diff options
Diffstat (limited to 'import-layers/yocto-poky/meta/recipes-connectivity/openssl')
7 files changed, 246 insertions, 13 deletions
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl.inc b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl.inc index f3a2c5abd..2ef8b38be 100644 --- a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl.inc +++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl.inc @@ -107,18 +107,24 @@ do_configure () { linux-gnu64-x86_64) target=linux-x86_64 ;; - linux-mips) - target=debian-mips + linux-gnun32-mips*el) + target=debian-mipsn32el + ;; + linux-gnun32-mips*) + target=debian-mipsn32 + ;; + linux-mips*64*el) + target=debian-mips64el ;; - linux-mipsel) + linux-mips*64*) + target=debian-mips64 + ;; + linux-mips*el) target=debian-mipsel ;; - linux-*-mips64 | linux-mips64) - target=debian-mips64 - ;; - linux-*-mips64el | linux-mips64el) - target=debian-mips64el - ;; + linux-mips*) + target=debian-mips + ;; linux-microblaze*|linux-nios2*) target=linux-generic32 ;; diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch new file mode 100644 index 000000000..04ef52682 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch @@ -0,0 +1,46 @@ +From 0cde9a9645c949fd0acf657dadc747676245cfaf Mon Sep 17 00:00:00 2001 +From: Alexandru Moise <alexandru.moise@windriver.com> +Date: Tue, 7 Feb 2017 11:13:19 +0200 +Subject: [PATCH 1/2] crypto/evp: harden RC4_MD5 cipher. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Originally a crash in 32-bit build was reported CHACHA20-POLY1305 +cipher. The crash is triggered by truncated packet and is result +of excessive hashing to the edge of accessible memory (or bogus +MAC value is produced if x86 MD5 assembly module is involved). Since +hash operation is read-only it is not considered to be exploitable +beyond a DoS condition. + +Thanks to Robert Święcki for report. + +CVE-2017-3731 + +Backported from upstream commit: +8e20499629b6bcf868d0072c7011e590b5c2294d + +Upstream-Status: Backport + +Reviewed-by: Rich Salz <rsalz@openssl.org> +Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com> +--- + crypto/evp/e_rc4_hmac_md5.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c +index 5e92855..3293419 100644 +--- a/crypto/evp/e_rc4_hmac_md5.c ++++ b/crypto/evp/e_rc4_hmac_md5.c +@@ -269,6 +269,8 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, + len = p[arg - 2] << 8 | p[arg - 1]; + + if (!ctx->encrypt) { ++ if (len < MD5_DIGEST_LENGTH) ++ return -1; + len -= MD5_DIGEST_LENGTH; + p[arg - 2] = len >> 8; + p[arg - 1] = len; +-- +2.10.2 + diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch new file mode 100644 index 000000000..b56b2d5bd --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch @@ -0,0 +1,53 @@ +From 6427f1accc54b515bb899370f1a662bfcb1caa52 Mon Sep 17 00:00:00 2001 +From: Alexandru Moise <alexandru.moise@windriver.com> +Date: Tue, 7 Feb 2017 11:16:13 +0200 +Subject: [PATCH 2/2] crypto/evp: harden AEAD ciphers. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Originally a crash in 32-bit build was reported CHACHA20-POLY1305 +cipher. The crash is triggered by truncated packet and is result +of excessive hashing to the edge of accessible memory. Since hash +operation is read-only it is not considered to be exploitable +beyond a DoS condition. Other ciphers were hardened. + +Thanks to Robert Święcki for report. + +CVE-2017-3731 + +Backported from upstream commit: +2198b3a55de681e1f3c23edb0586afe13f438051 + +Upstream-Status: Backport + +Reviewed-by: Rich Salz <rsalz@openssl.org> +Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com> +--- + crypto/evp/e_aes.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c +index 1734a82..16dcd10 100644 +--- a/crypto/evp/e_aes.c ++++ b/crypto/evp/e_aes.c +@@ -1235,10 +1235,15 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) + { + unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1]; + /* Correct length for explicit IV */ ++ if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN) ++ return 0; + len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; + /* If decrypting correct for tag too */ +- if (!c->encrypt) ++ if (!c->encrypt) { ++ if (len < EVP_GCM_TLS_TAG_LEN) ++ return 0; + len -= EVP_GCM_TLS_TAG_LEN; ++ } + c->buf[arg - 2] = len >> 8; + c->buf[arg - 1] = len & 0xff; + } +-- +2.10.2 + diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/CVE-2016-7055.patch b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/CVE-2016-7055.patch new file mode 100644 index 000000000..83a74cdac --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/CVE-2016-7055.patch @@ -0,0 +1,43 @@ +From 57c4b9f6a2f800b41ce2836986fe33640f6c3f8a Mon Sep 17 00:00:00 2001 +From: Andy Polyakov <appro@openssl.org> +Date: Sun, 6 Nov 2016 18:33:17 +0100 +Subject: [PATCH] bn/asm/x86_64-mont.pl: fix for CVE-2016-7055 (Low severity). + +Reviewed-by: Rich Salz <rsalz@openssl.org> +(cherry picked from commit 2fac86d9abeaa643677d1ffd0a139239fdf9406a) + +Upstream-Status: Backport [https://github.com/openssl/openssl/commit/57c4b9f6a2f800b41ce2836986fe33640f6c3f8a] +CVE: CVE-2016-7055 +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + crypto/bn/asm/x86_64-mont.pl | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/crypto/bn/asm/x86_64-mont.pl b/crypto/bn/asm/x86_64-mont.pl +index 044fd7e..80492d8 100755 +--- a/crypto/bn/asm/x86_64-mont.pl ++++ b/crypto/bn/asm/x86_64-mont.pl +@@ -1148,18 +1148,17 @@ $code.=<<___; + mulx 2*8($aptr),%r15,%r13 # ... + adox -3*8($tptr),%r11 + adcx %r15,%r12 +- adox $zero,%r12 ++ adox -2*8($tptr),%r12 + adcx $zero,%r13 ++ adox $zero,%r13 + + mov $bptr,8(%rsp) # off-load &b[i] +- .byte 0x67 + mov $mi,%r15 + imulq 24(%rsp),$mi # "t[0]"*n0 + xor %ebp,%ebp # xor $zero,$zero # cf=0, of=0 + + mulx 3*8($aptr),%rax,%r14 + mov $mi,%rdx +- adox -2*8($tptr),%r12 + adcx %rax,%r13 + adox -1*8($tptr),%r13 + adcx $zero,%r14 +-- +2.7.4 + diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch new file mode 100644 index 000000000..58c9ee784 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch @@ -0,0 +1,69 @@ +From d795f5f20a29adecf92c09459a3ee07ffac01a99 Mon Sep 17 00:00:00 2001 +From: Rich Salz <rsalz@akamai.com> +Date: Sat, 13 Jun 2015 17:03:39 -0400 +Subject: [PATCH] Use SHA256 not MD5 as default digest. + +Commit f8547f62c212837dbf44fb7e2755e5774a59a57b upstream. + +Upstream-Status: Backport +Backport from OpenSSL 2.0 to OpenSSL 1.0.2 +Commit f8547f62c212837dbf44fb7e2755e5774a59a57b + +CVE: CVE-2004-2761 + + The MD5 Message-Digest Algorithm is not collision resistant, + which makes it easier for context-dependent attackers to + conduct spoofing attacks, as demonstrated by attacks on the + use of MD5 in the signature algorithm of an X.509 certificate. + +Reviewed-by: Viktor Dukhovni <viktor@openssl.org> +Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com> +Signed-off-by: T.O. Radzy Radzykewycz <radzy@windriver.com> +--- + apps/ca.c | 2 +- + apps/dgst.c | 2 +- + apps/enc.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/apps/ca.c b/apps/ca.c +index 3b7336c..8f3a84b 100644 +--- a/apps/ca.c ++++ b/apps/ca.c +@@ -1612,7 +1612,7 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, + } else + BIO_printf(bio_err, "Signature ok\n"); + +- if ((rreq = X509_to_X509_REQ(req, NULL, EVP_md5())) == NULL) ++ if ((rreq = X509_to_X509_REQ(req, NULL, NULL)) == NULL) + goto err; + + ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj, +diff --git a/apps/dgst.c b/apps/dgst.c +index 95e5fa3..0d1529f 100644 +--- a/apps/dgst.c ++++ b/apps/dgst.c +@@ -442,7 +442,7 @@ int MAIN(int argc, char **argv) + goto end; + } + if (md == NULL) +- md = EVP_md5(); ++ md = EVP_sha256(); + if (!EVP_DigestInit_ex(mctx, md, impl)) { + BIO_printf(bio_err, "Error setting digest %s\n", pname); + ERR_print_errors(bio_err); +diff --git a/apps/enc.c b/apps/enc.c +index 7b7c70b..a7d944c 100644 +--- a/apps/enc.c ++++ b/apps/enc.c +@@ -344,7 +344,7 @@ int MAIN(int argc, char **argv) + } + + if (dgst == NULL) { +- dgst = EVP_md5(); ++ dgst = EVP_sha256(); + } + + if (bufsize != NULL) { +-- +1.9.1 + diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh index f67f41554..6620fdcb5 100644 --- a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh +++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh @@ -114,11 +114,11 @@ link_hash() LINKFILE=${HASH}.${TAG}${SUFFIX} done - echo "${1} => ${LINKFILE}" + echo "${3} => ${LINKFILE}" # assume any system with a POSIX shell will either support symlinks or # do something to handle this gracefully - ln -s ${1} ${LINKFILE} + ln -s ${3} ${LINKFILE} return 0 } @@ -142,7 +142,19 @@ hash_dir() ls -1 *.pem *.cer *.crt *.crl 2>/dev/null | while read FILE do - check_file ${FILE} + REAL_FILE=${FILE} + # if we run on build host then get to the real files in rootfs + if [ -n "${SYSROOT}" -a -h ${FILE} ] + then + FILE=$( readlink ${FILE} ) + # check the symlink is absolute (or dangling in other word) + if [ "x/" = "x$( echo ${FILE} | cut -c1 -)" ] + then + REAL_FILE=${SYSROOT}/${FILE} + fi + fi + + check_file ${REAL_FILE} local FILE_TYPE=${?} local TYPE_STR='' @@ -157,7 +169,7 @@ hash_dir() continue fi - link_hash ${FILE} ${TYPE_STR} + link_hash ${REAL_FILE} ${TYPE_STR} ${FILE} done } diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb index 257e3cfc4..b6fb12634 100644 --- a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb +++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb @@ -5,6 +5,7 @@ require openssl.inc DEPENDS += "cryptodev-linux" CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS" +CFLAG_append_class-native = " -fPIC" LIC_FILES_CHKSUM = "file://LICENSE;md5=27ffa5d74bb5a337056c14b2ef93fbf6" @@ -40,6 +41,9 @@ SRC_URI += "file://find.pl;subdir=${BP}/util/ \ file://configure-musl-target.patch \ file://parallel.patch \ file://openssl-util-perlpath.pl-cwd.patch \ + file://CVE-2016-7055.patch \ + file://0001-CVE-2017-3731.patch \ + file://0002-CVE-2017-3731.patch \ " SRC_URI[md5sum] = "96322138f0b69e61b7212bc53d5e912b" SRC_URI[sha256sum] = "e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431" |
