testing/openssl
SHA256
3
0
Fork 0
forked from pool/openssl
Code Pull Requests Activity
42aa3a9eb7
openssl/openssl-CVE-2015-0293.patch
Dominique Leuenberger 42aa3a9eb7 Accepting request 291607 from Base:System 
- security update:
 * CVE-2015-0209 (bnc#919648)
   - Fix a failure to NULL a pointer freed on error
 * CVE-2015-0286 (bnc#922496)
   - Segmentation fault in ASN1_TYPE_cmp
 * CVE-2015-0287 (bnc#922499)
   - ASN.1 structure reuse memory corruption
 * CVE-2015-0288 x509: (bnc#920236)
   - added missing public key is not NULL check
 * CVE-2015-0289 (bnc#922500)
   - PKCS7 NULL pointer dereferences
 * CVE-2015-0293 (bnc#922488)
   - Fix reachable assert in SSLv2 servers
 * added patches:
   openssl-CVE-2015-0209.patch
   openssl-CVE-2015-0286.patch
   openssl-CVE-2015-0287.patch
   openssl-CVE-2015-0288.patch
   openssl-CVE-2015-0289.patch
   openssl-CVE-2015-0293.patch (forwarded request 291606 from vitezslav_cizek)

OBS-URL: https://build.opensuse.org/request/show/291607
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=126
2015-03-23 11:16:06 +00:00

125 lines
4.6 KiB
Diff
Raw Blame History

commit a40c1bcb8c37fbad24d8f28f0fb0204d76f0fee2
Author: Emilia Kasper <emilia@openssl.org>
Date: Wed Mar 4 09:05:02 2015 -0800
Fix reachable assert in SSLv2 servers.
This assert is reachable for servers that support SSLv2 and export ciphers.
Therefore, such servers can be DoSed by sending a specially crafted
SSLv2 CLIENT-MASTER-KEY.
Also fix s2_srvr.c to error out early if the key lengths are malformed.
These lengths are sent unencrypted, so this does not introduce an oracle.
CVE-2015-0293
This issue was discovered by Sean Burford (Google) and Emilia Käsper of
the OpenSSL development team.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Index: openssl-1.0.1i/ssl/s2_lib.c
===================================================================
--- openssl-1.0.1i.orig/ssl/s2_lib.c 2015-03-17 14:05:13.745459798 +0100
+++ openssl-1.0.1i/ssl/s2_lib.c 2015-03-17 14:05:14.763474757 +0100
@@ -487,7 +487,7 @@ int ssl2_generate_key_material(SSL *s)
OPENSSL_assert(s->session->master_key_length >= 0
&& s->session->master_key_length
- < (int)sizeof(s->session->master_key));
+ <= (int)sizeof(s->session->master_key));
EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length);
EVP_DigestUpdate(&ctx,&c,1);
c++;
Index: openssl-1.0.1i/ssl/s2_srvr.c
===================================================================
--- openssl-1.0.1i.orig/ssl/s2_srvr.c 2015-03-17 14:05:13.721459445 +0100
+++ openssl-1.0.1i/ssl/s2_srvr.c 2015-03-17 14:07:43.262655766 +0100
@@ -446,9 +446,6 @@ static int get_client_master_key(SSL *s)
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
return(-1);
}
- i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc,
- &(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]),
- (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
is_export=SSL_C_IS_EXPORT(s->session->cipher);
@@ -467,21 +464,59 @@ static int get_client_master_key(SSL *s)
else
ek=5;
+ /*
+ * The format of the CLIENT-MASTER-KEY message is
+ * 1 byte message type
+ * 3 bytes cipher
+ * 2-byte clear key length (stored in s->s2->tmp.clear)
+ * 2-byte encrypted key length (stored in s->s2->tmp.enc)
+ * 2-byte key args length (IV etc)
+ * clear key
+ * encrypted key
+ * key args
+ *
+ * If the cipher is an export cipher, then the encrypted key bytes
+ * are a fixed portion of the total key (5 or 8 bytes). The size of
+ * this portion is in |ek|. If the cipher is not an export cipher,
+ * then the entire key material is encrypted (i.e., clear key length
+ * must be zero).
+ */
+ if ((!is_export && s->s2->tmp.clear != 0) ||
+ (is_export && s->s2->tmp.clear + ek != EVP_CIPHER_key_length(c))) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH);
+ return -1;
+ }
+ /*
+ * The encrypted blob must decrypt to the encrypted portion of the key.
+ * Decryption can't be expanding, so if we don't have enough encrypted
+ * bytes to fit the key in the buffer, stop now.
+ */
+ if ((is_export && s->s2->tmp.enc < ek) ||
+ (!is_export && s->s2->tmp.enc < EVP_CIPHER_key_length(c))) {
+ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT);
+ return -1;
+ }
+
+ i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
+ &(p[s->s2->tmp.clear]),
+ &(p[s->s2->tmp.clear]),
+ (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING :
+ RSA_PKCS1_PADDING);
+
/* bad decrypt */
#if 1
/* If a bad decrypt, continue with protocol but with a
* random master secret (Bleichenbacher attack) */
- if ((i < 0) ||
- ((!is_export && (i != EVP_CIPHER_key_length(c)))
- || (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i !=
- (unsigned int)EVP_CIPHER_key_length(c))))))
- {
+ if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c))
+ || (is_export && i != ek))) {
ERR_clear_error();
if (is_export)
i=ek;
else
i=EVP_CIPHER_key_length(c);
- if (RAND_pseudo_bytes(p,i) <= 0)
+ if (RAND_pseudo_bytes(&p[s->s2->tmp.clear], i) <= 0)
return 0;
}
#else
@@ -505,7 +540,8 @@ static int get_client_master_key(SSL *s)
}
#endif
- if (is_export) i+=s->s2->tmp.clear;
+ if (is_export)
+ i = EVP_CIPHER_key_length(c);
if (i > SSL_MAX_MASTER_KEY_LENGTH)
{
View Git Blame Copy Permalink