1 files changed, 204 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/0002-CVE-2015-0204.patch b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2015-0204.patch
new file mode 100644
index 0000000000..8350455c2d
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2015-0204.patch
@@ -0,0 +1,204 @@
+From 37580f43b5a39f5f4e920d17273fab9713d3a744 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Thu, 23 Oct 2014 17:09:57 +0100
+Subject: [PATCH] Only allow ephemeral RSA keys in export ciphersuites.
+OpenSSL clients would tolerate temporary RSA keys in non-export
+ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which
+enabled this server side. Remove both options as they are a
+protocol violation.
+Thanks to Karthikeyan Bhargavan for reporting this issue.
+(CVE-2015-0204)
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+(cherry picked from commit 4b4c1fcc88aec8c9e001b0a0077d3cd4de1ed0e6)
+Conflicts:
+        doc/ssl/SSL_CTX_set_options.pod
+Conflicts:
+Changes in the "CHANGES" file have been removed from this pacth since 
+it fails to apply.
+Upstream-Status: Backport 
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ CHANGES                                  |  8 ++++++++
+ doc/ssl/SSL_CTX_set_options.pod          | 10 +---------
+ doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod | 23 ++++++++---------------
+ ssl/d1_srvr.c                            | 21 ++++++---------------
+ ssl/s3_clnt.c                            |  7 +++++++
+ ssl/s3_srvr.c                            | 21 ++++++---------------
+ ssl/ssl.h                                |  5 ++---
+ 7 files changed, 38 insertions(+), 57 deletions(-)
+ 
+diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
+index 6e6b5e6..e80a72c 100644
+--- a/doc/ssl/SSL_CTX_set_options.pod
+++ b/doc/ssl/SSL_CTX_set_options.pod
+@@ -158,15 +158,7 @@ temporary/ephemeral DH parameters are used.
+ 
+ =item SSL_OP_EPHEMERAL_RSA
+ 
+-Always use ephemeral (temporary) RSA key when doing RSA operations
+-(see L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>).
+-According to the specifications this is only done, when a RSA key
+-can only be used for signature operations (namely under export ciphers
+-with restricted RSA keylength). By setting this option, ephemeral
+-RSA keys are always used. This option breaks compatibility with the
+-SSL/TLS specifications and may lead to interoperability problems with
+-clients and should therefore never be used. Ciphers with EDH (ephemeral
+-Diffie-Hellman) key exchange should be used instead.
+This option is no longer implemented and is treated as no op.
+ 
+ =item SSL_OP_CIPHER_SERVER_PREFERENCE
+ 
+diff --git a/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod b/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
+index 534643c..8794eb7 100644
+--- a/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
+++ b/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
+@@ -74,21 +74,14 @@ exchange and use EDH (Ephemeral Diffie-Hellman) key exchange instead
+ in order to achieve forward secrecy (see
+ L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
+ 
+-On OpenSSL servers ephemeral RSA key exchange is therefore disabled by default
+-and must be explicitly enabled  using the SSL_OP_EPHEMERAL_RSA option of
+-L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, violating the TLS/SSL
+-standard. When ephemeral RSA key exchange is required for export ciphers,
+-it will automatically be used without this option!
+-
+-An application may either directly specify the key or can supply the key via
+-a callback function. The callback approach has the advantage, that the
+-callback may generate the key only in case it is actually needed. As the
+-generation of a RSA key is however costly, it will lead to a significant
+-delay in the handshake procedure.  Another advantage of the callback function
+-is that it can supply keys of different size (e.g. for SSL_OP_EPHEMERAL_RSA
+-usage) while the explicit setting of the key is only useful for key size of
+-512 bits to satisfy the export restricted ciphers and does give away key length
+-if a longer key would be allowed.
+An application may either directly specify the key or can supply the key via a
+callback function. The callback approach has the advantage, that the callback
+may generate the key only in case it is actually needed. As the generation of a
+RSA key is however costly, it will lead to a significant delay in the handshake
+procedure.  Another advantage of the callback function is that it can supply
+keys of different size while the explicit setting of the key is only useful for
+key size of 512 bits to satisfy the export restricted ciphers and does give
+away key length if a longer key would be allowed.
+ 
+ The B<tmp_rsa_callback> is called with the B<keylength> needed and
+ the B<is_export> information. The B<is_export> flag is set, when the
+diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
+index e40701e..da4c21e 100644
+--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
+@@ -454,24 +454,15 @@ int dtls1_accept(SSL *s)
+                case SSL3_ST_SW_KEY_EXCH_B:
+                        alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+ 
+-                       /* clear this, it may get reset by
+-                        * send_server_key_exchange */
+-                       if ((s->options & SSL_OP_EPHEMERAL_RSA)
+-#ifndef OPENSSL_NO_KRB5
+-                               && !(alg_k & SSL_kKRB5)
+-#endif /* OPENSSL_NO_KRB5 */
+-                               )
+-                               /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
+-                                * even when forbidden by protocol specs
+-                                * (handshake may fail as clients are not required to
+-                                * be able to handle this) */
+-                               s->s3->tmp.use_rsa_tmp=1;
+-                       else
+-                               s->s3->tmp.use_rsa_tmp=0;
+                       /*
+                        * clear this, it may get reset by
+                        * send_server_key_exchange
+                        */
+                       s->s3->tmp.use_rsa_tmp=0;
+ 
+                        /* only send if a DH key exchange or
+                         * RSA but we have a sign only certificate */
+-                       if (s->s3->tmp.use_rsa_tmp
+                       if (0
+                        /* PSK: send ServerKeyExchange if PSK identity
+                         * hint if provided */
+ #ifndef OPENSSL_NO_PSK
+diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
+index 43ffc77..023c679 100644
+--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
+@@ -1537,6 +1537,13 @@ int ssl3_get_key_exchange(SSL *s)
+ #ifndef OPENSSL_NO_RSA
+        if (alg_k & SSL_kRSA)
+                {
+               /* Temporary RSA keys only allowed in export ciphersuites */
+               if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher))
+                       {
+                       al=SSL_AD_UNEXPECTED_MESSAGE;
+                       SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNEXPECTED_MESSAGE);
+                       goto f_err;
+                       }
+                if ((rsa=RSA_new()) == NULL)
+                        {
+                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
+diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
+index ac2cc3d..d883f86 100644
+--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
+@@ -447,20 +447,11 @@ int ssl3_accept(SSL *s)
+                case SSL3_ST_SW_KEY_EXCH_B:
+                        alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+ 
+-                       /* clear this, it may get reset by
+-                        * send_server_key_exchange */
+-                       if ((s->options & SSL_OP_EPHEMERAL_RSA)
+-#ifndef OPENSSL_NO_KRB5
+-                               && !(alg_k & SSL_kKRB5)
+-#endif /* OPENSSL_NO_KRB5 */
+-                               )
+-                               /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
+-                                * even when forbidden by protocol specs
+-                                * (handshake may fail as clients are not required to
+-                                * be able to handle this) */
+-                               s->s3->tmp.use_rsa_tmp=1;
+-                       else
+-                               s->s3->tmp.use_rsa_tmp=0;
+                       /*
+                        * clear this, it may get reset by
+                        * send_server_key_exchange
+                        */
+                       s->s3->tmp.use_rsa_tmp=0;
+ 
+ 
+                        /* only send if a DH key exchange, fortezza or
+@@ -474,7 +465,7 @@ int ssl3_accept(SSL *s)
+                         * server certificate contains the server's
+                         * public key for key exchange.
+                         */
+-                       if (s->s3->tmp.use_rsa_tmp
+                       if (0
+                        /* PSK: send ServerKeyExchange if PSK identity
+                         * hint if provided */
+ #ifndef OPENSSL_NO_PSK
+diff --git a/ssl/ssl.h b/ssl/ssl.h
+index a6a1c77..2ba5923 100644
+--- a/ssl/ssl.h
+++ b/ssl/ssl.h
+@@ -596,9 +596,8 @@ struct ssl_session_st
+ #define SSL_OP_SINGLE_ECDH_USE                         0x00080000L
+ /* If set, always create a new key when using tmp_dh parameters */
+ #define SSL_OP_SINGLE_DH_USE                           0x00100000L
+-/* Set to always use the tmp_rsa key when doing RSA operations,
+- * even when this violates protocol specs */
+-#define SSL_OP_EPHEMERAL_RSA                           0x00200000L
+/* Does nothing: retained for compatibiity */
+#define SSL_OP_EPHEMERAL_RSA                           0x0
+ /* Set on servers to choose the cipher according to the server's
+  * preferences */
+ #define SSL_OP_CIPHER_SERVER_PREFERENCE                        0x00400000L
+-- 
+1.9.1

diff --git a/meta/recipes-connectivity/openssl/openssl/0002-CVE-2015-0204.patch b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2015-0204.patch new file mode 100644 index 0000000000..8350455c2d --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2015-0204.patch
@@ -0,0 +1,204 @@
	1	From 37580f43b5a39f5f4e920d17273fab9713d3a744 Mon Sep 17 00:00:00 2001
	2	From: "Dr. Stephen Henson" <steve@openssl.org>
	3	Date: Thu, 23 Oct 2014 17:09:57 +0100
	4	Subject: [PATCH] Only allow ephemeral RSA keys in export ciphersuites.
	5
	6	OpenSSL clients would tolerate temporary RSA keys in non-export
	7	ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which
	8	enabled this server side. Remove both options as they are a
	9	protocol violation.
	10
	11	Thanks to Karthikeyan Bhargavan for reporting this issue.
	12	(CVE-2015-0204)
	13	Reviewed-by: Matt Caswell <matt@openssl.org>
	14	Reviewed-by: Tim Hudson <tjh@openssl.org>
	15
	16	(cherry picked from commit 4b4c1fcc88aec8c9e001b0a0077d3cd4de1ed0e6)
	17
	18	Conflicts:
	19	doc/ssl/SSL_CTX_set_options.pod
	20
	21	Conflicts:
	22	Changes in the "CHANGES" file have been removed from this pacth since
	23	it fails to apply.
	24
	25	Upstream-Status: Backport
	26
	27	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	28	---
	29	CHANGES \| 8 ++++++++
	30	doc/ssl/SSL_CTX_set_options.pod \| 10 +---------
	31	doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod \| 23 ++++++++---------------
	32	ssl/d1_srvr.c \| 21 ++++++---------------
	33	ssl/s3_clnt.c \| 7 +++++++
	34	ssl/s3_srvr.c \| 21 ++++++---------------
	35	ssl/ssl.h \| 5 ++---
	36	7 files changed, 38 insertions(+), 57 deletions(-)
	37
	38
	39	diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
	40	index 6e6b5e6..e80a72c 100644
	41	--- a/doc/ssl/SSL_CTX_set_options.pod
	42	+++ b/doc/ssl/SSL_CTX_set_options.pod
	43	@@ -158,15 +158,7 @@ temporary/ephemeral DH parameters are used.
	44
	45	=item SSL_OP_EPHEMERAL_RSA
	46
	47	-Always use ephemeral (temporary) RSA key when doing RSA operations
	48	-(see L<SSL_CTX_set_tmp_rsa_callback(3)\|SSL_CTX_set_tmp_rsa_callback(3)>).
	49	-According to the specifications this is only done, when a RSA key
	50	-can only be used for signature operations (namely under export ciphers
	51	-with restricted RSA keylength). By setting this option, ephemeral
	52	-RSA keys are always used. This option breaks compatibility with the
	53	-SSL/TLS specifications and may lead to interoperability problems with
	54	-clients and should therefore never be used. Ciphers with EDH (ephemeral
	55	-Diffie-Hellman) key exchange should be used instead.
	56	+This option is no longer implemented and is treated as no op.
	57
	58	=item SSL_OP_CIPHER_SERVER_PREFERENCE
	59
	60	diff --git a/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod b/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
	61	index 534643c..8794eb7 100644
	62	--- a/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
	63	+++ b/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
	64	@@ -74,21 +74,14 @@ exchange and use EDH (Ephemeral Diffie-Hellman) key exchange instead
	65	in order to achieve forward secrecy (see
	66	L<SSL_CTX_set_tmp_dh_callback(3)\|SSL_CTX_set_tmp_dh_callback(3)>).
	67
	68	-On OpenSSL servers ephemeral RSA key exchange is therefore disabled by default
	69	-and must be explicitly enabled using the SSL_OP_EPHEMERAL_RSA option of
	70	-L<SSL_CTX_set_options(3)\|SSL_CTX_set_options(3)>, violating the TLS/SSL
	71	-standard. When ephemeral RSA key exchange is required for export ciphers,
	72	-it will automatically be used without this option!
	73	-
	74	-An application may either directly specify the key or can supply the key via
	75	-a callback function. The callback approach has the advantage, that the
	76	-callback may generate the key only in case it is actually needed. As the
	77	-generation of a RSA key is however costly, it will lead to a significant
	78	-delay in the handshake procedure. Another advantage of the callback function
	79	-is that it can supply keys of different size (e.g. for SSL_OP_EPHEMERAL_RSA
	80	-usage) while the explicit setting of the key is only useful for key size of
	81	-512 bits to satisfy the export restricted ciphers and does give away key length
	82	-if a longer key would be allowed.
	83	+An application may either directly specify the key or can supply the key via a
	84	+callback function. The callback approach has the advantage, that the callback
	85	+may generate the key only in case it is actually needed. As the generation of a
	86	+RSA key is however costly, it will lead to a significant delay in the handshake
	87	+procedure. Another advantage of the callback function is that it can supply
	88	+keys of different size while the explicit setting of the key is only useful for
	89	+key size of 512 bits to satisfy the export restricted ciphers and does give
	90	+away key length if a longer key would be allowed.
	91
	92	The B<tmp_rsa_callback> is called with the B<keylength> needed and
	93	the B<is_export> information. The B<is_export> flag is set, when the
	94	diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
	95	index e40701e..da4c21e 100644
	96	--- a/ssl/d1_srvr.c
	97	+++ b/ssl/d1_srvr.c
	98	@@ -454,24 +454,15 @@ int dtls1_accept(SSL *s)
	99	case SSL3_ST_SW_KEY_EXCH_B:
	100	alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
	101
	102	- /* clear this, it may get reset by
	103	- * send_server_key_exchange */
	104	- if ((s->options & SSL_OP_EPHEMERAL_RSA)
	105	-#ifndef OPENSSL_NO_KRB5
	106	- && !(alg_k & SSL_kKRB5)
	107	-#endif /* OPENSSL_NO_KRB5 */
	108	- )
	109	- /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
	110	- * even when forbidden by protocol specs
	111	- * (handshake may fail as clients are not required to
	112	- * be able to handle this) */
	113	- s->s3->tmp.use_rsa_tmp=1;
	114	- else
	115	- s->s3->tmp.use_rsa_tmp=0;
	116	+ /*
	117	+ * clear this, it may get reset by
	118	+ * send_server_key_exchange
	119	+ */
	120	+ s->s3->tmp.use_rsa_tmp=0;
	121
	122	/* only send if a DH key exchange or
	123	* RSA but we have a sign only certificate */
	124	- if (s->s3->tmp.use_rsa_tmp
	125	+ if (0
	126	/* PSK: send ServerKeyExchange if PSK identity
	127	* hint if provided */
	128	#ifndef OPENSSL_NO_PSK
	129	diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
	130	index 43ffc77..023c679 100644
	131	--- a/ssl/s3_clnt.c
	132	+++ b/ssl/s3_clnt.c
	133	@@ -1537,6 +1537,13 @@ int ssl3_get_key_exchange(SSL *s)
	134	#ifndef OPENSSL_NO_RSA
	135	if (alg_k & SSL_kRSA)
	136	{
	137	+ /* Temporary RSA keys only allowed in export ciphersuites */
	138	+ if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher))
	139	+ {
	140	+ al=SSL_AD_UNEXPECTED_MESSAGE;
	141	+ SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNEXPECTED_MESSAGE);
	142	+ goto f_err;
	143	+ }
	144	if ((rsa=RSA_new()) == NULL)
	145	{
	146	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
	147	diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
	148	index ac2cc3d..d883f86 100644
	149	--- a/ssl/s3_srvr.c
	150	+++ b/ssl/s3_srvr.c
	151	@@ -447,20 +447,11 @@ int ssl3_accept(SSL *s)
	152	case SSL3_ST_SW_KEY_EXCH_B:
	153	alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
	154
	155	- /* clear this, it may get reset by
	156	- * send_server_key_exchange */
	157	- if ((s->options & SSL_OP_EPHEMERAL_RSA)
	158	-#ifndef OPENSSL_NO_KRB5
	159	- && !(alg_k & SSL_kKRB5)
	160	-#endif /* OPENSSL_NO_KRB5 */
	161	- )
	162	- /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
	163	- * even when forbidden by protocol specs
	164	- * (handshake may fail as clients are not required to
	165	- * be able to handle this) */
	166	- s->s3->tmp.use_rsa_tmp=1;
	167	- else
	168	- s->s3->tmp.use_rsa_tmp=0;
	169	+ /*
	170	+ * clear this, it may get reset by
	171	+ * send_server_key_exchange
	172	+ */
	173	+ s->s3->tmp.use_rsa_tmp=0;
	174
	175
	176	/* only send if a DH key exchange, fortezza or
	177	@@ -474,7 +465,7 @@ int ssl3_accept(SSL *s)
	178	* server certificate contains the server's
	179	* public key for key exchange.
	180	*/
	181	- if (s->s3->tmp.use_rsa_tmp
	182	+ if (0
	183	/* PSK: send ServerKeyExchange if PSK identity
	184	* hint if provided */
	185	#ifndef OPENSSL_NO_PSK
	186	diff --git a/ssl/ssl.h b/ssl/ssl.h
	187	index a6a1c77..2ba5923 100644
	188	--- a/ssl/ssl.h
	189	+++ b/ssl/ssl.h
	190	@@ -596,9 +596,8 @@ struct ssl_session_st
	191	#define SSL_OP_SINGLE_ECDH_USE 0x00080000L
	192	/* If set, always create a new key when using tmp_dh parameters */
	193	#define SSL_OP_SINGLE_DH_USE 0x00100000L
	194	-/* Set to always use the tmp_rsa key when doing RSA operations,
	195	- * even when this violates protocol specs */
	196	-#define SSL_OP_EPHEMERAL_RSA 0x00200000L
	197	+/* Does nothing: retained for compatibiity */
	198	+#define SSL_OP_EPHEMERAL_RSA 0x0
	199	/* Set on servers to choose the cipher according to the server's
	200	* preferences */
	201	#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
	202	--
	203	1.9.1
	204