openssl: Security fix CVE-2015-3197

CVE-2015-3197 OpenSSL: SSLv2 doesn't block disabled ciphers (From OE-Core rev: b387d9b8dff8e2c572ca14f9628ab8298347fd4f) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster808@gmail.com> 2016-01-29 14:57:07 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-01-30 12:13:09 +0000
commit: ce8ae1c164219f5855998b6c01a4f46092bdb35f (patch)
tree: 2c35cfa994e572c3c6b48f5939b086d5739a1cbd /meta/recipes-connectivity
parent: 080e027d141247e98e28ccae8563682f73516db0 (diff)
download: poky-ce8ae1c164219f5855998b6c01a4f46092bdb35f.tar.gz
2 files changed, 64 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch
new file mode 100644
index 0000000000..dd288c93fb
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch
@@ -0,0 +1,63 @@
+From d81a1600588b726c2bdccda7efad3cc7a87d6245 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <openssl-users@dukhovni.org>
+Date: Wed, 30 Dec 2015 22:44:51 -0500
+Subject: [PATCH] Better SSLv2 cipher-suite enforcement
+Based on patch by: Nimrod Aviram <nimrod.aviram@gmail.com>
+CVE-2015-3197
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Upstream-Status: Backport
+https://github.com/openssl/openssl/commit/d81a1600588b726c2bdccda7efad3cc7a87d6245
+CVE: CVE-2015-3197
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ssl/s2_srvr.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+Index: openssl-1.0.2d/ssl/s2_srvr.c
+===================================================================
+--- openssl-1.0.2d.orig/ssl/s2_srvr.c
+++ openssl-1.0.2d/ssl/s2_srvr.c
+@@ -402,7 +402,7 @@ static int get_client_master_key(SSL *s)
+         }
+ 
+         cp = ssl2_get_cipher_by_char(p);
+-        if (cp == NULL) {
+        if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0) {
+             ssl2_return_error(s, SSL2_PE_NO_CIPHER);
+             SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
+             return (-1);
+@@ -687,8 +687,12 @@ static int get_client_hello(SSL *s)
+             prio = cs;
+             allow = cl;
+         }
+
+        /* Generate list of SSLv2 ciphers shared between client and server */
+         for (z = 0; z < sk_SSL_CIPHER_num(prio); z++) {
+-            if (sk_SSL_CIPHER_find(allow, sk_SSL_CIPHER_value(prio, z)) < 0) {
+            const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z);
+            if ((cp->algorithm_ssl & SSL_SSLV2) == 0 ||
+                sk_SSL_CIPHER_find(allow, cp) < 0) {
+                 (void)sk_SSL_CIPHER_delete(prio, z);
+                 z--;
+             }
+@@ -697,6 +701,13 @@ static int get_client_hello(SSL *s)
+             sk_SSL_CIPHER_free(s->session->ciphers);
+             s->session->ciphers = prio;
+         }
+
+        /* Make sure we have at least one cipher in common */
+        if (sk_SSL_CIPHER_num(s->session->ciphers) == 0) {
+            ssl2_return_error(s, SSL2_PE_NO_CIPHER);
+            SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH);
+            return -1;
+        }
+         /*
+          * s->session->ciphers should now have a list of ciphers that are on
+          * both the client and server. This list is ordered by the order the
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
index 60d5676126..07bdf4b3b9 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
@@ -41,6 +41,7 @@ SRC_URI += "file://configure-targets.patch \
            file://CVE-2015-3194-1-Add-PSS-parameter-check.patch \
            file://0001-Add-test-for-CVE-2015-3194.patch \
            file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \
+            file://CVE-2015-3197.patch \
           "
 SRC_URI[md5sum] = "38dd619b2e77cbac69b99f52a053d25a"
author	Armin Kuster <akuster808@gmail.com>	2016-01-29 14:57:07 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-01-30 12:13:09 +0000
commit	ce8ae1c164219f5855998b6c01a4f46092bdb35f (patch)
tree	2c35cfa994e572c3c6b48f5939b086d5739a1cbd /meta/recipes-connectivity
parent	080e027d141247e98e28ccae8563682f73516db0 (diff)
download	poky-ce8ae1c164219f5855998b6c01a4f46092bdb35f.tar.gz

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch new file mode 100644 index 0000000000..dd288c93fb --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch
@@ -0,0 +1,63 @@
		1	From d81a1600588b726c2bdccda7efad3cc7a87d6245 Mon Sep 17 00:00:00 2001
		2	From: Viktor Dukhovni <openssl-users@dukhovni.org>
		3	Date: Wed, 30 Dec 2015 22:44:51 -0500
		4	Subject: [PATCH] Better SSLv2 cipher-suite enforcement
		5
		6	Based on patch by: Nimrod Aviram <nimrod.aviram@gmail.com>
		7
		8	CVE-2015-3197
		9
		10	Reviewed-by: Tim Hudson <tjh@openssl.org>
		11	Reviewed-by: Richard Levitte <levitte@openssl.org>
		12
		13	Upstream-Status: Backport
		14	https://github.com/openssl/openssl/commit/d81a1600588b726c2bdccda7efad3cc7a87d6245
		15
		16	CVE: CVE-2015-3197
		17	Signed-off-by: Armin Kuster <akuster@mvista.com>
		18
		19	---
		20	ssl/s2_srvr.c \| 15 +++++++++++++--
		21	1 file changed, 13 insertions(+), 2 deletions(-)
		22
		23	Index: openssl-1.0.2d/ssl/s2_srvr.c
		24	===================================================================
		25	--- openssl-1.0.2d.orig/ssl/s2_srvr.c
		26	+++ openssl-1.0.2d/ssl/s2_srvr.c
		27	@@ -402,7 +402,7 @@ static int get_client_master_key(SSL *s)
		28	}
		29
		30	cp = ssl2_get_cipher_by_char(p);
		31	- if (cp == NULL) {
		32	+ if (cp == NULL \|\| sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0) {
		33	ssl2_return_error(s, SSL2_PE_NO_CIPHER);
		34	SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
		35	return (-1);
		36	@@ -687,8 +687,12 @@ static int get_client_hello(SSL *s)
		37	prio = cs;
		38	allow = cl;
		39	}
		40	+
		41	+ /* Generate list of SSLv2 ciphers shared between client and server */
		42	for (z = 0; z < sk_SSL_CIPHER_num(prio); z++) {
		43	- if (sk_SSL_CIPHER_find(allow, sk_SSL_CIPHER_value(prio, z)) < 0) {
		44	+ const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z);
		45	+ if ((cp->algorithm_ssl & SSL_SSLV2) == 0 \|\|
		46	+ sk_SSL_CIPHER_find(allow, cp) < 0) {
		47	(void)sk_SSL_CIPHER_delete(prio, z);
		48	z--;
		49	}
		50	@@ -697,6 +701,13 @@ static int get_client_hello(SSL *s)
		51	sk_SSL_CIPHER_free(s->session->ciphers);
		52	s->session->ciphers = prio;
		53	}
		54	+
		55	+ /* Make sure we have at least one cipher in common */
		56	+ if (sk_SSL_CIPHER_num(s->session->ciphers) == 0) {
		57	+ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
		58	+ SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH);
		59	+ return -1;
		60	+ }
		61	/*
		62	* s->session->ciphers should now have a list of ciphers that are on
		63	* both the client and server. This list is ordered by the order the


diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb index 60d5676126..07bdf4b3b9 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
@@ -41,6 +41,7 @@ SRC_URI += "file://configure-targets.patch \
41	file://CVE-2015-3194-1-Add-PSS-parameter-check.patch \	41	file://CVE-2015-3194-1-Add-PSS-parameter-check.patch \
42	file://0001-Add-test-for-CVE-2015-3194.patch \	42	file://0001-Add-test-for-CVE-2015-3194.patch \
43	file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \	43	file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \
		44	file://CVE-2015-3197.patch \
44	"	45	"
45		46
46	SRC_URI[md5sum] = "38dd619b2e77cbac69b99f52a053d25a"	47	SRC_URI[md5sum] = "38dd619b2e77cbac69b99f52a053d25a"