1 files changed, 49 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-CVE-2014-3569.patch b/meta/recipes-connectivity/openssl/openssl/0001-CVE-2014-3569.patch
new file mode 100644
index 0000000000..6cd57b47ba
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-CVE-2014-3569.patch
@@ -0,0 +1,49 @@
+From 6ce9687b5aba5391fc0de50e18779eb676d0e04d Mon Sep 17 00:00:00 2001
+From: Kurt Roeckx <kurt@roeckx.be>
+Date: Tue, 21 Oct 2014 20:45:15 +0200
+Subject: [PATCH] Keep old method in case of an unsupported protocol
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+When we're configured with no-ssl3 and we receive an SSL v3 Client Hello, we set
+the method to NULL.  We didn't used to do that, and it breaks things.  This is a
+regression introduced in 62f45cc27d07187b59551e4fad3db4e52ea73f2c.  Keep the old
+method since the code is not able to deal with a NULL method at this time.
+CVE-2014-3569, PR#3571
+Upstream-Status: Backport
+Reviewed-by: Emilia Käsper <emilia@openssl.org>
+(cherry picked from commit 392fa7a952e97d82eac6958c81ed1e256e6b8ca5)
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ ssl/s23_srvr.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
+index 93ca7d5..de909b1 100644
+--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
+@@ -602,12 +602,14 @@ int ssl23_get_client_hello(SSL *s)
+        if ((type == 2) || (type == 3))
+                {
+                /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
+-                s->method = ssl23_get_server_method(s->version);
+-               if (s->method == NULL)
+               const SSL_METHOD *new_method;
+               new_method = ssl23_get_server_method(s->version);
+               if (new_method == NULL)
+                        {
+                        SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
+                        goto err;
+                        }
+               s->method = new_method;
+ 
+                if (!ssl_init_wbio_buffer(s,1)) goto err;
+ 
+-- 
+1.9.1

diff --git a/meta/recipes-connectivity/openssl/openssl/0001-CVE-2014-3569.patch b/meta/recipes-connectivity/openssl/openssl/0001-CVE-2014-3569.patch new file mode 100644 index 0000000000..6cd57b47ba --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0001-CVE-2014-3569.patch
@@ -0,0 +1,49 @@
	1	From 6ce9687b5aba5391fc0de50e18779eb676d0e04d Mon Sep 17 00:00:00 2001
	2	From: Kurt Roeckx <kurt@roeckx.be>
	3	Date: Tue, 21 Oct 2014 20:45:15 +0200
	4	Subject: [PATCH] Keep old method in case of an unsupported protocol
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	When we're configured with no-ssl3 and we receive an SSL v3 Client Hello, we set
	10	the method to NULL. We didn't used to do that, and it breaks things. This is a
	11	regression introduced in 62f45cc27d07187b59551e4fad3db4e52ea73f2c. Keep the old
	12	method since the code is not able to deal with a NULL method at this time.
	13
	14	CVE-2014-3569, PR#3571
	15
	16	Upstream-Status: Backport
	17
	18	Reviewed-by: Emilia Käsper <emilia@openssl.org>
	19	(cherry picked from commit 392fa7a952e97d82eac6958c81ed1e256e6b8ca5)
	20
	21	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	22	---
	23	ssl/s23_srvr.c \| 6 ++++--
	24	1 file changed, 4 insertions(+), 2 deletions(-)
	25
	26	diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
	27	index 93ca7d5..de909b1 100644
	28	--- a/ssl/s23_srvr.c
	29	+++ b/ssl/s23_srvr.c
	30	@@ -602,12 +602,14 @@ int ssl23_get_client_hello(SSL *s)
	31	if ((type == 2) \|\| (type == 3))
	32	{
	33	/* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
	34	- s->method = ssl23_get_server_method(s->version);
	35	- if (s->method == NULL)
	36	+ const SSL_METHOD *new_method;
	37	+ new_method = ssl23_get_server_method(s->version);
	38	+ if (new_method == NULL)
	39	{
	40	SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
	41	goto err;
	42	}
	43	+ s->method = new_method;
	44
	45	if (!ssl_init_wbio_buffer(s,1)) goto err;
	46
	47	--
	48	1.9.1
	49