24528111 problem in LIBRARY/OPENSSL
authorMisaki Miyashita <Misaki.Miyashita@Oracle.COM>
Mon, 29 Aug 2016 13:44:04 -0700
changeset 6708 4e02cfefe7e9
parent 6707 9ae1e20ff4ec
child 6711 824d4bb15f85
24528111 problem in LIBRARY/OPENSSL 24394794 CRL conversions from DER to PEM format fail for large CRL files. 24513545 XMPP element quoting confusion
components/openssl/common/patches/052-CVE-2016-6302.patch
components/openssl/common/patches/053-large-crl.patch
components/openssl/common/patches/054-xmpp-detection.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/common/patches/052-CVE-2016-6302.patch	Mon Aug 29 13:44:04 2016 -0700
@@ -0,0 +1,30 @@
+# The patch is based on the following commit from the upstream:
+# https://github.com/openssl/openssl/commit/baaabfd8fdcec04a691695fad9a664bea43202b6
+# The fix is patched until the new version becomes available
+# from the upstream.
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
[email protected]@ -3401,9 +3401,7 @@
+     HMAC_CTX hctx;
+     EVP_CIPHER_CTX ctx;
+     SSL_CTX *tctx = s->initial_ctx;
+-    /* Need at least keyname + iv + some encrypted data */
+-    if (eticklen < 48)
+-        return 2;
++
+     /* Initialize session ticket encryption and HMAC contexts */
+     HMAC_CTX_init(&hctx);
+     EVP_CIPHER_CTX_init(&ctx);
[email protected]@ -3437,6 +3435,12 @@
+     if (mlen < 0) {
+         goto err;
+     }
++    /* Sanity check ticket length: must exceed keyname + IV + HMAC */
++    if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) {
++        HMAC_CTX_cleanup(&hctx);
++        EVP_CIPHER_CTX_cleanup(&ctx);
++        return 2;
++    }
+     eticklen -= mlen;
+     /* Check HMAC of encrypted ticket */
+     if (HMAC_Update(&hctx, etick, eticklen) <= 0
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/common/patches/053-large-crl.patch	Mon Aug 29 13:44:04 2016 -0700
@@ -0,0 +1,19 @@
+# The patch is based on the following commit from the upstream:
+# https://github.com/openssl/openssl/commit/a1eef756cc1948e
+# The fix is patched until the new version becomes available
+# from the upstream.
+--- a/crypto/asn1/x_name.c
++++ b/crypto/asn1/x_name.c
[email protected]@ -199,10 +199,8 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
+     int i, j, ret;
+     STACK_OF(X509_NAME_ENTRY) *entries;
+     X509_NAME_ENTRY *entry;
+-    if (len > X509_NAME_MAX) {
+-        ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG);
+-        return 0;
+-    }
++    if (len > X509_NAME_MAX)
++        len = X509_NAME_MAX;
+     q = p;
+ 
+     /* Get internal representation of Name */
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/common/patches/054-xmpp-detection.patch	Mon Aug 29 13:44:04 2016 -0700
@@ -0,0 +1,17 @@
+# The patch is based on the following commit from the upstream:
+# https://github.com/openssl/openssl/commit/4e48c77572a9a96a301e362a3646cd3cc7eca0f9 
+# The fix is patched until the new version becomes available
+# from the upstream.
+--- a/apps/s_client.c
++++ b/apps/s_client.c
[email protected]@ -1640,8 +1640,8 @@
+                    "xmlns='jabber:client' to='%s' version='1.0'>", host);
+         seen = BIO_read(sbio, mbuf, BUFSIZZ);
+         mbuf[seen] = 0;
+-        while (!strstr
+-               (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")) {
++        while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") &&
++               !strstr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\"")) {
+             if (strstr(mbuf, "/stream:features>"))
+                 goto shut;
+             seen = BIO_read(sbio, mbuf, BUFSIZZ);