2 files changed, 76 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch
new file mode 100644
index 0000000000..64508b57c2
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch
@@ -0,0 +1,75 @@
+From ea39b16b71e4e72a228a4535bd6d6a02c5edbc1f Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 9 Sep 2016 10:08:45 +0100
+Subject: [PATCH] Fix OCSP Status Request extension unbounded memory growth
+A malicious client can send an excessively large OCSP Status Request
+extension. If that client continually requests renegotiation,
+sending a large OCSP Status Request extension each time, then there will
+be unbounded memory growth on the server. This will eventually lead to a
+Denial Of Service attack through memory exhaustion. Servers with a
+default configuration are vulnerable even if they do not support OCSP.
+Builds using the "no-ocsp" build time option are not affected.
+I have also checked other extensions to see if they suffer from a similar
+problem but I could not find any other issues.
+CVE-2016-6304
+Issue reported by Shi Lei.
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+Upstream-Status: Backport
+CVE: CVE-2016-6304
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ssl/t1_lib.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index fbcf2e6..e4b4e27 100644
+--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
+@@ -2316,6 +2316,23 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
+                 size -= 2;
+                 if (dsize > size)
+                     goto err;
+
+                /*
+                 * We remove any OCSP_RESPIDs from a previous handshake
+                 * to prevent unbounded memory growth - CVE-2016-6304
+                 */
+                sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
+                                        OCSP_RESPID_free);
+                if (dsize > 0) {
+                    s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
+                    if (s->tlsext_ocsp_ids == NULL) {
+                        *al = SSL_AD_INTERNAL_ERROR;
+                        return 0;
+                    }
+                } else {
+                    s->tlsext_ocsp_ids = NULL;
+                }
+
+                 while (dsize > 0) {
+                     OCSP_RESPID *id;
+                     int idsize;
+@@ -2335,13 +2352,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
+                         OCSP_RESPID_free(id);
+                         goto err;
+                     }
+-                    if (!s->tlsext_ocsp_ids
+-                        && !(s->tlsext_ocsp_ids =
+-                             sk_OCSP_RESPID_new_null())) {
+-                        OCSP_RESPID_free(id);
+-                        *al = SSL_AD_INTERNAL_ERROR;
+-                        return 0;
+-                    }
+                     if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
+                         OCSP_RESPID_free(id);
+                         *al = SSL_AD_INTERNAL_ERROR;
+-- 
+2.7.4
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
index 2e42e173a2..a12f59d18a 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
@@ -47,6 +47,7 @@ SRC_URI += "file://find.pl;subdir=${BP}/util/ \
            file://CVE-2016-2182.patch \
            file://CVE-2016-6302.patch \
            file://CVE-2016-6303.patch \
+            file://CVE-2016-6304.patch \
           "
 SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0"
 SRC_URI[sha256sum] = "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919"

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch new file mode 100644 index 0000000000..64508b57c2 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch
@@ -0,0 +1,75 @@
		1	From ea39b16b71e4e72a228a4535bd6d6a02c5edbc1f Mon Sep 17 00:00:00 2001
		2	From: Matt Caswell <matt@openssl.org>
		3	Date: Fri, 9 Sep 2016 10:08:45 +0100
		4	Subject: [PATCH] Fix OCSP Status Request extension unbounded memory growth
		5
		6	A malicious client can send an excessively large OCSP Status Request
		7	extension. If that client continually requests renegotiation,
		8	sending a large OCSP Status Request extension each time, then there will
		9	be unbounded memory growth on the server. This will eventually lead to a
		10	Denial Of Service attack through memory exhaustion. Servers with a
		11	default configuration are vulnerable even if they do not support OCSP.
		12	Builds using the "no-ocsp" build time option are not affected.
		13
		14	I have also checked other extensions to see if they suffer from a similar
		15	problem but I could not find any other issues.
		16
		17	CVE-2016-6304
		18
		19	Issue reported by Shi Lei.
		20
		21	Reviewed-by: Rich Salz <rsalz@openssl.org>
		22
		23	Upstream-Status: Backport
		24	CVE: CVE-2016-6304
		25	Signed-off-by: Armin Kuster <akuster@mvista.com>
		26
		27	---
		28	ssl/t1_lib.c \| 24 +++++++++++++++++-------
		29	1 file changed, 17 insertions(+), 7 deletions(-)
		30
		31	diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
		32	index fbcf2e6..e4b4e27 100644
		33	--- a/ssl/t1_lib.c
		34	+++ b/ssl/t1_lib.c
		35	@@ -2316,6 +2316,23 @@ static int ssl_scan_clienthello_tlsext(SSL s, unsigned char *p,
		36	size -= 2;
		37	if (dsize > size)
		38	goto err;
		39	+
		40	+ /*
		41	+ * We remove any OCSP_RESPIDs from a previous handshake
		42	+ * to prevent unbounded memory growth - CVE-2016-6304
		43	+ */
		44	+ sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
		45	+ OCSP_RESPID_free);
		46	+ if (dsize > 0) {
		47	+ s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
		48	+ if (s->tlsext_ocsp_ids == NULL) {
		49	+ *al = SSL_AD_INTERNAL_ERROR;
		50	+ return 0;
		51	+ }
		52	+ } else {
		53	+ s->tlsext_ocsp_ids = NULL;
		54	+ }
		55	+
		56	while (dsize > 0) {
		57	OCSP_RESPID *id;
		58	int idsize;
		59	@@ -2335,13 +2352,6 @@ static int ssl_scan_clienthello_tlsext(SSL s, unsigned char *p,
		60	OCSP_RESPID_free(id);
		61	goto err;
		62	}
		63	- if (!s->tlsext_ocsp_ids
		64	- && !(s->tlsext_ocsp_ids =
		65	- sk_OCSP_RESPID_new_null())) {
		66	- OCSP_RESPID_free(id);
		67	- *al = SSL_AD_INTERNAL_ERROR;
		68	- return 0;
		69	- }
		70	if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
		71	OCSP_RESPID_free(id);
		72	*al = SSL_AD_INTERNAL_ERROR;
		73	--
		74	2.7.4
		75


diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb index 2e42e173a2..a12f59d18a 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb
@@ -47,6 +47,7 @@ SRC_URI += "file://find.pl;subdir=${BP}/util/ \
47	file://CVE-2016-2182.patch \	47	file://CVE-2016-2182.patch \
48	file://CVE-2016-6302.patch \	48	file://CVE-2016-6302.patch \
49	file://CVE-2016-6303.patch \	49	file://CVE-2016-6303.patch \
		50	file://CVE-2016-6304.patch \
50	"	51	"
51	SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0"	52	SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0"
52	SRC_URI[sha256sum] = "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919"	53	SRC_URI[sha256sum] = "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919"