aboutsummaryrefslogtreecommitdiffstats
path: root/main/openssl
diff options
context:
space:
mode:
Diffstat (limited to 'main/openssl')
-rw-r--r--main/openssl/APKBUILD48
-rw-r--r--main/openssl/CVE-2016-0797.patch125
-rw-r--r--main/openssl/CVE-2016-2177.patch279
-rw-r--r--main/openssl/CVE-2016-2178.patch104
-rw-r--r--main/openssl/CVE-2016-2179.patch253
-rw-r--r--main/openssl/CVE-2016-2180.patch38
-rw-r--r--main/openssl/CVE-2016-2181.patch351
-rw-r--r--main/openssl/CVE-2016-2182.patch104
-rw-r--r--main/openssl/CVE-2016-6302.patch51
-rw-r--r--main/openssl/CVE-2016-6303.patch31
10 files changed, 8 insertions, 1376 deletions
diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD
index 475a52e278..f1a36aad8a 100644
--- a/main/openssl/APKBUILD
+++ b/main/openssl/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Timo Teras <timo.teras@iki.fi>
pkgname=openssl
-pkgver=1.0.2h
-pkgrel=4
+pkgver=1.0.2i
+pkgrel=0
pkgdesc="Toolkit for SSL v2/v3 and TLS v1"
url="http://openssl.org"
depends=
@@ -27,14 +27,6 @@ source="http://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz
1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
1002-backport-changes-from-upstream-padlock-module.patch
1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
- CVE-2016-2177.patch
- CVE-2016-2178.patch
- CVE-2016-2179.patch
- CVE-2016-2180.patch
- CVE-2016-2181.patch
- CVE-2016-2182.patch
- CVE-2016-6302.patch
- CVE-2016-6303.patch
"
# secfixes:
@@ -142,7 +134,7 @@ libssl() {
done
}
-md5sums="9392e65072ce4b614c1392eefc1f23d0 openssl-1.0.2h.tar.gz
+md5sums="678374e63f8df456a697d3e5e5a931fb openssl-1.0.2i.tar.gz
67bdfe450143a41042d2c318003e963a 0002-busybox-basename.patch
84c03f201f55ca7fbfde364cfdfc9cf4 0003-use-termios.patch
9bb9dffdd871eeccc945494771302cc3 0004-fix-default-ca-path-for-apps.patch
@@ -154,16 +146,8 @@ ed6e779e9799aeb7e029929a5719e631 0005-fix-parallel-build.patch
742ee13d88b13414248f329a09f9a92d 0010-ssl-env-zlib.patch
25091afb907de2b504f8bad6bf70002c 1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
aa16c89b283faf0fe546e3f897279c44 1002-backport-changes-from-upstream-padlock-module.patch
-57cca845e22c178c3b317010be56edf0 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
-1accc0880b6e95726ea9f668808cd8ba CVE-2016-2177.patch
-5c8e962b3d7e0082c1af432f6d0ad221 CVE-2016-2178.patch
-c00ded9884ee5dbe557e1ee4216bd99a CVE-2016-2179.patch
-6d2276c87a17ae8615b47a1dea306d41 CVE-2016-2180.patch
-fec771747e29df875e63bea2bc88f110 CVE-2016-2181.patch
-43c75a464bb6c0110717decb76220778 CVE-2016-2182.patch
-70159524406c4dc59e1c278d556696e8 CVE-2016-6302.patch
-96af7035339f01cebfc26118a6f12795 CVE-2016-6303.patch"
-sha256sums="1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919 openssl-1.0.2h.tar.gz
+57cca845e22c178c3b317010be56edf0 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch"
+sha256sums="9287487d11c9545b6efb287cdb70535d4e9b284dd10d51441d9b9963d000de6f openssl-1.0.2i.tar.gz
b449fb998b5f60a3a1779ac2f432b2c7f08ae52fc6dfa98bca37d735f863d400 0002-busybox-basename.patch
c3e6a9710726dac72e3eeffd78961d3bae67a480f6bde7890e066547da25cdfd 0003-use-termios.patch
1f022ccab9b2e5850f32d2ac75cb617c8ce7b803a4548ce71e82776fe5b15b67 0004-fix-default-ca-path-for-apps.patch
@@ -175,16 +159,8 @@ c934b5d1a2cb58b5235da2dfee423f0f66bb83e1d479f511b444751899637c37 0007-reimpleme
fa2e3101ca7c6daed7ea063860d586424be7590b1cec4302bc2beee1a3c6039f 0010-ssl-env-zlib.patch
2eddcb7ab342285cb637ce6b6be143cca835f449f35dd9bb8c7b9167ba2117a7 1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
aee88a24622ce9d71e38deeb874e58435dcf8ff5690f56194f0e4a00fb09b260 1002-backport-changes-from-upstream-padlock-module.patch
-c10b8aaf56a4f4f79ca195fc587e0bb533f643e777d7a3e6fb0350399a6060ea 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
-e321860623758c8a98b15dfa0b4671244e2cff34b5c62a489c43437d1053ed06 CVE-2016-2177.patch
-7abe837d39953d0c0f694013a54f444e6f9ca0db8b98ca8aaf1d58683086784e CVE-2016-2178.patch
-707bd694d828178ed6b5855a06ad70052f4c113c26f5ac2cb92133a82c0109e7 CVE-2016-2179.patch
-fa906541a97bf0dbb1faa600055e28a1515b073f8c2b607edbcbbb53bdd97c99 CVE-2016-2180.patch
-8fa93d64990cccef800faebe892bbb9a7ffff48f049e16964f4362618bec4aa2 CVE-2016-2181.patch
-9bf8bf766cd6784ca50fcd99f45ebf2c57e8a821fa05644ce3b70e673f83ed53 CVE-2016-2182.patch
-5751fb95b74a4a6b6091ad034a4e5919ff5e5eb186321cac82a8ab590abe76bc CVE-2016-6302.patch
-3fccf95efbd51dff85cd4a04d5c589c6c06dee5cfa8d428edf93c378d106fb1e CVE-2016-6303.patch"
-sha512sums="780601f6f3f32f42b6d7bbc4c593db39a3575f9db80294a10a68b2b0bb79448d9bd529ca700b9977354cbdfc65887c76af0aa7b90d3ee421f74ab53e6f15c303 openssl-1.0.2h.tar.gz
+c10b8aaf56a4f4f79ca195fc587e0bb533f643e777d7a3e6fb0350399a6060ea 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch"
+sha512sums="41764debd5d64e4e770945f30d682e2c887d9cefb39b358c5c7f9d2cdce34393ed28d49b24e95c4639db2df01c278cbcde71bed2b03f9aafafc76766b03850e3 openssl-1.0.2i.tar.gz
2244f46cb18e6b98f075051dd2446c47f7590abccd108fbab707f168a20cad8d32220d704635973f09e3b2879f523be5160f1ffbc12ab3900f8a8891dc855c5c 0002-busybox-basename.patch
58e42058a0c8086c49d681b1e226da39a8cf8cb88c51cf739dec2ff12e1bb5d7208ac5033264b186d58e9bdfe992fe9ddb95701d01caf1824396b2cefe30c0a4 0003-use-termios.patch
c67472879a31b5dbdd313892df6d37e7c93e8c0237d406c30d50b1016c2618ead3c13277f5dc723ef1ceed092d36e3c15a9777daa844f59b9fa2b0a4f04fd9ae 0004-fix-default-ca-path-for-apps.patch
@@ -196,12 +172,4 @@ fc4e383ec85c6543e4e82520904122a5a5601c68042ece1e95a0cae95e02d89174f06f78ba2f8aac
5febe20948e3f12d981e378e1f4ea538711657aacb6865a1aa91339d4a04277e250f490a1f2abc2c6f290bdc2b1bffdba1d00983b4c09f7ea983eef8163f9420 0010-ssl-env-zlib.patch
8c181760d7a149aa18d246d50f1c0438ffb63c98677b05306dfc00400ad0429b47d31e7c8d85126005c67f743d23e7a8a81174ffe98556f4caf9cf6b04d9ff17 1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
a3555440b5f544bfd6b9ad97557d8f4c1d673f6a35219f65056a72035d186be5f354717ddf9784899b602464d48657b090ade24379552d43af97609c0f48c389 1002-backport-changes-from-upstream-padlock-module.patch
-6353c7a94016c20db5d683dde37775f6780952ecdb1a5f39f878d04ba37f6ad79ae10fb6d65d181d912505a5d1e22463004cd855d548b364c00b120da2b0fdbc 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
-6e149213d1c4cbab06e0aedeb04562f96c1430e6e8f9b9836ff4ddd79da361db2bcfbdf83f6615369e8feaaefecfc0dc5f9cee3b56c2eeeca57233a2daf25d2c CVE-2016-2177.patch
-9a90ee6b6329dea17a70c6cd62fbf349289b4beab74137adc2448c54652501c2ff47694b9154da6e610e8b947ff2070e0460fe2754b62301a6a439e16eb6fd1b CVE-2016-2178.patch
-02e0f2dfcb13f22b42c3945af5a8c81d4dd12b4c73b1e30de1dd54b6af8d460b15a0d05011fce3168696f39f9a72b126cc7e8c9cd1e889a1f6c37bc5bc329820 CVE-2016-2179.patch
-6c330a4a204311b21c0319de4fae7ff99819d462313cb36b4486d3e322d1d7c6393392308ff6c9f7b5a7c070584be46de232a940626ff979db88656299c87d48 CVE-2016-2180.patch
-995b2780aaaaf5b56851ab670df2c52ce1cede06e235a380d337cb40785f36677e4456b90b7782f40447c4aedcb8be00b08caf05ada5a2b95c90e073e6316970 CVE-2016-2181.patch
-f6a30bdbe6c2bf21b5dcd9a79fe25207c8c8df9e928935bbc84f65a2aa6719d316c5afca320df107cc5c46027859624fbad7a4f41d3d1447a9658e9949614152 CVE-2016-2182.patch
-fe88218c57fa8382a565d921d54f6bc20c89b5a63ebf9c80b941095baa76f102152c584ee15aac7e284f71e2bd7d04c621af9ade7719f87b69cb19caf22f823c CVE-2016-6302.patch
-9f3f6f9c2be8830f444c7045a7d54d35461a665b48a6227015bc7fff10f9220d2814a3a045461e57af5b753b90738113e43d916fca28dda6e47519a4564f1f63 CVE-2016-6303.patch"
+6353c7a94016c20db5d683dde37775f6780952ecdb1a5f39f878d04ba37f6ad79ae10fb6d65d181d912505a5d1e22463004cd855d548b364c00b120da2b0fdbc 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch"
diff --git a/main/openssl/CVE-2016-0797.patch b/main/openssl/CVE-2016-0797.patch
deleted file mode 100644
index e6f2028dce..0000000000
--- a/main/openssl/CVE-2016-0797.patch
+++ /dev/null
@@ -1,125 +0,0 @@
-From c175308407858afff3fc8c2e5e085d94d12edc7d Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Mon, 22 Feb 2016 10:27:18 +0000
-Subject: [PATCH] Fix BN_hex2bn/BN_dec2bn NULL ptr/heap corruption
-
-In the BN_hex2bn function the number of hex digits is calculated using
-an int value |i|. Later |bn_expand| is called with a value of |i * 4|.
-For large values of |i| this can result in |bn_expand| not allocating any
-memory because |i * 4| is negative. This leaves ret->d as NULL leading
-to a subsequent NULL ptr deref. For very large values of |i|, the
-calculation |i * 4| could be a positive value smaller than |i|. In this
-case memory is allocated to ret->d, but it is insufficiently sized
-leading to heap corruption. A similar issue exists in BN_dec2bn.
-
-This could have security consequences if BN_hex2bn/BN_dec2bn is ever
-called by user applications with very large untrusted hex/dec data. This is
-anticipated to be a rare occurrence.
-
-All OpenSSL internal usage of this function uses data that is not expected
-to be untrusted, e.g. config file data or application command line
-arguments. If user developed applications generate config file data based
-on untrusted data then it is possible that this could also lead to security
-consequences. This is also anticipated to be a rare.
-
-Issue reported by Guido Vranken.
-
-CVE-2016-0797
-
-Reviewed-by: Andy Polyakov <appro@openssl.org>
----
- crypto/bn/bn.h | 14 ++++++++++++--
- crypto/bn/bn_print.c | 17 +++++++++++++----
- 2 files changed, 25 insertions(+), 6 deletions(-)
-
-diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h
-index 5696965..86264ae 100644
---- a/crypto/bn/bn.h
-+++ b/crypto/bn/bn.h
-@@ -125,6 +125,7 @@
- #ifndef HEADER_BN_H
- # define HEADER_BN_H
-
-+# include <limits.h>
- # include <openssl/e_os2.h>
- # ifndef OPENSSL_NO_FP_API
- # include <stdio.h> /* FILE */
-@@ -721,8 +722,17 @@ const BIGNUM *BN_get0_nist_prime_521(void);
-
- /* library internal functions */
-
--# define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\
-- (a):bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2))
-+# define bn_expand(a,bits) \
-+ ( \
-+ bits > (INT_MAX - BN_BITS2 + 1) ? \
-+ NULL \
-+ : \
-+ (((bits+BN_BITS2-1)/BN_BITS2) <= (a)->dmax) ? \
-+ (a) \
-+ : \
-+ bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2) \
-+ )
-+
- # define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words)))
- BIGNUM *bn_expand2(BIGNUM *a, int words);
- # ifndef OPENSSL_NO_DEPRECATED
-diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
-index ab10b95..bfa31ef 100644
---- a/crypto/bn/bn_print.c
-+++ b/crypto/bn/bn_print.c
-@@ -58,6 +58,7 @@
-
- #include <stdio.h>
- #include <ctype.h>
-+#include <limits.h>
- #include "cryptlib.h"
- #include <openssl/buffer.h>
- #include "bn_lcl.h"
-@@ -189,7 +190,11 @@ int BN_hex2bn(BIGNUM **bn, const char *a)
- a++;
- }
-
-- for (i = 0; isxdigit((unsigned char)a[i]); i++) ;
-+ for (i = 0; i <= (INT_MAX/4) && isxdigit((unsigned char)a[i]); i++)
-+ continue;
-+
-+ if (i > INT_MAX/4)
-+ goto err;
-
- num = i + neg;
- if (bn == NULL)
-@@ -204,7 +209,7 @@ int BN_hex2bn(BIGNUM **bn, const char *a)
- BN_zero(ret);
- }
-
-- /* i is the number of hex digests; */
-+ /* i is the number of hex digits */
- if (bn_expand(ret, i * 4) == NULL)
- goto err;
-
-@@ -260,7 +265,11 @@ int BN_dec2bn(BIGNUM **bn, const char *a)
- a++;
- }
-
-- for (i = 0; isdigit((unsigned char)a[i]); i++) ;
-+ for (i = 0; i <= (INT_MAX/4) && isdigit((unsigned char)a[i]); i++)
-+ continue;
-+
-+ if (i > INT_MAX/4)
-+ goto err;
-
- num = i + neg;
- if (bn == NULL)
-@@ -278,7 +287,7 @@ int BN_dec2bn(BIGNUM **bn, const char *a)
- BN_zero(ret);
- }
-
-- /* i is the number of digests, a bit of an over expand; */
-+ /* i is the number of digits, a bit of an over expand */
- if (bn_expand(ret, i * 4) == NULL)
- goto err;
-
---
-1.9.1
-
diff --git a/main/openssl/CVE-2016-2177.patch b/main/openssl/CVE-2016-2177.patch
deleted file mode 100644
index ca934c20a6..0000000000
--- a/main/openssl/CVE-2016-2177.patch
+++ /dev/null
@@ -1,279 +0,0 @@
-From a004e72b95835136d3f1ea90517f706c24c03da7 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Thu, 5 May 2016 11:10:26 +0100
-Subject: [PATCH] Avoid some undefined pointer arithmetic
-
-A common idiom in the codebase is:
-
-if (p + len > limit)
-{
- return; /* Too long */
-}
-
-Where "p" points to some malloc'd data of SIZE bytes and
-limit == p + SIZE
-
-"len" here could be from some externally supplied data (e.g. from a TLS
-message).
-
-The rules of C pointer arithmetic are such that "p + len" is only well
-defined where len <= SIZE. Therefore the above idiom is actually
-undefined behaviour.
-
-For example this could cause problems if some malloc implementation
-provides an address for "p" such that "p + len" actually overflows for
-values of len that are too big and therefore p + len < limit!
-
-Issue reported by Guido Vranken.
-
-CVE-2016-2177
-
-Reviewed-by: Rich Salz <rsalz@openssl.org>
----
- ssl/s3_srvr.c | 14 +++++++-------
- ssl/ssl_sess.c | 2 +-
- ssl/t1_lib.c | 56 ++++++++++++++++++++++++++++++--------------------------
- 3 files changed, 38 insertions(+), 34 deletions(-)
-
-diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
-index ab28702..ab7f690 100644
---- a/ssl/s3_srvr.c
-+++ b/ssl/s3_srvr.c
-@@ -980,7 +980,7 @@ int ssl3_get_client_hello(SSL *s)
-
- session_length = *(p + SSL3_RANDOM_SIZE);
-
-- if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) {
-+ if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
- goto f_err;
-@@ -998,7 +998,7 @@ int ssl3_get_client_hello(SSL *s)
- /* get the session-id */
- j = *(p++);
-
-- if (p + j > d + n) {
-+ if ((d + n) - p < j) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
- goto f_err;
-@@ -1054,14 +1054,14 @@ int ssl3_get_client_hello(SSL *s)
-
- if (SSL_IS_DTLS(s)) {
- /* cookie stuff */
-- if (p + 1 > d + n) {
-+ if ((d + n) - p < 1) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
- goto f_err;
- }
- cookie_len = *(p++);
-
-- if (p + cookie_len > d + n) {
-+ if ((d + n ) - p < cookie_len) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
- goto f_err;
-@@ -1131,7 +1131,7 @@ int ssl3_get_client_hello(SSL *s)
- }
- }
-
-- if (p + 2 > d + n) {
-+ if ((d + n ) - p < 2) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
- goto f_err;
-@@ -1145,7 +1145,7 @@ int ssl3_get_client_hello(SSL *s)
- }
-
- /* i bytes of cipher data + 1 byte for compression length later */
-- if ((p + i + 1) > (d + n)) {
-+ if ((d + n) - p < i + 1) {
- /* not enough data */
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
-@@ -1211,7 +1211,7 @@ int ssl3_get_client_hello(SSL *s)
-
- /* compression */
- i = *(p++);
-- if ((p + i) > (d + n)) {
-+ if ((d + n) - p < i) {
- /* not enough data */
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
-diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
-index b182998..54ee783 100644
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
-@@ -573,7 +573,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
- int r;
- #endif
-
-- if (session_id + len > limit) {
-+ if (limit - session_id < len) {
- fatal = 1;
- goto err;
- }
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index fb64607..cdac011 100644
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -1867,11 +1867,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
- 0x02, 0x03, /* SHA-1/ECDSA */
- };
-
-- if (data >= (limit - 2))
-+ if (limit - data <= 2)
- return;
- data += 2;
-
-- if (data > (limit - 4))
-+ if (limit - data < 4)
- return;
- n2s(data, type);
- n2s(data, size);
-@@ -1879,7 +1879,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
- if (type != TLSEXT_TYPE_server_name)
- return;
-
-- if (data + size > limit)
-+ if (limit - data < size)
- return;
- data += size;
-
-@@ -1887,7 +1887,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
- const size_t len1 = sizeof(kSafariExtensionsBlock);
- const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
-
-- if (data + len1 + len2 != limit)
-+ if (limit - data != (int)(len1 + len2))
- return;
- if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
- return;
-@@ -1896,7 +1896,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
- } else {
- const size_t len = sizeof(kSafariExtensionsBlock);
-
-- if (data + len != limit)
-+ if (limit - data != (int)(len))
- return;
- if (memcmp(data, kSafariExtensionsBlock, len) != 0)
- return;
-@@ -2053,19 +2053,19 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
- if (data == limit)
- goto ri_check;
-
-- if (data > (limit - 2))
-+ if (limit - data < 2)
- goto err;
-
- n2s(data, len);
-
-- if (data + len != limit)
-+ if (limit - data != len)
- goto err;
-
-- while (data <= (limit - 4)) {
-+ while (limit - data >= 4) {
- n2s(data, type);
- n2s(data, size);
-
-- if (data + size > (limit))
-+ if (limit - data < size)
- goto err;
- # if 0
- fprintf(stderr, "Received extension type %d size %d\n", type, size);
-@@ -2472,18 +2472,18 @@ static int ssl_scan_clienthello_custom_tlsext(SSL *s,
- if (s->hit || s->cert->srv_ext.meths_count == 0)
- return 1;
-
-- if (data >= limit - 2)
-+ if (limit - data <= 2)
- return 1;
- n2s(data, len);
-
-- if (data > limit - len)
-+ if (limit - data < len)
- return 1;
-
-- while (data <= limit - 4) {
-+ while (limit - data >= 4) {
- n2s(data, type);
- n2s(data, size);
-
-- if (data + size > limit)
-+ if (limit - data < size)
- return 1;
- if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0)
- return 0;
-@@ -2569,20 +2569,20 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
- SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
- # endif
-
-- if (data >= (d + n - 2))
-+ if ((d + n) - data <= 2)
- goto ri_check;
-
- n2s(data, length);
-- if (data + length != d + n) {
-+ if ((d + n) - data != length) {
- *al = SSL_AD_DECODE_ERROR;
- return 0;
- }
-
-- while (data <= (d + n - 4)) {
-+ while ((d + n) - data >= 4) {
- n2s(data, type);
- n2s(data, size);
-
-- if (data + size > (d + n))
-+ if ((d + n) - data < size)
- goto ri_check;
-
- if (s->tlsext_debug_cb)
-@@ -3307,29 +3307,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
- /* Skip past DTLS cookie */
- if (SSL_IS_DTLS(s)) {
- i = *(p++);
-- p += i;
-- if (p >= limit)
-+
-+ if (limit - p <= i)
- return -1;
-+
-+ p += i;
- }
- /* Skip past cipher list */
- n2s(p, i);
-- p += i;
-- if (p >= limit)
-+ if (limit - p <= i)
- return -1;
-+ p += i;
-+
- /* Skip past compression algorithm list */
- i = *(p++);
-- p += i;
-- if (p > limit)
-+ if (limit - p < i)
- return -1;
-+ p += i;
-+
- /* Now at start of extensions */
-- if ((p + 2) >= limit)
-+ if (limit - p <= 2)
- return 0;
- n2s(p, i);
-- while ((p + 4) <= limit) {
-+ while (limit - p >= 4) {
- unsigned short type, size;
- n2s(p, type);
- n2s(p, size);
-- if (p + size > limit)
-+ if (limit - p < size)
- return 0;
- if (type == TLSEXT_TYPE_session_ticket) {
- int r;
---
-1.9.1
-
diff --git a/main/openssl/CVE-2016-2178.patch b/main/openssl/CVE-2016-2178.patch
deleted file mode 100644
index 8b8f46eab0..0000000000
--- a/main/openssl/CVE-2016-2178.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From 621eaf49a289bfac26d4cbcdb7396e796784c534 Mon Sep 17 00:00:00 2001
-From: Cesar Pereida <cesar.pereida@aalto.fi>
-Date: Mon, 23 May 2016 12:45:25 +0300
-Subject: [PATCH] Fix DSA, preserve BN_FLG_CONSTTIME
-
-Operations in the DSA signing algorithm should run in constant time in
-order to avoid side channel attacks. A flaw in the OpenSSL DSA
-implementation means that a non-constant time codepath is followed for
-certain operations. This has been demonstrated through a cache-timing
-attack to be sufficient for an attacker to recover the private DSA key.
-
-CVE-2016-2178
-
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
----
- crypto/dsa/dsa_ossl.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
-index efc4f1b..b29eb4b 100644
---- a/crypto/dsa/dsa_ossl.c
-+++ b/crypto/dsa/dsa_ossl.c
-@@ -248,9 +248,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
- if (!BN_rand_range(&k, dsa->q))
- goto err;
- while (BN_is_zero(&k)) ;
-- if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
-- BN_set_flags(&k, BN_FLG_CONSTTIME);
-- }
-
- if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
- if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
-@@ -279,9 +276,12 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
- }
-
- K = &kq;
-+
-+ BN_set_flags(K, BN_FLG_CONSTTIME);
- } else {
- K = &k;
- }
-+
- DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
- dsa->method_mont_p);
- if (!BN_mod(r, r, dsa->q, ctx))
---
-1.9.1
-
-From b7d0f2834e139a20560d64c73e2565e93715ce2b Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 7 Jun 2016 09:12:51 +0100
-Subject: [PATCH] More fix DSA, preserve BN_FLG_CONSTTIME
-
-The previous "fix" still left "k" exposed to constant time problems in
-the later BN_mod_inverse() call. Ensure both k and kq have the
-BN_FLG_CONSTTIME flag set at the earliest opportunity after creation.
-
-CVE-2016-2178
-
-Reviewed-by: Rich Salz <rsalz@openssl.org>
----
- crypto/dsa/dsa_ossl.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
-index b29eb4b..58013a4 100644
---- a/crypto/dsa/dsa_ossl.c
-+++ b/crypto/dsa/dsa_ossl.c
-@@ -247,7 +247,12 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
- do
- if (!BN_rand_range(&k, dsa->q))
- goto err;
-- while (BN_is_zero(&k)) ;
-+ while (BN_is_zero(&k));
-+
-+ if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
-+ BN_set_flags(&k, BN_FLG_CONSTTIME);
-+ }
-+
-
- if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
- if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
-@@ -261,6 +266,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
- if (!BN_copy(&kq, &k))
- goto err;
-
-+ BN_set_flags(&kq, BN_FLG_CONSTTIME);
-+
- /*
- * We do not want timing information to leak the length of k, so we
- * compute g^k using an equivalent exponent of fixed length. (This
-@@ -276,8 +283,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
- }
-
- K = &kq;
--
-- BN_set_flags(K, BN_FLG_CONSTTIME);
- } else {
- K = &k;
- }
---
-1.9.1
-
diff --git a/main/openssl/CVE-2016-2179.patch b/main/openssl/CVE-2016-2179.patch
deleted file mode 100644
index 1511cc77a9..0000000000
--- a/main/openssl/CVE-2016-2179.patch
+++ /dev/null
@@ -1,253 +0,0 @@
-From 26f2c5774f117aea588e8f31fad38bcf14e83bec Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Thu, 30 Jun 2016 13:17:08 +0100
-Subject: [PATCH] Fix DTLS buffered message DoS attack
-
-DTLS can handle out of order record delivery. Additionally since
-handshake messages can be bigger than will fit into a single packet, the
-messages can be fragmented across multiple records (as with normal TLS).
-That means that the messages can arrive mixed up, and we have to
-reassemble them. We keep a queue of buffered messages that are "from the
-future", i.e. messages we're not ready to deal with yet but have arrived
-early. The messages held there may not be full yet - they could be one
-or more fragments that are still in the process of being reassembled.
-
-The code assumes that we will eventually complete the reassembly and
-when that occurs the complete message is removed from the queue at the
-point that we need to use it.
-
-However, DTLS is also tolerant of packet loss. To get around that DTLS
-messages can be retransmitted. If we receive a full (non-fragmented)
-message from the peer after previously having received a fragment of
-that message, then we ignore the message in the queue and just use the
-non-fragmented version. At that point the queued message will never get
-removed.
-
-Additionally the peer could send "future" messages that we never get to
-in order to complete the handshake. Each message has a sequence number
-(starting from 0). We will accept a message fragment for the current
-message sequence number, or for any sequence up to 10 into the future.
-However if the Finished message has a sequence number of 2, anything
-greater than that in the queue is just left there.
-
-So, in those two ways we can end up with "orphaned" data in the queue
-that will never get removed - except when the connection is closed. At
-that point all the queues are flushed.
-
-An attacker could seek to exploit this by filling up the queues with
-lots of large messages that are never going to be used in order to
-attempt a DoS by memory exhaustion.
-
-I will assume that we are only concerned with servers here. It does not
-seem reasonable to be concerned about a memory exhaustion attack on a
-client. They are unlikely to process enough connections for this to be
-an issue.
-
-A "long" handshake with many messages might be 5 messages long (in the
-incoming direction), e.g. ClientHello, Certificate, ClientKeyExchange,
-CertificateVerify, Finished. So this would be message sequence numbers 0
-to 4. Additionally we can buffer up to 10 messages in the future.
-Therefore the maximum number of messages that an attacker could send
-that could get orphaned would typically be 15.
-
-The maximum size that a DTLS message is allowed to be is defined by
-max_cert_list, which by default is 100k. Therefore the maximum amount of
-"orphaned" memory per connection is 1500k.
-
-Message sequence numbers get reset after the Finished message, so
-renegotiation will not extend the maximum number of messages that can be
-orphaned per connection.
-
-As noted above, the queues do get cleared when the connection is closed.
-Therefore in order to mount an effective attack, an attacker would have
-to open many simultaneous connections.
-
-Issue reported by Quan Luo.
-
-CVE-2016-2179
-
-Reviewed-by: Richard Levitte <levitte@openssl.org>
----
- ssl/d1_both.c | 32 ++++++++++++++++----------------
- ssl/d1_clnt.c | 1 +
- ssl/d1_lib.c | 37 ++++++++++++++++++++++++++-----------
- ssl/d1_srvr.c | 3 ++-
- ssl/ssl_locl.h | 3 ++-
- 5 files changed, 47 insertions(+), 29 deletions(-)
-
-diff --git a/ssl/d1_both.c b/ssl/d1_both.c
-index 5d2c209..46c70d8 100644
---- a/ssl/d1_both.c
-+++ b/ssl/d1_both.c
-@@ -618,11 +618,23 @@ static int dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
- int al;
-
- *ok = 0;
-- item = pqueue_peek(s->d1->buffered_messages);
-- if (item == NULL)
-- return 0;
-+ do {
-+ item = pqueue_peek(s->d1->buffered_messages);
-+ if (item == NULL)
-+ return 0;
-+
-+ frag = (hm_fragment *)item->data;
-+
-+ if (frag->msg_header.seq < s->d1->handshake_read_seq) {
-+ /* This is a stale message that has been buffered so clear it */
-+ pqueue_pop(s->d1->buffered_messages);
-+ dtls1_hm_fragment_free(frag);
-+ pitem_free(item);
-+ item = NULL;
-+ frag = NULL;
-+ }
-+ } while (item == NULL);
-
-- frag = (hm_fragment *)item->data;
-
- /* Don't return if reassembly still in progress */
- if (frag->reassembly != NULL)
-@@ -1296,18 +1308,6 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
- return ret;
- }
-
--/* call this function when the buffered messages are no longer needed */
--void dtls1_clear_record_buffer(SSL *s)
--{
-- pitem *item;
--
-- for (item = pqueue_pop(s->d1->sent_messages);
-- item != NULL; item = pqueue_pop(s->d1->sent_messages)) {
-- dtls1_hm_fragment_free((hm_fragment *)item->data);
-- pitem_free(item);
-- }
--}
--
- unsigned char *dtls1_set_message_header(SSL *s, unsigned char *p,
- unsigned char mt, unsigned long len,
- unsigned long frag_off,
-diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
-index 3ddfa7b..7e2f5c2 100644
---- a/ssl/d1_clnt.c
-+++ b/ssl/d1_clnt.c
-@@ -769,6 +769,7 @@ int dtls1_connect(SSL *s)
- /* done with handshaking */
- s->d1->handshake_read_seq = 0;
- s->d1->next_handshake_write_seq = 0;
-+ dtls1_clear_received_buffer(s);
- goto end;
- /* break; */
-
-diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
-index ee78921..debd4fd 100644
---- a/ssl/d1_lib.c
-+++ b/ssl/d1_lib.c
-@@ -170,7 +170,6 @@ int dtls1_new(SSL *s)
- static void dtls1_clear_queues(SSL *s)
- {
- pitem *item = NULL;
-- hm_fragment *frag = NULL;
- DTLS1_RECORD_DATA *rdata;
-
- while ((item = pqueue_pop(s->d1->unprocessed_rcds.q)) != NULL) {
-@@ -191,28 +190,44 @@ static void dtls1_clear_queues(SSL *s)
- pitem_free(item);
- }
-
-+ while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) {
-+ rdata = (DTLS1_RECORD_DATA *)item->data;
-+ if (rdata->rbuf.buf) {
-+ OPENSSL_free(rdata->rbuf.buf);
-+ }
-+ OPENSSL_free(item->data);
-+ pitem_free(item);
-+ }
-+
-+ dtls1_clear_received_buffer(s);
-+ dtls1_clear_sent_buffer(s);
-+}
-+
-+void dtls1_clear_received_buffer(SSL *s)
-+{
-+ pitem *item = NULL;
-+ hm_fragment *frag = NULL;
-+
- while ((item = pqueue_pop(s->d1->buffered_messages)) != NULL) {
- frag = (hm_fragment *)item->data;
- dtls1_hm_fragment_free(frag);
- pitem_free(item);
- }
-+}
-+
-+void dtls1_clear_sent_buffer(SSL *s)
-+{
-+ pitem *item = NULL;
-+ hm_fragment *frag = NULL;
-
- while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) {
- frag = (hm_fragment *)item->data;
- dtls1_hm_fragment_free(frag);
- pitem_free(item);
- }
--
-- while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) {
-- rdata = (DTLS1_RECORD_DATA *)item->data;
-- if (rdata->rbuf.buf) {
-- OPENSSL_free(rdata->rbuf.buf);
-- }
-- OPENSSL_free(item->data);
-- pitem_free(item);
-- }
- }
-
-+
- void dtls1_free(SSL *s)
- {
- ssl3_free(s);
-@@ -456,7 +471,7 @@ void dtls1_stop_timer(SSL *s)
- BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
- &(s->d1->next_timeout));
- /* Clear retransmission buffer */
-- dtls1_clear_record_buffer(s);
-+ dtls1_clear_sent_buffer(s);
- }
-
- int dtls1_check_timeout_num(SSL *s)
-diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
-index e677d88..bc875b5 100644
---- a/ssl/d1_srvr.c
-+++ b/ssl/d1_srvr.c
-@@ -313,7 +313,7 @@ int dtls1_accept(SSL *s)
- case SSL3_ST_SW_HELLO_REQ_B:
-
- s->shutdown = 0;
-- dtls1_clear_record_buffer(s);
-+ dtls1_clear_sent_buffer(s);
- dtls1_start_timer(s);
- ret = ssl3_send_hello_request(s);
- if (ret <= 0)
-@@ -894,6 +894,7 @@ int dtls1_accept(SSL *s)
- /* next message is server hello */
- s->d1->handshake_write_seq = 0;
- s->d1->next_handshake_write_seq = 0;
-+ dtls1_clear_received_buffer(s);
- goto end;
- /* break; */
-
-diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
-index 3dd2a54..e358031 100644
---- a/ssl/ssl_locl.h
-+++ b/ssl/ssl_locl.h
-@@ -1248,7 +1248,8 @@ int dtls1_retransmit_message(SSL *s, unsigned short seq,
- unsigned long frag_off, int *found);
- int dtls1_get_queue_priority(unsigned short seq, int is_ccs);
- int dtls1_retransmit_buffered_messages(SSL *s);
--void dtls1_clear_record_buffer(SSL *s);
-+void dtls1_clear_received_buffer(SSL *s);
-+void dtls1_clear_sent_buffer(SSL *s);
- void dtls1_get_message_header(unsigned char *data,
- struct hm_header_st *msg_hdr);
- void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr);
---
-1.9.1
-
diff --git a/main/openssl/CVE-2016-2180.patch b/main/openssl/CVE-2016-2180.patch
deleted file mode 100644
index 4974b6d4fa..0000000000
--- a/main/openssl/CVE-2016-2180.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 0ed26acce328ec16a3aa635f1ca37365e8c7403a Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve@openssl.org>
-Date: Thu, 21 Jul 2016 15:24:16 +0100
-Subject: [PATCH] Fix OOB read in TS_OBJ_print_bio().
-
-TS_OBJ_print_bio() misuses OBJ_txt2obj: it should print the result
-as a null terminated buffer. The length value returned is the total
-length the complete text reprsentation would need not the amount of
-data written.
-
-CVE-2016-2180
-
-Thanks to Shi Lei for reporting this bug.
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
----
- crypto/ts/ts_lib.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/ts/ts_lib.c b/crypto/ts/ts_lib.c
-index bde1bd7..e18f1f3 100644
---- a/crypto/ts/ts_lib.c
-+++ b/crypto/ts/ts_lib.c
-@@ -40,9 +40,8 @@ int TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj)
- {
- char obj_txt[128];
-
-- int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
-- BIO_write(bio, obj_txt, len);
-- BIO_write(bio, "\n", 1);
-+ OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
-+ BIO_printf(bio, "%s\n", obj_txt);
-
- return 1;
- }
---
-2.9.3
-
diff --git a/main/openssl/CVE-2016-2181.patch b/main/openssl/CVE-2016-2181.patch
deleted file mode 100644
index 7caafda767..0000000000
--- a/main/openssl/CVE-2016-2181.patch
+++ /dev/null
@@ -1,351 +0,0 @@
-From 20744f6b40b5ded059a848f66d6ba922f2a62eb3 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 5 Jul 2016 11:46:26 +0100
-Subject: [PATCH] Fix DTLS unprocessed records bug
-
-During a DTLS handshake we may get records destined for the next epoch
-arrive before we have processed the CCS. In that case we can't decrypt or
-verify the record yet, so we buffer it for later use. When we do receive
-the CCS we work through the queue of unprocessed records and process them.
-
-Unfortunately the act of processing wipes out any existing packet data
-that we were still working through. This includes any records from the new
-epoch that were in the same packet as the CCS. We should only process the
-buffered records if we've not got any data left.
-
-Reviewed-by: Richard Levitte <levitte@openssl.org>
----
- ssl/d1_pkt.c | 23 +++++++++++++++++++++--
- 1 file changed, 21 insertions(+), 2 deletions(-)
-
-diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
-index fe30ec7..1fb119d 100644
---- a/ssl/d1_pkt.c
-+++ b/ssl/d1_pkt.c
-@@ -319,6 +319,7 @@ static int dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue)
- static int dtls1_process_buffered_records(SSL *s)
- {
- pitem *item;
-+ SSL3_BUFFER *rb;
-
- item = pqueue_peek(s->d1->unprocessed_rcds.q);
- if (item) {
-@@ -326,6 +327,19 @@ static int dtls1_process_buffered_records(SSL *s)
- if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
- return (1); /* Nothing to do. */
-
-+ rb = &s->s3->rbuf;
-+
-+ if (rb->left > 0) {
-+ /*
-+ * We've still got data from the current packet to read. There could
-+ * be a record from the new epoch in it - so don't overwrite it
-+ * with the unprocessed records yet (we'll do it when we've
-+ * finished reading the current packet).
-+ */
-+ return 1;
-+ }
-+
-+
- /* Process all the records. */
- while (pqueue_peek(s->d1->unprocessed_rcds.q)) {
- dtls1_get_unprocessed_record(s);
-@@ -581,6 +595,7 @@ int dtls1_get_record(SSL *s)
-
- rr = &(s->s3->rrec);
-
-+ again:
- /*
- * The epoch may have changed. If so, process all the pending records.
- * This is a non-blocking operation.
-@@ -593,7 +608,6 @@ int dtls1_get_record(SSL *s)
- return 1;
-
- /* get something from the wire */
-- again:
- /* check if we have the header */
- if ((s->rstate != SSL_ST_READ_BODY) ||
- (s->packet_length < DTLS1_RT_HEADER_LENGTH)) {
-@@ -1830,8 +1844,13 @@ static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
- if (rr->epoch == s->d1->r_epoch)
- return &s->d1->bitmap;
-
-- /* Only HM and ALERT messages can be from the next epoch */
-+ /*
-+ * Only HM and ALERT messages can be from the next epoch and only if we
-+ * have already processed all of the unprocessed records from the last
-+ * epoch
-+ */
- else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) &&
-+ s->d1->unprocessed_rcds.epoch != s->d1->r_epoch &&
- (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) {
- *is_next_epoch = 1;
- return &s->d1->next_bitmap;
---
-1.9.1
-
-From 3884b47b7c255c2e94d9b387ee83c7e8bb981258 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 5 Jul 2016 12:04:37 +0100
-Subject: [PATCH] Fix DTLS replay protection
-
-The DTLS implementation provides some protection against replay attacks
-in accordance with RFC6347 section 4.1.2.6.
-
-A sliding "window" of valid record sequence numbers is maintained with
-the "right" hand edge of the window set to the highest sequence number we
-have received so far. Records that arrive that are off the "left" hand
-edge of the window are rejected. Records within the window are checked
-against a list of records received so far. If we already received it then
-we also reject the new record.
-
-If we have not already received the record, or the sequence number is off
-the right hand edge of the window then we verify the MAC of the record.
-If MAC verification fails then we discard the record. Otherwise we mark
-the record as received. If the sequence number was off the right hand edge
-of the window, then we slide the window along so that the right hand edge
-is in line with the newly received sequence number.
-
-Records may arrive for future epochs, i.e. a record from after a CCS being
-sent, can arrive before the CCS does if the packets get re-ordered. As we
-have not yet received the CCS we are not yet in a position to decrypt or
-validate the MAC of those records. OpenSSL places those records on an
-unprocessed records queue. It additionally updates the window immediately,
-even though we have not yet verified the MAC. This will only occur if
-currently in a handshake/renegotiation.
-
-This could be exploited by an attacker by sending a record for the next
-epoch (which does not have to decrypt or have a valid MAC), with a very
-large sequence number. This means the right hand edge of the window is
-moved very far to the right, and all subsequent legitimate packets are
-dropped causing a denial of service.
-
-A similar effect can be achieved during the initial handshake. In this
-case there is no MAC key negotiated yet. Therefore an attacker can send a
-message for the current epoch with a very large sequence number. The code
-will process the record as normal. If the hanshake message sequence number
-(as opposed to the record sequence number that we have been talking about
-so far) is in the future then the injected message is bufferred to be
-handled later, but the window is still updated. Therefore all subsequent
-legitimate handshake records are dropped. This aspect is not considered a
-security issue because there are many ways for an attacker to disrupt the
-initial handshake and prevent it from completing successfully (e.g.
-injection of a handshake message will cause the Finished MAC to fail and
-the handshake to be aborted). This issue comes about as a result of trying
-to do replay protection, but having no integrity mechanism in place yet.
-Does it even make sense to have replay protection in epoch 0? That
-issue isn't addressed here though.
-
-This addressed an OCAP Audit issue.
-
-CVE-2016-2181
-
-Reviewed-by: Richard Levitte <levitte@openssl.org>
----
- ssl/d1_pkt.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++------------
- ssl/ssl.h | 1 +
- ssl/ssl_err.c | 4 +++-
- 3 files changed, 52 insertions(+), 13 deletions(-)
-
-diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
-index 1fb119d..589bf9e 100644
---- a/ssl/d1_pkt.c
-+++ b/ssl/d1_pkt.c
-@@ -194,7 +194,7 @@ static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
- #endif
- static int dtls1_buffer_record(SSL *s, record_pqueue *q,
- unsigned char *priority);
--static int dtls1_process_record(SSL *s);
-+static int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap);
-
- /* copy buffered record into SSL structure */
- static int dtls1_copy_record(SSL *s, pitem *item)
-@@ -320,13 +320,18 @@ static int dtls1_process_buffered_records(SSL *s)
- {
- pitem *item;
- SSL3_BUFFER *rb;
-+ SSL3_RECORD *rr;
-+ DTLS1_BITMAP *bitmap;
-+ unsigned int is_next_epoch;
-+ int replayok = 1;
-
- item = pqueue_peek(s->d1->unprocessed_rcds.q);
- if (item) {
- /* Check if epoch is current. */
- if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
-- return (1); /* Nothing to do. */
-+ return 1; /* Nothing to do. */
-
-+ rr = &s->s3->rrec;
- rb = &s->s3->rbuf;
-
- if (rb->left > 0) {
-@@ -343,11 +348,41 @@ static int dtls1_process_buffered_records(SSL *s)
- /* Process all the records. */
- while (pqueue_peek(s->d1->unprocessed_rcds.q)) {
- dtls1_get_unprocessed_record(s);
-- if (!dtls1_process_record(s))
-- return (0);
-+ bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
-+ if (bitmap == NULL) {
-+ /*
-+ * Should not happen. This will only ever be NULL when the
-+ * current record is from a different epoch. But that cannot
-+ * be the case because we already checked the epoch above
-+ */
-+ SSLerr(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS,
-+ ERR_R_INTERNAL_ERROR);
-+ return 0;
-+ }
-+#ifndef OPENSSL_NO_SCTP
-+ /* Only do replay check if no SCTP bio */
-+ if (!BIO_dgram_is_sctp(SSL_get_rbio(s)))
-+#endif
-+ {
-+ /*
-+ * Check whether this is a repeat, or aged record. We did this
-+ * check once already when we first received the record - but
-+ * we might have updated the window since then due to
-+ * records we subsequently processed.
-+ */
-+ replayok = dtls1_record_replay_check(s, bitmap);
-+ }
-+
-+ if (!replayok || !dtls1_process_record(s, bitmap)) {
-+ /* dump this record */
-+ rr->length = 0;
-+ s->packet_length = 0;
-+ continue;
-+ }
-+
- if (dtls1_buffer_record(s, &(s->d1->processed_rcds),
- s->s3->rrec.seq_num) < 0)
-- return -1;
-+ return 0;
- }
- }
-
-@@ -358,7 +393,7 @@ static int dtls1_process_buffered_records(SSL *s)
- s->d1->processed_rcds.epoch = s->d1->r_epoch;
- s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1;
-
-- return (1);
-+ return 1;
- }
-
- #if 0
-@@ -405,7 +440,7 @@ static int dtls1_get_buffered_record(SSL *s)
-
- #endif
-
--static int dtls1_process_record(SSL *s)
-+static int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
- {
- int i, al;
- int enc_err;
-@@ -565,6 +600,10 @@ static int dtls1_process_record(SSL *s)
-
- /* we have pulled in a full packet so zero things */
- s->packet_length = 0;
-+
-+ /* Mark receipt of record. */
-+ dtls1_record_bitmap_update(s, bitmap);
-+
- return (1);
-
- f_err:
-@@ -600,7 +639,7 @@ int dtls1_get_record(SSL *s)
- * The epoch may have changed. If so, process all the pending records.
- * This is a non-blocking operation.
- */
-- if (dtls1_process_buffered_records(s) < 0)
-+ if (!dtls1_process_buffered_records(s))
- return -1;
-
- /* if we're renegotiating, then there may be buffered records */
-@@ -735,20 +774,17 @@ int dtls1_get_record(SSL *s)
- if (dtls1_buffer_record
- (s, &(s->d1->unprocessed_rcds), rr->seq_num) < 0)
- return -1;
-- /* Mark receipt of record. */
-- dtls1_record_bitmap_update(s, bitmap);
- }
- rr->length = 0;
- s->packet_length = 0;
- goto again;
- }
-
-- if (!dtls1_process_record(s)) {
-+ if (!dtls1_process_record(s, bitmap)) {
- rr->length = 0;
- s->packet_length = 0; /* dump this record */
- goto again; /* get another record */
- }
-- dtls1_record_bitmap_update(s, bitmap); /* Mark receipt of record. */
-
- return (1);
-
-diff --git a/ssl/ssl.h b/ssl/ssl.h
-index 028681a..4cbac9a 100644
---- a/ssl/ssl.h
-+++ b/ssl/ssl.h
-@@ -2615,6 +2615,7 @@ void ERR_load_SSL_strings(void);
- # define SSL_F_DTLS1_HEARTBEAT 305
- # define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255
- # define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288
-+# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS 404
- # define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256
- # define SSL_F_DTLS1_PROCESS_RECORD 257
- # define SSL_F_DTLS1_READ_BYTES 258
-diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
-index 704088d..79aaf1a 100644
---- a/ssl/ssl_err.c
-+++ b/ssl/ssl_err.c
-@@ -1,6 +1,6 @@
- /* ssl/ssl_err.c */
- /* ====================================================================
-- * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved.
-+ * Copyright (c) 1999-2016 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
-@@ -93,6 +93,8 @@ static ERR_STRING_DATA SSL_str_functs[] = {
- {ERR_FUNC(SSL_F_DTLS1_HEARTBEAT), "dtls1_heartbeat"},
- {ERR_FUNC(SSL_F_DTLS1_OUTPUT_CERT_CHAIN), "dtls1_output_cert_chain"},
- {ERR_FUNC(SSL_F_DTLS1_PREPROCESS_FRAGMENT), "DTLS1_PREPROCESS_FRAGMENT"},
-+ {ERR_FUNC(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS),
-+ "DTLS1_PROCESS_BUFFERED_RECORDS"},
- {ERR_FUNC(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE),
- "DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE"},
- {ERR_FUNC(SSL_F_DTLS1_PROCESS_RECORD), "DTLS1_PROCESS_RECORD"},
---
-1.9.1
-
-From 26aebca74e38ae09f673c2045cc8e2ef762d265a Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Wed, 17 Aug 2016 17:55:36 +0100
-Subject: [PATCH] Update function error code
-
-A function error code needed updating due to merge issues.
-
-Reviewed-by: Richard Levitte <levitte@openssl.org>
----
- ssl/ssl.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ssl/ssl.h b/ssl/ssl.h
-index 4cbac9a..2638755 100644
---- a/ssl/ssl.h
-+++ b/ssl/ssl.h
-@@ -2615,7 +2615,7 @@ void ERR_load_SSL_strings(void);
- # define SSL_F_DTLS1_HEARTBEAT 305
- # define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255
- # define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288
--# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS 404
-+# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS 424
- # define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256
- # define SSL_F_DTLS1_PROCESS_RECORD 257
- # define SSL_F_DTLS1_READ_BYTES 258
---
-1.9.1
-
diff --git a/main/openssl/CVE-2016-2182.patch b/main/openssl/CVE-2016-2182.patch
deleted file mode 100644
index b966748404..0000000000
--- a/main/openssl/CVE-2016-2182.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From e36f27ddb80a48e579783bc29fb3758988342b71 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve@openssl.org>
-Date: Fri, 5 Aug 2016 14:26:03 +0100
-Subject: [PATCH] Check for errors in BN_bn2dec()
-
-If an oversize BIGNUM is presented to BN_bn2dec() it can cause
-BN_div_word() to fail and not reduce the value of 't' resulting
-in OOB writes to the bn_data buffer and eventually crashing.
-
-Fix by checking return value of BN_div_word() and checking writes
-don't overflow buffer.
-
-Thanks to Shi Lei for reporting this bug.
-
-CVE-2016-2182
-
-Reviewed-by: Tim Hudson <tjh@openssl.org>
-(cherry picked from commit 07bed46f332fce8c1d157689a2cdf915a982ae34)
-
-Conflicts:
- crypto/bn/bn_print.c
----
- crypto/bn/bn_print.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
-index bfa31ef..b44403e 100644
---- a/crypto/bn/bn_print.c
-+++ b/crypto/bn/bn_print.c
-@@ -111,6 +111,7 @@ char *BN_bn2dec(const BIGNUM *a)
- char *p;
- BIGNUM *t = NULL;
- BN_ULONG *bn_data = NULL, *lp;
-+ int bn_data_num;
-
- /*-
- * get an upper bound for the length of the decimal integer
-@@ -120,9 +121,9 @@ char *BN_bn2dec(const BIGNUM *a)
- */
- i = BN_num_bits(a) * 3;
- num = (i / 10 + i / 1000 + 1) + 1;
-- bn_data =
-- (BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG));
-- buf = (char *)OPENSSL_malloc(num + 3);
-+ bn_data_num = num / BN_DEC_NUM + 1;
-+ bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));
-+ buf = OPENSSL_malloc(num + 3);
- if ((buf == NULL) || (bn_data == NULL)) {
- BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
- goto err;
-@@ -143,7 +144,11 @@ char *BN_bn2dec(const BIGNUM *a)
- i = 0;
- while (!BN_is_zero(t)) {
- *lp = BN_div_word(t, BN_DEC_CONV);
-+ if (*lp == (BN_ULONG)-1)
-+ goto err;
- lp++;
-+ if (lp - bn_data >= bn_data_num)
-+ goto err;
- }
- lp--;
- /*
---
-1.9.1
-
-From 67e11f1d44b85758f01b4905d64c4c49476c1db5 Mon Sep 17 00:00:00 2001
-From: Kazuki Yamaguchi <k@rhe.jp>
-Date: Mon, 22 Aug 2016 02:36:36 +0900
-Subject: [PATCH] Fix overflow check in BN_bn2dec()
-
-Fix an off by one error in the overflow check added by 07bed46f332fc
-("Check for errors in BN_bn2dec()").
-
-Reviewed-by: Stephen Henson <steve@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(cherry picked from commit 099e2968ed3c7d256cda048995626664082b1b30)
----
- crypto/bn/bn_print.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
-index b44403e..a9ff271 100644
---- a/crypto/bn/bn_print.c
-+++ b/crypto/bn/bn_print.c
-@@ -141,14 +141,13 @@ char *BN_bn2dec(const BIGNUM *a)
- if (BN_is_negative(t))
- *p++ = '-';
-
-- i = 0;
- while (!BN_is_zero(t)) {
-+ if (lp - bn_data >= bn_data_num)
-+ goto err;
- *lp = BN_div_word(t, BN_DEC_CONV);
- if (*lp == (BN_ULONG)-1)
- goto err;
- lp++;
-- if (lp - bn_data >= bn_data_num)
-- goto err;
- }
- lp--;
- /*
---
-1.9.1
-
diff --git a/main/openssl/CVE-2016-6302.patch b/main/openssl/CVE-2016-6302.patch
deleted file mode 100644
index fde58dee9b..0000000000
--- a/main/openssl/CVE-2016-6302.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From baaabfd8fdcec04a691695fad9a664bea43202b6 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve@openssl.org>
-Date: Tue, 23 Aug 2016 18:14:54 +0100
-Subject: [PATCH] Sanity check ticket length.
-
-If a ticket callback changes the HMAC digest to SHA512 the existing
-sanity checks are not sufficient and an attacker could perform a DoS
-attack with a malformed ticket. Add additional checks based on
-HMAC size.
-
-Thanks to Shi Lei for reporting this bug.
-
-CVE-2016-6302
-
-Reviewed-by: Rich Salz <rsalz@openssl.org>
----
- ssl/t1_lib.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index 7d322d0..fbcf2e6 100644
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -3401,9 +3401,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
- HMAC_CTX hctx;
- EVP_CIPHER_CTX ctx;
- SSL_CTX *tctx = s->initial_ctx;
-- /* Need at least keyname + iv + some encrypted data */
-- if (eticklen < 48)
-- return 2;
-+
- /* Initialize session ticket encryption and HMAC contexts */
- HMAC_CTX_init(&hctx);
- EVP_CIPHER_CTX_init(&ctx);
-@@ -3437,6 +3435,13 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
- if (mlen < 0) {
- goto err;
- }
-+ /* Sanity check ticket length: must exceed keyname + IV + HMAC */
-+ if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) {
-+ HMAC_CTX_cleanup(&hctx);
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+ return 2;
-+ }
-+
- eticklen -= mlen;
- /* Check HMAC of encrypted ticket */
- if (HMAC_Update(&hctx, etick, eticklen) <= 0
---
-1.9.1
-
diff --git a/main/openssl/CVE-2016-6303.patch b/main/openssl/CVE-2016-6303.patch
deleted file mode 100644
index bdb0e252ce..0000000000
--- a/main/openssl/CVE-2016-6303.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 1027ad4f34c30b8585592764b9a670ba36888269 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve@openssl.org>
-Date: Fri, 19 Aug 2016 23:28:29 +0100
-Subject: [PATCH] Avoid overflow in MDC2_Update()
-
-Thanks to Shi Lei for reporting this issue.
-
-CVE-2016-6303
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(cherry picked from commit 55d83bf7c10c7b205fffa23fa7c3977491e56c07)
----
- crypto/mdc2/mdc2dgst.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/crypto/mdc2/mdc2dgst.c b/crypto/mdc2/mdc2dgst.c
-index 6615cf8..2dce493 100644
---- a/crypto/mdc2/mdc2dgst.c
-+++ b/crypto/mdc2/mdc2dgst.c
-@@ -91,7 +91,7 @@ int MDC2_Update(MDC2_CTX *c, const unsigned char *in, size_t len)
-
- i = c->num;
- if (i != 0) {
-- if (i + len < MDC2_BLOCK) {
-+ if (len < MDC2_BLOCK - i) {
- /* partial block */
- memcpy(&(c->data[i]), in, len);
- c->num += (int)len;
---
-1.9.1
-