author | Armin Kuster <akuster808@gmail.com> | 2016-01-29 14:57:07 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-01-30 12:08:37 +0000 |
commit | b387d9b8dff8e2c572ca14f9628ab8298347fd4f (patch) | |
tree | 9f75b3dd7dd99a5a1e42ce65d1b30622d7e16601 /meta/recipes-connectivity | |
parent | 3e89477c8ad980fabd13694fa72a0be2e354bbe2 (diff) | |
openssl: Security fix CVE-2015-3197
CVE-2015-3197 OpenSSL: SSLv2 doesn't block disabled ciphers
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity')
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch | 63 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl_1.0.2d.bb | 1 |
2 files changed, 64 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch
new file mode 100644
index 0000000000..dd288c93fb
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch
@@ -0,0 +1,63 @@
+From d81a1600588b726c2bdccda7efad3cc7a87d6245 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <openssl-users@dukhovni.org>
+Date: Wed, 30 Dec 2015 22:44:51 -0500
+Subject: [PATCH] Better SSLv2 cipher-suite enforcement
+
+Based on patch by: Nimrod Aviram <nimrod.aviram@gmail.com>
+
+CVE-2015-3197
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+
+Upstream-Status: Backport
+https://github.com/openssl/openssl/commit/d81a1600588b726c2bdccda7efad3cc7a87d6245
+
+CVE: CVE-2015-3197
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ssl/s2_srvr.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+Index: openssl-1.0.2d/ssl/s2_srvr.c
+===================================================================
+--- openssl-1.0.2d.orig/ssl/s2_srvr.c
++++ openssl-1.0.2d/ssl/s2_srvr.c
+@@ -402,7 +402,7 @@ static int get_client_master_key(SSL *s)
+ }
+ 
+ cp = ssl2_get_cipher_by_char(p);
+- if (cp == NULL) {
++ if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0) {
+ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
+ return (-1);
+@@ -687,8 +687,12 @@ static int get_client_hello(SSL *s)
+ prio = cs;
+ allow = cl;
+ }
++
++ /* Generate list of SSLv2 ciphers shared between client and server */
+ for (z = 0; z < sk_SSL_CIPHER_num(prio); z++) {
+- if (sk_SSL_CIPHER_find(allow, sk_SSL_CIPHER_value(prio, z)) < 0) {
++ const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z);
++ if ((cp->algorithm_ssl & SSL_SSLV2) == 0 ||
++ sk_SSL_CIPHER_find(allow, cp) < 0) {
+ (void)sk_SSL_CIPHER_delete(prio, z);
+ z--;
+ }
+@@ -697,6 +701,13 @@ static int get_client_hello(SSL *s)
+ sk_SSL_CIPHER_free(s->session->ciphers);
+ s->session->ciphers = prio;
+ }
++
++ /* Make sure we have at least one cipher in common */
++ if (sk_SSL_CIPHER_num(s->session->ciphers) == 0) {
++ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
++ SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH);
++ return -1;
++ }
+ /*
+ * s->session->ciphers should now have a list of ciphers that are on
+ * both the client and server. This list is ordered by the order the
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
index 60d5676126..07bdf4b3b9 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
@@ -41,6 +41,7 @@ SRC_URI += "file://configure-targets.patch \
 file://CVE-2015-3194-1-Add-PSS-parameter-check.patch \
 file://0001-Add-test-for-CVE-2015-3194.patch \
 file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \
+ file://CVE-2015-3197.patch \
 "
 
 SRC_URI[md5sum] = "38dd619b2e77cbac69b99f52a053d25a"
|
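Review bot: The new "at least one cipher in common" guard in the get_client_hello hunk, `if (sk_SSL_CIPHER_num(s->session->ciphers) == 0)`, is placed after the closing brace of the block that assigns `s->session->ciphers = prio`, and that block opens outside the hunk, so the guard also runs on paths that reach it without having rebuilt the list; as far as I recall OpenSSL's `sk_num()` returns -1 for a NULL stack, so the `== 0` test would let a NULL list through rather than reject it. Presumably such paths are already refused earlier in get_client_hello, but writing the guard as `if (sk_SSL_CIPHER_num(s->session->ciphers) <= 0) {` makes it fail closed in either case at no cost. The companion check added in get_client_master_key, `sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0`, already fails closed for a NULL list because `sk_find()` returns -1 there, so the two guards would then agree. Both enclosing functions start and end outside the hunk, and the backport's Upstream-Status and commit URL trailers are correctly carried in the patch header.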