[Pkg-openssl-changes] r763 - in openssl/branches/squeeze/debian: . patches
Kurt Roeckx
kroeckx at moszumanska.debian.org
Sat Feb 20 12:15:33 UTC 2016
Author: kroeckx
Date: 2016-02-20 12:15:33 +0000 (Sat, 20 Feb 2016)
New Revision: 763
Added:
openssl/branches/squeeze/debian/patches/Always-generate-DH-keys-for-ephemeral-DH-cipher-suit.patch
openssl/branches/squeeze/debian/patches/CVE-2015-3197.patch
Modified:
openssl/branches/squeeze/debian/changelog
openssl/branches/squeeze/debian/patches/series
Log:
- Fix CVE-2015-3197
- Always generate new key for DHE.
Modified: openssl/branches/squeeze/debian/changelog
===================================================================
--- openssl/branches/squeeze/debian/changelog 2016-01-28 18:36:07 UTC (rev 762)
+++ openssl/branches/squeeze/debian/changelog 2016-02-20 12:15:33 UTC (rev 763)
@@ -1,3 +1,10 @@
+openssl (0.9.8o-4squeeze23) squeeze-lts; urgency=medium
+
+ * Fix CVE-2015-3197
+ * Always generate new key for DHE.
+
+ -- Kurt Roeckx <kurt at roeckx.be> Sat, 20 Feb 2016 12:31:42 +0100
+
openssl (0.9.8o-4squeeze22) squeeze-lts; urgency=medium
* Fix CVE-2015-3195
Added: openssl/branches/squeeze/debian/patches/Always-generate-DH-keys-for-ephemeral-DH-cipher-suit.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/Always-generate-DH-keys-for-ephemeral-DH-cipher-suit.patch (rev 0)
+++ openssl/branches/squeeze/debian/patches/Always-generate-DH-keys-for-ephemeral-DH-cipher-suit.patch 2016-02-20 12:15:33 UTC (rev 763)
@@ -0,0 +1,99 @@
+From 5475d108f64b8a56141dc0b29ac841695f9dfa5f Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt at openssl.org>
+Date: Thu, 17 Dec 2015 02:57:20 +0000
+Subject: [PATCH 1/2] Always generate DH keys for ephemeral DH cipher suites
+
+Modified version of the commit ffaef3f15 in the master branch by Stephen
+Henson. This makes the SSL_OP_SINGLE_DH_USE option a no-op and always
+generates a new DH key for every handshake regardless.
+
+This is a follow on from CVE-2016-0701. This branch is not impacted by
+that CVE because it does not support X9.42 style parameters. It is still
+possible to generate parameters based on primes that are not "safe",
+although by default OpenSSL does not do this. The documentation does
+sign post that using such parameters is unsafe if the private DH key is
+reused. However to avoid accidental problems or future attacks this commit
+has been backported to this branch.
+
+Issue reported by Antonio Sanso
+---
+ doc/ssl/SSL_CTX_set_tmp_dh_callback.pod | 29 +++++------------------------
+ ssl/s3_lib.c | 14 --------------
+ ssl/s3_srvr.c | 17 +++--------------
+ ssl/ssl.h | 2 +-
+ 4 files changed, 9 insertions(+), 53 deletions(-)
+
+Index: openssl-0.9.8o/ssl/s3_lib.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/s3_lib.c
++++ openssl-0.9.8o/ssl/s3_lib.c
+@@ -1850,15 +1850,6 @@ long ssl3_ctrl(SSL *s, int cmd, long lar
+ SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
+ return(ret);
+ }
+- if (!(s->options & SSL_OP_SINGLE_DH_USE))
+- {
+- if (!DH_generate_key(dh))
+- {
+- DH_free(dh);
+- SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
+- return(ret);
+- }
+- }
+ if (s->cert->dh_tmp != NULL)
+ DH_free(s->cert->dh_tmp);
+ s->cert->dh_tmp = dh;
+@@ -2131,15 +2122,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd
+ SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB);
+ return 0;
+ }
+- if (!(ctx->options & SSL_OP_SINGLE_DH_USE))
+- {
+- if (!DH_generate_key(new))
+- {
+- SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB);
+- DH_free(new);
+- return 0;
+- }
+- }
+ if (cert->dh_tmp != NULL)
+ DH_free(cert->dh_tmp);
+ cert->dh_tmp=new;
+Index: openssl-0.9.8o/ssl/s3_srvr.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/s3_srvr.c
++++ openssl-0.9.8o/ssl/s3_srvr.c
+@@ -1344,28 +1344,11 @@ int ssl3_send_server_key_exchange(SSL *s
+ }
+
+ s->s3->tmp.dh=dh;
+- if ((dhp->pub_key == NULL ||
+- dhp->priv_key == NULL ||
+- (s->options & SSL_OP_SINGLE_DH_USE)))
+- {
+- if(!DH_generate_key(dh))
+- {
+- SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
+- ERR_R_DH_LIB);
+- goto err;
+- }
+- }
+- else
+- {
+- dh->pub_key=BN_dup(dhp->pub_key);
+- dh->priv_key=BN_dup(dhp->priv_key);
+- if ((dh->pub_key == NULL) ||
+- (dh->priv_key == NULL))
+- {
+- SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
+- goto err;
+- }
+- }
++ if (!DH_generate_key(dh))
++ {
++ SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
++ goto err;
++ }
+ r[0]=dh->p;
+ r[1]=dh->g;
+ r[2]=dh->pub_key;
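Review bot: The diffstat in this patch header lists four files, but only the `ssl/s3_lib.c` and `ssl/s3_srvr.c` sections are carried in the 99 added lines. Nothing in the patched tree therefore records that `SSL_OP_SINGLE_DH_USE` no longer has any effect, and the `doc/ssl/SSL_CTX_set_tmp_dh_callback.pod` text and the `ssl/ssl.h` comment presumably still describe the old behaviour. I would at least add a comment above the now-unconditional call in `ssl3_send_server_key_exchange`, for example `/* Always generate a fresh DH key per handshake: SSL_OP_SINGLE_DH_USE is a no-op, and a reused private key is unsafe with non-safe-prime parameters */`. The two `ssl/s3_lib.c` hunks would benefit from a matching one-line comment saying that `dh_tmp` is now stored as parameters only, so a key already present in the caller's `DH` is never used for the handshake. The enclosing functions start and end outside the hunks, so the surrounding setup of `dh` and `dhp` is not visible here.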
Added: openssl/branches/squeeze/debian/patches/CVE-2015-3197.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/CVE-2015-3197.patch (rev 0)
+++ openssl/branches/squeeze/debian/patches/CVE-2015-3197.patch 2016-02-20 12:15:33 UTC (rev 763)
@@ -0,0 +1,57 @@
+From d9f4be0f98b7746037846859a4b7fa5d42b0e6b2 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <openssl-users at dukhovni.org>
+Date: Wed, 30 Dec 2015 22:44:51 -0500
+Subject: [PATCH 2/2] Better SSLv2 cipher-suite enforcement
+
+Based on patch by: Nimrod Aviram <nimrod.aviram at gmail.com>
+
+CVE-2015-3197
+
+Reviewed-by: Tim Hudson <tjh at openssl.org>
+Reviewed-by: Richard Levitte <levitte at openssl.org>
+---
+ ssl/s2_srvr.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+Index: openssl-0.9.8o/ssl/s2_srvr.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/s2_srvr.c
++++ openssl-0.9.8o/ssl/s2_srvr.c
+@@ -393,7 +393,7 @@ static int get_client_master_key(SSL *s)
+ }
+
+ cp=ssl2_get_cipher_by_char(p);
+- if (cp == NULL)
++ if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0)
+ {
+ ssl2_return_error(s,SSL2_PE_NO_CIPHER);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
+@@ -691,9 +691,12 @@ static int get_client_hello(SSL *s)
+ prio = cs;
+ allow = cl;
+ }
++ /* Generate list of SSLv2 ciphers shared between client and server */
+ for (z=0; z<sk_SSL_CIPHER_num(prio); z++)
+ {
+- if (sk_SSL_CIPHER_find(allow,sk_SSL_CIPHER_value(prio,z)) < 0)
++ const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z);
++ if ((cp->algorithms & SSL_SSLV2) == 0 ||
++ sk_SSL_CIPHER_find(allow, cp) < 0)
+ {
+ (void)sk_SSL_CIPHER_delete(prio,z);
+ z--;
+@@ -704,6 +707,14 @@ static int get_client_hello(SSL *s)
+ sk_SSL_CIPHER_free(s->session->ciphers);
+ s->session->ciphers = prio;
+ }
++
++ /* Make sure we have at least one cipher in common */
++ if (sk_SSL_CIPHER_num(s->session->ciphers) == 0) {
++ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
++ SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH);
++ return -1;
++ }
++
+ /* s->session->ciphers should now have a list of
+ * ciphers that are on both the client and server.
+ * This list is ordered by the order the client sent
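Review bot: The new "at least one cipher in common" check in `get_client_hello` tests `sk_SSL_CIPHER_num(s->session->ciphers) == 0`, but `sk_SSL_CIPHER_num` returns -1 for a NULL stack, so a NULL list would pass this check rather than fail closed. Whether `s->session->ciphers` can be NULL at that point depends on code outside the hunk, so this is a defensive suggestion: `if (sk_SSL_CIPHER_num(s->session->ciphers) <= 0) {`. The companion check in `get_client_master_key` relies on that same list being the filtered shared set, so a short comment there would help the next reader, for example `/* reject ciphers not in the shared list negotiated in get_client_hello */`. As a style point, the added block puts its opening brace on the `if` line while the surrounding code puts it on its own line.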
Modified: openssl/branches/squeeze/debian/patches/series
===================================================================
--- openssl/branches/squeeze/debian/patches/series 2016-01-28 18:36:07 UTC (rev 762)
+++ openssl/branches/squeeze/debian/patches/series 2016-02-20 12:15:33 UTC (rev 763)
@@ -88,3 +88,5 @@
CVE-2015-1791.patch
CVE-2015-1790.patch
CVE-2015-3195.patch
+Always-generate-DH-keys-for-ephemeral-DH-cipher-suit.patch
+CVE-2015-3197.patch