os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Add SA-14:20 - SA-14:23.

Browse source
This commit is contained in:
Xin LI 2014-10-21 20:48:08 +00:00
parent a6ae266054
commit 80fa2f495c
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=45857
19 changed files with 3158 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

169
share/security/advisories/FreeBSD-SA-14:20.rtsold.asc Normal file
View file

@ -0,0 +1,169 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-14:20.rtsold Security Advisory
The FreeBSD Project
Topic: rtsold(8) remote buffer overflow vulnerability
Category: core
Module: rtsold
Announced: 2014-10-21
Credits: Florian Obser, Hiroki Sato
Affects: FreeBSD 9.1 and later.
Corrected: 2014-10-21 20:20:07 UTC (stable/10, 10.1-PRERELEASE)
2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC2-p1)
2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC1-p1)
2014-10-21 20:20:36 UTC (releng/10.1, 10.1-BETA3-p1)
2014-10-21 20:21:10 UTC (releng/10.0, 10.0-RELEASE-p10)
2014-10-21 20:20:17 UTC (stable/9, 9.3-STABLE)
2014-10-21 20:21:10 UTC (releng/9.3, 9.3-RELEASE-p3)
2014-10-21 20:21:10 UTC (releng/9.2, 9.2-RELEASE-p13)
2014-10-21 20:21:10 UTC (releng/9.1, 9.1-RELEASE-p20)
CVE Name: CVE-2014-3954
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
As part of the stateless addess autoconfiguration (SLAAC) mechanism,
IPv6 routers periodically broadcast router advertisement messages on
attached networks to inform hosts of the correct network prefix,
router address and MTU, as well as additional network parameters such
as the DNS servers (RDNSS), DNS search list (DNSSL) and whether a
stateful configuration service is available. Hosts that have recently
joined the network can broadcast a router solicitation message to
solicit an immediate advertisement instead of waiting for the next
periodic advertisement.
The router solicitation daemon, rtsold(8), broadcasts router
solicitation messages at startup or when the state of an interface
changes from passive to active. Incoming router advertisement
messages are first processed by the kernel and then passed on to
rtsold(8), which handles the DNS and stateful configuration options.
II. Problem Description
Due to a missing length check in the code that handles DNS parameters,
a malformed router advertisement message can result in a stack buffer
overflow in rtsold(8).
III. Impact
Receipt of a router advertisement message with a malformed DNSSL
option, for instance from a compromised host on the same network, can
cause rtsold(8) to crash.
While it is theoretically possible to inject code into rtsold(8)
through malformed router advertisement messages, it is normally
compiled with stack protection enabled, rendering such an attack
extremely difficult.
When rtsold(8) crashes, the existing DNS configuration will remain in
force, and the kernel will continue to receive and process periodic
router advertisements.
IV. Workaround
No workaround is available, but systems that do not run rtsold(8) are
not affected.
As a general rule, SLAAC should not be used on networks where trusted
and untrusted hosts coexist in the same broadcast domain.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-14:20/rtsold.patch
# fetch http://security.FreeBSD.org/patches/SA-14:20/rtsold.patch.asc
# gpg --verify rtsold.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/rtsold.patch
c) Recompile rtsold. Execute the following commands as root:
# cd /usr/src/usr.sbin/rtsold
# make && make install
4) Restart the affected service
To restart the affected service after updating the system, either
reboot the system or execute the following command as root:
# service rtsold restart
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r273412
releng/9.1/ r273415
releng/9.2/ r273415
releng/9.3/ r273415
stable/10/ r273411
releng/10.0/ r273415
releng/10.1/ r273414
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3954>
The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:20.rtsold.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJURsSoAAoJEO1n7NZdz2rn5GsP/2y0fUJYVdsZjA4VtUcLFp4Q
nhjGO3I4NOXZAj3c+bWwbw/Bmg7juFVXiAdLgcpK8UuTT+0znAkEcGoG+uA9q6K1
PoFjTmXoukIqtu4sd5Gxp74+xVqY41XOuwanHNMiCbvGEbInxoCs3t56C7Ai1/9m
DXhDCukNEH9JZv5qUS5L7IcosuQs2l1viU9oUA/hSfVeI9IFKp8SItDthwtLVrXe
bgr50oQdCtwR3gx3Dwkg//er3JCsSJ0ixJO0bGGaqnGLPq7gwmJf8zKy10EE2fri
AMpUcYMsO+MqhE+PyyuW9MJaPpX+zghZac75UYPh0EckIn8m2p6QGYXcDtZ18qR8
uq4JCk5nDARKuy7kraEuNJgFzNIBN/wVwOSqaF4n43vhmsuiKF9uzePrtEhB7xoN
7vT66EXXkCgiqQrQVJ6IH5LzoUJtYVDZTWLWU66r919qbQzYQFU7uslaGF8rgVIg
HZOfEbDto3dvULmbVHkaWiyotKYSKXZROBTKvTOWVs+BX37zQgg4PGuU6CqatB8R
Sltg2kxycQXoIm5XiiSL18RTgxEWb+DKfw8e/691EM1/F3XIQVNX11wJpeZwL/sf
zE9TtTnmqpIBPGIe7aURgJWwX/iA4ljAqB1t5DmgIQrJMXovMXnAVMIu4L2jy+gY
eRy82+SI3pc3thChv2hv
=L56U
-----END PGP SIGNATURE-----

163
share/security/advisories/FreeBSD-SA-14:21.routed.asc Normal file
View file

@ -0,0 +1,163 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-14:21.routed Security Advisory
The FreeBSD Project
Topic: routed(8) remote denial of service vulnerability
Category: core
Module: routed
Announced: 2014-10-21
Credits: Hiroki Sato
Affects: All supported versions of FreeBSD.
Corrected: 2014-10-21 20:20:07 UTC (stable/10, 10.1-PRERELEASE)
2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC2-p1)
2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC1-p1)
2014-10-21 20:20:36 UTC (releng/10.1, 10.1-BETA3-p1)
2014-10-21 20:21:10 UTC (releng/10.0, 10.0-RELEASE-p10)
2014-10-21 20:20:17 UTC (stable/9, 9.3-STABLE)
2014-10-21 20:21:10 UTC (releng/9.3, 9.3-RELEASE-p3)
2014-10-21 20:21:10 UTC (releng/9.2, 9.2-RELEASE-p13)
2014-10-21 20:21:10 UTC (releng/9.1, 9.1-RELEASE-p20)
2014-10-21 20:20:26 UTC (stable/8, 8.4-STABLE)
2014-10-21 20:21:27 UTC (releng/8.4, 8.4-RELEASE-p17)
CVE Name: CVE-2014-3955
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The routing information protocol (RIP) is an older routing protocol
which, while not as capable as more recent protocols such as OSPF and
BGP, is sometimes preferred for its simplicity and therefore still
used as an interior gateway protocol on smaller networks.
Routers in a RIP network periodically broadcast their routing table on
all enabled interfaces. Neighboring routers and hosts receive these
broadcasts and update their routing tables accordingly.
The routed(8) daemon is a RIP implementation for FreeBSD. The
rtquery(8) utility can be used to send a RIP query to a router and
display the result without updating the routing table.
II. Problem Description
The input path in routed(8) will accept queries from any source and
attempt to answer them. However, the output path assumes that the
destination address for the response is on a directly connected
network.
III. Impact
Upon receipt of a query from a source which is not on a directly
connected network, routed(8) will trigger an assertion and terminate.
The affected system's routing table will no longer be updated. If the
affected system is a router, its routes will eventually expire from
other routers' routing tables, and its networks will no longer be
reachable unless they are also connected to another router.
IV. Workaround
Use a packet filter such as pf(4) or ipfw(4) to block incoming UDP
packets with destination port 520 that did not originate on the same
subnet as the destination address.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-14:21/routed.patch
# fetch http://security.FreeBSD.org/patches/SA-14:21/routed.patch.asc
# gpg --verify routed.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/routed.patch
c) Recompile routed. Execute the following commands as root:
# cd /usr/src/sbin/routed
# make && make install
4) Restart the affected service
To restart the affected service after updating the system, either
reboot the system or execute the following command as root:
# service routed restart
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r273413
releng/8.4/ r273416
stable/9/ r273412
releng/9.1/ r273415
releng/9.2/ r273415
releng/9.3/ r273415
stable/10/ r272872
releng/10.0/ r273415
releng/10.1/ r273414
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3955>
The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:21.routed.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJURsSrAAoJEO1n7NZdz2rneOIQAIXaYGwNAYmVFUqa/YOtxSlQ
l1ETThsuHxuDUrlkHD82uZu6yJi+HdGz1R2xBLYlxpwk/4GO3D/IdUZI0w1LgNJs
JRHmAikUpCgcMh0QfyoHD9KSp3wPiQJ9Cmp6ajrjsdIdjrNbFwczoaWHHQ1MyRwp
kv9OEC7t9rJkZRMuCjrSvGTQVqHFixoZUdJV42a2PNYTyWZmwE33GJ+Zgv/59mPw
bzGTTI3RTuj1WUJp4MmYV3Eb8y8SnM6szUs4Wlul/uVGfEI3dXYYo3iAHQNHWpAR
sUaqoVI16P5x952I9PbMA/J5wq/Nm2bVwEAsJN9NE/KPMdD1I4QzvyAlNRFCro8S
C7qS4a0X75nQ+pehRqPVDdnvJbkxfdgsWP+jwVZ4e0244DQfiKWTKTd+If/cPHa8
T0z1uZ4xE/BQ0DpJiu9r/ndcm5ych6TbIkNXmGI05jQPntvSYQzhyUTEp2Rmq3IX
rmre4CHWrTYT7/niTJonieErmtGDe5LrUyP2Odv13euKEsCIbSOPVnDFFhAwsAjJ
zu2Tm+BPXh0lXHuq/tQ+L5lWv1uoMi9hkLxh6zhFaX4li15sS5tR+GeBXmd9h2Wp
+iT5hvgxfnQPZI3Ey932J20+7LMULlkr2aV2h5NcvroolnQIehj12z0IQBelFsXN
wtFPveXqXWUfV8WVNBJ1
=uHh+
-----END PGP SIGNATURE-----

153
share/security/advisories/FreeBSD-SA-14:22.namei.asc Normal file
View file

@ -0,0 +1,153 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-14:22.namei Security Advisory
The FreeBSD Project
Topic: memory leak in sandboxed namei lookup
Category: core
Module: kernel
Announced: 2014-10-21
Credits: Mateusz Guzik
Affects: FreeBSD 9.1 and later.
Corrected: 2014-10-21 20:20:07 UTC (stable/10, 10.1-PRERELEASE)
2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC2-p1)
2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC1-p1)
2014-10-21 20:20:36 UTC (releng/10.1, 10.1-BETA3-p1)
2014-10-21 20:21:10 UTC (releng/10.0, 10.0-RELEASE-p10)
2014-10-21 20:20:17 UTC (stable/9, 9.3-STABLE)
2014-10-21 20:21:10 UTC (releng/9.3, 9.3-RELEASE-p3)
2014-10-21 20:21:10 UTC (releng/9.2, 9.2-RELEASE-p13)
2014-10-21 20:21:10 UTC (releng/9.1, 9.1-RELEASE-p20)
CVE Name: CVE-2014-3711
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The namei kernel facility is responsible for performing and caching
translations from path names to file system objects (vnodes).
Capsicum is a lightweight capability and sandbox framework using a
hybrid capability system model. It is often used to create sandboxes
for applications that process data from untrusted sources.
II. Problem Description
The namei facility will leak a small amount of kernel memory every
time a sandboxed process looks up a nonexistent path name.
III. Impact
A remote attacker that can cause a sandboxed process (for instance, a
web server) to look up a large number of nonexistent path names can
cause memory exhaustion.
IV. Workaround
Systems that do not have Capsicum enabled or do not run services that
use Capsicum are not vulnerable.
On systems that have Capsicum compiled into the kernel, it can be
disabled by executing the following command as root:
# sysctl kern.features.security_capabilities=0
Services that use Capsicum are usually able to run without it, albeit
with reduced security.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 9.x]
# fetch http://security.FreeBSD.org/patches/SA-14:22/namei-9.patch
# fetch http://security.FreeBSD.org/patches/SA-14:22/namei-9.patch.asc
# gpg --verify namei-9.patch.asc
[FreeBSD 10.x]
# fetch http://security.FreeBSD.org/patches/SA-14:22/namei-10.patch
# fetch http://security.FreeBSD.org/patches/SA-14:22/namei-10.patch.asc
# gpg --verify namei-10.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r273412
releng/9.1/ r273415
releng/9.2/ r273415
releng/9.3/ r273415
stable/10/ r273411
releng/10.0/ r273415
releng/10.1/ r273414
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3711>
The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:22.namei.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJURsStAAoJEO1n7NZdz2rnoMoQAIuqKpDLi+sGXnWUQeYGPEZH
OqwkK9ZbvEiNDAeol03FvxfTg8LzI4OtzkceFDy7KWUTNUN3HnGq1MhFLo+s5r7x
KtJVIzKgitZVh/1ikr6+DObpuwVHQfdKws6NKqCssqOknDIcNhNG97B1wl/QwnDX
3/BmAWFYaf6+AG0+vQhxUBTuP9keu8DlpBJ4eEbhRqVCSuo6enJ4uTQXOet7lEOR
loGqhuMJB265qi2e/vkcnXnOrd6eGQ9vkVJTS0jKmKF3VG8HTcUmUvwLAGeqmTuV
LIJVpSaFgDX7BuG0tUhwmtmql4+ROU6tyHVWBAmVcSNTRgy9L/It/BdG0slNdVVq
2OG0ApKCQIukfK6xtz7adgxRYvClzVZZmyjEPzu0MGs/imdEpfgsUap9yrPhHyoe
KM98VaKtzz2e09KxoAxAezgioDCv5rLZnaX8IqBlFft3BvfPP7TPbKrPvvmETu4P
/4nthuEFE4jl9xyVINaHdKW9gVAOP44OAj+HlxvNxn4llkrA2v4Zbc3mjukK0ZEx
OKz++lf7SmfTPI1lD+oN6FJRWEkK0YnVytsw8taHYlqDYdxaL+OB60B+Ko2JoqpL
AROBT2tp9j/NsG46CgDFqA7oV5JWe/Kk67VrkOs8BL6nplKVD9M5m4XDyakn9wkk
PA3J/dN5bSd7VIxYExZD
=MO7y
-----END PGP SIGNATURE-----

193
share/security/advisories/FreeBSD-SA-14:23.openssl.asc Normal file
View file

@ -0,0 +1,193 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-14:23.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL multiple vulnerabilities
Category: contrib
Module: openssl
Announced: 2014-10-21
Affects: All supported versions of FreeBSD.
Corrected: 2014-10-15 19:59:43 UTC (stable/10, 10.1-PRERELEASE)
2014-10-21 19:00:32 UTC (releng/10.1, 10.1-RC3)
2014-10-21 19:00:32 UTC (releng/10.1, 10.1-RC2-p1)
2014-10-21 19:00:32 UTC (releng/10.1, 10.1-RC1-p1)
2014-10-21 19:00:32 UTC (releng/10.1, 10.1-BETA3-p1)
2014-10-21 20:21:10 UTC (releng/10.0, 10.0-RELEASE-p10)
2014-10-15 20:28:31 UTC (stable/9, 9.3-STABLE)
2014-10-21 20:21:10 UTC (releng/9.3, 9.3-RELEASE-p3)
2014-10-21 20:21:10 UTC (releng/9.2, 9.2-RELEASE-p13)
2014-10-21 20:21:10 UTC (releng/9.1, 9.1-RELEASE-p20)
2014-10-15 20:28:31 UTC (stable/8, 8.4-STABLE)
2014-10-21 20:21:27 UTC (releng/8.4, 8.4-RELEASE-p17)
CVE Name: CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, CVE-2014-3568
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.
II. Problem Description
A flaw in the DTLS SRTP extension parsing code allows an attacker, who
sends a carefully crafted handshake message, to cause OpenSSL to fail
to free up to 64k of memory causing a memory leak. [CVE-2014-3513].
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. [CVE-2014-3567].
The SSL protocol 3.0, as supported in OpenSSL and other products, supports
CBC mode encryption where it could not adequately check the integrity of
padding, because of the use of non-deterministic CBC padding. This
protocol weakness makes it possible for an attacker to obtain clear text
data through a padding-oracle attack.
Some client applications (such as browsers) will reconnect using a
downgraded protocol to work around interoperability bugs in older
servers. This could be exploited by an active man-in-the-middle to
downgrade connections to SSL 3.0 even if both sides of the connection
support higher protocols. SSL 3.0 contains a number of weaknesses
including POODLE [CVE-2014-3566].
OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications
to block the ability for a MITM attacker to force a protocol downgrade.
When OpenSSL is configured with "no-ssl3" as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them. [CVE-2014-3568].
III. Impact
A remote attacker can cause Denial of Service with OpenSSL 1.0.1
server implementations for both SSL/TLS and DTLS regardless of
whether SRTP is used or configured. [CVE-2014-3513]
By sending a large number of invalid session tickets an attacker
could exploit this issue in a Denial Of Service attack.
[CVE-2014-3567].
An active man-in-the-middle attacker can force a protocol downgrade
to SSLv3 and exploit the weakness of SSLv3 to obtain clear text data
from the connection. [CVE-2014-3566] [CVE-2014-3568]
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 10.0]
# fetch http://security.FreeBSD.org/patches/SA-14:23/openssl-10.0.patch
# fetch http://security.FreeBSD.org/patches/SA-14:23/openssl-10.0.patch.asc
# gpg --verify openssl-10.0.patch.asc
[FreeBSD 9.3]
# fetch http://security.FreeBSD.org/patches/SA-14:23/openssl-9.3.patch
# fetch http://security.FreeBSD.org/patches/SA-14:23/openssl-9.3.patch.asc
# gpg --verify openssl-9.3.patch.asc
[FreeBSD 8.4, 9.1 and 9.2]
# fetch http://security.FreeBSD.org/patches/SA-14:23/openssl-8.4.patch
# fetch http://security.FreeBSD.org/patches/SA-14:23/openssl-8.4.patch.asc
# gpg --verify openssl-8.4.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
Restart all deamons using the library, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r273151
releng/8.4/ r273416
stable/9/ r273151
releng/9.1/ r273415
releng/9.2/ r273415
releng/9.3/ r273415
stable/10/ r273149
releng/10.0/ r273415
releng/10.1/ r273399
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3568>
The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:23.openssl.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJURsSwAAoJEO1n7NZdz2rn3ekQANG9DnAGJq/yAXXtX4wdeP08
Ep35L3dkxJsthoqJhn7fc/pra5SZ5iS7NCRHdh5Xn1dsxRiOsffYt9zanWyTOgj+
RQy9jiNp0oIWQEkxZVoHMIKn6VeQk1I2llSXyERANjeDtKX6GV2gV+Zd4tcExW4T
Nn9jVHgkDL/doxJ3C1K0BrkdoEEwyPohAf8WLAg6ZKRm3Pys1Ewjm6fPBPtKUIEu
zWFruP5xFz3rM6i/4zcihj7b4BuIKtUBgHf28rgf0I3TKZTr75Xr9h4q/8ZG4H0G
Lk/1OoZTiMyjlBLufpTlCOdODjz7ORzDLif47Zyt52iZowq1hl4WO7Xo/C/kPUmG
o631wsLmO9tPS2Z0TmIQm1fwjlTvIZefZAlMpa1lDwnwZx2hRsu9TzauACdSbuWx
9i+e8/CSMEsr0qJo8KXjltpV9siULhkvl9xr3PwxMfvHFjGUAuur2zHUoTQZTpy0
nKJJXSs3kIW/4ivLMDuDYijdVnf4hrih6GTKEND6aNXtyXitiFK8J4a/q0T4BBnh
89A2QUFVeeDPmf7jzMh824s8W2uoPFGJqHgdtqv1bLT29rqh5ya/5zi7sci6Q/Mk
ov0U8X3Pwun7iwJDeYG6N38lUSdMqImHR12Ay7pOY04i4qau4Yf8B26lwcMk/HrU
cZ84y1sCp0qHtTqKuak9
=ywze
-----END PGP SIGNATURE-----

14
share/security/patches/SA-14:20/rtsold.patch Normal file
View file

@ -0,0 +1,14 @@
Index: usr.sbin/rtsold/rtsol.c
===================================================================
--- usr.sbin/rtsold/rtsol.c.orig
+++ usr.sbin/rtsold/rtsol.c
@@ -933,7 +933,8 @@
dst_origin = dst;
memset(dst, '\0', dlen);
while (src && (len = (uint8_t)(*src++) & 0x3f) &&
- (src + len) <= src_last) {
+ (src + len) <= src_last &&
+ (dst - dst_origin < (ssize_t)dlen)) {
if (dst != dst_origin)
*dst++ = '.';
warnmsg(LOG_DEBUG, __func__, "labellen = %zd", len);

17
share/security/patches/SA-14:20/rtsold.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJURsQSAAoJEO1n7NZdz2rnmGoQAJz5xZjKbFt1RrArI+K7pF2E
qJ9V1trv6ltofAYF74m9BIrYJBodB7s+lwd+qIIfawd5wAK7eKvYtow8izloszP7
+f2Yl3AfXwqsJbStYfi+2OGqqYS/ruGOHRnCicILdHi2I2kH4L1/tUMiQbSe+oIj
Ro6sT236c2A1khmqChtTotaoNmFT4yyF1/wRqo0sFYu/LPav+hH3VysPTzejAIun
oLdXPe5ENKyqiMT8ikzB2NR2y4tk6a01iDBqeGjiyxo920uQBq176mAACFKzOAty
IXwWAOnomCSQBETNgl7pYcgR6hzpVEFAO/PtJjVBh/z2U1FyVfeYslGt8B6S7pUh
gBj68821d2jq56P4dKPsKQKJ8MORAZ+UcwnFqjFXF+op4ArM+9nA+MfuDUSdmBTx
j1DqhxRbH8E0v36hv+/a+LT5JZtqt0iGfAdmujjdo4kehjo5woYHd32scX5ezXrt
oq1GCckL7HACWd0cILo8CKoPTxzjr2VR3qfXqyekSDQgXXh9r+y11mmP6LwpVHa0
LjrbNtkNUoixYPozk0JMjaZ16Ie9/r4a+cUiacrJSTpSQyLucP8CJNoj5oUEac5L
l9GwgWGr8ipjeOdd0e81UmWbEZT5pdMokpW5Z31ZjIIpvnJRah8p77KE1IVnK56L
0lgyNXhm+wD9SaO7DM52
=l7Mg
-----END PGP SIGNATURE-----

15
share/security/patches/SA-14:21/routed.patch Normal file
View file

@ -0,0 +1,15 @@
Index: sbin/routed/input.c
===================================================================
--- sbin/routed/input.c.orig
+++ sbin/routed/input.c
@@ -288,6 +288,10 @@
/* Answer a query from a utility program
* with all we know.
*/
+ if (aifp == NULL) {
+ trace_pkt("ignore remote query");
+ return;
+ }
if (from->sin_port != htons(RIP_PORT)) {
supply(from, aifp, OUT_QUERY, 0,
rip->rip_vers, ap != 0);

17
share/security/patches/SA-14:21/routed.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJURsQVAAoJEO1n7NZdz2rnWtYP/2w38OHA+dJXuXZIV0Pf1dly
6u3hpDY17pFmLfeqGB56PXZ/LhXfbFTcu9b5oNyyQpSM280gipdpsryIZ+BU1zqY
dqf+NfTLIBHUgY+wJjxpPmh5c3ofdhSBJcoC3NMNruz/f5goZ/0yJ2suI0lff6G5
NkKs2IiFY/pfRaAxOMA63sGSVUcEzSH3GK4VeP8YpCXu0rIYjLpZJKBls/vdROMV
1YujzgdLPX7bDwClAvt0M0phfkuzt/sE/PNtMhSbFwumhkxFx8HH3pJwBABTR49h
afYvBogdV+lT4+mQV4dl+vXBgl5vT3oydOfzjlfSSXIhBQxmhnWb/vxF9vt5U6xK
5M8mhpuaYNqxq/+O3X/P/OI1eKE6f6k1ohuldHY+q2HTiCAFtaIViT1sKl4BenVQ
nDPhHx9kSNHKqc5HWwiW6jL4hlWhVXMPLTZ0EB2yoUBfbsIXiZL4/vXydjayNzOK
Q5+ke9C1khOTZ9Rw2f/BVB6s37KC5UwzinKBFuRtOnkDuKrkY9unke0fyuJ+qWK6
Vnz1bOy0y1l8fkB7sPM06IEodQUbK6E3338aYAsbWYxAm8+Vol4F+KY7hPEqHFZf
Cp8WcPQLOuYKCT3ZR1M045c4YwsnQjK648LzwrRVSVMGXzMeCJARreFT2ic8eY5X
YTokboyN50+mxMLU7EW5
=iu3B
-----END PGP SIGNATURE-----

94
share/security/patches/SA-14:22/namei-10.patch Normal file
View file

@ -0,0 +1,94 @@
Index: sys/kern/vfs_lookup.c
===================================================================
--- sys/kern/vfs_lookup.c (revision 273277)
+++ sys/kern/vfs_lookup.c (working copy)
@@ -121,6 +121,16 @@
* if symbolic link, massage name in buffer and continue
* }
*/
+static void
+namei_cleanup_cnp(struct componentname *cnp)
+{
+ uma_zfree(namei_zone, cnp->cn_pnbuf);
+#ifdef DIAGNOSTIC
+ cnp->cn_pnbuf = NULL;
+ cnp->cn_nameptr = NULL;
+#endif
+}
+
int
namei(struct nameidata *ndp)
{
@@ -185,11 +195,7 @@
}
#endif
if (error) {
- uma_zfree(namei_zone, cnp->cn_pnbuf);
-#ifdef DIAGNOSTIC
- cnp->cn_pnbuf = NULL;
- cnp->cn_nameptr = NULL;
-#endif
+ namei_cleanup_cnp(cnp);
ndp->ni_vp = NULL;
return (error);
}
@@ -256,11 +262,7 @@
}
}
if (error) {
- uma_zfree(namei_zone, cnp->cn_pnbuf);
-#ifdef DIAGNOSTIC
- cnp->cn_pnbuf = NULL;
- cnp->cn_nameptr = NULL;
-#endif
+ namei_cleanup_cnp(cnp);
return (error);
}
}
@@ -286,6 +288,7 @@
if (KTRPOINT(curthread, KTR_CAPFAIL))
ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL);
#endif
+ namei_cleanup_cnp(cnp);
return (ENOTCAPABLE);
}
while (*(cnp->cn_nameptr) == '/') {
@@ -298,11 +301,7 @@
ndp->ni_startdir = dp;
error = lookup(ndp);
if (error) {
- uma_zfree(namei_zone, cnp->cn_pnbuf);
-#ifdef DIAGNOSTIC
- cnp->cn_pnbuf = NULL;
- cnp->cn_nameptr = NULL;
-#endif
+ namei_cleanup_cnp(cnp);
SDT_PROBE(vfs, namei, lookup, return, error, NULL, 0,
0, 0);
return (error);
@@ -312,11 +311,7 @@
*/
if ((cnp->cn_flags & ISSYMLINK) == 0) {
if ((cnp->cn_flags & (SAVENAME | SAVESTART)) == 0) {
- uma_zfree(namei_zone, cnp->cn_pnbuf);
-#ifdef DIAGNOSTIC
- cnp->cn_pnbuf = NULL;
- cnp->cn_nameptr = NULL;
-#endif
+ namei_cleanup_cnp(cnp);
} else
cnp->cn_flags |= HASBUF;
@@ -378,11 +373,7 @@
vput(ndp->ni_vp);
dp = ndp->ni_dvp;
}
- uma_zfree(namei_zone, cnp->cn_pnbuf);
-#ifdef DIAGNOSTIC
- cnp->cn_pnbuf = NULL;
- cnp->cn_nameptr = NULL;
-#endif
+ namei_cleanup_cnp(cnp);
vput(ndp->ni_vp);
ndp->ni_vp = NULL;
vrele(ndp->ni_dvp);

17
share/security/patches/SA-14:22/namei-10.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJURsQYAAoJEO1n7NZdz2rndqIP/2KOMzeRy8OgxKuM634A88au
yoK6vBzkShyGaW/HrOQxdz6+5WElnrIgoeb+MZ2jA8IFo97SYwOS19ygBJrknDvn
u1XSwmZ3szDj/S70oOqbmKFFabP8fjIEhaHFa/OHakvv6KfcQdRIR7paLZc4ofGQ
Vq/Zoo+v2OO88Ais6Zkty70l4ZGcnBWpglp8j9qn+0J5tJwdt3raI52KHS+LKIWs
tP8MRxGf0GPQhuD2BI1Oh+XdETCxgF4yHav68eOAaJkjOi+ZHrhyXbnPMxTkkX1R
G6rOOYVdsJR+YpllWJowSgOB3M/HnkOKovalM2r0CtEn77rjsPK6cUBBqfdlSJAk
L42S85p7guE+oEZ0CwpdX8inKPwX5YjbRVpikQoNIPKjWak/+m2adq7sii455fJ0
yNYNb24CnOS4wiBeqbUOkAYiLplxDhmR6TbqeklaD76rEopuf8bdO04OmUPFVWkG
4uin6TIXHvtCknOEZWGnTaA00nDJoHqnlU5F5AGB1x1wJIal7zwarRfw/U3sI5uV
hZoF5iiPH7OOYy5T9p78aYvbAyyl0W4CzLlMp1HM/c/KWoxAMXTquejfDggqsUvR
abNT5XjSjw5+MA66ArZsv16SQUIedW5J8iqOsW/Fy8OXRLKJupfMHdoB8ofJ+1zF
EPc5P5t949W1/E6GZDAk
=aaVY
-----END PGP SIGNATURE-----

98
share/security/patches/SA-14:22/namei-9.patch Normal file
View file

@ -0,0 +1,98 @@
Index: sys/kern/vfs_lookup.c
===================================================================
--- sys/kern/vfs_lookup.c.orig
+++ sys/kern/vfs_lookup.c
@@ -121,6 +121,16 @@
* if symbolic link, massage name in buffer and continue
* }
*/
+static void
+namei_cleanup_cnp(struct componentname *cnp)
+{
+ uma_zfree(namei_zone, cnp->cn_pnbuf);
+#ifdef DIAGNOSTIC
+ cnp->cn_pnbuf = NULL;
+ cnp->cn_nameptr = NULL;
+#endif
+}
+
int
namei(struct nameidata *ndp)
{
@@ -182,11 +192,7 @@
}
#endif
if (error) {
- uma_zfree(namei_zone, cnp->cn_pnbuf);
-#ifdef DIAGNOSTIC
- cnp->cn_pnbuf = NULL;
- cnp->cn_nameptr = NULL;
-#endif
+ namei_cleanup_cnp(cnp);
ndp->ni_vp = NULL;
return (error);
}
@@ -248,11 +254,7 @@
}
}
if (error) {
- uma_zfree(namei_zone, cnp->cn_pnbuf);
-#ifdef DIAGNOSTIC
- cnp->cn_pnbuf = NULL;
- cnp->cn_nameptr = NULL;
-#endif
+ namei_cleanup_cnp(cnp);
return (error);
}
}
@@ -278,8 +280,10 @@
if (*(cnp->cn_nameptr) == '/') {
vrele(dp);
VFS_UNLOCK_GIANT(vfslocked);
- if (ndp->ni_strictrelative != 0)
+ if (ndp->ni_strictrelative != 0) {
+ namei_cleanup_cnp(cnp);
return (ENOTCAPABLE);
+ }
while (*(cnp->cn_nameptr) == '/') {
cnp->cn_nameptr++;
ndp->ni_pathlen--;
@@ -293,11 +297,7 @@
ndp->ni_startdir = dp;
error = lookup(ndp);
if (error) {
- uma_zfree(namei_zone, cnp->cn_pnbuf);
-#ifdef DIAGNOSTIC
- cnp->cn_pnbuf = NULL;
- cnp->cn_nameptr = NULL;
-#endif
+ namei_cleanup_cnp(cnp);
SDT_PROBE(vfs, namei, lookup, return, error, NULL, 0,
0, 0);
return (error);
@@ -309,11 +309,7 @@
*/
if ((cnp->cn_flags & ISSYMLINK) == 0) {
if ((cnp->cn_flags & (SAVENAME | SAVESTART)) == 0) {
- uma_zfree(namei_zone, cnp->cn_pnbuf);
-#ifdef DIAGNOSTIC
- cnp->cn_pnbuf = NULL;
- cnp->cn_nameptr = NULL;
-#endif
+ namei_cleanup_cnp(cnp);
} else
cnp->cn_flags |= HASBUF;
@@ -379,11 +375,7 @@
vput(ndp->ni_vp);
dp = ndp->ni_dvp;
}
- uma_zfree(namei_zone, cnp->cn_pnbuf);
-#ifdef DIAGNOSTIC
- cnp->cn_pnbuf = NULL;
- cnp->cn_nameptr = NULL;
-#endif
+ namei_cleanup_cnp(cnp);
vput(ndp->ni_vp);
ndp->ni_vp = NULL;
vrele(ndp->ni_dvp);

17
share/security/patches/SA-14:22/namei-9.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJURsQbAAoJEO1n7NZdz2rn7+YQAKhyf2yhQ+9oppNCmzuaFuFC
XzswwLhQwCUj8J7mkKtDHlhQuAO4Cmr/MEN37CFpvx5u9w4dnhCIuvKPICRju0bN
+KJoM/R/Szapx2x4Ntc0ld+qDH1CuECF3Vpm4A4d5x6I8rTggYAiIx70UTHMyzPs
xj9m9CKB2xpt6jZvz85a3eq/PW1A9qCumGX6da6Bo2NAO0sImpjlEiRzqmrmKKYZ
5wk1L1K71dPMo6TaRw234gMRYhhSn5GG7akRRWiB37UuJNC+Y8KwqinbG4eAXSiY
KFPkSqWPvdjLzpfGBaQTYpJvzm0Dzbwf7pjfOOLVOWfjqfMF/zn9huDMFIwtNFg6
mPg7pBK3eXz4X6p+roeImdiFKV/RVZ6IzwS5ND6uMgTk3WdrwITjfjxxXEwR423X
/olyNl+8WP3AkLn/7lE0h9l+ZDwX2cwHIEeiD3ZDUb9OAPDKO9Ip+rdN2Wgxr2PT
wTltlTKnGB1FICFY5Vw5nL8QbiRmyZ3AxxM+DJveaFPBDRYyNXLQCUpDrPXE/OOm
7ic6FWErhNJcRWR+ONzoasZgeDeggfez6IS0MzSXPTPRoERrYNwGAWcKznXzfNiw
kJPQQaKEz1FOjVD3DoPwiO6Tno/810/h+T6exy1aEr8XMe0xyangdC8fPwLP5ndh
g6mtkXNvEcgWWQU9cijX
=74vQ
-----END PGP SIGNATURE-----

717
share/security/patches/SA-14:23/openssl-10.0.patch Normal file
View file

@ -0,0 +1,717 @@
Index: crypto/openssl/apps/s_client.c
===================================================================
--- crypto/openssl/apps/s_client.c (revision 273303)
+++ crypto/openssl/apps/s_client.c (working copy)
@@ -335,6 +335,7 @@ static void sc_usage(void)
BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n");
BIO_printf(bio_err," -tls1 - just use TLSv1\n");
BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
+ BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n");
BIO_printf(bio_err," -mtu - set the link layer MTU\n");
BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
@@ -615,6 +616,7 @@ int MAIN(int argc, char **argv)
char *sess_out = NULL;
struct sockaddr peer;
int peerlen = sizeof(peer);
+ int fallback_scsv = 0;
int enable_timeouts = 0 ;
long socket_mtu = 0;
#ifndef OPENSSL_NO_JPAKE
@@ -821,6 +823,10 @@ int MAIN(int argc, char **argv)
meth=DTLSv1_client_method();
socket_type=SOCK_DGRAM;
}
+ else if (strcmp(*argv,"-fallback_scsv") == 0)
+ {
+ fallback_scsv = 1;
+ }
else if (strcmp(*argv,"-timeout") == 0)
enable_timeouts=1;
else if (strcmp(*argv,"-mtu") == 0)
@@ -1233,6 +1239,10 @@ bad:
SSL_set_session(con, sess);
SSL_SESSION_free(sess);
}
+
+ if (fallback_scsv)
+ SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);
+
#ifndef OPENSSL_NO_TLSEXT
if (servername != NULL)
{
Index: crypto/openssl/ssl/d1_lib.c
===================================================================
--- crypto/openssl/ssl/d1_lib.c (revision 273303)
+++ crypto/openssl/ssl/d1_lib.c (working copy)
@@ -262,6 +262,16 @@ long dtls1_ctrl(SSL *s, int cmd, long larg, void *
case DTLS_CTRL_LISTEN:
ret = dtls1_listen(s, parg);
break;
+ case SSL_CTRL_CHECK_PROTO_VERSION:
+ /* For library-internal use; checks that the current protocol
+ * is the highest enabled version (according to s->ctx->method,
+ * as version negotiation may have changed s->method). */
+#if DTLS_MAX_VERSION != DTLS1_VERSION
+# error Code needs update for DTLS_method() support beyond DTLS1_VERSION.
+#endif
+ /* Just one protocol version is supported so far;
+ * fail closed if the version is not as expected. */
+ return s->version == DTLS_MAX_VERSION;
default:
ret = ssl3_ctrl(s, cmd, larg, parg);
Index: crypto/openssl/ssl/d1_srtp.c
===================================================================
--- crypto/openssl/ssl/d1_srtp.c (revision 273303)
+++ crypto/openssl/ssl/d1_srtp.c (working copy)
@@ -168,25 +168,6 @@ static int find_profile_by_name(char *profile_name
return 1;
}
-static int find_profile_by_num(unsigned profile_num,
- SRTP_PROTECTION_PROFILE **pptr)
- {
- SRTP_PROTECTION_PROFILE *p;
-
- p=srtp_known_profiles;
- while(p->name)
- {
- if(p->id == profile_num)
- {
- *pptr=p;
- return 0;
- }
- p++;
- }
-
- return 1;
- }
-
static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTECTION_PROFILE) **out)
{
STACK_OF(SRTP_PROTECTION_PROFILE) *profiles;
@@ -209,11 +190,19 @@ static int ssl_ctx_make_profiles(const char *profi
if(!find_profile_by_name(ptr,&p,
col ? col-ptr : (int)strlen(ptr)))
{
+ if (sk_SRTP_PROTECTION_PROFILE_find(profiles,p) >= 0)
+ {
+ SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
+ sk_SRTP_PROTECTION_PROFILE_free(profiles);
+ return 1;
+ }
+
sk_SRTP_PROTECTION_PROFILE_push(profiles,p);
}
else
{
SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
+ sk_SRTP_PROTECTION_PROFILE_free(profiles);
return 1;
}
@@ -305,13 +294,12 @@ int ssl_add_clienthello_use_srtp_ext(SSL *s, unsig
int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al)
{
- SRTP_PROTECTION_PROFILE *cprof,*sprof;
- STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0,*srvr;
+ SRTP_PROTECTION_PROFILE *sprof;
+ STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
int ct;
int mki_len;
- int i,j;
- int id;
- int ret;
+ int i, srtp_pref;
+ unsigned int id;
/* Length value + the MKI length */
if(len < 3)
@@ -341,9 +329,11 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, uns
return 1;
}
+ srvr=SSL_get_srtp_profiles(s);
+ s->srtp_profile = NULL;
+ /* Search all profiles for a match initially */
+ srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
- clnt=sk_SRTP_PROTECTION_PROFILE_new_null();
-
while(ct)
{
n2s(d,id);
@@ -350,14 +340,22 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, uns
ct-=2;
len-=2;
- if(!find_profile_by_num(id,&cprof))
+ /*
+ * Only look for match in profiles of higher preference than
+ * current match.
+ * If no profiles have been have been configured then this
+ * does nothing.
+ */
+ for (i = 0; i < srtp_pref; i++)
{
- sk_SRTP_PROTECTION_PROFILE_push(clnt,cprof);
+ sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
+ if (sprof->id == id)
+ {
+ s->srtp_profile = sprof;
+ srtp_pref = i;
+ break;
+ }
}
- else
- {
- ; /* Ignore */
- }
}
/* Now extract the MKI value as a sanity check, but discard it for now */
@@ -371,36 +369,7 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, uns
return 1;
}
- srvr=SSL_get_srtp_profiles(s);
-
- /* Pick our most preferred profile. If no profiles have been
- configured then the outer loop doesn't run
- (sk_SRTP_PROTECTION_PROFILE_num() = -1)
- and so we just return without doing anything */
- for(i=0;i<sk_SRTP_PROTECTION_PROFILE_num(srvr);i++)
- {
- sprof=sk_SRTP_PROTECTION_PROFILE_value(srvr,i);
-
- for(j=0;j<sk_SRTP_PROTECTION_PROFILE_num(clnt);j++)
- {
- cprof=sk_SRTP_PROTECTION_PROFILE_value(clnt,j);
-
- if(cprof->id==sprof->id)
- {
- s->srtp_profile=sprof;
- *al=0;
- ret=0;
- goto done;
- }
- }
- }
-
- ret=0;
-
-done:
- if(clnt) sk_SRTP_PROTECTION_PROFILE_free(clnt);
-
- return ret;
+ return 0;
}
int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
Index: crypto/openssl/ssl/dtls1.h
===================================================================
--- crypto/openssl/ssl/dtls1.h (revision 273303)
+++ crypto/openssl/ssl/dtls1.h (working copy)
@@ -84,6 +84,8 @@ extern "C" {
#endif
#define DTLS1_VERSION 0xFEFF
+#define DTLS_MAX_VERSION DTLS1_VERSION
+
#define DTLS1_BAD_VER 0x0100
#if 0
@@ -284,4 +286,3 @@ typedef struct dtls1_record_data_st
}
#endif
#endif
-
Index: crypto/openssl/ssl/s23_clnt.c
===================================================================
--- crypto/openssl/ssl/s23_clnt.c (revision 273303)
+++ crypto/openssl/ssl/s23_clnt.c (working copy)
@@ -125,9 +125,11 @@ static const SSL_METHOD *ssl23_get_client_method(i
if (ver == SSL2_VERSION)
return(SSLv2_client_method());
#endif
+#ifndef OPENSSL_NO_SSL3
if (ver == SSL3_VERSION)
return(SSLv3_client_method());
- else if (ver == TLS1_VERSION)
+#endif
+ if (ver == TLS1_VERSION)
return(TLSv1_client_method());
else if (ver == TLS1_1_VERSION)
return(TLSv1_1_client_method());
@@ -677,6 +679,7 @@ static int ssl23_get_server_hello(SSL *s)
{
/* we have sslv3 or tls1 (server hello or alert) */
+#ifndef OPENSSL_NO_SSL3
if ((p[2] == SSL3_VERSION_MINOR) &&
!(s->options & SSL_OP_NO_SSLv3))
{
@@ -691,7 +694,9 @@ static int ssl23_get_server_hello(SSL *s)
s->version=SSL3_VERSION;
s->method=SSLv3_client_method();
}
- else if ((p[2] == TLS1_VERSION_MINOR) &&
+ else
+#endif
+ if ((p[2] == TLS1_VERSION_MINOR) &&
!(s->options & SSL_OP_NO_TLSv1))
{
s->version=TLS1_VERSION;
@@ -715,6 +720,9 @@ static int ssl23_get_server_hello(SSL *s)
goto err;
}
+ /* ensure that TLS_MAX_VERSION is up-to-date */
+ OPENSSL_assert(s->version <= TLS_MAX_VERSION);
+
if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING)
{
/* fatal alert */
Index: crypto/openssl/ssl/s23_srvr.c
===================================================================
--- crypto/openssl/ssl/s23_srvr.c (revision 273303)
+++ crypto/openssl/ssl/s23_srvr.c (working copy)
@@ -127,9 +127,11 @@ static const SSL_METHOD *ssl23_get_server_method(i
if (ver == SSL2_VERSION)
return(SSLv2_server_method());
#endif
+#ifndef OPENSSL_NO_SSL3
if (ver == SSL3_VERSION)
return(SSLv3_server_method());
- else if (ver == TLS1_VERSION)
+#endif
+ if (ver == TLS1_VERSION)
return(TLSv1_server_method());
else if (ver == TLS1_1_VERSION)
return(TLSv1_1_server_method());
@@ -421,6 +423,9 @@ int ssl23_get_client_hello(SSL *s)
}
}
+ /* ensure that TLS_MAX_VERSION is up-to-date */
+ OPENSSL_assert(s->version <= TLS_MAX_VERSION);
+
#ifdef OPENSSL_FIPS
if (FIPS_mode() && (s->version < TLS1_VERSION))
{
@@ -597,6 +602,12 @@ int ssl23_get_client_hello(SSL *s)
if ((type == 2) || (type == 3))
{
/* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
+ s->method = ssl23_get_server_method(s->version);
+ if (s->method == NULL)
+ {
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
+ goto err;
+ }
if (!ssl_init_wbio_buffer(s,1)) goto err;
@@ -624,14 +635,6 @@ int ssl23_get_client_hello(SSL *s)
s->s3->rbuf.left=0;
s->s3->rbuf.offset=0;
}
- if (s->version == TLS1_2_VERSION)
- s->method = TLSv1_2_server_method();
- else if (s->version == TLS1_1_VERSION)
- s->method = TLSv1_1_server_method();
- else if (s->version == TLS1_VERSION)
- s->method = TLSv1_server_method();
- else
- s->method = SSLv3_server_method();
#if 0 /* ssl3_get_client_hello does this */
s->client_version=(v[0]<<8)|v[1];
#endif
Index: crypto/openssl/ssl/s2_lib.c
===================================================================
--- crypto/openssl/ssl/s2_lib.c (revision 273303)
+++ crypto/openssl/ssl/s2_lib.c (working copy)
@@ -391,6 +391,8 @@ long ssl2_ctrl(SSL *s, int cmd, long larg, void *p
case SSL_CTRL_GET_SESSION_REUSED:
ret=s->hit;
break;
+ case SSL_CTRL_CHECK_PROTO_VERSION:
+ return ssl3_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, larg, parg);
default:
break;
}
@@ -437,7 +439,7 @@ int ssl2_put_cipher_by_char(const SSL_CIPHER *c, u
if (p != NULL)
{
l=c->id;
- if ((l & 0xff000000) != 0x02000000) return(0);
+ if ((l & 0xff000000) != 0x02000000 && l != SSL3_CK_FALLBACK_SCSV) return(0);
p[0]=((unsigned char)(l>>16L))&0xFF;
p[1]=((unsigned char)(l>> 8L))&0xFF;
p[2]=((unsigned char)(l ))&0xFF;
Index: crypto/openssl/ssl/s3_enc.c
===================================================================
--- crypto/openssl/ssl/s3_enc.c (revision 273303)
+++ crypto/openssl/ssl/s3_enc.c (working copy)
@@ -892,7 +892,7 @@ int ssl3_alert_code(int code)
case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(SSL3_AD_HANDSHAKE_FAILURE);
case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(SSL3_AD_HANDSHAKE_FAILURE);
case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
+ case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK);
default: return(-1);
}
}
-
Index: crypto/openssl/ssl/s3_lib.c
===================================================================
--- crypto/openssl/ssl/s3_lib.c (revision 273303)
+++ crypto/openssl/ssl/s3_lib.c (working copy)
@@ -3350,6 +3350,33 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *p
#endif
#endif /* !OPENSSL_NO_TLSEXT */
+
+ case SSL_CTRL_CHECK_PROTO_VERSION:
+ /* For library-internal use; checks that the current protocol
+ * is the highest enabled version (according to s->ctx->method,
+ * as version negotiation may have changed s->method). */
+ if (s->version == s->ctx->method->version)
+ return 1;
+ /* Apparently we're using a version-flexible SSL_METHOD
+ * (not at its highest protocol version). */
+ if (s->ctx->method->version == SSLv23_method()->version)
+ {
+#if TLS_MAX_VERSION != TLS1_2_VERSION
+# error Code needs update for SSLv23_method() support beyond TLS1_2_VERSION.
+#endif
+ if (!(s->options & SSL_OP_NO_TLSv1_2))
+ return s->version == TLS1_2_VERSION;
+ if (!(s->options & SSL_OP_NO_TLSv1_1))
+ return s->version == TLS1_1_VERSION;
+ if (!(s->options & SSL_OP_NO_TLSv1))
+ return s->version == TLS1_VERSION;
+ if (!(s->options & SSL_OP_NO_SSLv3))
+ return s->version == SSL3_VERSION;
+ if (!(s->options & SSL_OP_NO_SSLv2))
+ return s->version == SSL2_VERSION;
+ }
+ return 0; /* Unexpected state; fail closed. */
+
default:
break;
}
@@ -3709,6 +3736,7 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd,
break;
#endif
#endif
+
default:
return(0);
}
@@ -4279,4 +4307,3 @@ long ssl_get_algorithm2(SSL *s)
return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
return alg2;
}
-
Index: crypto/openssl/ssl/ssl.h
===================================================================
--- crypto/openssl/ssl/ssl.h (revision 273303)
+++ crypto/openssl/ssl/ssl.h (working copy)
@@ -642,6 +642,10 @@ struct ssl_session_st
* TLS only.) "Released" buffers are put onto a free-list in the context
* or just freed (depending on the context's setting for freelist_max_len). */
#define SSL_MODE_RELEASE_BUFFERS 0x00000010L
+/* Send TLS_FALLBACK_SCSV in the ClientHello.
+ * To be set by applications that reconnect with a downgraded protocol
+ * version; see draft-ietf-tls-downgrade-scsv-00 for details. */
+#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L
/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
* they cannot be used to clear bits. */
@@ -1500,6 +1504,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
#define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
#define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
+#define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */
#define SSL_ERROR_NONE 0
#define SSL_ERROR_SSL 1
@@ -1610,6 +1615,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
#define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82
#define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83
+#define SSL_CTRL_CHECK_PROTO_VERSION 119
+
#define DTLSv1_get_timeout(ssl, arg) \
SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
#define DTLSv1_handle_timeout(ssl) \
@@ -2364,6 +2371,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_HTTPS_PROXY_REQUEST 155
#define SSL_R_HTTP_REQUEST 156
#define SSL_R_ILLEGAL_PADDING 283
+#define SSL_R_INAPPROPRIATE_FALLBACK 373
#define SSL_R_INCONSISTENT_COMPRESSION 340
#define SSL_R_INVALID_CHALLENGE_LENGTH 158
#define SSL_R_INVALID_COMMAND 280
@@ -2510,6 +2518,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
#define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051
#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060
+#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086
#define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
#define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
#define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
Index: crypto/openssl/ssl/ssl3.h
===================================================================
--- crypto/openssl/ssl/ssl3.h (revision 273303)
+++ crypto/openssl/ssl/ssl3.h (working copy)
@@ -128,9 +128,14 @@
extern "C" {
#endif
-/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */
+/* Signalling cipher suite value from RFC 5746
+ * (TLS_EMPTY_RENEGOTIATION_INFO_SCSV) */
#define SSL3_CK_SCSV 0x030000FF
+/* Signalling cipher suite value from draft-ietf-tls-downgrade-scsv-00
+ * (TLS_FALLBACK_SCSV) */
+#define SSL3_CK_FALLBACK_SCSV 0x03005600
+
#define SSL3_CK_RSA_NULL_MD5 0x03000001
#define SSL3_CK_RSA_NULL_SHA 0x03000002
#define SSL3_CK_RSA_RC4_40_MD5 0x03000003
Index: crypto/openssl/ssl/ssl_err.c
===================================================================
--- crypto/openssl/ssl/ssl_err.c (revision 273303)
+++ crypto/openssl/ssl/ssl_err.c (working copy)
@@ -383,6 +383,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"},
{ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"},
{ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"},
+{ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK),"inappropriate fallback"},
{ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION),"inconsistent compression"},
{ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
{ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"},
@@ -529,6 +530,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"},
{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),"tlsv1 alert decrypt error"},
{ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),"tlsv1 alert export restriction"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),"tlsv1 alert inappropriate fallback"},
{ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),"tlsv1 alert insufficient security"},
{ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR),"tlsv1 alert internal error"},
{ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),"tlsv1 alert no renegotiation"},
Index: crypto/openssl/ssl/ssl_lib.c
===================================================================
--- crypto/openssl/ssl/ssl_lib.c (revision 273303)
+++ crypto/openssl/ssl/ssl_lib.c (working copy)
@@ -1383,6 +1383,8 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_C
if (sk == NULL) return(0);
q=p;
+ if (put_cb == NULL)
+ put_cb = s->method->put_cipher_by_char;
for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
{
@@ -1407,25 +1409,37 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_C
!(s->srp_ctx.srp_Mask & SSL_kSRP))
continue;
#endif /* OPENSSL_NO_SRP */
- j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
+ j = put_cb(c,p);
p+=j;
}
- /* If p == q, no ciphers and caller indicates an error. Otherwise
- * add SCSV if not renegotiating.
- */
- if (p != q && !s->renegotiate)
+ /* If p == q, no ciphers; caller indicates an error.
+ * Otherwise, add applicable SCSVs. */
+ if (p != q)
{
- static SSL_CIPHER scsv =
+ if (!s->renegotiate)
{
- 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
- };
- j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p);
- p+=j;
+ static SSL_CIPHER scsv =
+ {
+ 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
+ };
+ j = put_cb(&scsv,p);
+ p+=j;
#ifdef OPENSSL_RI_DEBUG
- fprintf(stderr, "SCSV sent by client\n");
+ fprintf(stderr, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n");
#endif
- }
+ }
+ if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV)
+ {
+ static SSL_CIPHER scsv =
+ {
+ 0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
+ };
+ j = put_cb(&scsv,p);
+ p+=j;
+ }
+ }
+
return(p-q);
}
@@ -1435,11 +1449,12 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL
const SSL_CIPHER *c;
STACK_OF(SSL_CIPHER) *sk;
int i,n;
+
if (s->s3)
s->s3->send_connection_binding = 0;
n=ssl_put_cipher_by_char(s,NULL,NULL);
- if ((num%n) != 0)
+ if (n == 0 || (num%n) != 0)
{
SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
return(NULL);
@@ -1454,7 +1469,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL
for (i=0; i<num; i+=n)
{
- /* Check for SCSV */
+ /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
if (s->s3 && (n != 3 || !p[0]) &&
(p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
(p[n-1] == (SSL3_CK_SCSV & 0xff)))
@@ -1474,6 +1489,23 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL
continue;
}
+ /* Check for TLS_FALLBACK_SCSV */
+ if ((n != 3 || !p[0]) &&
+ (p[n-2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) &&
+ (p[n-1] == (SSL3_CK_FALLBACK_SCSV & 0xff)))
+ {
+ /* The SCSV indicates that the client previously tried a higher version.
+ * Fail if the current version is an unexpected downgrade. */
+ if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL))
+ {
+ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_INAPPROPRIATE_FALLBACK);
+ if (s->s3)
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK);
+ goto err;
+ }
+ continue;
+ }
+
c=ssl_get_cipher_by_char(s,p);
p+=n;
if (c != NULL)
Index: crypto/openssl/ssl/t1_enc.c
===================================================================
--- crypto/openssl/ssl/t1_enc.c (revision 273303)
+++ crypto/openssl/ssl/t1_enc.c (working copy)
@@ -1243,6 +1243,7 @@ int tls1_alert_code(int code)
case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
+ case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK);
#if 0 /* not appropriate for TLS, not used for DTLS */
case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return
(DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
Index: crypto/openssl/ssl/t1_lib.c
===================================================================
--- crypto/openssl/ssl/t1_lib.c (revision 273303)
+++ crypto/openssl/ssl/t1_lib.c (working copy)
@@ -650,7 +650,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s,
#endif
#ifndef OPENSSL_NO_SRTP
- if(SSL_get_srtp_profiles(s))
+ if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
{
int el;
@@ -784,7 +784,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s,
#endif
#ifndef OPENSSL_NO_SRTP
- if(s->srtp_profile)
+ if(SSL_IS_DTLS(s) && s->srtp_profile)
{
int el;
@@ -1334,7 +1334,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned
/* session ticket processed earlier */
#ifndef OPENSSL_NO_SRTP
- else if (type == TLSEXT_TYPE_use_srtp)
+ else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
+ && type == TLSEXT_TYPE_use_srtp)
{
if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
al))
@@ -1589,7 +1590,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned
}
#endif
#ifndef OPENSSL_NO_SRTP
- else if (type == TLSEXT_TYPE_use_srtp)
+ else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
{
if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
al))
@@ -2238,7 +2239,10 @@ static int tls_decrypt_ticket(SSL *s, const unsign
HMAC_Final(&hctx, tick_hmac, NULL);
HMAC_CTX_cleanup(&hctx);
if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
+ {
+ EVP_CIPHER_CTX_cleanup(&ctx);
return 2;
+ }
/* Attempt to decrypt session data */
/* Move p after IV to start of encrypted ticket, update length */
p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
Index: crypto/openssl/ssl/tls1.h
===================================================================
--- crypto/openssl/ssl/tls1.h (revision 273303)
+++ crypto/openssl/ssl/tls1.h (working copy)
@@ -159,17 +159,19 @@ extern "C" {
#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0
+#define TLS1_VERSION 0x0301
+#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
-#define TLS1_2_VERSION_MAJOR 0x03
-#define TLS1_2_VERSION_MINOR 0x03
+#define TLS_MAX_VERSION TLS1_2_VERSION
-#define TLS1_1_VERSION 0x0302
+#define TLS1_VERSION_MAJOR 0x03
+#define TLS1_VERSION_MINOR 0x01
+
#define TLS1_1_VERSION_MAJOR 0x03
#define TLS1_1_VERSION_MINOR 0x02
-#define TLS1_VERSION 0x0301
-#define TLS1_VERSION_MAJOR 0x03
-#define TLS1_VERSION_MINOR 0x01
+#define TLS1_2_VERSION_MAJOR 0x03
+#define TLS1_2_VERSION_MINOR 0x03
#define TLS1_get_version(s) \
((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0)
@@ -187,6 +189,7 @@ extern "C" {
#define TLS1_AD_PROTOCOL_VERSION 70 /* fatal */
#define TLS1_AD_INSUFFICIENT_SECURITY 71 /* fatal */
#define TLS1_AD_INTERNAL_ERROR 80 /* fatal */
+#define TLS1_AD_INAPPROPRIATE_FALLBACK 86 /* fatal */
#define TLS1_AD_USER_CANCELLED 90
#define TLS1_AD_NO_RENEGOTIATION 100
/* codes 110-114 are from RFC3546 */

17
share/security/patches/SA-14:23/openssl-10.0.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJURsQeAAoJEO1n7NZdz2rnNmYP/i2vNILbMF0QctkF4QIXRSSX
nOay3VHrLb/KLtVT7dha6TlkcmnqTNbPHr9V34DODeWHFk6ayPSB/BBD6gXoPVPH
rEpUEXLvNpR4V7FoPdWuJ0G7Ywi5M4uthmYMKrZB3pW/WADgd6vllLgoNUZNNwa6
68f12oH/gsCPC78A6OklDA79jabpnjIZUQOXGfet1JVLoAWCssgOvQrhrOWX3oTt
EjvC1jX7maXn/FlWV02PKO0SAWoILiGmfoOcIXtmt2ts82oqaN1HFeLD62Iv4sZh
2J9ka87YeJU02/rRlPXphm72j4kJylsPsBn2mEnRMvkuffjebbOUAJ7B954RQqvz
99MJRJ4/VhJ0GHpKijNPak2TArIGJ4HFIsyXOGLaaqjS2FpbyfU2fz19nrJPR/uh
WdAgA3cniL2kPAh2FSUVPhjg87fdthaV3ZTle97mETO2AQVLO+abm35bPdPmNllS
OX8Ix+fat+QkIh0FZyyUv0XajgYY6pxAj6esRdQ/tUfFCgQsXAhNnBG0Ozc1UiKd
I1ZTeiDiJNndG8pEUyHFJrzXXRGlZsYXydZZXhYIXXpOrVxwxp5Ies4XvrTVSOwC
KUpvlTQwIEnDPi3lnrV/uYngvqOVeaphj3pXeMPjCoipFziOmsAfUHp30PLjB5sg
AJO/ygz+leKzWF2Gi43w
=WImS
-----END PGP SIGNATURE-----

804
share/security/patches/SA-14:23/openssl-8.4.patch Normal file
View file

@ -0,0 +1,804 @@
Index: crypto/openssl/apps/s_cb.c
===================================================================
--- crypto/openssl/apps/s_cb.c (revision 273303)
+++ crypto/openssl/apps/s_cb.c (working copy)
@@ -518,6 +518,24 @@ void MS_CALLBACK msg_cb(int write_p, int version,
case 100:
str_details2 = " no_renegotiation";
break;
+ case 110:
+ str_details2 = " unsupported_extension";
+ break;
+ case 111:
+ str_details2 = " certificate_unobtainable";
+ break;
+ case 112:
+ str_details2 = " unrecognized_name";
+ break;
+ case 113:
+ str_details2 = " bad_certificate_status_response";
+ break;
+ case 114:
+ str_details2 = " bad_certificate_hash_value";
+ break;
+ case 115:
+ str_details2 = " unknown_psk_identity";
+ break;
}
}
}
Index: crypto/openssl/apps/s_client.c
===================================================================
--- crypto/openssl/apps/s_client.c (revision 273303)
+++ crypto/openssl/apps/s_client.c (working copy)
@@ -226,6 +226,7 @@ static void sc_usage(void)
BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
BIO_printf(bio_err," -tls1 - just use TLSv1\n");
BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
+ BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n");
BIO_printf(bio_err," -mtu - set the link layer MTU\n");
BIO_printf(bio_err," -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
@@ -339,6 +340,7 @@ int MAIN(int argc, char **argv)
char *sess_out = NULL;
struct sockaddr peer;
int peerlen = sizeof(peer);
+ int fallback_scsv = 0;
int enable_timeouts = 0 ;
long socket_mtu = 0;
#ifndef OPENSSL_NO_JPAKE
@@ -488,6 +490,10 @@ int MAIN(int argc, char **argv)
socket_mtu = atol(*(++argv));
}
#endif
+ else if (strcmp(*argv,"-fallback_scsv") == 0)
+ {
+ fallback_scsv = 1;
+ }
else if (strcmp(*argv,"-bugs") == 0)
bugs=1;
else if (strcmp(*argv,"-keyform") == 0)
@@ -778,6 +784,10 @@ bad:
SSL_set_session(con, sess);
SSL_SESSION_free(sess);
}
+
+ if (fallback_scsv)
+ SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);
+
#ifndef OPENSSL_NO_TLSEXT
if (servername != NULL)
{
Index: crypto/openssl/crypto/err/openssl.ec
===================================================================
--- crypto/openssl/crypto/err/openssl.ec (revision 273303)
+++ crypto/openssl/crypto/err/openssl.ec (working copy)
@@ -69,8 +69,14 @@ R SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060
R SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070
R SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
R SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
+R SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086
R SSL_R_TLSV1_ALERT_USER_CANCELLED 1090
R SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
+R SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110
+R SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 1111
+R SSL_R_TLSV1_UNRECOGNIZED_NAME 1112
+R SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113
+R SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114
R RSAREF_R_CONTENT_ENCODING 0x0400
R RSAREF_R_DATA 0x0401
Index: crypto/openssl/doc/apps/s_client.pod
===================================================================
--- crypto/openssl/doc/apps/s_client.pod (revision 273303)
+++ crypto/openssl/doc/apps/s_client.pod (working copy)
@@ -34,6 +34,7 @@ B<openssl> B<s_client>
[B<-no_ssl2>]
[B<-no_ssl3>]
[B<-no_tls1>]
+[B<-fallback_scsv>]
[B<-bugs>]
[B<-cipher cipherlist>]
[B<-starttls protocol>]
@@ -167,11 +168,14 @@ these options disable the use of certain SSL or TL
the initial handshake uses a method which should be compatible with all
servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
-Unfortunately there are a lot of ancient and broken servers in use which
+Unfortunately there are still ancient and broken servers in use which
cannot handle this technique and will fail to connect. Some servers only
-work if TLS is turned off with the B<-no_tls> option others will only
-support SSL v2 and may need the B<-ssl2> option.
+work if TLS is turned off.
+=item B<-fallback_scsv>
+
+Send TLS_FALLBACK_SCSV in the ClientHello.
+
=item B<-bugs>
there are several known bug in SSL and TLS implementations. Adding this
Index: crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod
===================================================================
--- crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod (revision 273303)
+++ crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod (working copy)
@@ -61,6 +61,12 @@ deal with read/write operations returning without
flag SSL_MODE_AUTO_RETRY will cause read/write operations to only
return after the handshake and successful completion.
+=item SSL_MODE_FALLBACK_SCSV
+
+Send TLS_FALLBACK_SCSV in the ClientHello.
+To be set by applications that reconnect with a downgraded protocol
+version; see draft-ietf-tls-downgrade-scsv-00 for details.
+
=back
=head1 RETURN VALUES
Index: crypto/openssl/ssl/d1_lib.c
===================================================================
--- crypto/openssl/ssl/d1_lib.c (revision 273303)
+++ crypto/openssl/ssl/d1_lib.c (working copy)
@@ -301,6 +301,16 @@ long dtls1_ctrl(SSL *s, int cmd, long larg, void *
case DTLS_CTRL_LISTEN:
ret = dtls1_listen(s, parg);
break;
+ case SSL_CTRL_CHECK_PROTO_VERSION:
+ /* For library-internal use; checks that the current protocol
+ * is the highest enabled version (according to s->ctx->method,
+ * as version negotiation may have changed s->method). */
+#if DTLS_MAX_VERSION != DTLS1_VERSION
+# error Code needs update for DTLS_method() support beyond DTLS1_VERSION.
+#endif
+ /* Just one protocol version is supported so far;
+ * fail closed if the version is not as expected. */
+ return s->version == DTLS_MAX_VERSION;
default:
ret = ssl3_ctrl(s, cmd, larg, parg);
Index: crypto/openssl/ssl/dtls1.h
===================================================================
--- crypto/openssl/ssl/dtls1.h (revision 273303)
+++ crypto/openssl/ssl/dtls1.h (working copy)
@@ -80,6 +80,8 @@ extern "C" {
#endif
#define DTLS1_VERSION 0xFEFF
+#define DTLS_MAX_VERSION DTLS1_VERSION
+
#define DTLS1_BAD_VER 0x0100
#if 0
@@ -262,4 +264,3 @@ typedef struct dtls1_record_data_st
}
#endif
#endif
-
Index: crypto/openssl/ssl/s23_clnt.c
===================================================================
--- crypto/openssl/ssl/s23_clnt.c (revision 273303)
+++ crypto/openssl/ssl/s23_clnt.c (working copy)
@@ -72,9 +72,11 @@ static SSL_METHOD *ssl23_get_client_method(int ver
if (ver == SSL2_VERSION)
return(SSLv2_client_method());
#endif
+#ifndef OPENSSL_NO_SSL3
if (ver == SSL3_VERSION)
return(SSLv3_client_method());
- else if (ver == TLS1_VERSION)
+#endif
+ if (ver == TLS1_VERSION)
return(TLSv1_client_method());
else
return(NULL);
@@ -509,7 +511,7 @@ static int ssl23_get_server_hello(SSL *s)
/* use special padding (SSL 3.0 draft/RFC 2246, App. E.2) */
s->s2->ssl2_rollback=1;
- /* setup the 5 bytes we have read so we get them from
+ /* setup the 7 bytes we have read so we get them from
* the sslv2 buffer */
s->rstate=SSL_ST_READ_HEADER;
s->packet_length=n;
@@ -525,28 +527,15 @@ static int ssl23_get_server_hello(SSL *s)
s->handshake_func=s->method->ssl_connect;
#endif
}
- else if ((p[0] == SSL3_RT_HANDSHAKE) &&
- (p[1] == SSL3_VERSION_MAJOR) &&
- ((p[2] == SSL3_VERSION_MINOR) ||
- (p[2] == TLS1_VERSION_MINOR)) &&
- (p[5] == SSL3_MT_SERVER_HELLO))
+ else if (p[1] == SSL3_VERSION_MAJOR &&
+ ((p[2] == SSL3_VERSION_MINOR) ||
+ (p[2] == TLS1_VERSION_MINOR)) &&
+ ((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) ||
+ (p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2)))
{
- /* we have sslv3 or tls1 */
+ /* we have sslv3 or tls1 (server hello or alert) */
- if (!ssl_init_wbio_buffer(s,1)) goto err;
-
- /* we are in this state */
- s->state=SSL3_ST_CR_SRVR_HELLO_A;
-
- /* put the 5 bytes we have read into the input buffer
- * for SSLv3 */
- s->rstate=SSL_ST_READ_HEADER;
- s->packet_length=n;
- s->packet= &(s->s3->rbuf.buf[0]);
- memcpy(s->packet,buf,n);
- s->s3->rbuf.left=n;
- s->s3->rbuf.offset=0;
-
+#ifndef OPENSSL_NO_SSL3
if ((p[2] == SSL3_VERSION_MINOR) &&
!(s->options & SSL_OP_NO_SSLv3))
{
@@ -561,7 +550,9 @@ static int ssl23_get_server_hello(SSL *s)
s->version=SSL3_VERSION;
s->method=SSLv3_client_method();
}
- else if ((p[2] == TLS1_VERSION_MINOR) &&
+ else
+#endif
+ if ((p[2] == TLS1_VERSION_MINOR) &&
!(s->options & SSL_OP_NO_TLSv1))
{
s->version=TLS1_VERSION;
@@ -572,35 +563,55 @@ static int ssl23_get_server_hello(SSL *s)
SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
goto err;
}
+
+ /* ensure that TLS_MAX_VERSION is up-to-date */
+ OPENSSL_assert(s->version <= TLS_MAX_VERSION);
+
+ if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING)
+ {
+ /* fatal alert */
+
+ void (*cb)(const SSL *ssl,int type,int val)=NULL;
+ int j;
+
+ if (s->info_callback != NULL)
+ cb=s->info_callback;
+ else if (s->ctx->info_callback != NULL)
+ cb=s->ctx->info_callback;
+
+ i=p[5];
+ if (cb != NULL)
+ {
+ j=(i<<8)|p[6];
+ cb(s,SSL_CB_READ_ALERT,j);
+ }
- s->handshake_func=s->method->ssl_connect;
- }
- else if ((p[0] == SSL3_RT_ALERT) &&
- (p[1] == SSL3_VERSION_MAJOR) &&
- ((p[2] == SSL3_VERSION_MINOR) ||
- (p[2] == TLS1_VERSION_MINOR)) &&
- (p[3] == 0) &&
- (p[4] == 2))
- {
- void (*cb)(const SSL *ssl,int type,int val)=NULL;
- int j;
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, SSL3_RT_ALERT, p+5, 2, s, s->msg_callback_arg);
- /* An alert */
- if (s->info_callback != NULL)
- cb=s->info_callback;
- else if (s->ctx->info_callback != NULL)
- cb=s->ctx->info_callback;
-
- i=p[5];
- if (cb != NULL)
- {
- j=(i<<8)|p[6];
- cb(s,SSL_CB_READ_ALERT,j);
+ s->rwstate=SSL_NOTHING;
+ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_AD_REASON_OFFSET+p[6]);
+ goto err;
}
- s->rwstate=SSL_NOTHING;
- SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_AD_REASON_OFFSET+p[6]);
- goto err;
+ if (!ssl_init_wbio_buffer(s,1)) goto err;
+
+ /* we are in this state */
+ s->state=SSL3_ST_CR_SRVR_HELLO_A;
+
+ /* put the 7 bytes we have read into the input buffer
+ * for SSLv3 */
+ s->rstate=SSL_ST_READ_HEADER;
+ s->packet_length=n;
+ if (s->s3->rbuf.buf == NULL)
+ if (!ssl3_setup_buffers(s))
+ goto err;
+ s->packet= &(s->s3->rbuf.buf[0]);
+ memcpy(s->packet,buf,n);
+ s->s3->rbuf.left=n;
+ s->s3->rbuf.offset=0;
+
+ s->handshake_func=s->method->ssl_connect;
}
else
{
Index: crypto/openssl/ssl/s23_srvr.c
===================================================================
--- crypto/openssl/ssl/s23_srvr.c (revision 273303)
+++ crypto/openssl/ssl/s23_srvr.c (working copy)
@@ -124,9 +124,11 @@ static SSL_METHOD *ssl23_get_server_method(int ver
if (ver == SSL2_VERSION)
return(SSLv2_server_method());
#endif
+#ifndef OPENSSL_NO_SSL3
if (ver == SSL3_VERSION)
return(SSLv3_server_method());
- else if (ver == TLS1_VERSION)
+#endif
+ if (ver == TLS1_VERSION)
return(TLSv1_server_method());
else
return(NULL);
@@ -398,6 +400,9 @@ int ssl23_get_client_hello(SSL *s)
}
#endif
+ /* ensure that TLS_MAX_VERSION is up-to-date */
+ OPENSSL_assert(s->version <= TLS_MAX_VERSION);
+
if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
{
/* we have SSLv3/TLSv1 in an SSLv2 header
@@ -554,6 +559,12 @@ int ssl23_get_client_hello(SSL *s)
if ((type == 2) || (type == 3))
{
/* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
+ s->method = ssl23_get_server_method(s->version);
+ if (s->method == NULL)
+ {
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
+ goto err;
+ }
if (!ssl_init_wbio_buffer(s,1)) goto err;
@@ -577,11 +588,6 @@ int ssl23_get_client_hello(SSL *s)
s->s3->rbuf.left=0;
s->s3->rbuf.offset=0;
}
-
- if (s->version == TLS1_VERSION)
- s->method = TLSv1_server_method();
- else
- s->method = SSLv3_server_method();
#if 0 /* ssl3_get_client_hello does this */
s->client_version=(v[0]<<8)|v[1];
#endif
Index: crypto/openssl/ssl/s2_lib.c
===================================================================
--- crypto/openssl/ssl/s2_lib.c (revision 273303)
+++ crypto/openssl/ssl/s2_lib.c (working copy)
@@ -314,6 +314,8 @@ long ssl2_ctrl(SSL *s, int cmd, long larg, void *p
case SSL_CTRL_GET_SESSION_REUSED:
ret=s->hit;
break;
+ case SSL_CTRL_CHECK_PROTO_VERSION:
+ return ssl3_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, larg, parg);
default:
break;
}
@@ -362,7 +364,7 @@ int ssl2_put_cipher_by_char(const SSL_CIPHER *c, u
if (p != NULL)
{
l=c->id;
- if ((l & 0xff000000) != 0x02000000) return(0);
+ if ((l & 0xff000000) != 0x02000000 && l != SSL3_CK_FALLBACK_SCSV) return(0);
p[0]=((unsigned char)(l>>16L))&0xFF;
p[1]=((unsigned char)(l>> 8L))&0xFF;
p[2]=((unsigned char)(l ))&0xFF;
Index: crypto/openssl/ssl/s3_enc.c
===================================================================
--- crypto/openssl/ssl/s3_enc.c (revision 273303)
+++ crypto/openssl/ssl/s3_enc.c (working copy)
@@ -758,7 +758,13 @@ int ssl3_alert_code(int code)
case SSL_AD_INTERNAL_ERROR: return(SSL3_AD_HANDSHAKE_FAILURE);
case SSL_AD_USER_CANCELLED: return(SSL3_AD_HANDSHAKE_FAILURE);
case SSL_AD_NO_RENEGOTIATION: return(-1); /* Don't send it :-) */
+ case SSL_AD_UNSUPPORTED_EXTENSION: return(SSL3_AD_HANDSHAKE_FAILURE);
+ case SSL_AD_CERTIFICATE_UNOBTAINABLE: return(SSL3_AD_HANDSHAKE_FAILURE);
+ case SSL_AD_UNRECOGNIZED_NAME: return(SSL3_AD_HANDSHAKE_FAILURE);
+ case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(SSL3_AD_HANDSHAKE_FAILURE);
+ case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(SSL3_AD_HANDSHAKE_FAILURE);
+ case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
+ case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK);
default: return(-1);
}
}
-
Index: crypto/openssl/ssl/s3_lib.c
===================================================================
--- crypto/openssl/ssl/s3_lib.c (revision 273303)
+++ crypto/openssl/ssl/s3_lib.c (working copy)
@@ -1981,6 +1981,29 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *p
break;
#endif /* !OPENSSL_NO_TLSEXT */
+
+ case SSL_CTRL_CHECK_PROTO_VERSION:
+ /* For library-internal use; checks that the current protocol
+ * is the highest enabled version (according to s->ctx->method,
+ * as version negotiation may have changed s->method). */
+ if (s->version == s->ctx->method->version)
+ return 1;
+ /* Apparently we're using a version-flexible SSL_METHOD
+ * (not at its highest protocol version). */
+ if (s->ctx->method->version == SSLv23_method()->version)
+ {
+#if TLS_MAX_VERSION != TLS1_VERSION
+# error Code needs update for SSLv23_method() support beyond TLS1_VERSION.
+#endif
+ if (!(s->options & SSL_OP_NO_TLSv1))
+ return s->version == TLS1_VERSION;
+ if (!(s->options & SSL_OP_NO_SSLv3))
+ return s->version == SSL3_VERSION;
+ if (!(s->options & SSL_OP_NO_SSLv2))
+ return s->version == SSL2_VERSION;
+ }
+ return 0; /* Unexpected state; fail closed. */
+
default:
break;
}
@@ -2269,6 +2292,7 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd,
break;
#endif
+
default:
return(0);
}
Index: crypto/openssl/ssl/ssl.h
===================================================================
--- crypto/openssl/ssl/ssl.h (revision 273303)
+++ crypto/openssl/ssl/ssl.h (working copy)
@@ -560,6 +560,10 @@ typedef struct ssl_session_st
#define SSL_MODE_AUTO_RETRY 0x00000004L
/* Don't attempt to automatically build certificate chain */
#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
+/* Send TLS_FALLBACK_SCSV in the ClientHello.
+ * To be set by applications that reconnect with a downgraded protocol
+ * version; see draft-ietf-tls-downgrade-scsv-00 for details. */
+#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L
/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
@@ -1204,6 +1208,9 @@ size_t SSL_get_peer_finished(const SSL *s, void *b
#define SSL_AD_CERTIFICATE_UNOBTAINABLE TLS1_AD_CERTIFICATE_UNOBTAINABLE
#define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME
#define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
+#define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
+#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
+#define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */
#define SSL_ERROR_NONE 0
#define SSL_ERROR_SSL 1
@@ -1293,6 +1300,8 @@ size_t SSL_get_peer_finished(const SSL *s, void *b
#define SSL_CTRL_CLEAR_OPTIONS 77
#define SSL_CTRL_CLEAR_MODE 78
+#define SSL_CTRL_CHECK_PROTO_VERSION 119
+
#define DTLSv1_get_timeout(ssl, arg) \
SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
#define DTLSv1_handle_timeout(ssl) \
@@ -1940,6 +1949,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_HTTPS_PROXY_REQUEST 155
#define SSL_R_HTTP_REQUEST 156
#define SSL_R_ILLEGAL_PADDING 283
+#define SSL_R_INAPPROPRIATE_FALLBACK 373
#define SSL_R_INVALID_CHALLENGE_LENGTH 158
#define SSL_R_INVALID_COMMAND 280
#define SSL_R_INVALID_PURPOSE 278
@@ -2067,6 +2077,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
#define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051
#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060
+#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086
#define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
#define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
#define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
@@ -2074,6 +2085,11 @@ void ERR_load_SSL_strings(void);
#define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022
#define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048
#define SSL_R_TLSV1_ALERT_USER_CANCELLED 1090
+#define SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114
+#define SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113
+#define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 1111
+#define SSL_R_TLSV1_UNRECOGNIZED_NAME 1112
+#define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110
#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232
#define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 227
#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
Index: crypto/openssl/ssl/ssl3.h
===================================================================
--- crypto/openssl/ssl/ssl3.h (revision 273303)
+++ crypto/openssl/ssl/ssl3.h (working copy)
@@ -129,9 +129,14 @@
extern "C" {
#endif
-/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */
+/* Signalling cipher suite value from RFC 5746
+ * (TLS_EMPTY_RENEGOTIATION_INFO_SCSV) */
#define SSL3_CK_SCSV 0x030000FF
+/* Signalling cipher suite value from draft-ietf-tls-downgrade-scsv-00
+ * (TLS_FALLBACK_SCSV) */
+#define SSL3_CK_FALLBACK_SCSV 0x03005600
+
#define SSL3_CK_RSA_NULL_MD5 0x03000001
#define SSL3_CK_RSA_NULL_SHA 0x03000002
#define SSL3_CK_RSA_RC4_40_MD5 0x03000003
Index: crypto/openssl/ssl/ssl_err.c
===================================================================
--- crypto/openssl/ssl/ssl_err.c (revision 273303)
+++ crypto/openssl/ssl/ssl_err.c (working copy)
@@ -341,6 +341,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"},
{ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"},
{ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"},
+{ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK),"inappropriate fallback"},
{ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
{ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"},
{ERR_REASON(SSL_R_INVALID_PURPOSE) ,"invalid purpose"},
@@ -468,6 +469,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"},
{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),"tlsv1 alert decrypt error"},
{ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),"tlsv1 alert export restriction"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),"tlsv1 alert inappropriate fallback"},
{ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),"tlsv1 alert insufficient security"},
{ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR),"tlsv1 alert internal error"},
{ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),"tlsv1 alert no renegotiation"},
@@ -475,6 +477,11 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{ERR_REASON(SSL_R_TLSV1_ALERT_RECORD_OVERFLOW),"tlsv1 alert record overflow"},
{ERR_REASON(SSL_R_TLSV1_ALERT_UNKNOWN_CA),"tlsv1 alert unknown ca"},
{ERR_REASON(SSL_R_TLSV1_ALERT_USER_CANCELLED),"tlsv1 alert user cancelled"},
+{ERR_REASON(SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE),"tlsv1 bad certificate hash value"},
+{ERR_REASON(SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE),"tlsv1 bad certificate status response"},
+{ERR_REASON(SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE),"tlsv1 certificate unobtainable"},
+{ERR_REASON(SSL_R_TLSV1_UNRECOGNIZED_NAME),"tlsv1 unrecognized name"},
+{ERR_REASON(SSL_R_TLSV1_UNSUPPORTED_EXTENSION),"tlsv1 unsupported extension"},
{ERR_REASON(SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER),"tls client cert req with anon cipher"},
{ERR_REASON(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST),"tls invalid ecpointformat list"},
{ERR_REASON(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST),"tls peer did not respond with certificate list"},
Index: crypto/openssl/ssl/ssl_lib.c
===================================================================
--- crypto/openssl/ssl/ssl_lib.c (revision 273303)
+++ crypto/openssl/ssl/ssl_lib.c (working copy)
@@ -1292,6 +1292,8 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_C
if (sk == NULL) return(0);
q=p;
+ if (put_cb == NULL)
+ put_cb = s->method->put_cipher_by_char;
for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
{
@@ -1301,25 +1303,37 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_C
continue;
#endif /* OPENSSL_NO_KRB5 */
- j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
+ j = put_cb(c,p);
p+=j;
}
- /* If p == q, no ciphers and caller indicates an error. Otherwise
- * add SCSV if not renegotiating.
- */
- if (p != q && !s->new_session)
+ /* If p == q, no ciphers; caller indicates an error.
+ * Otherwise, add applicable SCSVs. */
+ if (p != q)
{
- static SSL_CIPHER scsv =
+ if (!s->new_session)
{
- 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0,
- };
- j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p);
- p+=j;
+ static SSL_CIPHER scsv =
+ {
+ 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0,
+ };
+ j = put_cb(&scsv,p);
+ p+=j;
#ifdef OPENSSL_RI_DEBUG
- fprintf(stderr, "SCSV sent by client\n");
+ fprintf(stderr, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n");
#endif
- }
+ }
+ if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV)
+ {
+ static SSL_CIPHER scsv =
+ {
+ 0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0,
+ };
+ j = put_cb(&scsv,p);
+ p+=j;
+ }
+ }
+
return(p-q);
}
@@ -1329,11 +1343,12 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL
SSL_CIPHER *c;
STACK_OF(SSL_CIPHER) *sk;
int i,n;
+
if (s->s3)
s->s3->send_connection_binding = 0;
n=ssl_put_cipher_by_char(s,NULL,NULL);
- if ((num%n) != 0)
+ if (n == 0 || (num%n) != 0)
{
SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
return(NULL);
@@ -1348,7 +1363,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL
for (i=0; i<num; i+=n)
{
- /* Check for SCSV */
+ /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
if (s->s3 && (n != 3 || !p[0]) &&
(p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
(p[n-1] == (SSL3_CK_SCSV & 0xff)))
@@ -1368,6 +1383,23 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL
continue;
}
+ /* Check for TLS_FALLBACK_SCSV */
+ if ((n != 3 || !p[0]) &&
+ (p[n-2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) &&
+ (p[n-1] == (SSL3_CK_FALLBACK_SCSV & 0xff)))
+ {
+ /* The SCSV indicates that the client previously tried a higher version.
+ * Fail if the current version is an unexpected downgrade. */
+ if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL))
+ {
+ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_INAPPROPRIATE_FALLBACK);
+ if (s->s3)
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK);
+ goto err;
+ }
+ continue;
+ }
+
c=ssl_get_cipher_by_char(s,p);
p+=n;
if (c != NULL)
Index: crypto/openssl/ssl/ssl_stat.c
===================================================================
--- crypto/openssl/ssl/ssl_stat.c (revision 273303)
+++ crypto/openssl/ssl/ssl_stat.c (working copy)
@@ -414,6 +414,12 @@ const char *SSL_alert_desc_string(int value)
case TLS1_AD_INTERNAL_ERROR: str="IE"; break;
case TLS1_AD_USER_CANCELLED: str="US"; break;
case TLS1_AD_NO_RENEGOTIATION: str="NR"; break;
+ case TLS1_AD_UNSUPPORTED_EXTENSION: str="UE"; break;
+ case TLS1_AD_CERTIFICATE_UNOBTAINABLE: str="CO"; break;
+ case TLS1_AD_UNRECOGNIZED_NAME: str="UN"; break;
+ case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE: str="BR"; break;
+ case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE: str="BH"; break;
+ case TLS1_AD_UNKNOWN_PSK_IDENTITY: str="UP"; break;
default: str="UK"; break;
}
return(str);
@@ -497,6 +503,24 @@ const char *SSL_alert_desc_string_long(int value)
case TLS1_AD_NO_RENEGOTIATION:
str="no renegotiation";
break;
+ case TLS1_AD_UNSUPPORTED_EXTENSION:
+ str="unsupported extension";
+ break;
+ case TLS1_AD_CERTIFICATE_UNOBTAINABLE:
+ str="certificate unobtainable";
+ break;
+ case TLS1_AD_UNRECOGNIZED_NAME:
+ str="unrecognized name";
+ break;
+ case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
+ str="bad certificate status response";
+ break;
+ case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE:
+ str="bad certificate hash value";
+ break;
+ case TLS1_AD_UNKNOWN_PSK_IDENTITY:
+ str="unknown PSK identity";
+ break;
default: str="unknown"; break;
}
return(str);
Index: crypto/openssl/ssl/t1_enc.c
===================================================================
--- crypto/openssl/ssl/t1_enc.c (revision 273303)
+++ crypto/openssl/ssl/t1_enc.c (working copy)
@@ -853,6 +853,13 @@ int tls1_alert_code(int code)
case SSL_AD_INTERNAL_ERROR: return(TLS1_AD_INTERNAL_ERROR);
case SSL_AD_USER_CANCELLED: return(TLS1_AD_USER_CANCELLED);
case SSL_AD_NO_RENEGOTIATION: return(TLS1_AD_NO_RENEGOTIATION);
+ case SSL_AD_UNSUPPORTED_EXTENSION: return(TLS1_AD_UNSUPPORTED_EXTENSION);
+ case SSL_AD_CERTIFICATE_UNOBTAINABLE: return(TLS1_AD_CERTIFICATE_UNOBTAINABLE);
+ case SSL_AD_UNRECOGNIZED_NAME: return(TLS1_AD_UNRECOGNIZED_NAME);
+ case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
+ case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
+ case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
+ case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK);
#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return
(DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
@@ -860,4 +867,3 @@ int tls1_alert_code(int code)
default: return(-1);
}
}
-
Index: crypto/openssl/ssl/t1_lib.c
===================================================================
--- crypto/openssl/ssl/t1_lib.c (revision 273303)
+++ crypto/openssl/ssl/t1_lib.c (working copy)
@@ -1013,7 +1013,10 @@ static int tls_decrypt_ticket(SSL *s, const unsign
HMAC_Final(&hctx, tick_hmac, NULL);
HMAC_CTX_cleanup(&hctx);
if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
+ {
+ EVP_CIPHER_CTX_cleanup(&ctx);
goto tickerr;
+ }
/* Attempt to decrypt session data */
/* Move p after IV to start of encrypted ticket, update length */
p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
Index: crypto/openssl/ssl/tls1.h
===================================================================
--- crypto/openssl/ssl/tls1.h (revision 273303)
+++ crypto/openssl/ssl/tls1.h (working copy)
@@ -81,6 +81,15 @@ extern "C" {
#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0
#define TLS1_VERSION 0x0301
+#define TLS1_1_VERSION 0x0302
+#define TLS1_2_VERSION 0x0303
+/* TLS 1.1 and 1.2 are not supported by this version of OpenSSL, so
+ * TLS_MAX_VERSION indicates TLS 1.0 regardless of the above
+ * definitions. (s23_clnt.c and s23_srvr.c have an OPENSSL_assert()
+ * check that would catch the error if TLS_MAX_VERSION was too low.)
+ */
+#define TLS_MAX_VERSION TLS1_VERSION
+
#define TLS1_VERSION_MAJOR 0x03
#define TLS1_VERSION_MINOR 0x01
@@ -94,6 +103,7 @@ extern "C" {
#define TLS1_AD_PROTOCOL_VERSION 70 /* fatal */
#define TLS1_AD_INSUFFICIENT_SECURITY 71 /* fatal */
#define TLS1_AD_INTERNAL_ERROR 80 /* fatal */
+#define TLS1_AD_INAPPROPRIATE_FALLBACK 86 /* fatal */
#define TLS1_AD_USER_CANCELLED 90
#define TLS1_AD_NO_RENEGOTIATION 100
/* codes 110-114 are from RFC3546 */
@@ -405,6 +415,3 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICK
}
#endif
#endif
-
-
-

17
share/security/patches/SA-14:23/openssl-8.4.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJURsQkAAoJEO1n7NZdz2rnRFoQAK7jBPWn7yxIyQGlqa4evqX9
vRNh3m95mAeQQUKKRBpqR6RkP2a7VMcCQXbRvoJzm/Tpbe+8tfUG1RlmusqFjNse
Obh/eYaVQrpl+LBfa/at2h1f+dKLe/pkDJc/2ZlHI4LXiM7Jvj1QCfsD+gnyJp3/
KsGBt51LZWAxwO9h3+Ng7Gdf0xT8/0fJW4ZWTzyTahslgCRAEodiZTvXAzraDnVj
h67c3KZfdmC5SxKkUl12ngd44naq0A3LSvxnAfktLFFxThgamhjdVawd/EN5Beyd
1etR5HX3WIH4GjxGqEbZ6uXYN3E4xK2Zx00LPUBvonaI7pwS093Hp3HZeuWW289V
feTS3r51s0y6sb78SzgKw1jQPDSw9friYxfYKBNGKNuzpLknX0fVNY6wRbeNc0yf
R3cPan+QiSSLACOG+MhryStMQxvOI1WQORlbCwUo6Ye7ZVI/SK332YOM4q3kyGhU
m22v3p9FpJ25vWaQoe2iwA6MYXBIbPj42rIKEk8xdCnGvXfmsE5fyYLYvbhzoxbz
dBzpfhP6QyHXz/1g8Fc/oqpdYhXg7leLOsJVkCbuu9pnMsqtXXoFgeYiUIDFgfvE
qLLfX1FAoLXQXlkMrDCpaQxtLLL9qDkt3zKkZG6H4kTULiaDH6mE+rhstFo8vURX
hLvDhCioMwFmK4lWOBD1
=1Ow8
-----END PGP SIGNATURE-----

595
share/security/patches/SA-14:23/openssl-9.3.patch Normal file
View file

@ -0,0 +1,595 @@
Index: crypto/openssl/apps/s_client.c
===================================================================
--- crypto/openssl/apps/s_client.c (revision 273303)
+++ crypto/openssl/apps/s_client.c (working copy)
@@ -226,6 +226,7 @@ static void sc_usage(void)
BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
BIO_printf(bio_err," -tls1 - just use TLSv1\n");
BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
+ BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n");
BIO_printf(bio_err," -mtu - set the link layer MTU\n");
BIO_printf(bio_err," -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
@@ -339,6 +340,7 @@ int MAIN(int argc, char **argv)
char *sess_out = NULL;
struct sockaddr peer;
int peerlen = sizeof(peer);
+ int fallback_scsv = 0;
int enable_timeouts = 0 ;
long socket_mtu = 0;
#ifndef OPENSSL_NO_JPAKE
@@ -488,6 +490,10 @@ int MAIN(int argc, char **argv)
socket_mtu = atol(*(++argv));
}
#endif
+ else if (strcmp(*argv,"-fallback_scsv") == 0)
+ {
+ fallback_scsv = 1;
+ }
else if (strcmp(*argv,"-bugs") == 0)
bugs=1;
else if (strcmp(*argv,"-keyform") == 0)
@@ -778,6 +784,10 @@ bad:
SSL_set_session(con, sess);
SSL_SESSION_free(sess);
}
+
+ if (fallback_scsv)
+ SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);
+
#ifndef OPENSSL_NO_TLSEXT
if (servername != NULL)
{
Index: crypto/openssl/crypto/err/openssl.ec
===================================================================
--- crypto/openssl/crypto/err/openssl.ec (revision 273303)
+++ crypto/openssl/crypto/err/openssl.ec (working copy)
@@ -69,6 +69,7 @@ R SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060
R SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070
R SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
R SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
+R SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086
R SSL_R_TLSV1_ALERT_USER_CANCELLED 1090
R SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
R SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110
Index: crypto/openssl/doc/apps/s_client.pod
===================================================================
--- crypto/openssl/doc/apps/s_client.pod (revision 273303)
+++ crypto/openssl/doc/apps/s_client.pod (working copy)
@@ -34,6 +34,7 @@ B<openssl> B<s_client>
[B<-no_ssl2>]
[B<-no_ssl3>]
[B<-no_tls1>]
+[B<-fallback_scsv>]
[B<-bugs>]
[B<-cipher cipherlist>]
[B<-starttls protocol>]
@@ -167,11 +168,14 @@ these options disable the use of certain SSL or TL
the initial handshake uses a method which should be compatible with all
servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
-Unfortunately there are a lot of ancient and broken servers in use which
+Unfortunately there are still ancient and broken servers in use which
cannot handle this technique and will fail to connect. Some servers only
-work if TLS is turned off with the B<-no_tls> option others will only
-support SSL v2 and may need the B<-ssl2> option.
+work if TLS is turned off.
+=item B<-fallback_scsv>
+
+Send TLS_FALLBACK_SCSV in the ClientHello.
+
=item B<-bugs>
there are several known bug in SSL and TLS implementations. Adding this
Index: crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod
===================================================================
--- crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod (revision 273303)
+++ crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod (working copy)
@@ -61,6 +61,12 @@ deal with read/write operations returning without
flag SSL_MODE_AUTO_RETRY will cause read/write operations to only
return after the handshake and successful completion.
+=item SSL_MODE_FALLBACK_SCSV
+
+Send TLS_FALLBACK_SCSV in the ClientHello.
+To be set by applications that reconnect with a downgraded protocol
+version; see draft-ietf-tls-downgrade-scsv-00 for details.
+
=back
=head1 RETURN VALUES
Index: crypto/openssl/ssl/d1_lib.c
===================================================================
--- crypto/openssl/ssl/d1_lib.c (revision 273303)
+++ crypto/openssl/ssl/d1_lib.c (working copy)
@@ -305,6 +305,16 @@ long dtls1_ctrl(SSL *s, int cmd, long larg, void *
case DTLS_CTRL_LISTEN:
ret = dtls1_listen(s, parg);
break;
+ case SSL_CTRL_CHECK_PROTO_VERSION:
+ /* For library-internal use; checks that the current protocol
+ * is the highest enabled version (according to s->ctx->method,
+ * as version negotiation may have changed s->method). */
+#if DTLS_MAX_VERSION != DTLS1_VERSION
+# error Code needs update for DTLS_method() support beyond DTLS1_VERSION.
+#endif
+ /* Just one protocol version is supported so far;
+ * fail closed if the version is not as expected. */
+ return s->version == DTLS_MAX_VERSION;
default:
ret = ssl3_ctrl(s, cmd, larg, parg);
Index: crypto/openssl/ssl/dtls1.h
===================================================================
--- crypto/openssl/ssl/dtls1.h (revision 273303)
+++ crypto/openssl/ssl/dtls1.h (working copy)
@@ -80,6 +80,8 @@ extern "C" {
#endif
#define DTLS1_VERSION 0xFEFF
+#define DTLS_MAX_VERSION DTLS1_VERSION
+
#define DTLS1_BAD_VER 0x0100
#if 0
@@ -262,4 +264,3 @@ typedef struct dtls1_record_data_st
}
#endif
#endif
-
Index: crypto/openssl/ssl/s23_clnt.c
===================================================================
--- crypto/openssl/ssl/s23_clnt.c (revision 273303)
+++ crypto/openssl/ssl/s23_clnt.c (working copy)
@@ -72,9 +72,11 @@ static SSL_METHOD *ssl23_get_client_method(int ver
if (ver == SSL2_VERSION)
return(SSLv2_client_method());
#endif
+#ifndef OPENSSL_NO_SSL3
if (ver == SSL3_VERSION)
return(SSLv3_client_method());
- else if (ver == TLS1_VERSION)
+#endif
+ if (ver == TLS1_VERSION)
return(TLSv1_client_method());
else
return(NULL);
@@ -533,6 +535,7 @@ static int ssl23_get_server_hello(SSL *s)
{
/* we have sslv3 or tls1 (server hello or alert) */
+#ifndef OPENSSL_NO_SSL3
if ((p[2] == SSL3_VERSION_MINOR) &&
!(s->options & SSL_OP_NO_SSLv3))
{
@@ -547,7 +550,9 @@ static int ssl23_get_server_hello(SSL *s)
s->version=SSL3_VERSION;
s->method=SSLv3_client_method();
}
- else if ((p[2] == TLS1_VERSION_MINOR) &&
+ else
+#endif
+ if ((p[2] == TLS1_VERSION_MINOR) &&
!(s->options & SSL_OP_NO_TLSv1))
{
s->version=TLS1_VERSION;
@@ -559,6 +564,9 @@ static int ssl23_get_server_hello(SSL *s)
goto err;
}
+ /* ensure that TLS_MAX_VERSION is up-to-date */
+ OPENSSL_assert(s->version <= TLS_MAX_VERSION);
+
if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING)
{
/* fatal alert */
Index: crypto/openssl/ssl/s23_srvr.c
===================================================================
--- crypto/openssl/ssl/s23_srvr.c (revision 273303)
+++ crypto/openssl/ssl/s23_srvr.c (working copy)
@@ -124,9 +124,11 @@ static SSL_METHOD *ssl23_get_server_method(int ver
if (ver == SSL2_VERSION)
return(SSLv2_server_method());
#endif
+#ifndef OPENSSL_NO_SSL3
if (ver == SSL3_VERSION)
return(SSLv3_server_method());
- else if (ver == TLS1_VERSION)
+#endif
+ if (ver == TLS1_VERSION)
return(TLSv1_server_method());
else
return(NULL);
@@ -398,6 +400,9 @@ int ssl23_get_client_hello(SSL *s)
}
#endif
+ /* ensure that TLS_MAX_VERSION is up-to-date */
+ OPENSSL_assert(s->version <= TLS_MAX_VERSION);
+
if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
{
/* we have SSLv3/TLSv1 in an SSLv2 header
@@ -554,6 +559,12 @@ int ssl23_get_client_hello(SSL *s)
if ((type == 2) || (type == 3))
{
/* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
+ s->method = ssl23_get_server_method(s->version);
+ if (s->method == NULL)
+ {
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
+ goto err;
+ }
if (!ssl_init_wbio_buffer(s,1)) goto err;
@@ -577,11 +588,6 @@ int ssl23_get_client_hello(SSL *s)
s->s3->rbuf.left=0;
s->s3->rbuf.offset=0;
}
-
- if (s->version == TLS1_VERSION)
- s->method = TLSv1_server_method();
- else
- s->method = SSLv3_server_method();
#if 0 /* ssl3_get_client_hello does this */
s->client_version=(v[0]<<8)|v[1];
#endif
Index: crypto/openssl/ssl/s2_lib.c
===================================================================
--- crypto/openssl/ssl/s2_lib.c (revision 273303)
+++ crypto/openssl/ssl/s2_lib.c (working copy)
@@ -314,6 +314,8 @@ long ssl2_ctrl(SSL *s, int cmd, long larg, void *p
case SSL_CTRL_GET_SESSION_REUSED:
ret=s->hit;
break;
+ case SSL_CTRL_CHECK_PROTO_VERSION:
+ return ssl3_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, larg, parg);
default:
break;
}
@@ -362,7 +364,7 @@ int ssl2_put_cipher_by_char(const SSL_CIPHER *c, u
if (p != NULL)
{
l=c->id;
- if ((l & 0xff000000) != 0x02000000) return(0);
+ if ((l & 0xff000000) != 0x02000000 && l != SSL3_CK_FALLBACK_SCSV) return(0);
p[0]=((unsigned char)(l>>16L))&0xFF;
p[1]=((unsigned char)(l>> 8L))&0xFF;
p[2]=((unsigned char)(l ))&0xFF;
Index: crypto/openssl/ssl/s3_enc.c
===================================================================
--- crypto/openssl/ssl/s3_enc.c (revision 273303)
+++ crypto/openssl/ssl/s3_enc.c (working copy)
@@ -764,7 +764,7 @@ int ssl3_alert_code(int code)
case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(SSL3_AD_HANDSHAKE_FAILURE);
case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(SSL3_AD_HANDSHAKE_FAILURE);
case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
+ case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK);
default: return(-1);
}
}
-
Index: crypto/openssl/ssl/s3_lib.c
===================================================================
--- crypto/openssl/ssl/s3_lib.c (revision 273303)
+++ crypto/openssl/ssl/s3_lib.c (working copy)
@@ -1986,6 +1986,29 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *p
break;
#endif /* !OPENSSL_NO_TLSEXT */
+
+ case SSL_CTRL_CHECK_PROTO_VERSION:
+ /* For library-internal use; checks that the current protocol
+ * is the highest enabled version (according to s->ctx->method,
+ * as version negotiation may have changed s->method). */
+ if (s->version == s->ctx->method->version)
+ return 1;
+ /* Apparently we're using a version-flexible SSL_METHOD
+ * (not at its highest protocol version). */
+ if (s->ctx->method->version == SSLv23_method()->version)
+ {
+#if TLS_MAX_VERSION != TLS1_VERSION
+# error Code needs update for SSLv23_method() support beyond TLS1_VERSION.
+#endif
+ if (!(s->options & SSL_OP_NO_TLSv1))
+ return s->version == TLS1_VERSION;
+ if (!(s->options & SSL_OP_NO_SSLv3))
+ return s->version == SSL3_VERSION;
+ if (!(s->options & SSL_OP_NO_SSLv2))
+ return s->version == SSL2_VERSION;
+ }
+ return 0; /* Unexpected state; fail closed. */
+
default:
break;
}
@@ -2274,6 +2297,7 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd,
break;
#endif
+
default:
return(0);
}
Index: crypto/openssl/ssl/ssl.h
===================================================================
--- crypto/openssl/ssl/ssl.h (revision 273303)
+++ crypto/openssl/ssl/ssl.h (working copy)
@@ -563,6 +563,10 @@ typedef struct ssl_session_st
#define SSL_MODE_AUTO_RETRY 0x00000004L
/* Don't attempt to automatically build certificate chain */
#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
+/* Send TLS_FALLBACK_SCSV in the ClientHello.
+ * To be set by applications that reconnect with a downgraded protocol
+ * version; see draft-ietf-tls-downgrade-scsv-00 for details. */
+#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L
/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
@@ -1209,6 +1213,7 @@ size_t SSL_get_peer_finished(const SSL *s, void *b
#define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
#define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
+#define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */
#define SSL_ERROR_NONE 0
#define SSL_ERROR_SSL 1
@@ -1298,6 +1303,8 @@ size_t SSL_get_peer_finished(const SSL *s, void *b
#define SSL_CTRL_CLEAR_OPTIONS 77
#define SSL_CTRL_CLEAR_MODE 78
+#define SSL_CTRL_CHECK_PROTO_VERSION 119
+
#define DTLSv1_get_timeout(ssl, arg) \
SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
#define DTLSv1_handle_timeout(ssl) \
@@ -1945,6 +1952,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_HTTPS_PROXY_REQUEST 155
#define SSL_R_HTTP_REQUEST 156
#define SSL_R_ILLEGAL_PADDING 283
+#define SSL_R_INAPPROPRIATE_FALLBACK 373
#define SSL_R_INVALID_CHALLENGE_LENGTH 158
#define SSL_R_INVALID_COMMAND 280
#define SSL_R_INVALID_PURPOSE 278
@@ -2072,6 +2080,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
#define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051
#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060
+#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086
#define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
#define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
#define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
Index: crypto/openssl/ssl/ssl3.h
===================================================================
--- crypto/openssl/ssl/ssl3.h (revision 273303)
+++ crypto/openssl/ssl/ssl3.h (working copy)
@@ -129,9 +129,14 @@
extern "C" {
#endif
-/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */
+/* Signalling cipher suite value from RFC 5746
+ * (TLS_EMPTY_RENEGOTIATION_INFO_SCSV) */
#define SSL3_CK_SCSV 0x030000FF
+/* Signalling cipher suite value from draft-ietf-tls-downgrade-scsv-00
+ * (TLS_FALLBACK_SCSV) */
+#define SSL3_CK_FALLBACK_SCSV 0x03005600
+
#define SSL3_CK_RSA_NULL_MD5 0x03000001
#define SSL3_CK_RSA_NULL_SHA 0x03000002
#define SSL3_CK_RSA_RC4_40_MD5 0x03000003
Index: crypto/openssl/ssl/ssl_err.c
===================================================================
--- crypto/openssl/ssl/ssl_err.c (revision 273303)
+++ crypto/openssl/ssl/ssl_err.c (working copy)
@@ -341,6 +341,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"},
{ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"},
{ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"},
+{ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK),"inappropriate fallback"},
{ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
{ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"},
{ERR_REASON(SSL_R_INVALID_PURPOSE) ,"invalid purpose"},
@@ -468,6 +469,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"},
{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),"tlsv1 alert decrypt error"},
{ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),"tlsv1 alert export restriction"},
+{ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),"tlsv1 alert inappropriate fallback"},
{ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),"tlsv1 alert insufficient security"},
{ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR),"tlsv1 alert internal error"},
{ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),"tlsv1 alert no renegotiation"},
Index: crypto/openssl/ssl/ssl_lib.c
===================================================================
--- crypto/openssl/ssl/ssl_lib.c (revision 273303)
+++ crypto/openssl/ssl/ssl_lib.c (working copy)
@@ -1296,6 +1296,8 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_C
if (sk == NULL) return(0);
q=p;
+ if (put_cb == NULL)
+ put_cb = s->method->put_cipher_by_char;
for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
{
@@ -1305,25 +1307,37 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_C
continue;
#endif /* OPENSSL_NO_KRB5 */
- j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
+ j = put_cb(c,p);
p+=j;
}
- /* If p == q, no ciphers and caller indicates an error. Otherwise
- * add SCSV if not renegotiating.
- */
- if (p != q && !s->new_session)
+ /* If p == q, no ciphers; caller indicates an error.
+ * Otherwise, add applicable SCSVs. */
+ if (p != q)
{
- static SSL_CIPHER scsv =
+ if (!s->new_session)
{
- 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0,
- };
- j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p);
- p+=j;
+ static SSL_CIPHER scsv =
+ {
+ 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0,
+ };
+ j = put_cb(&scsv,p);
+ p+=j;
#ifdef OPENSSL_RI_DEBUG
- fprintf(stderr, "SCSV sent by client\n");
+ fprintf(stderr, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n");
#endif
- }
+ }
+ if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV)
+ {
+ static SSL_CIPHER scsv =
+ {
+ 0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0,
+ };
+ j = put_cb(&scsv,p);
+ p+=j;
+ }
+ }
+
return(p-q);
}
@@ -1333,11 +1347,12 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL
SSL_CIPHER *c;
STACK_OF(SSL_CIPHER) *sk;
int i,n;
+
if (s->s3)
s->s3->send_connection_binding = 0;
n=ssl_put_cipher_by_char(s,NULL,NULL);
- if ((num%n) != 0)
+ if (n == 0 || (num%n) != 0)
{
SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
return(NULL);
@@ -1352,7 +1367,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL
for (i=0; i<num; i+=n)
{
- /* Check for SCSV */
+ /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
if (s->s3 && (n != 3 || !p[0]) &&
(p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
(p[n-1] == (SSL3_CK_SCSV & 0xff)))
@@ -1372,6 +1387,23 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL
continue;
}
+ /* Check for TLS_FALLBACK_SCSV */
+ if ((n != 3 || !p[0]) &&
+ (p[n-2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) &&
+ (p[n-1] == (SSL3_CK_FALLBACK_SCSV & 0xff)))
+ {
+ /* The SCSV indicates that the client previously tried a higher version.
+ * Fail if the current version is an unexpected downgrade. */
+ if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL))
+ {
+ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_INAPPROPRIATE_FALLBACK);
+ if (s->s3)
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK);
+ goto err;
+ }
+ continue;
+ }
+
c=ssl_get_cipher_by_char(s,p);
p+=n;
if (c != NULL)
Index: crypto/openssl/ssl/t1_enc.c
===================================================================
--- crypto/openssl/ssl/t1_enc.c (revision 273303)
+++ crypto/openssl/ssl/t1_enc.c (working copy)
@@ -855,6 +855,7 @@ int tls1_alert_code(int code)
case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
+ case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK);
#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return
(DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
@@ -862,4 +863,3 @@ int tls1_alert_code(int code)
default: return(-1);
}
}
-
Index: crypto/openssl/ssl/t1_lib.c
===================================================================
--- crypto/openssl/ssl/t1_lib.c (revision 273303)
+++ crypto/openssl/ssl/t1_lib.c (working copy)
@@ -1101,7 +1101,10 @@ static int tls_decrypt_ticket(SSL *s, const unsign
HMAC_Final(&hctx, tick_hmac, NULL);
HMAC_CTX_cleanup(&hctx);
if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
+ {
+ EVP_CIPHER_CTX_cleanup(&ctx);
goto tickerr;
+ }
/* Attempt to decrypt session data */
/* Move p after IV to start of encrypted ticket, update length */
p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
Index: crypto/openssl/ssl/tls1.h
===================================================================
--- crypto/openssl/ssl/tls1.h (revision 273303)
+++ crypto/openssl/ssl/tls1.h (working copy)
@@ -80,17 +80,24 @@ extern "C" {
#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0
+#define TLS1_VERSION 0x0301
+#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
-#define TLS1_2_VERSION_MAJOR 0x03
-#define TLS1_2_VERSION_MINOR 0x03
+/* TLS 1.1 and 1.2 are not supported by this version of OpenSSL, so
+ * TLS_MAX_VERSION indicates TLS 1.0 regardless of the above
+ * definitions. (s23_clnt.c and s23_srvr.c have an OPENSSL_assert()
+ * check that would catch the error if TLS_MAX_VERSION was too low.)
+ */
+#define TLS_MAX_VERSION TLS1_VERSION
-#define TLS1_1_VERSION 0x0302
+#define TLS1_VERSION_MAJOR 0x03
+#define TLS1_VERSION_MINOR 0x01
+
#define TLS1_1_VERSION_MAJOR 0x03
#define TLS1_1_VERSION_MINOR 0x02
-#define TLS1_VERSION 0x0301
-#define TLS1_VERSION_MAJOR 0x03
-#define TLS1_VERSION_MINOR 0x01
+#define TLS1_2_VERSION_MAJOR 0x03
+#define TLS1_2_VERSION_MINOR 0x03
#define TLS1_get_version(s) \
((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0)
@@ -108,6 +115,7 @@ extern "C" {
#define TLS1_AD_PROTOCOL_VERSION 70 /* fatal */
#define TLS1_AD_INSUFFICIENT_SECURITY 71 /* fatal */
#define TLS1_AD_INTERNAL_ERROR 80 /* fatal */
+#define TLS1_AD_INAPPROPRIATE_FALLBACK 86 /* fatal */
#define TLS1_AD_USER_CANCELLED 90
#define TLS1_AD_NO_RENEGOTIATION 100
/* codes 110-114 are from RFC3546 */
@@ -419,6 +427,3 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICK
}
#endif
#endif
-
-
-

17
share/security/patches/SA-14:23/openssl-9.3.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJURsQnAAoJEO1n7NZdz2rnX70P/22A3/E7ANHhWcYJldM/HgI7
47WrEpNcZGEE2UmJdGZsOuFnpG8/mBVUms6mtgQ7YoKVrJUfiCmKA6rwAM+LbNjd
druM27MDgg0QQZGEVKCvX0JXoWTJuQzBR/Amw62ccjFHlF9H5tINw1kWJp7yKMAp
GOzKiSpX8EVlYq/0AP6VGx5GSUmg0ArBSEthdvZn3KPDCyXeK3yjUI5Ss+aaTIq1
cV1dlxpmVstXoik/a7L0wVHX5fBoe4vvvMDvQioFPdklkNCka/h2L1YdmXBwii5P
hn83+r+FYc8PL36u1QU4UOP4qVRHapygWhLgIPoNcH1Bo2o/nrBiGnljWdIga+Ge
nvI2bf1qoX8VSqhx2UUVUYvzAMvpBkURNPHPzGxgExu9d0+/si0/HdPXTEUElhRd
3b79w7P1PQuTVSIjA/++3IVVQsAa8+8NLlh7ZkSR0cCPnfbpw4wHsa0rWnllrdym
49lRLS0L0tFUYugEVZCB6+wccT398OCM9NX2chNdIZ8ppN42xj4Al0X2T8w5HbwI
R93SQJnCf4/B1Eab0TkbCpFeo+tLUnX+LB4t2PygSMtOnWQBF9yFBQSNkL7ZTvMs
a9f5lEEJiCqjIkO8VJrwm8wZrq3jTKpGReS7cHezZsZ+/NxvEiAQ9k84BKGhSUz2
Hp6Cl/i/0POI8jssDukG
=h2PK
-----END PGP SIGNATURE-----

24
share/xml/advisories.xml
View file

@ -7,6 +7,30 @@
<year>
<name>2014</name>
<month>
<name>10</name>
<day>
<name>21</name>
<advisory>
<name>FreeBSD-SA-14:23.openssl</name>
</advisory>
<advisory>
<name>FreeBSD-SA-14:22.namei</name>
</advisory>
<advisory>
<name>FreeBSD-SA-14:21.routed</name>
</advisory>
<advisory>
<name>FreeBSD-SA-14:20.rtsold</name>
</advisory>
</day>
</month>
<month>
<name>9</name>