From 6f14fd2bda6eadfccd084ca4a31173c962ef6e06 Mon Sep 17 00:00:00 2001
From: delphij <delphij@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Date: Wed, 2 Nov 2016 07:09:31 +0000
Subject: [PATCH] Backport OpenSSL commit
 af58be768ebb690f78530f796e92b8ae5c9a4401:

  Don't allow too many consecutive warning alerts

  Certain warning alerts are ignored if they are received. This can mean that
  no progress will be made if one peer continually sends those warning alerts.
  Implement a count so that we abort the connection if we receive too many.

  Issue reported by Shi Lei.

This is a direct commit to stable/10 and stable/9.

Security:	CVE-2016-8610


git-svn-id: svn://svn.freebsd.org/base/stable/9@308200 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 crypto/openssl/ssl/d1_pkt.c   | 15 +++++++++++++++
 crypto/openssl/ssl/s3_pkt.c   | 15 +++++++++++++++
 crypto/openssl/ssl/ssl.h      |  1 +
 crypto/openssl/ssl/ssl3.h     |  2 ++
 crypto/openssl/ssl/ssl_locl.h |  2 ++
 5 files changed, 35 insertions(+)

diff --git a/crypto/openssl/ssl/d1_pkt.c b/crypto/openssl/ssl/d1_pkt.c
index 034a4fa25..9a5b14582 100644
--- a/crypto/openssl/ssl/d1_pkt.c
+++ b/crypto/openssl/ssl/d1_pkt.c
@@ -820,6 +820,13 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
         goto start;
     }
 
+    /*
+     * Reset the count of consecutive warning alerts if we've got a non-empty
+     * record that isn't an alert.
+     */
+    if (rr->type != SSL3_RT_ALERT && rr->length != 0)
+        s->s3->alert_count = 0;
+
     /* we now have a packet which can be read and processed */
 
     if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
@@ -1043,6 +1050,14 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 
         if (alert_level == 1) { /* warning */
             s->s3->warn_alert = alert_descr;
+
+            s->s3->alert_count++;
+            if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
+                al = SSL_AD_UNEXPECTED_MESSAGE;
+                SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
+                goto f_err;
+            }
+
             if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
                 s->shutdown |= SSL_RECEIVED_SHUTDOWN;
                 return (0);
diff --git a/crypto/openssl/ssl/s3_pkt.c b/crypto/openssl/ssl/s3_pkt.c
index ca0ef7064..8a9c92e6f 100644
--- a/crypto/openssl/ssl/s3_pkt.c
+++ b/crypto/openssl/ssl/s3_pkt.c
@@ -922,6 +922,13 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
             return (ret);
     }
 
+    /*
+     * Reset the count of consecutive warning alerts if we've got a non-empty
+     * record that isn't an alert.
+     */
+    if (rr->type != SSL3_RT_ALERT && rr->length != 0)
+        s->s3->alert_count = 0;
+
     /* we now have a packet which can be read and processed */
 
     if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
@@ -1121,6 +1128,14 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 
         if (alert_level == 1) { /* warning */
             s->s3->warn_alert = alert_descr;
+
+            s->s3->alert_count++;
+            if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
+                al = SSL_AD_UNEXPECTED_MESSAGE;
+                SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
+                goto f_err;
+            }
+
             if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
                 s->shutdown |= SSL_RECEIVED_SHUTDOWN;
                 return (0);
diff --git a/crypto/openssl/ssl/ssl.h b/crypto/openssl/ssl/ssl.h
index 0c2a30320..b6aa2cdab 100644
--- a/crypto/openssl/ssl/ssl.h
+++ b/crypto/openssl/ssl/ssl.h
@@ -2195,6 +2195,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_R_TLSV1_UNSUPPORTED_EXTENSION                1110
 # define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER       232
 # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST             227
+# define SSL_R_TOO_MANY_WARN_ALERTS                       409
 # define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
 # define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG    234
 # define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER            235
diff --git a/crypto/openssl/ssl/ssl3.h b/crypto/openssl/ssl/ssl3.h
index 761a0e20b..eda992fce 100644
--- a/crypto/openssl/ssl/ssl3.h
+++ b/crypto/openssl/ssl/ssl3.h
@@ -491,6 +491,8 @@ typedef struct ssl3_state_st {
     char is_probably_safari;
 #  endif                        /* !OPENSSL_NO_EC */
 # endif                         /* !OPENSSL_NO_TLSEXT */
+    /* Count of the number of consecutive warning alerts received */
+    unsigned int alert_count;
 } SSL3_STATE;
 
 /* SSLv3 */
diff --git a/crypto/openssl/ssl/ssl_locl.h b/crypto/openssl/ssl/ssl_locl.h
index 31a9cecca..ecb0814f3 100644
--- a/crypto/openssl/ssl/ssl_locl.h
+++ b/crypto/openssl/ssl/ssl_locl.h
@@ -247,6 +247,8 @@
 # define DEC32(a)        ((a)=((a)-1)&0xffffffffL)
 # define MAX_MAC_SIZE    20     /* up from 16 for SSLv3 */
 
+# define MAX_WARN_ALERT_COUNT    5
+
 /*
  * Define the Bitmasks for SSL_CIPHER.algorithms.
  * This bits are used packed as dense as possible. If new methods/ciphers
-- 
2.45.0