summaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2015-12-07 16:55:52 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-01-20 17:08:28 +0000
commit5c12661f8cae252b850f749b1809ca5fd23b5815 (patch)
tree641b0ee26d239489169d279d38a5f2435e6c4288 /meta/recipes-connectivity
parentc7e2c072c2c6edeaa7c0ad6c94da34358c5ab791 (diff)
downloadast2050-yocto-poky-5c12661f8cae252b850f749b1809ca5fd23b5815.zip
ast2050-yocto-poky-5c12661f8cae252b850f749b1809ca5fd23b5815.tar.gz
openssl: fix for CVE-2015-3193
(From OE-Core rev: ee47f6ca78d15ec56556d5c078bf20315af457b8) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity')
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch101
-rw-r--r--meta/recipes-connectivity/openssl/openssl_1.0.2d.bb1
2 files changed, 102 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch
new file mode 100644
index 0000000..125016a
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch
@@ -0,0 +1,101 @@
+From d73cc256c8e256c32ed959456101b73ba9842f72 Mon Sep 17 00:00:00 2001
+From: Andy Polyakov <appro@openssl.org>
+Date: Tue, 1 Dec 2015 09:00:32 +0100
+Subject: [PATCH] bn/asm/x86_64-mont5.pl: fix carry propagating bug
+ (CVE-2015-3193).
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(cherry picked from commit e7c078db57908cbf16074c68034977565ffaf107)
+
+Upstream-Status: Backport
+
+This patch was imported from
+https://git.openssl.org/?p=openssl.git;a=commit;h=d73cc256c8e256c32ed959456101b73ba9842f72
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ crypto/bn/asm/x86_64-mont5.pl | 22 +++++++++++++++++++---
+ crypto/bn/bntest.c | 18 ++++++++++++++++++
+ 2 files changed, 37 insertions(+), 3 deletions(-)
+
+Index: openssl-1.0.2d/crypto/bn/asm/x86_64-mont5.pl
+===================================================================
+--- openssl-1.0.2d.orig/crypto/bn/asm/x86_64-mont5.pl
++++ openssl-1.0.2d/crypto/bn/asm/x86_64-mont5.pl
+@@ -1779,6 +1779,15 @@ sqr8x_reduction:
+ .align 32
+ .L8x_tail_done:
+ add (%rdx),%r8 # can this overflow?
++ adc \$0,%r9
++ adc \$0,%r10
++ adc \$0,%r11
++ adc \$0,%r12
++ adc \$0,%r13
++ adc \$0,%r14
++ adc \$0,%r15 # can't overflow, because we
++ # started with "overhung" part
++ # of multiplication
+ xor %rax,%rax
+
+ neg $carry
+@@ -3125,6 +3134,15 @@ sqrx8x_reduction:
+ .align 32
+ .Lsqrx8x_tail_done:
+ add 24+8(%rsp),%r8 # can this overflow?
++ adc \$0,%r9
++ adc \$0,%r10
++ adc \$0,%r11
++ adc \$0,%r12
++ adc \$0,%r13
++ adc \$0,%r14
++ adc \$0,%r15 # can't overflow, because we
++ # started with "overhung" part
++ # of multiplication
+ mov $carry,%rax # xor %rax,%rax
+
+ sub 16+8(%rsp),$carry # mov 16(%rsp),%cf
+@@ -3168,13 +3186,11 @@ my ($rptr,$nptr)=("%rdx","%rbp");
+ my @ri=map("%r$_",(10..13));
+ my @ni=map("%r$_",(14..15));
+ $code.=<<___;
+- xor %rbx,%rbx
++ xor %ebx,%ebx
+ sub %r15,%rsi # compare top-most words
+ adc %rbx,%rbx
+ mov %rcx,%r10 # -$num
+- .byte 0x67
+ or %rbx,%rax
+- .byte 0x67
+ mov %rcx,%r9 # -$num
+ xor \$1,%rax
+ sar \$3+2,%rcx # cf=0
+Index: openssl-1.0.2d/crypto/bn/bntest.c
+===================================================================
+--- openssl-1.0.2d.orig/crypto/bn/bntest.c
++++ openssl-1.0.2d/crypto/bn/bntest.c
+@@ -1027,6 +1027,24 @@ int test_mod_exp_mont_consttime(BIO *bp,
+ return 0;
+ }
+ }
++
++ /* Regression test for carry propagation bug in sqr8x_reduction */
++ BN_hex2bn(&a, "050505050505");
++ BN_hex2bn(&b, "02");
++ BN_hex2bn(&c,
++ "4141414141414141414141274141414141414141414141414141414141414141"
++ "4141414141414141414141414141414141414141414141414141414141414141"
++ "4141414141414141414141800000000000000000000000000000000000000000"
++ "0000000000000000000000000000000000000000000000000000000000000000"
++ "0000000000000000000000000000000000000000000000000000000000000000"
++ "0000000000000000000000000000000000000000000000000000000001");
++ BN_mod_exp(d, a, b, c, ctx);
++ BN_mul(e, a, a, ctx);
++ if (BN_cmp(d, e)) {
++ fprintf(stderr, "BN_mod_exp and BN_mul produce different results!\n");
++ return 0;
++ }
++
+ BN_free(a);
+ BN_free(b);
+ BN_free(c);
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
index c862d5d..ac78e5c 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
@@ -35,6 +35,7 @@ SRC_URI += "file://configure-targets.patch \
file://ptest-deps.patch \
file://run-ptest \
file://crypto_use_bigint_in_x86-64_perl.patch \
+ file://CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch \
"
SRC_URI[md5sum] = "38dd619b2e77cbac69b99f52a053d25a"
OpenPOWER on IntegriCloud