Patch openssl for CVE-2014-0160

TritonDataCenter · Apr 8, 2014 · 8e8a100 · 8e8a100
1 parent 193fed3
commit 8e8a100
Show file tree

Hide file tree

Showing 4 changed files with 98 additions and 0 deletions.
diff --git a/security/openssl/Makefile b/security/openssl/Makefile
@@ -2,6 +2,7 @@
 
 DISTNAME=	openssl-1.0.1f
 MASTER_SITES=	http://ftp.openssl.org/source/
+PKGREVISION=	1
 SVR4_PKGNAME=	ossl
 CATEGORIES=	security
 

diff --git a/security/openssl/distinfo b/security/openssl/distinfo
@@ -31,3 +31,5 @@ SHA1 (patch-doc_ssl_SSL__set__session.pod) = e4d8442f4fc827520ca20f108050fcd6314
 SHA1 (patch-doc_ssl_SSL__shutdown.pod) = 21682f3385a66ba8f0ebd11bb9bb3c6198352783
 SHA1 (patch-doc_ssl_SSL__write.pod) = 67efd6d0de0a0db34c18c62e4a939c0ea49442ca
 SHA1 (patch-engines_ccgost_Makefile) = 08999f0f40969883482ad9ffc1aa9959ed7d402c
+SHA1 (patch-ssl_d1__both.c) = b9489cbffb0ddaf3ddd63bc414b223a3f815ba7e
+SHA1 (patch-ssl_t1__lib.c) = 259741a4004a1cc39805501f8a237779e6cdb93b
diff --git a/security/openssl/patches/patch-ssl_d1__both.c b/security/openssl/patches/patch-ssl_d1__both.c
@@ -0,0 +1,63 @@
+$NetBSD$
+
+Patch for CVE-2014-0160.
+
+--- ssl/d1_both.c.orig	2013-02-11 15:26:04.000000000 +0000
++++ ssl/d1_both.c
+@@ -1452,26 +1452,36 @@ dtls1_process_heartbeat(SSL *s)
+ 	unsigned int payload;
+ 	unsigned int padding = 16; /* Use minimum padding */
+
+-	/* Read type and payload length first */
+-	hbtype = *p++;
+-	n2s(p, payload);
+-	pl = p;
+-
+ 	if (s->msg_callback)
+ 		s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
+ 			&s->s3->rrec.data[0], s->s3->rrec.length,
+ 			s, s->msg_callback_arg);
+
++	/* Read type and payload length first */
++	if (1 + 2 + 16 > s->s3->rrec.length)
++		return 0; /* silently discard */
++	hbtype = *p++;
++	n2s(p, payload);
++	if (1 + 2 + payload + 16 > s->s3->rrec.length)
++		return 0; /* silently discard per RFC 6520 sec. 4 */
++	pl = p;
++
+ 	if (hbtype == TLS1_HB_REQUEST)
+ 		{
+ 		unsigned char *buffer, *bp;
++		unsigned int write_length = 1 /* heartbeat type */ +
++					    2 /* heartbeat length */ +
++					    payload + padding;
+ 		int r;
+
++		if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
++			return 0;
++
+ 		/* Allocate memory for the response, size is 1 byte
+ 		 * message type, plus 2 bytes payload length, plus
+ 		 * payload, plus padding
+ 		 */
+-		buffer = OPENSSL_malloc(1 + 2 + payload + padding);
++		buffer = OPENSSL_malloc(write_length);
+ 		bp = buffer;
+
+ 		/* Enter response type, length and copy payload */
+@@ -1482,11 +1492,11 @@ dtls1_process_heartbeat(SSL *s)
+ 		/* Random padding */
+ 		RAND_pseudo_bytes(bp, padding);
+
+-		r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
++		r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length);
+
+ 		if (r >= 0 && s->msg_callback)
+ 			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
+-				buffer, 3 + payload + padding,
++				buffer, write_length,
+ 				s, s->msg_callback_arg);
+
+ 		OPENSSL_free(buffer);
diff --git a/security/openssl/patches/patch-ssl_t1__lib.c b/security/openssl/patches/patch-ssl_t1__lib.c
@@ -0,0 +1,32 @@
+$NetBSD$
+
+Patch for CVE-2014-0160.
+
+--- ssl/t1_lib.c.orig	2013-02-11 15:26:04.000000000 +0000
++++ ssl/t1_lib.c
+@@ -2486,16 +2486,20 @@ tls1_process_heartbeat(SSL *s)
+ 	unsigned int payload;
+ 	unsigned int padding = 16; /* Use minimum padding */
+
+-	/* Read type and payload length first */
+-	hbtype = *p++;
+-	n2s(p, payload);
+-	pl = p;
+-
+ 	if (s->msg_callback)
+ 		s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
+ 			&s->s3->rrec.data[0], s->s3->rrec.length,
+ 			s, s->msg_callback_arg);
+
++	/* Read type and payload length first */
++	if (1 + 2 + 16 > s->s3->rrec.length)
++		return 0; /* silently discard */
++	hbtype = *p++;
++	n2s(p, payload);
++	if (1 + 2 + payload + 16 > s->s3->rrec.length)
++		return 0; /* silently discard per RFC 6520 sec. 4 */
++	pl = p;
++
+ 	if (hbtype == TLS1_HB_REQUEST)
+ 		{
+ 		unsigned char *buffer, *bp;