12 files changed, 0 insertions, 1032 deletions
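diff --git a/recipes-connectivity/openssl/openssl/CVE-2016-2178.patch b/recipes-connectivity/openssl/openssl/CVE-2016-2178.patch
deleted file mode 100644
index 07b1310..0000000
--- a/recipes-connectivity/openssl/openssl/CVE-2016-2178.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 621eaf49a289bfac26d4cbcdb7396e796784c534 Mon Sep 17 00:00:00 2001
-From: Cesar Pereida <cesar.pereida@aalto.fi>
-Date: Mon, 23 May 2016 12:45:25 +0300
-Subject: [PATCH] Fix DSA, preserve BN_FLG_CONSTTIME
-
-Operations in the DSA signing algorithm should run in constant time in
-order to avoid side channel attacks. A flaw in the OpenSSL DSA
-implementation means that a non-constant time codepath is followed for
-certain operations. This has been demonstrated through a cache-timing
-attack to be sufficient for an attacker to recover the private DSA key.
-
-CVE-2016-2178
-
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-
-Upstream-Status: Backport
-CVE: CVE-2016-2178
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- crypto/dsa/dsa_ossl.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
-index efc4f1b..b29eb4b 100644
---- a/crypto/dsa/dsa_ossl.c
-+++ b/crypto/dsa/dsa_ossl.c
-@@ -248,9 +248,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
- if (!BN_rand_range(&k, dsa->q))
- goto err;
- while (BN_is_zero(&k)) ;
-- if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
-- BN_set_flags(&k, BN_FLG_CONSTTIME);
-- }
-
- if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
- if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
-@@ -279,9 +276,12 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
- }
-
- K = &kq;
-+
-+ BN_set_flags(K, BN_FLG_CONSTTIME);
- } else {
- K = &k;
- }
-+
- DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
- dsa->method_mont_p);
- if (!BN_mod(r, r, dsa->q, ctx))
---
-2.7.4
-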
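diff --git a/recipes-connectivity/openssl/openssl/CVE-2016-2179.patch b/recipes-connectivity/openssl/openssl/CVE-2016-2179.patch
deleted file mode 100644
index 3a80696..0000000
--- a/recipes-connectivity/openssl/openssl/CVE-2016-2179.patch
+++ /dev/null
@@ -1,255 +0,0 @@
-From 26f2c5774f117aea588e8f31fad38bcf14e83bec Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Thu, 30 Jun 2016 13:17:08 +0100
-Subject: [PATCH] Fix DTLS buffered message DoS attack
-
-DTLS can handle out of order record delivery. Additionally since
-handshake messages can be bigger than will fit into a single packet, the
-messages can be fragmented across multiple records (as with normal TLS).
-That means that the messages can arrive mixed up, and we have to
-reassemble them. We keep a queue of buffered messages that are "from the
-future", i.e. messages we're not ready to deal with yet but have arrived
-early. The messages held there may not be full yet - they could be one
-or more fragments that are still in the process of being reassembled.
-
-The code assumes that we will eventually complete the reassembly and
-when that occurs the complete message is removed from the queue at the
-point that we need to use it.
-
-However, DTLS is also tolerant of packet loss. To get around that DTLS
-messages can be retransmitted. If we receive a full (non-fragmented)
-message from the peer after previously having received a fragment of
-that message, then we ignore the message in the queue and just use the
-non-fragmented version. At that point the queued message will never get
-removed.
-
-Additionally the peer could send "future" messages that we never get to
-in order to complete the handshake. Each message has a sequence number
-(starting from 0). We will accept a message fragment for the current
-message sequence number, or for any sequence up to 10 into the future.
-However if the Finished message has a sequence number of 2, anything
-greater than that in the queue is just left there.
-
-So, in those two ways we can end up with "orphaned" data in the queue
-that will never get removed - except when the connection is closed. At
-that point all the queues are flushed.
-
-An attacker could seek to exploit this by filling up the queues with
-lots of large messages that are never going to be used in order to
-attempt a DoS by memory exhaustion.
-
-I will assume that we are only concerned with servers here. It does not
-seem reasonable to be concerned about a memory exhaustion attack on a
-client. They are unlikely to process enough connections for this to be
-an issue.
-
-A "long" handshake with many messages might be 5 messages long (in the
-incoming direction), e.g. ClientHello, Certificate, ClientKeyExchange,
-CertificateVerify, Finished. So this would be message sequence numbers 0
-to 4. Additionally we can buffer up to 10 messages in the future.
-Therefore the maximum number of messages that an attacker could send
-that could get orphaned would typically be 15.
-
-The maximum size that a DTLS message is allowed to be is defined by
-max_cert_list, which by default is 100k. Therefore the maximum amount of
-"orphaned" memory per connection is 1500k.
-
-Message sequence numbers get reset after the Finished message, so
-renegotiation will not extend the maximum number of messages that can be
-orphaned per connection.
-
-As noted above, the queues do get cleared when the connection is closed.
-Therefore in order to mount an effective attack, an attacker would have
-to open many simultaneous connections.
-
-Issue reported by Quan Luo.
-
-CVE-2016-2179
-
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-
-Upstream-Status: Backport
-CVE: CVE-2016-2179
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- ssl/d1_both.c | 32 ++++++++++++++++----------------
- ssl/d1_clnt.c | 1 +
- ssl/d1_lib.c | 37 ++++++++++++++++++++++++++-----------
- ssl/d1_srvr.c | 3 ++-
- ssl/ssl_locl.h | 3 ++-
- 5 files changed, 47 insertions(+), 29 deletions(-)
-
-Index: openssl-1.0.2h/ssl/d1_both.c
-===================================================================
---- openssl-1.0.2h.orig/ssl/d1_both.c
-+++ openssl-1.0.2h/ssl/d1_both.c
-@@ -618,11 +618,23 @@ static int dtls1_retrieve_buffered_fragm
- int al;
-
- *ok = 0;
-- item = pqueue_peek(s->d1->buffered_messages);
-- if (item == NULL)
-- return 0;
-+ do {
-+ item = pqueue_peek(s->d1->buffered_messages);
-+ if (item == NULL)
-+ return 0;
-+
-+ frag = (hm_fragment *)item->data;
-+
-+ if (frag->msg_header.seq < s->d1->handshake_read_seq) {
-+ /* This is a stale message that has been buffered so clear it */
-+ pqueue_pop(s->d1->buffered_messages);
-+ dtls1_hm_fragment_free(frag);
-+ pitem_free(item);
-+ item = NULL;
-+ frag = NULL;
-+ }
-+ } while (item == NULL);
-
-- frag = (hm_fragment *)item->data;
-
- /* Don't return if reassembly still in progress */
- if (frag->reassembly != NULL)
-@@ -1296,18 +1308,6 @@ dtls1_retransmit_message(SSL *s, unsigne
- return ret;
- }
-
--/* call this function when the buffered messages are no longer needed */
--void dtls1_clear_record_buffer(SSL *s)
--{
-- pitem *item;
--
-- for (item = pqueue_pop(s->d1->sent_messages);
-- item != NULL; item = pqueue_pop(s->d1->sent_messages)) {
-- dtls1_hm_fragment_free((hm_fragment *)item->data);
-- pitem_free(item);
-- }
--}
--
- unsigned char *dtls1_set_message_header(SSL *s, unsigned char *p,
- unsigned char mt, unsigned long len,
- unsigned long frag_off,
-Index: openssl-1.0.2h/ssl/d1_clnt.c
-===================================================================
---- openssl-1.0.2h.orig/ssl/d1_clnt.c
-+++ openssl-1.0.2h/ssl/d1_clnt.c
-@@ -769,6 +769,7 @@ int dtls1_connect(SSL *s)
- /* done with handshaking */
- s->d1->handshake_read_seq = 0;
- s->d1->next_handshake_write_seq = 0;
-+ dtls1_clear_received_buffer(s);
- goto end;
- /* break; */
-
-Index: openssl-1.0.2h/ssl/d1_lib.c
-===================================================================
---- openssl-1.0.2h.orig/ssl/d1_lib.c
-+++ openssl-1.0.2h/ssl/d1_lib.c
-@@ -170,7 +170,6 @@ int dtls1_new(SSL *s)
- static void dtls1_clear_queues(SSL *s)
- {
- pitem *item = NULL;
-- hm_fragment *frag = NULL;
- DTLS1_RECORD_DATA *rdata;
-
- while ((item = pqueue_pop(s->d1->unprocessed_rcds.q)) != NULL) {
-@@ -191,28 +190,44 @@ static void dtls1_clear_queues(SSL *s)
- pitem_free(item);
- }
-
-+ while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) {
-+ rdata = (DTLS1_RECORD_DATA *)item->data;
-+ if (rdata->rbuf.buf) {
-+ OPENSSL_free(rdata->rbuf.buf);
-+ }
-+ OPENSSL_free(item->data);
-+ pitem_free(item);
-+ }
-+
-+ dtls1_clear_received_buffer(s);
-+ dtls1_clear_sent_buffer(s);
-+}
-+
-+void dtls1_clear_received_buffer(SSL *s)
-+{
-+ pitem *item = NULL;
-+ hm_fragment *frag = NULL;
-+
- while ((item = pqueue_pop(s->d1->buffered_messages)) != NULL) {
- frag = (hm_fragment *)item->data;
- dtls1_hm_fragment_free(frag);
- pitem_free(item);
- }
-+}
-+
-+void dtls1_clear_sent_buffer(SSL *s)
-+{
-+ pitem *item = NULL;
-+ hm_fragment *frag = NULL;
-
- while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) {
- frag = (hm_fragment *)item->data;
- dtls1_hm_fragment_free(frag);
- pitem_free(item);
- }
--
-- while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) {
-- rdata = (DTLS1_RECORD_DATA *)item->data;
-- if (rdata->rbuf.buf) {
-- OPENSSL_free(rdata->rbuf.buf);
-- }
-- OPENSSL_free(item->data);
-- pitem_free(item);
-- }
- }
-
-+
- void dtls1_free(SSL *s)
- {
- ssl3_free(s);
-@@ -456,7 +471,7 @@ void dtls1_stop_timer(SSL *s)
- BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
- &(s->d1->next_timeout));
- /* Clear retransmission buffer */
-- dtls1_clear_record_buffer(s);
-+ dtls1_clear_sent_buffer(s);
- }
-
- int dtls1_check_timeout_num(SSL *s)
-Index: openssl-1.0.2h/ssl/d1_srvr.c
-===================================================================
---- openssl-1.0.2h.orig/ssl/d1_srvr.c
-+++ openssl-1.0.2h/ssl/d1_srvr.c
-@@ -313,7 +313,7 @@ int dtls1_accept(SSL *s)
- case SSL3_ST_SW_HELLO_REQ_B:
-
- s->shutdown = 0;
-- dtls1_clear_record_buffer(s);
-+ dtls1_clear_sent_buffer(s);
- dtls1_start_timer(s);
- ret = ssl3_send_hello_request(s);
- if (ret <= 0)
-@@ -894,6 +894,7 @@ int dtls1_accept(SSL *s)
- /* next message is server hello */
- s->d1->handshake_write_seq = 0;
- s->d1->next_handshake_write_seq = 0;
-+ dtls1_clear_received_buffer(s);
- goto end;
- /* break; */
-
-Index: openssl-1.0.2h/ssl/ssl_locl.h
-===================================================================
---- openssl-1.0.2h.orig/ssl/ssl_locl.h
-+++ openssl-1.0.2h/ssl/ssl_locl.h
-@@ -1242,7 +1242,8 @@ int dtls1_retransmit_message(SSL *s, uns
- unsigned long frag_off, int *found);
- int dtls1_get_queue_priority(unsigned short seq, int is_ccs);
- int dtls1_retransmit_buffered_messages(SSL *s);
--void dtls1_clear_record_buffer(SSL *s);
-+void dtls1_clear_received_buffer(SSL *s);
-+void dtls1_clear_sent_buffer(SSL *s);
- void dtls1_get_message_header(unsigned char *data,
- struct hm_header_st *msg_hdr);
- void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr);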
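diff --git a/recipes-connectivity/openssl/openssl/CVE-2016-2180.patch b/recipes-connectivity/openssl/openssl/CVE-2016-2180.patch
deleted file mode 100644
index c71aaa5..0000000
--- a/recipes-connectivity/openssl/openssl/CVE-2016-2180.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From b746aa3fe05b5b5f7126df247ac3eceeb995e2a0 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve@openssl.org>
-Date: Thu, 21 Jul 2016 15:24:16 +0100
-Subject: [PATCH] Fix OOB read in TS_OBJ_print_bio().
-
-TS_OBJ_print_bio() misuses OBJ_txt2obj: it should print the result
-as a null terminated buffer. The length value returned is the total
-length the complete text reprsentation would need not the amount of
-data written.
-
-CVE-2016-2180
-
-Thanks to Shi Lei for reporting this bug.
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(cherry picked from commit 0ed26acce328ec16a3aa635f1ca37365e8c7403a)
-
-Upstream-Status: Backport
-CVE: CVE-2016-2180
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- crypto/ts/ts_lib.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/ts/ts_lib.c b/crypto/ts/ts_lib.c
-index c51538a..e0f1063 100644
---- a/crypto/ts/ts_lib.c
-+++ b/crypto/ts/ts_lib.c
-@@ -90,9 +90,8 @@ int TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj)
- {
- char obj_txt[128];
-
-- int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
-- BIO_write(bio, obj_txt, len);
-- BIO_write(bio, "\n", 1);
-+ OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
-+ BIO_printf(bio, "%s\n", obj_txt);
-
- return 1;
- }
---
-2.7.4
-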
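diff --git a/recipes-connectivity/openssl/openssl/CVE-2016-2181_p1.patch b/recipes-connectivity/openssl/openssl/CVE-2016-2181_p1.patch
deleted file mode 100644
index 9149dbe..0000000
--- a/recipes-connectivity/openssl/openssl/CVE-2016-2181_p1.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 20744f6b40b5ded059a848f66d6ba922f2a62eb3 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 5 Jul 2016 11:46:26 +0100
-Subject: [PATCH] Fix DTLS unprocessed records bug
-
-During a DTLS handshake we may get records destined for the next epoch
-arrive before we have processed the CCS. In that case we can't decrypt or
-verify the record yet, so we buffer it for later use. When we do receive
-the CCS we work through the queue of unprocessed records and process them.
-
-Unfortunately the act of processing wipes out any existing packet data
-that we were still working through. This includes any records from the new
-epoch that were in the same packet as the CCS. We should only process the
-buffered records if we've not got any data left.
-
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-
-Upstream-Status: Backport
-CVE: CVE-2016-2180 patch 1
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- ssl/d1_pkt.c | 23 +++++++++++++++++++++--
- 1 file changed, 21 insertions(+), 2 deletions(-)
-
-diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
-index fe30ec7..1fb119d 100644
---- a/ssl/d1_pkt.c
-+++ b/ssl/d1_pkt.c
-@@ -319,6 +319,7 @@ static int dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue)
- static int dtls1_process_buffered_records(SSL *s)
- {
- pitem *item;
-+ SSL3_BUFFER *rb;
-
- item = pqueue_peek(s->d1->unprocessed_rcds.q);
- if (item) {
-@@ -326,6 +327,19 @@ static int dtls1_process_buffered_records(SSL *s)
- if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
- return (1); /* Nothing to do. */
-
-+ rb = &s->s3->rbuf;
-+
-+ if (rb->left > 0) {
-+ /*
-+ * We've still got data from the current packet to read. There could
-+ * be a record from the new epoch in it - so don't overwrite it
-+ * with the unprocessed records yet (we'll do it when we've
-+ * finished reading the current packet).
-+ */
-+ return 1;
-+ }
-+
-+
- /* Process all the records. */
- while (pqueue_peek(s->d1->unprocessed_rcds.q)) {
- dtls1_get_unprocessed_record(s);
-@@ -581,6 +595,7 @@ int dtls1_get_record(SSL *s)
-
- rr = &(s->s3->rrec);
-
-+ again:
- /*
- * The epoch may have changed. If so, process all the pending records.
- * This is a non-blocking operation.
-@@ -593,7 +608,6 @@ int dtls1_get_record(SSL *s)
- return 1;
-
- /* get something from the wire */
-- again:
- /* check if we have the header */
- if ((s->rstate != SSL_ST_READ_BODY) ||
- (s->packet_length < DTLS1_RT_HEADER_LENGTH)) {
-@@ -1830,8 +1844,13 @@ static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
- if (rr->epoch == s->d1->r_epoch)
- return &s->d1->bitmap;
-
-- /* Only HM and ALERT messages can be from the next epoch */
-+ /*
-+ * Only HM and ALERT messages can be from the next epoch and only if we
-+ * have already processed all of the unprocessed records from the last
-+ * epoch
-+ */
- else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) &&
-+ s->d1->unprocessed_rcds.epoch != s->d1->r_epoch &&
- (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) {
- *is_next_epoch = 1;
- return &s->d1->next_bitmap;
---
-2.7.4
-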
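diff --git a/recipes-connectivity/openssl/openssl/CVE-2016-2181_p2.patch b/recipes-connectivity/openssl/openssl/CVE-2016-2181_p2.patch
deleted file mode 100644
index ecf138a..0000000
--- a/recipes-connectivity/openssl/openssl/CVE-2016-2181_p2.patch
+++ /dev/null
@@ -1,239 +0,0 @@
-From 3884b47b7c255c2e94d9b387ee83c7e8bb981258 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 5 Jul 2016 12:04:37 +0100
-Subject: [PATCH] Fix DTLS replay protection
-
-The DTLS implementation provides some protection against replay attacks
-in accordance with RFC6347 section 4.1.2.6.
-
-A sliding "window" of valid record sequence numbers is maintained with
-the "right" hand edge of the window set to the highest sequence number we
-have received so far. Records that arrive that are off the "left" hand
-edge of the window are rejected. Records within the window are checked
-against a list of records received so far. If we already received it then
-we also reject the new record.
-
-If we have not already received the record, or the sequence number is off
-the right hand edge of the window then we verify the MAC of the record.
-If MAC verification fails then we discard the record. Otherwise we mark
-the record as received. If the sequence number was off the right hand edge
-of the window, then we slide the window along so that the right hand edge
-is in line with the newly received sequence number.
-
-Records may arrive for future epochs, i.e. a record from after a CCS being
-sent, can arrive before the CCS does if the packets get re-ordered. As we
-have not yet received the CCS we are not yet in a position to decrypt or
-validate the MAC of those records. OpenSSL places those records on an
-unprocessed records queue. It additionally updates the window immediately,
-even though we have not yet verified the MAC. This will only occur if
-currently in a handshake/renegotiation.
-
-This could be exploited by an attacker by sending a record for the next
-epoch (which does not have to decrypt or have a valid MAC), with a very
-large sequence number. This means the right hand edge of the window is
-moved very far to the right, and all subsequent legitimate packets are
-dropped causing a denial of service.
-
-A similar effect can be achieved during the initial handshake. In this
-case there is no MAC key negotiated yet. Therefore an attacker can send a
-message for the current epoch with a very large sequence number. The code
-will process the record as normal. If the hanshake message sequence number
-(as opposed to the record sequence number that we have been talking about
-so far) is in the future then the injected message is bufferred to be
-handled later, but the window is still updated. Therefore all subsequent
-legitimate handshake records are dropped. This aspect is not considered a
-security issue because there are many ways for an attacker to disrupt the
-initial handshake and prevent it from completing successfully (e.g.
-injection of a handshake message will cause the Finished MAC to fail and
-the handshake to be aborted). This issue comes about as a result of trying
-to do replay protection, but having no integrity mechanism in place yet.
-Does it even make sense to have replay protection in epoch 0? That
-issue isn't addressed here though.
-
-This addressed an OCAP Audit issue.
-
-CVE-2016-2181
-
-Upstream-Status: Backport
-CVE: CVE-2016-2181 patch2
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
-
-Reviewed-by: Richard Levitte <levitte@openssl.org>
----
- ssl/d1_pkt.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++------------
- ssl/ssl.h | 1 +
- ssl/ssl_err.c | 4 +++-
- 3 files changed, 52 insertions(+), 13 deletions(-)
-
-Index: openssl-1.0.2h/ssl/d1_pkt.c
-===================================================================
---- openssl-1.0.2h.orig/ssl/d1_pkt.c
-+++ openssl-1.0.2h/ssl/d1_pkt.c
-@@ -194,7 +194,7 @@ static int dtls1_record_needs_buffering(
- #endif
- static int dtls1_buffer_record(SSL *s, record_pqueue *q,
- unsigned char *priority);
--static int dtls1_process_record(SSL *s);
-+static int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap);
-
- /* copy buffered record into SSL structure */
- static int dtls1_copy_record(SSL *s, pitem *item)
-@@ -320,13 +320,18 @@ static int dtls1_process_buffered_record
- {
- pitem *item;
- SSL3_BUFFER *rb;
-+ SSL3_RECORD *rr;
-+ DTLS1_BITMAP *bitmap;
-+ unsigned int is_next_epoch;
-+ int replayok = 1;
-
- item = pqueue_peek(s->d1->unprocessed_rcds.q);
- if (item) {
- /* Check if epoch is current. */
- if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
-- return (1); /* Nothing to do. */
-+ return 1; /* Nothing to do. */
-
-+ rr = &s->s3->rrec;
- rb = &s->s3->rbuf;
-
- if (rb->left > 0) {
-@@ -343,11 +348,41 @@ static int dtls1_process_buffered_record
- /* Process all the records. */
- while (pqueue_peek(s->d1->unprocessed_rcds.q)) {
- dtls1_get_unprocessed_record(s);
-- if (!dtls1_process_record(s))
-- return (0);
-+ bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
-+ if (bitmap == NULL) {
-+ /*
-+ * Should not happen. This will only ever be NULL when the
-+ * current record is from a different epoch. But that cannot
-+ * be the case because we already checked the epoch above
-+ */
-+ SSLerr(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS,
-+ ERR_R_INTERNAL_ERROR);
-+ return 0;
-+ }
-+#ifndef OPENSSL_NO_SCTP
-+ /* Only do replay check if no SCTP bio */
-+ if (!BIO_dgram_is_sctp(SSL_get_rbio(s)))
-+#endif
-+ {
-+ /*
-+ * Check whether this is a repeat, or aged record. We did this
-+ * check once already when we first received the record - but
-+ * we might have updated the window since then due to
-+ * records we subsequently processed.
-+ */
-+ replayok = dtls1_record_replay_check(s, bitmap);
-+ }
-+
-+ if (!replayok || !dtls1_process_record(s, bitmap)) {
-+ /* dump this record */
-+ rr->length = 0;
-+ s->packet_length = 0;
-+ continue;
-+ }
-+
- if (dtls1_buffer_record(s, &(s->d1->processed_rcds),
- s->s3->rrec.seq_num) < 0)
-- return -1;
-+ return 0;
- }
- }
-
-@@ -358,7 +393,7 @@ static int dtls1_process_buffered_record
- s->d1->processed_rcds.epoch = s->d1->r_epoch;
- s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1;
-
-- return (1);
-+ return 1;
- }
-
- #if 0
-@@ -405,7 +440,7 @@ static int dtls1_get_buffered_record(SSL
-
- #endif
-
--static int dtls1_process_record(SSL *s)
-+static int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
- {
- int i, al;
- int enc_err;
-@@ -565,6 +600,10 @@ static int dtls1_process_record(SSL *s)
-
- /* we have pulled in a full packet so zero things */
- s->packet_length = 0;
-+
-+ /* Mark receipt of record. */
-+ dtls1_record_bitmap_update(s, bitmap);
-+
- return (1);
-
- f_err:
-@@ -600,7 +639,7 @@ int dtls1_get_record(SSL *s)
- * The epoch may have changed. If so, process all the pending records.
- * This is a non-blocking operation.
- */
-- if (dtls1_process_buffered_records(s) < 0)
-+ if (!dtls1_process_buffered_records(s))
- return -1;
-
- /* if we're renegotiating, then there may be buffered records */
-@@ -735,20 +774,17 @@ int dtls1_get_record(SSL *s)
- if (dtls1_buffer_record
- (s, &(s->d1->unprocessed_rcds), rr->seq_num) < 0)
- return -1;
-- /* Mark receipt of record. */
-- dtls1_record_bitmap_update(s, bitmap);
- }
- rr->length = 0;
- s->packet_length = 0;
- goto again;
- }
-
-- if (!dtls1_process_record(s)) {
-+ if (!dtls1_process_record(s, bitmap)) {
- rr->length = 0;
- s->packet_length = 0; /* dump this record */
- goto again; /* get another record */
- }
-- dtls1_record_bitmap_update(s, bitmap); /* Mark receipt of record. */
-
- return (1);
-
-Index: openssl-1.0.2h/ssl/ssl.h
-===================================================================
---- openssl-1.0.2h.orig/ssl/ssl.h
-+++ openssl-1.0.2h/ssl/ssl.h
-@@ -2623,6 +2623,7 @@ void ERR_load_SSL_strings(void);
- # define SSL_F_DTLS1_HEARTBEAT 305
- # define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255
- # define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288
-+# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS 404
- # define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256
- # define SSL_F_DTLS1_PROCESS_RECORD 257
- # define SSL_F_DTLS1_READ_BYTES 258
-Index: openssl-1.0.2h/ssl/ssl_err.c
-===================================================================
---- openssl-1.0.2h.orig/ssl/ssl_err.c
-+++ openssl-1.0.2h/ssl/ssl_err.c
-@@ -1,6 +1,6 @@
- /* ssl/ssl_err.c */
- /* ====================================================================
-- * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved.
-+ * Copyright (c) 1999-2016 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
-@@ -93,6 +93,8 @@ static ERR_STRING_DATA SSL_str_functs[]
- {ERR_FUNC(SSL_F_DTLS1_HEARTBEAT), "dtls1_heartbeat"},
- {ERR_FUNC(SSL_F_DTLS1_OUTPUT_CERT_CHAIN), "dtls1_output_cert_chain"},
- {ERR_FUNC(SSL_F_DTLS1_PREPROCESS_FRAGMENT), "DTLS1_PREPROCESS_FRAGMENT"},
-+ {ERR_FUNC(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS),
-+ "DTLS1_PROCESS_BUFFERED_RECORDS"},
- {ERR_FUNC(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE),
- "DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE"},
- {ERR_FUNC(SSL_F_DTLS1_PROCESS_RECORD), "DTLS1_PROCESS_RECORD"},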
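--- a/recipes-connectivity/openssl/openssl/CVE-2016-2181_p3.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 26aebca74e38ae09f673c2045cc8e2ef762d265a Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Wed, 17 Aug 2016 17:55:36 +0100
-Subject: [PATCH] Update function error code
-
-A function error code needed updating due to merge issues.
-
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-
-Upstream-Status: Backport
-CVE: CVE-2016-2181 patch 3
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
-ssl/ssl.h | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: openssl-1.0.2h/ssl/ssl.h
-===================================================================
---- openssl-1.0.2h.orig/ssl/ssl.h
-+++ openssl-1.0.2h/ssl/ssl.h
-@@ -2623,7 +2623,7 @@ void ERR_load_SSL_strings(void);
-# define SSL_F_DTLS1_HEARTBEAT 305
-# define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255
-# define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288
--# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS 404
-+# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS 424
-# define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256
-# define SSL_F_DTLS1_PROCESS_RECORD 257
-# define SSL_F_DTLS1_READ_BYTES 258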
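--- a/recipes-connectivity/openssl/openssl/CVE-2016-2182.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From e36f27ddb80a48e579783bc29fb3758988342b71 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve@openssl.org>
-Date: Fri, 5 Aug 2016 14:26:03 +0100
-Subject: [PATCH] Check for errors in BN_bn2dec()
-
-If an oversize BIGNUM is presented to BN_bn2dec() it can cause
-BN_div_word() to fail and not reduce the value of 't' resulting
-in OOB writes to the bn_data buffer and eventually crashing.
-
-Fix by checking return value of BN_div_word() and checking writes
-don't overflow buffer.
-
-Thanks to Shi Lei for reporting this bug.
-
-CVE-2016-2182
-
-Reviewed-by: Tim Hudson <tjh@openssl.org>
-(cherry picked from commit 07bed46f332fce8c1d157689a2cdf915a982ae34)
-
-Conflicts:
-crypto/bn/bn_print.c
-
-Upstream-Status: Backport
-CVE: CVE-2016-2182
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
-crypto/bn/bn_print.c | 11 ++++++++---
-1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
-index bfa31ef..b44403e 100644
---- a/crypto/bn/bn_print.c
-+++ b/crypto/bn/bn_print.c
-@@ -111,6 +111,7 @@ char *BN_bn2dec(const BIGNUM *a)
-char *p;
-BIGNUM *t = NULL;
-BN_ULONG *bn_data = NULL, *lp;
-+ int bn_data_num;
-
-/*-
-* get an upper bound for the length of the decimal integer
-@@ -120,9 +121,9 @@ char *BN_bn2dec(const BIGNUM *a)
-*/
-i = BN_num_bits(a) * 3;
-num = (i / 10 + i / 1000 + 1) + 1;
-- bn_data =
-- (BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG));
-- buf = (char *)OPENSSL_malloc(num + 3);
-+ bn_data_num = num / BN_DEC_NUM + 1;
-+ bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));
-+ buf = OPENSSL_malloc(num + 3);
-if ((buf == NULL) || (bn_data == NULL)) {
-BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
-goto err;
-@@ -143,7 +144,11 @@ char *BN_bn2dec(const BIGNUM *a)
-i = 0;
-while (!BN_is_zero(t)) {
-*lp = BN_div_word(t, BN_DEC_CONV);
-+ if (*lp == (BN_ULONG)-1)
-+ goto err;
-lp++;
-+ if (lp - bn_data >= bn_data_num)
-+ goto err;
-}
-lp--;
-/*
---
-2.7.4
-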
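--- a/recipes-connectivity/openssl/openssl/CVE-2016-6302.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From baaabfd8fdcec04a691695fad9a664bea43202b6 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve@openssl.org>
-Date: Tue, 23 Aug 2016 18:14:54 +0100
-Subject: [PATCH] Sanity check ticket length.
-
-If a ticket callback changes the HMAC digest to SHA512 the existing
-sanity checks are not sufficient and an attacker could perform a DoS
-attack with a malformed ticket. Add additional checks based on
-HMAC size.
-
-Thanks to Shi Lei for reporting this bug.
-
-CVE-2016-6302
-
-Reviewed-by: Rich Salz <rsalz@openssl.org>
-
-Upstream-Status: Backport
-CVE: CVE-2016-6302
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
-ssl/t1_lib.c | 11 ++++++++---
-1 file changed, 8 insertions(+), 3 deletions(-)
-
-Index: openssl-1.0.2h/ssl/t1_lib.c
-===================================================================
---- openssl-1.0.2h.orig/ssl/t1_lib.c
-+++ openssl-1.0.2h/ssl/t1_lib.c
-@@ -3397,9 +3397,7 @@ static int tls_decrypt_ticket(SSL *s, co
-HMAC_CTX hctx;
-EVP_CIPHER_CTX ctx;
-SSL_CTX *tctx = s->initial_ctx;
-- /* Need at least keyname + iv + some encrypted data */
-- if (eticklen < 48)
-- return 2;
-+
-/* Initialize session ticket encryption and HMAC contexts */
-HMAC_CTX_init(&hctx);
-EVP_CIPHER_CTX_init(&ctx);
-@@ -3433,6 +3431,13 @@ static int tls_decrypt_ticket(SSL *s, co
-if (mlen < 0) {
-goto err;
-}
-+ /* Sanity check ticket length: must exceed keyname + IV + HMAC */
-+ if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) {
-+ HMAC_CTX_cleanup(&hctx);
-+ EVP_CIPHER_CTX_cleanup(&ctx);
-+ return 2;
-+ }
-+
-eticklen -= mlen;
-/* Check HMAC of encrypted ticket */
-if (HMAC_Update(&hctx, etick, eticklen) <= 0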
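--- a/recipes-connectivity/openssl/openssl/CVE-2016-6303.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 1027ad4f34c30b8585592764b9a670ba36888269 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve@openssl.org>
-Date: Fri, 19 Aug 2016 23:28:29 +0100
-Subject: [PATCH] Avoid overflow in MDC2_Update()
-
-Thanks to Shi Lei for reporting this issue.
-
-CVE-2016-6303
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(cherry picked from commit 55d83bf7c10c7b205fffa23fa7c3977491e56c07)
-
-Upstream-Status: Backport
-CVE: CVE-2016-6303
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
-crypto/mdc2/mdc2dgst.c | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/crypto/mdc2/mdc2dgst.c b/crypto/mdc2/mdc2dgst.c
-index 6615cf8..2dce493 100644
---- a/crypto/mdc2/mdc2dgst.c
-+++ b/crypto/mdc2/mdc2dgst.c
-@@ -91,7 +91,7 @@ int MDC2_Update(MDC2_CTX *c, const unsigned char *in, size_t len)
-
-i = c->num;
-if (i != 0) {
-- if (i + len < MDC2_BLOCK) {
-+ if (len < MDC2_BLOCK - i) {
-/* partial block */
-memcpy(&(c->data[i]), in, len);
-c->num += (int)len;
---
-2.7.4
-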
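--- a/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From ea39b16b71e4e72a228a4535bd6d6a02c5edbc1f Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 9 Sep 2016 10:08:45 +0100
-Subject: [PATCH] Fix OCSP Status Request extension unbounded memory growth
-
-A malicious client can send an excessively large OCSP Status Request
-extension. If that client continually requests renegotiation,
-sending a large OCSP Status Request extension each time, then there will
-be unbounded memory growth on the server. This will eventually lead to a
-Denial Of Service attack through memory exhaustion. Servers with a
-default configuration are vulnerable even if they do not support OCSP.
-Builds using the "no-ocsp" build time option are not affected.
-
-I have also checked other extensions to see if they suffer from a similar
-problem but I could not find any other issues.
-
-CVE-2016-6304
-
-Issue reported by Shi Lei.
-
-Reviewed-by: Rich Salz <rsalz@openssl.org>
-
-Upstream-Status: Backport
-CVE: CVE-2016-6304
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
-ssl/t1_lib.c | 24 +++++++++++++++++-------
-1 file changed, 17 insertions(+), 7 deletions(-)
-
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index fbcf2e6..e4b4e27 100644
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -2316,6 +2316,23 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
-size -= 2;
-if (dsize > size)
-goto err;
-+
-+ /*
-+ * We remove any OCSP_RESPIDs from a previous handshake
-+ * to prevent unbounded memory growth - CVE-2016-6304
-+ */
-+ sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
-+ OCSP_RESPID_free);
-+ if (dsize > 0) {
-+ s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
-+ if (s->tlsext_ocsp_ids == NULL) {
-+ *al = SSL_AD_INTERNAL_ERROR;
-+ return 0;
-+ }
-+ } else {
-+ s->tlsext_ocsp_ids = NULL;
-+ }
-+
-while (dsize > 0) {
-OCSP_RESPID *id;
-int idsize;
-@@ -2335,13 +2352,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
-OCSP_RESPID_free(id);
-goto err;
-}
-- if (!s->tlsext_ocsp_ids
-- && !(s->tlsext_ocsp_ids =
-- sk_OCSP_RESPID_new_null())) {
-- OCSP_RESPID_free(id);
-- *al = SSL_AD_INTERNAL_ERROR;
-- return 0;
-- }
-if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
-OCSP_RESPID_free(id);
-*al = SSL_AD_INTERNAL_ERROR;
---
-2.7.4
-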
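--- a/recipes-connectivity/openssl/openssl/CVE-2016-6306.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From ff553f837172ecb2b5c8eca257ec3c5619a4b299 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve@openssl.org>
-Date: Sat, 17 Sep 2016 12:36:58 +0100
-Subject: [PATCH] Fix small OOB reads.
-
-In ssl3_get_client_certificate, ssl3_get_server_certificate and
-ssl3_get_certificate_request check we have enough room
-before reading a length.
-
-Thanks to Shi Lei (Gear Team, Qihoo 360 Inc.) for reporting these bugs.
-
-CVE-2016-6306
-
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-
-Upstream-Status: Backport
-CVE: CVE-2016-6306
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
-ssl/s3_clnt.c | 11 +++++++++++
-ssl/s3_srvr.c | 6 ++++++
-2 files changed, 17 insertions(+)
-
-Index: openssl-1.0.2h/ssl/s3_clnt.c
-===================================================================
---- openssl-1.0.2h.orig/ssl/s3_clnt.c
-+++ openssl-1.0.2h/ssl/s3_clnt.c
-@@ -1216,6 +1216,12 @@ int ssl3_get_server_certificate(SSL *s)
-goto f_err;
-}
-for (nc = 0; nc < llen;) {
-+ if (nc + 3 > llen) {
-+ al = SSL_AD_DECODE_ERROR;
-+ SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
-+ SSL_R_CERT_LENGTH_MISMATCH);
-+ goto f_err;
-+ }
-n2l3(p, l);
-if ((l + nc + 3) > llen) {
-al = SSL_AD_DECODE_ERROR;
-@@ -2167,6 +2173,11 @@ int ssl3_get_certificate_request(SSL *s)
-}
-
-for (nc = 0; nc < llen;) {
-+ if (nc + 2 > llen) {
-+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-+ SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
-+ goto err;
-+ }
-n2s(p, l);
-if ((l + nc + 2) > llen) {
-if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
-Index: openssl-1.0.2h/ssl/s3_srvr.c
-===================================================================
---- openssl-1.0.2h.orig/ssl/s3_srvr.c
-+++ openssl-1.0.2h/ssl/s3_srvr.c
-@@ -3213,6 +3213,12 @@ int ssl3_get_client_certificate(SSL *s)
-goto f_err;
-}
-for (nc = 0; nc < llen;) {
-+ if (nc + 3 > llen) {
-+ al = SSL_AD_DECODE_ERROR;
-+ SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
-+ SSL_R_CERT_LENGTH_MISMATCH);
-+ goto f_err;
-+ }
-n2l3(p, l);
-if ((l + nc + 3) > llen) {
-al = SSL_AD_DECODE_ERROR;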
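--- a/recipes-connectivity/openssl/openssl_1.0.2h.bbappend
+++ /dev/null
@@ -1,14 +0,0 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
-SRC_URI += "file://CVE-2016-2178.patch \
-file://CVE-2016-2179.patch \
-file://CVE-2016-2180.patch \
-file://CVE-2016-2181_p1.patch \
-file://CVE-2016-2181_p2.patch \
-file://CVE-2016-2181_p3.patch \
-file://CVE-2016-2182.patch \
-file://CVE-2016-6302.patch \
-file://CVE-2016-6303.patch \
-file://CVE-2016-6304.patch \
-file://CVE-2016-6306.patch \
-"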
