From: "Simon L. Nielsen"
Date: Mon, 29 Nov 2010 20:43:07 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r216063 - in releng: 7.1 7.1/crypto/openssl/ssl 7.1/sys/conf 7.3 7.3/crypto/openssl/ssl 7.3/sys/conf 8.0 8.0/crypto/openssl/ssl 8.0/sys/conf 8.1 8.1/crypto/openssl/ssl 8.1/sys/conf

Author: simon
Date: Mon Nov 29 20:43:06 2010
New Revision: 216063
URL: http://svn.freebsd.org/changeset/base/216063

Log:
  Fix a race condition that exists in the OpenSSL TLS server extension code and
  a double free in the SSL client ECDH handling code.

  Approved by: so (simon)
  Security: CVE-2010-2939, CVE-2010-3864
  Security: FreeBSD-SA-10:10.openssl

Modified:
  releng/7.1/UPDATING
  releng/7.1/crypto/openssl/ssl/s3_clnt.c
  releng/7.1/sys/conf/newvers.sh
  releng/7.3/UPDATING
  releng/7.3/crypto/openssl/ssl/s3_clnt.c
  releng/7.3/sys/conf/newvers.sh
  releng/8.0/UPDATING
  releng/8.0/crypto/openssl/ssl/s3_clnt.c
  releng/8.0/crypto/openssl/ssl/t1_lib.c
  releng/8.0/sys/conf/newvers.sh
  releng/8.1/UPDATING
  releng/8.1/crypto/openssl/ssl/s3_clnt.c
  releng/8.1/crypto/openssl/ssl/t1_lib.c
  releng/8.1/sys/conf/newvers.sh

Modified: releng/7.1/UPDATING ============================================================================== --- releng/7.1/UPDATING Mon Nov 29 18:33:20 2010 (r216062) +++ releng/7.1/UPDATING Mon Nov 29 20:43:06 2010 (r216063) 
@@ -8,6 +8,9 @@ Items affecting the ports and packages s /usr/ports/UPDATING. Please read that file before running portupgrade. +20101129: p16 FreeBSD-SA-10:10.openssl + Fix OpenSSL multiple vulnerabilities. + 20101110: p15 FreeBSD-SA-10:09.pseudofs Don't unlock a mutex which wasn't locked. Modified: releng/7.1/crypto/openssl/ssl/s3_clnt.c ============================================================================== --- releng/7.1/crypto/openssl/ssl/s3_clnt.c Mon Nov 29 18:33:20 2010 (r216062) +++ releng/7.1/crypto/openssl/ssl/s3_clnt.c Mon Nov 29 20:43:06 2010 (r216063) @@ -1289,6 +1289,7 @@ int ssl3_get_key_exchange(SSL *s) s->session->sess_cert->peer_ecdh_tmp=ecdh; ecdh=NULL; BN_CTX_free(bn_ctx); + bn_ctx = NULL; EC_POINT_free(srvr_ecpoint); srvr_ecpoint = NULL; } Modified: releng/7.1/sys/conf/newvers.sh ============================================================================== --- releng/7.1/sys/conf/newvers.sh Mon Nov 29 18:33:20 2010 (r216062) +++ releng/7.1/sys/conf/newvers.sh Mon Nov 29 20:43:06 2010 (r216063) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="7.1" -BRANCH="RELEASE-p15" +BRANCH="RELEASE-p16" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/7.3/UPDATING ============================================================================== --- releng/7.3/UPDATING Mon Nov 29 18:33:20 2010 (r216062) +++ releng/7.3/UPDATING Mon Nov 29 20:43:06 2010 (r216063) 
@@ -8,6 +8,9 @@ Items affecting the ports and packages s /usr/ports/UPDATING. Please read that file before running portupgrade. +20101129: p4 FreeBSD-SA-10:10.openssl + Fix OpenSSL multiple vulnerabilities. + 20100920: p3 FreeBSD-SA-10:08.bzip2 Fix an integer overflow in RLE length parsing when decompressing corrupt bzip2 data. Modified: releng/7.3/crypto/openssl/ssl/s3_clnt.c ============================================================================== --- releng/7.3/crypto/openssl/ssl/s3_clnt.c Mon Nov 29 18:33:20 2010 (r216062) +++ releng/7.3/crypto/openssl/ssl/s3_clnt.c Mon Nov 29 20:43:06 2010 (r216063) @@ -1289,6 +1289,7 @@ int ssl3_get_key_exchange(SSL *s) s->session->sess_cert->peer_ecdh_tmp=ecdh; ecdh=NULL; BN_CTX_free(bn_ctx); + bn_ctx = NULL; EC_POINT_free(srvr_ecpoint); srvr_ecpoint = NULL; } Modified: releng/7.3/sys/conf/newvers.sh ============================================================================== --- releng/7.3/sys/conf/newvers.sh Mon Nov 29 18:33:20 2010 (r216062) +++ releng/7.3/sys/conf/newvers.sh Mon Nov 29 20:43:06 2010 (r216063) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="7.3" -BRANCH="RELEASE-p3" +BRANCH="RELEASE-p4" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/8.0/UPDATING ============================================================================== --- releng/8.0/UPDATING Mon Nov 29 18:33:20 2010 (r216062) +++ releng/8.0/UPDATING Mon Nov 29 20:43:06 2010 (r216063) 
@@ -15,6 +15,9 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8. debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20101129: p6 FreeBSD-SA-10:10.openssl + Fix OpenSSL multiple vulnerabilities. + 20100920: p5 FreeBSD-SA-10:08.bzip2 Fix an integer overflow in RLE length parsing when decompressing corrupt bzip2 data. Modified: releng/8.0/crypto/openssl/ssl/s3_clnt.c ============================================================================== --- releng/8.0/crypto/openssl/ssl/s3_clnt.c Mon Nov 29 18:33:20 2010 (r216062) +++ releng/8.0/crypto/openssl/ssl/s3_clnt.c Mon Nov 29 20:43:06 2010 (r216063) @@ -1378,6 +1378,7 @@ int ssl3_get_key_exchange(SSL *s) s->session->sess_cert->peer_ecdh_tmp=ecdh; ecdh=NULL; BN_CTX_free(bn_ctx); + bn_ctx = NULL; EC_POINT_free(srvr_ecpoint); srvr_ecpoint = NULL; } Modified: releng/8.0/crypto/openssl/ssl/t1_lib.c ============================================================================== --- releng/8.0/crypto/openssl/ssl/t1_lib.c Mon Nov 29 18:33:20 2010 (r216062) +++ releng/8.0/crypto/openssl/ssl/t1_lib.c Mon Nov 29 20:43:06 2010 (r216063) @@ -369,14 +369,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, switch (servname_type) { case TLSEXT_NAMETYPE_host_name: - if (s->session->tlsext_hostname == NULL) + if (!s->hit) { - if (len > TLSEXT_MAXLEN_host_name || - ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) + if(s->session->tlsext_hostname) + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } + if (len > TLSEXT_MAXLEN_host_name) { *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } + if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) + { + *al = TLS1_AD_INTERNAL_ERROR; + return 0; + } memcpy(s->session->tlsext_hostname, sdata, len); s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) { 
@@ -389,7 +398,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, } else - s->servername_done = strlen(s->session->tlsext_hostname) == len + s->servername_done = s->session->tlsext_hostname + && strlen(s->session->tlsext_hostname) == len && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; break; Modified: releng/8.0/sys/conf/newvers.sh ============================================================================== --- releng/8.0/sys/conf/newvers.sh Mon Nov 29 18:33:20 2010 (r216062) +++ releng/8.0/sys/conf/newvers.sh Mon Nov 29 20:43:06 2010 (r216063) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="8.0" -BRANCH="RELEASE-p5" +BRANCH="RELEASE-p6" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/8.1/UPDATING ============================================================================== --- releng/8.1/UPDATING Mon Nov 29 18:33:20 2010 (r216062) +++ releng/8.1/UPDATING Mon Nov 29 20:43:06 2010 (r216063) @@ -15,6 +15,9 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8. debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20101129: p2 FreeBSD-SA-10:10.openssl + Fix OpenSSL multiple vulnerabilities. + 20100920: p1 FreeBSD-SA-10:08.bzip2 Fix an integer overflow in RLE length parsing when decompressing corrupt bzip2 data. Modified: releng/8.1/crypto/openssl/ssl/s3_clnt.c ============================================================================== --- releng/8.1/crypto/openssl/ssl/s3_clnt.c Mon Nov 29 18:33:20 2010 (r216062) +++ releng/8.1/crypto/openssl/ssl/s3_clnt.c Mon Nov 29 20:43:06 2010 (r216063) 
@@ -1377,6 +1377,7 @@ int ssl3_get_key_exchange(SSL *s) s->session->sess_cert->peer_ecdh_tmp=ecdh; ecdh=NULL; BN_CTX_free(bn_ctx); + bn_ctx = NULL; EC_POINT_free(srvr_ecpoint); srvr_ecpoint = NULL; } Modified: releng/8.1/crypto/openssl/ssl/t1_lib.c ============================================================================== --- releng/8.1/crypto/openssl/ssl/t1_lib.c Mon Nov 29 18:33:20 2010 (r216062) +++ releng/8.1/crypto/openssl/ssl/t1_lib.c Mon Nov 29 20:43:06 2010 (r216063) @@ -432,14 +432,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, switch (servname_type) { case TLSEXT_NAMETYPE_host_name: - if (s->session->tlsext_hostname == NULL) + if (!s->hit) { - if (len > TLSEXT_MAXLEN_host_name || - ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) + if(s->session->tlsext_hostname) + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } + if (len > TLSEXT_MAXLEN_host_name) { *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } + if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) + { + *al = TLS1_AD_INTERNAL_ERROR; + return 0; + } memcpy(s->session->tlsext_hostname, sdata, len); s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) { @@ -452,7 +461,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, } else - s->servername_done = strlen(s->session->tlsext_hostname) == len + s->servername_done = s->session->tlsext_hostname + && strlen(s->session->tlsext_hostname) == len && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; break; Modified: releng/8.1/sys/conf/newvers.sh ============================================================================== --- releng/8.1/sys/conf/newvers.sh Mon Nov 29 18:33:20 2010 (r216062) +++ releng/8.1/sys/conf/newvers.sh Mon Nov 29 20:43:06 2010 (r216063) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="8.1" -BRANCH="RELEASE-p1" +BRANCH="RELEASE-p2" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi
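
Review bot: In the ssl3_get_key_exchange hunk of s3_clnt.c (identical under releng/7.1, 7.3, 8.0 and 8.1), the added `bn_ctx = NULL;` carries no comment, and the code that would free bn_ctx a second time is not part of the hunk, so the reason for the reset lives only in the commit log. A one-line comment above it stating that the pointer is cleared so that later cleanup cannot free it again would keep the line from being dropped as redundant; it would also read naturally next to the `ecdh=NULL;` and `srvr_ecpoint = NULL;` resets on either side of it.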
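
Review bot: In the first ssl_parse_clienthello_tlsext hunk of t1_lib.c (releng/8.0 and releng/8.1), the new `if (!s->hit)` test replaces `if (s->session->tlsext_hostname == NULL)` as the condition for writing s->session->tlsext_hostname, yet nothing at that line records why. Add a comment saying that the hostname is stored only when the session is not a resumed one, so that a later tidy-up does not bring the pointer test back. Two smaller points in the same hunk: the duplicate-hostname branch returns SSL_AD_DECODE_ERROR while the branches next to it use the TLS1_AD_ prefix, and `if(s->session->tlsext_hostname)` lacks the space after `if` that the surrounding lines use. Separately, t1_lib.c is changed only under releng/8.0 and releng/8.1; the log should say why releng/7.1 and releng/7.3 need no equivalent change.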
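
Review bot: In the second ssl_parse_clienthello_tlsext hunk of t1_lib.c (releng/8.0 and releng/8.1), the new guard at the head of the servername_done expression relies on an implicit pointer test inside a three-line `&&` chain. Writing it as `s->session->tlsext_hostname != NULL` would match the explicit `== NULL` comparison used for the OPENSSL_malloc result in the same function, and a short comment would make clear that the guard is needed because the else branch is now selected by s->hit and can therefore be reached with no stored hostname.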
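
Review bot: The UPDATING entries added in all four branches say only "Fix OpenSSL multiple vulnerabilities.", whereas the neighbouring entries name the defect (for example "Don't unlock a mutex which wasn't locked."). Name the two issues from the commit log, the TLS server extension race and the client ECDH double free, and reword the summary to "Fix multiple OpenSSL vulnerabilities". For releng/7.1 and releng/7.3, where the Modified list shows only s3_clnt.c changing, the entry should mention just the double free.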