diff options
Diffstat (limited to 'meta')
3 files changed, 113 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Add-test-for-CVE-2015-3194.patch b/meta/recipes-connectivity/openssl/openssl/0001-Add-test-for-CVE-2015-3194.patch new file mode 100644 index 0000000000..39a2e5a94d --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0001-Add-test-for-CVE-2015-3194.patch | |||
@@ -0,0 +1,66 @@ | |||
1 | From 00456fded43eadd4bb94bf675ae4ea5d158a764f Mon Sep 17 00:00:00 2001 | ||
2 | From: "Dr. Stephen Henson" <steve@openssl.org> | ||
3 | Date: Wed, 4 Nov 2015 13:30:03 +0000 | ||
4 | Subject: [PATCH] Add test for CVE-2015-3194 | ||
5 | |||
6 | Reviewed-by: Richard Levitte <levitte@openssl.org> | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | |||
10 | This patch was imported from | ||
11 | https://git.openssl.org/?p=openssl.git;a=commit;h=00456fded43eadd4bb94bf675ae4ea5d158a764f | ||
12 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
13 | |||
14 | --- | ||
15 | test/certs/pss1.pem | 21 +++++++++++++++++++++ | ||
16 | test/tx509 | 7 +++++++ | ||
17 | 2 files changed, 28 insertions(+) | ||
18 | create mode 100644 test/certs/pss1.pem | ||
19 | |||
20 | diff --git a/test/certs/pss1.pem b/test/certs/pss1.pem | ||
21 | new file mode 100644 | ||
22 | index 0000000..29da71d | ||
23 | --- /dev/null | ||
24 | +++ b/test/certs/pss1.pem | ||
25 | @@ -0,0 +1,21 @@ | ||
26 | +-----BEGIN CERTIFICATE----- | ||
27 | +MIIDdjCCAjqgAwIBAgIJANcwZLyfEv7DMD4GCSqGSIb3DQEBCjAxoA0wCwYJYIZI | ||
28 | +AWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIEAgIA3jAnMSUwIwYD | ||
29 | +VQQDDBxUZXN0IEludmFsaWQgUFNTIGNlcnRpZmljYXRlMB4XDTE1MTEwNDE2MDIz | ||
30 | +NVoXDTE1MTIwNDE2MDIzNVowJzElMCMGA1UEAwwcVGVzdCBJbnZhbGlkIFBTUyBj | ||
31 | +ZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMTaM7WH | ||
32 | +qVCAGAIA+zL1KWvvASTrhlq+1ePdO7wsrWX2KiYoTYrJYTnxhLnn0wrHqApt79nL | ||
33 | +IBG7cfShyZqFHOY/IzlYPMVt+gPo293gw96Fds5JBsjhjkyGnOyr9OUntFqvxDbT | ||
34 | +IIFU7o9IdxD4edaqjRv+fegVE+B79pDk4s0ujsk6dULtCg9Rst0ucGFo19mr+b7k | ||
35 | +dbfn8pZ72ZNDJPueVdrUAWw9oll61UcYfk75XdrLk6JlL41GrYHc8KlfXf43gGQq | ||
36 | +QfrpHkg4Ih2cI6Wt2nhFGAzrlcorzLliQIUJRIhM8h4IgDfpBpaPdVQLqS2pFbXa | ||
37 | +5eQjqiyJwak2vJ8CAwEAAaNQME4wHQYDVR0OBBYEFCt180N4oGUt5LbzBwQ4Ia+2 | ||
38 | +4V97MB8GA1UdIwQYMBaAFCt180N4oGUt5LbzBwQ4Ia+24V97MAwGA1UdEwQFMAMB | ||
39 | +Af8wMQYJKoZIhvcNAQEKMCSgDTALBglghkgBZQMEAgGhDTALBgkqhkiG9w0BAQii | ||
40 | +BAICAN4DggEBAAjBtm90lGxgddjc4Xu/nbXXFHVs2zVcHv/mqOZoQkGB9r/BVgLb | ||
41 | +xhHrFZ2pHGElbUYPfifdS9ztB73e1d4J+P29o0yBqfd4/wGAc/JA8qgn6AAEO/Xn | ||
42 | +plhFeTRJQtLZVl75CkHXgUGUd3h+ADvKtcBuW9dSUncaUrgNKR8u/h/2sMG38RWY | ||
43 | +DzBddC/66YTa3r7KkVUfW7yqRQfELiGKdcm+bjlTEMsvS+EhHup9CzbpoCx2Fx9p | ||
44 | +NPtFY3yEObQhmL1JyoCRWqBE75GzFPbRaiux5UpEkns+i3trkGssZzsOuVqHNTNZ | ||
45 | +lC9+9hPHIoc9UMmAQNo1vGIW3NWVoeGbaJ8= | ||
46 | +-----END CERTIFICATE----- | ||
47 | diff --git a/test/tx509 b/test/tx509 | ||
48 | index 0ce3b52..77f5cac 100644 | ||
49 | --- a/test/tx509 | ||
50 | +++ b/test/tx509 | ||
51 | @@ -74,5 +74,12 @@ if [ $? != 0 ]; then exit 1; fi | ||
52 | cmp x509-f.p x509-ff.p3 | ||
53 | if [ $? != 0 ]; then exit 1; fi | ||
54 | |||
55 | +echo "Parsing test certificates" | ||
56 | + | ||
57 | +$cmd -in certs/pss1.pem -text -noout >/dev/null | ||
58 | +if [ $? != 0 ]; then exit 1; fi | ||
59 | + | ||
60 | +echo OK | ||
61 | + | ||
62 | /bin/rm -f x509-f.* x509-ff.* x509-fff.* | ||
63 | exit 0 | ||
64 | -- | ||
65 | 2.3.5 | ||
66 | |||
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-1-Add-PSS-parameter-check.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-1-Add-PSS-parameter-check.patch new file mode 100644 index 0000000000..13d48913b3 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-1-Add-PSS-parameter-check.patch | |||
@@ -0,0 +1,45 @@ | |||
1 | From c394a488942387246653833359a5c94b5832674e Mon Sep 17 00:00:00 2001 | ||
2 | From: "Dr. Stephen Henson" <steve@openssl.org> | ||
3 | Date: Fri, 2 Oct 2015 12:35:19 +0100 | ||
4 | Subject: [PATCH] Add PSS parameter check. | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | Avoid seg fault by checking mgf1 parameter is not NULL. This can be | ||
10 | triggered during certificate verification so could be a DoS attack | ||
11 | against a client or a server enabling client authentication. | ||
12 | |||
13 | Thanks to Loïc Jonas Etienne (Qnective AG) for discovering this bug. | ||
14 | |||
15 | CVE-2015-3194 | ||
16 | |||
17 | Reviewed-by: Richard Levitte <levitte@openssl.org> | ||
18 | |||
19 | Upstream-Status: Backport | ||
20 | |||
21 | This patch was imported from | ||
22 | https://git.openssl.org/?p=openssl.git;a=commit;h=c394a488942387246653833359a5c94b5832674e | ||
23 | |||
24 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
25 | |||
26 | --- | ||
27 | crypto/rsa/rsa_ameth.c | 2 +- | ||
28 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
29 | |||
30 | diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c | ||
31 | index ca3922e..4e06218 100644 | ||
32 | --- a/crypto/rsa/rsa_ameth.c | ||
33 | +++ b/crypto/rsa/rsa_ameth.c | ||
34 | @@ -268,7 +268,7 @@ static X509_ALGOR *rsa_mgf1_decode(X509_ALGOR *alg) | ||
35 | { | ||
36 | const unsigned char *p; | ||
37 | int plen; | ||
38 | - if (alg == NULL) | ||
39 | + if (alg == NULL || alg->parameter == NULL) | ||
40 | return NULL; | ||
41 | if (OBJ_obj2nid(alg->algorithm) != NID_mgf1) | ||
42 | return NULL; | ||
43 | -- | ||
44 | 2.3.5 | ||
45 | |||
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb index ac78e5c8f2..3aae6a66fa 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb | |||
@@ -36,6 +36,8 @@ SRC_URI += "file://configure-targets.patch \ | |||
36 | file://run-ptest \ | 36 | file://run-ptest \ |
37 | file://crypto_use_bigint_in_x86-64_perl.patch \ | 37 | file://crypto_use_bigint_in_x86-64_perl.patch \ |
38 | file://CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch \ | 38 | file://CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch \ |
39 | file://CVE-2015-3194-1-Add-PSS-parameter-check.patch \ | ||
40 | file://0001-Add-test-for-CVE-2015-3194.patch \ | ||
39 | " | 41 | " |
40 | 42 | ||
41 | SRC_URI[md5sum] = "38dd619b2e77cbac69b99f52a053d25a" | 43 | SRC_URI[md5sum] = "38dd619b2e77cbac69b99f52a053d25a" |