-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2016-8610.patch124
-rw-r--r--meta/recipes-connectivity/openssl/openssl_1.0.2h.bb1
2 files changed, 125 insertions, 0 deletions
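--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-8610.patch
@@ -0,0 +1,124 @@
+From 22646a075e75991b4e8f5d67171e45a6aead5b48 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Wed, 21 Sep 2016 14:48:16 +0100
+Subject: [PATCH] Don't allow too many consecutive warning alerts
+
+Certain warning alerts are ignored if they are received. This can mean that
+no progress will be made if one peer continually sends those warning alerts.
+Implement a count so that we abort the connection if we receive too many.
+
+Issue reported by Shi Lei.
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+
+Upstream-Status: Backport
+CVE: CVE-2016-8610
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ssl/d1_pkt.c | 15 +++++++++++++++
+ ssl/s3_pkt.c | 15 +++++++++++++++
+ ssl/ssl.h | 1 +
+ ssl/ssl_locl.h | 4 ++++
+ 4 files changed, 35 insertions(+)
+
+Index: openssl-1.0.2h/ssl/d1_pkt.c
+===================================================================
+--- openssl-1.0.2h.orig/ssl/d1_pkt.c
++++ openssl-1.0.2h/ssl/d1_pkt.c
+@@ -928,6 +928,13 @@ int dtls1_read_bytes(SSL *s, int type, u
+ goto start;
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->cert->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1194,6 +1201,14 @@ int dtls1_read_bytes(SSL *s, int type, u
+
+ if (alert_level == SSL3_AL_WARNING) {
+ s->s3->warn_alert = alert_descr;
++
++ s->cert->alert_count++;
++ if (s->cert->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ #ifndef OPENSSL_NO_SCTP
+ /*
+Index: openssl-1.0.2h/ssl/s3_pkt.c
+===================================================================
+--- openssl-1.0.2h.orig/ssl/s3_pkt.c
++++ openssl-1.0.2h/ssl/s3_pkt.c
+@@ -1229,6 +1229,13 @@ int ssl3_read_bytes(SSL *s, int type, un
+ return (ret);
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->cert->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1443,6 +1450,14 @@ int ssl3_read_bytes(SSL *s, int type, un
+
+ if (alert_level == SSL3_AL_WARNING) {
+ s->s3->warn_alert = alert_descr;
++
++ s->cert->alert_count++;
++ if (s->cert->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+ return (0);
+Index: openssl-1.0.2h/ssl/ssl.h
+===================================================================
+--- openssl-1.0.2h.orig/ssl/ssl.h
++++ openssl-1.0.2h/ssl/ssl.h
+@@ -3115,6 +3115,7 @@ void ERR_load_SSL_strings(void);
+ # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
+ # define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
+ # define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
++# define SSL_R_TOO_MANY_WARN_ALERTS 409
+ # define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
+ # define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236
+ # define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS 313
+Index: openssl-1.0.2h/ssl/ssl_locl.h
+===================================================================
+--- openssl-1.0.2h.orig/ssl/ssl_locl.h
++++ openssl-1.0.2h/ssl/ssl_locl.h
+@@ -585,6 +585,8 @@ typedef struct {
+ */
+ # define SSL_EXT_FLAG_SENT 0x2
+
++# define MAX_WARN_ALERT_COUNT 5
++
+ typedef struct {
+ custom_ext_method *meths;
+ size_t meths_count;
+@@ -692,6 +694,8 @@ typedef struct cert_st {
+ unsigned char *alpn_proposed; /* server */
+ unsigned int alpn_proposed_len;
+ int alpn_sent; /* client */
++ /* Count of the number of consecutive warning alerts received */
++ unsigned int alert_count;
+ } CERT;
+
+ typedef struct sess_cert_st {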
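Review bot: The threshold test `if (s->cert->alert_count == MAX_WARN_ALERT_COUNT)` in both dtls1_read_bytes and ssl3_read_bytes fires only on an exact hit, so the limit holds only as long as the counter can never already be above 5 when a warning alert arrives; the counter lives in the CERT struct and nothing in this patch zeroes it when an SSL object is cleared and reused, so a peer that opens the next session with a run of warning alerts could step past the threshold unless code outside this diff resets it. A defensive `if (s->cert->alert_count >= MAX_WARN_ALERT_COUNT) {` in both places closes that window at no cost. Separately, the patch's diffstat lists four files and carries no ssl/ssl_err.c hunk, so the new `SSL_R_TOO_MANY_WARN_ALERTS` reason 409 appears to have no matching `ERR_REASON` string entry and would be reported as a bare reason number; if the upstream commit adds that table entry, the backport should carry it too. Both read_bytes functions start and end outside the quoted hunks.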
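--- a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
@@ -49,6 +49,7 @@ SRC_URI += "file://find.pl;subdir=${BP}/util/ \
 file://CVE-2016-6303.patch \
 file://CVE-2016-6304.patch \
 file://CVE-2016-6306.patch \
+file://CVE-2016-8610.patch \
 "
 SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0"
 SRC_URI[sha256sum] = "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919"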