openssl: fix CVE-2014-0224

http://www.openssl.org/news/secadv_20140605.txt SSL/TLS MITM vulnerability (CVE-2014-0224) An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution. (Patch borrowed from Fedora.) (From OE-Core rev: f19dbbc864b12b0f87248d3199296b41a0dcd5b0) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Paul Eggleton <paul.eggleton@linux.intel.com> 2014-06-09 16:53:46 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-06-10 17:12:24 +0100
commit: 0ea0a14bd934964fa84a2d655d94ea227ed1981d (patch)
tree: 4d6282e426260a092016fbefcdc2c524aca8e7b7 /meta
parent: bd1a6f3d567e300e53301d1362b8c191ed927266 (diff)
download: poky-0ea0a14bd934964fa84a2d655d94ea227ed1981d.tar.gz
2 files changed, 104 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0224.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0224.patch
new file mode 100644
index 0000000000..0ed1d12551
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0224.patch
@@ -0,0 +1,103 @@
+Fix for CVE-2014-0224
+Only accept change cipher spec when it is expected instead of at any
+time. This prevents premature setting of session keys before the master
+secret is determined which an attacker could use as a MITM attack.
+Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
+and providing the initial fix this patch is based on.
+Patch borrowed from Fedora
+Upstream-Status: Backport
+Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
+diff -up openssl-1.0.1e/ssl/ssl3.h.keying-mitm openssl-1.0.1e/ssl/ssl3.h
+--- openssl-1.0.1e/ssl/ssl3.h.keying-mitm       2014-06-02 19:48:04.518100562 +0200
+++ openssl-1.0.1e/ssl/ssl3.h   2014-06-02 19:48:04.642103429 +0200
+@@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st
+ #define TLS1_FLAGS_TLS_PADDING_BUG             0x0008
+ #define TLS1_FLAGS_SKIP_CERT_VERIFY            0x0010
+ #define TLS1_FLAGS_KEEP_HANDSHAKE              0x0020
+#define SSL3_FLAGS_CCS_OK                      0x0080
+  
+ /* SSL3_FLAGS_SGC_RESTART_DONE is set when we
+  * restart a handshake because of MS SGC and so prevents us
+diff -up openssl-1.0.1e/ssl/s3_clnt.c.keying-mitm openssl-1.0.1e/ssl/s3_clnt.c
+--- openssl-1.0.1e/ssl/s3_clnt.c.keying-mitm    2013-02-11 16:26:04.000000000 +0100
+++ openssl-1.0.1e/ssl/s3_clnt.c        2014-06-02 19:49:57.042701985 +0200
+@@ -559,6 +559,7 @@ int ssl3_connect(SSL *s)
+                case SSL3_ST_CR_FINISHED_A:
+                case SSL3_ST_CR_FINISHED_B:
+ 
+                       s->s3->flags |= SSL3_FLAGS_CCS_OK;
+                        ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
+                                SSL3_ST_CR_FINISHED_B);
+                        if (ret <= 0) goto end;
+@@ -916,6 +917,7 @@ int ssl3_get_server_hello(SSL *s)
+                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
+                goto f_err;
+                }
+           s->s3->flags |= SSL3_FLAGS_CCS_OK;
+            s->hit=1;
+            }
+        else    /* a miss or crap from the other end */
+diff -up openssl-1.0.1e/ssl/s3_pkt.c.keying-mitm openssl-1.0.1e/ssl/s3_pkt.c
+--- openssl-1.0.1e/ssl/s3_pkt.c.keying-mitm     2014-06-02 19:48:04.640103383 +0200
+++ openssl-1.0.1e/ssl/s3_pkt.c 2014-06-02 19:48:04.643103452 +0200
+@@ -1298,6 +1298,15 @@ start:
+                        goto f_err;
+                        }
+ 
+               if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))
+                       {
+                       al=SSL_AD_UNEXPECTED_MESSAGE;
+                       SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
+                       goto f_err;
+                       }
+
+               s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
+
+                rr->length=0;
+ 
+                if (s->msg_callback)
+@@ -1432,7 +1441,7 @@ int ssl3_do_change_cipher_spec(SSL *s)
+ 
+        if (s->s3->tmp.key_block == NULL)
+                {
+-               if (s->session == NULL) 
+               if (s->session == NULL || s->session->master_key_length == 0)
+                        {
+                        /* might happen if dtls1_read_bytes() calls this */
+                        SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
+diff -up openssl-1.0.1e/ssl/s3_srvr.c.keying-mitm openssl-1.0.1e/ssl/s3_srvr.c
+--- openssl-1.0.1e/ssl/s3_srvr.c.keying-mitm    2014-06-02 19:48:04.630103151 +0200
+++ openssl-1.0.1e/ssl/s3_srvr.c        2014-06-02 19:48:04.643103452 +0200
+@@ -673,6 +673,7 @@ int ssl3_accept(SSL *s)
+                case SSL3_ST_SR_CERT_VRFY_A:
+                case SSL3_ST_SR_CERT_VRFY_B:
+ 
+                       s->s3->flags |= SSL3_FLAGS_CCS_OK;
+                        /* we should decide if we expected this one */
+                        ret=ssl3_get_cert_verify(s);
+                        if (ret <= 0) goto end;
+@@ -700,6 +701,7 @@ int ssl3_accept(SSL *s)
+ 
+                case SSL3_ST_SR_FINISHED_A:
+                case SSL3_ST_SR_FINISHED_B:
+                       s->s3->flags |= SSL3_FLAGS_CCS_OK;
+                        ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
+                                SSL3_ST_SR_FINISHED_B);
+                        if (ret <= 0) goto end;
+@@ -770,7 +772,10 @@ int ssl3_accept(SSL *s)
+                                s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
+ #else
+                                if (s->s3->next_proto_neg_seen)
+                                       {
+                                       s->s3->flags |= SSL3_FLAGS_CCS_OK;
+                                        s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A;
+                                       }
+                                else
+                                        s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
+ #endif
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
index dc77330df8..fae0b93f37 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
@@ -41,6 +41,7 @@ SRC_URI += "file://configure-targets.patch \
            file://openssl-1.0.1e-cve-2014-0195.patch \
            file://openssl-1.0.1e-cve-2014-0198.patch \
            file://openssl-1.0.1e-cve-2014-0221.patch \
+            file://openssl-1.0.1e-cve-2014-0224.patch \
           "
 SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c"
author	Paul Eggleton <paul.eggleton@linux.intel.com>	2014-06-09 16:53:46 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-06-10 17:12:24 +0100
commit	0ea0a14bd934964fa84a2d655d94ea227ed1981d (patch)
tree	4d6282e426260a092016fbefcdc2c524aca8e7b7 /meta
parent	bd1a6f3d567e300e53301d1362b8c191ed927266 (diff)
download	poky-0ea0a14bd934964fa84a2d655d94ea227ed1981d.tar.gz

diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0224.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0224.patch new file mode 100644 index 0000000000..0ed1d12551 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0224.patch
@@ -0,0 +1,103 @@
		1	Fix for CVE-2014-0224
		2
		3	Only accept change cipher spec when it is expected instead of at any
		4	time. This prevents premature setting of session keys before the master
		5	secret is determined which an attacker could use as a MITM attack.
		6
		7	Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
		8	and providing the initial fix this patch is based on.
		9
		10
		11	Patch borrowed from Fedora
		12	Upstream-Status: Backport
		13	Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
		14
		15
		16	diff -up openssl-1.0.1e/ssl/ssl3.h.keying-mitm openssl-1.0.1e/ssl/ssl3.h
		17	--- openssl-1.0.1e/ssl/ssl3.h.keying-mitm 2014-06-02 19:48:04.518100562 +0200
		18	+++ openssl-1.0.1e/ssl/ssl3.h 2014-06-02 19:48:04.642103429 +0200
		19	@@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st
		20	#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
		21	#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
		22	#define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020
		23	+#define SSL3_FLAGS_CCS_OK 0x0080
		24
		25	/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
		26	* restart a handshake because of MS SGC and so prevents us
		27	diff -up openssl-1.0.1e/ssl/s3_clnt.c.keying-mitm openssl-1.0.1e/ssl/s3_clnt.c
		28	--- openssl-1.0.1e/ssl/s3_clnt.c.keying-mitm 2013-02-11 16:26:04.000000000 +0100
		29	+++ openssl-1.0.1e/ssl/s3_clnt.c 2014-06-02 19:49:57.042701985 +0200
		30	@@ -559,6 +559,7 @@ int ssl3_connect(SSL *s)
		31	case SSL3_ST_CR_FINISHED_A:
		32	case SSL3_ST_CR_FINISHED_B:
		33
		34	+ s->s3->flags \|= SSL3_FLAGS_CCS_OK;
		35	ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
		36	SSL3_ST_CR_FINISHED_B);
		37	if (ret <= 0) goto end;
		38	@@ -916,6 +917,7 @@ int ssl3_get_server_hello(SSL *s)
		39	SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
		40	goto f_err;
		41	}
		42	+ s->s3->flags \|= SSL3_FLAGS_CCS_OK;
		43	s->hit=1;
		44	}
		45	else /* a miss or crap from the other end */
		46	diff -up openssl-1.0.1e/ssl/s3_pkt.c.keying-mitm openssl-1.0.1e/ssl/s3_pkt.c
		47	--- openssl-1.0.1e/ssl/s3_pkt.c.keying-mitm 2014-06-02 19:48:04.640103383 +0200
		48	+++ openssl-1.0.1e/ssl/s3_pkt.c 2014-06-02 19:48:04.643103452 +0200
		49	@@ -1298,6 +1298,15 @@ start:
		50	goto f_err;
		51	}
		52
		53	+ if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))
		54	+ {
		55	+ al=SSL_AD_UNEXPECTED_MESSAGE;
		56	+ SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
		57	+ goto f_err;
		58	+ }
		59	+
		60	+ s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
		61	+
		62	rr->length=0;
		63
		64	if (s->msg_callback)
		65	@@ -1432,7 +1441,7 @@ int ssl3_do_change_cipher_spec(SSL *s)
		66
		67	if (s->s3->tmp.key_block == NULL)
		68	{
		69	- if (s->session == NULL)
		70	+ if (s->session == NULL \|\| s->session->master_key_length == 0)
		71	{
		72	/* might happen if dtls1_read_bytes() calls this */
		73	SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
		74	diff -up openssl-1.0.1e/ssl/s3_srvr.c.keying-mitm openssl-1.0.1e/ssl/s3_srvr.c
		75	--- openssl-1.0.1e/ssl/s3_srvr.c.keying-mitm 2014-06-02 19:48:04.630103151 +0200
		76	+++ openssl-1.0.1e/ssl/s3_srvr.c 2014-06-02 19:48:04.643103452 +0200
		77	@@ -673,6 +673,7 @@ int ssl3_accept(SSL *s)
		78	case SSL3_ST_SR_CERT_VRFY_A:
		79	case SSL3_ST_SR_CERT_VRFY_B:
		80
		81	+ s->s3->flags \|= SSL3_FLAGS_CCS_OK;
		82	/* we should decide if we expected this one */
		83	ret=ssl3_get_cert_verify(s);
		84	if (ret <= 0) goto end;
		85	@@ -700,6 +701,7 @@ int ssl3_accept(SSL *s)
		86
		87	case SSL3_ST_SR_FINISHED_A:
		88	case SSL3_ST_SR_FINISHED_B:
		89	+ s->s3->flags \|= SSL3_FLAGS_CCS_OK;
		90	ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
		91	SSL3_ST_SR_FINISHED_B);
		92	if (ret <= 0) goto end;
		93	@@ -770,7 +772,10 @@ int ssl3_accept(SSL *s)
		94	s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
		95	#else
		96	if (s->s3->next_proto_neg_seen)
		97	+ {
		98	+ s->s3->flags \|= SSL3_FLAGS_CCS_OK;
		99	s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A;
		100	+ }
		101	else
		102	s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
		103	#endif


diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb index dc77330df8..fae0b93f37 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
@@ -41,6 +41,7 @@ SRC_URI += "file://configure-targets.patch \
41	file://openssl-1.0.1e-cve-2014-0195.patch \	41	file://openssl-1.0.1e-cve-2014-0195.patch \
42	file://openssl-1.0.1e-cve-2014-0198.patch \	42	file://openssl-1.0.1e-cve-2014-0198.patch \
43	file://openssl-1.0.1e-cve-2014-0221.patch \	43	file://openssl-1.0.1e-cve-2014-0221.patch \
		44	file://openssl-1.0.1e-cve-2014-0224.patch \
44	"	45	"
45		46
46	SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c"	47	SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c"