authorCaolán McNamara <caolanm@redhat.com>2014-06-06 12:46:05 +0100
committerAndras Timar <andras.timar@collabora.com>2014-06-11 09:08:24 +0000
commit26061ed5bdcecbc4e8174c4e37ee94f25c523e98 (patch)
tree6e72882c7d71f88bd80f90bff86271a36ff3ff12 /external
parent0435ab72ef3a552be99c811e74a5dbd596059a5c (diff)
various recent openssl CVEs
Change-Id: Ib8989682690a73e5d09fb06617ad9d0938d76ccc Reviewed-on: https://gerrit.libreoffice.org/9666 Tested-by: Michael Stahl <mstahl@redhat.com> Reviewed-by: Michael Stahl <mstahl@redhat.com> (cherry picked from commit 25b34416cb1d5aa5b3bea66cfdab2a5addb43789) Reviewed-on: https://gerrit.libreoffice.org/9713 Reviewed-by: Tor Lillqvist <tml@collabora.com> Tested-by: Tor Lillqvist <tml@collabora.com>
Diffstat (limited to 'external')
-rw-r--r--external/openssl/CVE-2010-5298.patch21
-rw-r--r--external/openssl/CVE-2013-4353.patch21
-rw-r--r--external/openssl/CVE-2013-6449.patch111
-rw-r--r--external/openssl/CVE-2013-6450.patch85
-rw-r--r--external/openssl/CVE-2014-0195.patch36
-rw-r--r--external/openssl/CVE-2014-0198.patch33
-rw-r--r--external/openssl/CVE-2014-0221.patch34
-rw-r--r--external/openssl/CVE-2014-0224.patch88
-rw-r--r--external/openssl/CVE-2014-3470.patch26
-rw-r--r--external/openssl/UnpackedTarball_openssl.mk9
10 files changed, 464 insertions, 0 deletions
diff --git a/external/openssl/CVE-2010-5298.patch b/external/openssl/CVE-2010-5298.patch
new file mode 100644
index 000000000000..55251b3c4596
--- /dev/null
+++ b/external/openssl/CVE-2010-5298.patch
@@ -0,0 +1,21 @@
+From: Ben Laurie <ben@links.org>
+Date: Wed, 23 Apr 2014 06:24:03 +0000 (+0100)
+Subject: Fix use after free.
+X-Git-Url: https://git.openssl.org/gitweb/b/?p=openssl.git;a=commitdiff_plain;h=94d1f4b
+
+Fix use after free.
+---
+
+diff --git a/a/ssl/s3_pkt.c b/b/ssl/s3_pkt.c
+index b9e45c7..d601a18 100644
+--- a/a/ssl/s3_pkt.c
++++ b/b/ssl/s3_pkt.c
+@@ -1334,7 +1334,7 @@ start:
+ {
+ s->rstate=SSL_ST_READ_HEADER;
+ rr->off=0;
+- if (s->mode & SSL_MODE_RELEASE_BUFFERS)
++ if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0)
+ ssl3_release_read_buffer(s);
+ }
+ }
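Review bot: The rewritten condition in the s3_pkt.c hunk mixes `&` and `&&` without parentheses and carries no comment saying why the read buffer may only be released when `s->s3->rbuf.left == 0`. It parses as intended, but `if ((s->mode & SSL_MODE_RELEASE_BUFFERS) && s->s3->rbuf.left == 0)` reads unambiguously. A comment such as `/* keep the read buffer while it still holds unread bytes */` would record the invariant behind the use-after-free fix, assuming `left` counts bytes still buffered. The enclosing block starts and ends outside the hunk.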
diff --git a/external/openssl/CVE-2013-4353.patch b/external/openssl/CVE-2013-4353.patch
new file mode 100644
index 000000000000..be7cf4c3b06e
--- /dev/null
+++ b/external/openssl/CVE-2013-4353.patch
@@ -0,0 +1,21 @@
+Fix for TLS record tampering bug. A carefully crafted invalid
+handshake could crash OpenSSL with a NULL pointer exception.
+Thanks to Anton Johansson for reporting this issues.
+(CVE-2013-4353)
+diff --git a/a/ssl/s3_both.c b/b/ssl/s3_both.c
+index 1e5dcab..53b9390 100644
+--- a/a/ssl/s3_both.c
++++ b/b/ssl/s3_both.c
+@@ -210,7 +210,11 @@ static void ssl3_take_mac(SSL *s)
+ {
+ const char *sender;
+ int slen;
+-
++ /* If no new cipher setup return immediately: other functions will
++ * set the appropriate error.
++ */
++ if (s->s3->tmp.new_cipher == NULL)
++ return;
+ if (s->state & SSL_ST_CONNECT)
+ {
+ sender=s->method->ssl3_enc->server_finished_label;
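Review bot: This patch file has no upstream provenance header: it opens with the description and goes straight to the diff, whereas CVE-2010-5298.patch carries `X-Git-Url` and CVE-2014-0195.patch a `commit` line. Without the upstream commit id an auditor cannot check the backport against the OpenSSL repository or tell whether a later upstream follow-up is missing. Adding a first line such as `Upstream commit: <openssl-commit-id>` would fix that. The same applies to CVE-2013-6449.patch, CVE-2013-6450.patch and CVE-2014-0224.patch, the last of which has no description at all.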
diff --git a/external/openssl/CVE-2013-6449.patch b/external/openssl/CVE-2013-6449.patch
new file mode 100644
index 000000000000..3da064699dfb
--- /dev/null
+++ b/external/openssl/CVE-2013-6449.patch
@@ -0,0 +1,111 @@
+Use version in SSL_METHOD not SSL structure.
+
+When deciding whether to use TLS 1.2 PRF and record hash algorithms
+use the version number in the corresponding SSL_METHOD structure
+instead of the SSL structure. The SSL structure version is sometimes
+inaccurate. Note: OpenSSL 1.0.2 and later effectively do this already.
+(CVE-2013-6449)
+
+Also preventively check EVP errors for handshake digests.
+
+diff --git a/a/ssl/s3_lib.c b/b/ssl/s3_lib.c
+index bf832bb..c4ef273 100644
+--- a/a/ssl/s3_lib.c
++++ b/b/ssl/s3_lib.c
+@@ -4286,7 +4286,7 @@ need to go to SSL_ST_ACCEPT.
+ long ssl_get_algorithm2(SSL *s)
+ {
+ long alg2 = s->s3->tmp.new_cipher->algorithm2;
+- if (TLS1_get_version(s) >= TLS1_2_VERSION &&
++ if (s->method->version == TLS1_2_VERSION &&
+ alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
+ return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
+ return alg2;
+diff --git a/a/ssl/s3_both.c b/b/ssl/s3_both.c
+index ead01c8..1e5dcab 100644
+--- a/a/ssl/s3_both.c
++++ b/b/ssl/s3_both.c
+@@ -161,6 +161,8 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
+
+ i=s->method->ssl3_enc->final_finish_mac(s,
+ sender,slen,s->s3->tmp.finish_md);
++ if (i == 0)
++ return 0;
+ s->s3->tmp.finish_md_len = i;
+ memcpy(p, s->s3->tmp.finish_md, i);
+ p+=i;
+diff --git a/a/ssl/s3_pkt.c b/b/ssl/s3_pkt.c
+index 804291e..c4bc4e7 100644
+--- a/a/ssl/s3_pkt.c
++++ b/b/ssl/s3_pkt.c
+@@ -335,7 +335,7 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
+ if (version != s->version)
+ {
+ SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
+- if ((s->version & 0xFF00) == (version & 0xFF00))
++ if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash)
+ /* Send back error using their minor version number :-) */
+ s->version = (unsigned short)version;
+ al=SSL_AD_PROTOCOL_VERSION;
+@@ -1459,8 +1459,14 @@ int ssl3_do_change_cipher_spec(SSL *s)
+ slen=s->method->ssl3_enc->client_finished_label_len;
+ }
+
+- s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
++ i = s->method->ssl3_enc->final_finish_mac(s,
+ sender,slen,s->s3->tmp.peer_finish_md);
++ if (i == 0)
++ {
++ SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++ s->s3->tmp.peer_finish_md_len = i;
+
+ return(1);
+ }
+diff --git a/a/ssl/s3_srvr.c b/b/ssl/s3_srvr.c
+index e5a8b3f..52efed3 100644
+--- a/a/ssl/s3_srvr.c
++++ b/b/ssl/s3_srvr.c
+@@ -958,7 +958,8 @@ int ssl3_get_client_hello(SSL *s)
+ (s->version != DTLS1_VERSION && s->client_version < s->version))
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
+- if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
++ if ((s->client_version>>8) == SSL3_VERSION_MAJOR &&
++ !s->enc_write_ctx && !s->write_hash)
+ {
+ /* similar to ssl3_get_record, send alert using remote version number */
+ s->version = s->client_version;
+diff --git a/a/ssl/t1_enc.c b/b/ssl/t1_enc.c
+index 809ad2e..72015f5 100644
+--- a/a/ssl/t1_enc.c
++++ b/b/ssl/t1_enc.c
+@@ -915,18 +915,19 @@ int tls1_final_finish_mac(SSL *s,
+ if (mask & ssl_get_algorithm2(s))
+ {
+ int hashsize = EVP_MD_size(md);
+- if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
++ EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx];
++ if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
+ {
+ /* internal error: 'buf' is too small for this cipersuite! */
+ err = 1;
+ }
+ else
+ {
+- EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]);
+- EVP_DigestFinal_ex(&ctx,q,&i);
+- if (i != (unsigned int)hashsize) /* can't really happen */
++ if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) ||
++ !EVP_DigestFinal_ex(&ctx,q,&i) ||
++ (i != (unsigned int)hashsize))
+ err = 1;
+- q+=i;
++ q+=hashsize;
+ }
+ }
+ }
+--
+1.8.3.1
+
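Review bot: The new `if (i == 0) return 0;` in ssl3_send_finished fails the handshake without queuing an error, while the matching check added to ssl3_do_change_cipher_spec in the same patch calls `SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR)` first. Unless final_finish_mac already queues one (not visible here), a digest failure on the send path reaches the application as a bare 0 return with an empty error queue, which is hard to diagnose. The send path should raise the same ERR_R_INTERNAL_ERROR before returning, using the function code that belongs to ssl3_send_finished. Both functions continue outside their hunks.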
diff --git a/external/openssl/CVE-2013-6450.patch b/external/openssl/CVE-2013-6450.patch
new file mode 100644
index 000000000000..ba45785d996b
--- /dev/null
+++ b/external/openssl/CVE-2013-6450.patch
@@ -0,0 +1,85 @@
+Fix DTLS retransmission from previous session.
+
+For DTLS we might need to retransmit messages from the previous session
+so keep a copy of write context in DTLS retransmission buffers instead
+of replacing it after sending CCS. CVE-2013-6450.
+
+diff --git a/a/ssl/d1_both.c b/b/ssl/d1_both.c
+index 65ec001..7a5596a 100644
+--- a/a/ssl/d1_both.c
++++ b/b/ssl/d1_both.c
+@@ -214,6 +214,12 @@ dtls1_hm_fragment_new(unsigned long frag_len, int reassembly)
+ static void
+ dtls1_hm_fragment_free(hm_fragment *frag)
+ {
++
++ if (frag->msg_header.is_ccs)
++ {
++ EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx);
++ EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash);
++ }
+ if (frag->fragment) OPENSSL_free(frag->fragment);
+ if (frag->reassembly) OPENSSL_free(frag->reassembly);
+ OPENSSL_free(frag);
+diff --git a/a/ssl/ssl_locl.h b/b/ssl/ssl_locl.h
+index 96ce9a7..e485907 100644
+--- a/a/ssl/ssl_locl.h
++++ b/b/ssl/ssl_locl.h
+@@ -621,6 +621,8 @@ extern SSL3_ENC_METHOD TLSv1_enc_data;
+ extern SSL3_ENC_METHOD SSLv3_enc_data;
+ extern SSL3_ENC_METHOD DTLSv1_enc_data;
+
++#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION)
++
+ #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \
+ s_get_meth) \
+ const SSL_METHOD *func_name(void) \
+diff --git a/a/ssl/t1_enc.c b/b/ssl/t1_enc.c
+index 72015f5..56db834 100644
+--- a/a/ssl/t1_enc.c
++++ b/b/ssl/t1_enc.c
+@@ -414,15 +414,20 @@ int tls1_change_cipher_state(SSL *s, int which)
+ s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
+ else
+ s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
+- if (s->enc_write_ctx != NULL)
++ if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s))
+ reuse_dd = 1;
+- else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
++ else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL)
+ goto err;
+- else
+- /* make sure it's intialized in case we exit later with an error */
+- EVP_CIPHER_CTX_init(s->enc_write_ctx);
+ dd= s->enc_write_ctx;
+- mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
++ if (SSL_IS_DTLS(s))
++ {
++ mac_ctx = EVP_MD_CTX_create();
++ if (!mac_ctx)
++ goto err;
++ s->write_hash = mac_ctx;
++ }
++ else
++ mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
+ #ifndef OPENSSL_NO_COMP
+ if (s->compress != NULL)
+ {
+diff --git a/a/crypto/evp/digest.c b/b/crypto/evp/digest.c
+index 6fc469f..d14e8e4 100644
+--- a/a/crypto/evp/digest.c
++++ b/b/crypto/evp/digest.c
+@@ -366,8 +366,11 @@ int EVP_Digest(const void *data, size_t count,
+
+ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx)
+ {
+- EVP_MD_CTX_cleanup(ctx);
+- OPENSSL_free(ctx);
++ if (ctx)
++ {
++ EVP_MD_CTX_cleanup(ctx);
++ OPENSSL_free(ctx);
++ }
+ }
+
+ /* This call frees resources associated with the context */
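Review bot: In the tls1_change_cipher_state hunk the DTLS path now overwrites `s->enc_write_ctx` and `s->write_hash` with freshly allocated contexts and never frees the previous ones, so their lifetime depends on a retransmit-buffer entry having captured them for dtls1_hm_fragment_free to release. That hand-over is not visible in this patch; it is worth confirming that every old context is owned by exactly one saved_retransmit_state, otherwise this is a leak or, if the live context is also saved, a double free. A comment at the allocation, e.g. `/* DTLS: previous write state is owned by the retransmit buffer, do not reuse or free it here */`, would document the contract. Separately, the macro argument should be parenthesised: `#define SSL_IS_DTLS(s) ((s)->method->version == DTLS1_VERSION)`.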
diff --git a/external/openssl/CVE-2014-0195.patch b/external/openssl/CVE-2014-0195.patch
new file mode 100644
index 000000000000..d9aaa83acd2a
--- /dev/null
+++ b/external/openssl/CVE-2014-0195.patch
@@ -0,0 +1,36 @@
+commit 208d54db20d58c9a5e45e856a0650caadd7d9612
+Author: Dr. Stephen Henson <steve@openssl.org>
+Date: Tue May 13 18:48:31 2014 +0100
+
+ Fix for CVE-2014-0195
+
+ A buffer overrun attack can be triggered by sending invalid DTLS fragments
+ to an OpenSSL DTLS client or server. This is potentially exploitable to
+ run arbitrary code on a vulnerable client or server.
+
+ Fixed by adding consistency check for DTLS fragments.
+
+ Thanks to Jüri Aedla for reporting this issue.
+
+diff --git a/a/ssl/d1_both.c b/b/ssl/d1_both.c
+index 2e8cf68..07f67f8 100644
+--- a/a/ssl/d1_both.c
++++ b/b/ssl/d1_both.c
+@@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+ frag->msg_header.frag_off = 0;
+ }
+ else
++ {
+ frag = (hm_fragment*) item->data;
++ if (frag->msg_header.msg_len != msg_hdr->msg_len)
++ {
++ item = NULL;
++ frag = NULL;
++ goto err;
++ }
++ }
++
+
+ /* If message is already reassembled, this must be a
+ * retransmit and can be dropped.
+
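Review bot: The added length check clears `item` and `frag` before `goto err` without saying why, and those two assignments appear to be what keeps the error path from releasing a fragment that is still referenced by an existing `item`. The `err` label is outside the hunk, so this is inferred from the pattern; if it holds, a comment such as `/* frag still belongs to the queued item: drop our references so err: does not free it */` should sit above `item = NULL;`. The hunk also adds a second blank line after the closing brace, which can be dropped.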
diff --git a/external/openssl/CVE-2014-0198.patch b/external/openssl/CVE-2014-0198.patch
new file mode 100644
index 000000000000..0cffb79c7faa
--- /dev/null
+++ b/external/openssl/CVE-2014-0198.patch
@@ -0,0 +1,33 @@
+From: Matt Caswell <matt@openssl.org>
+Date: Sun, 11 May 2014 23:38:37 +0000 (+0100)
+Subject: Fixed NULL pointer dereference. See PR#3321
+X-Git-Url: https://git.openssl.org/gitweb/b/?p=openssl.git;a=commitdiff_plain;h=b107586
+
+Fixed NULL pointer dereference. See PR#3321
+---
+
+diff --git a/a/ssl/s3_pkt.c b/b/ssl/s3_pkt.c
+index 40eb0dd..d961d12 100644
+--- a/a/ssl/s3_pkt.c
++++ b/b/ssl/s3_pkt.c
+@@ -657,9 +657,6 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
+ SSL3_BUFFER *wb=&(s->s3->wbuf);
+ SSL_SESSION *sess;
+
+- if (wb->buf == NULL)
+- if (!ssl3_setup_write_buffer(s))
+- return -1;
+
+ /* first check if there is a SSL3_BUFFER still being written
+ * out. This will happen with non blocking IO */
+@@ -675,6 +672,10 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
+ /* if it went, fall through and send more stuff */
+ }
+
++ if (wb->buf == NULL)
++ if (!ssl3_setup_write_buffer(s))
++ return -1;
++
+ if (len == 0 && !create_empty_fragment)
+ return 0;
+
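Review bot: The write-buffer setup moved below the pending-write block has no comment tying it to that position, so a later cleanup could move it back to the top of do_ssl3_write and reintroduce the NULL dereference. Presumably the buffer can be released while the pending write is flushed, which is why `wb->buf` has to be tested afterwards; that is not visible in the hunk. A comment such as `/* must stay after the pending-write flush above: wb->buf may be NULL again here */` would pin the ordering, and bracing the nested `if` would make the early return easier to see.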
diff --git a/external/openssl/CVE-2014-0221.patch b/external/openssl/CVE-2014-0221.patch
new file mode 100644
index 000000000000..68186f742908
--- /dev/null
+++ b/external/openssl/CVE-2014-0221.patch
@@ -0,0 +1,34 @@
+commit d30e582446b027868cdabd0994681643682045a4
+Author: Dr. Stephen Henson <steve@openssl.org>
+Date: Fri May 16 13:00:45 2014 +0100
+
+ Fix CVE-2014-0221
+
+ Unnecessary recursion when receiving a DTLS hello request can be used to
+ crash a DTLS client. Fixed by handling DTLS hello request without recursion.
+
+ Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
+
+diff --git a/a/ssl/d1_both.c b/b/ssl/d1_both.c
+index 07f67f8..4c2fd03 100644
+--- a/a/ssl/d1_both.c
++++ b/b/ssl/d1_both.c
+@@ -793,6 +793,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
+ int i,al;
+ struct hm_header_st msg_hdr;
+
++ redo:
+ /* see if we have the required fragment already */
+ if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok)
+ {
+@@ -851,8 +852,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
+ s->msg_callback_arg);
+
+ s->init_num = 0;
+- return dtls1_get_message_fragment(s, st1, stn,
+- max, ok);
++ goto redo;
+ }
+ else /* Incorrectly formated Hello request */
+ {
+
diff --git a/external/openssl/CVE-2014-0224.patch b/external/openssl/CVE-2014-0224.patch
new file mode 100644
index 000000000000..8a7aaa78f358
--- /dev/null
+++ b/external/openssl/CVE-2014-0224.patch
@@ -0,0 +1,88 @@
+diff -up openssl-1.0.1e/ssl/ssl3.h.keying-mitm openssl-1.0.1e/ssl/ssl3.h
+--- a/a/ssl/ssl3.h.keying-mitm 2014-06-02 19:48:04.518100562 +0200
+--- b/b/ssl/ssl3.h 2014-06-02 19:48:04.642103429 +0200
+@@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st
+ #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
+ #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
+ #define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020
++#define SSL3_FLAGS_CCS_OK 0x0080
+
+ /* SSL3_FLAGS_SGC_RESTART_DONE is set when we
+ * restart a handshake because of MS SGC and so prevents us
+diff -up openssl-1.0.1e/ssl/s3_clnt.c.keying-mitm openssl-1.0.1e/ssl/s3_clnt.c
+--- a/a/ssl/s3_clnt.c.keying-mitm 2013-02-11 16:26:04.000000000 +0100
+--- b/b/ssl/s3_clnt.c 2014-06-02 19:49:57.042701985 +0200
+@@ -559,6 +559,7 @@ int ssl3_connect(SSL *s)
+ case SSL3_ST_CR_FINISHED_A:
+ case SSL3_ST_CR_FINISHED_B:
+
++ s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
+ SSL3_ST_CR_FINISHED_B);
+ if (ret <= 0) goto end;
+@@ -916,6 +917,7 @@ int ssl3_get_server_hello(SSL *s)
+ SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
+ goto f_err;
+ }
++ s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ s->hit=1;
+ }
+ else /* a miss or crap from the other end */
+diff -up openssl-1.0.1e/ssl/s3_pkt.c.keying-mitm openssl-1.0.1e/ssl/s3_pkt.c
+--- a/a/ssl/s3_pkt.c.keying-mitm 2014-06-02 19:48:04.640103383 +0200
+--- b/b/ssl/s3_pkt.c 2014-06-02 19:48:04.643103452 +0200
+@@ -1298,6 +1298,15 @@ start:
+ goto f_err;
+ }
+
++ if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))
++ {
++ al=SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
++ goto f_err;
++ }
++
++ s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
++
+ rr->length=0;
+
+ if (s->msg_callback)
+@@ -1432,7 +1441,7 @@ int ssl3_do_change_cipher_spec(SSL *s)
+
+ if (s->s3->tmp.key_block == NULL)
+ {
+- if (s->session == NULL)
++ if (s->session == NULL || s->session->master_key_length == 0)
+ {
+ /* might happen if dtls1_read_bytes() calls this */
+ SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
+diff -up openssl-1.0.1e/ssl/s3_srvr.c.keying-mitm openssl-1.0.1e/ssl/s3_srvr.c
+--- a/a/ssl/s3_srvr.c.keying-mitm 2014-06-02 19:48:04.630103151 +0200
+--- b/b/ssl/s3_srvr.c 2014-06-02 19:48:04.643103452 +0200
+@@ -673,6 +673,7 @@ int ssl3_accept(SSL *s)
+ case SSL3_ST_SR_CERT_VRFY_A:
+ case SSL3_ST_SR_CERT_VRFY_B:
+
++ s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ /* we should decide if we expected this one */
+ ret=ssl3_get_cert_verify(s);
+ if (ret <= 0) goto end;
+@@ -700,6 +701,7 @@ int ssl3_accept(SSL *s)
+
+ case SSL3_ST_SR_FINISHED_A:
+ case SSL3_ST_SR_FINISHED_B:
++ s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
+ SSL3_ST_SR_FINISHED_B);
+ if (ret <= 0) goto end;
+@@ -770,7 +772,10 @@ int ssl3_accept(SSL *s)
+ s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
+ #else
+ if (s->s3->next_proto_neg_seen)
++ {
++ s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A;
++ }
+ else
+ s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
+ #endif
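Review bot: `SSL3_FLAGS_CCS_OK` is defined in ssl3.h without a comment, although the whole fix rests on its meaning. From the hunks, the handshake code sets it just before steps where a ChangeCipherSpec may arrive (before ssl3_get_finished and ssl3_get_cert_verify, and on the `s->hit=1` path in ssl3_get_server_hello). The s3_pkt.c hunk rejects a CCS with SSL_AD_UNEXPECTED_MESSAGE when the flag is unset and clears it once one is accepted. A comment on the define such as `/* set while a ChangeCipherSpec is acceptable; cleared after one is processed */` would make that state-machine contract explicit for the next backport.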
diff --git a/external/openssl/CVE-2014-3470.patch b/external/openssl/CVE-2014-3470.patch
new file mode 100644
index 000000000000..da123eef3822
--- /dev/null
+++ b/external/openssl/CVE-2014-3470.patch
@@ -0,0 +1,26 @@
+commit 4ad43d511f6cf064c66eb4bfd0fb0919b5dd8a86
+Author: Dr. Stephen Henson <steve@openssl.org>
+Date: Thu May 29 15:00:05 2014 +0100
+
+ Fix CVE-2014-3470
+
+ Check session_cert is not NULL before dereferencing it.
+
+diff --git a/a/ssl/s3_clnt.c b/b/ssl/s3_clnt.c
+index d35376d..4324f8d 100644
+--- a/a/ssl/s3_clnt.c
++++ b/b/ssl/s3_clnt.c
+@@ -2511,6 +2511,13 @@ int ssl3_send_client_key_exchange(SSL *s)
+ int ecdh_clnt_cert = 0;
+ int field_size = 0;
+
++ if (s->session->sess_cert == NULL)
++ {
++ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
++ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
++ goto err;
++ }
++
+ /* Did we send out the client's
+ * ECDH share for use in premaster
+ * computation as part of client certificate?
diff --git a/external/openssl/UnpackedTarball_openssl.mk b/external/openssl/UnpackedTarball_openssl.mk
index 869a74e11b14..07a775e38930 100644
--- a/external/openssl/UnpackedTarball_openssl.mk
+++ b/external/openssl/UnpackedTarball_openssl.mk
@@ -91,7 +91,16 @@ $(eval $(call gb_UnpackedTarball_fix_end_of_line,openssl,\
))
$(eval $(call gb_UnpackedTarball_add_patches,openssl,\
+ external/openssl/CVE-2013-6449.patch \
+ external/openssl/CVE-2013-6450.patch \
+ external/openssl/CVE-2013-4353.patch \
external/openssl/CVE-2014-0160.patch \
+ external/openssl/CVE-2010-5298.patch \
+ external/openssl/CVE-2014-0195.patch \
+ external/openssl/CVE-2014-0198.patch \
+ external/openssl/CVE-2014-0221.patch \
+ external/openssl/CVE-2014-0224.patch \
+ external/openssl/CVE-2014-3470.patch \
$(if $(filter LINUX FREEBSD ANDROID,$(OS)),external/openssl/openssllnx.patch) \
$(if $(filter WNTGCC,$(OS)$(COM)),external/openssl/opensslmingw.patch) \
$(if $(filter MSC,$(COM)),external/openssl/opensslwnt.patch) \