summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2016-03-04 07:55:02 (GMT)
committerTudor Florea <tudor.florea@enea.com>2016-03-04 09:26:41 (GMT)
commite15d15673f5faa4623657eabab351986f650d509 (patch)
treeb4b91f4a5661274446e0c5c0a5e03d8a5bc220f4
parentb313001a4762cce6eca3d57fcd7f4c0f59d5d4e0 (diff)
downloadpoky-e15d15673f5faa4623657eabab351986f650d509.tar.gz
SSL/TLS: CVE-2016-0800
Cross-protocol attack on TLS using SSLv2 (DROWN) Mitigation for CVE-2016-0800 References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0800 https://git.openssl.org/?p=openssl.git;a=patch;h=56f1acf5ef8a432992497a04792ff4b3b2c6f286 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch111
-rw-r--r--meta/recipes-connectivity/openssl/openssl_1.0.1p.bb1
2 files changed, 112 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch
new file mode 100644
index 0000000..3f75f36
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800.patch
@@ -0,0 +1,111 @@
1From 56f1acf5ef8a432992497a04792ff4b3b2c6f286 Mon Sep 17 00:00:00 2001
2From: Viktor Dukhovni <openssl-users@dukhovni.org>
3Date: Wed, 17 Feb 2016 21:37:15 -0500
4Disable SSLv2 default build, default negotiation and weak
5
6SSLv2 is by default disabled at build-time. Builds that are not
7configured with "enable-ssl2" will not support SSLv2. Even if
8"enable-ssl2" is used, users who want to negotiate SSLv2 via the
9version-flexible SSLv23_method() will need to explicitly call either
10of:
11
12 SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
13or
14 SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
15
16as appropriate. Even if either of those is used, or the application
17explicitly uses the version-specific SSLv2_method() or its client
18or server variants, SSLv2 ciphers vulnerable to exhaustive search
19key recovery have been removed. Specifically, the SSLv2 40-bit
20EXPORT ciphers, and SSLv2 56-bit DES are no longer available.
21
22Mitigation for CVE-2016-0800
23
24Upstream-Status: Backport
25[Removed CHANGES and NEWS from the original patch]
26
27Reviewed-by: Emilia Käsper <emilia@openssl.org>
28Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
29---
30diff -ruN a/Configure b/Configure
31--- a/Configure 2016-03-04 08:36:29.390151489 +0100
32+++ b/Configure 2016-03-04 08:37:24.731804074 +0100
33@@ -780,8 +780,9 @@
34 "md2" => "default",
35 "rc5" => "default",
36 "rfc3779" => "default",
37- "sctp" => "default",
38+ "sctp" => "default",
39 "shared" => "default",
40+ "ssl2" => "default",
41 "store" => "experimental",
42 "unit-test" => "default",
43 "zlib" => "default",
44diff -ruN a/ssl/s2_lib.c b/ssl/s2_lib.c
45--- a/ssl/s2_lib.c 2015-07-09 14:21:24.000000000 +0200
46+++ b/ssl/s2_lib.c 2016-03-04 08:37:24.731804074 +0100
47@@ -156,6 +156,7 @@
48 128,
49 },
50
51+# if 0
52 /* RC4_128_EXPORT40_WITH_MD5 */
53 {
54 1,
55@@ -171,6 +172,7 @@
56 40,
57 128,
58 },
59+# endif
60
61 /* RC2_128_CBC_WITH_MD5 */
62 {
63@@ -188,6 +190,7 @@
64 128,
65 },
66
67+# if 0
68 /* RC2_128_CBC_EXPORT40_WITH_MD5 */
69 {
70 1,
71@@ -203,6 +206,7 @@
72 40,
73 128,
74 },
75+# endif
76
77 # ifndef OPENSSL_NO_IDEA
78 /* IDEA_128_CBC_WITH_MD5 */
79@@ -222,6 +226,7 @@
80 },
81 # endif
82
83+# if 0
84 /* DES_64_CBC_WITH_MD5 */
85 {
86 1,
87@@ -237,6 +242,7 @@
88 56,
89 56,
90 },
91+# endif
92
93 /* DES_192_EDE3_CBC_WITH_MD5 */
94 {
95diff -ruN a/ssl/ssl_lib.c b/ssl/ssl_lib.c
96--- a/ssl/ssl_lib.c 2015-07-09 14:21:24.000000000 +0200
97+++ b/ssl/ssl_lib.c 2016-03-04 08:37:24.735803905 +0100
98@@ -1896,6 +1896,13 @@
99 */
100 ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
101
102+ /*
103+ * Disable SSLv2 by default, callers that want to enable SSLv2 will have to
104+ * explicitly clear this option via either of SSL_CTX_clear_options() or
105+ * SSL_clear_options().
106+ */
107+ ret->options |= SSL_OP_NO_SSLv2;
108+
109 return (ret);
110 err:
111 SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb
index 1d0242f..0fa3572 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb
@@ -36,6 +36,7 @@ SRC_URI += "file://configure-targets.patch \
36 file://run-ptest \ 36 file://run-ptest \
37 file://CVE-2015-3194-Add-PSS-parameter-check.patch \ 37 file://CVE-2015-3194-Add-PSS-parameter-check.patch \
38 file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \ 38 file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \
39 file://CVE-2016-0800.patch \
39 " 40 "
40 41
41SRC_URI[md5sum] = "7563e92327199e0067ccd0f79f436976" 42SRC_URI[md5sum] = "7563e92327199e0067ccd0f79f436976"