From 165fa6ce6213ab2b9610732a4926496b78ca4038 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Sat, 6 Feb 2016 15:14:47 -0800 Subject: openssl: Security fix CVE-2016-0701 CVE-2016-0701 OpenSSL: DH small subgroups (From OE-Core rev: c5868a7cd0a28c5800dfa4be1c9d98d3de08cd12) (From OE-Core rev: 5e73d0e88c28ca1e948f5c463b9d9d1001251a42) Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie --- .../openssl/openssl/CVE-2016-0701_1.patch | 102 +++++++++++++++++++++ 1 file changed, 102 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_1.patch (limited to 'meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_1.patch') diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_1.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_1.patch new file mode 100644 index 0000000000..cf2d9a7b04 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_1.patch @@ -0,0 +1,102 @@ +From 878e2c5b13010329c203f309ed0c8f2113f85648 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Mon, 18 Jan 2016 11:31:58 +0000 +Subject: [PATCH] Prevent small subgroup attacks on DH/DHE + +Historically OpenSSL only ever generated DH parameters based on "safe" +primes. More recently (in version 1.0.2) support was provided for +generating X9.42 style parameter files such as those required for RFC +5114 support. The primes used in such files may not be "safe". Where an +application is using DH configured with parameters based on primes that +are not "safe" then an attacker could use this fact to find a peer's +private DH exponent. This attack requires that the attacker complete +multiple handshakes in which the peer uses the same DH exponent. + +A simple mitigation is to ensure that y^q (mod p) == 1 + +CVE-2016-0701 (fix part 1 of 2) + +Issue reported by Antonio Sanso. + +Reviewed-by: Viktor Dukhovni + +Upstream-Status: Backport + +https://github.com/openssl/openssl/commit/878e2c5b13010329c203f309ed0c8f2113f85648 + +CVE: CVE-2016-0701 +Signed-of-by: Armin Kuster + +--- + crypto/dh/dh.h | 1 + + crypto/dh/dh_check.c | 35 +++++++++++++++++++++++++---------- + 2 files changed, 26 insertions(+), 10 deletions(-) + +diff --git a/crypto/dh/dh.h b/crypto/dh/dh.h +index b177673..5498a9d 100644 +--- a/crypto/dh/dh.h ++++ b/crypto/dh/dh.h +@@ -174,6 +174,7 @@ struct dh_st { + /* DH_check_pub_key error codes */ + # define DH_CHECK_PUBKEY_TOO_SMALL 0x01 + # define DH_CHECK_PUBKEY_TOO_LARGE 0x02 ++# define DH_CHECK_PUBKEY_INVALID 0x03 + + /* + * primes p where (p-1)/2 is prime too are called "safe"; we define this for +diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c +index 347467c..5adedc0 100644 +--- a/crypto/dh/dh_check.c ++++ b/crypto/dh/dh_check.c +@@ -151,23 +151,38 @@ int DH_check(const DH *dh, int *ret) + int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) + { + int ok = 0; +- BIGNUM *q = NULL; ++ BIGNUM *tmp = NULL; ++ BN_CTX *ctx = NULL; + + *ret = 0; +- q = BN_new(); +- if (q == NULL) ++ ctx = BN_CTX_new(); ++ if (ctx == NULL) + goto err; +- BN_set_word(q, 1); +- if (BN_cmp(pub_key, q) <= 0) ++ BN_CTX_start(ctx); ++ tmp = BN_CTX_get(ctx); ++ if (tmp == NULL) ++ goto err; ++ BN_set_word(tmp, 1); ++ if (BN_cmp(pub_key, tmp) <= 0) + *ret |= DH_CHECK_PUBKEY_TOO_SMALL; +- BN_copy(q, dh->p); +- BN_sub_word(q, 1); +- if (BN_cmp(pub_key, q) >= 0) ++ BN_copy(tmp, dh->p); ++ BN_sub_word(tmp, 1); ++ if (BN_cmp(pub_key, tmp) >= 0) + *ret |= DH_CHECK_PUBKEY_TOO_LARGE; + ++ if (dh->q != NULL) { ++ /* Check pub_key^q == 1 mod p */ ++ if (!BN_mod_exp(tmp, pub_key, dh->q, dh->p, ctx)) ++ goto err; ++ if (!BN_is_one(tmp)) ++ *ret |= DH_CHECK_PUBKEY_INVALID; ++ } ++ + ok = 1; + err: +- if (q != NULL) +- BN_free(q); ++ if (ctx != NULL) { ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); ++ } + return (ok); + } +-- +2.3.5 + -- cgit v1.2.3-54-g00ecf