~ubuntu-branches/ubuntu/utopic/openssl/utopic-security

Viewing changes to debian/patches/CVE-2014-3572.patch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2015-01-09 09:47:17 UTC
  • Revision ID: package-import@ubuntu.com-20150109094717-8etwd95qlawwgkc7
Tags: 1.0.1f-1ubuntu9.1
* SECURITY UPDATE: denial of service via unexpected handshake when
  no-ssl3 build option is used (not the default)
  - debian/patches/CVE-2014-3569.patch: keep the old method for now in
    ssl/s23_srvr.c.
  - CVE-2014-3569
* SECURITY UPDATE: bignum squaring may produce incorrect results
  - debian/patches/CVE-2014-3570.patch: fix bignum logic in
    crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c,
    crypto/bn/bn_asm.c, removed crypto/bn/asm/mips3.s, added test to
    crypto/bn/bntest.c.
  - CVE-2014-3570
* SECURITY UPDATE: DTLS segmentation fault in dtls1_get_record
  - debian/patches/CVE-2014-3571-1.patch: fix crash in ssl/d1_pkt.c,
    ssl/s3_pkt.c.
  - debian/patches/CVE-2014-3571-2.patch: make code more obvious in
    ssl/d1_pkt.c.
  - CVE-2014-3571
* SECURITY UPDATE: ECDHE silently downgrades to ECDH [Client]
  - debian/patches/CVE-2014-3572.patch: don't skip server key exchange in
    ssl/s3_clnt.c.
  - CVE-2014-3572
* SECURITY UPDATE: certificate fingerprints can be modified
  - debian/patches/CVE-2014-8275.patch: fix various fingerprint issues in
    crypto/asn1/a_bitstr.c, crypto/asn1/a_type.c, crypto/asn1/a_verify.c,
    crypto/asn1/asn1.h, crypto/asn1/asn1_err.c, crypto/asn1/x_algor.c,
    crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, crypto/x509/x509.h,
    crypto/x509/x_all.c.
  - CVE-2014-8275
* SECURITY UPDATE: RSA silently downgrades to EXPORT_RSA [Client]
  - debian/patches/CVE-2015-0204.patch: only allow ephemeral RSA keys in
    export ciphersuites in ssl/d1_srvr.c, ssl/s3_clnt.c, ssl/s3_srvr.c,
    ssl/ssl.h, adjust documentation in doc/ssl/SSL_CTX_set_options.pod,
    doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod.
  - CVE-2015-0204
* SECURITY UPDATE: DH client certificates accepted without verification
  - debian/patches/CVE-2015-0205.patch: prevent use of DH client
    certificates without sending certificate verify message in
    ssl/s3_srvr.c.
  - CVE-2015-0205
* SECURITY UPDATE: DTLS memory leak in dtls1_buffer_record
  - debian/patches/CVE-2015-0206.patch: properly handle failures in
    ssl/d1_pkt.c.
  - CVE-2015-0206

Backport of:

From ef28c6d6767a6a30df5add36171894c96628fe98 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Fri, 24 Oct 2014 12:30:33 +0100
Subject: [PATCH] ECDH downgrade bug fix.

Fix bug where an OpenSSL client would accept a handshake using an
ephemeral ECDH ciphersuites with the server key exchange message omitted.

Thanks to Karthikeyan Bhargavan for reporting this issue.

CVE-2014-3572
Reviewed-by: Matt Caswell <matt@openssl.org>

(cherry picked from commit b15f8769644b00ef7283521593360b7b2135cb63)
---
 CHANGES       |    7 +++++++
 ssl/s3_clnt.c |   18 +++++++++++++++---
 2 files changed, 22 insertions(+), 3 deletions(-)

Index: openssl-1.0.1f/ssl/s3_clnt.c
===================================================================
--- openssl-1.0.1f.orig/ssl/s3_clnt.c   2015-01-09 07:56:21.527753974 -0500
+++ openssl-1.0.1f/ssl/s3_clnt.c        2015-01-09 07:59:51.177173529 -0500
@@ -1295,6 +1295,8 @@
        int encoded_pt_len = 0;
 #endif
 
+       EVP_MD_CTX_init(&md_ctx);
+
        /* use same message size as in ssl3_get_certificate_request()
         * as ServerKeyExchange message may be skipped */
        n=s->method->ssl_get_message(s,
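Review bot: Moving EVP_MD_CTX_init(&md_ctx) above the ssl_get_message call is load-bearing rather than cosmetic: the next hunk adds a `goto f_err` that fires before the point where the init used to sit (the old call site is deleted in the last hunk), so any md_ctx cleanup on the f_err path would otherwise run on an uninitialised context. A one-line comment at the new call site stating that it must stay ahead of every `goto f_err` in this function would stop a later refactor from moving it back down.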
 
@@ -1305,14 +1307,26 @@
                &ok);
        if (!ok) return((int)n);
 
+       alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
+
        if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
                {
+               /*
+                * Can't skip server key exchange if this is an ephemeral
+                * ciphersuite.
+                */
+               if (alg_k & (SSL_kEDH|SSL_kEECDH))
+                       {
+                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
+                       al = SSL_AD_UNEXPECTED_MESSAGE;
+                       goto f_err;
+                       }
 #ifndef OPENSSL_NO_PSK
                /* In plain PSK ciphersuite, ServerKeyExchange can be
                   omitted if no identity hint is sent. Set
                   session->sess_cert anyway to avoid problems
                   later.*/
-               if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
+               if (alg_k & SSL_kPSK)
                        {
                        s->session->sess_cert=ssl_sess_cert_new();
                        if (s->ctx->psk_identity_hint)
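Review bot: The new check rejects a missing ServerKeyExchange for both SSL_kEDH and SSL_kEECDH, but the subject line, the commit body and the debian changelog entry ("ECDHE silently downgrades to ECDH") describe only the ECDH case; the CHANGES entry and the patch description should state that ephemeral DH is covered too, otherwise someone auditing the DHE path will not find this fix. The alert matches the SSLerr reason (SSL_R_UNEXPECTED_MESSAGE with SSL_AD_UNEXPECTED_MESSAGE), and hoisting alg_k above the message-type test lets the PSK branch reuse it instead of re-reading algorithm_mkey, which is fine.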
 
@@ -1355,9 +1369,7 @@
                }
 
        param_len=0;
-       alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
        alg_a=s->s3->tmp.new_cipher->algorithm_auth;
-       EVP_MD_CTX_init(&md_ctx);
 
 #ifndef OPENSSL_NO_PSK
        if (alg_k & SSL_kPSK)
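Review bot: The two deletions here are the counterpart of the first two hunks (alg_k is now assigned before the message-type check and md_ctx is initialised before ssl_get_message) and must land together with them: taking only the downgrade check would leave md_ctx uninitialised on the new f_err exit, and taking only this hunk would leave alg_k unset when the `if (alg_k & SSL_kPSK)` line below reads it. Worth calling out in the backport notes so a partial cherry-pick into another branch does not split them.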