Imported Debian patch 1.4.28-2+squeeze1.2debian/1.4.28-2+squeeze1.2

6 files changed, 237 insertions, 3 deletions

diff --git a/debian/NEWS b/debian/NEWS
index c31c290..6c456f6 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,18 @@
+lighttpd (1.4.28-2+squeeze1.1) stable-security; urgency=high
+
+  To fix a security vulnerability in the design of the SSL/TLS protocol
+  (CVE-2009-3555), the protocol had to be extended (RFC 5746). By default,
+  session renegotiation is no longer supported with old clients that do not
+  implement this extension. This breaks certain configurations with client
+  certificate authentication. If you still need to support old clients, you
+  may restore the old (insecure) behaviour by adding the configuration option
+
+      ssl.disable-client-renegotiation = "disable"
+
+  to /etc/lighttpd/lighttpd.conf.
+
+ -- Thijs Kinkhorst <thijs@debian.org>  Thu, 14 Feb 2013 19:42:19 +0100
+
 lighttpd (1.4.28-2+squeeze1) stable-security; urgency=high
 
   This releases includes an option to force Lighttpd to honor the cipher order
diff --git a/debian/changelog b/debian/changelog
index bfa16d1..3a96b61 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+lighttpd (1.4.28-2+squeeze1.2) stable-security; urgency=high
+
+  * Fix numbering issue with the newly added configuration option.
+    Thanks Wessel Dankers.
+
+ -- Thijs Kinkhorst <thijs@debian.org>  Sat, 16 Feb 2013 19:13:19 +0100
+
+lighttpd (1.4.28-2+squeeze1.1) stable-security; urgency=high
+
+  * Non-maintainer upload by the security team.
+  * Backport upstream fixes for SSL attacks:
+    + Disable client triggered renegotiation by default (CVE-2009-3555).
+      Can be re-enabled with ssl.disable-client-renegotiation = "disable".
+    + Disable SSL compression at build time (CVE-2012-4929, 'CRIME').
+    (closes: #700399)
+
+ -- Thijs Kinkhorst <thijs@debian.org>  Tue, 12 Feb 2013 13:56:53 +0100
+
 lighttpd (1.4.28-2+squeeze1) stable-security; urgency=high
 
   * Backport security issues from 1.4.30:
diff --git a/debian/gbp.conf b/debian/gbp.conf
deleted file mode 100644
index 75eed04..0000000
--- a/debian/gbp.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[DEFAULT]
-pristine-tar=true
-debian-branch=squeeze
diff --git a/debian/patches/series b/debian/patches/series
index 8441374..3beaef4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,5 @@ silence-errors.diff
 fix-CVE-2011-4362.patch
 ssl-mitigate-beast.patch
 debian-changes-1.4.28-2
+ssl-reneg.patch
+ssl-crime.patch
diff --git a/debian/patches/ssl-crime.patch b/debian/patches/ssl-crime.patch
new file mode 100644
index 0000000..49b4728
--- /dev/null
+++ b/debian/patches/ssl-crime.patch
@@ -0,0 +1,20 @@
+Description: Disable SSL compression.
+ Mitigates the SSL CRIME (CVE-2012-4929) attacks.
+ Upstream patch uses option only present in wheezy openssl, so
+ this code is needed to actually disable compression in squeeze.
+Forwarded: not-needed
+Bug-Debian: http://bugs.debian.org/700399
+
+diff -Nur lighttpd-1.4.28/src/network.c lighttpd-1.4.28.new/src/network.c
+--- lighttpd-1.4.28/src/network.c	2013-02-12 15:20:23.000000000 +0100
++++ lighttpd-1.4.28.new/src/network.c	2013-02-12 15:19:51.954559635 +0100
+@@ -566,6 +566,9 @@
+ 			}
+ 		}
+ 
++		/* Debian: disable ssl compression to mitigate CRIME attack. */
++		sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
++
+ 		if (!buffer_is_empty(s->ssl_cipher_list)) {
+ 			/* Disable support for low encryption ciphers */
+ 			if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
diff --git a/debian/patches/ssl-reneg.patch b/debian/patches/ssl-reneg.patch
new file mode 100644
index 0000000..a967943
--- /dev/null
+++ b/debian/patches/ssl-reneg.patch
@@ -0,0 +1,182 @@
+Description: Disable SSL renegotiation.
+ Mitigates the SSL renegotiation (CVE-2009-3555) attacks.
+ Introduces a new configuration option: ssl.disable-client-renegotiation,
+ default true. Upstream also included code to disable SSL compression
+ in the same commit. This does not work on the openssl in squeeze but
+ doesn't hurt.
+Forwarded: not-needed
+Origin: upstream, r2808 r2809 r2812
+Bug-Debian: http://bugs.debian.org/700399
+
+Index: b/src/network.c
+===================================================================
+--- a/src/network.c	2013-02-16 19:18:04.438541647 +0100
++++ b/src/network.c	2013-02-16 19:18:07.278507389 +0100
+@@ -27,6 +27,19 @@
+ # include <openssl/rand.h>
+ #endif
+ 
++#ifdef USE_OPENSSL
++static void ssl_info_callback(const SSL *ssl, int where, int ret) {
++	UNUSED(ret);
++
++	if (0 != (where & SSL_CB_HANDSHAKE_START)) {
++		connection *con = SSL_get_app_data(ssl);
++		++con->renegotiations;
++	} else if (0 != (where & SSL_CB_HANDSHAKE_DONE)) {
++		ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
++	}
++}
++#endif
++
+ static handler_t network_server_handle_fdevent(server *srv, void *context, int revents) {
+ 	server_socket *srv_socket = (server_socket *)context;
+ 	connection *con;
+@@ -504,6 +517,11 @@
+ 	/* load SSL certificates */
+ 	for (i = 0; i < srv->config_context->used; i++) {
+ 		specific_config *s = srv->config_storage[i];
++#ifndef SSL_OP_NO_COMPRESSION
++# define SSL_OP_NO_COMPRESSION 0
++#endif
++		long ssloptions =
++			SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_NO_COMPRESSION;
+ 
+ 		if (buffer_is_empty(s->ssl_pemfile)) continue;
+ 
+@@ -536,6 +554,9 @@
+ 			return -1;
+ 		}
+ 
++		SSL_CTX_set_options(s->ssl_ctx, ssloptions);
++		SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback);
++
+ 		if (!s->ssl_use_sslv2) {
+ 			/* disable SSLv2 */
+ 			if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) {
+Index: b/src/base.h
+===================================================================
+--- a/src/base.h	2013-02-16 19:18:04.426502421 +0100
++++ b/src/base.h	2013-02-16 19:18:04.466500766 +0100
+@@ -282,6 +282,7 @@
+ 	unsigned short ssl_verifyclient_depth;
+ 	buffer *ssl_verifyclient_username;
+ 	unsigned short ssl_verifyclient_export_cert;
++	unsigned short ssl_disable_client_renegotiation;
+ 
+ 	unsigned short use_ipv6, set_v6only; /* set_v6only is only a temporary option */
+ 	unsigned short defer_accept;
+@@ -435,6 +436,7 @@
+ # ifndef OPENSSL_NO_TLSEXT
+ 	buffer *tlsext_server_name;
+ # endif
++	unsigned int renegotiations; /* count of SSL_CB_HANDSHAKE_START */
+ #endif
+ 	/* etag handling */
+ 	etag_flags_t etag_flags;
+Index: b/src/network_openssl.c
+===================================================================
+--- a/src/network_openssl.c	2013-02-16 19:17:56.758505345 +0100
++++ b/src/network_openssl.c	2013-02-16 19:18:04.486539910 +0100
+@@ -87,7 +87,14 @@
+ 			 */
+ 
+ 			ERR_clear_error();
+-			if ((r = SSL_write(ssl, offset, toSend)) <= 0) {
++			r = SSL_write(ssl, offset, toSend);
++
++			if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
++				log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
++				return -1;
++			}
++
++			if (r <= 0) {
+ 				unsigned long err;
+ 
+ 				switch ((ssl_r = SSL_get_error(ssl, r))) {
+@@ -190,7 +197,14 @@
+ 				close(ifd);
+ 
+ 				ERR_clear_error();
+-				if ((r = SSL_write(ssl, s, toSend)) <= 0) {
++				r = SSL_write(ssl, s, toSend);
++
++				if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
++					log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
++					return -1;
++				}
++
++				if (r <= 0) {
+ 					unsigned long err;
+ 
+ 					switch ((ssl_r = SSL_get_error(ssl, r))) {
+Index: b/src/connections.c
+===================================================================
+--- a/src/connections.c	2013-02-16 19:18:04.402514856 +0100
++++ b/src/connections.c	2013-02-16 19:18:04.490538415 +0100
+@@ -223,6 +223,12 @@
+ 
+ 		len = SSL_read(con->ssl, b->ptr + read_offset, toread);
+ 
++		if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
++			connection_set_state(srv, con, CON_STATE_ERROR);
++			log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
++			return -1;
++		}
++
+ 		if (len > 0) {
+ 			if (b->used > 0) b->used--;
+ 			b->used += len;
+@@ -1352,6 +1358,7 @@
+ 				return NULL;
+ 			}
+ 
++			con->renegotiations = 0;
+ #ifndef OPENSSL_NO_TLSEXT
+ 			SSL_set_app_data(con->ssl, con);
+ #endif
+Index: b/src/configfile.c
+===================================================================
+--- a/src/configfile.c	2013-02-16 19:18:04.430500920 +0100
++++ b/src/configfile.c	2013-02-16 19:18:04.494546359 +0100
+@@ -103,6 +103,7 @@
+ 
+ 		{ "server.set-v6only",           NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 61 */
+ 		{ "ssl.honor-cipher-order",      NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER},      /* 62 */
++		{ "ssl.disable-client-renegotiation", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },/* 63 */
+ 
+ 		{ "server.host",                 "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
+ 		{ "server.docroot",              "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
+@@ -195,6 +196,7 @@
+ 		s->ssl_verifyclient_username = buffer_init();
+ 		s->ssl_verifyclient_depth = 9;
+ 		s->ssl_verifyclient_export_cert = 0;
++		s->ssl_disable_client_renegotiation = 1;
+ 
+ 		cv[2].destination = s->errorfile_prefix;
+ 
+@@ -249,6 +251,7 @@
+ 		cv[59].destination = s->ssl_verifyclient_username;
+ 		cv[60].destination = &(s->ssl_verifyclient_export_cert);
+ 		cv[62].destination = &(s->ssl_honor_cipher_order);
++		cv[63].destination = &(s->ssl_disable_client_renegotiation);
+ 
+ 		srv->config_storage[i] = s;
+ 
+@@ -338,6 +341,7 @@
+ 	PATCH(ssl_verifyclient_depth);
+ 	PATCH(ssl_verifyclient_username);
+ 	PATCH(ssl_verifyclient_export_cert);
++	PATCH(ssl_disable_client_renegotiation);
+ 
+ 	return 0;
+ }
+@@ -442,6 +446,8 @@
+ 				PATCH(ssl_verifyclient_username);
+ 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.exportcert"))) {
+ 				PATCH(ssl_verifyclient_export_cert);
++			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.disable-client-renegotiation"))) {
++				PATCH(ssl_disable_client_renegotiation);
+ 			}
+ 		}
+ 	}