diff options
| author | Armin Kuster <akuster808@gmail.com> | 2016-02-06 15:14:47 -0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-02-07 17:23:04 +0000 |
| commit | 165fa6ce6213ab2b9610732a4926496b78ca4038 (patch) | |
| tree | 9a5870a31692f5f7fb2ff0a657bb482bd00f91a5 | |
| parent | 1098a7bc0cbf034e74df86a2c24c1e5c8b24a900 (diff) | |
| download | poky-165fa6ce6213ab2b9610732a4926496b78ca4038.tar.gz | |
openssl: Security fix CVE-2016-0701
CVE-2016-0701 OpenSSL: DH small subgroups
(From OE-Core rev: c5868a7cd0a28c5800dfa4be1c9d98d3de08cd12)
(From OE-Core rev: 5e73d0e88c28ca1e948f5c463b9d9d1001251a42)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
3 files changed, 260 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_1.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_1.patch new file mode 100644 index 0000000000..cf2d9a7b04 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_1.patch | |||
| @@ -0,0 +1,102 @@ | |||
| 1 | From 878e2c5b13010329c203f309ed0c8f2113f85648 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Matt Caswell <matt@openssl.org> | ||
| 3 | Date: Mon, 18 Jan 2016 11:31:58 +0000 | ||
| 4 | Subject: [PATCH] Prevent small subgroup attacks on DH/DHE | ||
| 5 | |||
| 6 | Historically OpenSSL only ever generated DH parameters based on "safe" | ||
| 7 | primes. More recently (in version 1.0.2) support was provided for | ||
| 8 | generating X9.42 style parameter files such as those required for RFC | ||
| 9 | 5114 support. The primes used in such files may not be "safe". Where an | ||
| 10 | application is using DH configured with parameters based on primes that | ||
| 11 | are not "safe" then an attacker could use this fact to find a peer's | ||
| 12 | private DH exponent. This attack requires that the attacker complete | ||
| 13 | multiple handshakes in which the peer uses the same DH exponent. | ||
| 14 | |||
| 15 | A simple mitigation is to ensure that y^q (mod p) == 1 | ||
| 16 | |||
| 17 | CVE-2016-0701 (fix part 1 of 2) | ||
| 18 | |||
| 19 | Issue reported by Antonio Sanso. | ||
| 20 | |||
| 21 | Reviewed-by: Viktor Dukhovni <viktor@openssl.org> | ||
| 22 | |||
| 23 | Upstream-Status: Backport | ||
| 24 | |||
| 25 | https://github.com/openssl/openssl/commit/878e2c5b13010329c203f309ed0c8f2113f85648 | ||
| 26 | |||
| 27 | CVE: CVE-2016-0701 | ||
| 28 | Signed-of-by: Armin Kuster <akuster@mvisa.com> | ||
| 29 | |||
| 30 | --- | ||
| 31 | crypto/dh/dh.h | 1 + | ||
| 32 | crypto/dh/dh_check.c | 35 +++++++++++++++++++++++++---------- | ||
| 33 | 2 files changed, 26 insertions(+), 10 deletions(-) | ||
| 34 | |||
| 35 | diff --git a/crypto/dh/dh.h b/crypto/dh/dh.h | ||
| 36 | index b177673..5498a9d 100644 | ||
| 37 | --- a/crypto/dh/dh.h | ||
| 38 | +++ b/crypto/dh/dh.h | ||
| 39 | @@ -174,6 +174,7 @@ struct dh_st { | ||
| 40 | /* DH_check_pub_key error codes */ | ||
| 41 | # define DH_CHECK_PUBKEY_TOO_SMALL 0x01 | ||
| 42 | # define DH_CHECK_PUBKEY_TOO_LARGE 0x02 | ||
| 43 | +# define DH_CHECK_PUBKEY_INVALID 0x03 | ||
| 44 | |||
| 45 | /* | ||
| 46 | * primes p where (p-1)/2 is prime too are called "safe"; we define this for | ||
| 47 | diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c | ||
| 48 | index 347467c..5adedc0 100644 | ||
| 49 | --- a/crypto/dh/dh_check.c | ||
| 50 | +++ b/crypto/dh/dh_check.c | ||
| 51 | @@ -151,23 +151,38 @@ int DH_check(const DH *dh, int *ret) | ||
| 52 | int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) | ||
| 53 | { | ||
| 54 | int ok = 0; | ||
| 55 | - BIGNUM *q = NULL; | ||
| 56 | + BIGNUM *tmp = NULL; | ||
| 57 | + BN_CTX *ctx = NULL; | ||
| 58 | |||
| 59 | *ret = 0; | ||
| 60 | - q = BN_new(); | ||
| 61 | - if (q == NULL) | ||
| 62 | + ctx = BN_CTX_new(); | ||
| 63 | + if (ctx == NULL) | ||
| 64 | goto err; | ||
| 65 | - BN_set_word(q, 1); | ||
| 66 | - if (BN_cmp(pub_key, q) <= 0) | ||
| 67 | + BN_CTX_start(ctx); | ||
| 68 | + tmp = BN_CTX_get(ctx); | ||
| 69 | + if (tmp == NULL) | ||
| 70 | + goto err; | ||
| 71 | + BN_set_word(tmp, 1); | ||
| 72 | + if (BN_cmp(pub_key, tmp) <= 0) | ||
| 73 | *ret |= DH_CHECK_PUBKEY_TOO_SMALL; | ||
| 74 | - BN_copy(q, dh->p); | ||
| 75 | - BN_sub_word(q, 1); | ||
| 76 | - if (BN_cmp(pub_key, q) >= 0) | ||
| 77 | + BN_copy(tmp, dh->p); | ||
| 78 | + BN_sub_word(tmp, 1); | ||
| 79 | + if (BN_cmp(pub_key, tmp) >= 0) | ||
| 80 | *ret |= DH_CHECK_PUBKEY_TOO_LARGE; | ||
| 81 | |||
| 82 | + if (dh->q != NULL) { | ||
| 83 | + /* Check pub_key^q == 1 mod p */ | ||
| 84 | + if (!BN_mod_exp(tmp, pub_key, dh->q, dh->p, ctx)) | ||
| 85 | + goto err; | ||
| 86 | + if (!BN_is_one(tmp)) | ||
| 87 | + *ret |= DH_CHECK_PUBKEY_INVALID; | ||
| 88 | + } | ||
| 89 | + | ||
| 90 | ok = 1; | ||
| 91 | err: | ||
| 92 | - if (q != NULL) | ||
| 93 | - BN_free(q); | ||
| 94 | + if (ctx != NULL) { | ||
| 95 | + BN_CTX_end(ctx); | ||
| 96 | + BN_CTX_free(ctx); | ||
| 97 | + } | ||
| 98 | return (ok); | ||
| 99 | } | ||
| 100 | -- | ||
| 101 | 2.3.5 | ||
| 102 | |||
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_2.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_2.patch new file mode 100644 index 0000000000..05caf0a99e --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_2.patch | |||
| @@ -0,0 +1,156 @@ | |||
| 1 | From c5b831f21d0d29d1e517d139d9d101763f60c9a2 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Matt Caswell <matt@openssl.org> | ||
| 3 | Date: Thu, 17 Dec 2015 02:57:20 +0000 | ||
| 4 | Subject: [PATCH] Always generate DH keys for ephemeral DH cipher suites | ||
| 5 | |||
| 6 | Modified version of the commit ffaef3f15 in the master branch by Stephen | ||
| 7 | Henson. This makes the SSL_OP_SINGLE_DH_USE option a no-op and always | ||
| 8 | generates a new DH key for every handshake regardless. | ||
| 9 | |||
| 10 | CVE-2016-0701 (fix part 2 or 2) | ||
| 11 | |||
| 12 | Issue reported by Antonio Sanso | ||
| 13 | |||
| 14 | Reviewed-by: Viktor Dukhovni <viktor@openssl.org> | ||
| 15 | |||
| 16 | Upstream-Status: Backport | ||
| 17 | |||
| 18 | https://github.com/openssl/openssl/commit/c5b831f21d0d29d1e517d139d9d101763f60c9a2 | ||
| 19 | |||
| 20 | CVE: CVE-2016-0701 #2 | ||
| 21 | Signed-of-by: Armin Kuster <akuster@mvisa.com> | ||
| 22 | |||
| 23 | --- | ||
| 24 | doc/ssl/SSL_CTX_set_tmp_dh_callback.pod | 29 +++++------------------------ | ||
| 25 | ssl/s3_lib.c | 14 -------------- | ||
| 26 | ssl/s3_srvr.c | 17 +++-------------- | ||
| 27 | ssl/ssl.h | 2 +- | ||
| 28 | 4 files changed, 9 insertions(+), 53 deletions(-) | ||
| 29 | |||
| 30 | Index: openssl-1.0.2d/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod | ||
| 31 | =================================================================== | ||
| 32 | --- openssl-1.0.2d.orig/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod | ||
| 33 | +++ openssl-1.0.2d/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod | ||
| 34 | @@ -48,25 +48,8 @@ even if he gets hold of the normal (cert | ||
| 35 | only used for signing. | ||
| 36 | |||
| 37 | In order to perform a DH key exchange the server must use a DH group | ||
| 38 | -(DH parameters) and generate a DH key. | ||
| 39 | -The server will always generate a new DH key during the negotiation | ||
| 40 | -if either the DH parameters are supplied via callback or the | ||
| 41 | -SSL_OP_SINGLE_DH_USE option of SSL_CTX_set_options(3) is set (or both). | ||
| 42 | -It will immediately create a DH key if DH parameters are supplied via | ||
| 43 | -SSL_CTX_set_tmp_dh() and SSL_OP_SINGLE_DH_USE is not set. | ||
| 44 | -In this case, | ||
| 45 | -it may happen that a key is generated on initialization without later | ||
| 46 | -being needed, while on the other hand the computer time during the | ||
| 47 | -negotiation is being saved. | ||
| 48 | - | ||
| 49 | -If "strong" primes were used to generate the DH parameters, it is not strictly | ||
| 50 | -necessary to generate a new key for each handshake but it does improve forward | ||
| 51 | -secrecy. If it is not assured that "strong" primes were used, | ||
| 52 | -SSL_OP_SINGLE_DH_USE must be used in order to prevent small subgroup | ||
| 53 | -attacks. Always using SSL_OP_SINGLE_DH_USE has an impact on the | ||
| 54 | -computer time needed during negotiation, but it is not very large, so | ||
| 55 | -application authors/users should consider always enabling this option. | ||
| 56 | -The option is required to implement perfect forward secrecy (PFS). | ||
| 57 | +(DH parameters) and generate a DH key. The server will always generate | ||
| 58 | +a new DH key during the negotiation. | ||
| 59 | |||
| 60 | As generating DH parameters is extremely time consuming, an application | ||
| 61 | should not generate the parameters on the fly but supply the parameters. | ||
| 62 | @@ -93,10 +76,9 @@ can supply the DH parameters via a callb | ||
| 63 | Previous versions of the callback used B<is_export> and B<keylength> | ||
| 64 | parameters to control parameter generation for export and non-export | ||
| 65 | cipher suites. Modern servers that do not support export ciphersuites | ||
| 66 | -are advised to either use SSL_CTX_set_tmp_dh() in combination with | ||
| 67 | -SSL_OP_SINGLE_DH_USE, or alternatively, use the callback but ignore | ||
| 68 | -B<keylength> and B<is_export> and simply supply at least 2048-bit | ||
| 69 | -parameters in the callback. | ||
| 70 | +are advised to either use SSL_CTX_set_tmp_dh() or alternatively, use | ||
| 71 | +the callback but ignore B<keylength> and B<is_export> and simply | ||
| 72 | +supply at least 2048-bit parameters in the callback. | ||
| 73 | |||
| 74 | =head1 EXAMPLES | ||
| 75 | |||
| 76 | @@ -128,7 +110,6 @@ partly left out.) | ||
| 77 | if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1) { | ||
| 78 | /* Error. */ | ||
| 79 | } | ||
| 80 | - SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE); | ||
| 81 | ... | ||
| 82 | |||
| 83 | =head1 RETURN VALUES | ||
| 84 | Index: openssl-1.0.2d/ssl/s3_lib.c | ||
| 85 | =================================================================== | ||
| 86 | --- openssl-1.0.2d.orig/ssl/s3_lib.c | ||
| 87 | +++ openssl-1.0.2d/ssl/s3_lib.c | ||
| 88 | @@ -3206,13 +3206,6 @@ long ssl3_ctrl(SSL *s, int cmd, long lar | ||
| 89 | SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); | ||
| 90 | return (ret); | ||
| 91 | } | ||
| 92 | - if (!(s->options & SSL_OP_SINGLE_DH_USE)) { | ||
| 93 | - if (!DH_generate_key(dh)) { | ||
| 94 | - DH_free(dh); | ||
| 95 | - SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); | ||
| 96 | - return (ret); | ||
| 97 | - } | ||
| 98 | - } | ||
| 99 | if (s->cert->dh_tmp != NULL) | ||
| 100 | DH_free(s->cert->dh_tmp); | ||
| 101 | s->cert->dh_tmp = dh; | ||
| 102 | @@ -3710,13 +3703,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd | ||
| 103 | SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_DH_LIB); | ||
| 104 | return 0; | ||
| 105 | } | ||
| 106 | - if (!(ctx->options & SSL_OP_SINGLE_DH_USE)) { | ||
| 107 | - if (!DH_generate_key(new)) { | ||
| 108 | - SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_DH_LIB); | ||
| 109 | - DH_free(new); | ||
| 110 | - return 0; | ||
| 111 | - } | ||
| 112 | - } | ||
| 113 | if (cert->dh_tmp != NULL) | ||
| 114 | DH_free(cert->dh_tmp); | ||
| 115 | cert->dh_tmp = new; | ||
| 116 | Index: openssl-1.0.2d/ssl/s3_srvr.c | ||
| 117 | =================================================================== | ||
| 118 | --- openssl-1.0.2d.orig/ssl/s3_srvr.c | ||
| 119 | +++ openssl-1.0.2d/ssl/s3_srvr.c | ||
| 120 | @@ -1684,20 +1684,9 @@ int ssl3_send_server_key_exchange(SSL *s | ||
| 121 | } | ||
| 122 | |||
| 123 | s->s3->tmp.dh = dh; | ||
| 124 | - if ((dhp->pub_key == NULL || | ||
| 125 | - dhp->priv_key == NULL || | ||
| 126 | - (s->options & SSL_OP_SINGLE_DH_USE))) { | ||
| 127 | - if (!DH_generate_key(dh)) { | ||
| 128 | - SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB); | ||
| 129 | - goto err; | ||
| 130 | - } | ||
| 131 | - } else { | ||
| 132 | - dh->pub_key = BN_dup(dhp->pub_key); | ||
| 133 | - dh->priv_key = BN_dup(dhp->priv_key); | ||
| 134 | - if ((dh->pub_key == NULL) || (dh->priv_key == NULL)) { | ||
| 135 | - SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB); | ||
| 136 | - goto err; | ||
| 137 | - } | ||
| 138 | + if (!DH_generate_key(dh)) { | ||
| 139 | + SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB); | ||
| 140 | + goto err; | ||
| 141 | } | ||
| 142 | r[0] = dh->p; | ||
| 143 | r[1] = dh->g; | ||
| 144 | Index: openssl-1.0.2d/ssl/ssl.h | ||
| 145 | =================================================================== | ||
| 146 | --- openssl-1.0.2d.orig/ssl/ssl.h | ||
| 147 | +++ openssl-1.0.2d/ssl/ssl.h | ||
| 148 | @@ -625,7 +625,7 @@ struct ssl_session_st { | ||
| 149 | # define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L | ||
| 150 | /* If set, always create a new key when using tmp_ecdh parameters */ | ||
| 151 | # define SSL_OP_SINGLE_ECDH_USE 0x00080000L | ||
| 152 | -/* If set, always create a new key when using tmp_dh parameters */ | ||
| 153 | +/* Does nothing: retained for compatibility */ | ||
| 154 | # define SSL_OP_SINGLE_DH_USE 0x00100000L | ||
| 155 | /* Does nothing: retained for compatibiity */ | ||
| 156 | # define SSL_OP_EPHEMERAL_RSA 0x0 | ||
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb index 4a96a44d5c..726896b825 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb | |||
| @@ -40,6 +40,8 @@ SRC_URI += "file://configure-targets.patch \ | |||
| 40 | file://0001-Add-test-for-CVE-2015-3194.patch \ | 40 | file://0001-Add-test-for-CVE-2015-3194.patch \ |
| 41 | file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \ | 41 | file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \ |
| 42 | file://CVE-2015-3197.patch \ | 42 | file://CVE-2015-3197.patch \ |
| 43 | file://CVE-2016-0701_1.patch \ | ||
| 44 | file://CVE-2016-0701_2.patch \ | ||
| 43 | " | 45 | " |
| 44 | 46 | ||
| 45 | SRC_URI[md5sum] = "38dd619b2e77cbac69b99f52a053d25a" | 47 | SRC_URI[md5sum] = "38dd619b2e77cbac69b99f52a053d25a" |
