openssl / CVE-2016-2177.patch
I had a look at this CVE, and created a simple patch containing the new
checks required for ssl/s3_srvr.c (but not yet the other two files).
I am not absolutely sure about the "1 byte for compression length later"
comment: either wheezy is buggy in that it didn't have this allowance, or I
have added a 1-byte allowance where it isn't needed.
Unfortunately, while this builds OK, the tests now fail.
../util/shlib_wrap.sh ./srptest
Keys mismatch
N = EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3
g = 2
Salt = 38223DCD51AB4A7C7C716904B4DDCE010F73BC98
Verifier = 8862192629BC930B0C5FB33A26BB46DCA029C2034936E36F15028B47EAF4C962E69DFF1F8BE2722189F59D22D37180404BACB694DC8BC618866B6990FE07D85B2E08BAE6B48D4698BCDA1AAFC51D1E01078817FBE93A07F98BC9783C9A4D21BA666DE444CD403CBCC6D875393592D7685C176099C64BD06D4CDA9A7098732781
b = 973E1CA0BFC397971667D2F0834E96E9879337FECEC012AEE82850FFC631619A
B = 125AF4A5B830934EEFEA4ABB9FC7CD7A6ED8D8497915CF0E2B413AD8458972D1F3DB59FAF63DD50DDE416BB359A85C23D45C68BD65C90A8177062FEF9FA4ACB05F3F384D3D3D8F7E81874C166BA07E87C9E35E63794137B372DA66775774C6A2A489047DA1562CF9CA939BE6AB41ABCAFC87F89323BDD7D68CB059AA64CC9B5E
a = 98D71AD08776A707255FD75FD2B1DA1571044EE0E451447CF77A1700C207214A
A = B0874DF9F9D9EE2B5927DF8B266CB1016214542D05196A611756154DB1EA318648C4AF872490EE309111CF23B17431755C6973E7A5B1D59F5A76B239E791A6D345E734B5E87E6925B442EF432811FB1B7684992AE70832E43A59458781F1ED603B921D0919355983D9954B59FF4326C36EBE8E7FCF8F32E1B23F9868E7746569
Client's key = A512C999F12522658C26B6FAA823316ED708D232B50333A343486C9BA3396EF87B2E88CA4DE985504AE45BC6D059B50746698C5A6DA73126EE10E977F85201E4D74C0BB28B61958D782A6D83D9907ABF116E5AD036FE85959317E6C74A10CA1C5A5EEABEA7630C850EB63BF0A78B6BF969A07508E28778E9434C1BF7E1589905
Server's key = 5332495DE622F9E310C2324550CDF9D3FDB4C8AF67A6A535536E482BC9DE862490B3840A7863445BB42D7C91D9555DBAFFDCC628F193D6D2EF98ABBF7922C588304842DA25C6371FFDE0AEF9AD76702FE9D220256EEDEBB91C1F364DEFB5941ACE76A6351B8FEDBC25278DE6B5561E51F846D386D34F608BBF5F53EAB8847E1E
N = EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3
g = 2
Salt = 522684205623F51F882A5D94BDDE71074C6DD326
Verifier = 8EEA080842E3D873BC802506F860BEB7D2098E3EAF25E673E9BF549F3000BAEEB803E6EB70E7BC352B19117EB4479D5218E26C7E8D2D6F577E9EC702354BFC102F44ADFED53327FA9275ED1465D27D92032C4A9102ED30EE43BED9FC13B6980DEFE49988444F167D040C49904A297B191207C07D3994F565E133FC098070CDF4
b = C16E9E002AAA7F11DE29D44F4916C0AE89966D68B9C6367F6F6923512EEC336D
B = A1D5503A215DAE31CBB8BC9EFC6F1BB0D9E350B43268D3F62E5F5AE78981088073B9579FEE74C9897101C9E61697D3811CBB6666ED7FC6DD62086A892CAC66B49F3F5C1B861BC353E57B21F8B8355BAF553281604D17954BFE6836B4E961DFDFC18C86FBE85C9D1B3D008910C3F7738D8CDDCE7D1B2F0A705BB06EA1266684D6
a = AC2D6988B218B8A8F639AED281988B14232BB35A8C56D5CBBCFFBF8AB395653
A = 1E7C5985C892761723C81B69152A14B6FF1BE6E1FB74B2BB2EBCF2D962553B5B7C8D39C9FBACA9824AD048C1B9444070EAC29E840E666D5258BAB78E86D298DA7FF2ED59CB6A9E28403C296A19294233AF6C3BE21721B33CA030328BD74292B6C781BDAFE308523E340BC95948AB20841E691162C9CFCF180B828D4E6EF004BD
Client's key = 27C2554D9DFB135A0C6A0B1B695CEEF7CB69C982A79812CDB1B0680BAE4623D3B493061516F6F492BEB19109C1C42885883350C9B20153BF8F77ECAD0EB6F4B9AFA598E60AF78AF000310AAC1EAC07DAB9E932F7C57EA0372D364C0BB93D70A183ED91552C9BD557C772CC2EFDDF8EFA129FCCD308F5DFB9FCB5C5B2A7D20DFC
Server's key = 27C2554D9DFB135A0C6A0B1B695CEEF7CB69C982A79812CDB1B0680BAE4623D3B493061516F6F492BEB19109C1C42885883350C9B20153BF8F77ECAD0EB6F4B9AFA598E60AF78AF000310AAC1EAC07DAB9E932F7C57EA0372D364C0BB93D70A183ED91552C9BD557C772CC2EFDDF8EFA129FCCD308F5DFB9FCB5C5B2A7D20DFC
CMS consistency test
/usr/bin/perl cms-test.pl
CMS => PKCS#7 compatibility tests
signed content DER format, RSA key: verify error
make[2]: *** [test_cms] Error 1
make[2]: Leaving directory `/<<PKGBUILDDIR>>/test'
make[1]: *** [tests] Error 2
make[1]: Leaving directory `/<<PKGBUILDDIR>>'
make: *** [build-stamp] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2
Oh, wait, the tests fail in exactly the same way without my new patch. I
guess I didn't break it then.
Which probably means that, before we do a security update, we are going to
have to fix this test failure.
Just to make sure I got the right version this is 1.0.1e-2+deb7u21 from
wheezy-security uploaded by Kurt Roeckx <kurt@roeckx.be>.
It might be worth somebody else testing it, just in case this is
something specific to my build.
Will continue investigating.
--
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -973,6 +973,11 @@
unsigned int session_length, cookie_length;
session_length = *(p + SSL3_RANDOM_SIZE);
+ if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+ goto f_err;
+ }
cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1);
if (cookie_length == 0)
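Review bot: The guard on L57 only protects the `cookie_length` read on L62; the `session_length` read on L56 itself dereferences `p + SSL3_RANDOM_SIZE`, and the same is true of `j = *(p++)` at the start of the second hunk, so both still rely on an earlier check, outside these hunks, that `n` covers the version, the random and the session-id length byte — worth confirming that 1.0.1e has one, or adding `if ((d + n) - p < SSL3_RANDOM_SIZE + 1)` with the same error path before L56. The comparison on L57 also mixes an `unsigned int` sum with the signed pointer difference; it behaves correctly on LP64 but trips -Wsign-compare, and the upstream fix, if I recall correctly, writes the right-hand side as `(unsigned int)((d + n) - p)`. ssl3_get_client_hello begins above the hunk, so the declaration of `j` and any earlier length check are not visible here.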
@@ -986,6 +991,18 @@
/* get the session-id */
j= *(p++);
+ if ((d + n) - p < j) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+ goto f_err;
+ }
+
+ if ((j < 0) || (j > SSL_MAX_SSL_SESSION_ID_LENGTH)) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+ goto f_err;
+ }
+
s->hit=0;
/* Versions before 0.9.7 always allow clients to resume sessions in renegotiation.
* 0.9.7 and later allow this by default, but optionally ignore resumption requests
@@ -1024,8 +1041,19 @@
if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
{
/* cookie stuff */
+ if ((d + n) - p < 1) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+ goto f_err;
+ }
cookie_len = *(p++);
+ if ((d + n ) - p < cookie_len) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+ goto f_err;
+ }
+
/*
* The ClientHello may contain a cookie even if the
* HelloVerify message has not been sent--make sure that it
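Review bot: L92 and L104 write the remainder as `(d + n ) - p` with a stray space before the closing parenthesis, while L67, L86 and L118 write `(d + n) - p`; since these six checks are copies of one idiom, they should be spelled identically, e.g. `if ((d + n) - p < cookie_len) {`. The two-step check here (one byte for `cookie_len`, then `cookie_len` bytes of cookie) reads correctly, and the `p += cookie_len` in the next hunk is covered by it. The enclosing DTLS branch starts before the hunk and the declaration of `cookie_len` is not visible, so the signedness of the comparison on L92 cannot be confirmed from here.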
@@ -1072,6 +1100,11 @@
p += cookie_len;
}
+ if ((d + n ) - p < 2) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+ goto f_err;
+ }
n2s(p,i);
if ((i == 0) && (j != 0))
{
@@ -1080,7 +1113,8 @@
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED);
goto f_err;
}
- if ((p+i) >= (d+n))
+ /* i bytes of cipher data + 1 byte for compression length later */
+ if ((d + n) - p < i + 1)
{
/* not enough data */
al=SSL_AD_DECODE_ERROR;
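Review bot: The rewritten condition on L118, `(d + n) - p < i + 1`, is exactly the old `(p + i) >= (d + n)` on L116 expressed without forming a pointer past the end of the buffer: `(p + i) >= (d + n)` is `(d + n) - p <= i`, i.e. `< i + 1`, so wheezy already reserved the extra byte and the allowance is neither new nor superfluous. The same equivalence holds for the compression check in the last hunk, where `(p + i) > (d + n)` becomes `(d + n) - p < i`. It would help future readers to extend the comment on L117 to say why the byte is reserved, since the later `i = *(p++)` for the compression length has no guard of its own: `/* i bytes of cipher data + 1 byte for the compression length read below, so that read needs no separate bound check */`. Both hunks sit inside ssl3_get_client_hello, which starts and ends outside the diff.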
@@ -1147,7 +1181,7 @@
/* compression */
i= *(p++);
- if ((p+i) > (d+n))
+ if ((d + n) - p < i)
{
/* not enough data */
al=SSL_AD_DECODE_ERROR;