Fix CVE-2024-5535
Signed-off-by: ShenYage <shenyage1@huawei.com> (cherry picked from commit d94a6ace09865caf003e75e5a9510b9a8720ec5c)
This commit is contained in:
ShenYage
openeuler-sync-bot
parent
43373ebdd7
commit
aa4b55ed7a
168
0078-Fix-SSL_select_next_proto-and-add-ALPN-validation-in.patch
Normal file
168
0078-Fix-SSL_select_next_proto-and-add-ALPN-validation-in.patch
Normal file
@ -0,0 +1,168 @@
|
||||
From 85365ebf0d57f82fbaf6b04da477dcba4e82e3a4 Mon Sep 17 00:00:00 2001
|
||||
From: xuhuiyue <xuhuiyue@huawei.com>
|
||||
Date: Fri, 28 Jun 2024 17:31:29 +0800
|
||||
Subject: [PATCH 1/2] Fix SSL_select_next_proto and add ALPN validation in the
|
||||
client
|
||||
|
||||
Fix CVE-2024-5535.
|
||||
|
||||
Signed-off-by: xuhuiyue <xuhuiyue@huawei.com>
|
||||
---
|
||||
.../Library/OpensslLib/openssl/ssl/ssl_lib.c | 63 ++++++++++++-------
|
||||
.../openssl/ssl/statem/extensions_clnt.c | 27 +++++++-
|
||||
.../openssl/ssl/statem/extensions_srvr.c | 3 +-
|
||||
3 files changed, 68 insertions(+), 25 deletions(-)
|
||||
|
||||
diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
|
||||
index ae33d18..cc3f588 100644
|
||||
--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
|
||||
+++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
|
||||
@@ -2731,37 +2731,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
|
||||
unsigned int server_len,
|
||||
const unsigned char *client, unsigned int client_len)
|
||||
{
|
||||
- unsigned int i, j;
|
||||
- const unsigned char *result;
|
||||
- int status = OPENSSL_NPN_UNSUPPORTED;
|
||||
+ PACKET cpkt, csubpkt, spkt, ssubpkt;
|
||||
+
|
||||
+ if (!PACKET_buf_init(&cpkt, client, client_len)
|
||||
+ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
|
||||
+ || PACKET_remaining(&csubpkt) == 0) {
|
||||
+ *out = NULL;
|
||||
+ *outlen = 0;
|
||||
+ return OPENSSL_NPN_NO_OVERLAP;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * Set the default opportunistic protocol. Will be overwritten if we find
|
||||
+ * a match.
|
||||
+ */
|
||||
+ *out = (unsigned char *)PACKET_data(&csubpkt);
|
||||
+ *outlen = (unsigned char)PACKET_remaining(&csubpkt);
|
||||
|
||||
/*
|
||||
* For each protocol in server preference order, see if we support it.
|
||||
*/
|
||||
- for (i = 0; i < server_len;) {
|
||||
- for (j = 0; j < client_len;) {
|
||||
- if (server[i] == client[j] &&
|
||||
- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
|
||||
- /* We found a match */
|
||||
- result = &server[i];
|
||||
- status = OPENSSL_NPN_NEGOTIATED;
|
||||
- goto found;
|
||||
+ if (PACKET_buf_init(&spkt, server, server_len)) {
|
||||
+ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
|
||||
+ if (PACKET_remaining(&ssubpkt) == 0)
|
||||
+ continue; /* Invalid - ignore it */
|
||||
+ if (PACKET_buf_init(&cpkt, client, client_len)) {
|
||||
+ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
|
||||
+ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
|
||||
+ PACKET_remaining(&ssubpkt))) {
|
||||
+ /* We found a match */
|
||||
+ *out = (unsigned char *)PACKET_data(&ssubpkt);
|
||||
+ *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
|
||||
+ return OPENSSL_NPN_NEGOTIATED;
|
||||
+ }
|
||||
+ }
|
||||
+ /* Ignore spurious trailing bytes in the client list */
|
||||
+ } else {
|
||||
+ /* This should never happen */
|
||||
+ return OPENSSL_NPN_NO_OVERLAP;
|
||||
}
|
||||
- j += client[j];
|
||||
- j++;
|
||||
}
|
||||
- i += server[i];
|
||||
- i++;
|
||||
+ /* Ignore spurious trailing bytes in the server list */
|
||||
}
|
||||
|
||||
- /* There's no overlap between our protocols and the server's list. */
|
||||
- result = client;
|
||||
- status = OPENSSL_NPN_NO_OVERLAP;
|
||||
-
|
||||
- found:
|
||||
- *out = (unsigned char *)result + 1;
|
||||
- *outlen = result[0];
|
||||
- return status;
|
||||
+ /*
|
||||
+ * There's no overlap between our protocols and the server's list. We use
|
||||
+ * the default opportunistic protocol selected earlier
|
||||
+ */
|
||||
+ return OPENSSL_NPN_NO_OVERLAP;
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_NEXTPROTONEG
|
||||
diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/extensions_clnt.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/extensions_clnt.c
|
||||
index bcce0f1..a307294 100644
|
||||
--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/extensions_clnt.c
|
||||
+++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/extensions_clnt.c
|
||||
@@ -1579,7 +1579,8 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
||||
PACKET_data(pkt),
|
||||
PACKET_remaining(pkt),
|
||||
s->ctx->ext.npn_select_cb_arg) !=
|
||||
- SSL_TLSEXT_ERR_OK) {
|
||||
+ SSL_TLSEXT_ERR_OK
|
||||
+ || selected_len == 0) {
|
||||
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_STOC_NPN,
|
||||
SSL_R_BAD_EXTENSION);
|
||||
return 0;
|
||||
@@ -1609,6 +1610,8 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
||||
size_t chainidx)
|
||||
{
|
||||
size_t len;
|
||||
+ PACKET confpkt, protpkt;
|
||||
+ int valid = 0;
|
||||
|
||||
/* We must have requested it. */
|
||||
if (!s->s3->alpn_sent) {
|
||||
@@ -1629,6 +1632,28 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
||||
SSL_R_BAD_EXTENSION);
|
||||
return 0;
|
||||
}
|
||||
+
|
||||
+ /* It must be a protocol that we sent */
|
||||
+ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
|
||||
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, ERR_R_INTERNAL_ERROR);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
|
||||
+ if (PACKET_remaining(&protpkt) != len)
|
||||
+ continue;
|
||||
+ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
|
||||
+ /* Valid protocol found */
|
||||
+ valid = 1;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (!valid) {
|
||||
+ /* The protocol sent from the server does not match one we advertised */
|
||||
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, SSL_R_BAD_EXTENSION);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
OPENSSL_free(s->s3->alpn_selected);
|
||||
s->s3->alpn_selected = OPENSSL_malloc(len);
|
||||
if (s->s3->alpn_selected == NULL) {
|
||||
diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/extensions_srvr.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/extensions_srvr.c
|
||||
index 3b07c6b..0c9b839 100644
|
||||
--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/extensions_srvr.c
|
||||
+++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/extensions_srvr.c
|
||||
@@ -1559,9 +1559,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
|
||||
return EXT_RETURN_FAIL;
|
||||
}
|
||||
s->s3->npn_seen = 1;
|
||||
+ return EXT_RETURN_SENT;
|
||||
}
|
||||
|
||||
- return EXT_RETURN_SENT;
|
||||
+ return EXT_RETURN_NOT_SENT;
|
||||
}
|
||||
#endif
|
||||
|
||||
--
|
||||
2.33.0
|
||||
|
||||
1786
0079-Add-a-test-for-ALPN-and-NPN.patch
Normal file
1786
0079-Add-a-test-for-ALPN-and-NPN.patch
Normal file
File diff suppressed because it is too large
Load Diff
11
edk2.spec
11
edk2.spec
@ -5,7 +5,7 @@
|
||||
|
||||
Name: edk2
|
||||
Version: %{stable_date}
|
||||
Release: 18
|
||||
Release: 19
|
||||
Summary: EFI Development Kit II
|
||||
License: BSD-2-Clause-Patent
|
||||
URL: https://github.com/tianocore/edk2
|
||||
@ -111,6 +111,10 @@ Patch0076: 0076-Add-a-test-for-session-cache-overflow.patch
|
||||
# fix CVE-2024-1298
|
||||
Patch0077: 0077-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch
|
||||
|
||||
# fix CVE-2024-5535
|
||||
Patch0078: 0078-Fix-SSL_select_next_proto-and-add-ALPN-validation-in.patch
|
||||
Patch0079: 0079-Add-a-test-for-ALPN-and-NPN.patch
|
||||
|
||||
BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command
|
||||
|
||||
%description
|
||||
@ -311,7 +315,10 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Jun 12 2024 shenyage<shenyage1@huawei.com> - 202011-17
|
||||
* Thu Jul 11 2024 shenyage<shenyage1@huawei.com> - 202011-19
|
||||
- fix CVE-2024-5535
|
||||
|
||||
* Wed Jun 12 2024 shenyage<shenyage1@huawei.com> - 202011-18
|
||||
- fix CVE-2024-1298
|
||||
|
||||
* Mon Apr 15 2024 shenyage<shenyage1@huawei.com> - 202011-17
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user