
openssl / CVE-2016-2177.patch



I had a look at this CVE, and created a simple patch containing the new
checks required for ssl/s3_srvr.c (but not yet the other two files).

I'm not absolutely sure about the "1 byte for compression length later":
either wheezy is buggy in that it didn't have this allowance, or I have
added a 1-byte allowance where it isn't needed.

Unfortunately, while this builds OK, the tests now fail.

../util/shlib_wrap.sh ./srptest
Keys mismatch
N = EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3
g = 2
Salt = 38223DCD51AB4A7C7C716904B4DDCE010F73BC98
Verifier = 8862192629BC930B0C5FB33A26BB46DCA029C2034936E36F15028B47EAF4C962E69DFF1F8BE2722189F59D22D37180404BACB694DC8BC618866B6990FE07D85B2E08BAE6B48D4698BCDA1AAFC51D1E01078817FBE93A07F98BC9783C9A4D21BA666DE444CD403CBCC6D875393592D7685C176099C64BD06D4CDA9A7098732781
b = 973E1CA0BFC397971667D2F0834E96E9879337FECEC012AEE82850FFC631619A
B = 125AF4A5B830934EEFEA4ABB9FC7CD7A6ED8D8497915CF0E2B413AD8458972D1F3DB59FAF63DD50DDE416BB359A85C23D45C68BD65C90A8177062FEF9FA4ACB05F3F384D3D3D8F7E81874C166BA07E87C9E35E63794137B372DA66775774C6A2A489047DA1562CF9CA939BE6AB41ABCAFC87F89323BDD7D68CB059AA64CC9B5E
a = 98D71AD08776A707255FD75FD2B1DA1571044EE0E451447CF77A1700C207214A
A = B0874DF9F9D9EE2B5927DF8B266CB1016214542D05196A611756154DB1EA318648C4AF872490EE309111CF23B17431755C6973E7A5B1D59F5A76B239E791A6D345E734B5E87E6925B442EF432811FB1B7684992AE70832E43A59458781F1ED603B921D0919355983D9954B59FF4326C36EBE8E7FCF8F32E1B23F9868E7746569
Client's key = A512C999F12522658C26B6FAA823316ED708D232B50333A343486C9BA3396EF87B2E88CA4DE985504AE45BC6D059B50746698C5A6DA73126EE10E977F85201E4D74C0BB28B61958D782A6D83D9907ABF116E5AD036FE85959317E6C74A10CA1C5A5EEABEA7630C850EB63BF0A78B6BF969A07508E28778E9434C1BF7E1589905
Server's key = 5332495DE622F9E310C2324550CDF9D3FDB4C8AF67A6A535536E482BC9DE862490B3840A7863445BB42D7C91D9555DBAFFDCC628F193D6D2EF98ABBF7922C588304842DA25C6371FFDE0AEF9AD76702FE9D220256EEDEBB91C1F364DEFB5941ACE76A6351B8FEDBC25278DE6B5561E51F846D386D34F608BBF5F53EAB8847E1E
N = EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3
g = 2
Salt = 522684205623F51F882A5D94BDDE71074C6DD326
Verifier = 8EEA080842E3D873BC802506F860BEB7D2098E3EAF25E673E9BF549F3000BAEEB803E6EB70E7BC352B19117EB4479D5218E26C7E8D2D6F577E9EC702354BFC102F44ADFED53327FA9275ED1465D27D92032C4A9102ED30EE43BED9FC13B6980DEFE49988444F167D040C49904A297B191207C07D3994F565E133FC098070CDF4
b = C16E9E002AAA7F11DE29D44F4916C0AE89966D68B9C6367F6F6923512EEC336D
B = A1D5503A215DAE31CBB8BC9EFC6F1BB0D9E350B43268D3F62E5F5AE78981088073B9579FEE74C9897101C9E61697D3811CBB6666ED7FC6DD62086A892CAC66B49F3F5C1B861BC353E57B21F8B8355BAF553281604D17954BFE6836B4E961DFDFC18C86FBE85C9D1B3D008910C3F7738D8CDDCE7D1B2F0A705BB06EA1266684D6
a = AC2D6988B218B8A8F639AED281988B14232BB35A8C56D5CBBCFFBF8AB395653
A = 1E7C5985C892761723C81B69152A14B6FF1BE6E1FB74B2BB2EBCF2D962553B5B7C8D39C9FBACA9824AD048C1B9444070EAC29E840E666D5258BAB78E86D298DA7FF2ED59CB6A9E28403C296A19294233AF6C3BE21721B33CA030328BD74292B6C781BDAFE308523E340BC95948AB20841E691162C9CFCF180B828D4E6EF004BD
Client's key = 27C2554D9DFB135A0C6A0B1B695CEEF7CB69C982A79812CDB1B0680BAE4623D3B493061516F6F492BEB19109C1C42885883350C9B20153BF8F77ECAD0EB6F4B9AFA598E60AF78AF000310AAC1EAC07DAB9E932F7C57EA0372D364C0BB93D70A183ED91552C9BD557C772CC2EFDDF8EFA129FCCD308F5DFB9FCB5C5B2A7D20DFC
Server's key = 27C2554D9DFB135A0C6A0B1B695CEEF7CB69C982A79812CDB1B0680BAE4623D3B493061516F6F492BEB19109C1C42885883350C9B20153BF8F77ECAD0EB6F4B9AFA598E60AF78AF000310AAC1EAC07DAB9E932F7C57EA0372D364C0BB93D70A183ED91552C9BD557C772CC2EFDDF8EFA129FCCD308F5DFB9FCB5C5B2A7D20DFC
CMS consistency test
/usr/bin/perl cms-test.pl
CMS => PKCS#7 compatibility tests
signed content DER format, RSA key: verify error
make[2]: *** [test_cms] Error 1
make[2]: Leaving directory `/<<PKGBUILDDIR>>/test'
make[1]: *** [tests] Error 2
make[1]: Leaving directory `/<<PKGBUILDDIR>>'
make: *** [build-stamp] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2

Oh, wait, the tests fail in exactly the same way without my new patch. I
guess I didn't break it then.

Which probably means that before we do a security update we are going to
have to fix this test failure.

Just to make sure I got the right version this is 1.0.1e-2+deb7u21 from
wheezy-security uploaded by Kurt Roeckx <kurt@roeckx.be>.

It might be worth somebody else testing it, just in case this is
something specific to my build.

Will continue investigating.
-- 
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -973,6 +973,11 @@
 		unsigned int session_length, cookie_length;
 		
 		session_length = *(p + SSL3_RANDOM_SIZE);
+		if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) {
+			al = SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+			goto f_err;
+		}
 		cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1);
 
 		if (cookie_length == 0)
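Review bot: The guard added at L71 comes after the `session_length = *(p + SSL3_RANDOM_SIZE)` load on L70, so that one-byte read is not bounded by anything in this hunk; unless an earlier check outside the hunk (the start of ssl3_get_client_hello is not shown) already guarantees that `(d + n) - p` is at least `SSL3_RANDOM_SIZE + 1`, a ClientHello truncated inside the random still reads past `d + n` here. A guard of the same shape as L71-L75, testing `(d + n) - p < SSL3_RANDOM_SIZE + 1` and raising `SSL_R_LENGTH_TOO_SHORT`, placed immediately before L70 would cover it. The comparison on L71 also pits the `unsigned int` left-hand side (L68) against the `ptrdiff_t` value of `(d + n) - p`; writing it as `>= (unsigned int)((d + n) - p)` makes the intended unsigned comparison explicit and keeps -Wsign-compare quiet.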
@@ -986,6 +991,18 @@
 	/* get the session-id */
 	j= *(p++);
 
+	if ((d + n) - p < j) {
+		al = SSL_AD_DECODE_ERROR;
+		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+		goto f_err;
+	}
+
+	if ((j < 0) || (j > SSL_MAX_SSL_SESSION_ID_LENGTH)) {
+		al = SSL_AD_DECODE_ERROR;
+		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+		goto f_err;
+	}
+
 	s->hit=0;
 	/* Versions before 0.9.7 always allow clients to resume sessions in renegotiation.
 	 * 0.9.7 and later allow this by default, but optionally ignore resumption requests
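Review bot: The `j < 0` test on L89 can never be true if `j` is an `int` loaded from a single `unsigned char` at L81, as the other byte loads in this patch suggest; it is harmless, but a reader will wonder what it guards, so either drop that operand or mark it with `/* j is a single byte; the sign test is defensive only */`. On style, the new blocks at L83-L93 (and likewise at L71, L102, L109 and L122) use K&R braces, while the surrounding code in this file puts the opening brace on its own indented line (L99-L100, L137); matching the file's brace style would make the fix easier to read against the original. The body of ssl3_get_client_hello continues outside this hunk.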
@@ -1024,8 +1041,19 @@
 	if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
 		{
 		/* cookie stuff */
+		if ((d + n) - p < 1) {
+			al = SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+			goto f_err;
+		}
 		cookie_len = *(p++);
 
+		if ((d + n ) - p < cookie_len) {
+			al = SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+			goto f_err;
+		}
+
 		/* 
 		 * The ClientHello may contain a cookie even if the
 		 * HelloVerify message has not been sent--make sure that it
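Review bot: The condition on L109 is spelled `(d + n ) - p` with a stray space before the closing parenthesis, and the same appears on L122 in the next hunk, while L71, L83 and L102 use `(d + n) - p`; pick one spelling, `if ((d + n) - p < cookie_len) {`, so a later grep for the bound-check pattern finds every instance. The type of `cookie_len` is not visible here; if it is unsigned, the mixed-sign comparison on L109 is safe only because L102 has just established that `(d + n) - p` is at least 1 before `p` is advanced, which is worth a one-line comment above L109.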
@@ -1072,6 +1100,11 @@
 		p += cookie_len;
 		}
 
+	if ((d + n ) - p < 2) {
+		al = SSL_AD_DECODE_ERROR;
+		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+		goto f_err;
+	}
 	n2s(p,i);
 	if ((i == 0) && (j != 0))
 		{
@@ -1080,7 +1113,8 @@
 		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED);
 		goto f_err;
 		}
-	if ((p+i) >= (d+n))
+	/* i bytes of cipher data + 1 byte for compression length later */
+	if ((d + n) - p < i + 1)
 		{
 		/* not enough data */
 		al=SSL_AD_DECODE_ERROR;
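Review bot: The `+ 1` on L136 is not a new allowance: the replaced test `(p+i) >= (d+n)` on L134 already rejected a message whose cipher list ran exactly to the end, which is the same predicate as `(d + n) - p < i + 1`. So wheezy was not missing this byte; the rewrite only changes how the bound is expressed, no longer forming the pointer `p + i` when it would lie beyond `d + n`, which is the undefined pointer arithmetic this CVE is about. The comment on L135 could say so to pre-empt the question the cover mail raises: `/* same bound as the old (p+i) >= (d+n), without forming p+i past the end */`.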
@@ -1147,7 +1181,7 @@
 
 	/* compression */
 	i= *(p++);
-	if ((p+i) > (d+n))
+	if ((d + n) - p < i)
 		{
 		/* not enough data */
 		al=SSL_AD_DECODE_ERROR;
