diff options
author | Adrian Dudau <adrian.dudau@enea.com> | 2016-09-27 16:38:51 +0200 |
---|---|---|
committer | Martin Borg <martin.borg@enea.com> | 2016-09-29 13:37:39 +0200 |
commit | 96cf162f9d9e83121ec43a8baf940d4ebc75b811 (patch) | |
tree | b9f2df27caa54035f33f4aba79bcc060804c0dd4 /recipes-connectivity/openssl/openssl/CVE-2016-2181_p1.patch | |
parent | f73e0eb5d77764c00d6ae8db10528522fc8516bc (diff) | |
download | meta-el-common-krogoth.tar.gz |
openssl: Revert 9 CVE fixes merged upstreamkrogoth
Revert "openssl: Security fix CVE-2016-6306"
This reverts commit f73e0eb5d77764c00d6ae8db10528522fc8516bc.
Revert "openssl: Security fix CVE-2016-6304"
This reverts commit 35f3007f0e0c56bc2f96ab5893686191d099949f.
Revert "openssl: Security fix CVE-2016-6303"
This reverts commit 744b01090f6cf4984c11bb682693647a62103644.
Revert "openssl: Security fix CVE-2016-6302"
This reverts commit 8ac9ad185c0889af0bfb2fcd90a6987cb972eb0a.
Revert "openssl: Security fix CVE-2016-2182"
This reverts commit c95a5d22dedc5701d18e91e40a0c54802915187d.
Revert "openssl: Security fix CVE-2016-2181"
This reverts commit f0e2e3d84763477138d902f7d48ac2658266aa2b.
Revert "openssl: Security fix CVE-2016-2180"
This reverts commit 5493231d1ff5e9b259cd074245e909b5e39d926e.
Revert "openssl: Security fix CVE-2016-2179"
This reverts commit 331ca6f05824e5b005cbf504233b3c72275181d5.
Revert "openssl: Security fix CVE-2016-2178"
This reverts commit ac47871dfb962355c3c8971cd2fde2e4d03c9790.
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Signed-off-by: Martin Borg <martin.borg@enea.com>
Diffstat (limited to 'recipes-connectivity/openssl/openssl/CVE-2016-2181_p1.patch')
-rw-r--r-- | recipes-connectivity/openssl/openssl/CVE-2016-2181_p1.patch | 91 |
1 files changed, 0 insertions, 91 deletions
diff --git a/recipes-connectivity/openssl/openssl/CVE-2016-2181_p1.patch b/recipes-connectivity/openssl/openssl/CVE-2016-2181_p1.patch deleted file mode 100644 index 9149dbe..0000000 --- a/recipes-connectivity/openssl/openssl/CVE-2016-2181_p1.patch +++ /dev/null | |||
@@ -1,91 +0,0 @@ | |||
1 | From 20744f6b40b5ded059a848f66d6ba922f2a62eb3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Matt Caswell <matt@openssl.org> | ||
3 | Date: Tue, 5 Jul 2016 11:46:26 +0100 | ||
4 | Subject: [PATCH] Fix DTLS unprocessed records bug | ||
5 | |||
6 | During a DTLS handshake we may get records destined for the next epoch | ||
7 | arrive before we have processed the CCS. In that case we can't decrypt or | ||
8 | verify the record yet, so we buffer it for later use. When we do receive | ||
9 | the CCS we work through the queue of unprocessed records and process them. | ||
10 | |||
11 | Unfortunately the act of processing wipes out any existing packet data | ||
12 | that we were still working through. This includes any records from the new | ||
13 | epoch that were in the same packet as the CCS. We should only process the | ||
14 | buffered records if we've not got any data left. | ||
15 | |||
16 | Reviewed-by: Richard Levitte <levitte@openssl.org> | ||
17 | |||
18 | Upstream-Status: Backport | ||
19 | CVE: CVE-2016-2180 patch 1 | ||
20 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
21 | |||
22 | --- | ||
23 | ssl/d1_pkt.c | 23 +++++++++++++++++++++-- | ||
24 | 1 file changed, 21 insertions(+), 2 deletions(-) | ||
25 | |||
26 | diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c | ||
27 | index fe30ec7..1fb119d 100644 | ||
28 | --- a/ssl/d1_pkt.c | ||
29 | +++ b/ssl/d1_pkt.c | ||
30 | @@ -319,6 +319,7 @@ static int dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) | ||
31 | static int dtls1_process_buffered_records(SSL *s) | ||
32 | { | ||
33 | pitem *item; | ||
34 | + SSL3_BUFFER *rb; | ||
35 | |||
36 | item = pqueue_peek(s->d1->unprocessed_rcds.q); | ||
37 | if (item) { | ||
38 | @@ -326,6 +327,19 @@ static int dtls1_process_buffered_records(SSL *s) | ||
39 | if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch) | ||
40 | return (1); /* Nothing to do. */ | ||
41 | |||
42 | + rb = &s->s3->rbuf; | ||
43 | + | ||
44 | + if (rb->left > 0) { | ||
45 | + /* | ||
46 | + * We've still got data from the current packet to read. There could | ||
47 | + * be a record from the new epoch in it - so don't overwrite it | ||
48 | + * with the unprocessed records yet (we'll do it when we've | ||
49 | + * finished reading the current packet). | ||
50 | + */ | ||
51 | + return 1; | ||
52 | + } | ||
53 | + | ||
54 | + | ||
55 | /* Process all the records. */ | ||
56 | while (pqueue_peek(s->d1->unprocessed_rcds.q)) { | ||
57 | dtls1_get_unprocessed_record(s); | ||
58 | @@ -581,6 +595,7 @@ int dtls1_get_record(SSL *s) | ||
59 | |||
60 | rr = &(s->s3->rrec); | ||
61 | |||
62 | + again: | ||
63 | /* | ||
64 | * The epoch may have changed. If so, process all the pending records. | ||
65 | * This is a non-blocking operation. | ||
66 | @@ -593,7 +608,6 @@ int dtls1_get_record(SSL *s) | ||
67 | return 1; | ||
68 | |||
69 | /* get something from the wire */ | ||
70 | - again: | ||
71 | /* check if we have the header */ | ||
72 | if ((s->rstate != SSL_ST_READ_BODY) || | ||
73 | (s->packet_length < DTLS1_RT_HEADER_LENGTH)) { | ||
74 | @@ -1830,8 +1844,13 @@ static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, | ||
75 | if (rr->epoch == s->d1->r_epoch) | ||
76 | return &s->d1->bitmap; | ||
77 | |||
78 | - /* Only HM and ALERT messages can be from the next epoch */ | ||
79 | + /* | ||
80 | + * Only HM and ALERT messages can be from the next epoch and only if we | ||
81 | + * have already processed all of the unprocessed records from the last | ||
82 | + * epoch | ||
83 | + */ | ||
84 | else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) && | ||
85 | + s->d1->unprocessed_rcds.epoch != s->d1->r_epoch && | ||
86 | (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) { | ||
87 | *is_next_epoch = 1; | ||
88 | return &s->d1->next_bitmap; | ||
89 | -- | ||
90 | 2.7.4 | ||
91 | |||