-rw-r--r--recipes-connectivity/openssl/openssl/CVE-2021-23839.patch66
-rw-r--r--recipes-connectivity/openssl/openssl/CVE-2021-23840-pre2.patch42
-rw-r--r--recipes-connectivity/openssl/openssl/CVE-2021-23840.patch85
-rw-r--r--recipes-connectivity/openssl/openssl/CVE-2021-23841.patch40
-rw-r--r--recipes-connectivity/openssl/openssl/reproducible-cflags.patch10
-rw-r--r--recipes-connectivity/openssl/openssl_1.0.2u.bb4
6 files changed, 242 insertions, 5 deletions
diff --git a/recipes-connectivity/openssl/openssl/CVE-2021-23839.patch b/recipes-connectivity/openssl/openssl/CVE-2021-23839.patch
new file mode 100644
index 0000000..cc0ff18
--- /dev/null
+++ b/recipes-connectivity/openssl/openssl/CVE-2021-23839.patch
@@ -0,0 +1,66 @@
+From 901f1ef7dacb6b3bde63233a1f623e1fa2f0f058 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 22 Jan 2021 16:38:50 +0000
+Subject: [PATCH] Fix the RSA_SSLV23_PADDING padding type
+
+This also fixes the public function RSA_padding_check_SSLv23.
+
+Commit 6555a89 changed the padding check logic in RSA_padding_check_SSLv23
+so that padding is rejected if the nul delimiter byte is not immediately
+preceded by at least 8 bytes containing 0x03. Prior to that commit the
+padding is rejected if it *is* preceded by at least 8 bytes containing 0x03.
+
+Presumably this change was made to be consistent with what it says in
+appendix E.3 of RFC 5246. Unfortunately that RFC is in error, and the
+original behaviour was correct. This is fixed in later errata issued for
+that RFC.
+
+This has no impact on libssl for modern versions of OpenSSL because
+there is no protocol support for SSLv2 in these versions. However
+applications that call RSA_paddin_check_SSLv23 directly, or use the
+RSA_SSLV23_PADDING mode may still be impacted. The effect of the original
+error is that an RSA message encrypted by an SSLv2 only client will fail to
+be decrypted properly by a TLS capable server, or a message encrypted by a
+TLS capable client will fail to decrypt on an SSLv2 only server. Most
+significantly an RSA message encrypted by a TLS capable client will be
+successfully decrypted by a TLS capable server. This last case should fail
+due to a rollback being detected.
+
+Thanks to D. Katz and Joel Luellwitz (both from Trustwave) for reporting
+this issue.
+
+CVE-2021-23839
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+---
+ crypto/rsa/rsa_ssl.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+Index: openssl-1.0.2u/crypto/rsa/rsa_ssl.c
+===================================================================
+--- openssl-1.0.2u.orig/crypto/rsa/rsa_ssl.c
++++ openssl-1.0.2u/crypto/rsa/rsa_ssl.c
+@@ -104,7 +104,7 @@ int RSA_padding_add_SSLv23(unsigned char
+
+ /*
+ * Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding
+- * if nul delimiter is not preceded by 8 consecutive 0x03 bytes. It also
++ * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also
+ * preserves error code reporting for backward compatibility.
+ */
+ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
+@@ -171,7 +171,13 @@ int RSA_padding_check_SSLv23(unsigned ch
+ RSA_R_NULL_BEFORE_BLOCK_MISSING);
+ mask = ~good;
+
+- good &= constant_time_ge(threes_in_row, 8);
++ /*
++ * Reject if nul delimiter is preceded by 8 consecutive 0x03 bytes. Note
++ * that RFC5246 incorrectly states this the other way around, i.e. reject
++ * if it is not preceded by 8 consecutive 0x03 bytes. However this is
++ * corrected in subsequent errata for that RFC.
++ */
++ good &= constant_time_lt(threes_in_row, 8);
+ err = constant_time_select_int(mask | good, err,
+ RSA_R_SSLV3_ROLLBACK_ATTACK);
+ mask = ~good;
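Review bot: The header of this new patch file carries no `Upstream-Status:` line, no `CVE:` tag and no sign-off from whoever did the backport, and the same is true of CVE-2021-23840-pre2.patch, CVE-2021-23840.patch and CVE-2021-23841.patch added below. reproducible-cflags.patch in this same commit shows the layer already uses `Upstream-Status:`, so I would add `Upstream-Status: Backport [<upstream commit URL>]` and `CVE: CVE-2021-23839` above the `---` separator, with the matching id in the other files. That lets tooling and later reviewers tie each file to its upstream fix without relying on the file name alone. For the three files that begin with `Backport of:`, a line saying where the 1.0.2 adaptation came from would also help anyone auditing what was changed relative to upstream.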
diff --git a/recipes-connectivity/openssl/openssl/CVE-2021-23840-pre2.patch b/recipes-connectivity/openssl/openssl/CVE-2021-23840-pre2.patch
new file mode 100644
index 0000000..5a95f84
--- /dev/null
+++ b/recipes-connectivity/openssl/openssl/CVE-2021-23840-pre2.patch
@@ -0,0 +1,42 @@
+Backport of:
+
+From 4bd0db1feaaf97fbc2bd31f54f1fbdeab80b2b1a Mon Sep 17 00:00:00 2001
+From: Richard Levitte <levitte@openssl.org>
+Date: Sun, 9 Dec 2018 14:20:30 +0100
+Subject: [PATCH] make update
+
+Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
+Reviewed-by: Paul Dale <paul.dale@oracle.com>
+(Merged from https://github.com/openssl/openssl/pull/7852)
+
+(cherry picked from commit f2f734d4f9e34643a1d3e5b79d2447cd643519f8)
+---
+ crypto/err/openssl.txt | 1 +
+ crypto/evp/evp_err.c | 2 ++
+ include/openssl/evperr.h | 1 +
+ 3 files changed, 4 insertions(+)
+
+Index: openssl-1.0.2u/crypto/evp/evp_err.c
+===================================================================
+--- openssl-1.0.2u.orig/crypto/evp/evp_err.c
++++ openssl-1.0.2u/crypto/evp/evp_err.c
+@@ -94,6 +94,7 @@ static ERR_STRING_DATA EVP_str_functs[]
+ {ERR_FUNC(EVP_F_EVP_DECRYPTFINAL_EX), "EVP_DecryptFinal_ex"},
+ {ERR_FUNC(EVP_F_EVP_DECRYPTUPDATE), "EVP_DecryptUpdate"},
+ {ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"},
++ {ERR_FUNC(EVP_F_EVP_ENCRYPTDECRYPTUPDATE), "evp_EncryptDecryptUpdate"},
+ {ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"},
+ {ERR_FUNC(EVP_F_EVP_ENCRYPTUPDATE), "EVP_EncryptUpdate"},
+ {ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"},
+Index: openssl-1.0.2u/crypto/evp/evp.h
+===================================================================
+--- openssl-1.0.2u.orig/crypto/evp/evp.h
++++ openssl-1.0.2u/crypto/evp/evp.h
+@@ -1491,6 +1491,7 @@ void ERR_load_EVP_strings(void);
+ # define EVP_F_EVP_DECRYPTFINAL_EX 101
+ # define EVP_F_EVP_DECRYPTUPDATE 181
+ # define EVP_F_EVP_DIGESTINIT_EX 128
++# define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 219
+ # define EVP_F_EVP_ENCRYPTFINAL_EX 127
+ # define EVP_F_EVP_ENCRYPTUPDATE 180
+ # define EVP_F_EVP_MD_CTX_COPY_EX 110
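Review bot: The embedded diffstat does not describe what this file applies: it lists `crypto/err/openssl.txt` and `include/openssl/evperr.h`, while the two hunks touch `crypto/evp/evp_err.c` and `crypto/evp/evp.h`, and nothing in the header says why a `make update` commit is being carried. I would refresh the diffstat and add a line such as `Prerequisite for CVE-2021-23840.patch: defines EVP_F_EVP_ENCRYPTDECRYPTUPDATE, which that patch passes to EVPerr().` so the ordering in SRC_URI is not reshuffled later. The value `219` presumably comes from a newer branch, and the hunk shows only its neighbours, so it is worth confirming that no other `EVP_F_*` code in the 1.0.2u `evp.h` already uses it.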
diff --git a/recipes-connectivity/openssl/openssl/CVE-2021-23840.patch b/recipes-connectivity/openssl/openssl/CVE-2021-23840.patch
new file mode 100644
index 0000000..a56e292
--- /dev/null
+++ b/recipes-connectivity/openssl/openssl/CVE-2021-23840.patch
@@ -0,0 +1,85 @@
+Backport of:
+
+From 6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 2 Feb 2021 17:17:23 +0000
+Subject: [PATCH] Don't overflow the output length in EVP_CipherUpdate calls
+
+CVE-2021-23840
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+---
+ crypto/err/openssl.txt | 3 ++-
+ crypto/evp/evp_enc.c | 27 +++++++++++++++++++++++++++
+ crypto/evp/evp_err.c | 4 +++-
+ include/openssl/evperr.h | 7 +++----
+ 4 files changed, 35 insertions(+), 6 deletions(-)
+
+Index: openssl-1.0.2u/crypto/evp/evp_enc.c
+===================================================================
+--- openssl-1.0.2u.orig/crypto/evp/evp_enc.c
++++ openssl-1.0.2u/crypto/evp/evp_enc.c
+@@ -357,6 +357,19 @@ static int evp_EncryptDecryptUpdate(EVP_
+ return 1;
+ } else {
+ j = bl - i;
++
++ /*
++ * Once we've processed the first j bytes from in, the amount of
++ * data left that is a multiple of the block length is:
++ * (inl - j) & ~(bl - 1)
++ * We must ensure that this amount of data, plus the one block that
++ * we process from ctx->buf does not exceed INT_MAX
++ */
++ if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) {
++ EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE,
++ EVP_R_OUTPUT_WOULD_OVERFLOW);
++ return 0;
++ }
+ memcpy(&(ctx->buf[i]), in, j);
+ if (!M_do_cipher(ctx, out, ctx->buf, bl))
+ return 0;
+@@ -482,6 +495,19 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct
+ OPENSSL_assert(b <= sizeof(ctx->final));
+
+ if (ctx->final_used) {
++ /*
++ * final_used is only ever set if buf_len is 0. Therefore the maximum
++ * length output we will ever see from evp_EncryptDecryptUpdate is
++ * the maximum multiple of the block length that is <= inl, or just:
++ * inl & ~(b - 1)
++ * Since final_used has been set then the final output length is:
++ * (inl & ~(b - 1)) + b
++ * This must never exceed INT_MAX
++ */
++ if ((inl & ~(b - 1)) > INT_MAX - b) {
++ EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_OUTPUT_WOULD_OVERFLOW);
++ return 0;
++ }
+ memcpy(out, ctx->final, b);
+ out += b;
+ fix_len = 1;
+Index: openssl-1.0.2u/crypto/evp/evp_err.c
+===================================================================
+--- openssl-1.0.2u.orig/crypto/evp/evp_err.c
++++ openssl-1.0.2u/crypto/evp/evp_err.c
+@@ -216,6 +216,7 @@ static ERR_STRING_DATA EVP_str_reasons[]
+ {ERR_REASON(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),
+ "operation not supported for this keytype"},
+ {ERR_REASON(EVP_R_OPERATON_NOT_INITIALIZED), "operaton not initialized"},
++ {ERR_REASON(EVP_R_OUTPUT_WOULD_OVERFLOW), "output would overflow"},
+ {ERR_REASON(EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE),
+ "pkcs8 unknown broken type"},
+ {ERR_REASON(EVP_R_PRIVATE_KEY_DECODE_ERROR), "private key decode error"},
+Index: openssl-1.0.2u/crypto/evp/evp.h
+===================================================================
+--- openssl-1.0.2u.orig/crypto/evp/evp.h
++++ openssl-1.0.2u/crypto/evp/evp.h
+@@ -1603,6 +1603,7 @@ void ERR_load_EVP_strings(void);
+ # define EVP_R_NO_VERIFY_FUNCTION_CONFIGURED 105
+ # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150
+ # define EVP_R_OPERATON_NOT_INITIALIZED 151
++# define EVP_R_OUTPUT_WOULD_OVERFLOW 184
+ # define EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE 117
+ # define EVP_R_PRIVATE_KEY_DECODE_ERROR 145
+ # define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146
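Review bot: The two new checks in `crypto/evp/evp_enc.c` use `INT_MAX`, but no hunk here adds `#include <limits.h>`; the embedded diffstat gives 27 insertions for that file while the two hunks add 26 lines, so one upstream line, probably that include, was dropped in the backport. If 1.0.2u's `evp_enc.c` does not already reach `<limits.h>` through its existing headers the build fails, so either confirm that or carry `#include <limits.h>` explicitly. The diffstat also names `crypto/err/openssl.txt` and `include/openssl/evperr.h`, which this file does not patch, and should be refreshed. Both `evp_EncryptDecryptUpdate` and `EVP_DecryptUpdate` continue outside the hunks, so I cannot tell from here whether `*outl` is already zeroed before the new `return 0` paths; callers that ignore the return value would otherwise read a stale length.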
diff --git a/recipes-connectivity/openssl/openssl/CVE-2021-23841.patch b/recipes-connectivity/openssl/openssl/CVE-2021-23841.patch
new file mode 100644
index 0000000..e6c5022
--- /dev/null
+++ b/recipes-connectivity/openssl/openssl/CVE-2021-23841.patch
@@ -0,0 +1,40 @@
+Backport of:
+
+From 122a19ab48091c657f7cb1fb3af9fc07bd557bbf Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Wed, 10 Feb 2021 16:10:36 +0000
+Subject: [PATCH] Fix Null pointer deref in X509_issuer_and_serial_hash()
+
+The OpenSSL public API function X509_issuer_and_serial_hash() attempts
+to create a unique hash value based on the issuer and serial number data
+contained within an X509 certificate. However it fails to correctly
+handle any errors that may occur while parsing the issuer field (which
+might occur if the issuer field is maliciously constructed). This may
+subsequently result in a NULL pointer deref and a crash leading to a
+potential denial of service attack.
+
+The function X509_issuer_and_serial_hash() is never directly called by
+OpenSSL itself so applications are only vulnerable if they use this
+function directly and they use it on certificates that may have been
+obtained from untrusted sources.
+
+CVE-2021-23841
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+(cherry picked from commit 8130d654d1de922ea224fa18ee3bc7262edc39c0)
+---
+ crypto/x509/x509_cmp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/crypto/x509/x509_cmp.c
++++ b/crypto/x509/x509_cmp.c
+@@ -87,6 +87,8 @@ unsigned long X509_issuer_and_serial_has
+
+ EVP_MD_CTX_init(&ctx);
+ f = X509_NAME_oneline(a->cert_info->issuer, NULL, 0);
++ if (f == NULL)
++ goto err;
+ if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
+ goto err;
+ if (!EVP_DigestUpdate(&ctx, (unsigned char *)f, strlen(f)))
diff --git a/recipes-connectivity/openssl/openssl/reproducible-cflags.patch b/recipes-connectivity/openssl/openssl/reproducible-cflags.patch
index 2803cb0..b735175 100644
--- a/recipes-connectivity/openssl/openssl/reproducible-cflags.patch
+++ b/recipes-connectivity/openssl/openssl/reproducible-cflags.patch
@@ -5,11 +5,11 @@ Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
---- Makefile 2018-03-06 14:50:18.342138147 -0800
-+++ Makefile 2018-03-06 15:24:04.794239071 -0800
---- a/crypto/Makefile
-+++ b/crypto/Makefile
-@@ -55,7 +55,7 @@
+Index: openssl-1.0.2u/crypto/Makefile
+===================================================================
+--- openssl-1.0.2u.orig/crypto/Makefile
++++ openssl-1.0.2u/crypto/Makefile
+@@ -57,7 +57,7 @@ top:
all: shared
buildinf.h: ../Makefile
diff --git a/recipes-connectivity/openssl/openssl_1.0.2u.bb b/recipes-connectivity/openssl/openssl_1.0.2u.bb
index 7990b87..10707ed 100644
--- a/recipes-connectivity/openssl/openssl_1.0.2u.bb
+++ b/recipes-connectivity/openssl/openssl_1.0.2u.bb
@@ -48,6 +48,10 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
file://CVE-2020-1971-3.patch \
file://CVE-2020-1971-4.patch \
file://CVE-2020-1971-5.patch \
+ file://CVE-2021-23839.patch \
+ file://CVE-2021-23840-pre2.patch \
+ file://CVE-2021-23840.patch \
+ file://CVE-2021-23841.patch \
"
SRC_URI_append_class-target = " \