Accepting request 212087 from Base:System

Fixed bnc#856687, openssl: crash when using TLS 1.2; Add file: CVE-2013-6449.patch (forwarded request 212077 from shawn2012)

OBS-URL: https://build.opensuse.org/request/show/212087
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=104
This commit is contained in:
Stephan Kulow 2013-12-23 21:16:55 +00:00 committed by Git OBS Bridge
parent 17914da9d0
commit 4a0df891cc
3 changed files with 85 additions and 0 deletions

77
CVE-2013-6449.patch Normal file
View File

@ -0,0 +1,77 @@
Index: openssl-1.0.1e/ssl/s3_lib.c
===================================================================
--- openssl-1.0.1e.orig/ssl/s3_lib.c
+++ openssl-1.0.1e/ssl/s3_lib.c
@@ -4274,7 +4274,7 @@ need to go to SSL_ST_ACCEPT.
long ssl_get_algorithm2(SSL *s)
{
long alg2 = s->s3->tmp.new_cipher->algorithm2;
- if (TLS1_get_version(s) >= TLS1_2_VERSION &&
+ if (s->method->version == TLS1_2_VERSION &&
alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
return alg2;
Index: openssl-1.0.1e/ssl/s3_both.c
===================================================================
--- openssl-1.0.1e.orig/ssl/s3_both.c
+++ openssl-1.0.1e/ssl/s3_both.c
@@ -161,6 +161,10 @@ int ssl3_send_finished(SSL *s, int a, in
i=s->method->ssl3_enc->final_finish_mac(s,
sender,slen,s->s3->tmp.finish_md);
+
+ if (i == 0)
+ return 0;
+
s->s3->tmp.finish_md_len = i;
memcpy(p, s->s3->tmp.finish_md, i);
p+=i;
Index: openssl-1.0.1e/ssl/s3_pkt.c
===================================================================
--- openssl-1.0.1e.orig/ssl/s3_pkt.c
+++ openssl-1.0.1e/ssl/s3_pkt.c
@@ -1459,8 +1459,14 @@ int ssl3_do_change_cipher_spec(SSL *s)
slen=s->method->ssl3_enc->client_finished_label_len;
}
- s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
+ i = s->method->ssl3_enc->final_finish_mac(s,
sender,slen,s->s3->tmp.peer_finish_md);
+ if (i == 0)
+ {
+ SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ s->s3->tmp.peer_finish_md_len = i;
return(1);
}
Index: openssl-1.0.1e/ssl/t1_enc.c
===================================================================
--- openssl-1.0.1e.orig/ssl/t1_enc.c
+++ openssl-1.0.1e/ssl/t1_enc.c
@@ -915,18 +915,19 @@ int tls1_final_finish_mac(SSL *s,
if (mask & ssl_get_algorithm2(s))
{
int hashsize = EVP_MD_size(md);
- if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
+ EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx];
+ if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
{
/* internal error: 'buf' is too small for this cipersuite! */
err = 1;
}
else
{
- EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]);
- EVP_DigestFinal_ex(&ctx,q,&i);
- if (i != (unsigned int)hashsize) /* can't really happen */
+ if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) ||
+ !EVP_DigestFinal_ex(&ctx,q,&i) ||
+ (i != (unsigned int)hashsize))
err = 1;
- q+=i;
+ q+=hashsize;
}
}
}

View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Sun Dec 22 08:10:55 UTC 2013 - shchang@suse.com
- Fixed bnc#856687, openssl: crash when using TLS 1.2
Add file: CVE-2013-6449.patch
-------------------------------------------------------------------
Tue Dec 17 13:57:40 UTC 2013 - meissner@suse.com

View File

@ -63,6 +63,7 @@ Patch14: 0001-libcrypto-Hide-library-private-symbols.patch
Patch15: openssl-1.0.1e-fips.patch
Patch16: openssl-1.0.1e-fips-ec.patch
Patch17: openssl-1.0.1e-fips-ctor.patch
Patch18: CVE-2013-6449.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@ -169,6 +170,7 @@ this package's base documentation.
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
cp -p %{S:10} .
cp -p %{S:11} .