author | Armin Kuster <akuster808@gmail.com> | 2016-01-29 14:57:08 -0800 |
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-01-30 12:13:09 +0000 |
commit | 942ce53bebff0a9a57d42649a2a67a75b0ad4453 (patch) | |
tree | 156b3f0500da553067af7ae1b8a3c82e8c653b01 /meta/recipes-connectivity/openssl | |
parent | ce8ae1c164219f5855998b6c01a4f46092bdb35f (diff) | |
download | poky-942ce53bebff0a9a57d42649a2a67a75b0ad4453.tar.gz |
openssl: Security fix CVE-2016-0701
CVE-2016-0701 OpenSSL: DH small subgroups
(From OE-Core rev: c5868a7cd0a28c5800dfa4be1c9d98d3de08cd12)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/openssl')
3 files changed, 260 insertions, 0 deletions
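--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_1.patch
@@ -0,0 +1,102 @@
+From 878e2c5b13010329c203f309ed0c8f2113f85648 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Mon, 18 Jan 2016 11:31:58 +0000
+Subject: [PATCH] Prevent small subgroup attacks on DH/DHE
+
+Historically OpenSSL only ever generated DH parameters based on "safe"
+primes. More recently (in version 1.0.2) support was provided for
+generating X9.42 style parameter files such as those required for RFC
+5114 support. The primes used in such files may not be "safe". Where an
+application is using DH configured with parameters based on primes that
+are not "safe" then an attacker could use this fact to find a peer's
+private DH exponent. This attack requires that the attacker complete
+multiple handshakes in which the peer uses the same DH exponent.
+
+A simple mitigation is to ensure that y^q (mod p) == 1
+
+CVE-2016-0701 (fix part 1 of 2)
+
+Issue reported by Antonio Sanso.
+
+Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
+
+Upstream-Status: Backport
+
+https://github.com/openssl/openssl/commit/878e2c5b13010329c203f309ed0c8f2113f85648
+
+CVE: CVE-2016-0701
+Signed-of-by: Armin Kuster <akuster@mvisa.com>
+
+---
+crypto/dh/dh.h | 1 +
+crypto/dh/dh_check.c | 35 +++++++++++++++++++++++++----------
+2 files changed, 26 insertions(+), 10 deletions(-)
+
+diff --git a/crypto/dh/dh.h b/crypto/dh/dh.h
+index b177673..5498a9d 100644
+--- a/crypto/dh/dh.h
++++ b/crypto/dh/dh.h
+@@ -174,6 +174,7 @@ struct dh_st {
+/* DH_check_pub_key error codes */
+# define DH_CHECK_PUBKEY_TOO_SMALL 0x01
+# define DH_CHECK_PUBKEY_TOO_LARGE 0x02
++# define DH_CHECK_PUBKEY_INVALID 0x03
+
+/*
+* primes p where (p-1)/2 is prime too are called "safe"; we define this for
+diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
+index 347467c..5adedc0 100644
+--- a/crypto/dh/dh_check.c
++++ b/crypto/dh/dh_check.c
+@@ -151,23 +151,38 @@ int DH_check(const DH *dh, int *ret)
+int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
+{
+int ok = 0;
+- BIGNUM *q = NULL;
++ BIGNUM *tmp = NULL;
++ BN_CTX *ctx = NULL;
+
+*ret = 0;
+- q = BN_new();
+- if (q == NULL)
++ ctx = BN_CTX_new();
++ if (ctx == NULL)
+goto err;
+- BN_set_word(q, 1);
+- if (BN_cmp(pub_key, q) <= 0)
++ BN_CTX_start(ctx);
++ tmp = BN_CTX_get(ctx);
++ if (tmp == NULL)
++ goto err;
++ BN_set_word(tmp, 1);
++ if (BN_cmp(pub_key, tmp) <= 0)
+*ret |= DH_CHECK_PUBKEY_TOO_SMALL;
+- BN_copy(q, dh->p);
+- BN_sub_word(q, 1);
+- if (BN_cmp(pub_key, q) >= 0)
++ BN_copy(tmp, dh->p);
++ BN_sub_word(tmp, 1);
++ if (BN_cmp(pub_key, tmp) >= 0)
+*ret |= DH_CHECK_PUBKEY_TOO_LARGE;
+
++ if (dh->q != NULL) {
++ /* Check pub_key^q == 1 mod p */
++ if (!BN_mod_exp(tmp, pub_key, dh->q, dh->p, ctx))
++ goto err;
++ if (!BN_is_one(tmp))
++ *ret |= DH_CHECK_PUBKEY_INVALID;
++ }
++
+ok = 1;
+err:
+- if (q != NULL)
+- BN_free(q);
++ if (ctx != NULL) {
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++ }
+return (ok);
+}
+--
+2.3.5
+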
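Review bot: The sign-off trailer at line 28 of the new patch file is misspelled `Signed-of-by:`, so tooling that looks for a `Signed-off-by:` trailer in the patch header will not match it; the same misspelling is at line 21 of CVE-2016-0701_2.patch. Suggest `Signed-off-by: Armin Kuster <akuster@mvisa.com>` in both files. Separately, the backported `DH_check_pub_key` only performs the `pub_key^q == 1 mod p` test inside `if (dh->q != NULL)`, so parameter sets loaded without q get no subgroup check from this part alone; that matches upstream and is what the companion patch's always-regenerate change covers, but a sentence saying so in the patch header would stop a reader assuming part 1 is sufficient on its own.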
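--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_2.patch
@@ -0,0 +1,156 @@
+From c5b831f21d0d29d1e517d139d9d101763f60c9a2 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Thu, 17 Dec 2015 02:57:20 +0000
+Subject: [PATCH] Always generate DH keys for ephemeral DH cipher suites
+
+Modified version of the commit ffaef3f15 in the master branch by Stephen
+Henson. This makes the SSL_OP_SINGLE_DH_USE option a no-op and always
+generates a new DH key for every handshake regardless.
+
+CVE-2016-0701 (fix part 2 or 2)
+
+Issue reported by Antonio Sanso
+
+Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
+
+Upstream-Status: Backport
+
+https://github.com/openssl/openssl/commit/c5b831f21d0d29d1e517d139d9d101763f60c9a2
+
+CVE: CVE-2016-0701 #2
+Signed-of-by: Armin Kuster <akuster@mvisa.com>
+
+---
+doc/ssl/SSL_CTX_set_tmp_dh_callback.pod | 29 +++++------------------------
+ssl/s3_lib.c | 14 --------------
+ssl/s3_srvr.c | 17 +++-------------
+ssl/ssl.h | 2 +-
+4 files changed, 9 insertions(+), 53 deletions(-)
+
+Index: openssl-1.0.2d/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod
+===================================================================
+--- openssl-1.0.2d.orig/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod
++++ openssl-1.0.2d/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod
+@@ -48,25 +48,8 @@ even if he gets hold of the normal (cert
+only used for signing.
+
+In order to perform a DH key exchange the server must use a DH group
+-(DH parameters) and generate a DH key.
+-The server will always generate a new DH key during the negotiation
+-if either the DH parameters are supplied via callback or the
+-SSL_OP_SINGLE_DH_USE option of SSL_CTX_set_options(3) is set (or both).
+-It will immediately create a DH key if DH parameters are supplied via
+-SSL_CTX_set_tmp_dh() and SSL_OP_SINGLE_DH_USE is not set.
+-In this case,
+-it may happen that a key is generated on initialization without later
+-being needed, while on the other hand the computer time during the
+-negotiation is being saved.
+-
+-If "strong" primes were used to generate the DH parameters, it is not strictly
+-necessary to generate a new key for each handshake but it does improve forward
+-secrecy. If it is not assured that "strong" primes were used,
+-SSL_OP_SINGLE_DH_USE must be used in order to prevent small subgroup
+-attacks. Always using SSL_OP_SINGLE_DH_USE has an impact on the
+-computer time needed during negotiation, but it is not very large, so
+-application authors/users should consider always enabling this option.
+-The option is required to implement perfect forward secrecy (PFS).
++(DH parameters) and generate a DH key. The server will always generate
++a new DH key during the negotiation.
+
+As generating DH parameters is extremely time consuming, an application
+should not generate the parameters on the fly but supply the parameters.
+@@ -93,10 +76,9 @@ can supply the DH parameters via a callb
+Previous versions of the callback used B<is_export> and B<keylength>
+parameters to control parameter generation for export and non-export
+cipher suites. Modern servers that do not support export ciphersuites
+-are advised to either use SSL_CTX_set_tmp_dh() in combination with
+-SSL_OP_SINGLE_DH_USE, or alternatively, use the callback but ignore
+-B<keylength> and B<is_export> and simply supply at least 2048-bit
+-parameters in the callback.
++are advised to either use SSL_CTX_set_tmp_dh() or alternatively, use
++the callback but ignore B<keylength> and B<is_export> and simply
++supply at least 2048-bit parameters in the callback.
+
+=head1 EXAMPLES
+
+@@ -128,7 +110,6 @@ partly left out.)
+if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1) {
+/* Error. */
+}
+- SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
+...
+
+=head1 RETURN VALUES
+Index: openssl-1.0.2d/ssl/s3_lib.c
+===================================================================
+--- openssl-1.0.2d.orig/ssl/s3_lib.c
++++ openssl-1.0.2d/ssl/s3_lib.c
+@@ -3206,13 +3206,6 @@ long ssl3_ctrl(SSL *s, int cmd, long lar
+SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
+return (ret);
+}
+- if (!(s->options & SSL_OP_SINGLE_DH_USE)) {
+- if (!DH_generate_key(dh)) {
+- DH_free(dh);
+- SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
+- return (ret);
+- }
+- }
+if (s->cert->dh_tmp != NULL)
+DH_free(s->cert->dh_tmp);
+s->cert->dh_tmp = dh;
+@@ -3710,13 +3703,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd
+SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_DH_LIB);
+return 0;
+}
+- if (!(ctx->options & SSL_OP_SINGLE_DH_USE)) {
+- if (!DH_generate_key(new)) {
+- SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_DH_LIB);
+- DH_free(new);
+- return 0;
+- }
+- }
+if (cert->dh_tmp != NULL)
+DH_free(cert->dh_tmp);
+cert->dh_tmp = new;
+Index: openssl-1.0.2d/ssl/s3_srvr.c
+===================================================================
+--- openssl-1.0.2d.orig/ssl/s3_srvr.c
++++ openssl-1.0.2d/ssl/s3_srvr.c
+@@ -1684,20 +1684,9 @@ int ssl3_send_server_key_exchange(SSL *s
+}
+
+s->s3->tmp.dh = dh;
+- if ((dhp->pub_key == NULL ||
+- dhp->priv_key == NULL ||
+- (s->options & SSL_OP_SINGLE_DH_USE))) {
+- if (!DH_generate_key(dh)) {
+- SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
+- goto err;
+- }
+- } else {
+- dh->pub_key = BN_dup(dhp->pub_key);
+- dh->priv_key = BN_dup(dhp->priv_key);
+- if ((dh->pub_key == NULL) || (dh->priv_key == NULL)) {
+- SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
+- goto err;
+- }
++ if (!DH_generate_key(dh)) {
++ SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
++ goto err;
+}
+r[0] = dh->p;
+r[1] = dh->g;
+Index: openssl-1.0.2d/ssl/ssl.h
+===================================================================
+--- openssl-1.0.2d.orig/ssl/ssl.h
++++ openssl-1.0.2d/ssl/ssl.h
+@@ -625,7 +625,7 @@ struct ssl_session_st {
+# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
+/* If set, always create a new key when using tmp_ecdh parameters */
+# define SSL_OP_SINGLE_ECDH_USE 0x00080000L
+-/* If set, always create a new key when using tmp_dh parameters */
++/* Does nothing: retained for compatibility */
+# define SSL_OP_SINGLE_DH_USE 0x00100000L
+/* Does nothing: retained for compatibiity */
+# define SSL_OP_EPHEMERAL_RSA 0x0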
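--- a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
@@ -42,6 +42,8 @@ SRC_URI += "file://configure-targets.patch \
 file://0001-Add-test-for-CVE-2015-3194.patch \
 file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \
 file://CVE-2015-3197.patch \
+file://CVE-2016-0701_1.patch \
+file://CVE-2016-0701_2.patch \
 "
 
 SRC_URI[md5sum] = "38dd619b2e77cbac69b99f52a053d25a"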