Acasă Explorează Ajutor
Înregistrare Autentificare
OpenWrt
/
openwrt
oglindă de https://github.com/openwrt/openwrt.git
2
0
Bifurcare 0
Fisiere Probleme 0 Wiki
Răsfoiți Sursa

openssl: update OpenSSL to 1.0.1e, fix Cisco DTLS.

1.0.1d had a rushed fix for CVE-2013-0169 which broke in certain
circumstances. 1.0.1e has the fix for TLS.

Also include a further patch from the 1.0.1 branch which fixes the
breakage this introduced for Cisco's outdated pre-standard version of
DTLS, as used by OpenConnect.

Update mirror URLs to reflect current reality.

Signed-off-by: David Woodhouse <[email protected]>
Signed-off-by: Florian Fainelli <[email protected]>

SVN-Revision: 35600
Florian Fainelli 13 ani în urmă
părinte
c0f6c75cf7
comite
22e8b168c8
2 a modificat fișierele cu 34 adăugiri și 4 ștergeri
Vizualizare divizată Arată Statisticile Diff
  1. 3 4
      package/libs/openssl/Makefile
  2. 31 0
      package/libs/openssl/patches/120-cisco-dtls-fix.patch

+ 3 - 4
package/libs/openssl/Makefile
Vizualizați fișierul 

@@ -8,15 +8,14 @@
 
 include $(TOPDIR)/rules.mk
 
 
 PKG_NAME:=openssl
 
-PKG_VERSION:=1.0.1d
 
+PKG_VERSION:=1.0.1e
 
 PKG_RELEASE:=1
 
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 
 PKG_SOURCE_URL:=http://www.openssl.org/source/ \
 
-	ftp://ftp.funet.fi/pub/crypt/cryptography/libs/openssl/source/ \
 
-	ftp://ftp.webmonster.de/pub/openssl/source/ \
 
+	ftp://ftp.funet.fi/pub/crypt/mirrors/ftp.openssl.org/source \
 
 	ftp://ftp.sunet.se/pub/security/tools/net/openssl/source/
 
-PKG_MD5SUM:=b92fc634f0f1f31a67ed4175adc5ba33
 
+PKG_MD5SUM:=66bf6f10f060d561929de96f9dfe5b8c
 
 
 PKG_LICENSE:=SSLEAY OPENSSL
 
 PKG_LICENSE_FILES:=LICENSE

+ 31 - 0
package/libs/openssl/patches/120-cisco-dtls-fix.patch
Vizualizați fișierul 

@@ -0,0 +1,31 @@
 
+From 9fe4603b8245425a4c46986ed000fca054231253 Mon Sep 17 00:00:00 2001
 
+From: David Woodhouse <[email protected]>
 
+Date: Tue, 12 Feb 2013 14:55:32 +0000
 
+Subject: [PATCH] Check DTLS_BAD_VER for version number.
 
+
 
+The version check for DTLS1_VERSION was redundant as
 
+DTLS1_VERSION > TLS1_1_VERSION, however we do need to
 
+check for DTLS1_BAD_VER for compatibility.
 
+
 
+PR:2984
 
+(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)
 
+---
 
+ ssl/s3_cbc.c | 2 +-
 
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 
+
 
+diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
 
+index 02edf3f..443a31e 100644
 
+--- a/ssl/s3_cbc.c
 
++++ b/ssl/s3_cbc.c
 
+@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
 
+ 	unsigned padding_length, good, to_check, i;
 
+ 	const unsigned overhead = 1 /* padding length byte */ + mac_size;
 
+ 	/* Check if version requires explicit IV */
 
+-	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
 
++	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
 
+ 		{
 
+ 		/* These lengths are all public so we can test them in
 
+ 		 * non-constant time.
 
+-- 
+1.8.1.2
 
+