-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3513.patch | 210 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl_1.0.1g.bb | 1 |
2 files changed, 211 insertions, 0 deletions
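--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3513.patch
@@ -0,0 +1,210 @@
+From 2b0532f3984324ebe1236a63d15893792384328d Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Wed, 15 Oct 2014 01:20:38 +0100
+Subject: [PATCH] Fix for SRTP Memory Leak
+
+CVE-2014-3513
+
+This issue was reported to OpenSSL on 26th September 2014, based on an origi
+issue and patch developed by the LibreSSL project. Further analysis of the i
+was performed by the OpenSSL team.
+
+The fix was developed by the OpenSSL team.
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+---
+ssl/d1_srtp.c | 93 +++++++++++++++++++--------------------------------------
+ssl/t1_lib.c | 9 +++---
+2 files changed, 36 insertions(+), 66 deletions(-)
+
+diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c
+index ab9c419..535539b 100644
+--- a/ssl/d1_srtp.c
++++ b/ssl/d1_srtp.c
+@@ -168,25 +168,6 @@ static int find_profile_by_name(char *profile_name,
+return 1;
+}
+
+-static int find_profile_by_num(unsigned profile_num,
+- SRTP_PROTECTION_PROFILE **pptr)
+- {
+- SRTP_PROTECTION_PROFILE *p;
+-
+- p=srtp_known_profiles;
+- while(p->name)
+- {
+- if(p->id == profile_num)
+- {
+- *pptr=p;
+- return 0;
+- }
+- p++;
+- }
+-
+- return 1;
+- }
+-
+static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTECTION_PROFILE) **out)
+{
+STACK_OF(SRTP_PROTECTION_PROFILE) *profiles;
+@@ -209,11 +190,19 @@ static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTE
+if(!find_profile_by_name(ptr,&p,
+col ? col-ptr : (int)strlen(ptr)))
+{
++ if (sk_SRTP_PROTECTION_PROFILE_find(profiles,p) >= 0)
++ {
++ SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
++ sk_SRTP_PROTECTION_PROFILE_free(profiles);
++ return 1;
++ }
++
+sk_SRTP_PROTECTION_PROFILE_push(profiles,p);
+}
+else
+{
+SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
++ sk_SRTP_PROTECTION_PROFILE_free(profiles);
+return 1;
+}
+
+@@ -305,13 +294,12 @@ int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int max
+
+int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al)
+{
+- SRTP_PROTECTION_PROFILE *cprof,*sprof;
+- STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0,*srvr;
++ SRTP_PROTECTION_PROFILE *sprof;
++ STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
+int ct;
+int mki_len;
+- int i,j;
+- int id;
+- int ret;
++ int i, srtp_pref;
++ unsigned int id;
+
+/* Length value + the MKI length */
+if(len < 3)
+@@ -341,22 +329,32 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al
+return 1;
+}
+
++ srvr=SSL_get_srtp_profiles(s);
++ s->srtp_profile = NULL;
++ /* Search all profiles for a match initially */
++ srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
+
+- clnt=sk_SRTP_PROTECTION_PROFILE_new_null();
+-
+while(ct)
+{
+n2s(d,id);
+ct-=2;
+len-=2;
+
+- if(!find_profile_by_num(id,&cprof))
++ /*
++ * Only look for match in profiles of higher preference than
++ * current match.
++ * If no profiles have been have been configured then this
++ * does nothing.
++ */
++ for (i = 0; i < srtp_pref; i++)
+{
+- sk_SRTP_PROTECTION_PROFILE_push(clnt,cprof);
+- }
+- else
+- {
+- ; /* Ignore */
++ sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
++ if (sprof->id == id)
++ {
++ s->srtp_profile = sprof;
++ srtp_pref = i;
++ break;
++ }
+}
+}
+
+@@ -371,36 +369,7 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al
+return 1;
+}
+
+- srvr=SSL_get_srtp_profiles(s);
+-
+- /* Pick our most preferred profile. If no profiles have been
+- configured then the outer loop doesn't run
+- (sk_SRTP_PROTECTION_PROFILE_num() = -1)
+- and so we just return without doing anything */
+- for(i=0;i<sk_SRTP_PROTECTION_PROFILE_num(srvr);i++)
+- {
+- sprof=sk_SRTP_PROTECTION_PROFILE_value(srvr,i);
+-
+- for(j=0;j<sk_SRTP_PROTECTION_PROFILE_num(clnt);j++)
+- {
+- cprof=sk_SRTP_PROTECTION_PROFILE_value(clnt,j);
+-
+- if(cprof->id==sprof->id)
+- {
+- s->srtp_profile=sprof;
+- *al=0;
+- ret=0;
+- goto done;
+- }
+- }
+- }
+-
+- ret=0;
+-
+-done:
+- if(clnt) sk_SRTP_PROTECTION_PROFILE_free(clnt);
+-
+- return ret;
++ return 0;
+}
+
+int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index 022a4fb..12ee3c9 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -643,7 +643,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
+#endif
+
+#ifndef OPENSSL_NO_SRTP
+- if(SSL_get_srtp_profiles(s))
++ if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
+{
+int el;
+
+@@ -806,7 +806,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c
+#endif
+
+#ifndef OPENSSL_NO_SRTP
+- if(s->srtp_profile)
++ if(SSL_IS_DTLS(s) && s->srtp_profile)
+{
+int el;
+
+@@ -1444,7 +1444,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
+
+/* session ticket processed earlier */
+#ifndef OPENSSL_NO_SRTP
+- else if (type == TLSEXT_TYPE_use_srtp)
++ else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
++ && type == TLSEXT_TYPE_use_srtp)
+{
+if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
+al))
+@@ -1698,7 +1699,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
+}
+#endif
+#ifndef OPENSSL_NO_SRTP
+- else if (type == TLSEXT_TYPE_use_srtp)
++ else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
+{
+if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
+al))
+--
+1.7.9.5
+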
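Review bot: The patch header (the lines between the Subject and the `---` separator) carries no `Upstream-Status:` tag and no `Signed-off-by:` from whoever backported it, which the OE-Core patch guidelines expect on every patch under meta/; add `Upstream-Status: Backport` and a `Signed-off-by:` line beneath the existing `Reviewed-by:` so the origin (upstream commit 2b0532f3984324ebe1236a63d15893792384328d) stays traceable when the patch is refreshed for a later openssl version. Two sentences of the description are also cut short (`based on an origi`, `analysis of the i`); that may be a rendering artefact, but it is worth confirming the file itself holds the full upstream message. The hunks themselves are an unmodified upstream backport and the CVE-2014-3513 fix (freeing the profile stack on every error path in ssl_ctx_make_profiles, dropping the per-handshake `clnt` stack, and gating the use_srtp extension on SSL_IS_DTLS) reads as complete for the files shown.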
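--- a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
@@ -44,6 +44,7 @@ SRC_URI += "file://configure-targets.patch \
 file://0001-Fix-CVE-2014-3470.patch \
 file://run-ptest \
 file://openssl-fix-CVE-2014-3566.patch \
+file://openssl-fix-CVE-2014-3513.patch \
 "
 
 SRC_URI[md5sum] = "de62b43dfcd858e66a74bee1c834e959"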