diff options
Diffstat (limited to 'meta/recipes-connectivity/openssl')
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3568.patch | 98 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl_1.0.1g.bb | 1 |
2 files changed, 99 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3568.patch b/meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3568.patch new file mode 100644 index 0000000000..6dde020a9d --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3568.patch | |||
@@ -0,0 +1,98 @@ | |||
1 | From 26a59d9b46574e457870197dffa802871b4c8fc7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Geoff Thorpe <geoff@openssl.org> | ||
3 | Date: Wed, 15 Oct 2014 03:25:50 -0400 | ||
4 | Subject: [PATCH] Fix no-ssl3 configuration option | ||
5 | |||
6 | CVE-2014-3568 | ||
7 | |||
8 | Reviewed-by: Emilia Kasper <emilia@openssl.org> | ||
9 | Reviewed-by: Rich Salz <rsalz@openssl.org> | ||
10 | --- | ||
11 | ssl/s23_clnt.c | 9 +++++++-- | ||
12 | ssl/s23_srvr.c | 18 +++++++++--------- | ||
13 | 2 files changed, 16 insertions(+), 11 deletions(-) | ||
14 | |||
15 | diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c | ||
16 | index d4e43c3..86ab3de 100644 | ||
17 | --- a/ssl/s23_clnt.c | ||
18 | +++ b/ssl/s23_clnt.c | ||
19 | @@ -125,9 +125,11 @@ static const SSL_METHOD *ssl23_get_client_method(int ver) | ||
20 | if (ver == SSL2_VERSION) | ||
21 | return(SSLv2_client_method()); | ||
22 | #endif | ||
23 | +#ifndef OPENSSL_NO_SSL3 | ||
24 | if (ver == SSL3_VERSION) | ||
25 | return(SSLv3_client_method()); | ||
26 | - else if (ver == TLS1_VERSION) | ||
27 | +#endif | ||
28 | + if (ver == TLS1_VERSION) | ||
29 | return(TLSv1_client_method()); | ||
30 | else if (ver == TLS1_1_VERSION) | ||
31 | return(TLSv1_1_client_method()); | ||
32 | @@ -698,6 +700,7 @@ static int ssl23_get_server_hello(SSL *s) | ||
33 | { | ||
34 | /* we have sslv3 or tls1 (server hello or alert) */ | ||
35 | |||
36 | +#ifndef OPENSSL_NO_SSL3 | ||
37 | if ((p[2] == SSL3_VERSION_MINOR) && | ||
38 | !(s->options & SSL_OP_NO_SSLv3)) | ||
39 | { | ||
40 | @@ -712,7 +715,9 @@ static int ssl23_get_server_hello(SSL *s) | ||
41 | s->version=SSL3_VERSION; | ||
42 | s->method=SSLv3_client_method(); | ||
43 | } | ||
44 | - else if ((p[2] == TLS1_VERSION_MINOR) && | ||
45 | + else | ||
46 | +#endif | ||
47 | + if ((p[2] == TLS1_VERSION_MINOR) && | ||
48 | !(s->options & SSL_OP_NO_TLSv1)) | ||
49 | { | ||
50 | s->version=TLS1_VERSION; | ||
51 | diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c | ||
52 | index 567a6b1..93ca7d5 100644 | ||
53 | --- a/ssl/s23_srvr.c | ||
54 | +++ b/ssl/s23_srvr.c | ||
55 | @@ -127,9 +127,11 @@ static const SSL_METHOD *ssl23_get_server_method(int ver) | ||
56 | if (ver == SSL2_VERSION) | ||
57 | return(SSLv2_server_method()); | ||
58 | #endif | ||
59 | +#ifndef OPENSSL_NO_SSL3 | ||
60 | if (ver == SSL3_VERSION) | ||
61 | return(SSLv3_server_method()); | ||
62 | - else if (ver == TLS1_VERSION) | ||
63 | +#endif | ||
64 | + if (ver == TLS1_VERSION) | ||
65 | return(TLSv1_server_method()); | ||
66 | else if (ver == TLS1_1_VERSION) | ||
67 | return(TLSv1_1_server_method()); | ||
68 | @@ -600,6 +602,12 @@ int ssl23_get_client_hello(SSL *s) | ||
69 | if ((type == 2) || (type == 3)) | ||
70 | { | ||
71 | /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */ | ||
72 | + s->method = ssl23_get_server_method(s->version); | ||
73 | + if (s->method == NULL) | ||
74 | + { | ||
75 | + SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL); | ||
76 | + goto err; | ||
77 | + } | ||
78 | |||
79 | if (!ssl_init_wbio_buffer(s,1)) goto err; | ||
80 | |||
81 | @@ -627,14 +635,6 @@ int ssl23_get_client_hello(SSL *s) | ||
82 | s->s3->rbuf.left=0; | ||
83 | s->s3->rbuf.offset=0; | ||
84 | } | ||
85 | - if (s->version == TLS1_2_VERSION) | ||
86 | - s->method = TLSv1_2_server_method(); | ||
87 | - else if (s->version == TLS1_1_VERSION) | ||
88 | - s->method = TLSv1_1_server_method(); | ||
89 | - else if (s->version == TLS1_VERSION) | ||
90 | - s->method = TLSv1_server_method(); | ||
91 | - else | ||
92 | - s->method = SSLv3_server_method(); | ||
93 | #if 0 /* ssl3_get_client_hello does this */ | ||
94 | s->client_version=(v[0]<<8)|v[1]; | ||
95 | #endif | ||
96 | -- | ||
97 | 1.7.9.5 | ||
98 | |||
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb index 8afb21eedf..44e4a6bd04 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb | |||
@@ -46,6 +46,7 @@ SRC_URI += "file://configure-targets.patch \ | |||
46 | file://openssl-fix-CVE-2014-3566.patch \ | 46 | file://openssl-fix-CVE-2014-3566.patch \ |
47 | file://openssl-fix-CVE-2014-3513.patch \ | 47 | file://openssl-fix-CVE-2014-3513.patch \ |
48 | file://openssl-fix-CVE-2014-3567.patch \ | 48 | file://openssl-fix-CVE-2014-3567.patch \ |
49 | file://openssl-fix-CVE-2014-3568.patch \ | ||
49 | " | 50 | " |
50 | 51 | ||
51 | SRC_URI[md5sum] = "de62b43dfcd858e66a74bee1c834e959" | 52 | SRC_URI[md5sum] = "de62b43dfcd858e66a74bee1c834e959" |