Diffstat (limited to 'meta/recipes-connectivity/openssl/openssl/0002-CVE-2015-0204.patch')
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/0002-CVE-2015-0204.patch | 204 |
1 files changed, 204 insertions, 0 deletions
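diff --git a/meta/recipes-connectivity/openssl/openssl/0002-CVE-2015-0204.patch b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2015-0204.patch
new file mode 100644
index 0000000000..8350455c2d
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0002-CVE-2015-0204.patch
@@ -0,0 +1,204 @@
+From 37580f43b5a39f5f4e920d17273fab9713d3a744 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Thu, 23 Oct 2014 17:09:57 +0100
+Subject: [PATCH] Only allow ephemeral RSA keys in export ciphersuites.
+
+OpenSSL clients would tolerate temporary RSA keys in non-export
+ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which
+enabled this server side. Remove both options as they are a
+protocol violation.
+
+Thanks to Karthikeyan Bhargavan for reporting this issue.
+(CVE-2015-0204)
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+
+(cherry picked from commit 4b4c1fcc88aec8c9e001b0a0077d3cd4de1ed0e6)
+
+Conflicts:
+doc/ssl/SSL_CTX_set_options.pod
+
+Conflicts:
+Changes in the "CHANGES" file have been removed from this pacth since
+it fails to apply.
+
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+CHANGES | 8 ++++++++
+doc/ssl/SSL_CTX_set_options.pod | 10 +--------
+doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod | 23 ++++++++---------------
+ssl/d1_srvr.c | 21 ++++++---------------
+ssl/s3_clnt.c | 7 +++++++
+ssl/s3_srvr.c | 21 ++++++---------------
+ssl/ssl.h | 5 ++---
+7 files changed, 38 insertions(+), 57 deletions(-)
+
+
+diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
+index 6e6b5e6..e80a72c 100644
+--- a/doc/ssl/SSL_CTX_set_options.pod
++++ b/doc/ssl/SSL_CTX_set_options.pod
+@@ -158,15 +158,7 @@ temporary/ephemeral DH parameters are used.
+
+=item SSL_OP_EPHEMERAL_RSA
+
+-Always use ephemeral (temporary) RSA key when doing RSA operations
+-(see L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>).
+-According to the specifications this is only done, when a RSA key
+-can only be used for signature operations (namely under export ciphers
+-with restricted RSA keylength). By setting this option, ephemeral
+-RSA keys are always used. This option breaks compatibility with the
+-SSL/TLS specifications and may lead to interoperability problems with
+-clients and should therefore never be used. Ciphers with EDH (ephemeral
+-Diffie-Hellman) key exchange should be used instead.
++This option is no longer implemented and is treated as no op.
+
+=item SSL_OP_CIPHER_SERVER_PREFERENCE
+
+diff --git a/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod b/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
+index 534643c..8794eb7 100644
+--- a/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
++++ b/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
+@@ -74,21 +74,14 @@ exchange and use EDH (Ephemeral Diffie-Hellman) key exchange instead
+in order to achieve forward secrecy (see
+L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
+
+-On OpenSSL servers ephemeral RSA key exchange is therefore disabled by default
+-and must be explicitly enabled using the SSL_OP_EPHEMERAL_RSA option of
+-L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, violating the TLS/SSL
+-standard. When ephemeral RSA key exchange is required for export ciphers,
+-it will automatically be used without this option!
+-
+-An application may either directly specify the key or can supply the key via
+-a callback function. The callback approach has the advantage, that the
+-callback may generate the key only in case it is actually needed. As the
+-generation of a RSA key is however costly, it will lead to a significant
+-delay in the handshake procedure. Another advantage of the callback function
+-is that it can supply keys of different size (e.g. for SSL_OP_EPHEMERAL_RSA
+-usage) while the explicit setting of the key is only useful for key size of
+-512 bits to satisfy the export restricted ciphers and does give away key length
+-if a longer key would be allowed.
++An application may either directly specify the key or can supply the key via a
++callback function. The callback approach has the advantage, that the callback
++may generate the key only in case it is actually needed. As the generation of a
++RSA key is however costly, it will lead to a significant delay in the handshake
++procedure. Another advantage of the callback function is that it can supply
++keys of different size while the explicit setting of the key is only useful for
++key size of 512 bits to satisfy the export restricted ciphers and does give
++away key length if a longer key would be allowed.
+
+The B<tmp_rsa_callback> is called with the B<keylength> needed and
+the B<is_export> information. The B<is_export> flag is set, when the
+diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
+index e40701e..da4c21e 100644
+--- a/ssl/d1_srvr.c
++++ b/ssl/d1_srvr.c
+@@ -454,24 +454,15 @@ int dtls1_accept(SSL *s)
+case SSL3_ST_SW_KEY_EXCH_B:
+alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+
+- /* clear this, it may get reset by
+- * send_server_key_exchange */
+- if ((s->options & SSL_OP_EPHEMERAL_RSA)
+-#ifndef OPENSSL_NO_KRB5
+- && !(alg_k & SSL_kKRB5)
+-#endif /* OPENSSL_NO_KRB5 */
+- )
+- /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
+- * even when forbidden by protocol specs
+- * (handshake may fail as clients are not required to
+- * be able to handle this) */
+- s->s3->tmp.use_rsa_tmp=1;
+- else
+- s->s3->tmp.use_rsa_tmp=0;
++ /*
++ * clear this, it may get reset by
++ * send_server_key_exchange
++ */
++ s->s3->tmp.use_rsa_tmp=0;
+
+/* only send if a DH key exchange or
+* RSA but we have a sign only certificate */
+- if (s->s3->tmp.use_rsa_tmp
++ if (0
+/* PSK: send ServerKeyExchange if PSK identity
+* hint if provided */
+#ifndef OPENSSL_NO_PSK
+diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
+index 43ffc77..023c679 100644
+--- a/ssl/s3_clnt.c
++++ b/ssl/s3_clnt.c
+@@ -1537,6 +1537,13 @@ int ssl3_get_key_exchange(SSL *s)
+#ifndef OPENSSL_NO_RSA
+if (alg_k & SSL_kRSA)
+{
++ /* Temporary RSA keys only allowed in export ciphersuites */
++ if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher))
++ {
++ al=SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNEXPECTED_MESSAGE);
++ goto f_err;
++ }
+if ((rsa=RSA_new()) == NULL)
+{
+SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
+diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
+index ac2cc3d..d883f86 100644
+--- a/ssl/s3_srvr.c
++++ b/ssl/s3_srvr.c
+@@ -447,20 +447,11 @@ int ssl3_accept(SSL *s)
+case SSL3_ST_SW_KEY_EXCH_B:
+alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+
+- /* clear this, it may get reset by
+- * send_server_key_exchange */
+- if ((s->options & SSL_OP_EPHEMERAL_RSA)
+-#ifndef OPENSSL_NO_KRB5
+- && !(alg_k & SSL_kKRB5)
+-#endif /* OPENSSL_NO_KRB5 */
+- )
+- /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
+- * even when forbidden by protocol specs
+- * (handshake may fail as clients are not required to
+- * be able to handle this) */
+- s->s3->tmp.use_rsa_tmp=1;
+- else
+- s->s3->tmp.use_rsa_tmp=0;
++ /*
++ * clear this, it may get reset by
++ * send_server_key_exchange
++ */
++ s->s3->tmp.use_rsa_tmp=0;
+
+
+/* only send if a DH key exchange, fortezza or
+@@ -474,7 +465,7 @@ int ssl3_accept(SSL *s)
+* server certificate contains the server's
+* public key for key exchange.
+*/
+- if (s->s3->tmp.use_rsa_tmp
++ if (0
+/* PSK: send ServerKeyExchange if PSK identity
+* hint if provided */
+#ifndef OPENSSL_NO_PSK
+diff --git a/ssl/ssl.h b/ssl/ssl.h
+index a6a1c77..2ba5923 100644
+--- a/ssl/ssl.h
++++ b/ssl/ssl.h
+@@ -596,9 +596,8 @@ struct ssl_session_st
+#define SSL_OP_SINGLE_ECDH_USE 0x00080000L
+/* If set, always create a new key when using tmp_dh parameters */
+#define SSL_OP_SINGLE_DH_USE 0x00100000L
+-/* Set to always use the tmp_rsa key when doing RSA operations,
+- * even when this violates protocol specs */
+-#define SSL_OP_EPHEMERAL_RSA 0x00200000L
++/* Does nothing: retained for compatibiity */
++#define SSL_OP_EPHEMERAL_RSA 0x0
+/* Set on servers to choose the cipher according to the server's
+ * preferences */
+#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
+--
+1.9.1
+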
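Review bot: The new non-export check in the ssl/s3_clnt.c hunk records its error under `SSL_F_SSL3_GET_SERVER_CERTIFICATE`, although the hunk header places the code in ssl3_get_key_exchange() and the next `SSLerr` call in the same block uses `SSL_F_SSL3_GET_KEY_EXCHANGE`. A rejected temporary RSA key on a non-export ciphersuite will therefore show up in the error queue attributed to certificate processing, which makes this downgrade condition harder to recognise in logs. Because this is a backport, consider either carrying `SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);` as a documented local delta or noting the discrepancy in the patch header. The embedded header also still lists CHANGES in its diffstat ("7 files changed") even though the message says that part was dropped. The diffstat on this page is limited to the patch file, so whether the recipe actually applies it cannot be confirmed from here.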