diff options
| author | Armin Kuster <akuster808@gmail.com> | 2016-02-06 15:14:46 -0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-02-07 17:23:04 +0000 |
| commit | 1098a7bc0cbf034e74df86a2c24c1e5c8b24a900 (patch) | |
| tree | 610becae336d2566bdd7be89cb039f643e2d16b7 | |
| parent | e6d734904db78af4f3843f22ea4cdc5023eb79ce (diff) | |
| download | poky-1098a7bc0cbf034e74df86a2c24c1e5c8b24a900.tar.gz | |
openssl: Security fix CVE-2015-3197
CVE-2015-3197 OpenSSL: SSLv2 doesn't block disabled ciphers
(From OE-Core rev: b387d9b8dff8e2c572ca14f9628ab8298347fd4f)
(From OE-Core rev: c037cbdac6a0e871a60077703432c08be6d29677)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch | 63 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl_1.0.2d.bb | 1 |
2 files changed, 64 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch new file mode 100644 index 0000000000..dd288c93fb --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch | |||
| @@ -0,0 +1,63 @@ | |||
| 1 | From d81a1600588b726c2bdccda7efad3cc7a87d6245 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Viktor Dukhovni <openssl-users@dukhovni.org> | ||
| 3 | Date: Wed, 30 Dec 2015 22:44:51 -0500 | ||
| 4 | Subject: [PATCH] Better SSLv2 cipher-suite enforcement | ||
| 5 | |||
| 6 | Based on patch by: Nimrod Aviram <nimrod.aviram@gmail.com> | ||
| 7 | |||
| 8 | CVE-2015-3197 | ||
| 9 | |||
| 10 | Reviewed-by: Tim Hudson <tjh@openssl.org> | ||
| 11 | Reviewed-by: Richard Levitte <levitte@openssl.org> | ||
| 12 | |||
| 13 | Upstream-Status: Backport | ||
| 14 | https://github.com/openssl/openssl/commit/d81a1600588b726c2bdccda7efad3cc7a87d6245 | ||
| 15 | |||
| 16 | CVE: CVE-2015-3197 | ||
| 17 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
| 18 | |||
| 19 | --- | ||
| 20 | ssl/s2_srvr.c | 15 +++++++++++++-- | ||
| 21 | 1 file changed, 13 insertions(+), 2 deletions(-) | ||
| 22 | |||
| 23 | Index: openssl-1.0.2d/ssl/s2_srvr.c | ||
| 24 | =================================================================== | ||
| 25 | --- openssl-1.0.2d.orig/ssl/s2_srvr.c | ||
| 26 | +++ openssl-1.0.2d/ssl/s2_srvr.c | ||
| 27 | @@ -402,7 +402,7 @@ static int get_client_master_key(SSL *s) | ||
| 28 | } | ||
| 29 | |||
| 30 | cp = ssl2_get_cipher_by_char(p); | ||
| 31 | - if (cp == NULL) { | ||
| 32 | + if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0) { | ||
| 33 | ssl2_return_error(s, SSL2_PE_NO_CIPHER); | ||
| 34 | SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH); | ||
| 35 | return (-1); | ||
| 36 | @@ -687,8 +687,12 @@ static int get_client_hello(SSL *s) | ||
| 37 | prio = cs; | ||
| 38 | allow = cl; | ||
| 39 | } | ||
| 40 | + | ||
| 41 | + /* Generate list of SSLv2 ciphers shared between client and server */ | ||
| 42 | for (z = 0; z < sk_SSL_CIPHER_num(prio); z++) { | ||
| 43 | - if (sk_SSL_CIPHER_find(allow, sk_SSL_CIPHER_value(prio, z)) < 0) { | ||
| 44 | + const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z); | ||
| 45 | + if ((cp->algorithm_ssl & SSL_SSLV2) == 0 || | ||
| 46 | + sk_SSL_CIPHER_find(allow, cp) < 0) { | ||
| 47 | (void)sk_SSL_CIPHER_delete(prio, z); | ||
| 48 | z--; | ||
| 49 | } | ||
| 50 | @@ -697,6 +701,13 @@ static int get_client_hello(SSL *s) | ||
| 51 | sk_SSL_CIPHER_free(s->session->ciphers); | ||
| 52 | s->session->ciphers = prio; | ||
| 53 | } | ||
| 54 | + | ||
| 55 | + /* Make sure we have at least one cipher in common */ | ||
| 56 | + if (sk_SSL_CIPHER_num(s->session->ciphers) == 0) { | ||
| 57 | + ssl2_return_error(s, SSL2_PE_NO_CIPHER); | ||
| 58 | + SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH); | ||
| 59 | + return -1; | ||
| 60 | + } | ||
| 61 | /* | ||
| 62 | * s->session->ciphers should now have a list of ciphers that are on | ||
| 63 | * both the client and server. This list is ordered by the order the | ||
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb index a4e2f67998..4a96a44d5c 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb | |||
| @@ -39,6 +39,7 @@ SRC_URI += "file://configure-targets.patch \ | |||
| 39 | file://CVE-2015-3194-1-Add-PSS-parameter-check.patch \ | 39 | file://CVE-2015-3194-1-Add-PSS-parameter-check.patch \ |
| 40 | file://0001-Add-test-for-CVE-2015-3194.patch \ | 40 | file://0001-Add-test-for-CVE-2015-3194.patch \ |
| 41 | file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \ | 41 | file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \ |
| 42 | file://CVE-2015-3197.patch \ | ||
| 42 | " | 43 | " |
| 43 | 44 | ||
| 44 | SRC_URI[md5sum] = "38dd619b2e77cbac69b99f52a053d25a" | 45 | SRC_URI[md5sum] = "38dd619b2e77cbac69b99f52a053d25a" |
