summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFlorian Fainelli <florian@openwrt.org>2013-02-14 13:00:03 +0000
committerFlorian Fainelli <florian@openwrt.org>2013-02-14 13:00:03 +0000
commit22e8b168c8908bf8941e9bdc0edada36dcdea95b (patch)
tree8721e8caa0357c8c1fd1418ee7b083f459602038
parentc0f6c75cf777e549e76f4e82ed89c2d5833246dc (diff)
downloadmtk-20170518-22e8b168c8908bf8941e9bdc0edada36dcdea95b.zip
mtk-20170518-22e8b168c8908bf8941e9bdc0edada36dcdea95b.tar.gz
mtk-20170518-22e8b168c8908bf8941e9bdc0edada36dcdea95b.tar.bz2
openssl: update OpenSSL to 1.0.1e, fix Cisco DTLS.
1.0.1d had a rushed fix for CVE-2013-0169 which broke in certain circumstances. 1.0.1e has the fix for TLS. Also include a further patch from the 1.0.1 branch which fixes the breakage this introduced for Cisco's outdated pre-standard version of DTLS, as used by OpenConnect. Update mirror URLs to reflect current reality. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Signed-off-by: Florian Fainelli <florian@openwrt.org> SVN-Revision: 35600
-rw-r--r--package/libs/openssl/Makefile7
-rw-r--r--package/libs/openssl/patches/120-cisco-dtls-fix.patch31
2 files changed, 34 insertions, 4 deletions
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 39ec4cf..a8b3257 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -8,15 +8,14 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=openssl
-PKG_VERSION:=1.0.1d
+PKG_VERSION:=1.0.1e
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://www.openssl.org/source/ \
- ftp://ftp.funet.fi/pub/crypt/cryptography/libs/openssl/source/ \
- ftp://ftp.webmonster.de/pub/openssl/source/ \
+ ftp://ftp.funet.fi/pub/crypt/mirrors/ftp.openssl.org/source \
ftp://ftp.sunet.se/pub/security/tools/net/openssl/source/
-PKG_MD5SUM:=b92fc634f0f1f31a67ed4175adc5ba33
+PKG_MD5SUM:=66bf6f10f060d561929de96f9dfe5b8c
PKG_LICENSE:=SSLEAY OPENSSL
PKG_LICENSE_FILES:=LICENSE
diff --git a/package/libs/openssl/patches/120-cisco-dtls-fix.patch b/package/libs/openssl/patches/120-cisco-dtls-fix.patch
new file mode 100644
index 0000000..11e6bb5
--- /dev/null
+++ b/package/libs/openssl/patches/120-cisco-dtls-fix.patch
@@ -0,0 +1,31 @@
+From 9fe4603b8245425a4c46986ed000fca054231253 Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dwmw2@infradead.org>
+Date: Tue, 12 Feb 2013 14:55:32 +0000
+Subject: [PATCH] Check DTLS_BAD_VER for version number.
+
+The version check for DTLS1_VERSION was redundant as
+DTLS1_VERSION > TLS1_1_VERSION, however we do need to
+check for DTLS1_BAD_VER for compatibility.
+
+PR:2984
+(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)
+---
+ ssl/s3_cbc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
+index 02edf3f..443a31e 100644
+--- a/ssl/s3_cbc.c
++++ b/ssl/s3_cbc.c
+@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
+ unsigned padding_length, good, to_check, i;
+ const unsigned overhead = 1 /* padding length byte */ + mac_size;
+ /* Check if version requires explicit IV */
+- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
++ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
+ {
+ /* These lengths are all public so we can test them in
+ * non-constant time.
+--
+1.8.1.2
+