summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2014-11-06 07:14:31 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2014-11-06 11:42:30 +0000
commitf4e20ca712587b9b85119f8355ac2b63ed148c81 (patch)
treecf0e2fe5cd4a6c86d4a70c7df96ca39604a388f4
parent98408832c222a0abc31c48cb2b514a16998b29bc (diff)
downloadpoky-f4e20ca712587b9b85119f8355ac2b63ed148c81.tar.gz
openssl: Fix for CVE-2014-3513
Fix for SRTP Memory Leak This patch is a backport from OpenSSL_1.0.1j. (From OE-Core rev: 6c19ca0d5aa6094aa2cfede821d63c008951cfb7) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-fix-CVE-2014-3513.patch211
-rw-r--r--meta/recipes-connectivity/openssl/openssl_1.0.1e.bb1
2 files changed, 212 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-fix-CVE-2014-3513.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-fix-CVE-2014-3513.patch
new file mode 100644
index 0000000000..a93bf23451
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-fix-CVE-2014-3513.patch
@@ -0,0 +1,211 @@
1From 2b0532f3984324ebe1236a63d15893792384328d Mon Sep 17 00:00:00 2001
2From: Matt Caswell <matt@openssl.org>
3Date: Wed, 15 Oct 2014 01:20:38 +0100
4Subject: [PATCH] Fix for SRTP Memory Leak
5
6CVE-2014-3513
7
8This issue was reported to OpenSSL on 26th September 2014, based on an origi
9issue and patch developed by the LibreSSL project. Further analysis of the i
10was performed by the OpenSSL team.
11
12The fix was developed by the OpenSSL team.
13
14Reviewed-by: Tim Hudson <tjh@openssl.org>
15Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com>
16---
17 ssl/d1_srtp.c | 93 +++++++++++++++++++--------------------------------------
18 ssl/t1_lib.c | 9 +++---
19 2 files changed, 36 insertions(+), 66 deletions(-)
20
21diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c
22index ab9c419..535539b 100644
23--- a/ssl/d1_srtp.c
24+++ b/ssl/d1_srtp.c
25@@ -168,25 +168,6 @@ static int find_profile_by_name(char *profile_name,
26 return 1;
27 }
28
29-static int find_profile_by_num(unsigned profile_num,
30- SRTP_PROTECTION_PROFILE **pptr)
31- {
32- SRTP_PROTECTION_PROFILE *p;
33-
34- p=srtp_known_profiles;
35- while(p->name)
36- {
37- if(p->id == profile_num)
38- {
39- *pptr=p;
40- return 0;
41- }
42- p++;
43- }
44-
45- return 1;
46- }
47-
48 static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTECTION_PROFILE) **out)
49 {
50 STACK_OF(SRTP_PROTECTION_PROFILE) *profiles;
51@@ -209,11 +190,19 @@ static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTE
52 if(!find_profile_by_name(ptr,&p,
53 col ? col-ptr : (int)strlen(ptr)))
54 {
55+ if (sk_SRTP_PROTECTION_PROFILE_find(profiles,p) >= 0)
56+ {
57+ SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
58+ sk_SRTP_PROTECTION_PROFILE_free(profiles);
59+ return 1;
60+ }
61+
62 sk_SRTP_PROTECTION_PROFILE_push(profiles,p);
63 }
64 else
65 {
66 SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
67+ sk_SRTP_PROTECTION_PROFILE_free(profiles);
68 return 1;
69 }
70
71@@ -305,13 +294,12 @@ int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int max
72
73 int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al)
74 {
75- SRTP_PROTECTION_PROFILE *cprof,*sprof;
76- STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0,*srvr;
77+ SRTP_PROTECTION_PROFILE *sprof;
78+ STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
79 int ct;
80 int mki_len;
81- int i,j;
82- int id;
83- int ret;
84+ int i, srtp_pref;
85+ unsigned int id;
86
87 /* Length value + the MKI length */
88 if(len < 3)
89@@ -341,22 +329,32 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al
90 return 1;
91 }
92
93+ srvr=SSL_get_srtp_profiles(s);
94+ s->srtp_profile = NULL;
95+ /* Search all profiles for a match initially */
96+ srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
97
98- clnt=sk_SRTP_PROTECTION_PROFILE_new_null();
99-
100 while(ct)
101 {
102 n2s(d,id);
103 ct-=2;
104 len-=2;
105
106- if(!find_profile_by_num(id,&cprof))
107+ /*
108+ * Only look for match in profiles of higher preference than
109+ * current match.
110+ * If no profiles have been have been configured then this
111+ * does nothing.
112+ */
113+ for (i = 0; i < srtp_pref; i++)
114 {
115- sk_SRTP_PROTECTION_PROFILE_push(clnt,cprof);
116- }
117- else
118- {
119- ; /* Ignore */
120+ sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
121+ if (sprof->id == id)
122+ {
123+ s->srtp_profile = sprof;
124+ srtp_pref = i;
125+ break;
126+ }
127 }
128 }
129
130@@ -371,36 +369,7 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al
131 return 1;
132 }
133
134- srvr=SSL_get_srtp_profiles(s);
135-
136- /* Pick our most preferred profile. If no profiles have been
137- configured then the outer loop doesn't run
138- (sk_SRTP_PROTECTION_PROFILE_num() = -1)
139- and so we just return without doing anything */
140- for(i=0;i<sk_SRTP_PROTECTION_PROFILE_num(srvr);i++)
141- {
142- sprof=sk_SRTP_PROTECTION_PROFILE_value(srvr,i);
143-
144- for(j=0;j<sk_SRTP_PROTECTION_PROFILE_num(clnt);j++)
145- {
146- cprof=sk_SRTP_PROTECTION_PROFILE_value(clnt,j);
147-
148- if(cprof->id==sprof->id)
149- {
150- s->srtp_profile=sprof;
151- *al=0;
152- ret=0;
153- goto done;
154- }
155- }
156- }
157-
158- ret=0;
159-
160-done:
161- if(clnt) sk_SRTP_PROTECTION_PROFILE_free(clnt);
162-
163- return ret;
164+ return 0;
165 }
166
167 int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
168diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
169index 022a4fb..12ee3c9 100644
170--- a/ssl/t1_lib.c
171+++ b/ssl/t1_lib.c
172@@ -643,7 +643,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
173 #endif
174
175 #ifndef OPENSSL_NO_SRTP
176- if(SSL_get_srtp_profiles(s))
177+ if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
178 {
179 int el;
180
181@@ -806,7 +806,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c
182 #endif
183
184 #ifndef OPENSSL_NO_SRTP
185- if(s->srtp_profile)
186+ if(SSL_IS_DTLS(s) && s->srtp_profile)
187 {
188 int el;
189
190@@ -1444,7 +1444,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
191
192 /* session ticket processed earlier */
193 #ifndef OPENSSL_NO_SRTP
194- else if (type == TLSEXT_TYPE_use_srtp)
195+ else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
196+ && type == TLSEXT_TYPE_use_srtp)
197 {
198 if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
199 al))
200@@ -1698,7 +1699,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
201 }
202 #endif
203 #ifndef OPENSSL_NO_SRTP
204- else if (type == TLSEXT_TYPE_use_srtp)
205+ else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
206 {
207 if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
208 al))
209--
2101.7.9.5
211
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
index 7623f0d985..82828226fa 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
@@ -45,6 +45,7 @@ SRC_URI += "file://configure-targets.patch \
45 file://openssl-1.0.1e-cve-2014-3470.patch \ 45 file://openssl-1.0.1e-cve-2014-3470.patch \
46 file://openssl-CVE-2010-5298.patch \ 46 file://openssl-CVE-2010-5298.patch \
47 file://openssl-fix-CVE-2014-3566.patch \ 47 file://openssl-fix-CVE-2014-3566.patch \
48 file://openssl-fix-CVE-2014-3513.patch \
48 " 49 "
49 50
50SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c" 51SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c"