aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster808@gmail.com>2016-01-29 14:57:07 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-01-30 12:08:37 +0000
commitb387d9b8dff8e2c572ca14f9628ab8298347fd4f (patch)
tree9f75b3dd7dd99a5a1e42ce65d1b30622d7e16601
parent3e89477c8ad980fabd13694fa72a0be2e354bbe2 (diff)
downloadopenembedded-core-contrib-b387d9b8dff8e2c572ca14f9628ab8298347fd4f.tar.gz
openssl: Security fix CVE-2015-3197
CVE-2015-3197 OpenSSL: SSLv2 doesn't block disabled ciphers Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch63
-rw-r--r--meta/recipes-connectivity/openssl/openssl_1.0.2d.bb1
2 files changed, 64 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch
new file mode 100644
index 0000000000..dd288c93fb
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch
@@ -0,0 +1,63 @@
+From d81a1600588b726c2bdccda7efad3cc7a87d6245 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <openssl-users@dukhovni.org>
+Date: Wed, 30 Dec 2015 22:44:51 -0500
+Subject: [PATCH] Better SSLv2 cipher-suite enforcement
+
+Based on patch by: Nimrod Aviram <nimrod.aviram@gmail.com>
+
+CVE-2015-3197
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+
+Upstream-Status: Backport
+https://github.com/openssl/openssl/commit/d81a1600588b726c2bdccda7efad3cc7a87d6245
+
+CVE: CVE-2015-3197
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ssl/s2_srvr.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+Index: openssl-1.0.2d/ssl/s2_srvr.c
+===================================================================
+--- openssl-1.0.2d.orig/ssl/s2_srvr.c
++++ openssl-1.0.2d/ssl/s2_srvr.c
+@@ -402,7 +402,7 @@ static int get_client_master_key(SSL *s)
+ }
+
+ cp = ssl2_get_cipher_by_char(p);
+- if (cp == NULL) {
++ if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0) {
+ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
+ return (-1);
+@@ -687,8 +687,12 @@ static int get_client_hello(SSL *s)
+ prio = cs;
+ allow = cl;
+ }
++
++ /* Generate list of SSLv2 ciphers shared between client and server */
+ for (z = 0; z < sk_SSL_CIPHER_num(prio); z++) {
+- if (sk_SSL_CIPHER_find(allow, sk_SSL_CIPHER_value(prio, z)) < 0) {
++ const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z);
++ if ((cp->algorithm_ssl & SSL_SSLV2) == 0 ||
++ sk_SSL_CIPHER_find(allow, cp) < 0) {
+ (void)sk_SSL_CIPHER_delete(prio, z);
+ z--;
+ }
+@@ -697,6 +701,13 @@ static int get_client_hello(SSL *s)
+ sk_SSL_CIPHER_free(s->session->ciphers);
+ s->session->ciphers = prio;
+ }
++
++ /* Make sure we have at least one cipher in common */
++ if (sk_SSL_CIPHER_num(s->session->ciphers) == 0) {
++ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
++ SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH);
++ return -1;
++ }
+ /*
+ * s->session->ciphers should now have a list of ciphers that are on
+ * both the client and server. This list is ordered by the order the
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
index 60d5676126..07bdf4b3b9 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
@@ -41,6 +41,7 @@ SRC_URI += "file://configure-targets.patch \
file://CVE-2015-3194-1-Add-PSS-parameter-check.patch \
file://0001-Add-test-for-CVE-2015-3194.patch \
file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \
+ file://CVE-2015-3197.patch \
"
SRC_URI[md5sum] = "38dd619b2e77cbac69b99f52a053d25a"