diff options
author | Armin Kuster <akuster@mvista.com> | 2016-11-06 07:33:27 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-12-06 22:46:44 +0000 |
commit | 96c1644d0d474bc451fdf3c4efea70eef49b8e57 (patch) | |
tree | 01f016655620fedbd40150282d29521a2b0936a0 | |
parent | 9e1ca0ba844bca849d9bafa4026fc5365aa55f50 (diff) | |
download | poky-96c1644d0d474bc451fdf3c4efea70eef49b8e57.tar.gz |
openssl: Security fix CVE-2016-8610
affects openssl < 1.0.2i
(From OE-Core rev: 0256b61cdafe540edb3cec2a34429e24b037cfae)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/CVE-2016-8610.patch | 124 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl_1.0.2h.bb | 1 |
2 files changed, 125 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-8610.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-8610.patch new file mode 100644 index 0000000000..c2af589bba --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-8610.patch | |||
@@ -0,0 +1,124 @@ | |||
1 | From 22646a075e75991b4e8f5d67171e45a6aead5b48 Mon Sep 17 00:00:00 2001 | ||
2 | From: Matt Caswell <matt@openssl.org> | ||
3 | Date: Wed, 21 Sep 2016 14:48:16 +0100 | ||
4 | Subject: [PATCH] Don't allow too many consecutive warning alerts | ||
5 | |||
6 | Certain warning alerts are ignored if they are received. This can mean that | ||
7 | no progress will be made if one peer continually sends those warning alerts. | ||
8 | Implement a count so that we abort the connection if we receive too many. | ||
9 | |||
10 | Issue reported by Shi Lei. | ||
11 | |||
12 | Reviewed-by: Rich Salz <rsalz@openssl.org> | ||
13 | |||
14 | Upstream-Status: Backport | ||
15 | CVE: CVE-2016-8610 | ||
16 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
17 | |||
18 | --- | ||
19 | ssl/d1_pkt.c | 15 +++++++++++++++ | ||
20 | ssl/s3_pkt.c | 15 +++++++++++++++ | ||
21 | ssl/ssl.h | 1 + | ||
22 | ssl/ssl_locl.h | 4 ++++ | ||
23 | 4 files changed, 35 insertions(+) | ||
24 | |||
25 | Index: openssl-1.0.2h/ssl/d1_pkt.c | ||
26 | =================================================================== | ||
27 | --- openssl-1.0.2h.orig/ssl/d1_pkt.c | ||
28 | +++ openssl-1.0.2h/ssl/d1_pkt.c | ||
29 | @@ -928,6 +928,13 @@ int dtls1_read_bytes(SSL *s, int type, u | ||
30 | goto start; | ||
31 | } | ||
32 | |||
33 | + /* | ||
34 | + * Reset the count of consecutive warning alerts if we've got a non-empty | ||
35 | + * record that isn't an alert. | ||
36 | + */ | ||
37 | + if (rr->type != SSL3_RT_ALERT && rr->length != 0) | ||
38 | + s->cert->alert_count = 0; | ||
39 | + | ||
40 | /* we now have a packet which can be read and processed */ | ||
41 | |||
42 | if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, | ||
43 | @@ -1194,6 +1201,14 @@ int dtls1_read_bytes(SSL *s, int type, u | ||
44 | |||
45 | if (alert_level == SSL3_AL_WARNING) { | ||
46 | s->s3->warn_alert = alert_descr; | ||
47 | + | ||
48 | + s->cert->alert_count++; | ||
49 | + if (s->cert->alert_count == MAX_WARN_ALERT_COUNT) { | ||
50 | + al = SSL_AD_UNEXPECTED_MESSAGE; | ||
51 | + SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS); | ||
52 | + goto f_err; | ||
53 | + } | ||
54 | + | ||
55 | if (alert_descr == SSL_AD_CLOSE_NOTIFY) { | ||
56 | #ifndef OPENSSL_NO_SCTP | ||
57 | /* | ||
58 | Index: openssl-1.0.2h/ssl/s3_pkt.c | ||
59 | =================================================================== | ||
60 | --- openssl-1.0.2h.orig/ssl/s3_pkt.c | ||
61 | +++ openssl-1.0.2h/ssl/s3_pkt.c | ||
62 | @@ -1229,6 +1229,13 @@ int ssl3_read_bytes(SSL *s, int type, un | ||
63 | return (ret); | ||
64 | } | ||
65 | |||
66 | + /* | ||
67 | + * Reset the count of consecutive warning alerts if we've got a non-empty | ||
68 | + * record that isn't an alert. | ||
69 | + */ | ||
70 | + if (rr->type != SSL3_RT_ALERT && rr->length != 0) | ||
71 | + s->cert->alert_count = 0; | ||
72 | + | ||
73 | /* we now have a packet which can be read and processed */ | ||
74 | |||
75 | if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, | ||
76 | @@ -1443,6 +1450,14 @@ int ssl3_read_bytes(SSL *s, int type, un | ||
77 | |||
78 | if (alert_level == SSL3_AL_WARNING) { | ||
79 | s->s3->warn_alert = alert_descr; | ||
80 | + | ||
81 | + s->cert->alert_count++; | ||
82 | + if (s->cert->alert_count == MAX_WARN_ALERT_COUNT) { | ||
83 | + al = SSL_AD_UNEXPECTED_MESSAGE; | ||
84 | + SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS); | ||
85 | + goto f_err; | ||
86 | + } | ||
87 | + | ||
88 | if (alert_descr == SSL_AD_CLOSE_NOTIFY) { | ||
89 | s->shutdown |= SSL_RECEIVED_SHUTDOWN; | ||
90 | return (0); | ||
91 | Index: openssl-1.0.2h/ssl/ssl.h | ||
92 | =================================================================== | ||
93 | --- openssl-1.0.2h.orig/ssl/ssl.h | ||
94 | +++ openssl-1.0.2h/ssl/ssl.h | ||
95 | @@ -3115,6 +3115,7 @@ void ERR_load_SSL_strings(void); | ||
96 | # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157 | ||
97 | # define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233 | ||
98 | # define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234 | ||
99 | +# define SSL_R_TOO_MANY_WARN_ALERTS 409 | ||
100 | # define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235 | ||
101 | # define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236 | ||
102 | # define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS 313 | ||
103 | Index: openssl-1.0.2h/ssl/ssl_locl.h | ||
104 | =================================================================== | ||
105 | --- openssl-1.0.2h.orig/ssl/ssl_locl.h | ||
106 | +++ openssl-1.0.2h/ssl/ssl_locl.h | ||
107 | @@ -585,6 +585,8 @@ typedef struct { | ||
108 | */ | ||
109 | # define SSL_EXT_FLAG_SENT 0x2 | ||
110 | |||
111 | +# define MAX_WARN_ALERT_COUNT 5 | ||
112 | + | ||
113 | typedef struct { | ||
114 | custom_ext_method *meths; | ||
115 | size_t meths_count; | ||
116 | @@ -692,6 +694,8 @@ typedef struct cert_st { | ||
117 | unsigned char *alpn_proposed; /* server */ | ||
118 | unsigned int alpn_proposed_len; | ||
119 | int alpn_sent; /* client */ | ||
120 | + /* Count of the number of consecutive warning alerts received */ | ||
121 | + unsigned int alert_count; | ||
122 | } CERT; | ||
123 | |||
124 | typedef struct sess_cert_st { | ||
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb index 94a986775c..26bc6be2f4 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb | |||
@@ -50,6 +50,7 @@ SRC_URI += "file://configure-targets.patch \ | |||
50 | file://CVE-2016-6304.patch \ | 50 | file://CVE-2016-6304.patch \ |
51 | file://CVE-2016-6306.patch \ | 51 | file://CVE-2016-6306.patch \ |
52 | file://CVE-2016-2179.patch \ | 52 | file://CVE-2016-2179.patch \ |
53 | file://CVE-2016-8610.patch \ | ||
53 | " | 54 | " |
54 | 55 | ||
55 | SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0" | 56 | SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0" |