mirror of
git://slackware.nl/current.git
synced 2025-01-14 08:01:11 +01:00
184 lines
6.7 KiB
Diff
184 lines
6.7 KiB
Diff
|
From 4e975e3aec06165e760953f6c51a795f3dcfd1a0 Mon Sep 17 00:00:00 2001
|
||
|
From: Ken Zalewski <ken.zalewski@gmail.com>
|
||
|
Date: Sat, 13 Jul 2024 12:02:52 -0400
|
||
|
Subject: [PATCH] Patch to openssl-1.1.1y. This version addresses two
|
||
|
vulnerabilities: CVE-2024-2511 and CVE-2024-4741
|
||
|
|
||
|
---
|
||
|
include/openssl/opensslv.h | 4 ++--
|
||
|
include/openssl/ssl.h | 2 +-
|
||
|
ssl/record/rec_layer_s3.c | 9 +++++++++
|
||
|
ssl/record/record.h | 1 +
|
||
|
ssl/ssl_lib.c | 8 ++++++--
|
||
|
ssl/ssl_local.h | 2 +-
|
||
|
ssl/ssl_sess.c | 28 ++++++++++++++++++++++------
|
||
|
ssl/statem/statem_srvr.c | 5 ++---
|
||
|
8 files changed, 44 insertions(+), 15 deletions(-)
|
||
|
|
||
|
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
|
||
|
index c16eafd..585109a 100644
|
||
|
--- a/include/openssl/opensslv.h
|
||
|
+++ b/include/openssl/opensslv.h
|
||
|
@@ -39,8 +39,8 @@ extern "C" {
|
||
|
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
|
||
|
* major minor fix final patch/beta)
|
||
|
*/
|
||
|
-# define OPENSSL_VERSION_NUMBER 0x1010118fL
|
||
|
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1x 25 Jan 2024"
|
||
|
+# define OPENSSL_VERSION_NUMBER 0x1010119fL
|
||
|
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1y 27 May 2024"
|
||
|
|
||
|
/*-
|
||
|
* The macros below are to be used for shared library (.so, .dll, ...)
|
||
|
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
|
||
|
index 9af0c89..64eaca3 100644
|
||
|
--- a/include/openssl/ssl.h
|
||
|
+++ b/include/openssl/ssl.h
|
||
|
@@ -1659,7 +1659,7 @@ __owur int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid,
|
||
|
__owur int SSL_SESSION_is_resumable(const SSL_SESSION *s);
|
||
|
|
||
|
__owur SSL_SESSION *SSL_SESSION_new(void);
|
||
|
-__owur SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src);
|
||
|
+__owur SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src);
|
||
|
const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s,
|
||
|
unsigned int *len);
|
||
|
const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *s,
|
||
|
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
|
||
|
index 1db1712..525c3ab 100644
|
||
|
--- a/ssl/record/rec_layer_s3.c
|
||
|
+++ b/ssl/record/rec_layer_s3.c
|
||
|
@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl)
|
||
|
return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
|
||
|
}
|
||
|
|
||
|
+int RECORD_LAYER_data_present(const RECORD_LAYER *rl)
|
||
|
+{
|
||
|
+ if (rl->rstate == SSL_ST_READ_BODY)
|
||
|
+ return 1;
|
||
|
+ if (RECORD_LAYER_processed_read_pending(rl))
|
||
|
+ return 1;
|
||
|
+ return 0;
|
||
|
+}
|
||
|
+
|
||
|
/* Checks if we have decrypted unread record data pending */
|
||
|
int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl)
|
||
|
{
|
||
|
diff --git a/ssl/record/record.h b/ssl/record/record.h
|
||
|
index af56206..513ab39 100644
|
||
|
--- a/ssl/record/record.h
|
||
|
+++ b/ssl/record/record.h
|
||
|
@@ -197,6 +197,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl);
|
||
|
int RECORD_LAYER_read_pending(const RECORD_LAYER *rl);
|
||
|
int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl);
|
||
|
int RECORD_LAYER_write_pending(const RECORD_LAYER *rl);
|
||
|
+int RECORD_LAYER_data_present(const RECORD_LAYER *rl);
|
||
|
void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl);
|
||
|
void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl);
|
||
|
int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl);
|
||
|
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
||
|
index 47adc32..356d65c 100644
|
||
|
--- a/ssl/ssl_lib.c
|
||
|
+++ b/ssl/ssl_lib.c
|
||
|
@@ -3515,9 +3515,10 @@ void ssl_update_cache(SSL *s, int mode)
|
||
|
|
||
|
/*
|
||
|
* If the session_id_length is 0, we are not supposed to cache it, and it
|
||
|
- * would be rather hard to do anyway :-)
|
||
|
+ * would be rather hard to do anyway :-). Also if the session has already
|
||
|
+ * been marked as not_resumable we should not cache it for later reuse.
|
||
|
*/
|
||
|
- if (s->session->session_id_length == 0)
|
||
|
+ if (s->session->session_id_length == 0 || s->session->not_resumable)
|
||
|
return;
|
||
|
|
||
|
/*
|
||
|
@@ -5247,6 +5248,9 @@ int SSL_free_buffers(SSL *ssl)
|
||
|
if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
|
||
|
return 0;
|
||
|
|
||
|
+ if (RECORD_LAYER_data_present(rl))
|
||
|
+ return 0;
|
||
|
+
|
||
|
RECORD_LAYER_release(rl);
|
||
|
return 1;
|
||
|
}
|
||
|
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
|
||
|
index 5c79215..5e73fa4 100644
|
||
|
--- a/ssl/ssl_local.h
|
||
|
+++ b/ssl/ssl_local.h
|
||
|
@@ -2261,7 +2261,7 @@ __owur int ssl_get_new_session(SSL *s, int session);
|
||
|
__owur SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id,
|
||
|
size_t sess_id_len);
|
||
|
__owur int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello);
|
||
|
-__owur SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket);
|
||
|
+__owur SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket);
|
||
|
__owur int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b);
|
||
|
DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
|
||
|
__owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
|
||
|
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
|
||
|
index 68d1737..2b27a47 100644
|
||
|
--- a/ssl/ssl_sess.c
|
||
|
+++ b/ssl/ssl_sess.c
|
||
|
@@ -94,16 +94,11 @@ SSL_SESSION *SSL_SESSION_new(void)
|
||
|
return ss;
|
||
|
}
|
||
|
|
||
|
-SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src)
|
||
|
-{
|
||
|
- return ssl_session_dup(src, 1);
|
||
|
-}
|
||
|
-
|
||
|
/*
|
||
|
* Create a new SSL_SESSION and duplicate the contents of |src| into it. If
|
||
|
* ticket == 0 then no ticket information is duplicated, otherwise it is.
|
||
|
*/
|
||
|
-SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
|
||
|
+static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
|
||
|
{
|
||
|
SSL_SESSION *dest;
|
||
|
|
||
|
@@ -226,6 +221,27 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
|
||
|
return NULL;
|
||
|
}
|
||
|
|
||
|
+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
|
||
|
+{
|
||
|
+ return ssl_session_dup_intern(src, 1);
|
||
|
+}
|
||
|
+
|
||
|
+/*
|
||
|
+ * Used internally when duplicating a session which might be already shared.
|
||
|
+ * We will have resumed the original session. Subsequently we might have marked
|
||
|
+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
|
||
|
+ * resume from.
|
||
|
+ */
|
||
|
+SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
|
||
|
+{
|
||
|
+ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
|
||
|
+
|
||
|
+ if (sess != NULL)
|
||
|
+ sess->not_resumable = 0;
|
||
|
+
|
||
|
+ return sess;
|
||
|
+}
|
||
|
+
|
||
|
const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
|
||
|
{
|
||
|
if (len)
|
||
|
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
|
||
|
index 43f77a5..2f6ce8f 100644
|
||
|
--- a/ssl/statem/statem_srvr.c
|
||
|
+++ b/ssl/statem/statem_srvr.c
|
||
|
@@ -2403,9 +2403,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
|
||
|
* so the following won't overwrite an ID that we're supposed
|
||
|
* to send back.
|
||
|
*/
|
||
|
- if (s->session->not_resumable ||
|
||
|
- (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
|
||
|
- && !s->hit))
|
||
|
+ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
|
||
|
+ && !s->hit)
|
||
|
s->session->session_id_length = 0;
|
||
|
|
||
|
if (usetls13) {
|