2 files changed, 212 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-fix-CVE-2014-3513.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-fix-CVE-2014-3513.patch
new file mode 100644
index 0000000000..a93bf23451
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-fix-CVE-2014-3513.patch
@@ -0,0 +1,211 @@
+From 2b0532f3984324ebe1236a63d15893792384328d Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Wed, 15 Oct 2014 01:20:38 +0100
+Subject: [PATCH] Fix for SRTP Memory Leak
+CVE-2014-3513
+This issue was reported to OpenSSL on 26th September 2014, based on an origi
+issue and patch developed by the LibreSSL project. Further analysis of the i
+was performed by the OpenSSL team.
+The fix was developed by the OpenSSL team.
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com>
+---
+ ssl/d1_srtp.c |   93 +++++++++++++++++++--------------------------------------
+ ssl/t1_lib.c  |    9 +++---
+ 2 files changed, 36 insertions(+), 66 deletions(-)
+diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c
+index ab9c419..535539b 100644
+--- a/ssl/d1_srtp.c
+++ b/ssl/d1_srtp.c
+@@ -168,25 +168,6 @@ static int find_profile_by_name(char *profile_name,
+        return 1;
+        }
+ 
+-static int find_profile_by_num(unsigned profile_num,
+-                              SRTP_PROTECTION_PROFILE **pptr)
+-       {
+-       SRTP_PROTECTION_PROFILE *p;
+-
+-       p=srtp_known_profiles;
+-       while(p->name)
+-               {
+-               if(p->id == profile_num)
+-                       {
+-                       *pptr=p;
+-                       return 0;
+-                       }
+-               p++;
+-               }
+-
+-       return 1;
+-       }
+-
+ static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTECTION_PROFILE) **out)
+        {
+        STACK_OF(SRTP_PROTECTION_PROFILE) *profiles;
+@@ -209,11 +190,19 @@ static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTE
+                if(!find_profile_by_name(ptr,&p,
+                                         col ? col-ptr : (int)strlen(ptr)))
+                        {
+                       if (sk_SRTP_PROTECTION_PROFILE_find(profiles,p) >= 0)
+                               {
+                               SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
+                               sk_SRTP_PROTECTION_PROFILE_free(profiles);
+                               return 1;
+                               }
+
+                        sk_SRTP_PROTECTION_PROFILE_push(profiles,p);
+                        }
+                else
+                        {
+                        SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
+                       sk_SRTP_PROTECTION_PROFILE_free(profiles);
+                        return 1;
+                        }
+ 
+@@ -305,13 +294,12 @@ int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int max
+ 
+ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al)
+        {
+-       SRTP_PROTECTION_PROFILE *cprof,*sprof;
+-       STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0,*srvr;
+       SRTP_PROTECTION_PROFILE *sprof;
+       STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
+         int ct;
+         int mki_len;
+-       int i,j;
+-       int id;
+-       int ret;
+       int i, srtp_pref;
+       unsigned int id;
+ 
+          /* Length value + the MKI length */
+         if(len < 3)
+@@ -341,22 +329,32 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al
+                return 1;
+                }
+ 
+       srvr=SSL_get_srtp_profiles(s);
+       s->srtp_profile = NULL;
+       /* Search all profiles for a match initially */
+       srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
+         
+-       clnt=sk_SRTP_PROTECTION_PROFILE_new_null();
+-
+        while(ct)
+                {
+                n2s(d,id);
+                ct-=2;
+                 len-=2;
+ 
+-               if(!find_profile_by_num(id,&cprof))
+               /*
+                * Only look for match in profiles of higher preference than
+                * current match.
+                * If no profiles have been have been configured then this
+                * does nothing.
+                */
+               for (i = 0; i < srtp_pref; i++)
+                        {
+-                       sk_SRTP_PROTECTION_PROFILE_push(clnt,cprof);
+-                       }
+-               else
+-                       {
+-                       ; /* Ignore */
+                       sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
+                       if (sprof->id == id)
+                               {
+                               s->srtp_profile = sprof;
+                               srtp_pref = i;
+                               break;
+                               }
+                        }
+                }
+ 
+@@ -371,36 +369,7 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al
+                return 1;
+                }
+ 
+-       srvr=SSL_get_srtp_profiles(s);
+-
+-       /* Pick our most preferred profile. If no profiles have been
+-        configured then the outer loop doesn't run 
+-        (sk_SRTP_PROTECTION_PROFILE_num() = -1)
+-        and so we just return without doing anything */
+-       for(i=0;i<sk_SRTP_PROTECTION_PROFILE_num(srvr);i++)
+-               {
+-               sprof=sk_SRTP_PROTECTION_PROFILE_value(srvr,i);
+-
+-               for(j=0;j<sk_SRTP_PROTECTION_PROFILE_num(clnt);j++)
+-                       {
+-                       cprof=sk_SRTP_PROTECTION_PROFILE_value(clnt,j);
+-            
+-                       if(cprof->id==sprof->id)
+-                               {
+-                               s->srtp_profile=sprof;
+-                               *al=0;
+-                               ret=0;
+-                               goto done;
+-                               }
+-                       }
+-               }
+-
+-       ret=0;
+-    
+-done:
+-       if(clnt) sk_SRTP_PROTECTION_PROFILE_free(clnt);
+-
+-       return ret;
+       return 0;
+        }
+ 
+ int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index 022a4fb..12ee3c9 100644
+--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
+@@ -643,7 +643,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
+ #endif
+ 
+ #ifndef OPENSSL_NO_SRTP
+-        if(SSL_get_srtp_profiles(s))
+       if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
+                 {
+                 int el;
+ 
+@@ -806,7 +806,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c
+ #endif
+ 
+ #ifndef OPENSSL_NO_SRTP
+-        if(s->srtp_profile)
+       if(SSL_IS_DTLS(s) && s->srtp_profile)
+                 {
+                 int el;
+ 
+@@ -1444,7 +1444,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
+ 
+                /* session ticket processed earlier */
+ #ifndef OPENSSL_NO_SRTP
+-               else if (type == TLSEXT_TYPE_use_srtp)
+               else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
+                        && type == TLSEXT_TYPE_use_srtp)
+                        {
+                        if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
+                                                              al))
+@@ -1698,7 +1699,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
+                        }
+ #endif
+ #ifndef OPENSSL_NO_SRTP
+-               else if (type == TLSEXT_TYPE_use_srtp)
+               else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
+                        {
+                         if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
+                                                              al))
+-- 
+1.7.9.5
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
index 7623f0d985..82828226fa 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
@@ -45,6 +45,7 @@ SRC_URI += "file://configure-targets.patch \
            file://openssl-1.0.1e-cve-2014-3470.patch \
            file://openssl-CVE-2010-5298.patch \
            file://openssl-fix-CVE-2014-3566.patch \
+            file://openssl-fix-CVE-2014-3513.patch \
           "
 SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c"

diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-fix-CVE-2014-3513.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-fix-CVE-2014-3513.patch new file mode 100644 index 0000000000..a93bf23451 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-fix-CVE-2014-3513.patch
@@ -0,0 +1,211 @@
		1	From 2b0532f3984324ebe1236a63d15893792384328d Mon Sep 17 00:00:00 2001
		2	From: Matt Caswell <matt@openssl.org>
		3	Date: Wed, 15 Oct 2014 01:20:38 +0100
		4	Subject: [PATCH] Fix for SRTP Memory Leak
		5
		6	CVE-2014-3513
		7
		8	This issue was reported to OpenSSL on 26th September 2014, based on an origi
		9	issue and patch developed by the LibreSSL project. Further analysis of the i
		10	was performed by the OpenSSL team.
		11
		12	The fix was developed by the OpenSSL team.
		13
		14	Reviewed-by: Tim Hudson <tjh@openssl.org>
		15	Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com>
		16	---
		17	ssl/d1_srtp.c \| 93 +++++++++++++++++++--------------------------------------
		18	ssl/t1_lib.c \| 9 +++---
		19	2 files changed, 36 insertions(+), 66 deletions(-)
		20
		21	diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c
		22	index ab9c419..535539b 100644
		23	--- a/ssl/d1_srtp.c
		24	+++ b/ssl/d1_srtp.c
		25	@@ -168,25 +168,6 @@ static int find_profile_by_name(char *profile_name,
		26	return 1;
		27	}
		28
		29	-static int find_profile_by_num(unsigned profile_num,
		30	- SRTP_PROTECTION_PROFILE **pptr)
		31	- {
		32	- SRTP_PROTECTION_PROFILE *p;
		33	-
		34	- p=srtp_known_profiles;
		35	- while(p->name)
		36	- {
		37	- if(p->id == profile_num)
		38	- {
		39	- *pptr=p;
		40	- return 0;
		41	- }
		42	- p++;
		43	- }
		44	-
		45	- return 1;
		46	- }
		47	-
		48	static int ssl_ctx_make_profiles(const char profiles_string,STACK_OF(SRTP_PROTECTION_PROFILE) *out)
		49	{
		50	STACK_OF(SRTP_PROTECTION_PROFILE) *profiles;
		51	@@ -209,11 +190,19 @@ static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTE
		52	if(!find_profile_by_name(ptr,&p,
		53	col ? col-ptr : (int)strlen(ptr)))
		54	{
		55	+ if (sk_SRTP_PROTECTION_PROFILE_find(profiles,p) >= 0)
		56	+ {
		57	+ SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
		58	+ sk_SRTP_PROTECTION_PROFILE_free(profiles);
		59	+ return 1;
		60	+ }
		61	+
		62	sk_SRTP_PROTECTION_PROFILE_push(profiles,p);
		63	}
		64	else
		65	{
		66	SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
		67	+ sk_SRTP_PROTECTION_PROFILE_free(profiles);
		68	return 1;
		69	}
		70
		71	@@ -305,13 +294,12 @@ int ssl_add_clienthello_use_srtp_ext(SSL s, unsigned char p, int *len, int max
		72
		73	int ssl_parse_clienthello_use_srtp_ext(SSL s, unsigned char d, int len,int *al)
		74	{
		75	- SRTP_PROTECTION_PROFILE cprof,sprof;
		76	- STACK_OF(SRTP_PROTECTION_PROFILE) clnt=0,srvr;
		77	+ SRTP_PROTECTION_PROFILE *sprof;
		78	+ STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
		79	int ct;
		80	int mki_len;
		81	- int i,j;
		82	- int id;
		83	- int ret;
		84	+ int i, srtp_pref;
		85	+ unsigned int id;
		86
		87	/* Length value + the MKI length */
		88	if(len < 3)
		89	@@ -341,22 +329,32 @@ int ssl_parse_clienthello_use_srtp_ext(SSL s, unsigned char d, int len,int *al
		90	return 1;
		91	}
		92
		93	+ srvr=SSL_get_srtp_profiles(s);
		94	+ s->srtp_profile = NULL;
		95	+ /* Search all profiles for a match initially */
		96	+ srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
		97
		98	- clnt=sk_SRTP_PROTECTION_PROFILE_new_null();
		99	-
		100	while(ct)
		101	{
		102	n2s(d,id);
		103	ct-=2;
		104	len-=2;
		105
		106	- if(!find_profile_by_num(id,&cprof))
		107	+ /*
		108	+ * Only look for match in profiles of higher preference than
		109	+ * current match.
		110	+ * If no profiles have been have been configured then this
		111	+ * does nothing.
		112	+ */
		113	+ for (i = 0; i < srtp_pref; i++)
		114	{
		115	- sk_SRTP_PROTECTION_PROFILE_push(clnt,cprof);
		116	- }
		117	- else
		118	- {
		119	- ; /* Ignore */
		120	+ sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
		121	+ if (sprof->id == id)
		122	+ {
		123	+ s->srtp_profile = sprof;
		124	+ srtp_pref = i;
		125	+ break;
		126	+ }
		127	}
		128	}
		129
		130	@@ -371,36 +369,7 @@ int ssl_parse_clienthello_use_srtp_ext(SSL s, unsigned char d, int len,int *al
		131	return 1;
		132	}
		133
		134	- srvr=SSL_get_srtp_profiles(s);
		135	-
		136	- /* Pick our most preferred profile. If no profiles have been
		137	- configured then the outer loop doesn't run
		138	- (sk_SRTP_PROTECTION_PROFILE_num() = -1)
		139	- and so we just return without doing anything */
		140	- for(i=0;i<sk_SRTP_PROTECTION_PROFILE_num(srvr);i++)
		141	- {
		142	- sprof=sk_SRTP_PROTECTION_PROFILE_value(srvr,i);
		143	-
		144	- for(j=0;j<sk_SRTP_PROTECTION_PROFILE_num(clnt);j++)
		145	- {
		146	- cprof=sk_SRTP_PROTECTION_PROFILE_value(clnt,j);
		147	-
		148	- if(cprof->id==sprof->id)
		149	- {
		150	- s->srtp_profile=sprof;
		151	- *al=0;
		152	- ret=0;
		153	- goto done;
		154	- }
		155	- }
		156	- }
		157	-
		158	- ret=0;
		159	-
		160	-done:
		161	- if(clnt) sk_SRTP_PROTECTION_PROFILE_free(clnt);
		162	-
		163	- return ret;
		164	+ return 0;
		165	}
		166
		167	int ssl_add_serverhello_use_srtp_ext(SSL s, unsigned char p, int *len, int maxlen)
		168	diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
		169	index 022a4fb..12ee3c9 100644
		170	--- a/ssl/t1_lib.c
		171	+++ b/ssl/t1_lib.c
		172	@@ -643,7 +643,7 @@ unsigned char ssl_add_clienthello_tlsext(SSL s, unsigned char *buf, unsigned c
		173	#endif
		174
		175	#ifndef OPENSSL_NO_SRTP
		176	- if(SSL_get_srtp_profiles(s))
		177	+ if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
		178	{
		179	int el;
		180
		181	@@ -806,7 +806,7 @@ unsigned char ssl_add_serverhello_tlsext(SSL s, unsigned char *buf, unsigned c
		182	#endif
		183
		184	#ifndef OPENSSL_NO_SRTP
		185	- if(s->srtp_profile)
		186	+ if(SSL_IS_DTLS(s) && s->srtp_profile)
		187	{
		188	int el;
		189
		190	@@ -1444,7 +1444,8 @@ int ssl_parse_clienthello_tlsext(SSL s, unsigned char p, unsigned char d, in
		191
		192	/* session ticket processed earlier */
		193	#ifndef OPENSSL_NO_SRTP
		194	- else if (type == TLSEXT_TYPE_use_srtp)
		195	+ else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
		196	+ && type == TLSEXT_TYPE_use_srtp)
		197	{
		198	if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
		199	al))
		200	@@ -1698,7 +1699,7 @@ int ssl_parse_serverhello_tlsext(SSL s, unsigned char p, unsigned char d, in
		201	}
		202	#endif
		203	#ifndef OPENSSL_NO_SRTP
		204	- else if (type == TLSEXT_TYPE_use_srtp)
		205	+ else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
		206	{
		207	if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
		208	al))
		209	--
		210	1.7.9.5
		211


diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb index 7623f0d985..82828226fa 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
@@ -45,6 +45,7 @@ SRC_URI += "file://configure-targets.patch \
45	file://openssl-1.0.1e-cve-2014-3470.patch \	45	file://openssl-1.0.1e-cve-2014-3470.patch \
46	file://openssl-CVE-2010-5298.patch \	46	file://openssl-CVE-2010-5298.patch \
47	file://openssl-fix-CVE-2014-3566.patch \	47	file://openssl-fix-CVE-2014-3566.patch \
		48	file://openssl-fix-CVE-2014-3513.patch \
48	"	49	"
49		50
50	SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c"	51	SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c"