10.3/releng-p12.diff - freebsd-patches - Rivoreo Source Code Repositories

 Index: UPDATING
 ===================================================================
 --- UPDATING	(版本 307934)
 +++ UPDATING	(版本 308203)
 @@ -16,6 +16,13 @@
  stable/10, and then rebuild without this option. The bootstrap process from
  older version of current is a bit fragile.

 +20161102	p12	FreeBSD-SA-16:33.openssh
 +			FreeBSD-SA-16:35.openssl
 +
 +	Fix OpenSSH remote Denial of Service vulnerability. [SA-16:33]
 +
 +	Fix OpenSSL remote DoS vulnerability. [SA-16:35]
 +
  20161025	p11	FreeBSD-SA-16:15.sysarch [revised]
  			FreeBSD-EN-16:17.vm

 Index: crypto/openssh/kex.c
 ===================================================================
 --- crypto/openssh/kex.c	(版本 307934)
 +++ crypto/openssh/kex.c	(版本 308203)
 @@ -468,6 +468,7 @@
  	if (kex == NULL)
  		return SSH_ERR_INVALID_ARGUMENT;

 +	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
  	ptr = sshpkt_ptr(ssh, &dlen);
  	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
  		return r;
 Index: crypto/openssl/ssl/d1_pkt.c
 ===================================================================
 --- crypto/openssl/ssl/d1_pkt.c	(版本 307934)
 +++ crypto/openssl/ssl/d1_pkt.c	(版本 308203)
 @@ -924,6 +924,13 @@
          goto start;
      }

 +    /*
 +     * Reset the count of consecutive warning alerts if we've got a non-empty
 +     * record that isn't an alert.
 +     */
 +    if (rr->type != SSL3_RT_ALERT && rr->length != 0)
 +        s->s3->alert_count = 0;
 +
      /* we now have a packet which can be read and processed */

      if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
 @@ -1190,6 +1197,14 @@

          if (alert_level == SSL3_AL_WARNING) {
              s->s3->warn_alert = alert_descr;
 +
 +            s->s3->alert_count++;
 +            if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
 +                al = SSL_AD_UNEXPECTED_MESSAGE;
 +                SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
 +                goto f_err;
 +            }
 +
              if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
  #ifndef OPENSSL_NO_SCTP
                  /*
 Index: crypto/openssl/ssl/s3_pkt.c
 ===================================================================
 --- crypto/openssl/ssl/s3_pkt.c	(版本 307934)
 +++ crypto/openssl/ssl/s3_pkt.c	(版本 308203)
 @@ -1057,6 +1057,13 @@
              return (ret);
      }

 +    /*
 +     * Reset the count of consecutive warning alerts if we've got a non-empty
 +     * record that isn't an alert.
 +     */
 +    if (rr->type != SSL3_RT_ALERT && rr->length != 0)
 +        s->s3->alert_count = 0;
 +
      /* we now have a packet which can be read and processed */

      if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
 @@ -1271,6 +1278,14 @@

          if (alert_level == SSL3_AL_WARNING) {
              s->s3->warn_alert = alert_descr;
 +
 +            s->s3->alert_count++;
 +            if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
 +                al = SSL_AD_UNEXPECTED_MESSAGE;
 +                SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
 +                goto f_err;
 +            }
 +
              if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
                  s->shutdown |= SSL_RECEIVED_SHUTDOWN;
                  return (0);
 Index: crypto/openssl/ssl/ssl.h
 ===================================================================
 --- crypto/openssl/ssl/ssl.h	(版本 307934)
 +++ crypto/openssl/ssl/ssl.h	(版本 308203)
 @@ -2717,6 +2717,7 @@
  # define SSL_R_TLS_HEARTBEAT_PENDING                      366
  # define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL                 367
  # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST             157
 +# define SSL_R_TOO_MANY_WARN_ALERTS                       409
  # define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
  # define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG    234
  # define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER            235
 Index: crypto/openssl/ssl/ssl3.h
 ===================================================================
 --- crypto/openssl/ssl/ssl3.h	(版本 307934)
 +++ crypto/openssl/ssl/ssl3.h	(版本 308203)
 @@ -587,6 +587,8 @@
      char is_probably_safari;
  #   endif                       /* !OPENSSL_NO_EC */
  #  endif                        /* !OPENSSL_NO_TLSEXT */
 +    /* Count of the number of consecutive warning alerts received */
 +    unsigned int alert_count;
  } SSL3_STATE;

  # endif
 Index: crypto/openssl/ssl/ssl_locl.h
 ===================================================================
 --- crypto/openssl/ssl/ssl_locl.h	(版本 307934)
 +++ crypto/openssl/ssl/ssl_locl.h	(版本 308203)
 @@ -389,6 +389,8 @@
   */
  # define SSL_MAX_DIGEST 6

 +# define MAX_WARN_ALERT_COUNT    5
 +
  # define TLS1_PRF_DGST_MASK      (0xff << TLS1_PRF_DGST_SHIFT)

  # define TLS1_PRF_DGST_SHIFT 10
 Index: sys/conf/newvers.sh
 ===================================================================
 --- sys/conf/newvers.sh	(版本 307934)
 +++ sys/conf/newvers.sh	(版本 308203)
 @@ -32,7 +32,7 @@

  TYPE="FreeBSD"
  REVISION="10.3"
 -BRANCH="RELEASE-p11"
 +BRANCH="RELEASE-p12"
  if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
  	BRANCH=${BRANCH_OVERRIDE}
  fi
	Index: UPDATING
	===================================================================
	--- UPDATING (版本 307934)
	+++ UPDATING (版本 308203)
	@@ -16,6 +16,13 @@
	stable/10, and then rebuild without this option. The bootstrap process from
	older version of current is a bit fragile.

	+20161102 p12 FreeBSD-SA-16:33.openssh
	+ FreeBSD-SA-16:35.openssl
	+
	+ Fix OpenSSH remote Denial of Service vulnerability. [SA-16:33]
	+
	+ Fix OpenSSL remote DoS vulnerability. [SA-16:35]
	+
	20161025 p11 FreeBSD-SA-16:15.sysarch [revised]
	FreeBSD-EN-16:17.vm

	Index: crypto/openssh/kex.c
	===================================================================
	--- crypto/openssh/kex.c (版本 307934)
	+++ crypto/openssh/kex.c (版本 308203)
	@@ -468,6 +468,7 @@
	if (kex == NULL)
	return SSH_ERR_INVALID_ARGUMENT;

	+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
	ptr = sshpkt_ptr(ssh, &dlen);
	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
	return r;
	Index: crypto/openssl/ssl/d1_pkt.c
	===================================================================
	--- crypto/openssl/ssl/d1_pkt.c (版本 307934)
	+++ crypto/openssl/ssl/d1_pkt.c (版本 308203)
	@@ -924,6 +924,13 @@
	goto start;
	}

	+ /*
	+ * Reset the count of consecutive warning alerts if we've got a non-empty
	+ * record that isn't an alert.
	+ */
	+ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
	+ s->s3->alert_count = 0;
	+
	/* we now have a packet which can be read and processed */

	if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
	@@ -1190,6 +1197,14 @@

	if (alert_level == SSL3_AL_WARNING) {
	s->s3->warn_alert = alert_descr;
	+
	+ s->s3->alert_count++;
	+ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
	+ al = SSL_AD_UNEXPECTED_MESSAGE;
	+ SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
	+ goto f_err;
	+ }
	+
	if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
	#ifndef OPENSSL_NO_SCTP
	/*
	Index: crypto/openssl/ssl/s3_pkt.c
	===================================================================
	--- crypto/openssl/ssl/s3_pkt.c (版本 307934)
	+++ crypto/openssl/ssl/s3_pkt.c (版本 308203)
	@@ -1057,6 +1057,13 @@
	return (ret);
	}

	+ /*
	+ * Reset the count of consecutive warning alerts if we've got a non-empty
	+ * record that isn't an alert.
	+ */
	+ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
	+ s->s3->alert_count = 0;
	+
	/* we now have a packet which can be read and processed */

	if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
	@@ -1271,6 +1278,14 @@

	if (alert_level == SSL3_AL_WARNING) {
	s->s3->warn_alert = alert_descr;
	+
	+ s->s3->alert_count++;
	+ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
	+ al = SSL_AD_UNEXPECTED_MESSAGE;
	+ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
	+ goto f_err;
	+ }
	+
	if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
	s->shutdown \|= SSL_RECEIVED_SHUTDOWN;
	return (0);
	Index: crypto/openssl/ssl/ssl.h
	===================================================================
	--- crypto/openssl/ssl/ssl.h (版本 307934)
	+++ crypto/openssl/ssl/ssl.h (版本 308203)
	@@ -2717,6 +2717,7 @@
	# define SSL_R_TLS_HEARTBEAT_PENDING 366
	# define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367
	# define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
	+# define SSL_R_TOO_MANY_WARN_ALERTS 409
	# define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
	# define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
	# define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
	Index: crypto/openssl/ssl/ssl3.h
	===================================================================
	--- crypto/openssl/ssl/ssl3.h (版本 307934)
	+++ crypto/openssl/ssl/ssl3.h (版本 308203)
	@@ -587,6 +587,8 @@
	char is_probably_safari;
	# endif /* !OPENSSL_NO_EC */
	# endif /* !OPENSSL_NO_TLSEXT */
	+ /* Count of the number of consecutive warning alerts received */
	+ unsigned int alert_count;
	} SSL3_STATE;

	# endif
	Index: crypto/openssl/ssl/ssl_locl.h
	===================================================================
	--- crypto/openssl/ssl/ssl_locl.h (版本 307934)
	+++ crypto/openssl/ssl/ssl_locl.h (版本 308203)
	@@ -389,6 +389,8 @@
	*/
	# define SSL_MAX_DIGEST 6

	+# define MAX_WARN_ALERT_COUNT 5
	+
	# define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT)

	# define TLS1_PRF_DGST_SHIFT 10
	Index: sys/conf/newvers.sh
	===================================================================
	--- sys/conf/newvers.sh (版本 307934)
	+++ sys/conf/newvers.sh (版本 308203)
	@@ -32,7 +32,7 @@

	TYPE="FreeBSD"
	REVISION="10.3"
	-BRANCH="RELEASE-p11"
	+BRANCH="RELEASE-p12"
	if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
	BRANCH=${BRANCH_OVERRIDE}
	fi