From owner-svn-src-stable-10@freebsd.org Wed Nov 2 14:01:52 2016 Return-Path: Delivered-To: svn-src-stable-10@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0CC5FC2BCEF for ; Wed, 2 Nov 2016 14:01:52 +0000 (UTC) (envelope-from oliver.pinter@hardenedbsd.org) Received: from mail-lf0-x231.google.com (mail-lf0-x231.google.com [IPv6:2a00:1450:4010:c07::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 368FA1593 for ; Wed, 2 Nov 2016 14:01:51 +0000 (UTC) (envelope-from oliver.pinter@hardenedbsd.org) Received: by mail-lf0-x231.google.com with SMTP id t196so13446150lff.3 for ; Wed, 02 Nov 2016 07:01:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hardenedbsd-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=2o5j+K32I3Pg3qZxc9tAOEZwP+hKtFhO8XAfJdxmCn8=; b=YNoDxDxRTFlacY/7ZTnlAE+fKouMxPtGQ66LEU14V6RWT5u/JfAJHQEHujaml0fvTk DHhZnkSBRuhqKdJkenedZ8DFE+qJ53McelhMkml95rn0lrfYi2ocVPIlqlUajLpJj7G9 BWEa9c2WXlB4hgplx/GSDTZ/htzxh7ioZqVjXYPISbTNJUdRdNSQGyehm7jo7/B78bmo 9J2ITa0pcEDRRFsGZe+NnEScWsMXY593ESpUy/gyE3EC2lKwo2EhXkY/cVbDW4VwRrrf sOHCvRX3kIU4fZSu0TExrrXWH0MNCB923A0LwpF62HY3EApbn68Jx7RMKhutd8jqSUHM LmkA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=2o5j+K32I3Pg3qZxc9tAOEZwP+hKtFhO8XAfJdxmCn8=; b=miWymoezT5N5r9vGt1QRZirkuvivIKreJ5X3r6YPJgkuhJuL2Woi6R+btsR30hrfts NmUD6QryYxbyKUnCDHei94OWyB8wpvFGnoNkjmwLUQJufc+LVNNrX53UMwT0tZqg/zG9 Tbrn/cVzkGeuq6HXplla5/rXrsTEeNt8n4iWwJxF+f73iVUzfnKVGffz77yWVmocAb/B bzrswbFOwFVjqE3Zp3/9ZU68Yhg8UgnmXgBKWBhzSg12qUG84WAewRkkZP+67pFvCFYL ot3TVTrL0Cpdv8vIOqTu3Vl68NfR2tb9VI94EoFg0ILDiA9OksVCYSRM1IzFRfXWVYZn F4KQ== X-Gm-Message-State: ABUngvc/z6pc0ZSHQXLh6P+GwGLj2h/eNDGwgso/rlzbumeZjro4LFO0r8iAkRfq+IJD1q/y2/EYKMIAQPr5/XW4 X-Received: by 10.194.117.10 with SMTP id ka10mr4012005wjb.148.1478095308671; Wed, 02 Nov 2016 07:01:48 -0700 (PDT) MIME-Version: 1.0 Received: by 10.80.153.6 with HTTP; Wed, 2 Nov 2016 07:01:48 -0700 (PDT) In-Reply-To: <201611021325.uA2DPUGv029025@slippy.cwsent.com> References: <201611020709.uA279WM3070566@repo.freebsd.org> <201611021325.uA2DPUGv029025@slippy.cwsent.com> From: Oliver Pinter Date: Wed, 2 Nov 2016 15:01:48 +0100 Message-ID: Subject: Re: svn commit: r308200 - in stable: 10/crypto/openssl/ssl 9/crypto/openssl/ssl To: Cy Schubert Cc: Xin LI , svn-src-stable@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, svn-src-stable-10@freebsd.org Content-Type: text/plain; charset=UTF-8 X-BeenThere: svn-src-stable-10@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for only the 10-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Nov 2016 14:01:52 -0000 On 11/2/16, Cy Schubert wrote: > In message <201611020709.uA279WM3070566@repo.freebsd.org>, Xin LI writes: >> Author: delphij >> Date: Wed Nov 2 07:09:31 2016 >> New Revision: 308200 >> URL: https://svnweb.freebsd.org/changeset/base/308200 >> >> Log: >> Backport OpenSSL commit af58be768ebb690f78530f796e92b8ae5c9a4401: >> >> Don't allow too many consecutive warning alerts >> >> Certain warning alerts are ignored if they are received. This can mean >> th >> at >> no progress will be made if one peer continually sends those warning >> aler >> ts. >> Implement a count so that we abort the connection if we receive too >> many. >> >> Issue reported by Shi Lei. >> >> This is a direct commit to stable/10 and stable/9. >> >> Security: CVE-2016-8610 >> >> Modified: >> stable/10/crypto/openssl/ssl/d1_pkt.c >> stable/10/crypto/openssl/ssl/s3_pkt.c >> stable/10/crypto/openssl/ssl/ssl.h >> stable/10/crypto/openssl/ssl/ssl3.h >> stable/10/crypto/openssl/ssl/ssl_locl.h >> >> Changes in other areas also in this revision: >> Modified: >> stable/9/crypto/openssl/ssl/d1_pkt.c >> stable/9/crypto/openssl/ssl/s3_pkt.c >> stable/9/crypto/openssl/ssl/ssl.h >> stable/9/crypto/openssl/ssl/ssl3.h >> stable/9/crypto/openssl/ssl/ssl_locl.h >> >> Modified: stable/10/crypto/openssl/ssl/d1_pkt.c >> ============================================================================= >> = >> --- stable/10/crypto/openssl/ssl/d1_pkt.c Wed Nov 2 06:58:47 2016 >> (r308199) >> +++ stable/10/crypto/openssl/ssl/d1_pkt.c Wed Nov 2 07:09:31 2016 >> (r308200) >> @@ -924,6 +924,13 @@ int dtls1_read_bytes(SSL *s, int type, u >> goto start; >> } >> >> + /* >> + * Reset the count of consecutive warning alerts if we've got a >> non-empt >> y >> + * record that isn't an alert. >> + */ >> + if (rr->type != SSL3_RT_ALERT && rr->length != 0) >> + s->s3->alert_count = 0; >> + >> /* we now have a packet which can be read and processed */ >> >> if (s->s3->change_cipher_spec /* set when we receive >> ChangeCipherSpec, >> @@ -1190,6 +1197,14 @@ int dtls1_read_bytes(SSL *s, int type, u >> >> if (alert_level == SSL3_AL_WARNING) { >> s->s3->warn_alert = alert_descr; >> + >> + s->s3->alert_count++; >> + if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) { >> + al = SSL_AD_UNEXPECTED_MESSAGE; >> + SSLerr(SSL_F_DTLS1_READ_BYTES, >> SSL_R_TOO_MANY_WARN_ALERTS); >> + goto f_err; >> + } >> + >> if (alert_descr == SSL_AD_CLOSE_NOTIFY) { >> #ifndef OPENSSL_NO_SCTP >> /* >> >> Modified: stable/10/crypto/openssl/ssl/s3_pkt.c >> ============================================================================= >> = >> --- stable/10/crypto/openssl/ssl/s3_pkt.c Wed Nov 2 06:58:47 2016 >> (r308199) >> +++ stable/10/crypto/openssl/ssl/s3_pkt.c Wed Nov 2 07:09:31 2016 >> (r308200) >> @@ -1057,6 +1057,13 @@ int ssl3_read_bytes(SSL *s, int type, un >> return (ret); >> } >> >> + /* >> + * Reset the count of consecutive warning alerts if we've got a >> non-empt >> y >> + * record that isn't an alert. >> + */ >> + if (rr->type != SSL3_RT_ALERT && rr->length != 0) >> + s->s3->alert_count = 0; >> + >> /* we now have a packet which can be read and processed */ >> >> if (s->s3->change_cipher_spec /* set when we receive >> ChangeCipherSpec, >> @@ -1271,6 +1278,14 @@ int ssl3_read_bytes(SSL *s, int type, un >> >> if (alert_level == SSL3_AL_WARNING) { >> s->s3->warn_alert = alert_descr; >> + >> + s->s3->alert_count++; >> + if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) { >> + al = SSL_AD_UNEXPECTED_MESSAGE; >> + SSLerr(SSL_F_SSL3_READ_BYTES, >> SSL_R_TOO_MANY_WARN_ALERTS); >> + goto f_err; >> + } >> + >> if (alert_descr == SSL_AD_CLOSE_NOTIFY) { >> s->shutdown |= SSL_RECEIVED_SHUTDOWN; >> return (0); >> >> Modified: stable/10/crypto/openssl/ssl/ssl.h >> ============================================================================= >> = >> --- stable/10/crypto/openssl/ssl/ssl.h Wed Nov 2 06:58:47 2016 >> (r308199) >> +++ stable/10/crypto/openssl/ssl/ssl.h Wed Nov 2 07:09:31 2016 >> (r308200) >> @@ -2717,6 +2717,7 @@ void ERR_load_SSL_strings(void); >> # define SSL_R_TLS_HEARTBEAT_PENDING 366 >> # define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367 >> # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157 >> +# define SSL_R_TOO_MANY_WARN_ALERTS 409 >> # define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233 >> # define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234 >> # define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235 >> >> Modified: stable/10/crypto/openssl/ssl/ssl3.h >> ============================================================================= >> = >> --- stable/10/crypto/openssl/ssl/ssl3.h Wed Nov 2 06:58:47 2016 >> (r308199) >> +++ stable/10/crypto/openssl/ssl/ssl3.h Wed Nov 2 07:09:31 2016 >> (r308200) >> @@ -587,6 +587,8 @@ typedef struct ssl3_state_st { >> char is_probably_safari; >> # endif /* !OPENSSL_NO_EC */ >> # endif /* !OPENSSL_NO_TLSEXT */ >> + /* Count of the number of consecutive warning alerts received */ >> + unsigned int alert_count; >> } SSL3_STATE; >> >> # endif >> >> Modified: stable/10/crypto/openssl/ssl/ssl_locl.h >> ============================================================================= >> = >> --- stable/10/crypto/openssl/ssl/ssl_locl.h Wed Nov 2 06:58:47 2016 >> (r308199) >> +++ stable/10/crypto/openssl/ssl/ssl_locl.h Wed Nov 2 07:09:31 2016 >> (r308200) >> @@ -389,6 +389,8 @@ >> */ >> # define SSL_MAX_DIGEST 6 >> >> +# define MAX_WARN_ALERT_COUNT 5 >> + >> # define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT) >> >> # define TLS1_PRF_DGST_SHIFT 10 >> >> > > Hi delphij@, > > This broke stable10 builds. > > --- d1_pkt.So --- > /opt/src/svn-stable10/secure/lib/libssl/../../../crypto/openssl/ssl/d1_pkt.c > :932:16: error: no member named 'alert_count' in 'struct ssl3_state_st' > s->s3->alert_count = 0; > ~~~~~ ^ > /opt/src/svn-stable10/secure/lib/libssl/../../../crypto/openssl/ssl/d1_pkt.c > :1201:20: error: no member named 'alert_count' in 'struct ssl3_state_st' > s->s3->alert_count++; > ~~~~~ ^ > /opt/src/svn-stable10/secure/lib/libssl/../../../crypto/openssl/ssl/d1_pkt.c > :1202:24: error: no member named 'alert_count' in 'struct ssl3_state_st' > if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) { > ~~~~~ ^ > /opt/src/svn-stable10/secure/lib/libssl/../../../crypto/openssl/ssl/d1_pkt.c > :1204:48: error: use of undeclared identifier 'SSL_R_TOO_MANY_WARN_ALERTS' > SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS); > ^ > /usr/obj/opt/src/svn-stable10/tmp/usr/include/openssl/err.h:217:54: note: > expanded from macro 'SSLerr' > # define SSLerr(f,r) ERR_PUT_error(ERR_LIB_SSL,(f),(r),__FILE__,__LINE__) > ^ > /usr/obj/opt/src/svn-stable10/tmp/usr/include/openssl/err.h:135:61: note: > expanded from macro 'ERR_PUT_error' > # define ERR_PUT_error(a,b,c,d,e) ERR_put_error(a,b,c,d,e) > ^ > 4 errors generated. > *** [d1_pkt.So] Error code 1 > > make[4]: stopped in /opt/src/svn-stable10/secure/lib/libssl > 1 error > > make[4]: stopped in /opt/src/svn-stable10/secure/lib/libssl > *** [secure/lib/libssl__L] Error code 2 > > make[3]: stopped in /opt/src/svn-stable10 Are you sure about this? Our build tests finished properly on stable/10: http://jenkins.hardenedbsd.org:8180/jenkins/job/HardenedBSD-stable-10-STABLE-master-amd64/74/ and the release build too. > > > > -- > Cheers, > Cy Schubert > FreeBSD UNIX: Web: http://www.FreeBSD.org > > The need of the many outweighs the greed of the few. > > > _______________________________________________ > svn-src-stable-10@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/svn-src-stable-10 > To unsubscribe, send any mail to > "svn-src-stable-10-unsubscribe@freebsd.org" >