summaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-connectivity')
-rw-r--r--meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3568.patch98
-rw-r--r--meta/recipes-connectivity/openssl/openssl_1.0.1g.bb1
2 files changed, 99 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3568.patch b/meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3568.patch
new file mode 100644
index 0000000000..6dde020a9d
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3568.patch
@@ -0,0 +1,98 @@
1From 26a59d9b46574e457870197dffa802871b4c8fc7 Mon Sep 17 00:00:00 2001
2From: Geoff Thorpe <geoff@openssl.org>
3Date: Wed, 15 Oct 2014 03:25:50 -0400
4Subject: [PATCH] Fix no-ssl3 configuration option
5
6CVE-2014-3568
7
8Reviewed-by: Emilia Kasper <emilia@openssl.org>
9Reviewed-by: Rich Salz <rsalz@openssl.org>
10---
11 ssl/s23_clnt.c | 9 +++++++--
12 ssl/s23_srvr.c | 18 +++++++++---------
13 2 files changed, 16 insertions(+), 11 deletions(-)
14
15diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
16index d4e43c3..86ab3de 100644
17--- a/ssl/s23_clnt.c
18+++ b/ssl/s23_clnt.c
19@@ -125,9 +125,11 @@ static const SSL_METHOD *ssl23_get_client_method(int ver)
20 if (ver == SSL2_VERSION)
21 return(SSLv2_client_method());
22 #endif
23+#ifndef OPENSSL_NO_SSL3
24 if (ver == SSL3_VERSION)
25 return(SSLv3_client_method());
26- else if (ver == TLS1_VERSION)
27+#endif
28+ if (ver == TLS1_VERSION)
29 return(TLSv1_client_method());
30 else if (ver == TLS1_1_VERSION)
31 return(TLSv1_1_client_method());
32@@ -698,6 +700,7 @@ static int ssl23_get_server_hello(SSL *s)
33 {
34 /* we have sslv3 or tls1 (server hello or alert) */
35
36+#ifndef OPENSSL_NO_SSL3
37 if ((p[2] == SSL3_VERSION_MINOR) &&
38 !(s->options & SSL_OP_NO_SSLv3))
39 {
40@@ -712,7 +715,9 @@ static int ssl23_get_server_hello(SSL *s)
41 s->version=SSL3_VERSION;
42 s->method=SSLv3_client_method();
43 }
44- else if ((p[2] == TLS1_VERSION_MINOR) &&
45+ else
46+#endif
47+ if ((p[2] == TLS1_VERSION_MINOR) &&
48 !(s->options & SSL_OP_NO_TLSv1))
49 {
50 s->version=TLS1_VERSION;
51diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
52index 567a6b1..93ca7d5 100644
53--- a/ssl/s23_srvr.c
54+++ b/ssl/s23_srvr.c
55@@ -127,9 +127,11 @@ static const SSL_METHOD *ssl23_get_server_method(int ver)
56 if (ver == SSL2_VERSION)
57 return(SSLv2_server_method());
58 #endif
59+#ifndef OPENSSL_NO_SSL3
60 if (ver == SSL3_VERSION)
61 return(SSLv3_server_method());
62- else if (ver == TLS1_VERSION)
63+#endif
64+ if (ver == TLS1_VERSION)
65 return(TLSv1_server_method());
66 else if (ver == TLS1_1_VERSION)
67 return(TLSv1_1_server_method());
68@@ -600,6 +602,12 @@ int ssl23_get_client_hello(SSL *s)
69 if ((type == 2) || (type == 3))
70 {
71 /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
72+ s->method = ssl23_get_server_method(s->version);
73+ if (s->method == NULL)
74+ {
75+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
76+ goto err;
77+ }
78
79 if (!ssl_init_wbio_buffer(s,1)) goto err;
80
81@@ -627,14 +635,6 @@ int ssl23_get_client_hello(SSL *s)
82 s->s3->rbuf.left=0;
83 s->s3->rbuf.offset=0;
84 }
85- if (s->version == TLS1_2_VERSION)
86- s->method = TLSv1_2_server_method();
87- else if (s->version == TLS1_1_VERSION)
88- s->method = TLSv1_1_server_method();
89- else if (s->version == TLS1_VERSION)
90- s->method = TLSv1_server_method();
91- else
92- s->method = SSLv3_server_method();
93 #if 0 /* ssl3_get_client_hello does this */
94 s->client_version=(v[0]<<8)|v[1];
95 #endif
96--
971.7.9.5
98
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
index 8afb21eedf..44e4a6bd04 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
@@ -46,6 +46,7 @@ SRC_URI += "file://configure-targets.patch \
46 file://openssl-fix-CVE-2014-3566.patch \ 46 file://openssl-fix-CVE-2014-3566.patch \
47 file://openssl-fix-CVE-2014-3513.patch \ 47 file://openssl-fix-CVE-2014-3513.patch \
48 file://openssl-fix-CVE-2014-3567.patch \ 48 file://openssl-fix-CVE-2014-3567.patch \
49 file://openssl-fix-CVE-2014-3568.patch \
49 " 50 "
50 51
51SRC_URI[md5sum] = "de62b43dfcd858e66a74bee1c834e959" 52SRC_URI[md5sum] = "de62b43dfcd858e66a74bee1c834e959"