File openssl-CVE-2016-8610.patch of Package compat-openssl098.14113

commit 22646a075e75991b4e8f5d67171e45a6aead5b48
Author: Matt Caswell <matt@openssl.org>
Date:   Wed Sep 21 14:48:16 2016 +0100

    Don't allow too many consecutive warning alerts
    
    Certain warning alerts are ignored if they are received. This can mean that
    no progress will be made if one peer continually sends those warning alerts.
    Implement a count so that we abort the connection if we receive too many.
    
    Issue reported by Shi Lei.
    
    Reviewed-by: Rich Salz <rsalz@openssl.org>

commit f1f97699cb5e01f1b7e37f4c92df1a9bce6772f5
Author: Kurt Cancemi <kurt@x64architecture.com>
Date:   Thu Sep 22 18:05:37 2016 -0400

    Add missing error string for SSL_R_TOO_MANY_WARN_ALERTS

    Reviewed-by: Rich Salz <rsalz@openssl.org>
    Reviewed-by: Matt Caswell <matt@openssl.org>

Index: openssl-0.9.8j/ssl/d1_pkt.c
===================================================================
--- openssl-0.9.8j.orig/ssl/d1_pkt.c	2018-08-13 11:38:11.716202777 +0200
+++ openssl-0.9.8j/ssl/d1_pkt.c	2018-08-13 11:38:11.856203665 +0200
@@ -790,6 +790,13 @@ start:
 			}
 		}
 
+    /*
+     * Reset the count of consecutive warning alerts if we've got a non-empty
+     * record that isn't an alert.
+     */
+    if (rr->type != SSL3_RT_ALERT && rr->length != 0)
+        s->cert->alert_count = 0;
+
 	/* we now have a packet which can be read and processed */
 
 	if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
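Review bot: The added reset block (L34–L39) is indented with four spaces while the surrounding dtls1_read_bytes body uses tabs and Whitesmiths-style braces, so the hunk reads as a different file; the same mixed tab/space indentation appears in the other three code hunks of this patch (s3_pkt.c at both hunks and the second d1_pkt.c hunk). Re-indenting the new lines with the file's tabs is a mechanical change, e.g. `	if (rr->type != SSL3_RT_ALERT && rr->length != 0)` followed by `		s->cert->alert_count = 0;`. The reset comment could also state what "consecutive" means here: `/* Any non-empty, non-alert record breaks the run of warning alerts */`. dtls1_read_bytes starts and ends outside this hunk.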
@@ -997,6 +1004,14 @@ start:
 		if (alert_level == 1) /* warning */
 			{
 			s->s3->warn_alert = alert_descr;
+
+	            	s->cert->alert_count++;
+       		     if (s->cert->alert_count == MAX_WARN_ALERT_COUNT) {
+	                al = SSL_AD_UNEXPECTED_MESSAGE;
+	                SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
+	                goto f_err;
+	            }
+
 			if (alert_descr == SSL_AD_CLOSE_NOTIFY)
 				{
 				s->shutdown |= SSL_RECEIVED_SHUTDOWN;
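Review bot: The abort condition at L50 only fires on exact equality with MAX_WARN_ALERT_COUNT; this works because this is the only increment visible and the record path resets the field to zero, but `>=` would keep the guard effective if the counter is ever advanced or left non-zero by another path (the CERT struct carries a reference count, so it may be shared between SSL objects in some cases — worth confirming). I would change L50 to `if (s->cert->alert_count >= MAX_WARN_ALERT_COUNT) {` and the matching line in the s3_pkt.c alert hunk (ssl3_read_bytes) the same way. The `al` variable and `f_err` label used here are defined outside the hunk, as is the rest of dtls1_read_bytes.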
Index: openssl-0.9.8j/ssl/s3_pkt.c
===================================================================
--- openssl-0.9.8j.orig/ssl/s3_pkt.c	2018-08-13 11:38:11.052198566 +0200
+++ openssl-0.9.8j/ssl/s3_pkt.c	2018-08-13 11:38:11.856203665 +0200
@@ -868,6 +868,13 @@ start:
 		if (ret <= 0) return(ret);
 		}
 
+    	/*
+     	* Reset the count of consecutive warning alerts if we've got a non-empty
+     	* record that isn't an alert.
+     	*/
+    	if (rr->type != SSL3_RT_ALERT && rr->length != 0)
+        	s->cert->alert_count = 0;
+
 	/* we now have a packet which can be read and processed */
 
 	if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
@@ -1070,6 +1077,14 @@ start:
 		if (alert_level == 1) /* warning */
 			{
 			s->s3->warn_alert = alert_descr;
+
+            		s->cert->alert_count++;
+            		if (s->cert->alert_count == MAX_WARN_ALERT_COUNT) {
+                		al = SSL_AD_UNEXPECTED_MESSAGE;
+                		SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
+                		goto f_err;
+            		}
+
 			if (alert_descr == SSL_AD_CLOSE_NOTIFY)
 				{
 				s->shutdown |= SSL_RECEIVED_SHUTDOWN;
Index: openssl-0.9.8j/ssl/ssl.h
===================================================================
--- openssl-0.9.8j.orig/ssl/ssl.h	2018-08-13 11:38:11.720202803 +0200
+++ openssl-0.9.8j/ssl/ssl.h	2018-10-17 12:59:29.613518994 +0200
@@ -2073,6 +2073,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST		 227
 #define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
 #define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG	 234
+#define SSL_R_TOO_MANY_WARN_ALERTS                       409
 #define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER		 235
 #define SSL_R_UNABLE_TO_DECODE_DH_CERTS			 236
 #define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS		 313
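Review bot: The new reason code 409 is placed alphabetically but is numerically out of sequence with its neighbours (227–236), so it is presumably copied from the upstream numbering rather than allocated from this tree's next free value; confirm that no other SSL_R_ define in this ssl.h already uses 409, since a duplicated reason code would make the ERR_STRING_DATA lookup in ssl_err.c ambiguous. A short trailing comment would help the next backporter: `#define SSL_R_TOO_MANY_WARN_ALERTS 409 /* upstream value, see CVE-2016-8610 */`.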
Index: openssl-0.9.8j/ssl/ssl_locl.h
===================================================================
--- openssl-0.9.8j.orig/ssl/ssl_locl.h	2018-08-13 11:38:11.700202676 +0200
+++ openssl-0.9.8j/ssl/ssl_locl.h	2018-08-13 11:38:11.856203665 +0200
@@ -372,6 +372,7 @@
 				(c)->algo_strength)
 #define SSL_C_EXPORT_PKEYLENGTH(c)	SSL_EXPORT_PKEYLENGTH((c)->algo_strength)
 
+#define MAX_WARN_ALERT_COUNT    5
 
 #define SSL_ALL			0xffffffffL
 #define SSL_ALL_CIPHERS		(SSL_MKEY_MASK|SSL_AUTH_MASK|SSL_ENC_MASK|\
@@ -445,6 +446,8 @@ typedef struct cert_st
 	CERT_PKEY pkeys[SSL_PKEY_NUM];
 
 	int references; /* >1 only if SSL_copy_session_id is used */
+	/* Count of the number of consecutive warning alerts received */
+	unsigned int alert_count;
 	} CERT;
 
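Review bot: The new `alert_count` field is added to CERT but nothing in this patch initialises it; the counter is only ever reset on a non-alert record, so if the CERT allocation or duplication paths do not zero the whole struct, a fresh connection could start with garbage in the field and either abort early or never reach the limit. Confirm that ssl_cert_new and ssl_cert_dup zero-fill the struct (they are outside this patch), or add an explicit `ret->alert_count = 0;` there. I would also extend the field comment to note the sharing caveat the `references` comment above it implies: `/* Count of consecutive warning alerts received; reset by any non-empty non-alert record. Note CERT may be shared when references > 1. */`.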
 
Index: openssl-0.9.8j/ssl/ssl_err.c
===================================================================
--- openssl-0.9.8j.orig/ssl/ssl_err.c	2018-08-13 11:38:11.716202777 +0200
+++ openssl-0.9.8j/ssl/ssl_err.c	2018-10-17 13:00:23.969851540 +0200
@@ -479,6 +479,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
 {ERR_REASON(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST),"tls invalid ecpointformat list"},
 {ERR_REASON(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST),"tls peer did not respond with certificate list"},
 {ERR_REASON(SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG),"tls rsa encrypted value length is wrong"},
+{ERR_REASON(SSL_R_TOO_MANY_WARN_ALERTS), "too many warn alerts"},
 {ERR_REASON(SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER),"tried to use unsupported cipher"},
 {ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS),"unable to decode dh certs"},
 {ERR_REASON(SSL_R_UNABLE_TO_DECODE_ECDH_CERTS),"unable to decode ecdh certs"},