File openssl-CVE-2019-1559.patch of Package compat-openssl098.29205
commit e4f77bf1833245d2b6aa4ce6a16c85e1cdf78589
Author: Matt Caswell <matt@openssl.org>
Date: Thu Apr 23 20:01:33 2015 +0100
Add Error state
Reusing an SSL object when it has encountered a fatal error can
have bad consequences. This is a bug in application code not libssl
but libssl should be more forgiving and not crash.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a89db885e0d8aac3a9df1bbccb0c1ddfd8b2e10a)
Conflicts:
ssl/s3_srvr.c
ssl/ssl_stat.c
Index: openssl-0.9.8j/ssl/s3_srvr.c
===================================================================
--- openssl-0.9.8j.orig/ssl/s3_srvr.c
+++ openssl-0.9.8j/ssl/s3_srvr.c
@@ -210,6 +210,7 @@ int ssl3_accept(SSL *s)
if ((s->version>>8) != 3)
{
SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
+ s->state = SSL_ST_ERR;
return -1;
}
s->type=SSL_ST_ACCEPT;
@@ -219,11 +220,13 @@ int ssl3_accept(SSL *s)
if ((buf=BUF_MEM_new()) == NULL)
{
ret= -1;
+ s->state = SSL_ST_ERR;
goto end;
}
if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
{
ret= -1;
+ s->state = SSL_ST_ERR;
goto end;
}
s->init_buf=buf;
@@ -232,6 +235,7 @@ int ssl3_accept(SSL *s)
if (!ssl3_setup_buffers(s))
{
ret= -1;
+ s->state = SSL_ST_ERR;
goto end;
}
@@ -243,7 +247,11 @@ int ssl3_accept(SSL *s)
/* Ok, we now need to push on a buffering BIO so that
* the output is sent in a way that TCP likes :-)
*/
- if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
+ if (!ssl_init_wbio_buffer(s,1)) {
+ ret= -1;
+ s->state = SSL_ST_ERR;
+ goto end;
+ }
ssl3_init_finished_mac(s);
s->state=SSL3_ST_SR_CLNT_HELLO_A;
@@ -259,6 +267,7 @@ int ssl3_accept(SSL *s)
SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
ret = -1;
+ s->state = SSL_ST_ERR;
goto end;
}
else
@@ -552,8 +561,11 @@ int ssl3_accept(SSL *s)
case SSL3_ST_SW_CHANGE_B:
s->session->cipher=s->s3->tmp.new_cipher;
- if (!s->method->ssl3_enc->setup_key_block(s))
- { ret= -1; goto end; }
+ if (!s->method->ssl3_enc->setup_key_block(s)) {
+ ret= -1;
+ s->state = SSL_ST_ERR;
+ goto end;
+ }
ret=ssl3_send_change_cipher_spec(s,
SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
@@ -566,6 +578,7 @@ int ssl3_accept(SSL *s)
SSL3_CHANGE_CIPHER_SERVER_WRITE))
{
ret= -1;
+ s->state = SSL_ST_ERR;
goto end;
}
@@ -618,6 +631,7 @@ int ssl3_accept(SSL *s)
goto end;
/* break; */
+ case SSL_ST_ERR:
default:
SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE);
ret= -1;
@@ -1116,8 +1130,9 @@ int ssl3_get_client_hello(SSL *s)
{
f_err:
ssl3_send_alert(s,SSL3_AL_FATAL,al);
- }
err:
+ s->state = SSL_ST_ERR;
+ }
if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers);
return(ret);
}
@@ -1135,8 +1150,10 @@ int ssl3_send_server_hello(SSL *s)
p=s->s3->server_random;
Time=(unsigned long)time(NULL); /* Time */
l2n(Time,p);
- if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+ if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) {
+ s->state = SSL_ST_ERR;
return -1;
+ }
/* Do the message type and length last */
d=p= &(buf[4]);
@@ -1170,6 +1187,7 @@ int ssl3_send_server_hello(SSL *s)
if (sl > (int)sizeof(s->session->session_id))
{
SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
+ s->state = SSL_ST_ERR;
return -1;
}
*(p++)=sl;
@@ -1193,6 +1211,7 @@ int ssl3_send_server_hello(SSL *s)
if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
{
SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
+ s->state = SSL_ST_ERR;
return -1;
}
#endif
@@ -1656,6 +1675,7 @@ err:
BN_CTX_free(bn_ctx);
#endif
EVP_MD_CTX_cleanup(&md_ctx);
+ s->state = SSL_ST_ERR;
return(-1);
}
@@ -1745,6 +1765,7 @@ int ssl3_send_certificate_request(SSL *s
/* SSL3_ST_SW_CERT_REQ_B */
return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
err:
+ s->state = SSL_ST_ERR;
return(-1);
}
@@ -2369,6 +2390,7 @@ err:
EC_KEY_free(srvr_ecdh);
BN_CTX_free(bn_ctx);
#endif
+ s->state = SSL_ST_ERR;
return(-1);
}
@@ -2521,6 +2543,7 @@ int ssl3_get_cert_verify(SSL *s)
{
f_err:
ssl3_send_alert(s,SSL3_AL_FATAL,al);
+ s->state = SSL_ST_ERR;
}
end:
EVP_PKEY_free(pkey);
@@ -2676,8 +2699,9 @@ int ssl3_get_client_certificate(SSL *s)
{
f_err:
ssl3_send_alert(s,SSL3_AL_FATAL,al);
- }
err:
+ s->state = SSL_ST_ERR;
+ }
if (x != NULL) X509_free(x);
if (sk != NULL) sk_X509_pop_free(sk,X509_free);
return(ret);
@@ -2698,6 +2722,7 @@ int ssl3_send_server_certificate(SSL *s)
!= (SSL_aKRB5|SSL_kKRB5))
{
SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
+ s->state = SSL_ST_ERR;
return(0);
}
@@ -2777,13 +2802,15 @@ static int nid2curve_id(int nid)
#ifndef OPENSSL_NO_TLSEXT
int ssl3_send_newsession_ticket(SSL *s)
{
+ unsigned char *senc = NULL;
+ EVP_CIPHER_CTX ctx;
+ HMAC_CTX hctx;
+
if (s->state == SSL3_ST_SW_SESSION_TICKET_A)
{
- unsigned char *p, *senc, *macstart;
+ unsigned char *p, *macstart;
int len, slen;
unsigned int hlen;
- EVP_CIPHER_CTX ctx;
- HMAC_CTX hctx;
SSL_CTX *tctx = s->initial_ctx;
unsigned char iv[EVP_MAX_IV_LENGTH];
unsigned char key_name[16];
@@ -2793,8 +2820,10 @@ int ssl3_send_newsession_ticket(SSL *s)
/* Some length values are 16 bits, so forget it if session is
* too long
*/
- if (slen > 0xFF00)
+ if (slen == 0 || slen > 0xFF00) {
+ s->state = SSL_ST_ERR;
return -1;
+ }
/* Grow buffer if need be: the length calculation is as
* follows 1 (size of message name) + 3 (message length
* bytes) + 4 (ticket lifetime hint) + 2 (ticket length) +
@@ -2807,18 +2836,23 @@ int ssl3_send_newsession_ticket(SSL *s)
EVP_MAX_MD_SIZE + slen))
return -1;
senc = OPENSSL_malloc(slen);
- if (!senc)
+ if (!senc) {
+ s->state = SSL_ST_ERR;
return -1;
+ }
+
+ EVP_CIPHER_CTX_init(&ctx);
+ HMAC_CTX_init(&hctx);
+
p = senc;
- i2d_SSL_SESSION(s->session, &p);
+ if (!i2d_SSL_SESSION(s->session, &p))
+ goto err;
p=(unsigned char *)s->init_buf->data;
/* do the header */
*(p++)=SSL3_MT_NEWSESSION_TICKET;
/* Skip message length for now */
p += 3;
- EVP_CIPHER_CTX_init(&ctx);
- HMAC_CTX_init(&hctx);
/* Initialize HMAC and cipher contexts. If callback present
* it does all the work otherwise use generated values
* from parent ctx.
@@ -2827,10 +2861,7 @@ int ssl3_send_newsession_ticket(SSL *s)
{
if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
&hctx, 1) < 0)
- {
- OPENSSL_free(senc);
- return -1;
- }
+ goto err;
}
else
{
@@ -2860,6 +2891,8 @@ int ssl3_send_newsession_ticket(SSL *s)
HMAC_Update(&hctx, macstart, p - macstart);
HMAC_Final(&hctx, p, &hlen);
+
+ EVP_CIPHER_CTX_cleanup(&ctx);
HMAC_CTX_cleanup(&hctx);
p += hlen;
@@ -2880,6 +2913,13 @@ int ssl3_send_newsession_ticket(SSL *s)
/* SSL3_ST_SW_SESSION_TICKET_B */
return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
+ err:
+ if (senc)
+ OPENSSL_free(senc);
+ EVP_CIPHER_CTX_cleanup(&ctx);
+ HMAC_CTX_cleanup(&hctx);
+ s->state = SSL_ST_ERR;
+ return -1;
}
int ssl3_send_cert_status(SSL *s)
@@ -2892,8 +2932,10 @@ int ssl3_send_cert_status(SSL *s)
* 1 (ocsp response type) + 3 (ocsp response length)
* + (ocsp response)
*/
- if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen))
- return -1;
+ if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) {
+ s->state = SSL_ST_ERR;
+ return -1;
+ }
p=(unsigned char *)s->init_buf->data;
Index: openssl-0.9.8j/ssl/ssl.h
===================================================================
--- openssl-0.9.8j.orig/ssl/ssl.h
+++ openssl-0.9.8j/ssl/ssl.h
@@ -1100,6 +1100,7 @@ extern "C" {
#define SSL_ST_BEFORE 0x4000
#define SSL_ST_OK 0x03
#define SSL_ST_RENEGOTIATE (0x04|SSL_ST_INIT)
+#define SSL_ST_ERR (0x05|SSL_ST_INIT)
#define SSL_CB_LOOP 0x01
#define SSL_CB_EXIT 0x02
Index: openssl-0.9.8j/ssl/ssl_stat.c
===================================================================
--- openssl-0.9.8j.orig/ssl/ssl_stat.c
+++ openssl-0.9.8j/ssl/ssl_stat.c
@@ -74,6 +74,7 @@ case SSL_ST_BEFORE|SSL_ST_CONNECT: str="
case SSL_ST_OK|SSL_ST_CONNECT: str="ok/connect SSL initialization"; break;
case SSL_ST_BEFORE|SSL_ST_ACCEPT: str="before/accept initialization"; break;
case SSL_ST_OK|SSL_ST_ACCEPT: str="ok/accept SSL initialization"; break;
+case SSL_ST_ERR: str="error"; break;
#ifndef OPENSSL_NO_SSL2
case SSL2_ST_CLIENT_START_ENCRYPTION: str="SSLv2 client start encryption"; break;
case SSL2_ST_SERVER_START_ENCRYPTION: str="SSLv2 server start encryption"; break;
@@ -233,6 +234,7 @@ case SSL_ST_BEFORE: str="PINIT "; bre
case SSL_ST_ACCEPT: str="AINIT "; break;
case SSL_ST_CONNECT: str="CINIT "; break;
case SSL_ST_OK: str="SSLOK "; break;
+case SSL_ST_ERR: str="SSLERR"; break;
#ifndef OPENSSL_NO_SSL2
case SSL2_ST_CLIENT_START_ENCRYPTION: str="2CSENC"; break;
case SSL2_ST_SERVER_START_ENCRYPTION: str="2SSENC"; break;
Index: openssl-0.9.8j/ssl/s3_clnt.c
===================================================================
--- openssl-0.9.8j.orig/ssl/s3_clnt.c
+++ openssl-0.9.8j/ssl/s3_clnt.c
@@ -206,6 +206,7 @@ int ssl3_connect(SSL *s)
if ((s->version & 0xff00 ) != 0x0300)
{
SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR);
+ s->state = SSL_ST_ERR;
ret = -1;
goto end;
}
@@ -218,11 +219,13 @@ int ssl3_connect(SSL *s)
if ((buf=BUF_MEM_new()) == NULL)
{
ret= -1;
+ s->state = SSL_ST_ERR;
goto end;
}
if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
{
ret= -1;
+ s->state = SSL_ST_ERR;
goto end;
}
s->init_buf=buf;
@@ -232,7 +235,11 @@ int ssl3_connect(SSL *s)
if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
/* setup buffing BIO */
- if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
+ if (!ssl_init_wbio_buffer(s,0)) {
+ ret= -1;
+ s->state = SSL_ST_ERR;
+ goto end;
+ }
/* don't push the buffering BIO quite yet */
@@ -323,6 +330,7 @@ int ssl3_connect(SSL *s)
if (!ssl3_check_cert_and_algorithm(s))
{
ret= -1;
+ s->state = SSL_ST_ERR;
goto end;
}
break;
@@ -416,6 +424,7 @@ int ssl3_connect(SSL *s)
if (!s->method->ssl3_enc->setup_key_block(s))
{
ret= -1;
+ s->state = SSL_ST_ERR;
goto end;
}
@@ -423,6 +432,7 @@ int ssl3_connect(SSL *s)
SSL3_CHANGE_CIPHER_CLIENT_WRITE))
{
ret= -1;
+ s->state = SSL_ST_ERR;
goto end;
}
@@ -541,7 +551,8 @@ int ssl3_connect(SSL *s)
goto end;
/* break; */
-
+
+ case SSL_ST_ERR:
default:
SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE);
ret= -1;
@@ -688,6 +699,7 @@ int ssl3_client_hello(SSL *s)
/* SSL3_ST_CW_CLNT_HELLO_B */
return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
err:
+ s->state = SSL_ST_ERR;
return(-1);
}
@@ -891,6 +903,7 @@ int ssl3_get_server_hello(SSL *s)
f_err:
ssl3_send_alert(s,SSL3_AL_FATAL,al);
err:
+ s->state = SSL_ST_ERR;
return(-1);
}
@@ -1078,8 +1091,9 @@ int ssl3_get_server_certificate(SSL *s)
{
f_err:
ssl3_send_alert(s,SSL3_AL_FATAL,al);
- }
err:
+ s->state = SSL_ST_ERR;
+ }
EVP_PKEY_free(pkey);
X509_free(x);
sk_X509_pop_free(sk,X509_free);
@@ -1561,6 +1575,7 @@ err:
EC_KEY_free(ecdh);
#endif
EVP_MD_CTX_cleanup(&md_ctx);
+ s->state = SSL_ST_ERR;
return(-1);
}
@@ -1707,7 +1722,10 @@ cont:
ca_sk=NULL;
ret=1;
+ goto done;
err:
+ s->state = SSL_ST_ERR;
+done:
if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free);
return(ret);
}
@@ -1835,6 +1853,7 @@ int ssl3_get_new_session_ticket(SSL *s)
f_err:
ssl3_send_alert(s,SSL3_AL_FATAL,al);
err:
+ s->state = SSL_ST_ERR;
return(-1);
}
@@ -1904,6 +1923,7 @@ int ssl3_get_cert_status(SSL *s)
return 1;
f_err:
ssl3_send_alert(s,SSL3_AL_FATAL,al);
+ s->state = SSL_ST_ERR;
return(-1);
}
#endif
@@ -1926,6 +1946,7 @@ int ssl3_get_server_done(SSL *s)
/* should contain no data */
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH);
+ s->state = SSL_ST_ERR;
return -1;
}
ret=1;
@@ -2447,6 +2468,7 @@ err:
EC_KEY_free(clnt_ecdh);
EVP_PKEY_free(srvr_pub_pkey);
#endif
+ s->state = SSL_ST_ERR;
return(-1);
}
@@ -2535,6 +2557,7 @@ int ssl3_send_client_verify(SSL *s)
}
return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
err:
+ s->state = SSL_ST_ERR;
return(-1);
}
Index: openssl-0.9.8j/ssl/d1_clnt.c
===================================================================
--- openssl-0.9.8j.orig/ssl/d1_clnt.c
+++ openssl-0.9.8j/ssl/d1_clnt.c
@@ -185,6 +185,7 @@ int dtls1_connect(SSL *s)
{
SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
ret = -1;
+ s->state = SSL_ST_ERR;
goto end;
}
@@ -196,21 +197,31 @@ int dtls1_connect(SSL *s)
if ((buf=BUF_MEM_new()) == NULL)
{
ret= -1;
+ s->state = SSL_ST_ERR;
goto end;
}
if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
{
ret= -1;
+ s->state = SSL_ST_ERR;
goto end;
}
s->init_buf=buf;
buf=NULL;
}
- if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
+ if (!ssl3_setup_buffers(s)) {
+ ret= -1;
+ s->state = SSL_ST_ERR;
+ goto end;
+ }
/* setup buffing BIO */
- if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
+ if (!ssl_init_wbio_buffer(s,0)) {
+ ret= -1;
+ s->state = SSL_ST_ERR;
+ goto end;
+ }
/* don't push the buffering BIO quite yet */
@@ -329,6 +340,7 @@ int dtls1_connect(SSL *s)
if (!ssl3_check_cert_and_algorithm(s))
{
ret= -1;
+ s->state = SSL_ST_ERR;
goto end;
}
break;
@@ -415,6 +427,7 @@ int dtls1_connect(SSL *s)
if (!s->method->ssl3_enc->setup_key_block(s))
{
ret= -1;
+ s->state = SSL_ST_ERR;
goto end;
}
@@ -422,6 +435,7 @@ int dtls1_connect(SSL *s)
SSL3_CHANGE_CIPHER_CLIENT_WRITE))
{
ret= -1;
+ s->state = SSL_ST_ERR;
goto end;
}
@@ -548,7 +562,8 @@ int dtls1_connect(SSL *s)
dtls1_clear_received_buffer(s);
goto end;
/* break; */
-
+
+ case SSL_ST_ERR:
default:
SSLerr(SSL_F_DTLS1_CONNECT,SSL_R_UNKNOWN_STATE);
ret= -1;
@@ -758,6 +773,7 @@ static int dtls1_get_hello_verify(SSL *s
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
+ s->state = SSL_ST_ERR;
return -1;
}
Index: openssl-0.9.8j/ssl/d1_pkt.c
===================================================================
--- openssl-0.9.8j.orig/ssl/d1_pkt.c
+++ openssl-0.9.8j/ssl/d1_pkt.c
@@ -1052,6 +1052,7 @@ start:
ERR_add_error_data(2,"SSL alert number ",tmp);
s->shutdown|=SSL_RECEIVED_SHUTDOWN;
SSL_CTX_remove_session(s->ctx,s->session);
+ s->state = SSL_ST_ERR;
return(0);
}
else
Index: openssl-0.9.8j/ssl/s3_pkt.c
===================================================================
--- openssl-0.9.8j.orig/ssl/s3_pkt.c
+++ openssl-0.9.8j/ssl/s3_pkt.c
@@ -1117,6 +1117,7 @@ start:
ERR_add_error_data(2,"SSL alert number ",tmp);
s->shutdown|=SSL_RECEIVED_SHUTDOWN;
SSL_CTX_remove_session(s->ctx,s->session);
+ s->state = SSL_ST_ERR;
return(0);
}
else
@@ -1339,9 +1340,12 @@ void ssl3_send_alert(SSL *s, int level,
if (s->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION)
desc = SSL_AD_HANDSHAKE_FAILURE; /* SSL 3.0 does not have protocol_version alerts */
if (desc < 0) return;
- /* If a fatal one, remove from cache */
- if ((level == 2) && (s->session != NULL))
- SSL_CTX_remove_session(s->ctx,s->session);
+ /* If a fatal one, remove from cache and go into the error state */
+ if (level == SSL3_AL_FATAL) {
+ if (s->session != NULL)
+ SSL_CTX_remove_session(s->session_ctx, s->session);
+ s->state = SSL_ST_ERR;
+ }
s->s3->alert_dispatch=1;
s->s3->send_alert[0]=level;
