6 files changed, 242 insertions, 5 deletions
diff --git a/recipes-connectivity/openssl/openssl/CVE-2021-23839.patch b/recipes-connectivity/openssl/openssl/CVE-2021-23839.patch
new file mode 100644
index 0000000..cc0ff18
--- /dev/null
+++ b/recipes-connectivity/openssl/openssl/CVE-2021-23839.patch
@@ -0,0 +1,66 @@
+From 901f1ef7dacb6b3bde63233a1f623e1fa2f0f058 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 22 Jan 2021 16:38:50 +0000
+Subject: [PATCH] Fix the RSA_SSLV23_PADDING padding type
+
+This also fixes the public function RSA_padding_check_SSLv23.
+
+Commit 6555a89 changed the padding check logic in RSA_padding_check_SSLv23
+so that padding is rejected if the nul delimiter byte is not immediately
+preceded by at least 8 bytes containing 0x03. Prior to that commit the
+padding is rejected if it *is* preceded by at least 8 bytes containing 0x03.
+
+Presumably this change was made to be consistent with what it says in
+appendix E.3 of RFC 5246. Unfortunately that RFC is in error, and the
+original behaviour was correct. This is fixed in later errata issued for
+that RFC.
+
+This has no impact on libssl for modern versions of OpenSSL because
+there is no protocol support for SSLv2 in these versions. However
+applications that call RSA_paddin_check_SSLv23 directly, or use the
+RSA_SSLV23_PADDING mode may still be impacted. The effect of the original
+error is that an RSA message encrypted by an SSLv2 only client will fail to
+be decrypted properly by a TLS capable server, or a message encrypted by a
+TLS capable client will fail to decrypt on an SSLv2 only server. Most
+significantly an RSA message encrypted by a TLS capable client will be
+successfully decrypted by a TLS capable server. This last case should fail
+due to a rollback being detected.
+
+Thanks to D. Katz and Joel Luellwitz (both from Trustwave) for reporting
+this issue.
+
+CVE-2021-23839
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+---
+ crypto/rsa/rsa_ssl.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+Index: openssl-1.0.2u/crypto/rsa/rsa_ssl.c
+===================================================================
+--- openssl-1.0.2u.orig/crypto/rsa/rsa_ssl.c
++++ openssl-1.0.2u/crypto/rsa/rsa_ssl.c
+@@ -104,7 +104,7 @@ int RSA_padding_add_SSLv23(unsigned char
+
+ /*
+ * Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding
+- * if nul delimiter is not preceded by 8 consecutive 0x03 bytes. It also
++ * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also
+ * preserves error code reporting for backward compatibility.
+ */
+ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
+@@ -171,7 +171,13 @@ int RSA_padding_check_SSLv23(unsigned ch
+ RSA_R_NULL_BEFORE_BLOCK_MISSING);
+ mask = ~good;
+
+- good &= constant_time_ge(threes_in_row, 8);
++ /*
++ * Reject if nul delimiter is preceded by 8 consecutive 0x03 bytes. Note
++ * that RFC5246 incorrectly states this the other way around, i.e. reject
++ * if it is not preceded by 8 consecutive 0x03 bytes. However this is
++ * corrected in subsequent errata for that RFC.
++ */
++ good &= constant_time_lt(threes_in_row, 8);
+ err = constant_time_select_int(mask | good, err,
+ RSA_R_SSLV3_ROLLBACK_ATTACK);
+ mask = ~good;
diff --git a/recipes-connectivity/openssl/openssl/CVE-2021-23840-pre2.patch b/recipes-connectivity/openssl/openssl/CVE-2021-23840-pre2.patch
new file mode 100644
index 0000000..5a95f84
--- /dev/null
+++ b/recipes-connectivity/openssl/openssl/CVE-2021-23840-pre2.patch
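Review bot: CVE-2021-23839.patch is added without `Upstream-Status:` and `CVE:` tags in its header, and the same holds for CVE-2021-23840-pre2.patch, CVE-2021-23840.patch and CVE-2021-23841.patch; the only patch on this page that shows such a tag is reproducible-cflags.patch (`Upstream-Status: Inappropriate [OE specific]`). I would add `Upstream-Status: Backport` and `CVE: CVE-2021-23839` above the `---` separator, together with a `Signed-off-by:` from whoever rebased the change onto openssl-1.0.2u, so the origin of each security fix stays auditable. On the code itself, the switch to `good &= constant_time_lt(threes_in_row, 8);` reverses which inputs end in `RSA_R_SSLV3_ROLLBACK_ATTACK`, so anything in the image that uses `RSA_SSLV23_PADDING` or calls `RSA_padding_check_SSLv23` directly deserves a retest after this lands. The body of `RSA_padding_check_SSLv23` starts and ends outside the second hunk.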
@@ -0,0 +1,42 @@
+Backport of:
+
+From 4bd0db1feaaf97fbc2bd31f54f1fbdeab80b2b1a Mon Sep 17 00:00:00 2001
+From: Richard Levitte <levitte@openssl.org>
+Date: Sun, 9 Dec 2018 14:20:30 +0100
+Subject: [PATCH] make update
+
+Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
+Reviewed-by: Paul Dale <paul.dale@oracle.com>
+(Merged from https://github.com/openssl/openssl/pull/7852)
+
+(cherry picked from commit f2f734d4f9e34643a1d3e5b79d2447cd643519f8)
+---
+ crypto/err/openssl.txt | 1 +
+ crypto/evp/evp_err.c | 2 ++
+ include/openssl/evperr.h | 1 +
+ 3 files changed, 4 insertions(+)
+
+Index: openssl-1.0.2u/crypto/evp/evp_err.c
+===================================================================
+--- openssl-1.0.2u.orig/crypto/evp/evp_err.c
++++ openssl-1.0.2u/crypto/evp/evp_err.c
+@@ -94,6 +94,7 @@ static ERR_STRING_DATA EVP_str_functs[]
+ {ERR_FUNC(EVP_F_EVP_DECRYPTFINAL_EX), "EVP_DecryptFinal_ex"},
+ {ERR_FUNC(EVP_F_EVP_DECRYPTUPDATE), "EVP_DecryptUpdate"},
+ {ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"},
++ {ERR_FUNC(EVP_F_EVP_ENCRYPTDECRYPTUPDATE), "evp_EncryptDecryptUpdate"},
+ {ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"},
+ {ERR_FUNC(EVP_F_EVP_ENCRYPTUPDATE), "EVP_EncryptUpdate"},
+ {ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"},
+Index: openssl-1.0.2u/crypto/evp/evp.h
+===================================================================
+--- openssl-1.0.2u.orig/crypto/evp/evp.h
++++ openssl-1.0.2u/crypto/evp/evp.h
+@@ -1491,6 +1491,7 @@ void ERR_load_EVP_strings(void);
+ # define EVP_F_EVP_DECRYPTFINAL_EX 101
+ # define EVP_F_EVP_DECRYPTUPDATE 181
+ # define EVP_F_EVP_DIGESTINIT_EX 128
++# define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 219
+ # define EVP_F_EVP_ENCRYPTFINAL_EX 127
+ # define EVP_F_EVP_ENCRYPTUPDATE 180
+ # define EVP_F_EVP_MD_CTX_COPY_EX 110
diff --git a/recipes-connectivity/openssl/openssl/CVE-2021-23840.patch b/recipes-connectivity/openssl/openssl/CVE-2021-23840.patch
new file mode 100644
index 0000000..a56e292
--- /dev/null
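Review bot: The header of CVE-2021-23840-pre2.patch still carries the upstream diffstat (`crypto/err/openssl.txt`, `crypto/evp/evp_err.c`, `include/openssl/evperr.h`, 4 insertions), while the body touches `crypto/evp/evp_err.c` and `crypto/evp/evp.h` with one added line each. A line under `Backport of:` such as `[backport: adapted to openssl-1.0.2u, EVP error codes live in crypto/evp/evp.h]` would document that difference. The value in `# define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 219` is placed by hand and the hunk shows only its neighbours, so it should be checked against the rest of the `EVP_F_*` list in evp.h for a duplicate. The `-pre2` suffix also suggests a `-pre1` step, and the SRC_URI hunk of this commit adds none, so it is worth confirming that the series applies to openssl-1.0.2u without fuzz.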
+++ b/recipes-connectivity/openssl/openssl/CVE-2021-23840.patch
@@ -0,0 +1,85 @@
+Backport of:
+
+From 6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 2 Feb 2021 17:17:23 +0000
+Subject: [PATCH] Don't overflow the output length in EVP_CipherUpdate calls
+
+CVE-2021-23840
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+---
+ crypto/err/openssl.txt | 3 ++-
+ crypto/evp/evp_enc.c | 27 +++++++++++++++++++++++++++
+ crypto/evp/evp_err.c | 4 +++-
+ include/openssl/evperr.h | 7 +++----
+ 4 files changed, 35 insertions(+), 6 deletions(-)
+
+Index: openssl-1.0.2u/crypto/evp/evp_enc.c
+===================================================================
+--- openssl-1.0.2u.orig/crypto/evp/evp_enc.c
++++ openssl-1.0.2u/crypto/evp/evp_enc.c
+@@ -357,6 +357,19 @@ static int evp_EncryptDecryptUpdate(EVP_
+ return 1;
+ } else {
+ j = bl - i;
++
++ /*
++ * Once we've processed the first j bytes from in, the amount of
++ * data left that is a multiple of the block length is:
++ * (inl - j) & ~(bl - 1)
++ * We must ensure that this amount of data, plus the one block that
++ * we process from ctx->buf does not exceed INT_MAX
++ */
++ if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) {
++ EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE,
++ EVP_R_OUTPUT_WOULD_OVERFLOW);
++ return 0;
++ }
+ memcpy(&(ctx->buf[i]), in, j);
+ if (!M_do_cipher(ctx, out, ctx->buf, bl))
+ return 0;
+@@ -482,6 +495,19 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct
+ OPENSSL_assert(b <= sizeof(ctx->final));
+
+ if (ctx->final_used) {
++ /*
++ * final_used is only ever set if buf_len is 0. Therefore the maximum
++ * length output we will ever see from evp_EncryptDecryptUpdate is
++ * the maximum multiple of the block length that is <= inl, or just:
++ * inl & ~(b - 1)
++ * Since final_used has been set then the final output length is:
++ * (inl & ~(b - 1)) + b
++ * This must never exceed INT_MAX
++ */
++ if ((inl & ~(b - 1)) > INT_MAX - b) {
++ EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_OUTPUT_WOULD_OVERFLOW);
++ return 0;
++ }
+ memcpy(out, ctx->final, b);
+ out += b;
+ fix_len = 1;
+Index: openssl-1.0.2u/crypto/evp/evp_err.c
+===================================================================
+--- openssl-1.0.2u.orig/crypto/evp/evp_err.c
++++ openssl-1.0.2u/crypto/evp/evp_err.c
+@@ -216,6 +216,7 @@ static ERR_STRING_DATA EVP_str_reasons[]
+ {ERR_REASON(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),
+ "operation not supported for this keytype"},
+ {ERR_REASON(EVP_R_OPERATON_NOT_INITIALIZED), "operaton not initialized"},
++ {ERR_REASON(EVP_R_OUTPUT_WOULD_OVERFLOW), "output would overflow"},
+ {ERR_REASON(EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE),
+ "pkcs8 unknown broken type"},
+ {ERR_REASON(EVP_R_PRIVATE_KEY_DECODE_ERROR), "private key decode error"},
+Index: openssl-1.0.2u/crypto/evp/evp.h
+===================================================================
+--- openssl-1.0.2u.orig/crypto/evp/evp.h
++++ openssl-1.0.2u/crypto/evp/evp.h
+@@ -1603,6 +1603,7 @@ void ERR_load_EVP_strings(void);
+ # define EVP_R_NO_VERIFY_FUNCTION_CONFIGURED 105
+ # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150
+ # define EVP_R_OPERATON_NOT_INITIALIZED 151
++# define EVP_R_OUTPUT_WOULD_OVERFLOW 184
+ # define EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE 117
+ # define EVP_R_PRIVATE_KEY_DECODE_ERROR 145
+ # define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146
diff --git a/recipes-connectivity/openssl/openssl/CVE-2021-23841.patch b/recipes-connectivity/openssl/openssl/CVE-2021-23841.patch
new file mode 100644
index 0000000..e6c5022
--- /dev/null
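Review bot: Both new guards in CVE-2021-23840.patch compare against `INT_MAX`, yet no hunk adds `#include <limits.h>` to crypto/evp/evp_enc.c, and the patch header counts 27 insertions for that file where the two hunks add 26. If the dropped line was that include, confirm that evp_enc.c in openssl-1.0.2u already gets `INT_MAX` through another header, or restore `#include <limits.h>` in the backport. The two new `return 0;` exits only protect callers that test the return value of `EVP_EncryptUpdate`, `EVP_DecryptUpdate` or `EVP_CipherUpdate`, so callers in the image that ignore it and go on to use the output length are worth auditing. Both patched functions continue outside the hunks, so the earlier handling of `inl` is not visible here.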
+++ b/recipes-connectivity/openssl/openssl/CVE-2021-23841.patch
@@ -0,0 +1,40 @@
+Backport of:
+
+From 122a19ab48091c657f7cb1fb3af9fc07bd557bbf Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Wed, 10 Feb 2021 16:10:36 +0000
+Subject: [PATCH] Fix Null pointer deref in X509_issuer_and_serial_hash()
+
+The OpenSSL public API function X509_issuer_and_serial_hash() attempts
+to create a unique hash value based on the issuer and serial number data
+contained within an X509 certificate. However it fails to correctly
+handle any errors that may occur while parsing the issuer field (which
+might occur if the issuer field is maliciously constructed). This may
+subsequently result in a NULL pointer deref and a crash leading to a
+potential denial of service attack.
+
+The function X509_issuer_and_serial_hash() is never directly called by
+OpenSSL itself so applications are only vulnerable if they use this
+function directly and they use it on certificates that may have been
+obtained from untrusted sources.
+
+CVE-2021-23841
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+(cherry picked from commit 8130d654d1de922ea224fa18ee3bc7262edc39c0)
+---
+ crypto/x509/x509_cmp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/crypto/x509/x509_cmp.c
++++ b/crypto/x509/x509_cmp.c
+@@ -87,6 +87,8 @@ unsigned long X509_issuer_and_serial_has
+
+ EVP_MD_CTX_init(&ctx);
+ f = X509_NAME_oneline(a->cert_info->issuer, NULL, 0);
++ if (f == NULL)
++ goto err;
+ if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
+ goto err;
+ if (!EVP_DigestUpdate(&ctx, (unsigned char *)f, strlen(f)))
diff --git a/recipes-connectivity/openssl/openssl/reproducible-cflags.patch b/recipes-connectivity/openssl/openssl/reproducible-cflags.patch
index 2803cb0..b735175 100644
--- a/recipes-connectivity/openssl/openssl/reproducible-cflags.patch
+++ b/recipes-connectivity/openssl/openssl/reproducible-cflags.patch
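Review bot: In CVE-2021-23841.patch the new `if (f == NULL) goto err;` closes the `strlen(f)` dereference, but the two `goto err` exits that follow it are taken with `f` allocated, and the `err:` label lies outside the hunk, so it is not visible whether `f` is released there. If it is not, a failed `EVP_DigestInit_ex` or `EVP_DigestUpdate` leaks the string, and a follow-up could call `OPENSSL_free(f)` on that path. A short comment on the new check would help the next reader: `/* X509_NAME_oneline() failed on the issuer; do not hash a NULL string */`. The function returns `unsigned long`, so the value handed back at `err:` is the only error signal callers get, which is worth stating in the function's documentation.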
@@ -5,11 +5,11 @@ Upstream-Status: Inappropriate [OE specific] Signed-off-by: Juro Bystricky <juro.bystricky@intel.com> ---- Makefile 2018-03-06 14:50:18.342138147 -0800 -+++ Makefile 2018-03-06 15:24:04.794239071 -0800 ---- a/crypto/Makefile -+++ b/crypto/Makefile -@@ -55,7 +55,7 @@ +Index: openssl-1.0.2u/crypto/Makefile +=================================================================== +--- openssl-1.0.2u.orig/crypto/Makefile ++++ openssl-1.0.2u/crypto/Makefile +@@ -57,7 +57,7 @@ top: all: shared buildinf.h: ../Makefile diff --git a/recipes-connectivity/openssl/openssl_1.0.2u.bb b/recipes-connectivity/openssl/openssl_1.0.2u.bb index 7990b87..10707ed 100644 --- a/recipes-connectivity/openssl/openssl_1.0.2u.bb +++ b/recipes-connectivity/openssl/openssl_1.0.2u.bb @@ -48,6 +48,10 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://CVE-2020-1971-3.patch \ file://CVE-2020-1971-4.patch \ file://CVE-2020-1971-5.patch \ + file://CVE-2021-23839.patch \ + file://CVE-2021-23840-pre2.patch \ + file://CVE-2021-23840.patch \ + file://CVE-2021-23841.patch \ " SRC_URI_append_class-target = " \ |