-13 10:23:02.711151000 +0000
++++ openssl-1.0.1e/crypto/pkcs7/pk7_doit.c 2015-06-13 10:23:05.231096980 +0000
+@@ -468,12 +468,19 @@
+ switch (i)
+ {
+ case NID_pkcs7_signed:
++ /*
++ * p7->d.sign->contents is a PKCS7 structure consisting of a contentType
++ * field and optional content.
++ * data_body is NULL if that structure has no (=detached) content
++ * or if the contentType is wrong (i.e., not "data").
++ */
+ data_body=PKCS7_get_octet_string(p7->d.sign->contents);
+ md_sk=p7->d.sign->md_algs;
+ break;
+ case NID_pkcs7_signedAndEnveloped:
+ rsk=p7->d.signed_and_enveloped->recipientinfo;
+ md_sk=p7->d.signed_and_enveloped->md_algs;
++ /* data_body is NULL if the optional EncryptedContent is missing. */
+ data_body=p7->d.signed_and_enveloped->enc_data->enc_data;
+ enc_alg=p7->d.signed_and_enveloped->enc_data->algorithm;
+ evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm);
+@@ -486,6 +493,7 @@
+ case NID_pkcs7_enveloped:
+ rsk=p7->d.enveloped->recipientinfo;
+ enc_alg=p7->d.enveloped->enc_data->algorithm;
++ /* data_body is NULL if the optional EncryptedContent is missing. */
+ data_body=p7->d.enveloped->enc_data->enc_data;
+ evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm);
+ if (evp_cipher == NULL)
+@@ -499,6 +507,12 @@
+ goto err;
+ }
+
++ /* Detached content must be supplied via in_bio instead. */
++ if (data_body == NULL && in_bio == NULL) {
++ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
++ goto err;
++ }
++
+ /* We will be checking the signature */
+ if (md_sk != NULL)
+ {
+@@ -655,7 +669,7 @@
+ }
+
+ #if 1
+- if (PKCS7_is_detached(p7) || (in_bio != NULL))
++ if (in_bio != NULL)
+ {
+ bio=in_bio;
+ }
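Review bot: The new guard `if (data_body == NULL && in_bio == NULL) {` is laid out in K&R brace style, while the function it lands in uses the brace-on-its-own-line layout visible at `switch (i)` / `{` and `if (md_sk != NULL)` / `{` in this same hunk; the backport should be re-indented to match so the function does not mix two styles. The hunk also carries `openssl-1.0.1e/` path prefixes, and CVE-2015-1792.patch carries `openssl-1.0.1k/`, whereas every other patch in this commit uses `openssl-0.9.8o/`; quilt's default -p1 strip makes them apply regardless, but normalising the prefixes keeps the series honest about which tree the hunks were generated against. Dropping `PKCS7_is_detached(p7) ||` from the bio selection is consistent with the new guard, which now rejects detached content without an in_bio before this point, and that dependency deserves a one-line comment at the changed `if (in_bio != NULL)`, e.g. `/* detached content with no in_bio was rejected above */`. PKCS7_dataDecode starts and ends outside the hunk.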
Added: openssl/branches/squeeze/debian/patches/CVE-2015-1791.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/CVE-2015-1791.patch (rev 0)
+++ openssl/branches/squeeze/debian/patches/CVE-2015-1791.patch 2015-06-17 21:18:04 UTC (rev 741)
@@ -0,0 +1,222 @@
+This is a combination of the following upstream commits:
+98ece4eebfb6cd45cc8d550c6ac0022965071afc
+dcad51bc13c9b716d9a66248bcc4038c071ff158
+708cf593587e2fda67dae9782991ff9fccc781eb
+
+
+Index: openssl-0.9.8o/ssl/s3_clnt.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/s3_clnt.c 2015-06-17 21:15:36.532227023 +0000
++++ openssl-0.9.8o/ssl/s3_clnt.c 2015-06-17 21:15:45.396034981 +0000
+@@ -1741,6 +1741,38 @@
+ }
+
+ p=d=(unsigned char *)s->init_msg;
++
++ if (s->session->session_id_length > 0) {
++ int i = s->session_ctx->session_cache_mode;
++ SSL_SESSION *new_sess;
++ /*
++ * We reused an existing session, so we need to replace it with a new
++ * one
++ */
++ if (i & SSL_SESS_CACHE_CLIENT) {
++ /*
++ * Remove the old session from the cache
++ */
++ if (i & SSL_SESS_CACHE_NO_INTERNAL_STORE) {
++ if (s->session_ctx->remove_session_cb != NULL)
++ s->session_ctx->remove_session_cb(s->session_ctx,
++ s->session);
++ } else {
++ /* We carry on if this fails */
++ SSL_CTX_remove_session(s->session_ctx, s->session);
++ }
++ }
++
++ if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
++ al = SSL_AD_INTERNAL_ERROR;
++ SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
++ goto f_err;
++ }
++
++ SSL_SESSION_free(s->session);
++ s->session = new_sess;
++ }
++
+ n2l(p, s->session->tlsext_tick_lifetime_hint);
+ n2s(p, ticklen);
+ /* ticket_lifetime_hint + ticket_length + ticket */
+Index: openssl-0.9.8o/ssl/ssl.h
+===================================================================
+--- openssl-0.9.8o.orig/ssl/ssl.h 2015-06-17 21:08:56.612889273 +0000
++++ openssl-0.9.8o/ssl/ssl.h 2015-06-17 21:15:45.468033421 +0000
+@@ -1839,6 +1839,7 @@
+ #define SSL_F_SSL_READ 223
+ #define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187
+ #define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188
++#define SSL_F_SSL_SESSION_DUP 348
+ #define SSL_F_SSL_SESSION_NEW 189
+ #define SSL_F_SSL_SESSION_PRINT_FP 190
+ #define SSL_F_SSL_SESS_CERT_NEW 225
+Index: openssl-0.9.8o/ssl/ssl_err.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/ssl_err.c 2015-06-17 21:08:56.680887802 +0000
++++ openssl-0.9.8o/ssl/ssl_err.c 2015-06-17 21:15:45.468033421 +0000
+@@ -231,6 +231,7 @@
+ {ERR_FUNC(SSL_F_SSL_READ), "SSL_read"},
+ {ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT), "SSL_RSA_PRIVATE_DECRYPT"},
+ {ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT), "SSL_RSA_PUBLIC_ENCRYPT"},
++{ERR_FUNC(SSL_F_SSL_SESSION_DUP), "ssl_session_dup"},
+ {ERR_FUNC(SSL_F_SSL_SESSION_NEW), "SSL_SESSION_new"},
+ {ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP), "SSL_SESSION_print_fp"},
+ {ERR_FUNC(SSL_F_SSL_SESS_CERT_NEW), "SSL_SESS_CERT_NEW"},
+Index: openssl-0.9.8o/ssl/ssl_locl.h
+===================================================================
+--- openssl-0.9.8o.orig/ssl/ssl_locl.h 2015-06-17 20:58:57.189873833 +0000
++++ openssl-0.9.8o/ssl/ssl_locl.h 2015-06-17 21:15:45.468033421 +0000
+@@ -731,6 +731,7 @@
+ int ssl_set_peer_cert_type(SESS_CERT *c, int type);
+ int ssl_get_new_session(SSL *s, int session);
+ int ssl_get_prev_session(SSL *s, unsigned char *session,int len, const unsigned char *limit);
++SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket);
+ int ssl_cipher_id_cmp(const SSL_CIPHER *a,const SSL_CIPHER *b);
+ int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
+ const SSL_CIPHER * const *bp);
+Index: openssl-0.9.8o/ssl/ssl_sess.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/ssl_sess.c 2010-02-01 16:48:40.000000000 +0000
++++ openssl-0.9.8o/ssl/ssl_sess.c 2015-06-17 21:15:45.468033421 +0000
+@@ -132,6 +132,132 @@
+ return(ss);
+ }
+
++
++/*
++ * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
++ * ticket == 0 then no ticket information is duplicated, otherwise it is.
++ */
++SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
++{
++ SSL_SESSION *dest;
++
++ dest = OPENSSL_malloc(sizeof(*src));
++ if (dest == NULL) {
++ goto err;
++ }
++ memcpy(dest, src, sizeof(*dest));
++
++ /*
++ * Set the various pointers to NULL so that we can call SSL_SESSION_free in
++ * the case of an error whilst halfway through constructing dest
++ */
++#ifndef OPENSSL_NO_PSK
++ dest->psk_identity_hint = NULL;
++ dest->psk_identity = NULL;
++#endif
++ dest->ciphers = NULL;
++#ifndef OPENSSL_NO_TLSEXT
++ dest->tlsext_hostname = NULL;
++# ifndef OPENSSL_NO_EC
++ dest->tlsext_ecpointformatlist = NULL;
++ dest->tlsext_ellipticcurvelist = NULL;
++# endif
++#endif
++ dest->tlsext_tick = NULL;
++#ifndef OPENSSL_NO_SRP
++ dest->srp_username = NULL;
++#endif
++ memset(&dest->ex_data, 0, sizeof(dest->ex_data));
++
++ /* We deliberately don't copy the prev and next pointers */
++ dest->prev = NULL;
++ dest->next = NULL;
++
++ dest->references = 1;
++
++ if (src->sess_cert != NULL)
++ CRYPTO_add(&src->sess_cert->references, 1, CRYPTO_LOCK_SSL_SESS_CERT);
++
++ if (src->peer != NULL)
++ CRYPTO_add(&src->peer->references, 1, CRYPTO_LOCK_X509);
++
++#ifndef OPENSSL_NO_PSK
++ if (src->psk_identity_hint) {
++ dest->psk_identity_hint = BUF_strdup(src->psk_identity_hint);
++ if (dest->psk_identity_hint == NULL) {
++ goto err;
++ }
++ }
++ if (src->psk_identity) {
++ dest->psk_identity = BUF_strdup(src->psk_identity);
++ if (dest->psk_identity == NULL) {
++ goto err;
++ }
++ }
++#endif
++
++ if(src->ciphers != NULL) {
++ dest->ciphers = sk_SSL_CIPHER_dup(src->ciphers);
++ if (dest->ciphers == NULL)
++ goto err;
++ }
++
++ if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION,
++ &dest->ex_data, &src->ex_data)) {
++ goto err;
++ }
++
++#ifndef OPENSSL_NO_TLSEXT
++ if (src->tlsext_hostname) {
++ dest->tlsext_hostname = BUF_strdup(src->tlsext_hostname);
++ if (dest->tlsext_hostname == NULL) {
++ goto err;
++ }
++ }
++# ifndef OPENSSL_NO_EC
++ if (src->tlsext_ecpointformatlist) {
++ dest->tlsext_ecpointformatlist =
++ BUF_memdup(src->tlsext_ecpointformatlist,
++ src->tlsext_ecpointformatlist_length);
++ if (dest->tlsext_ecpointformatlist == NULL)
++ goto err;
++ }
++ if (src->tlsext_ellipticcurvelist) {
++ dest->tlsext_ellipticcurvelist =
++ BUF_memdup(src->tlsext_ellipticcurvelist,
++ src->tlsext_ellipticcurvelist_length);
++ if (dest->tlsext_ellipticcurvelist == NULL)
++ goto err;
++ }
++# endif
++#endif
++
++ if (ticket != 0) {
++ dest->tlsext_tick = BUF_memdup(src->tlsext_tick, src->tlsext_ticklen);
++ if(dest->tlsext_tick == NULL)
++ goto err;
++ } else {
++ dest->tlsext_tick_lifetime_hint = 0;
++ dest->tlsext_ticklen = 0;
++ }
++
++#ifndef OPENSSL_NO_SRP
++ if (src->srp_username) {
++ dest->srp_username = BUF_strdup(src->srp_username);
++ if (dest->srp_username == NULL) {
++ goto err;
++ }
++ }
++#endif
++
++ return dest;
++err:
++ SSLerr(SSL_F_SSL_SESSION_DUP, ERR_R_MALLOC_FAILURE);
++ SSL_SESSION_free(dest);
++ return NULL;
++}
++
++
+ const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
+ {
+ if(len)
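Review bot: In ssl_session_dup the `if (ticket != 0) {` branch calls `BUF_memdup(src->tlsext_tick, src->tlsext_ticklen)` without first checking that src->tlsext_tick is non-NULL; BUF_memdup returns NULL for a NULL input, so duplicating a ticket-less session with ticket=1 would be reported as ERR_R_MALLOC_FAILURE. The only caller in this commit passes 0, so the defect is latent, but the condition should read `if (ticket != 0 && src->tlsext_tick != NULL) {`, keeping the else branch that zeroes the lifetime hint and length. The `#ifndef OPENSSL_NO_SRP` blocks are carried over from the upstream function; the page does not show whether this tree's SSL_SESSION has an srp_username member or whether its configuration defines OPENSSL_NO_SRP, so confirm with a build that the block is either valid or compiled out. In the s3_clnt.c hunk, `== 0` on the pointer returned by ssl_session_dup would read better as `== NULL`, matching the `!= NULL` test on remove_session_cb earlier in the same block.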
Added: openssl/branches/squeeze/debian/patches/CVE-2015-1792.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/CVE-2015-1792.patch (rev 0)
+++ openssl/branches/squeeze/debian/patches/CVE-2015-1792.patch 2015-06-17 21:18:04 UTC (rev 741)
@@ -0,0 +1,28 @@
+From dd90a91d8771fd1ad5083fd46a2b3da16a587757 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Fri, 5 Jun 2015 12:11:25 +0100
+Subject: [PATCH] Fix infinite loop in CMS
+
+Fix loop in do_free_upto if cmsbio is NULL: this will happen when attempting
+to verify and a digest is not recognised. Reported by Johannes Bauer.
+
+CVE-2015-1792
+
+Reviewed-by: Matt Caswell <matt at openssl.org>
+---
+ crypto/cms/cms_smime.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: openssl-1.0.1k/crypto/cms/cms_smime.c
+===================================================================
+--- openssl-1.0.1k.orig/crypto/cms/cms_smime.c
++++ openssl-1.0.1k/crypto/cms/cms_smime.c
+@@ -141,7 +141,7 @@ static void do_free_upto(BIO *f, BIO *up
+ BIO_free(f);
+ f = tbio;
+ }
+- while (f != upto);
++ while (f && f != upto);
+ }
+ else
+ BIO_free_all(f);
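Review bot: The repaired condition `while (f && f != upto);` only ends the loop once `f` has become NULL, so on entry with `f == NULL` the do-while body still runs once and the fix relies on BIO_pop and BIO_free accepting a NULL argument; that reliance is worth stating in a comment above the loop, e.g. `/* f may be NULL on entry (no digest BIO): BIO_pop/BIO_free accept NULL and the test below then ends the loop */`. A guard `if (f == NULL) return;` at the top of do_free_upto would make the intent explicit instead of implicit, and would also cover the case where upto is not in the chain at all. The head of the function, including the `do` and the BIO_pop call, lies outside the hunk.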
Added: openssl/branches/squeeze/debian/patches/CVE-2015-4000.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/CVE-2015-4000.patch (rev 0)
+++ openssl/branches/squeeze/debian/patches/CVE-2015-4000.patch 2015-06-17 21:18:04 UTC (rev 741)
@@ -0,0 +1,91 @@
+From 63830384e90d9b36d2793d4891501ec024827433 Mon Sep 17 00:00:00 2001
+From: Emilia Kasper <emilia at openssl.org>
+Date: Tue, 19 May 2015 12:05:22 +0200
+Subject: [PATCH] client: reject handshakes with DH parameters < 768 bits.
+
+Since the client has no way of communicating her supported parameter
+range to the server, connections to servers that choose weak DH will
+simply fail.
+
+Reviewed-by: Kurt Roeckx <kurt at openssl.org>
+---
+ CHANGES | 3 ++-
+ ssl/s3_clnt.c | 22 ++++++++++++++++------
+ ssl/ssl.h | 1 +
+ ssl/ssl_err.c | 1 +
+ 4 files changed, 20 insertions(+), 7 deletions(-)
+
+Index: openssl-0.9.8o/ssl/s3_clnt.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/s3_clnt.c 2015-06-17 20:58:57.000000000 +0000
++++ openssl-0.9.8o/ssl/s3_clnt.c 2015-06-17 21:15:36.532227023 +0000
+@@ -2650,25 +2650,32 @@
+ }
+ #endif
+ #ifndef OPENSSL_NO_DH
+- if ((algs & SSL_kEDH) &&
+- !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
+- {
+- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
+- goto f_err;
+- }
+- else if ((algs & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
+- {
+- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
+- goto f_err;
+- }
++ if ((alg_k & SSL_kEDH) && dh == NULL) {
++ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);
++ goto f_err;
++ }
++ if ((alg_k & SSL_kDHr) && !has_bits(i, EVP_PK_DH | EVP_PKS_RSA)) {
++ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
++ SSL_R_MISSING_DH_RSA_CERT);
++ goto f_err;
++ }
+ #ifndef OPENSSL_NO_DSA
+- else if ((algs & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
++ if ((algs & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
+ {
+ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
+ goto f_err;
+ }
+ #endif
+-#endif
++ /* Check DHE only: static DH not implemented. */
++ if (alg_k & SSL_kEDH) {
++ int dh_size = BN_num_bits(dh->p);
++ if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 768)
++ || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) {
++ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL);
++ goto f_err;
++ }
++ }
++#endif /* !OPENSSL_NO_DH */
+
+ if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
+ {
+Index: openssl-0.9.8o/ssl/ssl.h
+===================================================================
+--- openssl-0.9.8o.orig/ssl/ssl.h 2015-06-17 20:58:57.000000000 +0000
++++ openssl-0.9.8o/ssl/ssl.h 2015-06-17 21:08:56.612889273 +0000
+@@ -1930,6 +1930,7 @@
+ #define SSL_R_DATA_LENGTH_TOO_LONG 146
+ #define SSL_R_DECRYPTION_FAILED 147
+ #define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 281
++#define SSL_R_DH_KEY_TOO_SMALL 372
+ #define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148
+ #define SSL_R_DIGEST_CHECK_FAILED 149
+ #define SSL_R_DTLS_MESSAGE_TOO_BIG 318
+Index: openssl-0.9.8o/ssl/ssl_err.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/ssl_err.c 2015-06-17 20:58:57.000000000 +0000
++++ openssl-0.9.8o/ssl/ssl_err.c 2015-06-17 21:08:56.680887802 +0000
+@@ -325,6 +325,7 @@
+ {ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG) ,"data length too long"},
+ {ERR_REASON(SSL_R_DECRYPTION_FAILED) ,"decryption failed"},
+ {ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC),"decryption failed or bad record mac"},
++{ERR_REASON(SSL_R_DH_KEY_TOO_SMALL), "dh key too small"},
+ {ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG),"dh public value length is wrong"},
+ {ERR_REASON(SSL_R_DIGEST_CHECK_FAILED) ,"digest check failed"},
+ {ERR_REASON(SSL_R_DTLS_MESSAGE_TOO_BIG) ,"dtls message too big"},
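Review bot: The new checks in ssl3_check_cert_and_algorithm test `alg_k & SSL_kEDH` and `alg_k & SSL_kDHr`, while the retained `SSL_kDHd` line two lines below still tests `algs`, and no declaration of alg_k appears in the hunk; the variable the old code used for the cipher's algorithm mask in this tree is `algs`, so unless the backport declares alg_k elsewhere in the function this will not compile, and even if it does, two names for the same mask in one function is confusing. Use `algs` throughout the backport: `if ((algs & SSL_kEDH) && dh == NULL) {`, `if ((algs & SSL_kDHr) && !has_bits(i, EVP_PK_DH | EVP_PKS_RSA)) {`, `if (algs & SSL_kEDH) {`. The 768/512-bit thresholds are explained only in the commit message; a comment at the check such as `/* Reject DH groups below 768 bits (512 for export ciphers); smaller groups are practically breakable (CVE-2015-4000) */` would help the next reader. The function starts and ends outside the hunk.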
Modified: openssl/branches/squeeze/debian/patches/series
===================================================================
--- openssl/branches/squeeze/debian/patches/series 2015-06-13 10:24:49 UTC (rev 740)
+++ openssl/branches/squeeze/debian/patches/series 2015-06-17 21:18:04 UTC (rev 741)
@@ -81,3 +81,9 @@
0001-evp-prevent-underflow-in-base64-decoding.patch
0008-Fix-a-failure-to-NULL-a-pointer-freed-on-error.patch
0001-Disable-export-and-SSLv2-ciphers-by-default.patch
+CVE-2014-8176.patch
+CVE-2015-4000.patch
+CVE-2015-1789.patch
+CVE-2015-1792.patch
+CVE-2015-1791.patch
+CVE-2015-1790.patch
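Review bot: The order of the six new entries is load-bearing but undocumented: CVE-2015-4000.patch and CVE-2015-1791.patch both modify ssl/s3_clnt.c, ssl/ssl.h and ssl/ssl_err.c, and the `---` timestamps inside CVE-2015-1791.patch (s3_clnt.c at 21:15:36.532227023, for example) match the `+++` timestamps of CVE-2015-4000.patch, so 1791 was generated on top of 4000 and only applies in this order. Quilt accepts `#` comment lines in series; add `# CVE-2015-4000 must precede CVE-2015-1791 (both touch s3_clnt.c, ssl.h, ssl_err.c)` above these entries so a later reorder does not break the series.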