Pull up following revision(s) (requested by tonnerre in ticket #850): crypto/dist/openssl/crypto/pqueue/pqueue.c: revision 1.2 crypto/dist/openssl/crypto/pqueue/pqueue.h: revision 1.2 crypto/dist/openssl/ssl/d1_both.c: revision 1.4 crypto/dist/openssl/ssl/d1_pkt.c: revision 1.2 crypto/dist/openssl/ssl/s3_pkt.c: revision 1.10 crypto/dist/openssl/ssl/ssl.h: revision 1.19 crypto/dist/openssl/ssl/ssl_err.c: revision 1.13 Fix various vulnerabilities in OpenSSL which have not previously been addressed: CVE-2009-1377, CVE-2009-1378, CVE-2009-1379, CVE-2009-1386 and CVE-2009-1387. Changes deal mostly with size checking of various elements and fixes to various error paths.diff -r1.1.1.2 -r1.1.1.2.8.1 src/crypto/dist/openssl/crypto/pqueue/pqueue.c
(snj)
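--- a/src/crypto/dist/openssl/crypto/pqueue/Attic/pqueue.c
+++ b/src/crypto/dist/openssl/crypto/pqueue/Attic/pqueue.c
@@ -227,13 +227,27 @@ pqueue_next(pitem **item)
 {
 pitem *ret;
 
 if ( item == NULL || *item == NULL)
 return NULL;
 
 
 /* *item != NULL */
 ret = *item;
 *item = (*item)->next;
 
 return ret;
 }
+
+int
+pqueue_size(pqueue_s *pq)
+{
+pitem *item = pq->items;
+int count = 0;
+
+while(item != NULL)
+{
+count++;
+item = item->next;
+}
+return count;
+}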
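--- a/src/crypto/dist/openssl/crypto/pqueue/Attic/pqueue.h
+++ b/src/crypto/dist/openssl/crypto/pqueue/Attic/pqueue.h
@@ -79,15 +79,16 @@ pitem *pitem_new(unsigned char *prio64be
 void pitem_free(pitem *item);
 
 pqueue pqueue_new(void);
 void pqueue_free(pqueue pq);
 
 pitem *pqueue_insert(pqueue pq, pitem *item);
 pitem *pqueue_peek(pqueue pq);
 pitem *pqueue_pop(pqueue pq);
 pitem *pqueue_find(pqueue pq, unsigned char *prio64be);
 pitem *pqueue_iterator(pqueue pq);
 pitem *pqueue_next(piterator *iter);
 
 void pqueue_print(pqueue pq);
+int pqueue_size(pqueue pq);
 
 #endif /* ! HEADER_PQUEUE_H */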
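Review bot: The prototype spells the parameter type `pqueue` while the definition in the pqueue.c hunk of this commit spells it `pqueue_s *`; that is presumably the same type through a typedef declared earlier in this header, but the typedef is not visible in the hunk, so it is worth confirming the two agree. Matching the definition's spelling to the rest of the header would avoid the question entirely.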
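--- a/src/crypto/dist/openssl/ssl/Attic/d1_pkt.c
+++ b/src/crypto/dist/openssl/ssl/Attic/d1_pkt.c
@@ -197,26 +197,30 @@ dtls1_copy_record(SSL *s, pitem *item)
 memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
 memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
 
 return(1);
 }
 
 
 static int
 dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
 {
 DTLS1_RECORD_DATA *rdata;
 pitem *item;
 
+/* Limit the size of the queue to prevent DOS attacks */
+if (pqueue_size(queue->q) >= 100)
+return 0;
+
 rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
 item = pitem_new(priority, rdata);
 if (rdata == NULL || item == NULL)
 {
 if (rdata != NULL) OPENSSL_free(rdata);
 if (item != NULL) pitem_free(item);
 
 SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
 return(0);
 }
 
 rdata->packet = s->packet;
 rdata->packet_length = s->packet_length;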
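Review bot: The new cap at line 211 of the patched file is a bare magic number and, unlike the allocation-failure path a few lines below it, returns 0 without recording an error, so a caller that only checks the return value cannot tell a deliberately dropped record from an internal failure. Naming the limit (a constant along the lines of `DTLS1_MAX_RECORD_QUEUE` — name constructed here, pick whatever fits the file) and widening the comment to say that the record is intentionally discarded and what the expected recovery is (presumably retransmission by the peer, but that is not visible here) would make the policy reviewable rather than implicit. Note also that pqueue_size walks the list on every call, so the check itself costs up to the cap per buffered record; acceptable at 100, but worth a comment if the limit is ever raised. The body of dtls1_buffer_record continues past the end of the hunk.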
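--- a/src/crypto/dist/openssl/ssl/Attic/s3_pkt.c
+++ b/src/crypto/dist/openssl/ssl/Attic/s3_pkt.c
@@ -1278,26 +1278,33 @@ err:
 int ssl3_do_change_cipher_spec(SSL *s)
 {
 int i;
 const char *sender;
 int slen;
 
 if (s->state & SSL_ST_ACCEPT)
 i=SSL3_CHANGE_CIPHER_SERVER_READ;
 else
 i=SSL3_CHANGE_CIPHER_CLIENT_READ;
 
 if (s->s3->tmp.key_block == NULL)
 {
+if (s->session == NULL)
+{
+/* might happen if dtls1_read_bytes() calls this */
+SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
+return (0);
+}
+
 s->session->cipher=s->s3->tmp.new_cipher;
 if (!s->method->ssl3_enc->setup_key_block(s)) return(0);
 }
 
 if (!s->method->ssl3_enc->change_cipher_state(s,i))
 return(0);
 
 /* we have to record the message digest at
 * this point so we can get it before we read
 * the finished message */
 if (s->state & SSL_ST_CONNECT)
 {
 sender=s->method->ssl3_enc->server_finished_label;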
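Review bot: The comment on the new check, `/* might happen if dtls1_read_bytes() calls this */`, says who can trigger it rather than what is being rejected; something like `/* ChangeCipherSpec arrived before any handshake established a session (dtls1_read_bytes() can reach here that early); refuse rather than dereference s->session */` states the invariant the early return enforces and why the reason code is SSL_R_CCS_RECEIVED_EARLY. The new `return (0);` also breaks with the `return(0);` spelling used on the two lines that follow in the same function. The guard sits only inside the `key_block == NULL` branch; whether s->session can still be NULL once a key block already exists is not visible from this hunk, so that assumption is worth confirming in the caller. ssl3_do_change_cipher_spec continues beyond the end of the hunk.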
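--- a/src/crypto/dist/openssl/ssl/Attic/ssl.h
+++ b/src/crypto/dist/openssl/ssl/Attic/ssl.h
@@ -1796,26 +1796,27 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL2_PEEK 234
 #define SSL_F_SSL2_READ 125
 #define SSL_F_SSL2_READ_INTERNAL 236
 #define SSL_F_SSL2_SET_CERTIFICATE 126
 #define SSL_F_SSL2_WRITE 127
 #define SSL_F_SSL3_ACCEPT 128
 #define SSL_F_SSL3_CALLBACK_CTRL 233
 #define SSL_F_SSL3_CHANGE_CIPHER_STATE 129
 #define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130
 #define SSL_F_SSL3_CLIENT_HELLO 131
 #define SSL_F_SSL3_CONNECT 132
 #define SSL_F_SSL3_CTRL 213
 #define SSL_F_SSL3_CTX_CTRL 133
+#define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC 292
 #define SSL_F_SSL3_ENC 134
 #define SSL_F_SSL3_GENERATE_KEY_BLOCK 238
 #define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135
 #define SSL_F_SSL3_GET_CERT_STATUS 289
 #define SSL_F_SSL3_GET_CERT_VERIFY 136
 #define SSL_F_SSL3_GET_CLIENT_CERTIFICATE 137
 #define SSL_F_SSL3_GET_CLIENT_HELLO 138
 #define SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE 139
 #define SSL_F_SSL3_GET_FINISHED 140
 #define SSL_F_SSL3_GET_KEY_EXCHANGE 141
 #define SSL_F_SSL3_GET_MESSAGE 142
 #define SSL_F_SSL3_GET_NEW_SESSION_TICKET 283
 #define SSL_F_SSL3_GET_RECORD 143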
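Review bot: The new function code 292 is above every value visible in this hunk (289 is the highest shown), so its uniqueness within the SSL_F_ table cannot be confirmed here and should be checked against the full list, since a duplicate would make error reports from two functions indistinguishable. The matching string entry added to ssl_err.c in this commit must keep the same identifier; if these two tables are still generated by util/mkerr.pl rather than edited by hand, the hand edit here is worth flagging so it survives the next regeneration.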
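--- a/src/crypto/dist/openssl/ssl/Attic/ssl_err.c
+++ b/src/crypto/dist/openssl/ssl/Attic/ssl_err.c
@@ -128,26 +128,27 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL2_PEEK), "SSL2_PEEK"},
 {ERR_FUNC(SSL_F_SSL2_READ), "SSL2_READ"},
 {ERR_FUNC(SSL_F_SSL2_READ_INTERNAL), "SSL2_READ_INTERNAL"},
 {ERR_FUNC(SSL_F_SSL2_SET_CERTIFICATE), "SSL2_SET_CERTIFICATE"},
 {ERR_FUNC(SSL_F_SSL2_WRITE), "SSL2_WRITE"},
 {ERR_FUNC(SSL_F_SSL3_ACCEPT), "SSL3_ACCEPT"},
 {ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"},
 {ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"},
 {ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"},
 {ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"},
 {ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"},
 {ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"},
 {ERR_FUNC(SSL_F_SSL3_CTX_CTRL), "SSL3_CTX_CTRL"},
+{ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC), "SSL3_DO_CHANGE_CIPHER_SPEC"},
 {ERR_FUNC(SSL_F_SSL3_ENC), "SSL3_ENC"},
 {ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK), "SSL3_GENERATE_KEY_BLOCK"},
 {ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST), "SSL3_GET_CERTIFICATE_REQUEST"},
 {ERR_FUNC(SSL_F_SSL3_GET_CERT_STATUS), "SSL3_GET_CERT_STATUS"},
 {ERR_FUNC(SSL_F_SSL3_GET_CERT_VERIFY), "SSL3_GET_CERT_VERIFY"},
 {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_CERTIFICATE), "SSL3_GET_CLIENT_CERTIFICATE"},
 {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_HELLO), "SSL3_GET_CLIENT_HELLO"},
 {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE), "SSL3_GET_CLIENT_KEY_EXCHANGE"},
 {ERR_FUNC(SSL_F_SSL3_GET_FINISHED), "SSL3_GET_FINISHED"},
 {ERR_FUNC(SSL_F_SSL3_GET_KEY_EXCHANGE), "SSL3_GET_KEY_EXCHANGE"},
 {ERR_FUNC(SSL_F_SSL3_GET_MESSAGE), "SSL3_GET_MESSAGE"},
 {ERR_FUNC(SSL_F_SSL3_GET_NEW_SESSION_TICKET), "SSL3_GET_NEW_SESSION_TICKET"},
 {ERR_FUNC(SSL_F_SSL3_GET_RECORD), "SSL3_GET_RECORD"},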