diff options
Diffstat (limited to 'share/security/patches/SA-14:03/openssl.patch')
-rw-r--r-- | share/security/patches/SA-14:03/openssl.patch | 91 |
1 files changed, 91 insertions, 0 deletions
diff --git a/share/security/patches/SA-14:03/openssl.patch b/share/security/patches/SA-14:03/openssl.patch new file mode 100644 index 0000000000..2a681158fa --- /dev/null +++ b/share/security/patches/SA-14:03/openssl.patch @@ -0,0 +1,91 @@ +Index: crypto/openssl/ssl/d1_both.c +=================================================================== +--- crypto/openssl/ssl/d1_both.c (revision 260378) ++++ crypto/openssl/ssl/d1_both.c (working copy) +@@ -214,6 +214,12 @@ dtls1_hm_fragment_new(unsigned long frag_len, int + static void + dtls1_hm_fragment_free(hm_fragment *frag) + { ++ ++ if (frag->msg_header.is_ccs) ++ { ++ EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx); ++ EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash); ++ } + if (frag->fragment) OPENSSL_free(frag->fragment); + if (frag->reassembly) OPENSSL_free(frag->reassembly); + OPENSSL_free(frag); +Index: crypto/openssl/ssl/s3_both.c +=================================================================== +--- crypto/openssl/ssl/s3_both.c (revision 260378) ++++ crypto/openssl/ssl/s3_both.c (working copy) +@@ -208,7 +208,11 @@ static void ssl3_take_mac(SSL *s) + { + const char *sender; + int slen; +- ++ /* If no new cipher setup return immediately: other functions will ++ * set the appropriate error. ++ */ ++ if (s->s3->tmp.new_cipher == NULL) ++ return; + if (s->state & SSL_ST_CONNECT) + { + sender=s->method->ssl3_enc->server_finished_label; +Index: crypto/openssl/ssl/s3_lib.c +=================================================================== +--- crypto/openssl/ssl/s3_lib.c (revision 260378) ++++ crypto/openssl/ssl/s3_lib.c (working copy) +@@ -4274,7 +4274,7 @@ need to go to SSL_ST_ACCEPT. + long ssl_get_algorithm2(SSL *s) + { + long alg2 = s->s3->tmp.new_cipher->algorithm2; +- if (TLS1_get_version(s) >= TLS1_2_VERSION && ++ if (s->method->version == TLS1_2_VERSION && + alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) + return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; + return alg2; +Index: crypto/openssl/ssl/ssl_locl.h +=================================================================== +--- crypto/openssl/ssl/ssl_locl.h (revision 260378) ++++ crypto/openssl/ssl/ssl_locl.h (working copy) +@@ -621,6 +621,8 @@ extern SSL3_ENC_METHOD TLSv1_enc_data; + extern SSL3_ENC_METHOD SSLv3_enc_data; + extern SSL3_ENC_METHOD DTLSv1_enc_data; + ++#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION) ++ + #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \ + s_get_meth) \ + const SSL_METHOD *func_name(void) \ +Index: crypto/openssl/ssl/t1_enc.c +=================================================================== +--- crypto/openssl/ssl/t1_enc.c (revision 260378) ++++ crypto/openssl/ssl/t1_enc.c (working copy) +@@ -414,15 +414,20 @@ int tls1_change_cipher_state(SSL *s, int which) + s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; + else + s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; +- if (s->enc_write_ctx != NULL) ++ if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) + reuse_dd = 1; +- else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) ++ else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL) + goto err; ++ dd= s->enc_write_ctx; ++ if (SSL_IS_DTLS(s)) ++ { ++ mac_ctx = EVP_MD_CTX_create(); ++ if (!mac_ctx) ++ goto err; ++ s->write_hash = mac_ctx; ++ } + else +- /* make sure it's intialized in case we exit later with an error */ +- EVP_CIPHER_CTX_init(s->enc_write_ctx); +- dd= s->enc_write_ctx; +- mac_ctx = ssl_replace_hash(&s->write_hash,NULL); ++ mac_ctx = ssl_replace_hash(&s->write_hash,NULL); + #ifndef OPENSSL_NO_COMP + if (s->compress != NULL) + { |