bump to openssl-1.0.1g

Change-Id: I1e0ee6aa3d136c75309c5c70011da787806efa1f

bump to openssl-1.0.1g
Change-Id: I1e0ee6aa3d136c75309c5c70011da787806efa1f
ccd048fa · Caolán McNamara · a3416803 · ccd048fa · a3416803 · ccd048fa
Kaydet (Commit) ccd048fa authored Nis 08, 2014 tarafından Caolán McNamara
Showing with 1 addition and 110 deletions

download.lst download.lst +1 -1

CVE-2014-0160.patch external/openssl/CVE-2014-0160.patch +0 -108

UnpackedTarball_openssl.mk external/openssl/UnpackedTarball_openssl.mk +0 -1

No files found.
--- a/download.lst
+++ b/download.lst
@@ -98,7 +98,7 @@ export MYTHES_TARBALL := 46e92b68e31e858512b680b3b61dc4c1-mythes-1.2.3.tar.gz
 export NEON_TARBALL := ff369e69ef0f0143beb5626164e87ae2-neon-0.29.5.tar.gz
 export NSS_TARBALL := 06beb053e257d9e22641339c905c6eba-nss-3.15.3-with-nspr-4.10.2.tar.gz
 export OPENLDAP_TARBALL := 804c6cb5698db30b75ad0ff1c25baefd-openldap-2.4.31.tgz
-export OPENSSL_TARBALL := 66bf6f10f060d561929de96f9dfe5b8c-openssl-1.0.1e.tar.gz
+export OPENSSL_TARBALL := de62b43dfcd858e66a74bee1c834e959-openssl-1.0.1g.tar.gz
 export ORCUS_TARBALL := 7681383be6ce489d84c1c74f4e7f9643-liborcus-0.7.0.tar.bz2
 export PIXMAN_TARBALL := c63f411b3ad147db2bcce1bf262a0e02-pixman-0.24.4.tar.bz2
 export PNG_TARBALL := 9e5d864bce8f06751bbd99962ecf4aad-libpng-1.5.10.tar.gz

--- a/external/openssl/CVE-2014-0160.patch
+++ b/external/openssl/CVE-2014-0160.patch
-From: Dr. Stephen Henson <steve@openssl.org>
-Date: Sat, 5 Apr 2014 23:51:06 +0000 (+0100)
-Subject: Add heartbeat extension bounds check.
-X-Git-Tag: OpenSSL_1_0_1g~3
-X-Git-Url: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=96db902
-
-Add heartbeat extension bounds check.
-
-A missing bounds check in the handling of the TLS heartbeat extension
-can be used to reveal up to 64k of memory to a connected client or
-server.
-
-Thanks for Neel Mehta of Google Security for discovering this bug and to
-Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
-preparing the fix (CVE-2014-0160)
---
-
-diff --git a/a/ssl/d1_both.c b/ssl/d1_both.c
-index 7a5596a..2e8cf68 100644
--- a/a/ssl/d1_both.c
-+++ a/b/ssl/d1_both.c
-@@ -1459,26 +1459,36 @@ dtls1_process_heartbeat(SSL *s)
- 	unsigned int payload;
- 	unsigned int padding = 16; /* Use minimum padding */
- 
-	/* Read type and payload length first */
-	hbtype = *p++;
-	n2s(p, payload);
-	pl = p;
-
- 	if (s->msg_callback)
- 		s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
- 			&s->s3->rrec.data[0], s->s3->rrec.length,
- 			s, s->msg_callback_arg);
- 
-+	/* Read type and payload length first */
-+	if (1 + 2 + 16 > s->s3->rrec.length)
-+		return 0; /* silently discard */
-+	hbtype = *p++;
-+	n2s(p, payload);
-+	if (1 + 2 + payload + 16 > s->s3->rrec.length)
-+		return 0; /* silently discard per RFC 6520 sec. 4 */
-+	pl = p;
-+
- 	if (hbtype == TLS1_HB_REQUEST)
- 		{
- 		unsigned char *buffer, *bp;
-+		unsigned int write_length = 1 /* heartbeat type */ +
-+					    2 /* heartbeat length */ +
-+					    payload + padding;
- 		int r;
- 
-+		if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
-+			return 0;
-+
- 		/* Allocate memory for the response, size is 1 byte
- 		 * message type, plus 2 bytes payload length, plus
- 		 * payload, plus padding
- 		 */
-		buffer = OPENSSL_malloc(1 + 2 + payload + padding);
-+		buffer = OPENSSL_malloc(write_length);
- 		bp = buffer;
- 
- 		/* Enter response type, length and copy payload */
-@@ -1489,11 +1499,11 @@ dtls1_process_heartbeat(SSL *s)
- 		/* Random padding */
- 		RAND_pseudo_bytes(bp, padding);
- 
-		r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
-+		r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length);
- 
- 		if (r >= 0 && s->msg_callback)
- 			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
-				buffer, 3 + payload + padding,
-+				buffer, write_length,
- 				s, s->msg_callback_arg);
- 
- 		OPENSSL_free(buffer);
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index b82fada..bddffd9 100644
--- a/a/ssl/t1_lib.c
-+++ a/b/ssl/t1_lib.c
-@@ -2588,16 +2588,20 @@ tls1_process_heartbeat(SSL *s)
- 	unsigned int payload;
- 	unsigned int padding = 16; /* Use minimum padding */
- 
-	/* Read type and payload length first */
-	hbtype = *p++;
-	n2s(p, payload);
-	pl = p;
-
- 	if (s->msg_callback)
- 		s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
- 			&s->s3->rrec.data[0], s->s3->rrec.length,
- 			s, s->msg_callback_arg);
- 
-+	/* Read type and payload length first */
-+	if (1 + 2 + 16 > s->s3->rrec.length)
-+		return 0; /* silently discard */
-+	hbtype = *p++;
-+	n2s(p, payload);
-+	if (1 + 2 + payload + 16 > s->s3->rrec.length)
-+		return 0; /* silently discard per RFC 6520 sec. 4 */
-+	pl = p;
-+
- 	if (hbtype == TLS1_HB_REQUEST)
- 		{
- 		unsigned char *buffer, *bp;
--- a/external/openssl/UnpackedTarball_openssl.mk
+++ b/external/openssl/UnpackedTarball_openssl.mk
@@ -91,7 +91,6 @@ $(eval $(call gb_UnpackedTarball_fix_end_of_line,openssl,\
 ))

 $(eval $(call gb_UnpackedTarball_add_patches,openssl,\
-	external/openssl/CVE-2014-0160.patch \
 	$(if $(filter LINUX FREEBSD ANDROID,$(OS)),external/openssl/openssllnx.patch) \
 	$(if $(filter WNTGCC,$(OS)$(COM)),external/openssl/opensslmingw.patch) \
 	$(if $(filter MSC,$(COM)),external/openssl/opensslwnt.patch) \