diff options
author | Armin Kuster <akuster@mvista.com> | 2016-09-23 23:09:29 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-10-06 08:51:17 +0100 |
commit | dc61ec5f0c88101b4ec8ade012b3721b51eb0fcd (patch) | |
tree | a40cefd2c2a8ea1b012602e4f21f5b6a9f1172f1 /meta | |
parent | 766c5ced756e6aa75b7ce80dd1e9ca4605384c47 (diff) | |
download | poky-dc61ec5f0c88101b4ec8ade012b3721b51eb0fcd.tar.gz |
openssl: Security fix CVE-2016-2181
affects openssl < 1.0.1i
(From OE-Core rev: c3d4cc8e452b29d4ca620b5c93d22a88c5aa1f03)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
4 files changed, 363 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p1.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p1.patch new file mode 100644 index 0000000000..9149dbe04b --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p1.patch | |||
@@ -0,0 +1,91 @@ | |||
1 | From 20744f6b40b5ded059a848f66d6ba922f2a62eb3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Matt Caswell <matt@openssl.org> | ||
3 | Date: Tue, 5 Jul 2016 11:46:26 +0100 | ||
4 | Subject: [PATCH] Fix DTLS unprocessed records bug | ||
5 | |||
6 | During a DTLS handshake we may get records destined for the next epoch | ||
7 | arrive before we have processed the CCS. In that case we can't decrypt or | ||
8 | verify the record yet, so we buffer it for later use. When we do receive | ||
9 | the CCS we work through the queue of unprocessed records and process them. | ||
10 | |||
11 | Unfortunately the act of processing wipes out any existing packet data | ||
12 | that we were still working through. This includes any records from the new | ||
13 | epoch that were in the same packet as the CCS. We should only process the | ||
14 | buffered records if we've not got any data left. | ||
15 | |||
16 | Reviewed-by: Richard Levitte <levitte@openssl.org> | ||
17 | |||
18 | Upstream-Status: Backport | ||
19 | CVE: CVE-2016-2180 patch 1 | ||
20 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
21 | |||
22 | --- | ||
23 | ssl/d1_pkt.c | 23 +++++++++++++++++++++-- | ||
24 | 1 file changed, 21 insertions(+), 2 deletions(-) | ||
25 | |||
26 | diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c | ||
27 | index fe30ec7..1fb119d 100644 | ||
28 | --- a/ssl/d1_pkt.c | ||
29 | +++ b/ssl/d1_pkt.c | ||
30 | @@ -319,6 +319,7 @@ static int dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) | ||
31 | static int dtls1_process_buffered_records(SSL *s) | ||
32 | { | ||
33 | pitem *item; | ||
34 | + SSL3_BUFFER *rb; | ||
35 | |||
36 | item = pqueue_peek(s->d1->unprocessed_rcds.q); | ||
37 | if (item) { | ||
38 | @@ -326,6 +327,19 @@ static int dtls1_process_buffered_records(SSL *s) | ||
39 | if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch) | ||
40 | return (1); /* Nothing to do. */ | ||
41 | |||
42 | + rb = &s->s3->rbuf; | ||
43 | + | ||
44 | + if (rb->left > 0) { | ||
45 | + /* | ||
46 | + * We've still got data from the current packet to read. There could | ||
47 | + * be a record from the new epoch in it - so don't overwrite it | ||
48 | + * with the unprocessed records yet (we'll do it when we've | ||
49 | + * finished reading the current packet). | ||
50 | + */ | ||
51 | + return 1; | ||
52 | + } | ||
53 | + | ||
54 | + | ||
55 | /* Process all the records. */ | ||
56 | while (pqueue_peek(s->d1->unprocessed_rcds.q)) { | ||
57 | dtls1_get_unprocessed_record(s); | ||
58 | @@ -581,6 +595,7 @@ int dtls1_get_record(SSL *s) | ||
59 | |||
60 | rr = &(s->s3->rrec); | ||
61 | |||
62 | + again: | ||
63 | /* | ||
64 | * The epoch may have changed. If so, process all the pending records. | ||
65 | * This is a non-blocking operation. | ||
66 | @@ -593,7 +608,6 @@ int dtls1_get_record(SSL *s) | ||
67 | return 1; | ||
68 | |||
69 | /* get something from the wire */ | ||
70 | - again: | ||
71 | /* check if we have the header */ | ||
72 | if ((s->rstate != SSL_ST_READ_BODY) || | ||
73 | (s->packet_length < DTLS1_RT_HEADER_LENGTH)) { | ||
74 | @@ -1830,8 +1844,13 @@ static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, | ||
75 | if (rr->epoch == s->d1->r_epoch) | ||
76 | return &s->d1->bitmap; | ||
77 | |||
78 | - /* Only HM and ALERT messages can be from the next epoch */ | ||
79 | + /* | ||
80 | + * Only HM and ALERT messages can be from the next epoch and only if we | ||
81 | + * have already processed all of the unprocessed records from the last | ||
82 | + * epoch | ||
83 | + */ | ||
84 | else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) && | ||
85 | + s->d1->unprocessed_rcds.epoch != s->d1->r_epoch && | ||
86 | (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) { | ||
87 | *is_next_epoch = 1; | ||
88 | return &s->d1->next_bitmap; | ||
89 | -- | ||
90 | 2.7.4 | ||
91 | |||
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p2.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p2.patch new file mode 100644 index 0000000000..ecf138a1f7 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p2.patch | |||
@@ -0,0 +1,239 @@ | |||
1 | From 3884b47b7c255c2e94d9b387ee83c7e8bb981258 Mon Sep 17 00:00:00 2001 | ||
2 | From: Matt Caswell <matt@openssl.org> | ||
3 | Date: Tue, 5 Jul 2016 12:04:37 +0100 | ||
4 | Subject: [PATCH] Fix DTLS replay protection | ||
5 | |||
6 | The DTLS implementation provides some protection against replay attacks | ||
7 | in accordance with RFC6347 section 4.1.2.6. | ||
8 | |||
9 | A sliding "window" of valid record sequence numbers is maintained with | ||
10 | the "right" hand edge of the window set to the highest sequence number we | ||
11 | have received so far. Records that arrive that are off the "left" hand | ||
12 | edge of the window are rejected. Records within the window are checked | ||
13 | against a list of records received so far. If we already received it then | ||
14 | we also reject the new record. | ||
15 | |||
16 | If we have not already received the record, or the sequence number is off | ||
17 | the right hand edge of the window then we verify the MAC of the record. | ||
18 | If MAC verification fails then we discard the record. Otherwise we mark | ||
19 | the record as received. If the sequence number was off the right hand edge | ||
20 | of the window, then we slide the window along so that the right hand edge | ||
21 | is in line with the newly received sequence number. | ||
22 | |||
23 | Records may arrive for future epochs, i.e. a record from after a CCS being | ||
24 | sent, can arrive before the CCS does if the packets get re-ordered. As we | ||
25 | have not yet received the CCS we are not yet in a position to decrypt or | ||
26 | validate the MAC of those records. OpenSSL places those records on an | ||
27 | unprocessed records queue. It additionally updates the window immediately, | ||
28 | even though we have not yet verified the MAC. This will only occur if | ||
29 | currently in a handshake/renegotiation. | ||
30 | |||
31 | This could be exploited by an attacker by sending a record for the next | ||
32 | epoch (which does not have to decrypt or have a valid MAC), with a very | ||
33 | large sequence number. This means the right hand edge of the window is | ||
34 | moved very far to the right, and all subsequent legitimate packets are | ||
35 | dropped causing a denial of service. | ||
36 | |||
37 | A similar effect can be achieved during the initial handshake. In this | ||
38 | case there is no MAC key negotiated yet. Therefore an attacker can send a | ||
39 | message for the current epoch with a very large sequence number. The code | ||
40 | will process the record as normal. If the hanshake message sequence number | ||
41 | (as opposed to the record sequence number that we have been talking about | ||
42 | so far) is in the future then the injected message is bufferred to be | ||
43 | handled later, but the window is still updated. Therefore all subsequent | ||
44 | legitimate handshake records are dropped. This aspect is not considered a | ||
45 | security issue because there are many ways for an attacker to disrupt the | ||
46 | initial handshake and prevent it from completing successfully (e.g. | ||
47 | injection of a handshake message will cause the Finished MAC to fail and | ||
48 | the handshake to be aborted). This issue comes about as a result of trying | ||
49 | to do replay protection, but having no integrity mechanism in place yet. | ||
50 | Does it even make sense to have replay protection in epoch 0? That | ||
51 | issue isn't addressed here though. | ||
52 | |||
53 | This addressed an OCAP Audit issue. | ||
54 | |||
55 | CVE-2016-2181 | ||
56 | |||
57 | Upstream-Status: Backport | ||
58 | CVE: CVE-2016-2181 patch2 | ||
59 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
60 | |||
61 | |||
62 | Reviewed-by: Richard Levitte <levitte@openssl.org> | ||
63 | --- | ||
64 | ssl/d1_pkt.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++------------ | ||
65 | ssl/ssl.h | 1 + | ||
66 | ssl/ssl_err.c | 4 +++- | ||
67 | 3 files changed, 52 insertions(+), 13 deletions(-) | ||
68 | |||
69 | Index: openssl-1.0.2h/ssl/d1_pkt.c | ||
70 | =================================================================== | ||
71 | --- openssl-1.0.2h.orig/ssl/d1_pkt.c | ||
72 | +++ openssl-1.0.2h/ssl/d1_pkt.c | ||
73 | @@ -194,7 +194,7 @@ static int dtls1_record_needs_buffering( | ||
74 | #endif | ||
75 | static int dtls1_buffer_record(SSL *s, record_pqueue *q, | ||
76 | unsigned char *priority); | ||
77 | -static int dtls1_process_record(SSL *s); | ||
78 | +static int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap); | ||
79 | |||
80 | /* copy buffered record into SSL structure */ | ||
81 | static int dtls1_copy_record(SSL *s, pitem *item) | ||
82 | @@ -320,13 +320,18 @@ static int dtls1_process_buffered_record | ||
83 | { | ||
84 | pitem *item; | ||
85 | SSL3_BUFFER *rb; | ||
86 | + SSL3_RECORD *rr; | ||
87 | + DTLS1_BITMAP *bitmap; | ||
88 | + unsigned int is_next_epoch; | ||
89 | + int replayok = 1; | ||
90 | |||
91 | item = pqueue_peek(s->d1->unprocessed_rcds.q); | ||
92 | if (item) { | ||
93 | /* Check if epoch is current. */ | ||
94 | if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch) | ||
95 | - return (1); /* Nothing to do. */ | ||
96 | + return 1; /* Nothing to do. */ | ||
97 | |||
98 | + rr = &s->s3->rrec; | ||
99 | rb = &s->s3->rbuf; | ||
100 | |||
101 | if (rb->left > 0) { | ||
102 | @@ -343,11 +348,41 @@ static int dtls1_process_buffered_record | ||
103 | /* Process all the records. */ | ||
104 | while (pqueue_peek(s->d1->unprocessed_rcds.q)) { | ||
105 | dtls1_get_unprocessed_record(s); | ||
106 | - if (!dtls1_process_record(s)) | ||
107 | - return (0); | ||
108 | + bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); | ||
109 | + if (bitmap == NULL) { | ||
110 | + /* | ||
111 | + * Should not happen. This will only ever be NULL when the | ||
112 | + * current record is from a different epoch. But that cannot | ||
113 | + * be the case because we already checked the epoch above | ||
114 | + */ | ||
115 | + SSLerr(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS, | ||
116 | + ERR_R_INTERNAL_ERROR); | ||
117 | + return 0; | ||
118 | + } | ||
119 | +#ifndef OPENSSL_NO_SCTP | ||
120 | + /* Only do replay check if no SCTP bio */ | ||
121 | + if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) | ||
122 | +#endif | ||
123 | + { | ||
124 | + /* | ||
125 | + * Check whether this is a repeat, or aged record. We did this | ||
126 | + * check once already when we first received the record - but | ||
127 | + * we might have updated the window since then due to | ||
128 | + * records we subsequently processed. | ||
129 | + */ | ||
130 | + replayok = dtls1_record_replay_check(s, bitmap); | ||
131 | + } | ||
132 | + | ||
133 | + if (!replayok || !dtls1_process_record(s, bitmap)) { | ||
134 | + /* dump this record */ | ||
135 | + rr->length = 0; | ||
136 | + s->packet_length = 0; | ||
137 | + continue; | ||
138 | + } | ||
139 | + | ||
140 | if (dtls1_buffer_record(s, &(s->d1->processed_rcds), | ||
141 | s->s3->rrec.seq_num) < 0) | ||
142 | - return -1; | ||
143 | + return 0; | ||
144 | } | ||
145 | } | ||
146 | |||
147 | @@ -358,7 +393,7 @@ static int dtls1_process_buffered_record | ||
148 | s->d1->processed_rcds.epoch = s->d1->r_epoch; | ||
149 | s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1; | ||
150 | |||
151 | - return (1); | ||
152 | + return 1; | ||
153 | } | ||
154 | |||
155 | #if 0 | ||
156 | @@ -405,7 +440,7 @@ static int dtls1_get_buffered_record(SSL | ||
157 | |||
158 | #endif | ||
159 | |||
160 | -static int dtls1_process_record(SSL *s) | ||
161 | +static int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) | ||
162 | { | ||
163 | int i, al; | ||
164 | int enc_err; | ||
165 | @@ -565,6 +600,10 @@ static int dtls1_process_record(SSL *s) | ||
166 | |||
167 | /* we have pulled in a full packet so zero things */ | ||
168 | s->packet_length = 0; | ||
169 | + | ||
170 | + /* Mark receipt of record. */ | ||
171 | + dtls1_record_bitmap_update(s, bitmap); | ||
172 | + | ||
173 | return (1); | ||
174 | |||
175 | f_err: | ||
176 | @@ -600,7 +639,7 @@ int dtls1_get_record(SSL *s) | ||
177 | * The epoch may have changed. If so, process all the pending records. | ||
178 | * This is a non-blocking operation. | ||
179 | */ | ||
180 | - if (dtls1_process_buffered_records(s) < 0) | ||
181 | + if (!dtls1_process_buffered_records(s)) | ||
182 | return -1; | ||
183 | |||
184 | /* if we're renegotiating, then there may be buffered records */ | ||
185 | @@ -735,20 +774,17 @@ int dtls1_get_record(SSL *s) | ||
186 | if (dtls1_buffer_record | ||
187 | (s, &(s->d1->unprocessed_rcds), rr->seq_num) < 0) | ||
188 | return -1; | ||
189 | - /* Mark receipt of record. */ | ||
190 | - dtls1_record_bitmap_update(s, bitmap); | ||
191 | } | ||
192 | rr->length = 0; | ||
193 | s->packet_length = 0; | ||
194 | goto again; | ||
195 | } | ||
196 | |||
197 | - if (!dtls1_process_record(s)) { | ||
198 | + if (!dtls1_process_record(s, bitmap)) { | ||
199 | rr->length = 0; | ||
200 | s->packet_length = 0; /* dump this record */ | ||
201 | goto again; /* get another record */ | ||
202 | } | ||
203 | - dtls1_record_bitmap_update(s, bitmap); /* Mark receipt of record. */ | ||
204 | |||
205 | return (1); | ||
206 | |||
207 | Index: openssl-1.0.2h/ssl/ssl.h | ||
208 | =================================================================== | ||
209 | --- openssl-1.0.2h.orig/ssl/ssl.h | ||
210 | +++ openssl-1.0.2h/ssl/ssl.h | ||
211 | @@ -2623,6 +2623,7 @@ void ERR_load_SSL_strings(void); | ||
212 | # define SSL_F_DTLS1_HEARTBEAT 305 | ||
213 | # define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255 | ||
214 | # define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288 | ||
215 | +# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS 404 | ||
216 | # define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256 | ||
217 | # define SSL_F_DTLS1_PROCESS_RECORD 257 | ||
218 | # define SSL_F_DTLS1_READ_BYTES 258 | ||
219 | Index: openssl-1.0.2h/ssl/ssl_err.c | ||
220 | =================================================================== | ||
221 | --- openssl-1.0.2h.orig/ssl/ssl_err.c | ||
222 | +++ openssl-1.0.2h/ssl/ssl_err.c | ||
223 | @@ -1,6 +1,6 @@ | ||
224 | /* ssl/ssl_err.c */ | ||
225 | /* ==================================================================== | ||
226 | - * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved. | ||
227 | + * Copyright (c) 1999-2016 The OpenSSL Project. All rights reserved. | ||
228 | * | ||
229 | * Redistribution and use in source and binary forms, with or without | ||
230 | * modification, are permitted provided that the following conditions | ||
231 | @@ -93,6 +93,8 @@ static ERR_STRING_DATA SSL_str_functs[] | ||
232 | {ERR_FUNC(SSL_F_DTLS1_HEARTBEAT), "dtls1_heartbeat"}, | ||
233 | {ERR_FUNC(SSL_F_DTLS1_OUTPUT_CERT_CHAIN), "dtls1_output_cert_chain"}, | ||
234 | {ERR_FUNC(SSL_F_DTLS1_PREPROCESS_FRAGMENT), "DTLS1_PREPROCESS_FRAGMENT"}, | ||
235 | + {ERR_FUNC(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS), | ||
236 | + "DTLS1_PROCESS_BUFFERED_RECORDS"}, | ||
237 | {ERR_FUNC(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE), | ||
238 | "DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE"}, | ||
239 | {ERR_FUNC(SSL_F_DTLS1_PROCESS_RECORD), "DTLS1_PROCESS_RECORD"}, | ||
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p3.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p3.patch new file mode 100644 index 0000000000..a752f89ff0 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p3.patch | |||
@@ -0,0 +1,30 @@ | |||
1 | From 26aebca74e38ae09f673c2045cc8e2ef762d265a Mon Sep 17 00:00:00 2001 | ||
2 | From: Matt Caswell <matt@openssl.org> | ||
3 | Date: Wed, 17 Aug 2016 17:55:36 +0100 | ||
4 | Subject: [PATCH] Update function error code | ||
5 | |||
6 | A function error code needed updating due to merge issues. | ||
7 | |||
8 | Reviewed-by: Richard Levitte <levitte@openssl.org> | ||
9 | |||
10 | Upstream-Status: Backport | ||
11 | CVE: CVE-2016-2181 patch 3 | ||
12 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
13 | |||
14 | --- | ||
15 | ssl/ssl.h | 2 +- | ||
16 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
17 | |||
18 | Index: openssl-1.0.2h/ssl/ssl.h | ||
19 | =================================================================== | ||
20 | --- openssl-1.0.2h.orig/ssl/ssl.h | ||
21 | +++ openssl-1.0.2h/ssl/ssl.h | ||
22 | @@ -2623,7 +2623,7 @@ void ERR_load_SSL_strings(void); | ||
23 | # define SSL_F_DTLS1_HEARTBEAT 305 | ||
24 | # define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255 | ||
25 | # define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288 | ||
26 | -# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS 404 | ||
27 | +# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS 424 | ||
28 | # define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256 | ||
29 | # define SSL_F_DTLS1_PROCESS_RECORD 257 | ||
30 | # define SSL_F_DTLS1_READ_BYTES 258 | ||
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb index 764f1a2858..d97b771748 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb | |||
@@ -41,6 +41,9 @@ SRC_URI += "file://configure-targets.patch \ | |||
41 | file://CVE-2016-2177.patch \ | 41 | file://CVE-2016-2177.patch \ |
42 | file://CVE-2016-2178.patch \ | 42 | file://CVE-2016-2178.patch \ |
43 | file://CVE-2016-2180.patch \ | 43 | file://CVE-2016-2180.patch \ |
44 | file://CVE-2016-2181_p1.patch \ | ||
45 | file://CVE-2016-2181_p2.patch \ | ||
46 | file://CVE-2016-2181_p3.patch \ | ||
44 | " | 47 | " |
45 | 48 | ||
46 | SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0" | 49 | SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0" |