diff options
| -rw-r--r-- | external/openssl/CVE-2014-3505.patch | 52 | ||||
| -rw-r--r-- | external/openssl/CVE-2014-3506.patch | 87 | ||||
| -rw-r--r-- | external/openssl/CVE-2014-3507.patch | 53 | ||||
| -rw-r--r-- | external/openssl/CVE-2014-3508.patch | 138 | ||||
| -rw-r--r-- | external/openssl/CVE-2014-3509.patch | 45 | ||||
| -rw-r--r-- | external/openssl/CVE-2014-3510.patch | 86 | ||||
| -rw-r--r-- | external/openssl/CVE-2014-3511.patch | 85 | ||||
| -rw-r--r-- | external/openssl/CVE-2014-3513.patch | 186 | ||||
| -rw-r--r-- | external/openssl/CVE-2014-3566.patch | 466 | ||||
| -rw-r--r-- | external/openssl/CVE-2014-3567.patch | 14 | ||||
| -rw-r--r-- | external/openssl/UnpackedTarball_openssl.mk | 10 |
11 files changed, 1222 insertions, 0 deletions
diff --git a/external/openssl/CVE-2014-3505.patch b/external/openssl/CVE-2014-3505.patch new file mode 100644 index 000000000000..69284d5fc230 --- /dev/null +++ b/external/openssl/CVE-2014-3505.patch @@ -0,0 +1,52 @@ +From 2172d4f63c61922487008f42511cc6bdae9b47a0 Mon Sep 17 00:00:00 2001 +From: Adam Langley <agl@imperialviolet.org> +Date: Fri, 6 Jun 2014 14:19:21 -0700 +Subject: [PATCH] Avoid double free when processing DTLS packets. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The |item| variable, in both of these cases, may contain a pointer to a +|pitem| structure within |s->d1->buffered_messages|. It was being freed +in the error case while still being in |buffered_messages|. When the +error later caused the |SSL*| to be destroyed, the item would be double +freed. + +Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was +inconsistent with the other error paths (but correct). + +Fixes CVE-2014-3505 + +Reviewed-by: Matt Caswell <matt@openssl.org> +Reviewed-by: Emilia Käsper <emilia@openssl.org> +--- + ssl/d1_both.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/ssl/d1_both.c b/ssl/d1_both.c +index c1eb970..cdb83b6 100644 +--- a/a/ssl/d1_both.c ++++ b/b/ssl/d1_both.c +@@ -693,8 +693,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) + return DTLS1_HM_FRAGMENT_RETRY; + + err: +- if (frag != NULL) dtls1_hm_fragment_free(frag); +- if (item != NULL) OPENSSL_free(item); ++ if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag); + *ok = 0; + return i; + } +@@ -778,8 +777,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) + return DTLS1_HM_FRAGMENT_RETRY; + + err: +- if ( frag != NULL) dtls1_hm_fragment_free(frag); +- if ( item != NULL) OPENSSL_free(item); ++ if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag); + *ok = 0; + return i; + } +-- +1.8.3.1 + diff --git a/external/openssl/CVE-2014-3506.patch b/external/openssl/CVE-2014-3506.patch new file mode 100644 index 000000000000..45b87dc5f43c --- /dev/null +++ b/external/openssl/CVE-2014-3506.patch @@ -0,0 +1,87 @@ +From fc7804ec392fcf8051abe6bc9da9108744d2ae35 Mon Sep 17 00:00:00 2001 +From: Matt Caswell <matt@openssl.org> +Date: Fri, 6 Jun 2014 14:25:52 -0700 +Subject: [PATCH] Fix DTLS handshake message size checks. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In |dtls1_reassemble_fragment|, the value of +|msg_hdr->frag_off+frag_len| was being checked against the maximum +handshake message size, but then |msg_len| bytes were allocated for the +fragment buffer. This means that so long as the fragment was within the +allowed size, the pending handshake message could consume 16MB + 2MB +(for the reassembly bitmap). Approx 10 outstanding handshake messages +are allowed, meaning that an attacker could consume ~180MB per DTLS +connection. + +In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no +check was applied. + +Fixes CVE-2014-3506 + +Wholly based on patch by Adam Langley with one minor amendment. + +Reviewed-by: Emilia Käsper <emilia@openssl.org> +--- + ssl/d1_both.c | 29 ++++++++++++++++------------- + 1 file changed, 16 insertions(+), 13 deletions(-) + +diff --git a/ssl/d1_both.c b/ssl/d1_both.c +index 6559dfc..b9e15df 100644 +--- a/a/ssl/d1_both.c ++++ b/b/ssl/d1_both.c +@@ -587,6 +587,16 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) + return 0; + } + ++/* dtls1_max_handshake_message_len returns the maximum number of bytes ++ * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but may ++ * be greater if the maximum certificate list size requires it. */ ++static unsigned long dtls1_max_handshake_message_len(const SSL *s) ++ { ++ unsigned long max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; ++ if (max_len < (unsigned long)s->max_cert_list) ++ return s->max_cert_list; ++ return max_len; ++ } + + static int + dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) +@@ -595,20 +605,10 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) + pitem *item = NULL; + int i = -1, is_complete; + unsigned char seq64be[8]; +- unsigned long frag_len = msg_hdr->frag_len, max_len; +- +- if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len) +- goto err; +- +- /* Determine maximum allowed message size. Depends on (user set) +- * maximum certificate length, but 16k is minimum. +- */ +- if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH < s->max_cert_list) +- max_len = s->max_cert_list; +- else +- max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; ++ unsigned long frag_len = msg_hdr->frag_len; + +- if ((msg_hdr->frag_off+frag_len) > max_len) ++ if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len || ++ msg_hdr->msg_len > dtls1_max_handshake_message_len(s)) + goto err; + + /* Try to find item in queue */ +@@ -749,6 +749,9 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) + if (frag_len && frag_len < msg_hdr->msg_len) + return dtls1_reassemble_fragment(s, msg_hdr, ok); + ++ if (frag_len > dtls1_max_handshake_message_len(s)) ++ goto err; ++ + frag = dtls1_hm_fragment_new(frag_len, 0); + if ( frag == NULL) + goto err; +-- +1.8.3.1 + diff --git a/external/openssl/CVE-2014-3507.patch b/external/openssl/CVE-2014-3507.patch new file mode 100644 index 000000000000..4ea0b69ab21a --- /dev/null +++ b/external/openssl/CVE-2014-3507.patch @@ -0,0 +1,53 @@ +diff -up openssl-1.0.1e/ssl/d1_both.c.dtls-memleak openssl-1.0.1e/ssl/d1_both.c +--- a/a/ssl/d1_both.c.dtls-memleak 2014-08-07 17:51:18.457493922 +0200 ++++ b/b/ssl/d1_both.c 2014-08-07 17:58:28.478558785 +0200 +@@ -610,6 +610,9 @@ dtls1_reassemble_fragment(SSL *s, struct + msg_hdr->msg_len > dtls1_max_handshake_message_len(s)) + goto err; + ++ if (frag_len == 0) ++ return DTLS1_HM_FRAGMENT_RETRY; ++ + /* Try to find item in queue */ + memset(seq64be,0,sizeof(seq64be)); + seq64be[6] = (unsigned char) (msg_hdr->seq>>8); +@@ -686,7 +689,12 @@ dtls1_reassemble_fragment(SSL *s, struct + i = -1; + } + +- pqueue_insert(s->d1->buffered_messages, item); ++ item = pqueue_insert(s->d1->buffered_messages, item); ++ /* pqueue_insert fails iff a duplicate item is inserted. ++ * However, |item| cannot be a duplicate. If it were, ++ * |pqueue_find|, above, would have returned it and control ++ * would never have reached this branch. */ ++ OPENSSL_assert(item != NULL); + } + + return DTLS1_HM_FRAGMENT_RETRY; +@@ -744,7 +752,7 @@ dtls1_process_out_of_seq_message(SSL *s, + } + else + { +- if (frag_len && frag_len < msg_hdr->msg_len) ++ if (frag_len < msg_hdr->msg_len) + return dtls1_reassemble_fragment(s, msg_hdr, ok); + + if (frag_len > dtls1_max_handshake_message_len(s)) +@@ -773,7 +781,15 @@ dtls1_process_out_of_seq_message(SSL *s, + if ( item == NULL) + goto err; + +- pqueue_insert(s->d1->buffered_messages, item); ++ item = pqueue_insert(s->d1->buffered_messages, item); ++ /* pqueue_insert fails iff a duplicate item is inserted. ++ * However, |item| cannot be a duplicate. If it were, ++ * |pqueue_find|, above, would have returned it. Then, either ++ * |frag_len| != |msg_hdr->msg_len| in which case |item| is set ++ * to NULL and it will have been processed with ++ * |dtls1_reassemble_fragment|, above, or the record will have ++ * been discarded. */ ++ OPENSSL_assert(item != NULL); + } + + return DTLS1_HM_FRAGMENT_RETRY; diff --git a/external/openssl/CVE-2014-3508.patch b/external/openssl/CVE-2014-3508.patch new file mode 100644 index 000000000000..513608d44b98 --- /dev/null +++ b/external/openssl/CVE-2014-3508.patch @@ -0,0 +1,138 @@ +From 03b04ddac162c7b7fa3c57eadccc5a583a00d291 Mon Sep 17 00:00:00 2001 +From: Emilia Kasper <emilia@openssl.org> +Date: Wed, 2 Jul 2014 19:02:33 +0200 +Subject: [PATCH] Fix OID handling: + +- Upon parsing, reject OIDs with invalid base-128 encoding. +- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function. + +CVE-2014-3508 + +Reviewed-by: Dr. Stephen Henson <steve@openssl.org> +Reviewed-by: Kurt Roeckx <kurt@openssl.org> +Reviewed-by: Tim Hudson <tjh@openssl.org> +--- + crypto/asn1/a_object.c | 30 +++++++++++++++++++++--------- + crypto/objects/obj_dat.c | 16 +++++++++------- + 2 files changed, 30 insertions(+), 16 deletions(-) + +diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c +index 3978c91..77b2768 100644 +--- a/a/crypto/asn1/a_object.c ++++ b/b/crypto/asn1/a_object.c +@@ -283,17 +283,29 @@ err: + ASN1err(ASN1_F_D2I_ASN1_OBJECT,i); + return(NULL); + } ++ + ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, + long len) + { + ASN1_OBJECT *ret=NULL; + const unsigned char *p; + unsigned char *data; +- int i; +- /* Sanity check OID encoding: can't have leading 0x80 in +- * subidentifiers, see: X.690 8.19.2 ++ int i, length; ++ ++ /* Sanity check OID encoding. ++ * Need at least one content octet. ++ * MSB must be clear in the last octet. ++ * can't have leading 0x80 in subidentifiers, see: X.690 8.19.2 + */ +- for (i = 0, p = *pp; i < len; i++, p++) ++ if (len <= 0 || len > INT_MAX || pp == NULL || (p = *pp) == NULL || ++ p[len - 1] & 0x80) ++ { ++ ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING); ++ return NULL; ++ } ++ /* Now 0 < len <= INT_MAX, so the cast is safe. */ ++ length = (int)len; ++ for (i = 0; i < length; i++, p++) + { + if (*p == 0x80 && (!i || !(p[-1] & 0x80))) + { +@@ -316,23 +328,23 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, + data = (unsigned char *)ret->data; + ret->data = NULL; + /* once detached we can change it */ +- if ((data == NULL) || (ret->length < len)) ++ if ((data == NULL) || (ret->length < length)) + { + ret->length=0; + if (data != NULL) OPENSSL_free(data); +- data=(unsigned char *)OPENSSL_malloc(len ? (int)len : 1); ++ data=(unsigned char *)OPENSSL_malloc(length); + if (data == NULL) + { i=ERR_R_MALLOC_FAILURE; goto err; } + ret->flags|=ASN1_OBJECT_FLAG_DYNAMIC_DATA; + } +- memcpy(data,p,(int)len); ++ memcpy(data,p,length); + /* reattach data to object, after which it remains const */ + ret->data =data; +- ret->length=(int)len; ++ ret->length=length; + ret->sn=NULL; + ret->ln=NULL; + /* ret->flags=ASN1_OBJECT_FLAG_DYNAMIC; we know it is dynamic */ +- p+=len; ++ p+=length; + + if (a != NULL) (*a)=ret; + *pp=p; +diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c +index 8a342ba..0b2f442 100644 +--- a/a/crypto/objects/obj_dat.c ++++ b/b/crypto/objects/obj_dat.c +@@ -471,11 +471,12 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) + const unsigned char *p; + char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2]; + +- if ((a == NULL) || (a->data == NULL)) { +- buf[0]='\0'; +- return(0); +- } ++ /* Ensure that, at every state, |buf| is NUL-terminated. */ ++ if (buf && buf_len > 0) ++ buf[0] = '\0'; + ++ if ((a == NULL) || (a->data == NULL)) ++ return(0); + + if (!no_name && (nid=OBJ_obj2nid(a)) != NID_undef) + { +@@ -554,9 +555,10 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) + i=(int)(l/40); + l-=(long)(i*40); + } +- if (buf && (buf_len > 0)) ++ if (buf && (buf_len > 1)) + { + *buf++ = i + '0'; ++ *buf = '\0'; + buf_len--; + } + n++; +@@ -571,9 +573,10 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) + i = strlen(bndec); + if (buf) + { +- if (buf_len > 0) ++ if (buf_len > 1) + { + *buf++ = '.'; ++ *buf = '\0'; + buf_len--; + } + BUF_strlcpy(buf,bndec,buf_len); +@@ -807,4 +810,3 @@ err: + OPENSSL_free(buf); + return(ok); + } +- +-- +1.8.3.1 + diff --git a/external/openssl/CVE-2014-3509.patch b/external/openssl/CVE-2014-3509.patch new file mode 100644 index 000000000000..45c94624f177 --- /dev/null +++ b/external/openssl/CVE-2014-3509.patch @@ -0,0 +1,45 @@ +From 86788e1ee6908a5b3a4c95fa80caa4b724a8a434 Mon Sep 17 00:00:00 2001 +From: Gabor Tyukasz <Gabor.Tyukasz@logmein.com> +Date: Wed, 23 Jul 2014 23:42:06 +0200 +Subject: [PATCH] Fix race condition in ssl_parse_serverhello_tlsext + +CVE-2014-3509 +Reviewed-by: Tim Hudson <tjh@openssl.org> +Reviewed-by: Dr. Stephen Henson <steve@openssl.org> +--- + ssl/t1_lib.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c +index 8167a51..022a4fb 100644 +--- a/a/ssl/t1_lib.c ++++ b/b/ssl/t1_lib.c +@@ -1555,15 +1555,18 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in + *al = TLS1_AD_DECODE_ERROR; + return 0; + } +- s->session->tlsext_ecpointformatlist_length = 0; +- if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); +- if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) ++ if (!s->hit) + { +- *al = TLS1_AD_INTERNAL_ERROR; +- return 0; ++ s->session->tlsext_ecpointformatlist_length = 0; ++ if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); ++ if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) ++ { ++ *al = TLS1_AD_INTERNAL_ERROR; ++ return 0; ++ } ++ s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; ++ memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); + } +- s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; +- memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); + #if 0 + fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); + sdata = s->session->tlsext_ecpointformatlist; +-- +1.8.3.1 + diff --git a/external/openssl/CVE-2014-3510.patch b/external/openssl/CVE-2014-3510.patch new file mode 100644 index 000000000000..5cdc5d79bcf4 --- /dev/null +++ b/external/openssl/CVE-2014-3510.patch @@ -0,0 +1,86 @@ +From 88ae012c8092852f03c50f6461175271104b4c8a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Emilia=20K=C3=A4sper?= <emilia@openssl.org> +Date: Thu, 24 Jul 2014 22:15:29 +0200 +Subject: [PATCH] Fix DTLS anonymous EC(DH) denial of service + +CVE-2014-3510 + +Reviewed-by: Dr. Stephen Henson <steve@openssl.org> +--- + ssl/d1_clnt.c | 23 +++++++++++++++++++++-- + ssl/s3_clnt.c | 7 +++++++ + 2 files changed, 28 insertions(+), 2 deletions(-) + +diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c +index 65dbb4a..fd6562c 100644 +--- a/a/ssl/d1_clnt.c ++++ b/b/ssl/d1_clnt.c +@@ -996,6 +996,13 @@ int dtls1_send_client_key_exchange(SSL *s) + RSA *rsa; + unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; + ++ if (s->session->sess_cert == NULL) ++ { ++ /* We should always have a server certificate with SSL_kRSA. */ ++ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ + if (s->session->sess_cert->peer_rsa_tmp != NULL) + rsa=s->session->sess_cert->peer_rsa_tmp; + else +@@ -1186,6 +1193,13 @@ int dtls1_send_client_key_exchange(SSL *s) + { + DH *dh_srvr,*dh_clnt; + ++ if (s->session->sess_cert == NULL) ++ { ++ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); ++ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); ++ goto err; ++ } ++ + if (s->session->sess_cert->peer_dh_tmp != NULL) + dh_srvr=s->session->sess_cert->peer_dh_tmp; + else +@@ -1245,6 +1259,13 @@ int dtls1_send_client_key_exchange(SSL *s) + int ecdh_clnt_cert = 0; + int field_size = 0; + ++ if (s->session->sess_cert == NULL) ++ { ++ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); ++ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); ++ goto err; ++ } ++ + /* Did we send out the client's + * ECDH share for use in premaster + * computation as part of client certificate? +@@ -1720,5 +1741,3 @@ int dtls1_send_client_certificate(SSL *s) + /* SSL3_ST_CW_CERT_D */ + return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); + } +- +- +diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c +index 2afb892..df05f78 100644 +--- a/a/ssl/s3_clnt.c ++++ b/b/ssl/s3_clnt.c +@@ -2253,6 +2253,13 @@ int ssl3_send_client_key_exchange(SSL *s) + RSA *rsa; + unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; + ++ if (s->session->sess_cert == NULL) ++ { ++ /* We should always have a server certificate with SSL_kRSA. */ ++ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ + if (s->session->sess_cert->peer_rsa_tmp != NULL) + rsa=s->session->sess_cert->peer_rsa_tmp; + else +-- +1.8.3.1 + diff --git a/external/openssl/CVE-2014-3511.patch b/external/openssl/CVE-2014-3511.patch new file mode 100644 index 000000000000..4b5b9c6a150f --- /dev/null +++ b/external/openssl/CVE-2014-3511.patch @@ -0,0 +1,85 @@ +From fc4f4cdb8bf9981904e652abf69b892a45bddacf Mon Sep 17 00:00:00 2001 +From: David Benjamin <davidben@google.com> +Date: Wed, 23 Jul 2014 22:32:21 +0200 +Subject: [PATCH] Fix protocol downgrade bug in case of fragmented packets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2014-3511 + +Reviewed-by: Emilia Käsper <emilia@openssl.org> +Reviewed-by: Bodo Möller <bodo@openssl.org> +--- + ssl/s23_srvr.c | 30 +++++++++++++++++++++++------- + 1 file changed, 23 insertions(+), 7 deletions(-) + +diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c +index 4877849..2901a6b 100644 +--- a/a/ssl/s23_srvr.c ++++ b/b/ssl/s23_srvr.c +@@ -348,23 +348,19 @@ int ssl23_get_client_hello(SSL *s) + * Client Hello message, this would be difficult, and we'd have + * to read more records to find out. + * No known SSL 3.0 client fragments ClientHello like this, +- * so we simply assume TLS 1.0 to avoid protocol version downgrade +- * attacks. */ ++ * so we simply reject such connections to avoid ++ * protocol version downgrade attacks. */ + if (p[3] == 0 && p[4] < 6) + { +-#if 0 + SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL); + goto err; +-#else +- v[1] = TLS1_VERSION_MINOR; +-#endif + } + /* if major version number > 3 set minor to a value + * which will use the highest version 3 we support. + * If TLS 2.0 ever appears we will need to revise + * this.... + */ +- else if (p[9] > SSL3_VERSION_MAJOR) ++ if (p[9] > SSL3_VERSION_MAJOR) + v[1]=0xff; + else + v[1]=p[10]; /* minor version according to client_version */ +@@ -444,14 +440,34 @@ int ssl23_get_client_hello(SSL *s) + v[0] = p[3]; /* == SSL3_VERSION_MAJOR */ + v[1] = p[4]; + ++ /* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2 ++ * header is sent directly on the wire, not wrapped as a TLS ++ * record. It's format is: ++ * Byte Content ++ * 0-1 msg_length ++ * 2 msg_type ++ * 3-4 version ++ * 5-6 cipher_spec_length ++ * 7-8 session_id_length ++ * 9-10 challenge_length ++ * ... ... ++ */ + n=((p[0]&0x7f)<<8)|p[1]; + if (n > (1024*4)) + { + SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE); + goto err; + } ++ if (n < 9) ++ { ++ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH); ++ goto err; ++ } + + j=ssl23_read_bytes(s,n+2); ++ /* We previously read 11 bytes, so if j > 0, we must have ++ * j == n+2 == s->packet_length. We have at least 11 valid ++ * packet bytes. */ + if (j <= 0) return(j); + + ssl3_finish_mac(s, s->packet+2, s->packet_length-2); +-- +1.8.3.1 + diff --git a/external/openssl/CVE-2014-3513.patch b/external/openssl/CVE-2014-3513.patch new file mode 100644 index 000000000000..96d4584c38ea --- /dev/null +++ b/external/openssl/CVE-2014-3513.patch @@ -0,0 +1,186 @@ +diff -up openssl-1.0.1e/ssl/d1_srtp.c.srtp-leak openssl-1.0.1e/ssl/d1_srtp.c +--- a/a/ssl/d1_srtp.c.srtp-leak 2013-02-11 16:26:04.000000000 +0100 ++++ b/b/ssl/d1_srtp.c 2014-10-15 13:23:34.253040160 +0200 +@@ -168,25 +168,6 @@ static int find_profile_by_name(char *pr + return 1; + } + +-static int find_profile_by_num(unsigned profile_num, +- SRTP_PROTECTION_PROFILE **pptr) +- { +- SRTP_PROTECTION_PROFILE *p; +- +- p=srtp_known_profiles; +- while(p->name) +- { +- if(p->id == profile_num) +- { +- *pptr=p; +- return 0; +- } +- p++; +- } +- +- return 1; +- } +- + static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTECTION_PROFILE) **out) + { + STACK_OF(SRTP_PROTECTION_PROFILE) *profiles; +@@ -209,11 +190,19 @@ static int ssl_ctx_make_profiles(const c + if(!find_profile_by_name(ptr,&p, + col ? col-ptr : (int)strlen(ptr))) + { ++ if (sk_SRTP_PROTECTION_PROFILE_find(profiles,p) >= 0) ++ { ++ SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); ++ sk_SRTP_PROTECTION_PROFILE_free(profiles); ++ return 1; ++ } ++ + sk_SRTP_PROTECTION_PROFILE_push(profiles,p); + } + else + { + SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE); ++ sk_SRTP_PROTECTION_PROFILE_free(profiles); + return 1; + } + +@@ -305,13 +294,12 @@ int ssl_add_clienthello_use_srtp_ext(SSL + + int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al) + { +- SRTP_PROTECTION_PROFILE *cprof,*sprof; +- STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0,*srvr; ++ SRTP_PROTECTION_PROFILE *sprof; ++ STACK_OF(SRTP_PROTECTION_PROFILE) *srvr; + int ct; + int mki_len; +- int i,j; +- int id; +- int ret; ++ int i, srtp_pref; ++ unsigned int id; + + /* Length value + the MKI length */ + if(len < 3) +@@ -341,22 +329,32 @@ int ssl_parse_clienthello_use_srtp_ext(S + return 1; + } + ++ srvr=SSL_get_srtp_profiles(s); ++ s->srtp_profile = NULL; ++ /* Search all profiles for a match initially */ ++ srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr); + +- clnt=sk_SRTP_PROTECTION_PROFILE_new_null(); +- + while(ct) + { + n2s(d,id); + ct-=2; + len-=2; + +- if(!find_profile_by_num(id,&cprof)) ++ /* ++ * Only look for match in profiles of higher preference than ++ * current match. ++ * If no profiles have been have been configured then this ++ * does nothing. ++ */ ++ for (i = 0; i < srtp_pref; i++) + { +- sk_SRTP_PROTECTION_PROFILE_push(clnt,cprof); +- } +- else +- { +- ; /* Ignore */ ++ sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i); ++ if (sprof->id == id) ++ { ++ s->srtp_profile = sprof; ++ srtp_pref = i; ++ break; ++ } + } + } + +@@ -371,36 +369,7 @@ int ssl_parse_clienthello_use_srtp_ext(S + return 1; + } + +- srvr=SSL_get_srtp_profiles(s); +- +- /* Pick our most preferred profile. If no profiles have been +- configured then the outer loop doesn't run +- (sk_SRTP_PROTECTION_PROFILE_num() = -1) +- and so we just return without doing anything */ +- for(i=0;i<sk_SRTP_PROTECTION_PROFILE_num(srvr);i++) +- { +- sprof=sk_SRTP_PROTECTION_PROFILE_value(srvr,i); +- +- for(j=0;j<sk_SRTP_PROTECTION_PROFILE_num(clnt);j++) +- { +- cprof=sk_SRTP_PROTECTION_PROFILE_value(clnt,j); +- +- if(cprof->id==sprof->id) +- { +- s->srtp_profile=sprof; +- *al=0; +- ret=0; +- goto done; +- } +- } +- } +- +- ret=0; +- +-done: +- if(clnt) sk_SRTP_PROTECTION_PROFILE_free(clnt); +- +- return ret; ++ return 0; + } + + int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen) +diff -up openssl-1.0.1e/ssl/t1_lib.c.srtp-leak openssl-1.0.1e/ssl/t1_lib.c +--- a/a/ssl/t1_lib.c.srtp-leak 2014-10-15 13:19:59.955202293 +0200 ++++ b/b/ssl/t1_lib.c 2014-10-15 13:23:34.254040182 +0200 +@@ -696,7 +696,7 @@ unsigned char *ssl_add_clienthello_tlsex + #endif + + #ifndef OPENSSL_NO_SRTP +- if(SSL_get_srtp_profiles(s)) ++ if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) + { + int el; + +@@ -829,7 +829,7 @@ unsigned char *ssl_add_serverhello_tlsex + #endif + + #ifndef OPENSSL_NO_SRTP +- if(s->srtp_profile) ++ if(SSL_IS_DTLS(s) && s->srtp_profile) + { + int el; + +@@ -1377,7 +1377,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, + + /* session ticket processed earlier */ + #ifndef OPENSSL_NO_SRTP +- else if (type == TLSEXT_TYPE_use_srtp) ++ else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) ++ && type == TLSEXT_TYPE_use_srtp) + { + if(ssl_parse_clienthello_use_srtp_ext(s, data, size, + al)) +@@ -1631,7 +1632,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, + } + #endif + #ifndef OPENSSL_NO_SRTP +- else if (type == TLSEXT_TYPE_use_srtp) ++ else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) + { + if(ssl_parse_serverhello_use_srtp_ext(s, data, size, + al)) diff --git a/external/openssl/CVE-2014-3566.patch b/external/openssl/CVE-2014-3566.patch new file mode 100644 index 000000000000..c9b37a7c08fa --- /dev/null +++ b/external/openssl/CVE-2014-3566.patch @@ -0,0 +1,466 @@ +diff -up openssl-1.0.1e/apps/s_client.c.fallback-scsv openssl-1.0.1e/apps/s_client.c +--- a/a/apps/s_client.c.fallback-scsv 2014-10-15 17:06:01.000000000 +0200 ++++ b/b/apps/s_client.c 2014-10-15 17:07:36.392502320 +0200 +@@ -336,6 +336,7 @@ static void sc_usage(void) + BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n"); + BIO_printf(bio_err," -tls1 - just use TLSv1\n"); + BIO_printf(bio_err," -dtls1 - just use DTLSv1\n"); ++ BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n"); + BIO_printf(bio_err," -mtu - set the link layer MTU\n"); + BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n"); + BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n"); +@@ -616,6 +617,7 @@ int MAIN(int argc, char **argv) + char *sess_out = NULL; + struct sockaddr peer; + int peerlen = sizeof(peer); ++ int fallback_scsv = 0; + int enable_timeouts = 0 ; + long socket_mtu = 0; + #ifndef OPENSSL_NO_JPAKE +@@ -829,6 +831,10 @@ int MAIN(int argc, char **argv) + socket_mtu = atol(*(++argv)); + } + #endif ++ else if (strcmp(*argv,"-fallback_scsv") == 0) ++ { ++ fallback_scsv = 1; ++ } + else if (strcmp(*argv,"-bugs") == 0) + bugs=1; + else if (strcmp(*argv,"-keyform") == 0) +@@ -1240,6 +1246,10 @@ bad: + SSL_set_session(con, sess); + SSL_SESSION_free(sess); + } ++ ++ if (fallback_scsv) ++ SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV); ++ + #ifndef OPENSSL_NO_TLSEXT + if (servername != NULL) + { +diff -up openssl-1.0.1e/doc/apps/s_client.pod.fallback-scsv openssl-1.0.1e/doc/apps/s_client.pod +--- a/a/doc/apps/s_client.pod.fallback-scsv 2014-10-15 17:06:01.000000000 +0200 ++++ b/b/doc/apps/s_client.pod 2014-10-15 17:08:17.354427053 +0200 +@@ -34,6 +34,7 @@ + [B<-no_ssl2>] + [B<-no_ssl3>] + [B<-no_tls1>] ++[B<-fallback_scsv>] + [B<-bugs>] + [B<-cipher cipherlist>] + [B<-starttls protocol>] +@@ -187,6 +188,10 @@ + work if TLS is turned off with the B<-no_tls> option others will only + support SSL v2 and may need the B<-ssl2> option. + ++=item B<-fallback_scsv> ++ ++Send TLS_FALLBACK_SCSV in the ClientHello. ++ + =item B<-bugs> + + there are several known bug in SSL and TLS implementations. Adding this +diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_mode.pod.fallback-scsv openssl-1.0.1e/doc/ssl/SSL_CTX_set_mode.pod +--- a/a/doc/ssl/SSL_CTX_set_mode.pod.fallback-scsv 2013-02-11 16:26:04.000000000 +0100 ++++ b/b/doc/ssl/SSL_CTX_set_mode.pod 2014-10-15 17:09:57.577689637 +0200 +@@ -71,6 +71,12 @@ SSL_CTX->freelist_max_len, which default + save around 34k per idle SSL connection. + This flag has no effect on SSL v2 connections, or on DTLS connections. + ++=item SSL_MODE_SEND_FALLBACK_SCSV ++ ++Send TLS_FALLBACK_SCSV in the ClientHello. ++To be set by applications that reconnect with a downgraded protocol ++version; see draft-ietf-tls-downgrade-scsv-00 for details. ++ + =back + + =head1 RETURN VALUES +diff -up openssl-1.0.1e/ssl/dtls1.h.fallback-scsv openssl-1.0.1e/ssl/dtls1.h +--- a/a/ssl/dtls1.h.fallback-scsv 2014-10-15 14:39:30.862907615 +0200 ++++ b/b/ssl/dtls1.h 2014-10-15 14:39:30.973910121 +0200 +@@ -84,6 +84,8 @@ extern "C" { + #endif + + #define DTLS1_VERSION 0xFEFF ++#define DTLS_MAX_VERSION DTLS1_VERSION ++ + #define DTLS1_BAD_VER 0x0100 + + #if 0 +@@ -284,4 +286,3 @@ typedef struct dtls1_record_data_st + } + #endif + #endif +- +diff -up openssl-1.0.1e/ssl/d1_lib.c.fallback-scsv openssl-1.0.1e/ssl/d1_lib.c +--- a/a/ssl/d1_lib.c.fallback-scsv 2014-10-15 14:39:30.911908721 +0200 ++++ b/b/ssl/d1_lib.c 2014-10-15 14:39:30.973910121 +0200 +@@ -263,6 +263,16 @@ long dtls1_ctrl(SSL *s, int cmd, long la + case DTLS_CTRL_LISTEN: + ret = dtls1_listen(s, parg); + break; ++ case SSL_CTRL_CHECK_PROTO_VERSION: ++ /* For library-internal use; checks that the current protocol ++ * is the highest enabled version (according to s->ctx->method, ++ * as version negotiation may have changed s->method). */ ++#if DTLS_MAX_VERSION != DTLS1_VERSION ++# error Code needs update for DTLS_method() support beyond DTLS1_VERSION. ++#endif ++ /* Just one protocol version is supported so far; ++ * fail closed if the version is not as expected. */ ++ return s->version == DTLS_MAX_VERSION; + + default: + ret = ssl3_ctrl(s, cmd, larg, parg); +diff -up openssl-1.0.1e/ssl/ssl_err.c.fallback-scsv openssl-1.0.1e/ssl/ssl_err.c +--- a/a/ssl/ssl_err.c.fallback-scsv 2013-02-11 16:26:04.000000000 +0100 ++++ b/b/ssl/ssl_err.c 2014-10-15 14:39:30.973910121 +0200 +@@ -382,6 +382,7 @@ static ERR_STRING_DATA SSL_str_reasons[] + {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"}, + {ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"}, + {ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"}, ++{ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK),"inappropriate fallback"}, + {ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION),"inconsistent compression"}, + {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"}, + {ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"}, +@@ -528,6 +529,7 @@ static ERR_STRING_DATA SSL_str_reasons[] + {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"}, + {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),"tlsv1 alert decrypt error"}, + {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),"tlsv1 alert export restriction"}, ++{ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),"tlsv1 alert inappropriate fallback"}, + {ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),"tlsv1 alert insufficient security"}, + {ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR),"tlsv1 alert internal error"}, + {ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),"tlsv1 alert no renegotiation"}, +diff -up openssl-1.0.1e/ssl/ssl.h.fallback-scsv openssl-1.0.1e/ssl/ssl.h +--- a/a/ssl/ssl.h.fallback-scsv 2014-10-15 14:39:30.940909375 +0200 ++++ b/b/ssl/ssl.h 2014-10-15 14:41:46.174962343 +0200 +@@ -641,6 +641,10 @@ + * TLS only.) "Released" buffers are put onto a free-list in the context + * or just freed (depending on the context's setting for freelist_max_len). */ + #define SSL_MODE_RELEASE_BUFFERS 0x00000010L ++/* Send TLS_FALLBACK_SCSV in the ClientHello. ++ * To be set by applications that reconnect with a downgraded protocol ++ * version; see draft-ietf-tls-downgrade-scsv-00 for details. */ ++#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L + + /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, + * they cannot be used to clear bits. */ +@@ -1499,6 +1503,7 @@ + #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE + #define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE + #define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */ ++#define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */ + + #define SSL_ERROR_NONE 0 + #define SSL_ERROR_SSL 1 +@@ -1609,6 +1614,8 @@ + #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82 + #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83 + ++#define SSL_CTRL_CHECK_PROTO_VERSION 119 ++ + #define DTLSv1_get_timeout(ssl, arg) \ + SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) + #define DTLSv1_handle_timeout(ssl) \ +@@ -2362,6 +2369,7 @@ + #define SSL_R_HTTPS_PROXY_REQUEST 155 + #define SSL_R_HTTP_REQUEST 156 + #define SSL_R_ILLEGAL_PADDING 283 ++#define SSL_R_INAPPROPRIATE_FALLBACK 373 + #define SSL_R_INCONSISTENT_COMPRESSION 340 + #define SSL_R_INVALID_CHALLENGE_LENGTH 158 + #define SSL_R_INVALID_COMMAND 280 +@@ -2508,6 +2516,7 @@ + #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021 + #define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051 + #define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060 ++#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086 + #define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071 + #define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080 + #define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100 +diff -up openssl-1.0.1e/ssl/ssl_lib.c.fallback-scsv openssl-1.0.1e/ssl/ssl_lib.c +--- a/a/ssl/ssl_lib.c.fallback-scsv 2014-10-15 14:39:30.912908743 +0200 ++++ b/b/ssl/ssl_lib.c 2014-10-15 14:39:30.975910166 +0200 +@@ -1383,6 +1383,8 @@ int ssl_cipher_list_to_bytes(SSL *s,STAC + + if (sk == NULL) return(0); + q=p; ++ if (put_cb == NULL) ++ put_cb = s->method->put_cipher_by_char; + + for (i=0; i<sk_SSL_CIPHER_num(sk); i++) + { +@@ -1402,24 +1404,36 @@ int ssl_cipher_list_to_bytes(SSL *s,STAC + s->psk_client_callback == NULL) + continue; + #endif /* OPENSSL_NO_PSK */ +- j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p); ++ j = put_cb(c,p); + p+=j; + } +- /* If p == q, no ciphers and caller indicates an error. Otherwise +- * add SCSV if not renegotiating. +- */ +- if (p != q && !s->renegotiate) ++ /* If p == q, no ciphers; caller indicates an error. ++ * Otherwise, add applicable SCSVs. */ ++ if (p != q) + { +- static SSL_CIPHER scsv = ++ if (!s->renegotiate) + { +- 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 +- }; +- j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p); +- p+=j; ++ static SSL_CIPHER scsv = ++ { ++ 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 ++ }; ++ j = put_cb(&scsv,p); ++ p+=j; + #ifdef OPENSSL_RI_DEBUG +- fprintf(stderr, "SCSV sent by client\n"); ++ fprintf(stderr, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n"); + #endif +- } ++ } ++ ++ if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) ++ { ++ static SSL_CIPHER scsv = ++ { ++ 0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 ++ }; ++ j = put_cb(&scsv,p); ++ p+=j; ++ } ++ } + + return(p-q); + } +@@ -1430,11 +1444,12 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe + const SSL_CIPHER *c; + STACK_OF(SSL_CIPHER) *sk; + int i,n; ++ + if (s->s3) + s->s3->send_connection_binding = 0; + + n=ssl_put_cipher_by_char(s,NULL,NULL); +- if ((num%n) != 0) ++ if (n == 0 || (num%n) != 0) + { + SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); + return(NULL); +@@ -1449,7 +1464,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe + + for (i=0; i<num; i+=n) + { +- /* Check for SCSV */ ++ /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */ + if (s->s3 && (n != 3 || !p[0]) && + (p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) && + (p[n-1] == (SSL3_CK_SCSV & 0xff))) +@@ -1469,6 +1484,23 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe + continue; + } + ++ /* Check for TLS_FALLBACK_SCSV */ ++ if ((n != 3 || !p[0]) && ++ (p[n-2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) && ++ (p[n-1] == (SSL3_CK_FALLBACK_SCSV & 0xff))) ++ { ++ /* The SCSV indicates that the client previously tried a higher version. ++ * Fail if the current version is an unexpected downgrade. */ ++ if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL)) ++ { ++ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_INAPPROPRIATE_FALLBACK); ++ if (s->s3) ++ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK); ++ goto err; ++ } ++ continue; ++ } ++ + c=ssl_get_cipher_by_char(s,p); + p+=n; + if (c != NULL) +diff -up openssl-1.0.1e/ssl/ssl3.h.fallback-scsv openssl-1.0.1e/ssl/ssl3.h +--- a/a/ssl/ssl3.h.fallback-scsv 2014-10-15 14:39:30.949909579 +0200 ++++ b/b/ssl/ssl3.h 2014-10-15 14:39:30.975910166 +0200 +@@ -128,9 +128,14 @@ + extern "C" { + #endif + +-/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */ ++/* Signalling cipher suite value from RFC 5746 ++ * (TLS_EMPTY_RENEGOTIATION_INFO_SCSV) */ + #define SSL3_CK_SCSV 0x030000FF + ++/* Signalling cipher suite value from draft-ietf-tls-downgrade-scsv-00 ++ * (TLS_FALLBACK_SCSV) */ ++#define SSL3_CK_FALLBACK_SCSV 0x03005600 ++ + #define SSL3_CK_RSA_NULL_MD5 0x03000001 + #define SSL3_CK_RSA_NULL_SHA 0x03000002 + #define SSL3_CK_RSA_RC4_40_MD5 0x03000003 +diff -up openssl-1.0.1e/ssl/s2_lib.c.fallback-scsv openssl-1.0.1e/ssl/s2_lib.c +--- a/a/ssl/s2_lib.c.fallback-scsv 2014-10-15 14:39:30.901908495 +0200 ++++ b/b/ssl/s2_lib.c 2014-10-15 14:39:30.975910166 +0200 +@@ -391,6 +391,8 @@ long ssl2_ctrl(SSL *s, int cmd, long lar + case SSL_CTRL_GET_SESSION_REUSED: + ret=s->hit; + break; ++ case SSL_CTRL_CHECK_PROTO_VERSION: ++ return ssl3_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, larg, parg); + default: + break; + } +@@ -437,7 +439,7 @@ int ssl2_put_cipher_by_char(const SSL_CI + if (p != NULL) + { + l=c->id; +- if ((l & 0xff000000) != 0x02000000) return(0); ++ if ((l & 0xff000000) != 0x02000000 && l != SSL3_CK_FALLBACK_SCSV) return(0); + p[0]=((unsigned char)(l>>16L))&0xFF; + p[1]=((unsigned char)(l>> 8L))&0xFF; + p[2]=((unsigned char)(l ))&0xFF; +diff -up openssl-1.0.1e/ssl/s23_clnt.c.fallback-scsv openssl-1.0.1e/ssl/s23_clnt.c +--- a/a/ssl/s23_clnt.c.fallback-scsv 2013-02-11 16:26:04.000000000 +0100 ++++ b/b/ssl/s23_clnt.c 2014-10-15 14:39:30.975910166 +0200 +@@ -715,6 +715,9 @@ static int ssl23_get_server_hello(SSL *s + goto err; + } + ++ /* ensure that TLS_MAX_VERSION is up-to-date */ ++ OPENSSL_assert(s->version <= TLS_MAX_VERSION); ++ + if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING) + { + /* fatal alert */ +diff -up openssl-1.0.1e/ssl/s23_srvr.c.fallback-scsv openssl-1.0.1e/ssl/s23_srvr.c +--- a/a/ssl/s23_srvr.c.fallback-scsv 2014-10-15 14:39:30.966909962 +0200 ++++ b/b/ssl/s23_srvr.c 2014-10-15 14:39:30.976910188 +0200 +@@ -421,6 +421,9 @@ int ssl23_get_client_hello(SSL *s) + } + } + ++ /* ensure that TLS_MAX_VERSION is up-to-date */ ++ OPENSSL_assert(s->version <= TLS_MAX_VERSION); ++ + #ifdef OPENSSL_FIPS + if (FIPS_mode() && (s->version < TLS1_VERSION)) + { +diff -up openssl-1.0.1e/ssl/s3_enc.c.fallback-scsv openssl-1.0.1e/ssl/s3_enc.c +--- a/a/ssl/s3_enc.c.fallback-scsv 2013-02-11 16:26:04.000000000 +0100 ++++ b/b/ssl/s3_enc.c 2014-10-15 14:39:30.976910188 +0200 +@@ -892,7 +892,7 @@ int ssl3_alert_code(int code) + case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(SSL3_AD_HANDSHAKE_FAILURE); + case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(SSL3_AD_HANDSHAKE_FAILURE); + case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY); ++ case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK); + default: return(-1); + } + } +- +diff -up openssl-1.0.1e/ssl/s3_lib.c.fallback-scsv openssl-1.0.1e/ssl/s3_lib.c +--- a/a/ssl/s3_lib.c.fallback-scsv 2014-10-15 14:39:30.941909398 +0200 ++++ b/b/ssl/s3_lib.c 2014-10-15 14:39:30.976910188 +0200 +@@ -3350,6 +3350,33 @@ + #endif + + #endif /* !OPENSSL_NO_TLSEXT */ ++ ++ case SSL_CTRL_CHECK_PROTO_VERSION: ++ /* For library-internal use; checks that the current protocol ++ * is the highest enabled version (according to s->ctx->method, ++ * as version negotiation may have changed s->method). */ ++ if (s->version == s->ctx->method->version) ++ return 1; ++ /* Apparently we're using a version-flexible SSL_METHOD ++ * (not at its highest protocol version). */ ++ if (s->ctx->method->version == SSLv23_method()->version) ++ { ++#if TLS_MAX_VERSION != TLS1_2_VERSION ++# error Code needs update for SSLv23_method() support beyond TLS1_2_VERSION. ++#endif ++ if (!(s->options & SSL_OP_NO_TLSv1_2)) ++ return s->version == TLS1_2_VERSION; ++ if (!(s->options & SSL_OP_NO_TLSv1_1)) ++ return s->version == TLS1_1_VERSION; ++ if (!(s->options & SSL_OP_NO_TLSv1)) ++ return s->version == TLS1_VERSION; ++ if (!(s->options & SSL_OP_NO_SSLv3)) ++ return s->version == SSL3_VERSION; ++ if (!(s->options & SSL_OP_NO_SSLv2)) ++ return s->version == SSL2_VERSION; ++ } ++ return 0; /* Unexpected state; fail closed. */ ++ + default: + break; + } +@@ -3709,6 +3736,7 @@ + break; + #endif + #endif ++ + default: + return(0); + } +@@ -4279,4 +4307,3 @@ + return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; + return alg2; + } +- +diff -up openssl-1.0.1e/ssl/tls1.h.fallback-scsv openssl-1.0.1e/ssl/tls1.h +--- a/a/ssl/tls1.h.fallback-scsv 2014-10-15 14:39:30.775905650 +0200 ++++ b/b/ssl/tls1.h 2014-10-15 14:39:30.976910188 +0200 +@@ -159,17 +159,19 @@ extern "C" { + + #define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0 + ++#define TLS1_VERSION 0x0301 ++#define TLS1_1_VERSION 0x0302 + #define TLS1_2_VERSION 0x0303 +-#define TLS1_2_VERSION_MAJOR 0x03 +-#define TLS1_2_VERSION_MINOR 0x03 ++#define TLS_MAX_VERSION TLS1_2_VERSION ++ ++#define TLS1_VERSION_MAJOR 0x03 ++#define TLS1_VERSION_MINOR 0x01 + +-#define TLS1_1_VERSION 0x0302 + #define TLS1_1_VERSION_MAJOR 0x03 + #define TLS1_1_VERSION_MINOR 0x02 + +-#define TLS1_VERSION 0x0301 +-#define TLS1_VERSION_MAJOR 0x03 +-#define TLS1_VERSION_MINOR 0x01 ++#define TLS1_2_VERSION_MAJOR 0x03 ++#define TLS1_2_VERSION_MINOR 0x03 + + #define TLS1_get_version(s) \ + ((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0) +@@ -187,6 +189,7 @@ extern "C" { + #define TLS1_AD_PROTOCOL_VERSION 70 /* fatal */ + #define TLS1_AD_INSUFFICIENT_SECURITY 71 /* fatal */ + #define TLS1_AD_INTERNAL_ERROR 80 /* fatal */ ++#define TLS1_AD_INAPPROPRIATE_FALLBACK 86 /* fatal */ + #define TLS1_AD_USER_CANCELLED 90 + #define TLS1_AD_NO_RENEGOTIATION 100 + /* codes 110-114 are from RFC3546 */ +diff -up openssl-1.0.1e/ssl/t1_enc.c.fallback-scsv openssl-1.0.1e/ssl/t1_enc.c +--- a/a/ssl/t1_enc.c.fallback-scsv 2014-10-15 14:39:30.936909285 +0200 ++++ b/b/ssl/t1_enc.c 2014-10-15 14:39:30.977910211 +0200 +@@ -1265,6 +1265,7 @@ int tls1_alert_code(int code) + case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE); + case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_HASH_VALUE); + case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY); ++ case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK); + #if 0 /* not appropriate for TLS, not used for DTLS */ + case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return + (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); diff --git a/external/openssl/CVE-2014-3567.patch b/external/openssl/CVE-2014-3567.patch new file mode 100644 index 000000000000..db158f30b506 --- /dev/null +++ b/external/openssl/CVE-2014-3567.patch @@ -0,0 +1,14 @@ +diff -up openssl-1.0.1e/ssl/t1_lib.c.ticket-leak openssl-1.0.1e/ssl/t1_lib.c +--- a/a/ssl/t1_lib.c.ticket-leak 2014-10-15 13:19:26.825454374 +0200 ++++ b/b/ssl/t1_lib.c 2014-10-15 13:19:59.955202293 +0200 +@@ -2280,7 +2280,10 @@ static int tls_decrypt_ticket(SSL *s, co + HMAC_Final(&hctx, tick_hmac, NULL); + HMAC_CTX_cleanup(&hctx); + if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) ++ { ++ EVP_CIPHER_CTX_cleanup(&ctx); + return 2; ++ } + /* Attempt to decrypt session data */ + /* Move p after IV to start of encrypted ticket, update length */ + p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); diff --git a/external/openssl/UnpackedTarball_openssl.mk b/external/openssl/UnpackedTarball_openssl.mk index 07a775e38930..cbb77458c50c 100644 --- a/external/openssl/UnpackedTarball_openssl.mk +++ b/external/openssl/UnpackedTarball_openssl.mk @@ -101,6 +101,16 @@ $(eval $(call gb_UnpackedTarball_add_patches,openssl,\ external/openssl/CVE-2014-0221.patch \ external/openssl/CVE-2014-0224.patch \ external/openssl/CVE-2014-3470.patch \ + external/openssl/CVE-2014-3505.patch \ + external/openssl/CVE-2014-3506.patch \ + external/openssl/CVE-2014-3507.patch \ + external/openssl/CVE-2014-3508.patch \ + external/openssl/CVE-2014-3509.patch \ + external/openssl/CVE-2014-3510.patch \ + external/openssl/CVE-2014-3511.patch \ + external/openssl/CVE-2014-3513.patch \ + external/openssl/CVE-2014-3567.patch \ + external/openssl/CVE-2014-3566.patch \ $(if $(filter LINUX FREEBSD ANDROID,$(OS)),external/openssl/openssllnx.patch) \ $(if $(filter WNTGCC,$(OS)$(COM)),external/openssl/opensslmingw.patch) \ $(if $(filter MSC,$(COM)),external/openssl/opensslwnt.patch) \ |