2 files changed, 211 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3513.patch b/meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3513.patch
new file mode 100644
index 0000000000..1415d562b0
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3513.patch
@@ -0,0 +1,210 @@
+From 2b0532f3984324ebe1236a63d15893792384328d Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Wed, 15 Oct 2014 01:20:38 +0100
+Subject: [PATCH] Fix for SRTP Memory Leak
+CVE-2014-3513
+This issue was reported to OpenSSL on 26th September 2014, based on an origi
+issue and patch developed by the LibreSSL project. Further analysis of the i
+was performed by the OpenSSL team.
+The fix was developed by the OpenSSL team.
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+---
+ ssl/d1_srtp.c |   93 +++++++++++++++++++--------------------------------------
+ ssl/t1_lib.c  |    9 +++---
+ 2 files changed, 36 insertions(+), 66 deletions(-)
+diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c
+index ab9c419..535539b 100644
+--- a/ssl/d1_srtp.c
+++ b/ssl/d1_srtp.c
+@@ -168,25 +168,6 @@ static int find_profile_by_name(char *profile_name,
+        return 1;
+        }
+ 
+-static int find_profile_by_num(unsigned profile_num,
+-                              SRTP_PROTECTION_PROFILE **pptr)
+-       {
+-       SRTP_PROTECTION_PROFILE *p;
+-
+-       p=srtp_known_profiles;
+-       while(p->name)
+-               {
+-               if(p->id == profile_num)
+-                       {
+-                       *pptr=p;
+-                       return 0;
+-                       }
+-               p++;
+-               }
+-
+-       return 1;
+-       }
+-
+ static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTECTION_PROFILE) **out)
+        {
+        STACK_OF(SRTP_PROTECTION_PROFILE) *profiles;
+@@ -209,11 +190,19 @@ static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTE
+                if(!find_profile_by_name(ptr,&p,
+                                         col ? col-ptr : (int)strlen(ptr)))
+                        {
+                       if (sk_SRTP_PROTECTION_PROFILE_find(profiles,p) >= 0)
+                               {
+                               SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
+                               sk_SRTP_PROTECTION_PROFILE_free(profiles);
+                               return 1;
+                               }
+
+                        sk_SRTP_PROTECTION_PROFILE_push(profiles,p);
+                        }
+                else
+                        {
+                        SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
+                       sk_SRTP_PROTECTION_PROFILE_free(profiles);
+                        return 1;
+                        }
+ 
+@@ -305,13 +294,12 @@ int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int max
+ 
+ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al)
+        {
+-       SRTP_PROTECTION_PROFILE *cprof,*sprof;
+-       STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0,*srvr;
+       SRTP_PROTECTION_PROFILE *sprof;
+       STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
+         int ct;
+         int mki_len;
+-       int i,j;
+-       int id;
+-       int ret;
+       int i, srtp_pref;
+       unsigned int id;
+ 
+          /* Length value + the MKI length */
+         if(len < 3)
+@@ -341,22 +329,32 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al
+                return 1;
+                }
+ 
+       srvr=SSL_get_srtp_profiles(s);
+       s->srtp_profile = NULL;
+       /* Search all profiles for a match initially */
+       srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
+         
+-       clnt=sk_SRTP_PROTECTION_PROFILE_new_null();
+-
+        while(ct)
+                {
+                n2s(d,id);
+                ct-=2;
+                 len-=2;
+ 
+-               if(!find_profile_by_num(id,&cprof))
+               /*
+                * Only look for match in profiles of higher preference than
+                * current match.
+                * If no profiles have been have been configured then this
+                * does nothing.
+                */
+               for (i = 0; i < srtp_pref; i++)
+                        {
+-                       sk_SRTP_PROTECTION_PROFILE_push(clnt,cprof);
+-                       }
+-               else
+-                       {
+-                       ; /* Ignore */
+                       sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
+                       if (sprof->id == id)
+                               {
+                               s->srtp_profile = sprof;
+                               srtp_pref = i;
+                               break;
+                               }
+                        }
+                }
+ 
+@@ -371,36 +369,7 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al
+                return 1;
+                }
+ 
+-       srvr=SSL_get_srtp_profiles(s);
+-
+-       /* Pick our most preferred profile. If no profiles have been
+-        configured then the outer loop doesn't run 
+-        (sk_SRTP_PROTECTION_PROFILE_num() = -1)
+-        and so we just return without doing anything */
+-       for(i=0;i<sk_SRTP_PROTECTION_PROFILE_num(srvr);i++)
+-               {
+-               sprof=sk_SRTP_PROTECTION_PROFILE_value(srvr,i);
+-
+-               for(j=0;j<sk_SRTP_PROTECTION_PROFILE_num(clnt);j++)
+-                       {
+-                       cprof=sk_SRTP_PROTECTION_PROFILE_value(clnt,j);
+-            
+-                       if(cprof->id==sprof->id)
+-                               {
+-                               s->srtp_profile=sprof;
+-                               *al=0;
+-                               ret=0;
+-                               goto done;
+-                               }
+-                       }
+-               }
+-
+-       ret=0;
+-    
+-done:
+-       if(clnt) sk_SRTP_PROTECTION_PROFILE_free(clnt);
+-
+-       return ret;
+       return 0;
+        }
+ 
+ int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index 022a4fb..12ee3c9 100644
+--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
+@@ -643,7 +643,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
+ #endif
+ 
+ #ifndef OPENSSL_NO_SRTP
+-        if(SSL_get_srtp_profiles(s))
+       if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
+                 {
+                 int el;
+ 
+@@ -806,7 +806,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c
+ #endif
+ 
+ #ifndef OPENSSL_NO_SRTP
+-        if(s->srtp_profile)
+       if(SSL_IS_DTLS(s) && s->srtp_profile)
+                 {
+                 int el;
+ 
+@@ -1444,7 +1444,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
+ 
+                /* session ticket processed earlier */
+ #ifndef OPENSSL_NO_SRTP
+-               else if (type == TLSEXT_TYPE_use_srtp)
+               else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
+                        && type == TLSEXT_TYPE_use_srtp)
+                        {
+                        if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
+                                                              al))
+@@ -1698,7 +1699,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
+                        }
+ #endif
+ #ifndef OPENSSL_NO_SRTP
+-               else if (type == TLSEXT_TYPE_use_srtp)
+               else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
+                        {
+                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
+                                                              al))
+-- 
+1.7.9.5
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
index 9bd8ab58dd..3ec5ddcfc0 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
@@ -44,6 +44,7 @@ SRC_URI += "file://configure-targets.patch \
            file://0001-Fix-CVE-2014-3470.patch \
            file://run-ptest \
            file://openssl-fix-CVE-2014-3566.patch \
+            file://openssl-fix-CVE-2014-3513.patch \
           "
 SRC_URI[md5sum] = "de62b43dfcd858e66a74bee1c834e959"

diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3513.patch b/meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3513.patch new file mode 100644 index 0000000000..1415d562b0 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3513.patch
@@ -0,0 +1,210 @@
		1	From 2b0532f3984324ebe1236a63d15893792384328d Mon Sep 17 00:00:00 2001
		2	From: Matt Caswell <matt@openssl.org>
		3	Date: Wed, 15 Oct 2014 01:20:38 +0100
		4	Subject: [PATCH] Fix for SRTP Memory Leak
		5
		6	CVE-2014-3513
		7
		8	This issue was reported to OpenSSL on 26th September 2014, based on an origi
		9	issue and patch developed by the LibreSSL project. Further analysis of the i
		10	was performed by the OpenSSL team.
		11
		12	The fix was developed by the OpenSSL team.
		13
		14	Reviewed-by: Tim Hudson <tjh@openssl.org>
		15	---
		16	ssl/d1_srtp.c \| 93 +++++++++++++++++++--------------------------------------
		17	ssl/t1_lib.c \| 9 +++---
		18	2 files changed, 36 insertions(+), 66 deletions(-)
		19
		20	diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c
		21	index ab9c419..535539b 100644
		22	--- a/ssl/d1_srtp.c
		23	+++ b/ssl/d1_srtp.c
		24	@@ -168,25 +168,6 @@ static int find_profile_by_name(char *profile_name,
		25	return 1;
		26	}
		27
		28	-static int find_profile_by_num(unsigned profile_num,
		29	- SRTP_PROTECTION_PROFILE **pptr)
		30	- {
		31	- SRTP_PROTECTION_PROFILE *p;
		32	-
		33	- p=srtp_known_profiles;
		34	- while(p->name)
		35	- {
		36	- if(p->id == profile_num)
		37	- {
		38	- *pptr=p;
		39	- return 0;
		40	- }
		41	- p++;
		42	- }
		43	-
		44	- return 1;
		45	- }
		46	-
		47	static int ssl_ctx_make_profiles(const char profiles_string,STACK_OF(SRTP_PROTECTION_PROFILE) *out)
		48	{
		49	STACK_OF(SRTP_PROTECTION_PROFILE) *profiles;
		50	@@ -209,11 +190,19 @@ static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTE
		51	if(!find_profile_by_name(ptr,&p,
		52	col ? col-ptr : (int)strlen(ptr)))
		53	{
		54	+ if (sk_SRTP_PROTECTION_PROFILE_find(profiles,p) >= 0)
		55	+ {
		56	+ SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
		57	+ sk_SRTP_PROTECTION_PROFILE_free(profiles);
		58	+ return 1;
		59	+ }
		60	+
		61	sk_SRTP_PROTECTION_PROFILE_push(profiles,p);
		62	}
		63	else
		64	{
		65	SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
		66	+ sk_SRTP_PROTECTION_PROFILE_free(profiles);
		67	return 1;
		68	}
		69
		70	@@ -305,13 +294,12 @@ int ssl_add_clienthello_use_srtp_ext(SSL s, unsigned char p, int *len, int max
		71
		72	int ssl_parse_clienthello_use_srtp_ext(SSL s, unsigned char d, int len,int *al)
		73	{
		74	- SRTP_PROTECTION_PROFILE cprof,sprof;
		75	- STACK_OF(SRTP_PROTECTION_PROFILE) clnt=0,srvr;
		76	+ SRTP_PROTECTION_PROFILE *sprof;
		77	+ STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
		78	int ct;
		79	int mki_len;
		80	- int i,j;
		81	- int id;
		82	- int ret;
		83	+ int i, srtp_pref;
		84	+ unsigned int id;
		85
		86	/* Length value + the MKI length */
		87	if(len < 3)
		88	@@ -341,22 +329,32 @@ int ssl_parse_clienthello_use_srtp_ext(SSL s, unsigned char d, int len,int *al
		89	return 1;
		90	}
		91
		92	+ srvr=SSL_get_srtp_profiles(s);
		93	+ s->srtp_profile = NULL;
		94	+ /* Search all profiles for a match initially */
		95	+ srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
		96
		97	- clnt=sk_SRTP_PROTECTION_PROFILE_new_null();
		98	-
		99	while(ct)
		100	{
		101	n2s(d,id);
		102	ct-=2;
		103	len-=2;
		104
		105	- if(!find_profile_by_num(id,&cprof))
		106	+ /*
		107	+ * Only look for match in profiles of higher preference than
		108	+ * current match.
		109	+ * If no profiles have been have been configured then this
		110	+ * does nothing.
		111	+ */
		112	+ for (i = 0; i < srtp_pref; i++)
		113	{
		114	- sk_SRTP_PROTECTION_PROFILE_push(clnt,cprof);
		115	- }
		116	- else
		117	- {
		118	- ; /* Ignore */
		119	+ sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
		120	+ if (sprof->id == id)
		121	+ {
		122	+ s->srtp_profile = sprof;
		123	+ srtp_pref = i;
		124	+ break;
		125	+ }
		126	}
		127	}
		128
		129	@@ -371,36 +369,7 @@ int ssl_parse_clienthello_use_srtp_ext(SSL s, unsigned char d, int len,int *al
		130	return 1;
		131	}
		132
		133	- srvr=SSL_get_srtp_profiles(s);
		134	-
		135	- /* Pick our most preferred profile. If no profiles have been
		136	- configured then the outer loop doesn't run
		137	- (sk_SRTP_PROTECTION_PROFILE_num() = -1)
		138	- and so we just return without doing anything */
		139	- for(i=0;i<sk_SRTP_PROTECTION_PROFILE_num(srvr);i++)
		140	- {
		141	- sprof=sk_SRTP_PROTECTION_PROFILE_value(srvr,i);
		142	-
		143	- for(j=0;j<sk_SRTP_PROTECTION_PROFILE_num(clnt);j++)
		144	- {
		145	- cprof=sk_SRTP_PROTECTION_PROFILE_value(clnt,j);
		146	-
		147	- if(cprof->id==sprof->id)
		148	- {
		149	- s->srtp_profile=sprof;
		150	- *al=0;
		151	- ret=0;
		152	- goto done;
		153	- }
		154	- }
		155	- }
		156	-
		157	- ret=0;
		158	-
		159	-done:
		160	- if(clnt) sk_SRTP_PROTECTION_PROFILE_free(clnt);
		161	-
		162	- return ret;
		163	+ return 0;
		164	}
		165
		166	int ssl_add_serverhello_use_srtp_ext(SSL s, unsigned char p, int *len, int maxlen)
		167	diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
		168	index 022a4fb..12ee3c9 100644
		169	--- a/ssl/t1_lib.c
		170	+++ b/ssl/t1_lib.c
		171	@@ -643,7 +643,7 @@ unsigned char ssl_add_clienthello_tlsext(SSL s, unsigned char *buf, unsigned c
		172	#endif
		173
		174	#ifndef OPENSSL_NO_SRTP
		175	- if(SSL_get_srtp_profiles(s))
		176	+ if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
		177	{
		178	int el;
		179
		180	@@ -806,7 +806,7 @@ unsigned char ssl_add_serverhello_tlsext(SSL s, unsigned char *buf, unsigned c
		181	#endif
		182
		183	#ifndef OPENSSL_NO_SRTP
		184	- if(s->srtp_profile)
		185	+ if(SSL_IS_DTLS(s) && s->srtp_profile)
		186	{
		187	int el;
		188
		189	@@ -1444,7 +1444,8 @@ int ssl_parse_clienthello_tlsext(SSL s, unsigned char p, unsigned char d, in
		190
		191	/* session ticket processed earlier */
		192	#ifndef OPENSSL_NO_SRTP
		193	- else if (type == TLSEXT_TYPE_use_srtp)
		194	+ else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
		195	+ && type == TLSEXT_TYPE_use_srtp)
		196	{
		197	if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
		198	al))
		199	@@ -1698,7 +1699,7 @@ int ssl_parse_serverhello_tlsext(SSL s, unsigned char p, unsigned char d, in
		200	}
		201	#endif
		202	#ifndef OPENSSL_NO_SRTP
		203	- else if (type == TLSEXT_TYPE_use_srtp)
		204	+ else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
		205	{
		206	if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
		207	al))
		208	--
		209	1.7.9.5
		210


diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb index 9bd8ab58dd..3ec5ddcfc0 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
@@ -44,6 +44,7 @@ SRC_URI += "file://configure-targets.patch \
44	file://0001-Fix-CVE-2014-3470.patch \	44	file://0001-Fix-CVE-2014-3470.patch \
45	file://run-ptest \	45	file://run-ptest \
46	file://openssl-fix-CVE-2014-3566.patch \	46	file://openssl-fix-CVE-2014-3566.patch \
		47	file://openssl-fix-CVE-2014-3513.patch \
47	"	48	"
48		49
49	SRC_URI[md5sum] = "de62b43dfcd858e66a74bee1c834e959"	50	SRC_URI[md5sum] = "de62b43dfcd858e66a74bee1c834e959"