author | Sona Sarmadi <sona.sarmadi@enea.com> | 2014-11-06 07:14:31 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-11-06 11:42:30 +0000 |
commit | f4e20ca712587b9b85119f8355ac2b63ed148c81 (patch) | |
tree | cf0e2fe5cd4a6c86d4a70c7df96ca39604a388f4 | |
parent | 98408832c222a0abc31c48cb2b514a16998b29bc (diff) | |
download | poky-f4e20ca712587b9b85119f8355ac2b63ed148c81.tar.gz |
openssl: Fix for CVE-2014-3513
Fix for SRTP Memory Leak
This patch is a backport from OpenSSL_1.0.1j.
(From OE-Core rev: 6c19ca0d5aa6094aa2cfede821d63c008951cfb7)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-fix-CVE-2014-3513.patch | 211 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl_1.0.1e.bb | 1 |
2 files changed, 212 insertions, 0 deletions
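--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-fix-CVE-2014-3513.patch
@@ -0,0 +1,211 @@
+From 2b0532f3984324ebe1236a63d15893792384328d Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Wed, 15 Oct 2014 01:20:38 +0100
+Subject: [PATCH] Fix for SRTP Memory Leak
+
+CVE-2014-3513
+
+This issue was reported to OpenSSL on 26th September 2014, based on an origi
+issue and patch developed by the LibreSSL project. Further analysis of the i
+was performed by the OpenSSL team.
+
+The fix was developed by the OpenSSL team.
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com>
+---
+ssl/d1_srtp.c | 93 +++++++++++++++++++--------------------------------------
+ssl/t1_lib.c | 9 +++---
+2 files changed, 36 insertions(+), 66 deletions(-)
+
+diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c
+index ab9c419..535539b 100644
+--- a/ssl/d1_srtp.c
++++ b/ssl/d1_srtp.c
+@@ -168,25 +168,6 @@ static int find_profile_by_name(char *profile_name,
+return 1;
+}
+
+-static int find_profile_by_num(unsigned profile_num,
+- SRTP_PROTECTION_PROFILE **pptr)
+- {
+- SRTP_PROTECTION_PROFILE *p;
+-
+- p=srtp_known_profiles;
+- while(p->name)
+- {
+- if(p->id == profile_num)
+- {
+- *pptr=p;
+- return 0;
+- }
+- p++;
+- }
+-
+- return 1;
+- }
+-
+static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTECTION_PROFILE) **out)
+{
+STACK_OF(SRTP_PROTECTION_PROFILE) *profiles;
+@@ -209,11 +190,19 @@ static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTE
+if(!find_profile_by_name(ptr,&p,
+col ? col-ptr : (int)strlen(ptr)))
+{
++ if (sk_SRTP_PROTECTION_PROFILE_find(profiles,p) >= 0)
++ {
++ SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
++ sk_SRTP_PROTECTION_PROFILE_free(profiles);
++ return 1;
++ }
++
+sk_SRTP_PROTECTION_PROFILE_push(profiles,p);
+}
+else
+{
+SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
++ sk_SRTP_PROTECTION_PROFILE_free(profiles);
+return 1;
+}
+
+@@ -305,13 +294,12 @@ int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int max
+
+int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al)
+{
+- SRTP_PROTECTION_PROFILE *cprof,*sprof;
+- STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0,*srvr;
++ SRTP_PROTECTION_PROFILE *sprof;
++ STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
+int ct;
+int mki_len;
+- int i,j;
+- int id;
+- int ret;
++ int i, srtp_pref;
++ unsigned int id;
+
+/* Length value + the MKI length */
+if(len < 3)
+@@ -341,22 +329,32 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al
+return 1;
+}
+
++ srvr=SSL_get_srtp_profiles(s);
++ s->srtp_profile = NULL;
++ /* Search all profiles for a match initially */
++ srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
+
+- clnt=sk_SRTP_PROTECTION_PROFILE_new_null();
+-
+while(ct)
+{
+n2s(d,id);
+ct-=2;
+len-=2;
+
+- if(!find_profile_by_num(id,&cprof))
++ /*
++ * Only look for match in profiles of higher preference than
++ * current match.
++ * If no profiles have been have been configured then this
++ * does nothing.
++ */
++ for (i = 0; i < srtp_pref; i++)
+{
+- sk_SRTP_PROTECTION_PROFILE_push(clnt,cprof);
+- }
+- else
+- {
+- ; /* Ignore */
++ sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
++ if (sprof->id == id)
++ {
++ s->srtp_profile = sprof;
++ srtp_pref = i;
++ break;
++ }
+}
+}
+
+@@ -371,36 +369,7 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al
+return 1;
+}
+
+- srvr=SSL_get_srtp_profiles(s);
+-
+- /* Pick our most preferred profile. If no profiles have been
+- configured then the outer loop doesn't run
+- (sk_SRTP_PROTECTION_PROFILE_num() = -1)
+- and so we just return without doing anything */
+- for(i=0;i<sk_SRTP_PROTECTION_PROFILE_num(srvr);i++)
+- {
+- sprof=sk_SRTP_PROTECTION_PROFILE_value(srvr,i);
+-
+- for(j=0;j<sk_SRTP_PROTECTION_PROFILE_num(clnt);j++)
+- {
+- cprof=sk_SRTP_PROTECTION_PROFILE_value(clnt,j);
+-
+- if(cprof->id==sprof->id)
+- {
+- s->srtp_profile=sprof;
+- *al=0;
+- ret=0;
+- goto done;
+- }
+- }
+- }
+-
+- ret=0;
+-
+-done:
+- if(clnt) sk_SRTP_PROTECTION_PROFILE_free(clnt);
+-
+- return ret;
++ return 0;
+}
+
+int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index 022a4fb..12ee3c9 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -643,7 +643,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
+#endif
+
+#ifndef OPENSSL_NO_SRTP
+- if(SSL_get_srtp_profiles(s))
++ if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
+{
+int el;
+
+@@ -806,7 +806,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c
+#endif
+
+#ifndef OPENSSL_NO_SRTP
+- if(s->srtp_profile)
++ if(SSL_IS_DTLS(s) && s->srtp_profile)
+{
+int el;
+
+@@ -1444,7 +1444,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
+
+/* session ticket processed earlier */
+#ifndef OPENSSL_NO_SRTP
+- else if (type == TLSEXT_TYPE_use_srtp)
++ else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
++ && type == TLSEXT_TYPE_use_srtp)
+{
+if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
+al))
+@@ -1698,7 +1699,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
+}
+#endif
+#ifndef OPENSSL_NO_SRTP
+- else if (type == TLSEXT_TYPE_use_srtp)
++ else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
+{
+if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
+al))
+--
+1.7.9.5
+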
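Review bot: The context line `sk_SRTP_PROTECTION_PROFILE_push(profiles,p);` in the ssl_ctx_make_profiles hunk still discards its return value, so a push that fails (allocation failure) silently leaves a configured profile out of the list, while the new duplicate-profile branch directly above it reports an error and frees the stack. For consistency with that new branch the line should become `if(!sk_SRTP_PROTECTION_PROFILE_push(profiles,p)) { sk_SRTP_PROTECTION_PROFILE_free(profiles); return 1; }`; ssl_ctx_make_profiles starts and ends outside the hunk, so confirm that `*out` has not already been assigned when that free runs. The e-mail header at the top of the new .patch carries no `Upstream-Status:` tag, which OE-Core's patch convention expects; since the commit message states this is a backport from OpenSSL_1.0.1j, add `Upstream-Status: Backport` next to the Reviewed-by trailer. The new comment in ssl_parse_clienthello_use_srtp_ext reads `If no profiles have been have been configured` and should drop the duplicated words.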
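--- a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
@@ -45,6 +45,7 @@ SRC_URI += "file://configure-targets.patch \
 file://openssl-1.0.1e-cve-2014-3470.patch \
 file://openssl-CVE-2010-5298.patch \
 file://openssl-fix-CVE-2014-3566.patch \
+file://openssl-fix-CVE-2014-3513.patch \
 "
 
 SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c"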