diff -Nru openssl-1.0.1f/debian/changelog openssl-1.0.1f/debian/changelog --- openssl-1.0.1f/debian/changelog 2016-09-23 11:58:21.000000000 +0000 +++ openssl-1.0.1f/debian/changelog 2017-01-30 18:03:16.000000000 +0000 @@ -1,3 +1,38 @@ +openssl (1.0.1f-1ubuntu2.22) trusty-security; urgency=medium + + * SECURITY UPDATE: Pointer arithmetic undefined behaviour + - debian/patches/CVE-2016-2177-pre.patch: check for ClientHello message + overruns in ssl/s3_srvr.c. + - debian/patches/CVE-2016-2177-pre2.patch: validate ClientHello + extension field length in ssl/t1_lib.c. + - debian/patches/CVE-2016-2177-pre3.patch: pass in a limit rather than + calculate it in ssl/s3_srvr.c, ssl/ssl_locl.h, ssl/t1_lib.c. + - debian/patches/CVE-2016-2177.patch: avoid undefined pointer + arithmetic in ssl/s3_srvr.c, ssl/t1_lib.c, + - CVE-2016-2177 + * SECURITY UPDATE: ECDSA P-256 timing attack key recovery + - debian/patches/CVE-2016-7056.patch: use BN_mod_exp_mont_consttime in + crypto/ec/ec.h, crypto/ec/ec_lcl.h, crypto/ec/ec_lib.c, + crypto/ecdsa/ecs_ossl.c. + - CVE-2016-7056 + * SECURITY UPDATE: DoS via warning alerts + - debian/patches/CVE-2016-8610.patch: don't allow too many consecutive + warning alerts in ssl/d1_pkt.c, ssl/s3_pkt.c, ssl/ssl.h, + ssl/ssl_locl.h. + - debian/patches/CVE-2016-8610-2.patch: fail if an unrecognised record + type is received in ssl/s3_pkt.c. + - CVE-2016-8610 + * SECURITY UPDATE: Truncated packet could crash via OOB read + - debian/patches/CVE-2017-3731-pre.patch: sanity check + EVP_CTRL_AEAD_TLS_AAD in crypto/evp/e_aes.c, + crypto/evp/e_aes_cbc_hmac_sha1.c, crypto/evp/e_rc4_hmac_md5.c, + crypto/evp/evp.h, ssl/t1_enc.c. + - debian/patches/CVE-2017-3731.patch: harden RC4_MD5 cipher in + crypto/evp/e_rc4_hmac_md5.c. + - CVE-2017-3731 + + -- Marc Deslauriers Mon, 30 Jan 2017 11:38:06 -0500 + openssl (1.0.1f-1ubuntu2.21) trusty-security; urgency=medium * SECURITY REGRESSION: incomplete fix for CVE-2016-2182 (LP: #1626883) diff -Nru openssl-1.0.1f/debian/patches/CVE-2016-2177.patch openssl-1.0.1f/debian/patches/CVE-2016-2177.patch --- openssl-1.0.1f/debian/patches/CVE-2016-2177.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.1f/debian/patches/CVE-2016-2177.patch 2017-01-30 16:37:10.000000000 +0000 @@ -0,0 +1,245 @@ +Backport of: + +From 6f35f6deb5ca7daebe289f86477e061ce3ee5f46 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Thu, 5 May 2016 11:10:26 +0100 +Subject: [PATCH] Avoid some undefined pointer arithmetic + +A common idiom in the codebase is: + +if (p + len > limit) +{ + return; /* Too long */ +} + +Where "p" points to some malloc'd data of SIZE bytes and +limit == p + SIZE + +"len" here could be from some externally supplied data (e.g. from a TLS +message). + +The rules of C pointer arithmetic are such that "p + len" is only well +defined where len <= SIZE. Therefore the above idiom is actually +undefined behaviour. + +For example this could cause problems if some malloc implementation +provides an address for "p" such that "p + len" actually overflows for +values of len that are too big and therefore p + len < limit! + +Issue reported by Guido Vranken. + +CVE-2016-2177 + +Reviewed-by: Rich Salz +--- + ssl/s3_srvr.c | 14 +++++++------- + ssl/ssl_sess.c | 2 +- + ssl/t1_lib.c | 48 ++++++++++++++++++++++++++---------------------- + 3 files changed, 34 insertions(+), 30 deletions(-) + +Index: openssl-1.0.1f/ssl/s3_srvr.c +=================================================================== +--- openssl-1.0.1f.orig/ssl/s3_srvr.c 2017-01-30 11:23:10.675902912 -0500 ++++ openssl-1.0.1f/ssl/s3_srvr.c 2017-01-30 11:25:06.797479525 -0500 +@@ -984,7 +984,7 @@ + + session_length = *(p + SSL3_RANDOM_SIZE); + +- if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) { ++ if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; +@@ -1002,7 +1002,7 @@ + /* get the session-id */ + j= *(p++); + +- if (p + j > d + n) { ++ if ((d + n) - p < j) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; +@@ -1046,14 +1046,14 @@ + if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) + { + /* cookie stuff */ +- if (p + 1 > d + n) { ++ if ((d + n) - p < 1) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + cookie_len = *(p++); + +- if (p + cookie_len > d + n) { ++ if ((d + n ) - p < cookie_len) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; +@@ -1105,7 +1105,7 @@ + p += cookie_len; + } + +- if (p + 2 > d + n) { ++ if ((d + n ) - p < 2) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; +@@ -1120,7 +1120,7 @@ + } + + /* i bytes of cipher data + 1 byte for compression length later */ +- if ((p + i + 1) > (d + n)) ++ if ((d + n) - p < i + 1) + { + /* not enough data */ + al=SSL_AD_DECODE_ERROR; +@@ -1187,7 +1187,7 @@ + + /* compression */ + i= *(p++); +- if ((p+i) > (d+n)) ++ if ((d + n) - p < i) + { + /* not enough data */ + al=SSL_AD_DECODE_ERROR; +Index: openssl-1.0.1f/ssl/t1_lib.c +=================================================================== +--- openssl-1.0.1f.orig/ssl/t1_lib.c 2017-01-30 11:23:10.675902912 -0500 ++++ openssl-1.0.1f/ssl/t1_lib.c 2017-01-30 11:36:15.086404473 -0500 +@@ -899,11 +899,11 @@ + 0x02, 0x03, /* SHA-1/ECDSA */ + }; + +- if (data >= (limit-2)) ++ if (limit - data <= 2) + return; + data += 2; + +- if (data > (limit-4)) ++ if (limit - data < 4) + return; + n2s(data,type); + n2s(data,size); +@@ -911,7 +911,7 @@ + if (type != TLSEXT_TYPE_server_name) + return; + +- if (data+size > limit) ++ if (limit - data < size) + return; + data += size; + +@@ -920,7 +920,7 @@ + const size_t len1 = sizeof(kSafariExtensionsBlock); + const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); + +- if (data + len1 + len2 != limit) ++ if (limit - data != (int)(len1 + len2)) + return; + if (memcmp(data, kSafariExtensionsBlock, len1) != 0) + return; +@@ -931,7 +931,7 @@ + { + const size_t len = sizeof(kSafariExtensionsBlock); + +- if (data + len != limit) ++ if (limit - data != (int)(len)) + return; + if (memcmp(data, kSafariExtensionsBlock, len) != 0) + return; +@@ -966,19 +966,19 @@ + ssl_check_for_safari(s, data, limit); + #endif /* !OPENSSL_NO_EC */ + +- if (data >= (limit-2)) ++ if (limit - data <= 2) + goto ri_check; + n2s(data,len); + +- if (data + len != limit) ++ if (limit - data != len) + goto ri_check; + +- while (data <= (limit-4)) ++ while (limit - data >= 4) + { + n2s(data,type); + n2s(data,size); + +- if (data+size > (limit)) ++ if (limit - data < size) + goto ri_check; + #if 0 + fprintf(stderr,"Received extension type %d size %d\n",type,size); +@@ -1493,22 +1493,22 @@ + SSL_TLSEXT_HB_DONT_SEND_REQUESTS); + #endif + +- if (data >= (d+n-2)) ++ if ((d + n) - data <= 2) + goto ri_check; + + n2s(data,length); +- if (data+length != d+n) ++ if ((d + n) - data != length) + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } + +- while(data <= (d+n-4)) ++ while ((d + n) - data >= 4) + { + n2s(data,type); + n2s(data,size); + +- if (data+size > (d+n)) ++ if ((d + n) - data < size) + goto ri_check; + + if (s->tlsext_debug_cb) +@@ -2196,30 +2196,34 @@ + if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) + { + i = *(p++); +- p+= i; +- if (p >= limit) ++ ++ if (limit - p <= i) + return -1; ++ ++ p += i; + } + /* Skip past cipher list */ + n2s(p, i); +- p+= i; +- if (p >= limit) ++ if (limit - p <= i) + return -1; ++ p+= i; ++ + /* Skip past compression algorithm list */ + i = *(p++); +- p += i; +- if (p > limit) ++ if (limit - p < i) + return -1; ++ p += i; ++ + /* Now at start of extensions */ +- if ((p + 2) >= limit) ++ if (limit - p <= 2) + return 0; + n2s(p, i); +- while ((p + 4) <= limit) ++ while (limit - p >= 4) + { + unsigned short type, size; + n2s(p, type); + n2s(p, size); +- if (p + size > limit) ++ if (limit - p < size) + return 0; + if (type == TLSEXT_TYPE_session_ticket) + { diff -Nru openssl-1.0.1f/debian/patches/CVE-2016-2177-pre2.patch openssl-1.0.1f/debian/patches/CVE-2016-2177-pre2.patch --- openssl-1.0.1f/debian/patches/CVE-2016-2177-pre2.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.1f/debian/patches/CVE-2016-2177-pre2.patch 2017-01-30 16:18:22.000000000 +0000 @@ -0,0 +1,31 @@ +Backport of: + +From e4840c88c516d959785fcd842d8658d3b7a6ae43 Mon Sep 17 00:00:00 2001 +From: Alessandro Ghedini +Date: Fri, 2 Oct 2015 14:38:30 +0200 +Subject: [PATCH] Validate ClientHello extension field length +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +RT#4069 + +Reviewed-by: Emilia Käsper +Reviewed-by: Matt Caswell +--- + ssl/t1_lib.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: openssl-1.0.1f/ssl/t1_lib.c +=================================================================== +--- openssl-1.0.1f.orig/ssl/t1_lib.c 2017-01-30 11:17:32.467273420 -0500 ++++ openssl-1.0.1f/ssl/t1_lib.c 2017-01-30 11:18:05.119716960 -0500 +@@ -970,7 +970,7 @@ + goto ri_check; + n2s(data,len); + +- if (data > (d+n-len)) ++ if (data + len != d + n) + goto ri_check; + + while (data <= (d+n-4)) diff -Nru openssl-1.0.1f/debian/patches/CVE-2016-2177-pre3.patch openssl-1.0.1f/debian/patches/CVE-2016-2177-pre3.patch --- openssl-1.0.1f/debian/patches/CVE-2016-2177-pre3.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.1f/debian/patches/CVE-2016-2177-pre3.patch 2017-01-30 16:37:16.000000000 +0000 @@ -0,0 +1,144 @@ +Backport of: + +From f141376ae2892b59f2b1af94204f925832f8dc3a Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Mon, 5 Oct 2015 14:12:05 +0100 +Subject: [PATCH] Change functions to pass in a limit rather than calculate it +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Some extension handling functions were passing in a pointer to the start +of the data, plus the length in order to calculate the end, rather than +just passing in the end to start with. This change makes things a little +more readable. + +Reviewed-by: Emilia Käsper + +Conflicts: + ssl/s3_srvr.c + ssl/ssl_locl.h + ssl/t1_lib.c +--- + ssl/s3_srvr.c | 2 +- + ssl/ssl_locl.h | 2 +- + ssl/t1_lib.c | 30 +++++++++++++++--------------- + 3 files changed, 17 insertions(+), 17 deletions(-) + +Index: openssl-1.0.1f/ssl/s3_srvr.c +=================================================================== +--- openssl-1.0.1f.orig/ssl/s3_srvr.c 2017-01-30 11:18:33.260098102 -0500 ++++ openssl-1.0.1f/ssl/s3_srvr.c 2017-01-30 11:19:07.944576474 -0500 +@@ -1213,7 +1213,7 @@ + /* TLS extensions*/ + if (s->version >= SSL3_VERSION) + { +- if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al)) ++ if (!ssl_parse_clienthello_tlsext(s,&p,d+n, &al)) + { + /* 'al' set by ssl_parse_clienthello_tlsext */ + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLSEXT); +Index: openssl-1.0.1f/ssl/ssl_locl.h +=================================================================== +--- openssl-1.0.1f.orig/ssl/ssl_locl.h 2017-01-30 11:18:33.260098102 -0500 ++++ openssl-1.0.1f/ssl/ssl_locl.h 2017-01-30 11:19:43.793070659 -0500 +@@ -1100,7 +1100,7 @@ + #ifndef OPENSSL_NO_TLSEXT + unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); + unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); +-int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); ++int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *limit, int *al); + int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); + int ssl_prepare_clienthello_tlsext(SSL *s); + int ssl_prepare_serverhello_tlsext(SSL *s); +Index: openssl-1.0.1f/ssl/t1_lib.c +=================================================================== +--- openssl-1.0.1f.orig/ssl/t1_lib.c 2017-01-30 11:18:33.260098102 -0500 ++++ openssl-1.0.1f/ssl/t1_lib.c 2017-01-30 11:22:25.075281338 -0500 +@@ -871,7 +871,7 @@ + * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from + * 10.8..10.8.3 (which don't work). + */ +-static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) { ++static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *limit) { + unsigned short type, size; + static const unsigned char kSafariExtensionsBlock[] = { + 0x00, 0x0a, /* elliptic_curves extension */ +@@ -899,11 +899,11 @@ + 0x02, 0x03, /* SHA-1/ECDSA */ + }; + +- if (data >= (d+n-2)) ++ if (data >= (limit-2)) + return; + data += 2; + +- if (data > (d+n-4)) ++ if (data > (limit-4)) + return; + n2s(data,type); + n2s(data,size); +@@ -911,7 +911,7 @@ + if (type != TLSEXT_TYPE_server_name) + return; + +- if (data+size > d+n) ++ if (data+size > limit) + return; + data += size; + +@@ -920,7 +920,7 @@ + const size_t len1 = sizeof(kSafariExtensionsBlock); + const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); + +- if (data + len1 + len2 != d+n) ++ if (data + len1 + len2 != limit) + return; + if (memcmp(data, kSafariExtensionsBlock, len1) != 0) + return; +@@ -931,7 +931,7 @@ + { + const size_t len = sizeof(kSafariExtensionsBlock); + +- if (data + len != d+n) ++ if (data + len != limit) + return; + if (memcmp(data, kSafariExtensionsBlock, len) != 0) + return; +@@ -941,7 +941,7 @@ + } + #endif /* !OPENSSL_NO_EC */ + +-int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) ++int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *limit, int *al) + { + unsigned short type; + unsigned short size; +@@ -963,22 +963,22 @@ + + #ifndef OPENSSL_NO_EC + if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) +- ssl_check_for_safari(s, data, d, n); ++ ssl_check_for_safari(s, data, limit); + #endif /* !OPENSSL_NO_EC */ + +- if (data >= (d+n-2)) ++ if (data >= (limit-2)) + goto ri_check; + n2s(data,len); + +- if (data + len != d + n) ++ if (data + len != limit) + goto ri_check; + +- while (data <= (d+n-4)) ++ while (data <= (limit-4)) + { + n2s(data,type); + n2s(data,size); + +- if (data+size > (d+n)) ++ if (data+size > (limit)) + goto ri_check; + #if 0 + fprintf(stderr,"Received extension type %d size %d\n",type,size); diff -Nru openssl-1.0.1f/debian/patches/CVE-2016-2177-pre.patch openssl-1.0.1f/debian/patches/CVE-2016-2177-pre.patch --- openssl-1.0.1f/debian/patches/CVE-2016-2177-pre.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.1f/debian/patches/CVE-2016-2177-pre.patch 2017-01-30 16:12:24.000000000 +0000 @@ -0,0 +1,110 @@ +Backport of: + +From 89c2720298f875ac80777da2da88a64859775898 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 10 Apr 2015 17:25:27 +0100 +Subject: [PATCH] Check for ClientHello message overruns + +The ClientHello processing is insufficiently rigorous in its checks to make +sure that we don't read past the end of the message. This does not have +security implications due to the size of the underlying buffer - but still +needs to be fixed. + +With thanks to Qinghao Tang for reporting this issue. + +Reviewed-by: Rich Salz +(cherry picked from commit c9642eb1ff79a30e2c7632ef8267cc34cc2b0d79) +--- + ssl/s3_srvr.c | 42 +++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 41 insertions(+), 1 deletion(-) + +Index: openssl-1.0.1f/ssl/s3_srvr.c +=================================================================== +--- openssl-1.0.1f.orig/ssl/s3_srvr.c 2017-01-30 11:07:41.467312664 -0500 ++++ openssl-1.0.1f/ssl/s3_srvr.c 2017-01-30 11:11:59.810656978 -0500 +@@ -945,6 +945,16 @@ + s->first_packet=0; + d=p=(unsigned char *)s->init_msg; + ++ /* ++ * 2 bytes for client version, SSL3_RANDOM_SIZE bytes for random, 1 byte ++ * for session id length ++ */ ++ if (n < 2 + SSL3_RANDOM_SIZE + 1) { ++ al = SSL_AD_DECODE_ERROR; ++ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); ++ goto f_err; ++ } ++ + /* use version from inside client hello, not from record header + * (may differ: see RFC 2246, Appendix E, second paragraph) */ + s->client_version=(((int)p[0])<<8)|(int)p[1]; +@@ -973,6 +983,12 @@ + unsigned int session_length, cookie_length; + + session_length = *(p + SSL3_RANDOM_SIZE); ++ ++ if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) { ++ al = SSL_AD_DECODE_ERROR; ++ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); ++ goto f_err; ++ } + cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1); + + if (cookie_length == 0) +@@ -986,6 +1002,12 @@ + /* get the session-id */ + j= *(p++); + ++ if (p + j > d + n) { ++ al = SSL_AD_DECODE_ERROR; ++ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); ++ goto f_err; ++ } ++ + s->hit=0; + /* Versions before 0.9.7 always allow clients to resume sessions in renegotiation. + * 0.9.7 and later allow this by default, but optionally ignore resumption requests +@@ -1024,8 +1046,19 @@ + if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) + { + /* cookie stuff */ ++ if (p + 1 > d + n) { ++ al = SSL_AD_DECODE_ERROR; ++ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); ++ goto f_err; ++ } + cookie_len = *(p++); + ++ if (p + cookie_len > d + n) { ++ al = SSL_AD_DECODE_ERROR; ++ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); ++ goto f_err; ++ } ++ + /* + * The ClientHello may contain a cookie even if the + * HelloVerify message has not been sent--make sure that it +@@ -1072,6 +1105,11 @@ + p += cookie_len; + } + ++ if (p + 2 > d + n) { ++ al = SSL_AD_DECODE_ERROR; ++ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); ++ goto f_err; ++ } + n2s(p,i); + if ((i == 0) && (j != 0)) + { +@@ -1080,7 +1118,9 @@ + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED); + goto f_err; + } +- if ((p+i) >= (d+n)) ++ ++ /* i bytes of cipher data + 1 byte for compression length later */ ++ if ((p + i + 1) > (d + n)) + { + /* not enough data */ + al=SSL_AD_DECODE_ERROR; diff -Nru openssl-1.0.1f/debian/patches/CVE-2016-7056.patch openssl-1.0.1f/debian/patches/CVE-2016-7056.patch --- openssl-1.0.1f/debian/patches/CVE-2016-7056.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.1f/debian/patches/CVE-2016-7056.patch 2017-01-30 17:34:07.000000000 +0000 @@ -0,0 +1,231 @@ +From 8aed2a7548362e88e84a7feb795a3a97e8395008 Mon Sep 17 00:00:00 2001 +From: Andy Polyakov +Date: Fri, 12 Sep 2014 00:13:20 +0200 +Subject: [PATCH] Reserve option to use BN_mod_exp_mont_consttime in ECDSA. + +Submitted by Shay Gueron, Intel Corp. +RT: 3149 + +Reviewed-by: Rich Salz +(cherry picked from commit f54be179aa4cbbd944728771d7d59ed588158a12) +--- + crypto/ec/ec.h | 6 +++++ + crypto/ec/ec_lcl.h | 11 ++++++++ + crypto/ec/ec_lib.c | 71 +++++++++++++++++++++++++++++++++++++++++++++++++ + crypto/ecdsa/ecs_ossl.c | 36 +++++++++++++++++++++---- + 4 files changed, 119 insertions(+), 5 deletions(-) + +diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h +index 7ae8e8a..b8551c5 100644 +--- a/crypto/ec/ec.h ++++ b/crypto/ec/ec.h +@@ -243,6 +243,12 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, const BIG + */ + const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group); + ++/** Returns the montgomery data for order(Generator) ++ * \param group EC_GROUP object ++ * \return the currently used generator (possibly NULL). ++*/ ++BN_MONT_CTX *EC_GROUP_get_mont_data(const EC_GROUP *group); ++ + /** Gets the order of a EC_GROUP + * \param group EC_GROUP object + * \param order BIGNUM to which the order is copied +diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h +index b0d48b6..22b53d2 100644 +--- a/crypto/ec/ec_lcl.h ++++ b/crypto/ec/ec_lcl.h +@@ -235,6 +235,8 @@ struct ec_group_st { + void *field_data1; /* method-specific (e.g., Montgomery structure) */ + void *field_data2; /* method-specific */ + int (*field_mod_func)(BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); /* method-specific */ ++ ++ BN_MONT_CTX *mont_data; /* data for ECDSA inverse */ + } /* EC_GROUP */; + + struct ec_key_st { +@@ -444,3 +446,12 @@ void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array, + void (*felem_contract)(void *out, const void *in)); + void ec_GFp_nistp_recode_scalar_bits(unsigned char *sign, unsigned char *digit, unsigned char in); + #endif ++int ec_precompute_mont_data(EC_GROUP *); ++ ++#ifdef ECP_NISTZ256_ASM ++/** Returns GFp methods using montgomery multiplication, with x86-64 optimized ++ * P256. See http://eprint.iacr.org/2013/816. ++ * \return EC_METHOD object ++ */ ++const EC_METHOD *EC_GFp_nistz256_method(void); ++#endif +diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c +index e2c4741..7fe3115 100644 +--- a/crypto/ec/ec_lib.c ++++ b/crypto/ec/ec_lib.c +@@ -98,6 +98,7 @@ EC_GROUP *EC_GROUP_new(const EC_METHOD *meth) + ret->meth = meth; + + ret->extra_data = NULL; ++ ret->mont_data = NULL; + + ret->generator = NULL; + BN_init(&ret->order); +@@ -129,6 +130,9 @@ void EC_GROUP_free(EC_GROUP *group) + + EC_EX_DATA_free_all_data(&group->extra_data); + ++ if (group->mont_data) ++ BN_MONT_CTX_free(group->mont_data); ++ + if (group->generator != NULL) + EC_POINT_free(group->generator); + BN_free(&group->order); +@@ -152,6 +156,9 @@ void EC_GROUP_clear_free(EC_GROUP *group) + + EC_EX_DATA_clear_free_all_data(&group->extra_data); + ++ if (group->mont_data) ++ BN_MONT_CTX_free(group->mont_data); ++ + if (group->generator != NULL) + EC_POINT_clear_free(group->generator); + BN_clear_free(&group->order); +@@ -197,6 +204,25 @@ int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src) + return 0; + } + ++ if (src->mont_data != NULL) ++ { ++ if (dest->mont_data == NULL) ++ { ++ dest->mont_data = BN_MONT_CTX_new(); ++ if (dest->mont_data == NULL) return 0; ++ } ++ if (!BN_MONT_CTX_copy(dest->mont_data, src->mont_data)) return 0; ++ } ++ else ++ { ++ /* src->generator == NULL */ ++ if (dest->mont_data != NULL) ++ { ++ BN_MONT_CTX_free(dest->mont_data); ++ dest->mont_data = NULL; ++ } ++ } ++ + if (src->generator != NULL) + { + if (dest->generator == NULL) +@@ -306,6 +332,11 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, const BIG + else + BN_zero(&group->cofactor); + ++ /* We ignore the return value because some groups have an order with ++ * factors of two, which makes the Montgomery setup fail. ++ * |group->mont_data| will be NULL in this case. */ ++ ec_precompute_mont_data(group); ++ + return 1; + } + +@@ -315,6 +346,10 @@ const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group) + return group->generator; + } + ++BN_MONT_CTX *EC_GROUP_get_mont_data(const EC_GROUP *group) ++ { ++ return group->mont_data; ++ } + + int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx) + { +@@ -1094,3 +1129,39 @@ int EC_GROUP_have_precompute_mult(const EC_GROUP *group) + else + return 0; /* cannot tell whether precomputation has been performed */ + } ++ ++/* ec_precompute_mont_data sets |group->mont_data| from |group->order| and ++ * returns one on success. On error it returns zero. */ ++int ec_precompute_mont_data(EC_GROUP *group) ++ { ++ BN_CTX *ctx = BN_CTX_new(); ++ int ret = 0; ++ ++ if (group->mont_data) ++ { ++ BN_MONT_CTX_free(group->mont_data); ++ group->mont_data = NULL; ++ } ++ ++ if (ctx == NULL) ++ goto err; ++ ++ group->mont_data = BN_MONT_CTX_new(); ++ if (!group->mont_data) ++ goto err; ++ ++ if (!BN_MONT_CTX_set(group->mont_data, &group->order, ctx)) ++ { ++ BN_MONT_CTX_free(group->mont_data); ++ group->mont_data = NULL; ++ goto err; ++ } ++ ++ ret = 1; ++ ++err: ++ ++ if (ctx) ++ BN_CTX_free(ctx); ++ return ret; ++ } +diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c +index 7725935..c23343b 100644 +--- a/crypto/ecdsa/ecs_ossl.c ++++ b/crypto/ecdsa/ecs_ossl.c +@@ -187,11 +187,37 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, + while (BN_is_zero(r)); + + /* compute the inverse of k */ +- if (!BN_mod_inverse(k, k, order, ctx)) +- { +- ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); +- goto err; +- } ++ if (EC_GROUP_get_mont_data(group) != NULL) ++ { ++ /* We want inverse in constant time, therefore we utilize the ++ * fact order must be prime and use Fermats Little Theorem ++ * instead. */ ++ if (!BN_set_word(X, 2) ) ++ { ++ ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); ++ goto err; ++ } ++ if (!BN_mod_sub(X, order, X, order, ctx)) ++ { ++ ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); ++ goto err; ++ } ++ BN_set_flags(X, BN_FLG_CONSTTIME); ++ if (!BN_mod_exp_mont_consttime(k, k, X, order, ctx, EC_GROUP_get_mont_data(group))) ++ { ++ ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); ++ goto err; ++ } ++ } ++ else ++ { ++ if (!BN_mod_inverse(k, k, order, ctx)) ++ { ++ ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); ++ goto err; ++ } ++ } ++ + /* clear old values if necessary */ + if (*rp != NULL) + BN_clear_free(*rp); +-- +2.7.4 + diff -Nru openssl-1.0.1f/debian/patches/CVE-2016-8610-2.patch openssl-1.0.1f/debian/patches/CVE-2016-8610-2.patch --- openssl-1.0.1f/debian/patches/CVE-2016-8610-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.1f/debian/patches/CVE-2016-8610-2.patch 2017-01-30 17:43:02.000000000 +0000 @@ -0,0 +1,50 @@ +Backport of: + +From f1185392189641014dca94f3fe7834bccb5f4c16 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 2 Nov 2016 22:26:17 +0000 +Subject: [PATCH] Fail if an unrecognised record type is received +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +TLS1.0 and TLS1.1 say you SHOULD ignore unrecognised record types, but +TLS 1.2 says you MUST send an unexpected message alert. We swap to the +TLS 1.2 behaviour for all protocol versions to prevent issues where no +progress is being made and the peer continually sends unrecognised record +types, using up resources processing them. + +Issue reported by 郭志攀 + +Reviewed-by: Tim Hudson +--- + ssl/s3_pkt.c | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +Index: openssl-1.0.1f/ssl/s3_pkt.c +=================================================================== +--- openssl-1.0.1f.orig/ssl/s3_pkt.c 2017-01-30 12:41:32.006003547 -0500 ++++ openssl-1.0.1f/ssl/s3_pkt.c 2017-01-30 12:42:41.262909510 -0500 +@@ -1388,16 +1388,13 @@ + switch (rr->type) + { + default: +-#ifndef OPENSSL_NO_TLS +- /* TLS up to v1.1 just ignores unknown message types: +- * TLS v1.2 give an unexpected message alert. ++ /* ++ * TLS 1.0 and 1.1 say you SHOULD ignore unrecognised record types, but ++ * TLS 1.2 says you MUST send an unexpected message alert. We use the ++ * TLS 1.2 behaviour for all protocol versions to prevent issues where ++ * no progress is being made and the peer continually sends unrecognised ++ * record types, using up resources processing them. + */ +- if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION) +- { +- rr->length = 0; +- goto start; +- } +-#endif + al=SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD); + goto f_err; diff -Nru openssl-1.0.1f/debian/patches/CVE-2016-8610.patch openssl-1.0.1f/debian/patches/CVE-2016-8610.patch --- openssl-1.0.1f/debian/patches/CVE-2016-8610.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.1f/debian/patches/CVE-2016-8610.patch 2017-01-30 17:41:02.000000000 +0000 @@ -0,0 +1,121 @@ +Backport of: + +From 22646a075e75991b4e8f5d67171e45a6aead5b48 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 21 Sep 2016 14:48:16 +0100 +Subject: [PATCH] Don't allow too many consecutive warning alerts + +Certain warning alerts are ignored if they are received. This can mean that +no progress will be made if one peer continually sends those warning alerts. +Implement a count so that we abort the connection if we receive too many. + +Issue reported by Shi Lei. + +Reviewed-by: Rich Salz +--- + ssl/d1_pkt.c | 15 +++++++++++++++ + ssl/s3_pkt.c | 15 +++++++++++++++ + ssl/ssl.h | 1 + + ssl/ssl_locl.h | 4 ++++ + 4 files changed, 35 insertions(+) + +Index: openssl-1.0.1f/ssl/d1_pkt.c +=================================================================== +--- openssl-1.0.1f.orig/ssl/d1_pkt.c 2017-01-30 12:34:38.876598997 -0500 ++++ openssl-1.0.1f/ssl/d1_pkt.c 2017-01-30 12:37:24.370762576 -0500 +@@ -910,6 +910,13 @@ + goto start; + } + ++ /* ++ * Reset the count of consecutive warning alerts if we've got a non-empty ++ * record that isn't an alert. ++ */ ++ if (rr->type != SSL3_RT_ALERT && rr->length != 0) ++ s->cert->alert_count = 0; ++ + /* we now have a packet which can be read and processed */ + + if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, +@@ -1179,6 +1186,14 @@ + if (alert_level == 1) /* warning */ + { + s->s3->warn_alert = alert_descr; ++ ++ s->cert->alert_count++; ++ if (s->cert->alert_count == MAX_WARN_ALERT_COUNT) { ++ al = SSL_AD_UNEXPECTED_MESSAGE; ++ SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS); ++ goto f_err; ++ } ++ + if (alert_descr == SSL_AD_CLOSE_NOTIFY) + { + #ifndef OPENSSL_NO_SCTP +Index: openssl-1.0.1f/ssl/s3_pkt.c +=================================================================== +--- openssl-1.0.1f.orig/ssl/s3_pkt.c 2017-01-30 12:34:38.876598997 -0500 ++++ openssl-1.0.1f/ssl/s3_pkt.c 2017-01-30 12:38:42.263782297 -0500 +@@ -1013,6 +1013,13 @@ + if (ret <= 0) return(ret); + } + ++ /* ++ * Reset the count of consecutive warning alerts if we've got a non-empty ++ * record that isn't an alert. ++ */ ++ if (rr->type != SSL3_RT_ALERT && rr->length != 0) ++ s->cert->alert_count = 0; ++ + /* we now have a packet which can be read and processed */ + + if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, +@@ -1229,6 +1236,14 @@ + if (alert_level == 1) /* warning */ + { + s->s3->warn_alert = alert_descr; ++ ++ s->cert->alert_count++; ++ if (s->cert->alert_count == MAX_WARN_ALERT_COUNT) { ++ al = SSL_AD_UNEXPECTED_MESSAGE; ++ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS); ++ goto f_err; ++ } ++ + if (alert_descr == SSL_AD_CLOSE_NOTIFY) + { + s->shutdown |= SSL_RECEIVED_SHUTDOWN; +Index: openssl-1.0.1f/ssl/ssl.h +=================================================================== +--- openssl-1.0.1f.orig/ssl/ssl.h 2017-01-30 12:34:38.876598997 -0500 ++++ openssl-1.0.1f/ssl/ssl.h 2017-01-30 12:39:16.524230727 -0500 +@@ -2548,6 +2548,7 @@ + #define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157 + #define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233 + #define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234 ++#define SSL_R_TOO_MANY_WARN_ALERTS 409 + #define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235 + #define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236 + #define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS 313 +Index: openssl-1.0.1f/ssl/ssl_locl.h +=================================================================== +--- openssl-1.0.1f.orig/ssl/ssl_locl.h 2017-01-30 12:34:38.876598997 -0500 ++++ openssl-1.0.1f/ssl/ssl_locl.h 2017-01-30 12:40:37.325288124 -0500 +@@ -478,6 +478,8 @@ + #define NAMED_CURVE_TYPE 3 + #endif /* OPENSSL_NO_EC */ + ++# define MAX_WARN_ALERT_COUNT 5 ++ + typedef struct cert_pkey_st + { + X509 *x509; +@@ -517,6 +519,8 @@ + CERT_PKEY pkeys[SSL_PKEY_NUM]; + + int references; /* >1 only if SSL_copy_session_id is used */ ++ /* Count of the number of consecutive warning alerts received */ ++ unsigned int alert_count; + } CERT; + + diff -Nru openssl-1.0.1f/debian/patches/CVE-2017-3731.patch openssl-1.0.1f/debian/patches/CVE-2017-3731.patch --- openssl-1.0.1f/debian/patches/CVE-2017-3731.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.1f/debian/patches/CVE-2017-3731.patch 2017-01-30 18:00:27.000000000 +0000 @@ -0,0 +1,39 @@ +Backport of: + +From 51d009043670a627d6abe66894126851cf3690e9 Mon Sep 17 00:00:00 2001 +From: Andy Polyakov +Date: Thu, 19 Jan 2017 00:17:30 +0100 +Subject: [PATCH] crypto/evp: harden RC4_MD5 cipher. +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Originally a crash in 32-bit build was reported CHACHA20-POLY1305 +cipher. The crash is triggered by truncated packet and is result +of excessive hashing to the edge of accessible memory (or bogus +MAC value is produced if x86 MD5 assembly module is involved). Since +hash operation is read-only it is not considered to be exploitable +beyond a DoS condition. + +Thanks to Robert Święcki for report. + +CVE-2017-3731 + +Reviewed-by: Rich Salz +--- + crypto/evp/e_rc4_hmac_md5.c | 2 ++ + 1 file changed, 2 insertions(+) + +Index: openssl-1.0.1f/crypto/evp/e_rc4_hmac_md5.c +=================================================================== +--- openssl-1.0.1f.orig/crypto/evp/e_rc4_hmac_md5.c 2017-01-30 13:00:25.236707109 -0500 ++++ openssl-1.0.1f/crypto/evp/e_rc4_hmac_md5.c 2017-01-30 13:00:25.232707057 -0500 +@@ -262,6 +262,8 @@ + + if (!ctx->encrypt) + { ++ if (len < MD5_DIGEST_LENGTH) ++ return -1; + len -= MD5_DIGEST_LENGTH; + p[arg-2] = len>>8; + p[arg-1] = len; diff -Nru openssl-1.0.1f/debian/patches/CVE-2017-3731-pre.patch openssl-1.0.1f/debian/patches/CVE-2017-3731-pre.patch --- openssl-1.0.1f/debian/patches/CVE-2017-3731-pre.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.1f/debian/patches/CVE-2017-3731-pre.patch 2017-01-30 17:58:50.000000000 +0000 @@ -0,0 +1,124 @@ +Backport of: + +From 1a3701f4fe0530a40ec073cd78d02cfcc26c0f8e Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Mon, 27 Apr 2015 11:07:06 +0100 +Subject: [PATCH] Sanity check EVP_CTRL_AEAD_TLS_AAD + +The various implementations of EVP_CTRL_AEAD_TLS_AAD expect a buffer of at +least 13 bytes long. Add sanity checks to ensure that the length is at +least that. Also add a new constant (EVP_AEAD_TLS1_AAD_LEN) to evp.h to +represent this length. Thanks to Kevin Wojtysiak (Int3 Solutions) and +Paramjot Oberoi (Int3 Solutions) for reporting this issue. + +Reviewed-by: Andy Polyakov +(cherry picked from commit c8269881093324b881b81472be037055571f73f3) + +Conflicts: + ssl/record/ssl3_record.c +--- + apps/speed.c | 5 +++-- + crypto/evp/e_aes.c | 2 +- + crypto/evp/e_aes_cbc_hmac_sha1.c | 9 ++++++--- + crypto/evp/e_aes_cbc_hmac_sha256.c | 7 +++++-- + crypto/evp/e_rc4_hmac_md5.c | 7 ++++++- + crypto/evp/evp.h | 3 +++ + ssl/t1_enc.c | 7 +++++-- + 7 files changed, 29 insertions(+), 11 deletions(-) + +Index: openssl-1.0.1f/crypto/evp/e_aes.c +=================================================================== +--- openssl-1.0.1f.orig/crypto/evp/e_aes.c 2017-01-30 12:51:26.025768464 -0500 ++++ openssl-1.0.1f/crypto/evp/e_aes.c 2017-01-30 12:53:31.351405247 -0500 +@@ -791,7 +791,7 @@ + + case EVP_CTRL_AEAD_TLS1_AAD: + /* Save the AAD for later use */ +- if (arg != 13) ++ if (arg != EVP_AEAD_TLS1_AAD_LEN) + return 0; + memcpy(c->buf, ptr, arg); + gctx->tls_aad_len = arg; +Index: openssl-1.0.1f/crypto/evp/e_aes_cbc_hmac_sha1.c +=================================================================== +--- openssl-1.0.1f.orig/crypto/evp/e_aes_cbc_hmac_sha1.c 2017-01-30 12:51:26.025768464 -0500 ++++ openssl-1.0.1f/crypto/evp/e_aes_cbc_hmac_sha1.c 2017-01-30 12:54:26.100120138 -0500 +@@ -492,7 +492,12 @@ + case EVP_CTRL_AEAD_TLS1_AAD: + { + unsigned char *p=ptr; +- unsigned int len=p[arg-2]<<8|p[arg-1]; ++ unsigned int len; ++ ++ if (arg != EVP_AEAD_TLS1_AAD_LEN) ++ return -1; ++ ++ len = p[arg - 2] << 8 | p[arg - 1]; + + if (ctx->encrypt) + { +@@ -510,7 +515,6 @@ + } + else + { +- if (arg>13) arg = 13; + memcpy(key->aux.tls_aad,ptr,arg); + key->payload_length = arg; + +Index: openssl-1.0.1f/crypto/evp/e_rc4_hmac_md5.c +=================================================================== +--- openssl-1.0.1f.orig/crypto/evp/e_rc4_hmac_md5.c 2017-01-30 12:51:26.025768464 -0500 ++++ openssl-1.0.1f/crypto/evp/e_rc4_hmac_md5.c 2017-01-30 12:55:01.004571988 -0500 +@@ -253,7 +253,12 @@ + case EVP_CTRL_AEAD_TLS1_AAD: + { + unsigned char *p=ptr; +- unsigned int len=p[arg-2]<<8|p[arg-1]; ++ unsigned int len; ++ ++ if (arg != EVP_AEAD_TLS1_AAD_LEN) ++ return -1; ++ ++ len = p[arg - 2] << 8 | p[arg - 1]; + + if (!ctx->encrypt) + { +Index: openssl-1.0.1f/crypto/evp/evp.h +=================================================================== +--- openssl-1.0.1f.orig/crypto/evp/evp.h 2017-01-30 12:51:26.025768464 -0500 ++++ openssl-1.0.1f/crypto/evp/evp.h 2017-01-30 12:56:24.225632169 -0500 +@@ -394,6 +394,9 @@ + /* Set the GCM invocation field, decrypt only */ + #define EVP_CTRL_GCM_SET_IV_INV 0x18 + ++/* RFC 5246 defines additional data to be 13 bytes in length */ ++# define EVP_AEAD_TLS1_AAD_LEN 13 ++ + /* GCM TLS constants */ + /* Length of fixed part of IV derived from PRF */ + #define EVP_GCM_TLS_FIXED_IV_LEN 4 +Index: openssl-1.0.1f/ssl/t1_enc.c +=================================================================== +--- openssl-1.0.1f.orig/ssl/t1_enc.c 2017-01-30 12:51:26.025768464 -0500 ++++ openssl-1.0.1f/ssl/t1_enc.c 2017-01-30 12:57:52.862762269 -0500 +@@ -756,7 +756,7 @@ + + if (EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER) + { +- unsigned char buf[13],*seq; ++ unsigned char buf[EVP_AEAD_TLS1_AAD_LEN], *seq; + + seq = send?s->s3->write_sequence:s->s3->read_sequence; + +@@ -783,7 +783,10 @@ + buf[10]=(unsigned char)(s->version); + buf[11]=rec->length>>8; + buf[12]=rec->length&0xff; +- pad=EVP_CIPHER_CTX_ctrl(ds,EVP_CTRL_AEAD_TLS1_AAD,13,buf); ++ pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, ++ EVP_AEAD_TLS1_AAD_LEN, buf); ++ if (pad <= 0) ++ return -1; + if (send) + { + l+=pad; diff -Nru openssl-1.0.1f/debian/patches/series openssl-1.0.1f/debian/patches/series --- openssl-1.0.1f/debian/patches/series 2016-09-23 11:55:57.000000000 +0000 +++ openssl-1.0.1f/debian/patches/series 2017-01-30 18:00:12.000000000 +0000 @@ -128,3 +128,12 @@ update-expired-smime-test-certs.patch CVE-2014-3571-3.patch CVE-2016-2182-2.patch +CVE-2016-2177-pre.patch +CVE-2016-2177-pre2.patch +CVE-2016-2177-pre3.patch +CVE-2016-2177.patch +CVE-2016-7056.patch +CVE-2016-8610.patch +CVE-2016-8610-2.patch +CVE-2017-3731-pre.patch +CVE-2017-3731.patch