svn commit: r309565 - in user/cperciva/freebsd-update-build/patches: 10.1-RELEASE 10.2-RELEASE 10.3-RELEASE 11.0-RELEASE 9.3-RELEASE
Gleb Smirnoff
glebius at FreeBSD.org
Mon Dec 5 22:26:50 UTC 2016
Author: glebius
Date: Mon Dec 5 22:26:48 2016
New Revision: 309565
URL: https://svnweb.freebsd.org/changeset/base/309565
Log:
Store SA-16:33-35 patches.
Added:
user/cperciva/freebsd-update-build/patches/10.1-RELEASE/42-SA-16:35.openssl
user/cperciva/freebsd-update-build/patches/10.2-RELEASE/25-SA-16:35.openssl
user/cperciva/freebsd-update-build/patches/10.3-RELEASE/12-SA-16:33.openssh
user/cperciva/freebsd-update-build/patches/10.3-RELEASE/12-SA-16:35.openssl
user/cperciva/freebsd-update-build/patches/11.0-RELEASE/3-SA-16:33.openssh
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/50-SA-16:34.bind
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/50-SA-16:35.openssl
Added: user/cperciva/freebsd-update-build/patches/10.1-RELEASE/42-SA-16:35.openssl
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/10.1-RELEASE/42-SA-16:35.openssl Mon Dec 5 22:26:48 2016 (r309565)
@@ -0,0 +1,94 @@
+--- crypto/openssl/ssl/d1_pkt.c.orig
++++ crypto/openssl/ssl/d1_pkt.c
+@@ -924,6 +924,13 @@
+ goto start;
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->s3->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1190,6 +1197,14 @@
+
+ if (alert_level == SSL3_AL_WARNING) {
+ s->s3->warn_alert = alert_descr;
++
++ s->s3->alert_count++;
++ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ #ifndef OPENSSL_NO_SCTP
+ /*
+--- crypto/openssl/ssl/s3_pkt.c.orig
++++ crypto/openssl/ssl/s3_pkt.c
+@@ -1057,6 +1057,13 @@
+ return (ret);
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->s3->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1271,6 +1278,14 @@
+
+ if (alert_level == SSL3_AL_WARNING) {
+ s->s3->warn_alert = alert_descr;
++
++ s->s3->alert_count++;
++ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+ return (0);
+--- crypto/openssl/ssl/ssl.h.orig
++++ crypto/openssl/ssl/ssl.h
+@@ -2717,6 +2717,7 @@
+ # define SSL_R_TLS_HEARTBEAT_PENDING 366
+ # define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367
+ # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
++# define SSL_R_TOO_MANY_WARN_ALERTS 409
+ # define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
+ # define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
+ # define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
+--- crypto/openssl/ssl/ssl3.h.orig
++++ crypto/openssl/ssl/ssl3.h
+@@ -587,6 +587,8 @@
+ char is_probably_safari;
+ # endif /* !OPENSSL_NO_EC */
+ # endif /* !OPENSSL_NO_TLSEXT */
++ /* Count of the number of consecutive warning alerts received */
++ unsigned int alert_count;
+ } SSL3_STATE;
+
+ # endif
+--- crypto/openssl/ssl/ssl_locl.h.orig
++++ crypto/openssl/ssl/ssl_locl.h
+@@ -389,6 +389,8 @@
+ */
+ # define SSL_MAX_DIGEST 6
+
++# define MAX_WARN_ALERT_COUNT 5
++
+ # define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT)
+
+ # define TLS1_PRF_DGST_SHIFT 10
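Review bot: The new reason code `SSL_R_TOO_MANY_WARN_ALERTS 409` is added to ssl.h, but the patch (all 94 lines are visible) does not add a matching entry to the reason-string table in crypto/openssl/ssl/ssl_err.c, so the error raised by `SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS)` would carry no human-readable reason unless that table is maintained elsewhere — confirm, and if not, add `{ERR_REASON(SSL_R_TOO_MANY_WARN_ALERTS), "too many warn alerts"},` there. The `alert_count` field is appended at the end of the public `SSL3_STATE` struct, which keeps existing member offsets but changes its size; anything outside libssl that sizes or embeds that struct would need a rebuild (presumably nothing in base, but worth confirming for the binary update). The `if (s->s3->alert_count == MAX_WARN_ALERT_COUNT)` test is correct today because the counter only moves by one from zero and the hit path is fatal, but `if (s->s3->alert_count >= MAX_WARN_ALERT_COUNT) {` would not silently stop working if the reset or increment logic is later changed. The same applies to the identical copies of this patch for 10.2-RELEASE, 10.3-RELEASE and 9.3-RELEASE below.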
Added: user/cperciva/freebsd-update-build/patches/10.2-RELEASE/25-SA-16:35.openssl
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/10.2-RELEASE/25-SA-16:35.openssl Mon Dec 5 22:26:48 2016 (r309565)
@@ -0,0 +1,94 @@
+--- crypto/openssl/ssl/d1_pkt.c.orig
++++ crypto/openssl/ssl/d1_pkt.c
+@@ -924,6 +924,13 @@
+ goto start;
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->s3->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1190,6 +1197,14 @@
+
+ if (alert_level == SSL3_AL_WARNING) {
+ s->s3->warn_alert = alert_descr;
++
++ s->s3->alert_count++;
++ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ #ifndef OPENSSL_NO_SCTP
+ /*
+--- crypto/openssl/ssl/s3_pkt.c.orig
++++ crypto/openssl/ssl/s3_pkt.c
+@@ -1057,6 +1057,13 @@
+ return (ret);
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->s3->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1271,6 +1278,14 @@
+
+ if (alert_level == SSL3_AL_WARNING) {
+ s->s3->warn_alert = alert_descr;
++
++ s->s3->alert_count++;
++ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+ return (0);
+--- crypto/openssl/ssl/ssl.h.orig
++++ crypto/openssl/ssl/ssl.h
+@@ -2717,6 +2717,7 @@
+ # define SSL_R_TLS_HEARTBEAT_PENDING 366
+ # define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367
+ # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
++# define SSL_R_TOO_MANY_WARN_ALERTS 409
+ # define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
+ # define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
+ # define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
+--- crypto/openssl/ssl/ssl3.h.orig
++++ crypto/openssl/ssl/ssl3.h
+@@ -587,6 +587,8 @@
+ char is_probably_safari;
+ # endif /* !OPENSSL_NO_EC */
+ # endif /* !OPENSSL_NO_TLSEXT */
++ /* Count of the number of consecutive warning alerts received */
++ unsigned int alert_count;
+ } SSL3_STATE;
+
+ # endif
+--- crypto/openssl/ssl/ssl_locl.h.orig
++++ crypto/openssl/ssl/ssl_locl.h
+@@ -389,6 +389,8 @@
+ */
+ # define SSL_MAX_DIGEST 6
+
++# define MAX_WARN_ALERT_COUNT 5
++
+ # define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT)
+
+ # define TLS1_PRF_DGST_SHIFT 10
Added: user/cperciva/freebsd-update-build/patches/10.3-RELEASE/12-SA-16:33.openssh
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/10.3-RELEASE/12-SA-16:33.openssh Mon Dec 5 22:26:48 2016 (r309565)
@@ -0,0 +1,10 @@
+--- crypto/openssh/kex.c.orig
++++ crypto/openssh/kex.c
+@@ -468,6 +468,7 @@
+ if (kex == NULL)
+ return SSH_ERR_INVALID_ARGUMENT;
+
++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+ ptr = sshpkt_ptr(ssh, &dlen);
+ if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+ return r;
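Review bot: The added `ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);` has no comment saying why the KEXINIT handler is being unregistered in the middle of the receive path; a reader will not see that the point is to stop further KEXINIT messages from being appended to `kex->peer` before the exchange completes. Suggest `/* discard further KEXINIT until a new key exchange is started */` above it. This assumes the handler is re-installed when the next key exchange is initiated, which must happen in code outside this hunk — confirm. The enclosing function begins and ends outside the hunk, and the 11.0-RELEASE copy of this patch below is identical.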
Added: user/cperciva/freebsd-update-build/patches/10.3-RELEASE/12-SA-16:35.openssl
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/10.3-RELEASE/12-SA-16:35.openssl Mon Dec 5 22:26:48 2016 (r309565)
@@ -0,0 +1,94 @@
+--- crypto/openssl/ssl/d1_pkt.c.orig
++++ crypto/openssl/ssl/d1_pkt.c
+@@ -924,6 +924,13 @@
+ goto start;
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->s3->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1190,6 +1197,14 @@
+
+ if (alert_level == SSL3_AL_WARNING) {
+ s->s3->warn_alert = alert_descr;
++
++ s->s3->alert_count++;
++ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ #ifndef OPENSSL_NO_SCTP
+ /*
+--- crypto/openssl/ssl/s3_pkt.c.orig
++++ crypto/openssl/ssl/s3_pkt.c
+@@ -1057,6 +1057,13 @@
+ return (ret);
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->s3->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1271,6 +1278,14 @@
+
+ if (alert_level == SSL3_AL_WARNING) {
+ s->s3->warn_alert = alert_descr;
++
++ s->s3->alert_count++;
++ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+ return (0);
+--- crypto/openssl/ssl/ssl.h.orig
++++ crypto/openssl/ssl/ssl.h
+@@ -2717,6 +2717,7 @@
+ # define SSL_R_TLS_HEARTBEAT_PENDING 366
+ # define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367
+ # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
++# define SSL_R_TOO_MANY_WARN_ALERTS 409
+ # define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
+ # define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
+ # define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
+--- crypto/openssl/ssl/ssl3.h.orig
++++ crypto/openssl/ssl/ssl3.h
+@@ -587,6 +587,8 @@
+ char is_probably_safari;
+ # endif /* !OPENSSL_NO_EC */
+ # endif /* !OPENSSL_NO_TLSEXT */
++ /* Count of the number of consecutive warning alerts received */
++ unsigned int alert_count;
+ } SSL3_STATE;
+
+ # endif
+--- crypto/openssl/ssl/ssl_locl.h.orig
++++ crypto/openssl/ssl/ssl_locl.h
+@@ -389,6 +389,8 @@
+ */
+ # define SSL_MAX_DIGEST 6
+
++# define MAX_WARN_ALERT_COUNT 5
++
+ # define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT)
+
+ # define TLS1_PRF_DGST_SHIFT 10
Added: user/cperciva/freebsd-update-build/patches/11.0-RELEASE/3-SA-16:33.openssh
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/11.0-RELEASE/3-SA-16:33.openssh Mon Dec 5 22:26:48 2016 (r309565)
@@ -0,0 +1,10 @@
+--- crypto/openssh/kex.c.orig
++++ crypto/openssh/kex.c
+@@ -468,6 +468,7 @@
+ if (kex == NULL)
+ return SSH_ERR_INVALID_ARGUMENT;
+
++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+ ptr = sshpkt_ptr(ssh, &dlen);
+ if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+ return r;
Added: user/cperciva/freebsd-update-build/patches/9.3-RELEASE/50-SA-16:34.bind
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/9.3-RELEASE/50-SA-16:34.bind Mon Dec 5 22:26:48 2016 (r309565)
@@ -0,0 +1,184 @@
+--- contrib/bind9/lib/dns/resolver.c.orig
++++ contrib/bind9/lib/dns/resolver.c
+@@ -524,7 +524,9 @@
+ valarg->addrinfo = addrinfo;
+
+ if (!ISC_LIST_EMPTY(fctx->validators))
+- INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
++ valoptions |= DNS_VALIDATOR_DEFER;
++ else
++ valoptions &= ~DNS_VALIDATOR_DEFER;
+
+ result = dns_validator_create(fctx->res->view, name, type, rdataset,
+ sigrdataset, fctx->rmessage,
+@@ -4849,13 +4851,6 @@
+ rdataset,
+ sigrdataset,
+ valoptions, task);
+- /*
+- * Defer any further validations.
+- * This prevents multiple validators
+- * from manipulating fctx->rmessage
+- * simultaneously.
+- */
+- valoptions |= DNS_VALIDATOR_DEFER;
+ }
+ } else if (CHAINING(rdataset)) {
+ if (rdataset->type == dns_rdatatype_cname)
+@@ -4961,6 +4956,11 @@
+ eresult == DNS_R_NCACHENXRRSET);
+ }
+ event->result = eresult;
++ if (adbp != NULL && *adbp != NULL) {
++ if (anodep != NULL && *anodep != NULL)
++ dns_db_detachnode(*adbp, anodep);
++ dns_db_detach(adbp);
++ }
+ dns_db_attach(fctx->cache, adbp);
+ dns_db_transfernode(fctx->cache, &node, anodep);
+ clone_results(fctx);
+@@ -5208,6 +5208,11 @@
+ fctx->attributes |= FCTX_ATTR_HAVEANSWER;
+ if (event != NULL) {
+ event->result = eresult;
++ if (adbp != NULL && *adbp != NULL) {
++ if (anodep != NULL && *anodep != NULL)
++ dns_db_detachnode(*adbp, anodep);
++ dns_db_detach(adbp);
++ }
+ dns_db_attach(fctx->cache, adbp);
+ dns_db_transfernode(fctx->cache, &node, anodep);
+ clone_results(fctx);
+@@ -6016,13 +6021,15 @@
+ answer_response(fetchctx_t *fctx) {
+ isc_result_t result;
+ dns_message_t *message;
+- dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
++ dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
++ dns_name_t *cname = NULL;
+ dns_rdataset_t *rdataset, *ns_rdataset;
+ isc_boolean_t done, external, chaining, aa, found, want_chaining;
+- isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
++ isc_boolean_t have_answer, found_cname, found_dname, found_type;
++ isc_boolean_t wanted_chaining;
+ unsigned int aflag;
+ dns_rdatatype_t type;
+- dns_fixedname_t fdname, fqname;
++ dns_fixedname_t fdname, fqname, fqdname;
+ dns_view_t *view;
+
+ FCTXTRACE("answer_response");
+@@ -6036,6 +6043,7 @@
+
+ done = ISC_FALSE;
+ found_cname = ISC_FALSE;
++ found_dname = ISC_FALSE;
+ found_type = ISC_FALSE;
+ chaining = ISC_FALSE;
+ have_answer = ISC_FALSE;
+@@ -6045,12 +6053,13 @@
+ aa = ISC_TRUE;
+ else
+ aa = ISC_FALSE;
+- qname = &fctx->name;
++ dqname = qname = &fctx->name;
+ type = fctx->type;
+ view = fctx->res->view;
++ dns_fixedname_init(&fqdname);
+ result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+ while (!done && result == ISC_R_SUCCESS) {
+- dns_namereln_t namereln;
++ dns_namereln_t namereln, dnamereln;
+ int order;
+ unsigned int nlabels;
+
+@@ -6058,6 +6067,8 @@
+ dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
+ external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
+ namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
++ dnamereln = dns_name_fullcompare(dqname, name, &order,
++ &nlabels);
+ if (namereln == dns_namereln_equal) {
+ wanted_chaining = ISC_FALSE;
+ for (rdataset = ISC_LIST_HEAD(name->list);
+@@ -6152,7 +6163,7 @@
+ }
+ } else if (rdataset->type == dns_rdatatype_rrsig
+ && rdataset->covers ==
+- dns_rdatatype_cname
++ dns_rdatatype_cname
+ && !found_type) {
+ /*
+ * We're looking for something else,
+@@ -6182,11 +6193,18 @@
+ * a CNAME or DNAME).
+ */
+ INSIST(!external);
+- if (aflag ==
+- DNS_RDATASETATTR_ANSWER) {
++ if ((rdataset->type !=
++ dns_rdatatype_cname) ||
++ !found_dname ||
++ (aflag ==
++ DNS_RDATASETATTR_ANSWER))
++ {
+ have_answer = ISC_TRUE;
++ if (rdataset->type ==
++ dns_rdatatype_cname)
++ cname = name;
+ name->attributes |=
+- DNS_NAMEATTR_ANSWER;
++ DNS_NAMEATTR_ANSWER;
+ }
+ rdataset->attributes |= aflag;
+ if (aa)
+@@ -6280,11 +6298,11 @@
+ return (DNS_R_FORMERR);
+ }
+
+- if (namereln != dns_namereln_subdomain) {
++ if (dnamereln != dns_namereln_subdomain) {
+ char qbuf[DNS_NAME_FORMATSIZE];
+ char obuf[DNS_NAME_FORMATSIZE];
+
+- dns_name_format(qname, qbuf,
++ dns_name_format(dqname, qbuf,
+ sizeof(qbuf));
+ dns_name_format(name, obuf,
+ sizeof(obuf));
+@@ -6299,7 +6317,7 @@
+ want_chaining = ISC_TRUE;
+ POST(want_chaining);
+ aflag = DNS_RDATASETATTR_ANSWER;
+- result = dname_target(rdataset, qname,
++ result = dname_target(rdataset, dqname,
+ nlabels, &fdname);
+ if (result == ISC_R_NOSPACE) {
+ /*
+@@ -6316,10 +6334,13 @@
+
+ dname = dns_fixedname_name(&fdname);
+ if (!is_answertarget_allowed(view,
+- qname, rdataset->type,
+- dname, &fctx->domain)) {
++ dqname, rdataset->type,
++ dname, &fctx->domain))
++ {
+ return (DNS_R_SERVFAIL);
+ }
++ dqname = dns_fixedname_name(&fqdname);
++ dns_name_copy(dname, dqname, NULL);
+ } else {
+ /*
+ * We've found a signature that
+@@ -6344,6 +6365,10 @@
+ INSIST(!external);
+ if (aflag == DNS_RDATASETATTR_ANSWER) {
+ have_answer = ISC_TRUE;
++ found_dname = ISC_TRUE;
++ if (cname != NULL)
++ cname->attributes &=
++ ~DNS_NAMEATTR_ANSWER;
+ name->attributes |=
+ DNS_NAMEATTR_ANSWER;
+ }
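Review bot: The first hunk replaces the `INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0)` invariant check with an unconditional set/clear of `DNS_VALIDATOR_DEFER`, while the later hunk deletes the comment that explained the rationale ("Defer any further validations. This prevents multiple validators from manipulating fctx->rmessage simultaneously."); that comment should move to the new `if (!ISC_LIST_EMPTY(fctx->validators))` branch so the reason for forcing deferral is not lost. The detach-before-attach block `if (adbp != NULL && *adbp != NULL) { ... dns_db_detach(adbp); }` is duplicated verbatim in two hunks; a small static helper called from both sites would keep them from drifting apart. The `found_dname`/`cname` bookkeeping in answer_response clears `DNS_NAMEATTR_ANSWER` on a previously recorded CNAME once a DNAME answer is seen, which deserves a one-line comment at the `cname = name;` assignment explaining that the pointer is kept for that purpose. The enclosing functions for each of these hunks start and end outside the shown lines.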
Added: user/cperciva/freebsd-update-build/patches/9.3-RELEASE/50-SA-16:35.openssl
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/9.3-RELEASE/50-SA-16:35.openssl Mon Dec 5 22:26:48 2016 (r309565)
@@ -0,0 +1,94 @@
+--- crypto/openssl/ssl/d1_pkt.c.orig
++++ crypto/openssl/ssl/d1_pkt.c
+@@ -820,6 +820,13 @@
+ goto start;
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->s3->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1043,6 +1050,14 @@
+
+ if (alert_level == 1) { /* warning */
+ s->s3->warn_alert = alert_descr;
++
++ s->s3->alert_count++;
++ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+ return (0);
+--- crypto/openssl/ssl/s3_pkt.c.orig
++++ crypto/openssl/ssl/s3_pkt.c
+@@ -922,6 +922,13 @@
+ return (ret);
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->s3->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1121,6 +1128,14 @@
+
+ if (alert_level == 1) { /* warning */
+ s->s3->warn_alert = alert_descr;
++
++ s->s3->alert_count++;
++ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+ return (0);
+--- crypto/openssl/ssl/ssl.h.orig
++++ crypto/openssl/ssl/ssl.h
+@@ -2195,6 +2195,7 @@
+ # define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110
+ # define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232
+ # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 227
++# define SSL_R_TOO_MANY_WARN_ALERTS 409
+ # define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
+ # define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
+ # define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
+--- crypto/openssl/ssl/ssl3.h.orig
++++ crypto/openssl/ssl/ssl3.h
+@@ -491,6 +491,8 @@
+ char is_probably_safari;
+ # endif /* !OPENSSL_NO_EC */
+ # endif /* !OPENSSL_NO_TLSEXT */
++ /* Count of the number of consecutive warning alerts received */
++ unsigned int alert_count;
+ } SSL3_STATE;
+
+ /* SSLv3 */
+--- crypto/openssl/ssl/ssl_locl.h.orig
++++ crypto/openssl/ssl/ssl_locl.h
+@@ -247,6 +247,8 @@
+ # define DEC32(a) ((a)=((a)-1)&0xffffffffL)
+ # define MAX_MAC_SIZE 20 /* up from 16 for SSLv3 */
+
++# define MAX_WARN_ALERT_COUNT 5
++
+ /*
+ * Define the Bitmasks for SSL_CIPHER.algorithms.
+ * This bits are used packed as dense as possible. If new methods/ciphers