diff options
Diffstat (limited to 'meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-fix-CVE-2014-3568.patch')
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-fix-CVE-2014-3568.patch | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-fix-CVE-2014-3568.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-fix-CVE-2014-3568.patch new file mode 100644 index 0000000000..7313f9b2c3 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-fix-CVE-2014-3568.patch | |||
@@ -0,0 +1,99 @@ | |||
1 | From 26a59d9b46574e457870197dffa802871b4c8fc7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Geoff Thorpe <geoff@openssl.org> | ||
3 | Date: Wed, 15 Oct 2014 03:25:50 -0400 | ||
4 | Subject: [PATCH] Fix no-ssl3 configuration option | ||
5 | |||
6 | CVE-2014-3568 | ||
7 | |||
8 | Reviewed-by: Emilia Kasper <emilia@openssl.org> | ||
9 | Reviewed-by: Rich Salz <rsalz@openssl.org> | ||
10 | Signed-off-by: Catalin Popeanga <catalin.popeanga@enea.com> | ||
11 | --- | ||
12 | ssl/s23_clnt.c | 9 +++++++-- | ||
13 | ssl/s23_srvr.c | 18 +++++++++--------- | ||
14 | 2 files changed, 16 insertions(+), 11 deletions(-) | ||
15 | |||
16 | diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c | ||
17 | index d4e43c3..86ab3de 100644 | ||
18 | --- a/ssl/s23_clnt.c | ||
19 | +++ b/ssl/s23_clnt.c | ||
20 | @@ -125,9 +125,11 @@ static const SSL_METHOD *ssl23_get_client_method(int ver) | ||
21 | if (ver == SSL2_VERSION) | ||
22 | return(SSLv2_client_method()); | ||
23 | #endif | ||
24 | +#ifndef OPENSSL_NO_SSL3 | ||
25 | if (ver == SSL3_VERSION) | ||
26 | return(SSLv3_client_method()); | ||
27 | - else if (ver == TLS1_VERSION) | ||
28 | +#endif | ||
29 | + if (ver == TLS1_VERSION) | ||
30 | return(TLSv1_client_method()); | ||
31 | else if (ver == TLS1_1_VERSION) | ||
32 | return(TLSv1_1_client_method()); | ||
33 | @@ -698,6 +700,7 @@ static int ssl23_get_server_hello(SSL *s) | ||
34 | { | ||
35 | /* we have sslv3 or tls1 (server hello or alert) */ | ||
36 | |||
37 | +#ifndef OPENSSL_NO_SSL3 | ||
38 | if ((p[2] == SSL3_VERSION_MINOR) && | ||
39 | !(s->options & SSL_OP_NO_SSLv3)) | ||
40 | { | ||
41 | @@ -712,7 +715,9 @@ static int ssl23_get_server_hello(SSL *s) | ||
42 | s->version=SSL3_VERSION; | ||
43 | s->method=SSLv3_client_method(); | ||
44 | } | ||
45 | - else if ((p[2] == TLS1_VERSION_MINOR) && | ||
46 | + else | ||
47 | +#endif | ||
48 | + if ((p[2] == TLS1_VERSION_MINOR) && | ||
49 | !(s->options & SSL_OP_NO_TLSv1)) | ||
50 | { | ||
51 | s->version=TLS1_VERSION; | ||
52 | diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c | ||
53 | index 567a6b1..93ca7d5 100644 | ||
54 | --- a/ssl/s23_srvr.c | ||
55 | +++ b/ssl/s23_srvr.c | ||
56 | @@ -127,9 +127,11 @@ static const SSL_METHOD *ssl23_get_server_method(int ver) | ||
57 | if (ver == SSL2_VERSION) | ||
58 | return(SSLv2_server_method()); | ||
59 | #endif | ||
60 | +#ifndef OPENSSL_NO_SSL3 | ||
61 | if (ver == SSL3_VERSION) | ||
62 | return(SSLv3_server_method()); | ||
63 | - else if (ver == TLS1_VERSION) | ||
64 | +#endif | ||
65 | + if (ver == TLS1_VERSION) | ||
66 | return(TLSv1_server_method()); | ||
67 | else if (ver == TLS1_1_VERSION) | ||
68 | return(TLSv1_1_server_method()); | ||
69 | @@ -600,6 +602,12 @@ int ssl23_get_client_hello(SSL *s) | ||
70 | if ((type == 2) || (type == 3)) | ||
71 | { | ||
72 | /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */ | ||
73 | + s->method = ssl23_get_server_method(s->version); | ||
74 | + if (s->method == NULL) | ||
75 | + { | ||
76 | + SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL); | ||
77 | + goto err; | ||
78 | + } | ||
79 | |||
80 | if (!ssl_init_wbio_buffer(s,1)) goto err; | ||
81 | |||
82 | @@ -627,14 +635,6 @@ int ssl23_get_client_hello(SSL *s) | ||
83 | s->s3->rbuf.left=0; | ||
84 | s->s3->rbuf.offset=0; | ||
85 | } | ||
86 | - if (s->version == TLS1_2_VERSION) | ||
87 | - s->method = TLSv1_2_server_method(); | ||
88 | - else if (s->version == TLS1_1_VERSION) | ||
89 | - s->method = TLSv1_1_server_method(); | ||
90 | - else if (s->version == TLS1_VERSION) | ||
91 | - s->method = TLSv1_server_method(); | ||
92 | - else | ||
93 | - s->method = SSLv3_server_method(); | ||
94 | #if 0 /* ssl3_get_client_hello does this */ | ||
95 | s->client_version=(v[0]<<8)|v[1]; | ||
96 | #endif | ||
97 | -- | ||
98 | 1.7.9.5 | ||
99 | |||