diff --git a/core/openssl-cryptodev/CVE-2014-0160.patch b/core/openssl-cryptodev/CVE-2014-0160.patch new file mode 100644 index 000000000..a96bc64f6 --- /dev/null +++ b/core/openssl-cryptodev/CVE-2014-0160.patch @@ -0,0 +1,94 @@ +Description: fix memory disclosure in TLS heartbeat extension +Origin: upstream, http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3 + +Index: openssl-1.0.1f/ssl/d1_both.c +=================================================================== +--- openssl-1.0.1f.orig/ssl/d1_both.c 2014-01-06 08:47:42.000000000 -0500 ++++ openssl-1.0.1f/ssl/d1_both.c 2014-04-07 15:37:38.548342862 -0400 +@@ -1459,26 +1459,36 @@ + unsigned int payload; + unsigned int padding = 16; /* Use minimum padding */ + +- /* Read type and payload length first */ +- hbtype = *p++; +- n2s(p, payload); +- pl = p; +- + if (s->msg_callback) + s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, + &s->s3->rrec.data[0], s->s3->rrec.length, + s, s->msg_callback_arg); + ++ /* Read type and payload length first */ ++ if (1 + 2 + 16 > s->s3->rrec.length) ++ return 0; /* silently discard */ ++ hbtype = *p++; ++ n2s(p, payload); ++ if (1 + 2 + payload + 16 > s->s3->rrec.length) ++ return 0; /* silently discard per RFC 6520 sec. 4 */ ++ pl = p; ++ + if (hbtype == TLS1_HB_REQUEST) + { + unsigned char *buffer, *bp; ++ unsigned int write_length = 1 /* heartbeat type */ + ++ 2 /* heartbeat length */ + ++ payload + padding; + int r; + ++ if (write_length > SSL3_RT_MAX_PLAIN_LENGTH) ++ return 0; ++ + /* Allocate memory for the response, size is 1 byte + * message type, plus 2 bytes payload length, plus + * payload, plus padding + */ +- buffer = OPENSSL_malloc(1 + 2 + payload + padding); ++ buffer = OPENSSL_malloc(write_length); + bp = buffer; + + /* Enter response type, length and copy payload */ +@@ -1489,11 +1499,11 @@ + /* Random padding */ + RAND_pseudo_bytes(bp, padding); + +- r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); ++ r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length); + + if (r >= 0 && s->msg_callback) + s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, +- buffer, 3 + payload + padding, ++ buffer, write_length, + s, s->msg_callback_arg); + + OPENSSL_free(buffer); +Index: openssl-1.0.1f/ssl/t1_lib.c +=================================================================== +--- openssl-1.0.1f.orig/ssl/t1_lib.c 2014-01-06 08:47:42.000000000 -0500 ++++ openssl-1.0.1f/ssl/t1_lib.c 2014-04-07 15:37:38.548342862 -0400 +@@ -2558,16 +2558,20 @@ + unsigned int payload; + unsigned int padding = 16; /* Use minimum padding */ + +- /* Read type and payload length first */ +- hbtype = *p++; +- n2s(p, payload); +- pl = p; +- + if (s->msg_callback) + s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, + &s->s3->rrec.data[0], s->s3->rrec.length, + s, s->msg_callback_arg); + ++ /* Read type and payload length first */ ++ if (1 + 2 + 16 > s->s3->rrec.length) ++ return 0; /* silently discard */ ++ hbtype = *p++; ++ n2s(p, payload); ++ if (1 + 2 + payload + 16 > s->s3->rrec.length) ++ return 0; /* silently discard per RFC 6520 sec. 4 */ ++ pl = p; ++ + if (hbtype == TLS1_HB_REQUEST) + { + unsigned char *buffer, *bp; diff --git a/core/openssl-cryptodev/PKGBUILD b/core/openssl-cryptodev/PKGBUILD index afe124d81..e41a55cdd 100644 --- a/core/openssl-cryptodev/PKGBUILD +++ b/core/openssl-cryptodev/PKGBUILD @@ -8,11 +8,8 @@ # moonman # - replace eng_cryptodev in openssl with the one provided with cryptodev # - get cryptodev.h from cryptodev tarball instead of the kernel headers -# -# - package here for historical reasons; broken beyond 1.0.1e, vulnerable before 1.0.1g buildarch=6 -noautobuild=1 pkgname=openssl-cryptodev _pkgname=openssl @@ -20,7 +17,7 @@ _ver=1.0.1e # use a pacman compatible version scheme pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}} #pkgver=$_ver -pkgrel=5 +pkgrel=6 pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer Security' arch=('arm' 'armv7h') url='https://www.openssl.org' @@ -39,7 +36,8 @@ source=("https://www.openssl.org/source/${_pkgname}-${_ver}.tar.gz" 'openssl-1.0.1e-fix_pod_syntax-1.patch' "http://download.gna.org/cryptodev-linux/cryptodev-linux-${_cryptover}.tar.gz" 'openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch' - 'openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch') + 'openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch' + 'CVE-2014-0160.patch') md5sums=('66bf6f10f060d561929de96f9dfe5b8c' 'dc78d3d06baffc16217519242ce92478' @@ -47,7 +45,8 @@ md5sums=('66bf6f10f060d561929de96f9dfe5b8c' '88d3bef4bbdc640b0412315d8d347bdf' 'eade38998313c25fd7934719cdf8a2ea' 'ae7848bb152b8834ceff30c8c480d422' - 'c5cc62a47cef72f4e5ad119a88e97ae4') + 'c5cc62a47cef72f4e5ad119a88e97ae4' + '5fd0261f74e5358fe28b725cddd24bbf') prepare() { cd $srcdir/${_pkgname}-$_ver @@ -67,10 +66,13 @@ prepare() { # http://rt.openssl.org/Ticket/Display.html?id=3002 patch -p1 -i $srcdir/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch - #Replace eng_cryptodev.c with cryptodev version + # Patch the heartbleed vulnerability + patch -p1 -i $srcdir/CVE-2014-0160.patch + + # Replace eng_cryptodev.c with cryptodev version cp -u ${srcdir}/cryptodev-linux-${_cryptover}/extras/eng_cryptodev.c ${srcdir}/openssl-${_ver}/crypto/engine/ - #Copy the header file + # Copy the header file cp -u ${srcdir}/cryptodev-linux-${_cryptover}/crypto/cryptodev.h ${srcdir}/openssl-${_ver}/crypto/ }