Date: Sat, 16 Dec 2017 17:33:32 +0000 (UTC) From: Jimmy Olgeni <olgeni@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r456477 - in head/lang/erlang-runtime17: . files Message-ID: <201712161733.vBGHXWdT003610@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: olgeni Date: Sat Dec 16 17:33:32 2017 New Revision: 456477 URL: https://svnweb.freebsd.org/changeset/ports/456477 Log: lang/erlang-runtime17: backport fix for CVE-2017-1000385 from erlang-runtime18. PR: 224278 Submitted by: Stefan Grundmann Added: head/lang/erlang-runtime17/files/patch-lib_ssl_src_ssl__connection.erl (contents, props changed) head/lang/erlang-runtime17/files/patch-lib_ssl_src_ssl__connection.hrl (contents, props changed) head/lang/erlang-runtime17/files/patch-lib_ssl_src_tls__connection.erl (contents, props changed) Modified: head/lang/erlang-runtime17/Makefile Modified: head/lang/erlang-runtime17/Makefile ============================================================================== --- head/lang/erlang-runtime17/Makefile Sat Dec 16 17:18:36 2017 (r456476) +++ head/lang/erlang-runtime17/Makefile Sat Dec 16 17:33:32 2017 (r456477) @@ -3,7 +3,7 @@ PORTNAME= erlang PORTVERSION= 17.5.6.9 -PORTREVISION= 6 +PORTREVISION= 7 CATEGORIES= lang parallel java MASTER_SITES= http://www.erlang.org/download/:erlangorg \ http://erlang.stacken.kth.se/download/:erlangorg \ Added: head/lang/erlang-runtime17/files/patch-lib_ssl_src_ssl__connection.erl ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/lang/erlang-runtime17/files/patch-lib_ssl_src_ssl__connection.erl Sat Dec 16 17:33:32 2017 (r456477) @@ -0,0 +1,30 @@ +--- lib/ssl/src/ssl_connection.erl.orig 2015-03-31 12:32:52.000000000 +0000 ++++ lib/ssl/src/ssl_connection.erl 2017-12-14 13:13:46.570861000 +0000 +@@ -1135,8 +1135,25 @@ + request_client_cert(State2, Connection). + + certify_client_key_exchange(#encrypted_premaster_secret{premaster_secret= EncPMS}, +- #state{private_key = Key} = State, Connection) -> +- PremasterSecret = ssl_handshake:premaster_secret(EncPMS, Key), ++ #state{private_key = Key, client_hello_version = {Major, Minor} = Version } = State, Connection) -> ++ ++ %% Countermeasure for Bleichenbacher attack always provide some kind of premaster secret ++ %% and fail handshake later.RFC 5246 section 7.4.7.1. ++ PremasterSecret = ++ try ssl_handshake:premaster_secret(EncPMS, Key) of ++ Secret when erlang:byte_size(Secret) == ?NUM_OF_PREMASTERSECRET_BYTES -> ++ case Secret of ++ <<?BYTE(Major), ?BYTE(Minor), _/binary>> -> %% Correct ++ Secret; ++ <<?BYTE(_), ?BYTE(_), Rest/binary>> -> %% Version mismatch ++ <<?BYTE(Major), ?BYTE(Minor), Rest/binary>> ++ end; ++ _ -> %% erlang:byte_size(Secret) =/= ?NUM_OF_PREMASTERSECRET_BYTES ++ make_premaster_secret(Version, rsa) ++ catch ++ #alert{description = ?DECRYPT_ERROR} -> ++ make_premaster_secret(Version, rsa) ++ end, + calculate_master_secret(PremasterSecret, State, Connection, certify, cipher); + + certify_client_key_exchange(#client_diffie_hellman_public{dh_public = ClientPublicDhKey}, Added: head/lang/erlang-runtime17/files/patch-lib_ssl_src_ssl__connection.hrl ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/lang/erlang-runtime17/files/patch-lib_ssl_src_ssl__connection.hrl Sat Dec 16 17:33:32 2017 (r456477) @@ -0,0 +1,12 @@ +--- lib/ssl/src/ssl_connection.hrl.orig 2015-03-31 12:32:52.000000000 +0000 ++++ lib/ssl/src/ssl_connection.hrl 2017-12-14 13:18:02.736638000 +0000 +@@ -53,7 +53,8 @@ + session :: #session{} | secret_printout(), + session_cache :: db_handle(), + session_cache_cb :: atom(), +- negotiated_version :: ssl_record:ssl_version(), ++ negotiated_version :: ssl_record:ssl_version() | 'undefined', ++ client_hello_version :: ssl_record:ssl_version() | 'undefined', + client_certificate_requested = false :: boolean(), + key_algorithm :: ssl_cipher:key_algo(), + hashsign_algorithm = {undefined, undefined}, Added: head/lang/erlang-runtime17/files/patch-lib_ssl_src_tls__connection.erl ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/lang/erlang-runtime17/files/patch-lib_ssl_src_tls__connection.erl Sat Dec 16 17:33:32 2017 (r456477) @@ -0,0 +1,10 @@ +--- lib/ssl/src/tls_connection.erl.orig 2015-03-31 12:32:52.000000000 +0000 ++++ lib/ssl/src/tls_connection.erl 2017-12-14 13:22:41.792681000 +0000 +@@ -197,6 +197,7 @@ + ssl_connection:hello({common_client_hello, Type, ServerHelloExt, HashSign}, + State#state{connection_states = ConnectionStates, + negotiated_version = Version, ++ client_hello_version = ClientVersion, + session = Session, + client_ecc = {EllipticCurves, EcPointFormats}}, ?MODULE); + #alert{} = Alert ->
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201712161733.vBGHXWdT003610>