FreeBSD Mail Archives

Date:      Fri, 5 Feb 2016 16:48:03 +0000 (UTC)
From:      Gleb Smirnoff <glebius@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-user@freebsd.org
Subject:   svn commit: r295322 - in user/cperciva/freebsd-update-build/patches: 10.1-RELEASE 10.2-RELEASE 9.3-RELEASE
Message-ID:  <201602051648.u15Gm3Vv079446@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help

Author: glebius
Date: Fri Feb  5 16:48:03 2016
New Revision: 295322
URL: https://svnweb.freebsd.org/changeset/base/295322

Log:
  Save patches for SA-16:11.

Added:
  user/cperciva/freebsd-update-build/patches/10.1-RELEASE/29-SA-16:11.openssl
  user/cperciva/freebsd-update-build/patches/10.2-RELEASE/12-SA-16:11.openssl
  user/cperciva/freebsd-update-build/patches/9.3-RELEASE/36-SA-16:11.openssl

Added: user/cperciva/freebsd-update-build/patches/10.1-RELEASE/29-SA-16:11.openssl
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/10.1-RELEASE/29-SA-16:11.openssl	Fri Feb  5 16:48:03 2016	(r295322)
@@ -0,0 +1,43 @@
+Index: crypto/openssl/ssl/s2_srvr.c
+===================================================================
+--- crypto/openssl/ssl/s2_srvr.c	(revision 294905)
++++ crypto/openssl/ssl/s2_srvr.c	(working copy)
+@@ -392,7 +392,7 @@ static int get_client_master_key(SSL *s)
+ 			}
+ 
+ 		cp=ssl2_get_cipher_by_char(p);
+-		if (cp == NULL)
++		if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0)
+ 			{
+ 			ssl2_return_error(s,SSL2_PE_NO_CIPHER);
+ 			SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
+@@ -690,9 +690,12 @@ static int get_client_hello(SSL *s)
+ 		    prio = cs;
+ 		    allow = cl;
+ 		    }
+-		for (z=0; z<sk_SSL_CIPHER_num(prio); z++)
++		/* Generate list of SSLv2 ciphers shared between client and server */
++		for (z = 0; z < sk_SSL_CIPHER_num(prio); z++)
+ 			{
+-			if (sk_SSL_CIPHER_find(allow,sk_SSL_CIPHER_value(prio,z)) < 0)
++			const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z);
++			if ((cp->algorithm_ssl & SSL_SSLV2) == 0 ||
++			    sk_SSL_CIPHER_find(allow, cp) < 0)
+ 				{
+ 				(void)sk_SSL_CIPHER_delete(prio,z);
+ 				z--;
+@@ -703,6 +706,14 @@ static int get_client_hello(SSL *s)
+ 		    sk_SSL_CIPHER_free(s->session->ciphers);
+ 		    s->session->ciphers = prio;
+ 		    }
++
++		/* Make sure we have at least one cipher in common */
++		if (sk_SSL_CIPHER_num(s->session->ciphers) == 0)
++			{
++			ssl2_return_error(s, SSL2_PE_NO_CIPHER);
++			SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH);
++			return -1;
++			}
+ 		/* s->session->ciphers should now have a list of
+ 		 * ciphers that are on both the client and server.
+ 		 * This list is ordered by the order the client sent

Added: user/cperciva/freebsd-update-build/patches/10.2-RELEASE/12-SA-16:11.openssl
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/10.2-RELEASE/12-SA-16:11.openssl	Fri Feb  5 16:48:03 2016	(r295322)
@@ -0,0 +1,41 @@
+Index: crypto/openssl/ssl/s2_srvr.c
+===================================================================
+--- crypto/openssl/ssl/s2_srvr.c	(revision 294905)
++++ crypto/openssl/ssl/s2_srvr.c	(working copy)
+@@ -402,7 +402,7 @@ static int get_client_master_key(SSL *s)
+         }
+ 
+         cp = ssl2_get_cipher_by_char(p);
+-        if (cp == NULL) {
++        if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0) {
+             ssl2_return_error(s, SSL2_PE_NO_CIPHER);
+             SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
+             return (-1);
+@@ -687,8 +687,12 @@ static int get_client_hello(SSL *s)
+             prio = cs;
+             allow = cl;
+         }
++
++        /* Generate list of SSLv2 ciphers shared between client and server */
+         for (z = 0; z < sk_SSL_CIPHER_num(prio); z++) {
+-            if (sk_SSL_CIPHER_find(allow, sk_SSL_CIPHER_value(prio, z)) < 0) {
++            const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z);
++            if ((cp->algorithm_ssl & SSL_SSLV2) == 0 ||
++                sk_SSL_CIPHER_find(allow, cp) < 0) {
+                 (void)sk_SSL_CIPHER_delete(prio, z);
+                 z--;
+             }
+@@ -697,6 +701,13 @@ static int get_client_hello(SSL *s)
+             sk_SSL_CIPHER_free(s->session->ciphers);
+             s->session->ciphers = prio;
+         }
++
++        /* Make sure we have at least one cipher in common */
++        if (sk_SSL_CIPHER_num(s->session->ciphers) == 0) {
++            ssl2_return_error(s, SSL2_PE_NO_CIPHER);
++            SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH);
++            return -1;
++        }
+         /*
+          * s->session->ciphers should now have a list of ciphers that are on
+          * both the client and server. This list is ordered by the order the

Added: user/cperciva/freebsd-update-build/patches/9.3-RELEASE/36-SA-16:11.openssl
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/9.3-RELEASE/36-SA-16:11.openssl	Fri Feb  5 16:48:03 2016	(r295322)
@@ -0,0 +1,43 @@
+Index: crypto/openssl/ssl/s2_srvr.c
+===================================================================
+--- crypto/openssl/ssl/s2_srvr.c	(revision 294905)
++++ crypto/openssl/ssl/s2_srvr.c	(working copy)
+@@ -392,7 +392,7 @@ static int get_client_master_key(SSL *s)
+ 			}
+ 
+ 		cp=ssl2_get_cipher_by_char(p);
+-		if (cp == NULL)
++		if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0)
+ 			{
+ 			ssl2_return_error(s,SSL2_PE_NO_CIPHER);
+ 			SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
+@@ -690,9 +690,12 @@ static int get_client_hello(SSL *s)
+ 		    prio = cs;
+ 		    allow = cl;
+ 		    }
+-		for (z=0; z<sk_SSL_CIPHER_num(prio); z++)
++		/* Generate list of SSLv2 ciphers shared between client and server */
++		for (z = 0; z < sk_SSL_CIPHER_num(prio); z++)
+ 			{
+-			if (sk_SSL_CIPHER_find(allow,sk_SSL_CIPHER_value(prio,z)) < 0)
++			const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z);
++			if ((cp->algorithms & SSL_SSLV2) == 0 ||
++			    sk_SSL_CIPHER_find(allow, cp) < 0)
+ 				{
+ 				(void)sk_SSL_CIPHER_delete(prio,z);
+ 				z--;
+@@ -703,6 +706,14 @@ static int get_client_hello(SSL *s)
+ 		    sk_SSL_CIPHER_free(s->session->ciphers);
+ 		    s->session->ciphers = prio;
+ 		    }
++
++		/* Make sure we have at least one cipher in common */
++		if (sk_SSL_CIPHER_num(s->session->ciphers) == 0)
++			{
++			ssl2_return_error(s, SSL2_PE_NO_CIPHER);
++			SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH);
++			return -1;
++			}
+ 		/* s->session->ciphers should now have a list of
+ 		 * ciphers that are on both the client and server.
+ 		 * This list is ordered by the order the client sent

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201602051648.u15Gm3Vv079446>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation