From owner-svn-src-stable@freebsd.org Wed Nov 2 07:09:33 2016 Return-Path: Delivered-To: svn-src-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 78622C2BB6C; Wed, 2 Nov 2016 07:09:33 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 361861576; Wed, 2 Nov 2016 07:09:33 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uA279WIC070561; Wed, 2 Nov 2016 07:09:32 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uA279Vkg070556; Wed, 2 Nov 2016 07:09:31 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201611020709.uA279Vkg070556@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f From: Xin LI Date: Wed, 2 Nov 2016 07:09:31 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r308200 - in stable: 10/crypto/openssl/ssl 9/crypto/openssl/ssl X-SVN-Group: stable-9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Nov 2016 07:09:33 -0000 Author: delphij Date: Wed Nov 2 07:09:31 2016 New Revision: 308200 URL: https://svnweb.freebsd.org/changeset/base/308200 Log: Backport OpenSSL commit af58be768ebb690f78530f796e92b8ae5c9a4401: Don't allow too many consecutive warning alerts Certain warning alerts are ignored if they are received. This can mean that no progress will be made if one peer continually sends those warning alerts. Implement a count so that we abort the connection if we receive too many. Issue reported by Shi Lei. This is a direct commit to stable/10 and stable/9. Security: CVE-2016-8610 Modified: stable/9/crypto/openssl/ssl/d1_pkt.c stable/9/crypto/openssl/ssl/s3_pkt.c stable/9/crypto/openssl/ssl/ssl.h stable/9/crypto/openssl/ssl/ssl3.h stable/9/crypto/openssl/ssl/ssl_locl.h Changes in other areas also in this revision: Modified: stable/10/crypto/openssl/ssl/d1_pkt.c stable/10/crypto/openssl/ssl/s3_pkt.c stable/10/crypto/openssl/ssl/ssl.h stable/10/crypto/openssl/ssl/ssl3.h stable/10/crypto/openssl/ssl/ssl_locl.h Modified: stable/9/crypto/openssl/ssl/d1_pkt.c ============================================================================== --- stable/9/crypto/openssl/ssl/d1_pkt.c Wed Nov 2 06:58:47 2016 (r308199) +++ stable/9/crypto/openssl/ssl/d1_pkt.c Wed Nov 2 07:09:31 2016 (r308200) @@ -820,6 +820,13 @@ int dtls1_read_bytes(SSL *s, int type, u goto start; } + /* + * Reset the count of consecutive warning alerts if we've got a non-empty + * record that isn't an alert. + */ + if (rr->type != SSL3_RT_ALERT && rr->length != 0) + s->s3->alert_count = 0; + /* we now have a packet which can be read and processed */ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, @@ -1043,6 +1050,14 @@ int dtls1_read_bytes(SSL *s, int type, u if (alert_level == 1) { /* warning */ s->s3->warn_alert = alert_descr; + + s->s3->alert_count++; + if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) { + al = SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS); + goto f_err; + } + if (alert_descr == SSL_AD_CLOSE_NOTIFY) { s->shutdown |= SSL_RECEIVED_SHUTDOWN; return (0); Modified: stable/9/crypto/openssl/ssl/s3_pkt.c ============================================================================== --- stable/9/crypto/openssl/ssl/s3_pkt.c Wed Nov 2 06:58:47 2016 (r308199) +++ stable/9/crypto/openssl/ssl/s3_pkt.c Wed Nov 2 07:09:31 2016 (r308200) @@ -922,6 +922,13 @@ int ssl3_read_bytes(SSL *s, int type, un return (ret); } + /* + * Reset the count of consecutive warning alerts if we've got a non-empty + * record that isn't an alert. + */ + if (rr->type != SSL3_RT_ALERT && rr->length != 0) + s->s3->alert_count = 0; + /* we now have a packet which can be read and processed */ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, @@ -1121,6 +1128,14 @@ int ssl3_read_bytes(SSL *s, int type, un if (alert_level == 1) { /* warning */ s->s3->warn_alert = alert_descr; + + s->s3->alert_count++; + if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) { + al = SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS); + goto f_err; + } + if (alert_descr == SSL_AD_CLOSE_NOTIFY) { s->shutdown |= SSL_RECEIVED_SHUTDOWN; return (0); Modified: stable/9/crypto/openssl/ssl/ssl.h ============================================================================== --- stable/9/crypto/openssl/ssl/ssl.h Wed Nov 2 06:58:47 2016 (r308199) +++ stable/9/crypto/openssl/ssl/ssl.h Wed Nov 2 07:09:31 2016 (r308200) @@ -2195,6 +2195,7 @@ void ERR_load_SSL_strings(void); # define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110 # define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232 # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 227 +# define SSL_R_TOO_MANY_WARN_ALERTS 409 # define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233 # define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234 # define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235 Modified: stable/9/crypto/openssl/ssl/ssl3.h ============================================================================== --- stable/9/crypto/openssl/ssl/ssl3.h Wed Nov 2 06:58:47 2016 (r308199) +++ stable/9/crypto/openssl/ssl/ssl3.h Wed Nov 2 07:09:31 2016 (r308200) @@ -491,6 +491,8 @@ typedef struct ssl3_state_st { char is_probably_safari; # endif /* !OPENSSL_NO_EC */ # endif /* !OPENSSL_NO_TLSEXT */ + /* Count of the number of consecutive warning alerts received */ + unsigned int alert_count; } SSL3_STATE; /* SSLv3 */ Modified: stable/9/crypto/openssl/ssl/ssl_locl.h ============================================================================== --- stable/9/crypto/openssl/ssl/ssl_locl.h Wed Nov 2 06:58:47 2016 (r308199) +++ stable/9/crypto/openssl/ssl/ssl_locl.h Wed Nov 2 07:09:31 2016 (r308200) @@ -247,6 +247,8 @@ # define DEC32(a) ((a)=((a)-1)&0xffffffffL) # define MAX_MAC_SIZE 20 /* up from 16 for SSLv3 */ +# define MAX_WARN_ALERT_COUNT 5 + /* * Define the Bitmasks for SSL_CIPHER.algorithms. * This bits are used packed as dense as possible. If new methods/ciphers