Fix CVE-2014-3568

Fix no-ssl3 configuration option This patch is a backport from OpenSSL_1.0.1j. Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
author: Catalin Popeanga <Catalin.Popeanga@enea.com> 2014-10-15 17:36:23 +0200
committer: Tudor Florea <tudor.florea@enea.com> 2015-07-06 20:19:36 +0200
commit: 68e1d0057391ad64603e8fd824c16b58a2d88b19 (patch)
tree: dec2775e284d306915e060fc5b3399a7edf4f4e6
parent: 6f221e66d41547cd46df26cacc00cc07d73c71a5 (diff)
download: poky-68e1d0057391ad64603e8fd824c16b58a2d88b19.tar.gz
2 files changed, 99 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3568.patch b/meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3568.patch
new file mode 100644
index 0000000000..6dde020a9d
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3568.patch
@@ -0,0 +1,98 @@
+From 26a59d9b46574e457870197dffa802871b4c8fc7 Mon Sep 17 00:00:00 2001
+From: Geoff Thorpe <geoff@openssl.org>
+Date: Wed, 15 Oct 2014 03:25:50 -0400
+Subject: [PATCH] Fix no-ssl3 configuration option
+CVE-2014-3568
+Reviewed-by: Emilia Kasper <emilia@openssl.org>
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+---
+ ssl/s23_clnt.c |    9 +++++++--
+ ssl/s23_srvr.c |   18 +++++++++---------
+ 2 files changed, 16 insertions(+), 11 deletions(-)
+diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
+index d4e43c3..86ab3de 100644
+--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
+@@ -125,9 +125,11 @@ static const SSL_METHOD *ssl23_get_client_method(int ver)
+        if (ver == SSL2_VERSION)
+                return(SSLv2_client_method());
+ #endif
+#ifndef OPENSSL_NO_SSL3
+        if (ver == SSL3_VERSION)
+                return(SSLv3_client_method());
+-       else if (ver == TLS1_VERSION)
+#endif
+       if (ver == TLS1_VERSION)
+                return(TLSv1_client_method());
+        else if (ver == TLS1_1_VERSION)
+                return(TLSv1_1_client_method());
+@@ -698,6 +700,7 @@ static int ssl23_get_server_hello(SSL *s)
+                {
+                /* we have sslv3 or tls1 (server hello or alert) */
+ 
+#ifndef OPENSSL_NO_SSL3
+                if ((p[2] == SSL3_VERSION_MINOR) &&
+                        !(s->options & SSL_OP_NO_SSLv3))
+                        {
+@@ -712,7 +715,9 @@ static int ssl23_get_server_hello(SSL *s)
+                        s->version=SSL3_VERSION;
+                        s->method=SSLv3_client_method();
+                        }
+-               else if ((p[2] == TLS1_VERSION_MINOR) &&
+               else
+#endif
+               if ((p[2] == TLS1_VERSION_MINOR) &&
+                        !(s->options & SSL_OP_NO_TLSv1))
+                        {
+                        s->version=TLS1_VERSION;
+diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
+index 567a6b1..93ca7d5 100644
+--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
+@@ -127,9 +127,11 @@ static const SSL_METHOD *ssl23_get_server_method(int ver)
+        if (ver == SSL2_VERSION)
+                return(SSLv2_server_method());
+ #endif
+#ifndef OPENSSL_NO_SSL3
+        if (ver == SSL3_VERSION)
+                return(SSLv3_server_method());
+-       else if (ver == TLS1_VERSION)
+#endif
+       if (ver == TLS1_VERSION)
+                return(TLSv1_server_method());
+        else if (ver == TLS1_1_VERSION)
+                return(TLSv1_1_server_method());
+@@ -600,6 +602,12 @@ int ssl23_get_client_hello(SSL *s)
+        if ((type == 2) || (type == 3))
+                {
+                /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
+                s->method = ssl23_get_server_method(s->version);
+               if (s->method == NULL)
+                       {
+                       SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
+                       goto err;
+                       }
+ 
+                if (!ssl_init_wbio_buffer(s,1)) goto err;
+ 
+@@ -627,14 +635,6 @@ int ssl23_get_client_hello(SSL *s)
+                        s->s3->rbuf.left=0;
+                        s->s3->rbuf.offset=0;
+                        }
+-               if (s->version == TLS1_2_VERSION)
+-                       s->method = TLSv1_2_server_method();
+-               else if (s->version == TLS1_1_VERSION)
+-                       s->method = TLSv1_1_server_method();
+-               else if (s->version == TLS1_VERSION)
+-                       s->method = TLSv1_server_method();
+-               else
+-                       s->method = SSLv3_server_method();
+ #if 0 /* ssl3_get_client_hello does this */
+                s->client_version=(v[0]<<8)|v[1];
+ #endif
+-- 
+1.7.9.5
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
index 8afb21eedf..44e4a6bd04 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
@@ -46,6 +46,7 @@ SRC_URI += "file://configure-targets.patch \
            file://openssl-fix-CVE-2014-3566.patch \
            file://openssl-fix-CVE-2014-3513.patch \
            file://openssl-fix-CVE-2014-3567.patch \
+            file://openssl-fix-CVE-2014-3568.patch \
           "
 SRC_URI[md5sum] = "de62b43dfcd858e66a74bee1c834e959"
author	Catalin Popeanga <Catalin.Popeanga@enea.com>	2014-10-15 17:36:23 +0200
committer	Tudor Florea <tudor.florea@enea.com>	2015-07-06 20:19:36 +0200
commit	68e1d0057391ad64603e8fd824c16b58a2d88b19 (patch)
tree	dec2775e284d306915e060fc5b3399a7edf4f4e6
parent	6f221e66d41547cd46df26cacc00cc07d73c71a5 (diff)
download	poky-68e1d0057391ad64603e8fd824c16b58a2d88b19.tar.gz

diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3568.patch b/meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3568.patch new file mode 100644 index 0000000000..6dde020a9d --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3568.patch
@@ -0,0 +1,98 @@
		1	From 26a59d9b46574e457870197dffa802871b4c8fc7 Mon Sep 17 00:00:00 2001
		2	From: Geoff Thorpe <geoff@openssl.org>
		3	Date: Wed, 15 Oct 2014 03:25:50 -0400
		4	Subject: [PATCH] Fix no-ssl3 configuration option
		5
		6	CVE-2014-3568
		7
		8	Reviewed-by: Emilia Kasper <emilia@openssl.org>
		9	Reviewed-by: Rich Salz <rsalz@openssl.org>
		10	---
		11	ssl/s23_clnt.c \| 9 +++++++--
		12	ssl/s23_srvr.c \| 18 +++++++++---------
		13	2 files changed, 16 insertions(+), 11 deletions(-)
		14
		15	diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
		16	index d4e43c3..86ab3de 100644
		17	--- a/ssl/s23_clnt.c
		18	+++ b/ssl/s23_clnt.c
		19	@@ -125,9 +125,11 @@ static const SSL_METHOD *ssl23_get_client_method(int ver)
		20	if (ver == SSL2_VERSION)
		21	return(SSLv2_client_method());
		22	#endif
		23	+#ifndef OPENSSL_NO_SSL3
		24	if (ver == SSL3_VERSION)
		25	return(SSLv3_client_method());
		26	- else if (ver == TLS1_VERSION)
		27	+#endif
		28	+ if (ver == TLS1_VERSION)
		29	return(TLSv1_client_method());
		30	else if (ver == TLS1_1_VERSION)
		31	return(TLSv1_1_client_method());
		32	@@ -698,6 +700,7 @@ static int ssl23_get_server_hello(SSL *s)
		33	{
		34	/* we have sslv3 or tls1 (server hello or alert) */
		35
		36	+#ifndef OPENSSL_NO_SSL3
		37	if ((p[2] == SSL3_VERSION_MINOR) &&
		38	!(s->options & SSL_OP_NO_SSLv3))
		39	{
		40	@@ -712,7 +715,9 @@ static int ssl23_get_server_hello(SSL *s)
		41	s->version=SSL3_VERSION;
		42	s->method=SSLv3_client_method();
		43	}
		44	- else if ((p[2] == TLS1_VERSION_MINOR) &&
		45	+ else
		46	+#endif
		47	+ if ((p[2] == TLS1_VERSION_MINOR) &&
		48	!(s->options & SSL_OP_NO_TLSv1))
		49	{
		50	s->version=TLS1_VERSION;
		51	diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
		52	index 567a6b1..93ca7d5 100644
		53	--- a/ssl/s23_srvr.c
		54	+++ b/ssl/s23_srvr.c
		55	@@ -127,9 +127,11 @@ static const SSL_METHOD *ssl23_get_server_method(int ver)
		56	if (ver == SSL2_VERSION)
		57	return(SSLv2_server_method());
		58	#endif
		59	+#ifndef OPENSSL_NO_SSL3
		60	if (ver == SSL3_VERSION)
		61	return(SSLv3_server_method());
		62	- else if (ver == TLS1_VERSION)
		63	+#endif
		64	+ if (ver == TLS1_VERSION)
		65	return(TLSv1_server_method());
		66	else if (ver == TLS1_1_VERSION)
		67	return(TLSv1_1_server_method());
		68	@@ -600,6 +602,12 @@ int ssl23_get_client_hello(SSL *s)
		69	if ((type == 2) \|\| (type == 3))
		70	{
		71	/* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
		72	+ s->method = ssl23_get_server_method(s->version);
		73	+ if (s->method == NULL)
		74	+ {
		75	+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
		76	+ goto err;
		77	+ }
		78
		79	if (!ssl_init_wbio_buffer(s,1)) goto err;
		80
		81	@@ -627,14 +635,6 @@ int ssl23_get_client_hello(SSL *s)
		82	s->s3->rbuf.left=0;
		83	s->s3->rbuf.offset=0;
		84	}
		85	- if (s->version == TLS1_2_VERSION)
		86	- s->method = TLSv1_2_server_method();
		87	- else if (s->version == TLS1_1_VERSION)
		88	- s->method = TLSv1_1_server_method();
		89	- else if (s->version == TLS1_VERSION)
		90	- s->method = TLSv1_server_method();
		91	- else
		92	- s->method = SSLv3_server_method();
		93	#if 0 /* ssl3_get_client_hello does this */
		94	s->client_version=(v[0]<<8)\|v[1];
		95	#endif
		96	--
		97	1.7.9.5
		98


diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb index 8afb21eedf..44e4a6bd04 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
@@ -46,6 +46,7 @@ SRC_URI += "file://configure-targets.patch \
46	file://openssl-fix-CVE-2014-3566.patch \	46	file://openssl-fix-CVE-2014-3566.patch \
47	file://openssl-fix-CVE-2014-3513.patch \	47	file://openssl-fix-CVE-2014-3513.patch \
48	file://openssl-fix-CVE-2014-3567.patch \	48	file://openssl-fix-CVE-2014-3567.patch \
		49	file://openssl-fix-CVE-2014-3568.patch \
49	"	50	"
50		51
51	SRC_URI[md5sum] = "de62b43dfcd858e66a74bee1c834e959"	52	SRC_URI[md5sum] = "de62b43dfcd858e66a74bee1c834e959"