svn commit: r295322 - in user/cperciva/freebsd-update-build/patches: 10.1-RELEASE 10.2-RELEASE 9.3-RELEASE
Gleb Smirnoff
glebius at FreeBSD.org
Fri Feb 5 16:48:04 UTC 2016
Author: glebius
Date: Fri Feb 5 16:48:03 2016
New Revision: 295322
URL: https://svnweb.freebsd.org/changeset/base/295322
Log:
Save patches for SA-16:11.
Added:
user/cperciva/freebsd-update-build/patches/10.1-RELEASE/29-SA-16:11.openssl
user/cperciva/freebsd-update-build/patches/10.2-RELEASE/12-SA-16:11.openssl
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/36-SA-16:11.openssl
Added: user/cperciva/freebsd-update-build/patches/10.1-RELEASE/29-SA-16:11.openssl
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/10.1-RELEASE/29-SA-16:11.openssl Fri Feb 5 16:48:03 2016 (r295322)
@@ -0,0 +1,43 @@
+Index: crypto/openssl/ssl/s2_srvr.c
+===================================================================
+--- crypto/openssl/ssl/s2_srvr.c (revision 294905)
++++ crypto/openssl/ssl/s2_srvr.c (working copy)
+@@ -392,7 +392,7 @@ static int get_client_master_key(SSL *s)
+ }
+
+ cp=ssl2_get_cipher_by_char(p);
+- if (cp == NULL)
++ if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0)
+ {
+ ssl2_return_error(s,SSL2_PE_NO_CIPHER);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
+@@ -690,9 +690,12 @@ static int get_client_hello(SSL *s)
+ prio = cs;
+ allow = cl;
+ }
+- for (z=0; z<sk_SSL_CIPHER_num(prio); z++)
++ /* Generate list of SSLv2 ciphers shared between client and server */
++ for (z = 0; z < sk_SSL_CIPHER_num(prio); z++)
+ {
+- if (sk_SSL_CIPHER_find(allow,sk_SSL_CIPHER_value(prio,z)) < 0)
++ const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z);
++ if ((cp->algorithm_ssl & SSL_SSLV2) == 0 ||
++ sk_SSL_CIPHER_find(allow, cp) < 0)
+ {
+ (void)sk_SSL_CIPHER_delete(prio,z);
+ z--;
+@@ -703,6 +706,14 @@ static int get_client_hello(SSL *s)
+ sk_SSL_CIPHER_free(s->session->ciphers);
+ s->session->ciphers = prio;
+ }
++
++ /* Make sure we have at least one cipher in common */
++ if (sk_SSL_CIPHER_num(s->session->ciphers) == 0)
++ {
++ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
++ SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH);
++ return -1;
++ }
+ /* s->session->ciphers should now have a list of
+ * ciphers that are on both the client and server.
+ * This list is ordered by the order the client sent
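Review bot: The empty-list guard added at the end of the get_client_hello change tests `sk_SSL_CIPHER_num(s->session->ciphers) == 0`, but sk_SSL_CIPHER_num() returns -1 for a NULL stack, so a NULL list would slip past it. Whether the list can be NULL at that point is not visible here, because get_client_hello starts and ends outside the embedded hunks. Writing the condition as `if (sk_SSL_CIPHER_num(s->session->ciphers) <= 0)` would cover both cases. The new membership test in get_client_master_key also deserves a comment such as `/* reject a cipher that is not in the list negotiated in get_client_hello() */`, since its correctness depends on the filtering done there. Both points apply equally to the 10.2-RELEASE and 9.3-RELEASE patch files added in this commit.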
Added: user/cperciva/freebsd-update-build/patches/10.2-RELEASE/12-SA-16:11.openssl
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/10.2-RELEASE/12-SA-16:11.openssl Fri Feb 5 16:48:03 2016 (r295322)
@@ -0,0 +1,41 @@
+Index: crypto/openssl/ssl/s2_srvr.c
+===================================================================
+--- crypto/openssl/ssl/s2_srvr.c (revision 294905)
++++ crypto/openssl/ssl/s2_srvr.c (working copy)
+@@ -402,7 +402,7 @@ static int get_client_master_key(SSL *s)
+ }
+
+ cp = ssl2_get_cipher_by_char(p);
+- if (cp == NULL) {
++ if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0) {
+ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
+ return (-1);
+@@ -687,8 +687,12 @@ static int get_client_hello(SSL *s)
+ prio = cs;
+ allow = cl;
+ }
++
++ /* Generate list of SSLv2 ciphers shared between client and server */
+ for (z = 0; z < sk_SSL_CIPHER_num(prio); z++) {
+- if (sk_SSL_CIPHER_find(allow, sk_SSL_CIPHER_value(prio, z)) < 0) {
++ const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z);
++ if ((cp->algorithm_ssl & SSL_SSLV2) == 0 ||
++ sk_SSL_CIPHER_find(allow, cp) < 0) {
+ (void)sk_SSL_CIPHER_delete(prio, z);
+ z--;
+ }
+@@ -697,6 +701,13 @@ static int get_client_hello(SSL *s)
+ sk_SSL_CIPHER_free(s->session->ciphers);
+ s->session->ciphers = prio;
+ }
++
++ /* Make sure we have at least one cipher in common */
++ if (sk_SSL_CIPHER_num(s->session->ciphers) == 0) {
++ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
++ SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH);
++ return -1;
++ }
+ /*
+ * s->session->ciphers should now have a list of ciphers that are on
+ * both the client and server. This list is ordered by the order the
Added: user/cperciva/freebsd-update-build/patches/9.3-RELEASE/36-SA-16:11.openssl
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/9.3-RELEASE/36-SA-16:11.openssl Fri Feb 5 16:48:03 2016 (r295322)
@@ -0,0 +1,43 @@
+Index: crypto/openssl/ssl/s2_srvr.c
+===================================================================
+--- crypto/openssl/ssl/s2_srvr.c (revision 294905)
++++ crypto/openssl/ssl/s2_srvr.c (working copy)
+@@ -392,7 +392,7 @@ static int get_client_master_key(SSL *s)
+ }
+
+ cp=ssl2_get_cipher_by_char(p);
+- if (cp == NULL)
++ if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0)
+ {
+ ssl2_return_error(s,SSL2_PE_NO_CIPHER);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
+@@ -690,9 +690,12 @@ static int get_client_hello(SSL *s)
+ prio = cs;
+ allow = cl;
+ }
+- for (z=0; z<sk_SSL_CIPHER_num(prio); z++)
++ /* Generate list of SSLv2 ciphers shared between client and server */
++ for (z = 0; z < sk_SSL_CIPHER_num(prio); z++)
+ {
+- if (sk_SSL_CIPHER_find(allow,sk_SSL_CIPHER_value(prio,z)) < 0)
++ const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z);
++ if ((cp->algorithms & SSL_SSLV2) == 0 ||
++ sk_SSL_CIPHER_find(allow, cp) < 0)
+ {
+ (void)sk_SSL_CIPHER_delete(prio,z);
+ z--;
+@@ -703,6 +706,14 @@ static int get_client_hello(SSL *s)
+ sk_SSL_CIPHER_free(s->session->ciphers);
+ s->session->ciphers = prio;
+ }
++
++ /* Make sure we have at least one cipher in common */
++ if (sk_SSL_CIPHER_num(s->session->ciphers) == 0)
++ {
++ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
++ SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH);
++ return -1;
++ }
+ /* s->session->ciphers should now have a list of
+ * ciphers that are on both the client and server.
+ * This list is ordered by the order the client sent