summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p1.patch91
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p2.patch239
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p3.patch30
-rw-r--r--meta/recipes-connectivity/openssl/openssl_1.0.2h.bb3
4 files changed, 363 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p1.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p1.patch
new file mode 100644
index 0000000000..9149dbe04b
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p1.patch
@@ -0,0 +1,91 @@
1From 20744f6b40b5ded059a848f66d6ba922f2a62eb3 Mon Sep 17 00:00:00 2001
2From: Matt Caswell <matt@openssl.org>
3Date: Tue, 5 Jul 2016 11:46:26 +0100
4Subject: [PATCH] Fix DTLS unprocessed records bug
5
6During a DTLS handshake we may get records destined for the next epoch
7arrive before we have processed the CCS. In that case we can't decrypt or
8verify the record yet, so we buffer it for later use. When we do receive
9the CCS we work through the queue of unprocessed records and process them.
10
11Unfortunately the act of processing wipes out any existing packet data
12that we were still working through. This includes any records from the new
13epoch that were in the same packet as the CCS. We should only process the
14buffered records if we've not got any data left.
15
16Reviewed-by: Richard Levitte <levitte@openssl.org>
17
18Upstream-Status: Backport
19CVE: CVE-2016-2180 patch 1
20Signed-off-by: Armin Kuster <akuster@mvista.com>
21
22---
23 ssl/d1_pkt.c | 23 +++++++++++++++++++++--
24 1 file changed, 21 insertions(+), 2 deletions(-)
25
26diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
27index fe30ec7..1fb119d 100644
28--- a/ssl/d1_pkt.c
29+++ b/ssl/d1_pkt.c
30@@ -319,6 +319,7 @@ static int dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue)
31 static int dtls1_process_buffered_records(SSL *s)
32 {
33 pitem *item;
34+ SSL3_BUFFER *rb;
35
36 item = pqueue_peek(s->d1->unprocessed_rcds.q);
37 if (item) {
38@@ -326,6 +327,19 @@ static int dtls1_process_buffered_records(SSL *s)
39 if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
40 return (1); /* Nothing to do. */
41
42+ rb = &s->s3->rbuf;
43+
44+ if (rb->left > 0) {
45+ /*
46+ * We've still got data from the current packet to read. There could
47+ * be a record from the new epoch in it - so don't overwrite it
48+ * with the unprocessed records yet (we'll do it when we've
49+ * finished reading the current packet).
50+ */
51+ return 1;
52+ }
53+
54+
55 /* Process all the records. */
56 while (pqueue_peek(s->d1->unprocessed_rcds.q)) {
57 dtls1_get_unprocessed_record(s);
58@@ -581,6 +595,7 @@ int dtls1_get_record(SSL *s)
59
60 rr = &(s->s3->rrec);
61
62+ again:
63 /*
64 * The epoch may have changed. If so, process all the pending records.
65 * This is a non-blocking operation.
66@@ -593,7 +608,6 @@ int dtls1_get_record(SSL *s)
67 return 1;
68
69 /* get something from the wire */
70- again:
71 /* check if we have the header */
72 if ((s->rstate != SSL_ST_READ_BODY) ||
73 (s->packet_length < DTLS1_RT_HEADER_LENGTH)) {
74@@ -1830,8 +1844,13 @@ static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
75 if (rr->epoch == s->d1->r_epoch)
76 return &s->d1->bitmap;
77
78- /* Only HM and ALERT messages can be from the next epoch */
79+ /*
80+ * Only HM and ALERT messages can be from the next epoch and only if we
81+ * have already processed all of the unprocessed records from the last
82+ * epoch
83+ */
84 else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) &&
85+ s->d1->unprocessed_rcds.epoch != s->d1->r_epoch &&
86 (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) {
87 *is_next_epoch = 1;
88 return &s->d1->next_bitmap;
89--
902.7.4
91
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p2.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p2.patch
new file mode 100644
index 0000000000..ecf138a1f7
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p2.patch
@@ -0,0 +1,239 @@
1From 3884b47b7c255c2e94d9b387ee83c7e8bb981258 Mon Sep 17 00:00:00 2001
2From: Matt Caswell <matt@openssl.org>
3Date: Tue, 5 Jul 2016 12:04:37 +0100
4Subject: [PATCH] Fix DTLS replay protection
5
6The DTLS implementation provides some protection against replay attacks
7in accordance with RFC6347 section 4.1.2.6.
8
9A sliding "window" of valid record sequence numbers is maintained with
10the "right" hand edge of the window set to the highest sequence number we
11have received so far. Records that arrive that are off the "left" hand
12edge of the window are rejected. Records within the window are checked
13against a list of records received so far. If we already received it then
14we also reject the new record.
15
16If we have not already received the record, or the sequence number is off
17the right hand edge of the window then we verify the MAC of the record.
18If MAC verification fails then we discard the record. Otherwise we mark
19the record as received. If the sequence number was off the right hand edge
20of the window, then we slide the window along so that the right hand edge
21is in line with the newly received sequence number.
22
23Records may arrive for future epochs, i.e. a record from after a CCS being
24sent, can arrive before the CCS does if the packets get re-ordered. As we
25have not yet received the CCS we are not yet in a position to decrypt or
26validate the MAC of those records. OpenSSL places those records on an
27unprocessed records queue. It additionally updates the window immediately,
28even though we have not yet verified the MAC. This will only occur if
29currently in a handshake/renegotiation.
30
31This could be exploited by an attacker by sending a record for the next
32epoch (which does not have to decrypt or have a valid MAC), with a very
33large sequence number. This means the right hand edge of the window is
34moved very far to the right, and all subsequent legitimate packets are
35dropped causing a denial of service.
36
37A similar effect can be achieved during the initial handshake. In this
38case there is no MAC key negotiated yet. Therefore an attacker can send a
39message for the current epoch with a very large sequence number. The code
40will process the record as normal. If the hanshake message sequence number
41(as opposed to the record sequence number that we have been talking about
42so far) is in the future then the injected message is bufferred to be
43handled later, but the window is still updated. Therefore all subsequent
44legitimate handshake records are dropped. This aspect is not considered a
45security issue because there are many ways for an attacker to disrupt the
46initial handshake and prevent it from completing successfully (e.g.
47injection of a handshake message will cause the Finished MAC to fail and
48the handshake to be aborted). This issue comes about as a result of trying
49to do replay protection, but having no integrity mechanism in place yet.
50Does it even make sense to have replay protection in epoch 0? That
51issue isn't addressed here though.
52
53This addressed an OCAP Audit issue.
54
55CVE-2016-2181
56
57Upstream-Status: Backport
58CVE: CVE-2016-2181 patch2
59Signed-off-by: Armin Kuster <akuster@mvista.com>
60
61
62Reviewed-by: Richard Levitte <levitte@openssl.org>
63---
64 ssl/d1_pkt.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++------------
65 ssl/ssl.h | 1 +
66 ssl/ssl_err.c | 4 +++-
67 3 files changed, 52 insertions(+), 13 deletions(-)
68
69Index: openssl-1.0.2h/ssl/d1_pkt.c
70===================================================================
71--- openssl-1.0.2h.orig/ssl/d1_pkt.c
72+++ openssl-1.0.2h/ssl/d1_pkt.c
73@@ -194,7 +194,7 @@ static int dtls1_record_needs_buffering(
74 #endif
75 static int dtls1_buffer_record(SSL *s, record_pqueue *q,
76 unsigned char *priority);
77-static int dtls1_process_record(SSL *s);
78+static int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap);
79
80 /* copy buffered record into SSL structure */
81 static int dtls1_copy_record(SSL *s, pitem *item)
82@@ -320,13 +320,18 @@ static int dtls1_process_buffered_record
83 {
84 pitem *item;
85 SSL3_BUFFER *rb;
86+ SSL3_RECORD *rr;
87+ DTLS1_BITMAP *bitmap;
88+ unsigned int is_next_epoch;
89+ int replayok = 1;
90
91 item = pqueue_peek(s->d1->unprocessed_rcds.q);
92 if (item) {
93 /* Check if epoch is current. */
94 if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
95- return (1); /* Nothing to do. */
96+ return 1; /* Nothing to do. */
97
98+ rr = &s->s3->rrec;
99 rb = &s->s3->rbuf;
100
101 if (rb->left > 0) {
102@@ -343,11 +348,41 @@ static int dtls1_process_buffered_record
103 /* Process all the records. */
104 while (pqueue_peek(s->d1->unprocessed_rcds.q)) {
105 dtls1_get_unprocessed_record(s);
106- if (!dtls1_process_record(s))
107- return (0);
108+ bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
109+ if (bitmap == NULL) {
110+ /*
111+ * Should not happen. This will only ever be NULL when the
112+ * current record is from a different epoch. But that cannot
113+ * be the case because we already checked the epoch above
114+ */
115+ SSLerr(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS,
116+ ERR_R_INTERNAL_ERROR);
117+ return 0;
118+ }
119+#ifndef OPENSSL_NO_SCTP
120+ /* Only do replay check if no SCTP bio */
121+ if (!BIO_dgram_is_sctp(SSL_get_rbio(s)))
122+#endif
123+ {
124+ /*
125+ * Check whether this is a repeat, or aged record. We did this
126+ * check once already when we first received the record - but
127+ * we might have updated the window since then due to
128+ * records we subsequently processed.
129+ */
130+ replayok = dtls1_record_replay_check(s, bitmap);
131+ }
132+
133+ if (!replayok || !dtls1_process_record(s, bitmap)) {
134+ /* dump this record */
135+ rr->length = 0;
136+ s->packet_length = 0;
137+ continue;
138+ }
139+
140 if (dtls1_buffer_record(s, &(s->d1->processed_rcds),
141 s->s3->rrec.seq_num) < 0)
142- return -1;
143+ return 0;
144 }
145 }
146
147@@ -358,7 +393,7 @@ static int dtls1_process_buffered_record
148 s->d1->processed_rcds.epoch = s->d1->r_epoch;
149 s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1;
150
151- return (1);
152+ return 1;
153 }
154
155 #if 0
156@@ -405,7 +440,7 @@ static int dtls1_get_buffered_record(SSL
157
158 #endif
159
160-static int dtls1_process_record(SSL *s)
161+static int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
162 {
163 int i, al;
164 int enc_err;
165@@ -565,6 +600,10 @@ static int dtls1_process_record(SSL *s)
166
167 /* we have pulled in a full packet so zero things */
168 s->packet_length = 0;
169+
170+ /* Mark receipt of record. */
171+ dtls1_record_bitmap_update(s, bitmap);
172+
173 return (1);
174
175 f_err:
176@@ -600,7 +639,7 @@ int dtls1_get_record(SSL *s)
177 * The epoch may have changed. If so, process all the pending records.
178 * This is a non-blocking operation.
179 */
180- if (dtls1_process_buffered_records(s) < 0)
181+ if (!dtls1_process_buffered_records(s))
182 return -1;
183
184 /* if we're renegotiating, then there may be buffered records */
185@@ -735,20 +774,17 @@ int dtls1_get_record(SSL *s)
186 if (dtls1_buffer_record
187 (s, &(s->d1->unprocessed_rcds), rr->seq_num) < 0)
188 return -1;
189- /* Mark receipt of record. */
190- dtls1_record_bitmap_update(s, bitmap);
191 }
192 rr->length = 0;
193 s->packet_length = 0;
194 goto again;
195 }
196
197- if (!dtls1_process_record(s)) {
198+ if (!dtls1_process_record(s, bitmap)) {
199 rr->length = 0;
200 s->packet_length = 0; /* dump this record */
201 goto again; /* get another record */
202 }
203- dtls1_record_bitmap_update(s, bitmap); /* Mark receipt of record. */
204
205 return (1);
206
207Index: openssl-1.0.2h/ssl/ssl.h
208===================================================================
209--- openssl-1.0.2h.orig/ssl/ssl.h
210+++ openssl-1.0.2h/ssl/ssl.h
211@@ -2623,6 +2623,7 @@ void ERR_load_SSL_strings(void);
212 # define SSL_F_DTLS1_HEARTBEAT 305
213 # define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255
214 # define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288
215+# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS 404
216 # define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256
217 # define SSL_F_DTLS1_PROCESS_RECORD 257
218 # define SSL_F_DTLS1_READ_BYTES 258
219Index: openssl-1.0.2h/ssl/ssl_err.c
220===================================================================
221--- openssl-1.0.2h.orig/ssl/ssl_err.c
222+++ openssl-1.0.2h/ssl/ssl_err.c
223@@ -1,6 +1,6 @@
224 /* ssl/ssl_err.c */
225 /* ====================================================================
226- * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved.
227+ * Copyright (c) 1999-2016 The OpenSSL Project. All rights reserved.
228 *
229 * Redistribution and use in source and binary forms, with or without
230 * modification, are permitted provided that the following conditions
231@@ -93,6 +93,8 @@ static ERR_STRING_DATA SSL_str_functs[]
232 {ERR_FUNC(SSL_F_DTLS1_HEARTBEAT), "dtls1_heartbeat"},
233 {ERR_FUNC(SSL_F_DTLS1_OUTPUT_CERT_CHAIN), "dtls1_output_cert_chain"},
234 {ERR_FUNC(SSL_F_DTLS1_PREPROCESS_FRAGMENT), "DTLS1_PREPROCESS_FRAGMENT"},
235+ {ERR_FUNC(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS),
236+ "DTLS1_PROCESS_BUFFERED_RECORDS"},
237 {ERR_FUNC(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE),
238 "DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE"},
239 {ERR_FUNC(SSL_F_DTLS1_PROCESS_RECORD), "DTLS1_PROCESS_RECORD"},
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p3.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p3.patch
new file mode 100644
index 0000000000..a752f89ff0
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-2181_p3.patch
@@ -0,0 +1,30 @@
1From 26aebca74e38ae09f673c2045cc8e2ef762d265a Mon Sep 17 00:00:00 2001
2From: Matt Caswell <matt@openssl.org>
3Date: Wed, 17 Aug 2016 17:55:36 +0100
4Subject: [PATCH] Update function error code
5
6A function error code needed updating due to merge issues.
7
8Reviewed-by: Richard Levitte <levitte@openssl.org>
9
10Upstream-Status: Backport
11CVE: CVE-2016-2181 patch 3
12Signed-off-by: Armin Kuster <akuster@mvista.com>
13
14---
15 ssl/ssl.h | 2 +-
16 1 file changed, 1 insertion(+), 1 deletion(-)
17
18Index: openssl-1.0.2h/ssl/ssl.h
19===================================================================
20--- openssl-1.0.2h.orig/ssl/ssl.h
21+++ openssl-1.0.2h/ssl/ssl.h
22@@ -2623,7 +2623,7 @@ void ERR_load_SSL_strings(void);
23 # define SSL_F_DTLS1_HEARTBEAT 305
24 # define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255
25 # define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288
26-# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS 404
27+# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS 424
28 # define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256
29 # define SSL_F_DTLS1_PROCESS_RECORD 257
30 # define SSL_F_DTLS1_READ_BYTES 258
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
index 764f1a2858..d97b771748 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
@@ -41,6 +41,9 @@ SRC_URI += "file://configure-targets.patch \
41 file://CVE-2016-2177.patch \ 41 file://CVE-2016-2177.patch \
42 file://CVE-2016-2178.patch \ 42 file://CVE-2016-2178.patch \
43 file://CVE-2016-2180.patch \ 43 file://CVE-2016-2180.patch \
44 file://CVE-2016-2181_p1.patch \
45 file://CVE-2016-2181_p2.patch \
46 file://CVE-2016-2181_p3.patch \
44 " 47 "
45 48
46SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0" 49SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0"