core/openssl-cryptodev patch heartbleed vulnerability

2025-01-17 23:34:07 +00:00 · 2014-04-08 23:22:15 -06:00 · 2014-04-08 23:22:15 -06:00 · 3a89775fda
commit 3a89775fda
parent fbb7c7a01b
2 changed files with 104 additions and 8 deletions
--- a/core/openssl-cryptodev/CVE-2014-0160.patch
+++ b/core/openssl-cryptodev/CVE-2014-0160.patch
@ -0,0 +1,94 @@
+Description: fix memory disclosure in TLS heartbeat extension
+Origin: upstream, http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3
+
+Index: openssl-1.0.1f/ssl/d1_both.c
+===================================================================
+--- openssl-1.0.1f.orig/ssl/d1_both.c	2014-01-06 08:47:42.000000000 -0500
+++ openssl-1.0.1f/ssl/d1_both.c	2014-04-07 15:37:38.548342862 -0400
+@@ -1459,26 +1459,36 @@
+ 	unsigned int payload;
+ 	unsigned int padding = 16; /* Use minimum padding */
+ 
+-	/* Read type and payload length first */
+-	hbtype = *p++;
+-	n2s(p, payload);
+-	pl = p;
+-
+ 	if (s->msg_callback)
+ 		s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
+ 			&s->s3->rrec.data[0], s->s3->rrec.length,
+ 			s, s->msg_callback_arg);
+ 
+	/* Read type and payload length first */
+	if (1 + 2 + 16 > s->s3->rrec.length)
+		return 0; /* silently discard */
+	hbtype = *p++;
+	n2s(p, payload);
+	if (1 + 2 + payload + 16 > s->s3->rrec.length)
+		return 0; /* silently discard per RFC 6520 sec. 4 */
+	pl = p;
+
+ 	if (hbtype == TLS1_HB_REQUEST)
+ 		{
+ 		unsigned char *buffer, *bp;
+		unsigned int write_length = 1 /* heartbeat type */ +
+					    2 /* heartbeat length */ +
+					    payload + padding;
+ 		int r;
+ 
+		if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
+			return 0;
+
+ 		/* Allocate memory for the response, size is 1 byte
+ 		 * message type, plus 2 bytes payload length, plus
+ 		 * payload, plus padding
+ 		 */
+-		buffer = OPENSSL_malloc(1 + 2 + payload + padding);
+		buffer = OPENSSL_malloc(write_length);
+ 		bp = buffer;
+ 
+ 		/* Enter response type, length and copy payload */
+@@ -1489,11 +1499,11 @@
+ 		/* Random padding */
+ 		RAND_pseudo_bytes(bp, padding);
+ 
+-		r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
+		r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length);
+ 
+ 		if (r >= 0 && s->msg_callback)
+ 			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
+-				buffer, 3 + payload + padding,
+				buffer, write_length,
+ 				s, s->msg_callback_arg);
+ 
+ 		OPENSSL_free(buffer);
+Index: openssl-1.0.1f/ssl/t1_lib.c
+===================================================================
+--- openssl-1.0.1f.orig/ssl/t1_lib.c	2014-01-06 08:47:42.000000000 -0500
+++ openssl-1.0.1f/ssl/t1_lib.c	2014-04-07 15:37:38.548342862 -0400
+@@ -2558,16 +2558,20 @@
+ 	unsigned int payload;
+ 	unsigned int padding = 16; /* Use minimum padding */
+ 
+-	/* Read type and payload length first */
+-	hbtype = *p++;
+-	n2s(p, payload);
+-	pl = p;
+-
+ 	if (s->msg_callback)
+ 		s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
+ 			&s->s3->rrec.data[0], s->s3->rrec.length,
+ 			s, s->msg_callback_arg);
+ 
+	/* Read type and payload length first */
+	if (1 + 2 + 16 > s->s3->rrec.length)
+		return 0; /* silently discard */
+	hbtype = *p++;
+	n2s(p, payload);
+	if (1 + 2 + payload + 16 > s->s3->rrec.length)
+		return 0; /* silently discard per RFC 6520 sec. 4 */
+	pl = p;
+
+ 	if (hbtype == TLS1_HB_REQUEST)
+ 		{
+ 		unsigned char *buffer, *bp;
--- a/core/openssl-cryptodev/PKGBUILD
+++ b/core/openssl-cryptodev/PKGBUILD
@ -8,11 +8,8 @@
 #	moonman <moonman [dot] ca [at] gmail [dot] com>
 #  - replace eng_cryptodev in openssl with the one provided with cryptodev
 #  - get cryptodev.h from cryptodev tarball instead of the kernel headers
-#
-#  - package here for historical reasons; broken beyond 1.0.1e, vulnerable before 1.0.1g

 buildarch=6
-noautobuild=1

 pkgname=openssl-cryptodev
 _pkgname=openssl
@ -20,7 +17,7 @@ _ver=1.0.1e
 # use a pacman compatible version scheme
 pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}}
 #pkgver=$_ver
-pkgrel=5
+pkgrel=6
 pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer Security'
 arch=('arm' 'armv7h')
 url='https://www.openssl.org'
@ -39,7 +36,8 @@ source=("https://www.openssl.org/source/${_pkgname}-${_ver}.tar.gz"
        'openssl-1.0.1e-fix_pod_syntax-1.patch'
        "http://download.gna.org/cryptodev-linux/cryptodev-linux-${_cryptover}.tar.gz"
        'openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch'
-        'openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch')
+        'openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch'
+        'CVE-2014-0160.patch')

 md5sums=('66bf6f10f060d561929de96f9dfe5b8c'
         'dc78d3d06baffc16217519242ce92478'
@ -47,7 +45,8 @@ md5sums=('66bf6f10f060d561929de96f9dfe5b8c'
         '88d3bef4bbdc640b0412315d8d347bdf'
         'eade38998313c25fd7934719cdf8a2ea'
         'ae7848bb152b8834ceff30c8c480d422'
-         'c5cc62a47cef72f4e5ad119a88e97ae4')
+         'c5cc62a47cef72f4e5ad119a88e97ae4'
+         '5fd0261f74e5358fe28b725cddd24bbf')

 prepare() {
        cd $srcdir/${_pkgname}-$_ver
@ -67,10 +66,13 @@ prepare() {
        # http://rt.openssl.org/Ticket/Display.html?id=3002
        patch -p1 -i $srcdir/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch

-        #Replace eng_cryptodev.c with cryptodev version
+        # Patch the heartbleed vulnerability
+        patch -p1 -i $srcdir/CVE-2014-0160.patch
+
+        # Replace eng_cryptodev.c with cryptodev version
        cp -u ${srcdir}/cryptodev-linux-${_cryptover}/extras/eng_cryptodev.c ${srcdir}/openssl-${_ver}/crypto/engine/

-        #Copy the header file
+        # Copy the header file
        cp -u ${srcdir}/cryptodev-linux-${_cryptover}/crypto/cryptodev.h ${srcdir}/openssl-${_ver}/crypto/

 }