pool/openssl
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 236989 from Base:System

Browse Source 
NOTE: 

I submitted perl-Net-SSLeay 1.64 update to devel:languages:perl which
fixes its regression.



- updated openssl to 1.0.1h (bnc#880891):
  - CVE-2014-0224: Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
    handshake can force the use of weak keying material in OpenSSL
    SSL/TLS clients and servers.
  - CVE-2014-0221: Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
    OpenSSL DTLS client the code can be made to recurse eventually crashing
    in a DoS attack.
  - CVE-2014-0195: Fix DTLS invalid fragment vulnerability. A buffer
    overrun attack can be triggered by sending invalid DTLS fragments to
    an OpenSSL DTLS client or server. This is potentially exploitable to
    run arbitrary code on a vulnerable client or server.
  - CVE-2014-3470: Fix bug in TLS code where clients enable anonymous
    ECDH ciphersuites are subject to a denial of service attack.
- openssl-buffreelistbug-aka-CVE-2010-5298.patch: removed, upstream
- CVE-2014-0198.patch: removed, upstream
- 0009-Fix-double-frees.patch: removed, upstream
- 0012-Fix-eckey_priv_encode.patch: removed, upstream
- 0017-Double-free-in-i2o_ECPublicKey.patch: removed, upstream
- 0018-fix-coverity-issues-966593-966596.patch: removed, upstream
- 0020-Initialize-num-properly.patch: removed, upstream
- 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch: removed, upstream
- 0023-evp-prevent-underflow-in-base64-decoding.patch: removed, upstream
- 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch: removed, upstream
- 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch: removed, upstream
- 0001-libcrypto-Hide-library-private-symbols.patch: disabled heartbeat testcase
- openssl-1.0.1c-ipv6-apps.patch: refreshed
- openssl-fix-pod-syntax.diff: some stuff merged upstream, refreshed

- Added new SUSE default cipher suite
  openssl-1.0.1e-add-suse-default-cipher.patch

OBS-URL: https://build.opensuse.org/request/show/236989
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=118
This commit is contained in:
Stephan Kulow 2014-06-18 05:47:41 +00:00 committed by Git OBS Bridge
parent 6a3418284a
commit 66d6e48709
23 changed files with 419 additions and 980 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

345
0001-libcrypto-Hide-library-private-symbols.patch
View File

@ -37,8 +37,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
crypto/x509v3/pcy_int.h | 3 +++
31 files changed, 85 insertions(+), 17 deletions(-)
--- openssl-1.0.1g.orig/apps/Makefile
+++ openssl-1.0.1g/apps/Makefile
Index: openssl-1.0.1h/apps/Makefile
===================================================================
--- openssl-1.0.1h.orig/apps/Makefile
+++ openssl-1.0.1h/apps/Makefile
@@ -20,7 +20,7 @@ EXE_EXT=
SHLIB_TARGET=
@ -48,8 +50,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
GENERAL=Makefile makeapps.com install.com
--- openssl-1.0.1g.orig/crypto/asn1/asn1_locl.h
+++ openssl-1.0.1g/crypto/asn1/asn1_locl.h
Index: openssl-1.0.1h/crypto/asn1/asn1_locl.h
===================================================================
--- openssl-1.0.1h.orig/crypto/asn1/asn1_locl.h
+++ openssl-1.0.1h/crypto/asn1/asn1_locl.h
@@ -58,6 +58,8 @@
/* Internal ASN1 structures and functions: not for application use */
@ -65,8 +69,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
};
+
+#pragma GCC visibility pop
--- openssl-1.0.1g.orig/crypto/bn/bn_lcl.h
+++ openssl-1.0.1g/crypto/bn/bn_lcl.h
Index: openssl-1.0.1h/crypto/bn/bn_lcl.h
===================================================================
--- openssl-1.0.1h.orig/crypto/bn/bn_lcl.h
+++ openssl-1.0.1h/crypto/bn/bn_lcl.h
@@ -483,6 +483,8 @@ extern "C" {
#undef bn_div_words
#endif
@ -85,8 +91,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
#ifdef __cplusplus
}
#endif
--- openssl-1.0.1g.orig/crypto/camellia/cmll_locl.h
+++ openssl-1.0.1g/crypto/camellia/cmll_locl.h
Index: openssl-1.0.1h/crypto/camellia/cmll_locl.h
===================================================================
--- openssl-1.0.1h.orig/crypto/camellia/cmll_locl.h
+++ openssl-1.0.1h/crypto/camellia/cmll_locl.h
@@ -68,6 +68,8 @@
#ifndef HEADER_CAMELLIA_LOCL_H
#define HEADER_CAMELLIA_LOCL_H
@ -102,8 +110,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
CAMELLIA_KEY *key);
+#pragma GCC visibility pop
#endif /* #ifndef HEADER_CAMELLIA_LOCL_H */
--- openssl-1.0.1g.orig/crypto/cast/cast_lcl.h
+++ openssl-1.0.1g/crypto/cast/cast_lcl.h
Index: openssl-1.0.1h/crypto/cast/cast_lcl.h
===================================================================
--- openssl-1.0.1h.orig/crypto/cast/cast_lcl.h
+++ openssl-1.0.1h/crypto/cast/cast_lcl.h
@@ -217,6 +217,7 @@
}
#endif
@ -117,8 +127,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
extern const CAST_LONG CAST_S_table6[256];
extern const CAST_LONG CAST_S_table7[256];
+#pragma GCC visibility pop
--- openssl-1.0.1g.orig/crypto/cms/cms_lcl.h
+++ openssl-1.0.1g/crypto/cms/cms_lcl.h
Index: openssl-1.0.1h/crypto/cms/cms_lcl.h
===================================================================
--- openssl-1.0.1h.orig/crypto/cms/cms_lcl.h
+++ openssl-1.0.1h/crypto/cms/cms_lcl.h
@@ -426,6 +426,8 @@ DECLARE_ASN1_ALLOC_FUNCTIONS(CMS_IssuerA
#define CMS_RECIPINFO_ISSUER_SERIAL 0
#define CMS_RECIPINFO_KEYIDENTIFIER 1
@ -138,8 +150,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
#ifdef __cplusplus
}
#endif
--- openssl-1.0.1g.orig/crypto/des/des_locl.h
+++ openssl-1.0.1g/crypto/des/des_locl.h
Index: openssl-1.0.1h/crypto/des/des_locl.h
===================================================================
--- openssl-1.0.1h.orig/crypto/des/des_locl.h
+++ openssl-1.0.1h/crypto/des/des_locl.h
@@ -421,10 +421,12 @@
PERM_OP(l,r,tt, 4,0x0f0f0f0fL); \
}
@ -153,16 +167,20 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
#ifdef OPENSSL_SMALL_FOOTPRINT
#undef DES_UNROLL
--- openssl-1.0.1g.orig/crypto/dsa/dsa_locl.h
+++ openssl-1.0.1g/crypto/dsa/dsa_locl.h
Index: openssl-1.0.1h/crypto/dsa/dsa_locl.h
===================================================================
--- openssl-1.0.1h.orig/crypto/dsa/dsa_locl.h
+++ openssl-1.0.1h/crypto/dsa/dsa_locl.h
@@ -57,4 +57,4 @@
int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
unsigned char *seed_out,
- int *counter_ret, unsigned long *h_ret, BN_GENCB *cb);
+ int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) __attribute__ ((visibility ("hidden")));
--- openssl-1.0.1g.orig/crypto/ec/ec_lcl.h
+++ openssl-1.0.1g/crypto/ec/ec_lcl.h
Index: openssl-1.0.1h/crypto/ec/ec_lcl.h
===================================================================
--- openssl-1.0.1h.orig/crypto/ec/ec_lcl.h
+++ openssl-1.0.1h/crypto/ec/ec_lcl.h
@@ -88,6 +88,8 @@
/* Structure details are not part of the exported interface,
* so all this may change in future versions. */
@ -178,8 +196,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
#endif
+
+#pragma GCC visibility pop
--- openssl-1.0.1g.orig/crypto/ecdh/ech_locl.h
+++ openssl-1.0.1g/crypto/ecdh/ech_locl.h
Index: openssl-1.0.1h/crypto/ecdh/ech_locl.h
===================================================================
--- openssl-1.0.1h.orig/crypto/ecdh/ech_locl.h
+++ openssl-1.0.1h/crypto/ecdh/ech_locl.h
@@ -58,6 +58,8 @@
#include <openssl/ecdh.h>
@ -196,8 +216,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
-
+#pragma GCC visibility pop
#endif /* HEADER_ECH_LOCL_H */
--- openssl-1.0.1g.orig/crypto/ecdsa/ecs_locl.h
+++ openssl-1.0.1g/crypto/ecdsa/ecs_locl.h
Index: openssl-1.0.1h/crypto/ecdsa/ecs_locl.h
===================================================================
--- openssl-1.0.1h.orig/crypto/ecdsa/ecs_locl.h
+++ openssl-1.0.1h/crypto/ecdsa/ecs_locl.h
@@ -61,6 +61,8 @@
#include <openssl/ecdsa.h>
@ -214,8 +236,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
+#pragma GCC visibility pop
+
#endif /* HEADER_ECS_LOCL_H */
--- openssl-1.0.1g.orig/crypto/engine/eng_int.h
+++ openssl-1.0.1g/crypto/engine/eng_int.h
Index: openssl-1.0.1h/crypto/engine/eng_int.h
===================================================================
--- openssl-1.0.1h.orig/crypto/engine/eng_int.h
+++ openssl-1.0.1h/crypto/engine/eng_int.h
@@ -68,6 +68,8 @@
/* Take public definitions from engine.h */
#include <openssl/engine.h>
@ -232,8 +256,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
-
+#pragma GCC visibility pop
#endif /* HEADER_ENGINE_INT_H */
--- openssl-1.0.1g.orig/crypto/engine/eng_rsax.c
+++ openssl-1.0.1g/crypto/engine/eng_rsax.c
Index: openssl-1.0.1h/crypto/engine/eng_rsax.c
===================================================================
--- openssl-1.0.1h.orig/crypto/engine/eng_rsax.c
+++ openssl-1.0.1h/crypto/engine/eng_rsax.c
@@ -262,7 +262,7 @@ static int mod_exp_pre_compute_data_512(
void mod_exp_512(UINT64 *result, /* 512 bits, 8 qwords */
UINT64 *g, /* 512 bits, 8 qwords */
@ -243,8 +269,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
typedef struct st_e_rsax_mod_ctx
{
--- openssl-1.0.1g.orig/crypto/evp/e_aes.c
+++ openssl-1.0.1g/crypto/evp/e_aes.c
Index: openssl-1.0.1h/crypto/evp/e_aes.c
===================================================================
--- openssl-1.0.1h.orig/crypto/evp/e_aes.c
+++ openssl-1.0.1h/crypto/evp/e_aes.c
@@ -108,6 +108,8 @@ typedef struct
#define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
@ -290,8 +318,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
{
--- openssl-1.0.1g.orig/crypto/evp/e_aes_cbc_hmac_sha1.c
+++ openssl-1.0.1g/crypto/evp/e_aes_cbc_hmac_sha1.c
Index: openssl-1.0.1h/crypto/evp/e_aes_cbc_hmac_sha1.c
===================================================================
--- openssl-1.0.1h.orig/crypto/evp/e_aes_cbc_hmac_sha1.c
+++ openssl-1.0.1h/crypto/evp/e_aes_cbc_hmac_sha1.c
@@ -97,6 +97,8 @@ typedef struct
extern unsigned int OPENSSL_ia32cap_P[2];
#define AESNI_CAPABLE (1<<(57-32))
@ -310,8 +340,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
#define data(ctx) ((EVP_AES_HMAC_SHA1 *)(ctx)->cipher_data)
static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx,
--- openssl-1.0.1g.orig/crypto/evp/evp_locl.h
+++ openssl-1.0.1g/crypto/evp/evp_locl.h
Index: openssl-1.0.1h/crypto/evp/evp_locl.h
===================================================================
--- openssl-1.0.1h.orig/crypto/evp/evp_locl.h
+++ openssl-1.0.1h/crypto/evp/evp_locl.h
@@ -263,6 +263,8 @@ const EVP_CIPHER *EVP_##cname##_ecb(void
EVP_CIPHER_get_asn1_iv, \
NULL)
@ -330,8 +362,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
#ifdef OPENSSL_FIPS
#ifdef OPENSSL_DOING_MAKEDEPEND
--- openssl-1.0.1g.orig/crypto/md4/md4_locl.h
+++ openssl-1.0.1g/crypto/md4/md4_locl.h
Index: openssl-1.0.1h/crypto/md4/md4_locl.h
===================================================================
--- openssl-1.0.1h.orig/crypto/md4/md4_locl.h
+++ openssl-1.0.1h/crypto/md4/md4_locl.h
@@ -65,7 +65,7 @@
#define MD4_LONG_LOG2 2 /* default to 32 bits */
#endif
@ -341,8 +375,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
#define DATA_ORDER_IS_LITTLE_ENDIAN
--- openssl-1.0.1g.orig/crypto/md5/md5_locl.h
+++ openssl-1.0.1g/crypto/md5/md5_locl.h
Index: openssl-1.0.1h/crypto/md5/md5_locl.h
===================================================================
--- openssl-1.0.1h.orig/crypto/md5/md5_locl.h
+++ openssl-1.0.1h/crypto/md5/md5_locl.h
@@ -74,7 +74,7 @@
# endif
#endif
@ -352,8 +388,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
#define DATA_ORDER_IS_LITTLE_ENDIAN
--- openssl-1.0.1g.orig/crypto/modes/modes_lcl.h
+++ openssl-1.0.1g/crypto/modes/modes_lcl.h
Index: openssl-1.0.1h/crypto/modes/modes_lcl.h
===================================================================
--- openssl-1.0.1h.orig/crypto/modes/modes_lcl.h
+++ openssl-1.0.1h/crypto/modes/modes_lcl.h
@@ -83,6 +83,8 @@ typedef unsigned char u8;
#define PUTU32(p,v) ((p)[0]=(u8)((v)>>24),(p)[1]=(u8)((v)>>16),(p)[2]=(u8)((v)>>8),(p)[3]=(u8)(v))
#endif
@ -369,8 +407,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
};
-
+#pragma GCC visibility pop
--- openssl-1.0.1g.orig/crypto/o_str.h
+++ openssl-1.0.1g/crypto/o_str.h
Index: openssl-1.0.1h/crypto/o_str.h
===================================================================
--- openssl-1.0.1h.orig/crypto/o_str.h
+++ openssl-1.0.1h/crypto/o_str.h
@@ -61,8 +61,12 @@
#include <stddef.h> /* to get size_t */
@ -384,8 +424,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
+#pragma GCC visibility pop
+
#endif
--- openssl-1.0.1g.orig/crypto/o_time.h
+++ openssl-1.0.1g/crypto/o_time.h
Index: openssl-1.0.1h/crypto/o_time.h
===================================================================
--- openssl-1.0.1h.orig/crypto/o_time.h
+++ openssl-1.0.1h/crypto/o_time.h
@@ -61,7 +61,11 @@
#include <time.h>
@ -398,8 +440,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
+#pragma GCC visibility pop
+
#endif
--- openssl-1.0.1g.orig/crypto/ripemd/rmd_locl.h
+++ openssl-1.0.1g/crypto/ripemd/rmd_locl.h
Index: openssl-1.0.1h/crypto/ripemd/rmd_locl.h
===================================================================
--- openssl-1.0.1h.orig/crypto/ripemd/rmd_locl.h
+++ openssl-1.0.1h/crypto/ripemd/rmd_locl.h
@@ -76,7 +76,7 @@
# endif
#endif
@ -409,16 +453,20 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
#define DATA_ORDER_IS_LITTLE_ENDIAN
--- openssl-1.0.1g.orig/crypto/rsa/rsa_locl.h
+++ openssl-1.0.1g/crypto/rsa/rsa_locl.h
Index: openssl-1.0.1h/crypto/rsa/rsa_locl.h
===================================================================
--- openssl-1.0.1h.orig/crypto/rsa/rsa_locl.h
+++ openssl-1.0.1h/crypto/rsa/rsa_locl.h
@@ -1,4 +1,4 @@
extern int int_rsa_verify(int dtype, const unsigned char *m, unsigned int m_len,
unsigned char *rm, size_t *prm_len,
const unsigned char *sigbuf, size_t siglen,
- RSA *rsa);
+ RSA *rsa) __attribute__ ((visibility ("hidden")));
--- openssl-1.0.1g.orig/crypto/sha/sha256.c
+++ openssl-1.0.1g/crypto/sha/sha256.c
Index: openssl-1.0.1h/crypto/sha/sha256.c
===================================================================
--- openssl-1.0.1h.orig/crypto/sha/sha256.c
+++ openssl-1.0.1h/crypto/sha/sha256.c
@@ -110,7 +110,7 @@ int SHA224_Final (unsigned char *md, SHA
#ifndef SHA256_ASM
static
@ -428,8 +476,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
#include "md32_common.h"
--- openssl-1.0.1g.orig/crypto/sha/sha512.c
+++ openssl-1.0.1g/crypto/sha/sha512.c
Index: openssl-1.0.1h/crypto/sha/sha512.c
===================================================================
--- openssl-1.0.1h.orig/crypto/sha/sha512.c
+++ openssl-1.0.1h/crypto/sha/sha512.c
@@ -94,7 +94,7 @@ fips_md_init(SHA512)
#ifndef SHA512_ASM
static
@ -439,8 +489,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
int SHA512_Final (unsigned char *md, SHA512_CTX *c)
{
--- openssl-1.0.1g.orig/crypto/sha/sha_locl.h
+++ openssl-1.0.1g/crypto/sha/sha_locl.h
Index: openssl-1.0.1h/crypto/sha/sha_locl.h
===================================================================
--- openssl-1.0.1h.orig/crypto/sha/sha_locl.h
+++ openssl-1.0.1h/crypto/sha/sha_locl.h
@@ -108,7 +108,7 @@ static void sha_block_data_order (SHA_CT
#ifndef SHA1_ASM
static
@ -450,8 +502,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
#else
# error "Either SHA_0 or SHA_1 must be defined."
--- openssl-1.0.1g.orig/crypto/store/str_locl.h
+++ openssl-1.0.1g/crypto/store/str_locl.h
Index: openssl-1.0.1h/crypto/store/str_locl.h
===================================================================
--- openssl-1.0.1h.orig/crypto/store/str_locl.h
+++ openssl-1.0.1h/crypto/store/str_locl.h
@@ -62,6 +62,8 @@
#include <openssl/crypto.h>
#include <openssl/store.h>
@ -468,8 +522,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
-
+#pragma GCC visibility pop
#endif
--- openssl-1.0.1g.orig/crypto/ui/ui_locl.h
+++ openssl-1.0.1g/crypto/ui/ui_locl.h
Index: openssl-1.0.1h/crypto/ui/ui_locl.h
===================================================================
--- openssl-1.0.1h.orig/crypto/ui/ui_locl.h
+++ openssl-1.0.1h/crypto/ui/ui_locl.h
@@ -66,6 +66,8 @@
#undef _
#endif
@ -486,15 +542,19 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
-
+#pragma GCC visibility pop
#endif
--- openssl-1.0.1g.orig/crypto/whrlpool/wp_locl.h
+++ openssl-1.0.1g/crypto/whrlpool/wp_locl.h
Index: openssl-1.0.1h/crypto/whrlpool/wp_locl.h
===================================================================
--- openssl-1.0.1h.orig/crypto/whrlpool/wp_locl.h
+++ openssl-1.0.1h/crypto/whrlpool/wp_locl.h
@@ -1,3 +1,3 @@
#include <openssl/whrlpool.h>
-void whirlpool_block(WHIRLPOOL_CTX *,const void *,size_t);
+void whirlpool_block(WHIRLPOOL_CTX *,const void *,size_t) __attribute__ ((visibility ("hidden")));
--- openssl-1.0.1g.orig/crypto/x509v3/ext_dat.h
+++ openssl-1.0.1g/crypto/x509v3/ext_dat.h
Index: openssl-1.0.1h/crypto/x509v3/ext_dat.h
===================================================================
--- openssl-1.0.1h.orig/crypto/x509v3/ext_dat.h
+++ openssl-1.0.1h/crypto/x509v3/ext_dat.h
@@ -57,6 +57,8 @@
*/
/* This file contains a table of "standard" extensions */
@ -512,8 +572,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
/* Number of standard extensions */
#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *))
--- openssl-1.0.1g.orig/crypto/x509v3/pcy_int.h
+++ openssl-1.0.1g/crypto/x509v3/pcy_int.h
Index: openssl-1.0.1h/crypto/x509v3/pcy_int.h
===================================================================
--- openssl-1.0.1h.orig/crypto/x509v3/pcy_int.h
+++ openssl-1.0.1h/crypto/x509v3/pcy_int.h
@@ -56,6 +56,7 @@
*
*/
@ -528,8 +590,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
const X509_POLICY_CACHE *policy_cache_set(X509 *x);
+
+#pragma GCC visibility pop
--- openssl-1.0.1g.orig/crypto/modes/gcm128.c
+++ openssl-1.0.1g/crypto/modes/gcm128.c
Index: openssl-1.0.1h/crypto/modes/gcm128.c
===================================================================
--- openssl-1.0.1h.orig/crypto/modes/gcm128.c
+++ openssl-1.0.1h/crypto/modes/gcm128.c
@@ -567,8 +567,8 @@ static void gcm_ghash_4bit(u64 Xi[2],con
}
#endif
@ -554,8 +618,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
# if defined(__i386) || defined(__i386__) || defined(_M_IX86)
# define GHASH_ASM_X86
--- openssl-1.0.1g.orig/crypto/evp/e_rc4_hmac_md5.c
+++ openssl-1.0.1g/crypto/evp/e_rc4_hmac_md5.c
Index: openssl-1.0.1h/crypto/evp/e_rc4_hmac_md5.c
===================================================================
--- openssl-1.0.1h.orig/crypto/evp/e_rc4_hmac_md5.c
+++ openssl-1.0.1h/crypto/evp/e_rc4_hmac_md5.c
@@ -78,7 +78,7 @@ typedef struct
#define NO_PAYLOAD_LENGTH ((size_t)-1)
@ -565,8 +631,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
#define data(ctx) ((EVP_RC4_HMAC_MD5 *)(ctx)->cipher_data)
--- openssl-1.0.1g.orig/crypto/cmac/cm_ameth.c
+++ openssl-1.0.1g/crypto/cmac/cm_ameth.c
Index: openssl-1.0.1h/crypto/cmac/cm_ameth.c
===================================================================
--- openssl-1.0.1h.orig/crypto/cmac/cm_ameth.c
+++ openssl-1.0.1h/crypto/cmac/cm_ameth.c
@@ -73,6 +73,7 @@ static void cmac_key_free(EVP_PKEY *pkey
CMAC_CTX_free(cmctx);
}
@ -575,8 +643,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
const EVP_PKEY_ASN1_METHOD cmac_asn1_meth =
{
EVP_PKEY_CMAC,
--- openssl-1.0.1g.orig/crypto/evp/pmeth_lib.c
+++ openssl-1.0.1g/crypto/evp/pmeth_lib.c
Index: openssl-1.0.1h/crypto/evp/pmeth_lib.c
===================================================================
--- openssl-1.0.1h.orig/crypto/evp/pmeth_lib.c
+++ openssl-1.0.1h/crypto/evp/pmeth_lib.c
@@ -70,7 +70,7 @@
typedef int sk_cmp_fn_type(const char * const *a, const char * const *b);
@ -586,8 +656,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
extern const EVP_PKEY_METHOD rsa_pkey_meth, dh_pkey_meth, dsa_pkey_meth;
extern const EVP_PKEY_METHOD ec_pkey_meth, hmac_pkey_meth, cmac_pkey_meth;
--- openssl-1.0.1g.orig/crypto/cmac/cm_pmeth.c
+++ openssl-1.0.1g/crypto/cmac/cm_pmeth.c
Index: openssl-1.0.1h/crypto/cmac/cm_pmeth.c
===================================================================
--- openssl-1.0.1h.orig/crypto/cmac/cm_pmeth.c
+++ openssl-1.0.1h/crypto/cmac/cm_pmeth.c
@@ -188,6 +188,7 @@ static int pkey_cmac_ctrl_str(EVP_PKEY_C
return -2;
}
@ -596,8 +668,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
const EVP_PKEY_METHOD cmac_pkey_meth =
{
EVP_PKEY_CMAC,
--- openssl-1.0.1g.orig/crypto/rand/md_rand.c
+++ openssl-1.0.1g/crypto/rand/md_rand.c
Index: openssl-1.0.1h/crypto/rand/md_rand.c
===================================================================
--- openssl-1.0.1h.orig/crypto/rand/md_rand.c
+++ openssl-1.0.1h/crypto/rand/md_rand.c
@@ -164,7 +164,7 @@ static int ssleay_rand_nopseudo_bytes(un
static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num);
static int ssleay_rand_status(void);
@ -607,8 +681,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
ssleay_rand_seed,
ssleay_rand_nopseudo_bytes,
ssleay_rand_cleanup,
--- openssl-1.0.1g.orig/crypto/dh/dh_ameth.c
+++ openssl-1.0.1g/crypto/dh/dh_ameth.c
Index: openssl-1.0.1h/crypto/dh/dh_ameth.c
===================================================================
--- openssl-1.0.1h.orig/crypto/dh/dh_ameth.c
+++ openssl-1.0.1h/crypto/dh/dh_ameth.c
@@ -466,6 +466,7 @@ int DHparams_print(BIO *bp, const DH *x)
return do_dh_print(bp, x, 4, NULL, 0);
}
@ -617,8 +693,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
const EVP_PKEY_ASN1_METHOD dh_asn1_meth =
{
EVP_PKEY_DH,
--- openssl-1.0.1g.orig/crypto/dh/dh_pmeth.c
+++ openssl-1.0.1g/crypto/dh/dh_pmeth.c
Index: openssl-1.0.1h/crypto/dh/dh_pmeth.c
===================================================================
--- openssl-1.0.1h.orig/crypto/dh/dh_pmeth.c
+++ openssl-1.0.1h/crypto/dh/dh_pmeth.c
@@ -217,6 +217,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *
return 1;
}
@ -627,8 +705,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
const EVP_PKEY_METHOD dh_pkey_meth =
{
EVP_PKEY_DH,
--- openssl-1.0.1g.orig/crypto/dsa/dsa_ameth.c
+++ openssl-1.0.1g/crypto/dsa/dsa_ameth.c
Index: openssl-1.0.1h/crypto/dsa/dsa_ameth.c
===================================================================
--- openssl-1.0.1h.orig/crypto/dsa/dsa_ameth.c
+++ openssl-1.0.1h/crypto/dsa/dsa_ameth.c
@@ -639,7 +639,7 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey,
}
@ -638,8 +718,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[] =
{
--- openssl-1.0.1g.orig/crypto/dsa/dsa_pmeth.c
+++ openssl-1.0.1g/crypto/dsa/dsa_pmeth.c
Index: openssl-1.0.1h/crypto/dsa/dsa_pmeth.c
===================================================================
--- openssl-1.0.1h.orig/crypto/dsa/dsa_pmeth.c
+++ openssl-1.0.1h/crypto/dsa/dsa_pmeth.c
@@ -281,6 +281,7 @@ static int pkey_dsa_keygen(EVP_PKEY_CTX
return DSA_generate_key(pkey->pkey.dsa);
}
@ -648,9 +730,11 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
const EVP_PKEY_METHOD dsa_pkey_meth =
{
EVP_PKEY_DSA,
--- openssl-1.0.1g.orig/crypto/ec/ec_ameth.c
+++ openssl-1.0.1g/crypto/ec/ec_ameth.c
@@ -625,6 +625,7 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey,
Index: openssl-1.0.1h/crypto/ec/ec_ameth.c
===================================================================
--- openssl-1.0.1h.orig/crypto/ec/ec_ameth.c
+++ openssl-1.0.1h/crypto/ec/ec_ameth.c
@@ -626,6 +626,7 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey,
}
@ -658,8 +742,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
const EVP_PKEY_ASN1_METHOD eckey_asn1_meth =
{
EVP_PKEY_EC,
--- openssl-1.0.1g.orig/crypto/ec/ec_pmeth.c
+++ openssl-1.0.1g/crypto/ec/ec_pmeth.c
Index: openssl-1.0.1h/crypto/ec/ec_pmeth.c
===================================================================
--- openssl-1.0.1h.orig/crypto/ec/ec_pmeth.c
+++ openssl-1.0.1h/crypto/ec/ec_pmeth.c
@@ -304,6 +304,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX *
return EC_KEY_generate_key(pkey->pkey.ec);
}
@ -668,8 +754,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
const EVP_PKEY_METHOD ec_pkey_meth =
{
EVP_PKEY_EC,
--- openssl-1.0.1g.orig/crypto/hmac/hm_ameth.c
+++ openssl-1.0.1g/crypto/hmac/hm_ameth.c
Index: openssl-1.0.1h/crypto/hmac/hm_ameth.c
===================================================================
--- openssl-1.0.1h.orig/crypto/hmac/hm_ameth.c
+++ openssl-1.0.1h/crypto/hmac/hm_ameth.c
@@ -138,6 +138,7 @@ static int old_hmac_encode(const EVP_PKE
#endif
@ -678,8 +766,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
const EVP_PKEY_ASN1_METHOD hmac_asn1_meth =
{
EVP_PKEY_HMAC,
--- openssl-1.0.1g.orig/crypto/hmac/hm_pmeth.c
+++ openssl-1.0.1g/crypto/hmac/hm_pmeth.c
Index: openssl-1.0.1h/crypto/hmac/hm_pmeth.c
===================================================================
--- openssl-1.0.1h.orig/crypto/hmac/hm_pmeth.c
+++ openssl-1.0.1h/crypto/hmac/hm_pmeth.c
@@ -235,6 +235,7 @@ static int pkey_hmac_ctrl_str(EVP_PKEY_C
return -2;
}
@ -688,8 +778,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
const EVP_PKEY_METHOD hmac_pkey_meth =
{
EVP_PKEY_HMAC,
--- openssl-1.0.1g.orig/crypto/rsa/rsa_ameth.c
+++ openssl-1.0.1g/crypto/rsa/rsa_ameth.c
Index: openssl-1.0.1h/crypto/rsa/rsa_ameth.c
===================================================================
--- openssl-1.0.1h.orig/crypto/rsa/rsa_ameth.c
+++ openssl-1.0.1h/crypto/rsa/rsa_ameth.c
@@ -657,6 +657,7 @@ static int rsa_item_sign(EVP_MD_CTX *ctx
return 2;
}
@ -698,8 +790,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] =
{
{
--- openssl-1.0.1g.orig/crypto/rsa/rsa_pmeth.c
+++ openssl-1.0.1g/crypto/rsa/rsa_pmeth.c
Index: openssl-1.0.1h/crypto/rsa/rsa_pmeth.c
===================================================================
--- openssl-1.0.1h.orig/crypto/rsa/rsa_pmeth.c
+++ openssl-1.0.1h/crypto/rsa/rsa_pmeth.c
@@ -685,6 +685,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX
return ret;
}
@ -708,8 +802,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
const EVP_PKEY_METHOD rsa_pkey_meth =
{
EVP_PKEY_RSA,
--- openssl-1.0.1g.orig/crypto/objects/obj_xref.c
+++ openssl-1.0.1g/crypto/objects/obj_xref.c
Index: openssl-1.0.1h/crypto/objects/obj_xref.c
===================================================================
--- openssl-1.0.1h.orig/crypto/objects/obj_xref.c
+++ openssl-1.0.1h/crypto/objects/obj_xref.c
@@ -60,7 +60,7 @@
#include "obj_xref.h"
@ -719,8 +815,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
static int sig_cmp(const nid_triple *a, const nid_triple *b)
{
--- openssl-1.0.1g.orig/crypto/pem/pem_lib.c
+++ openssl-1.0.1g/crypto/pem/pem_lib.c
Index: openssl-1.0.1h/crypto/pem/pem_lib.c
===================================================================
--- openssl-1.0.1h.orig/crypto/pem/pem_lib.c
+++ openssl-1.0.1h/crypto/pem/pem_lib.c
@@ -80,7 +80,7 @@ const char PEM_version[]="PEM" OPENSSL_V
static int load_iv(char **fromp,unsigned char *to, int num);
@ -730,8 +828,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
int PEM_def_callback(char *buf, int num, int w, void *key)
{
--- openssl-1.0.1g.orig/crypto/asn1/tasn_prn.c
+++ openssl-1.0.1g/crypto/asn1/tasn_prn.c
Index: openssl-1.0.1h/crypto/asn1/tasn_prn.c
===================================================================
--- openssl-1.0.1h.orig/crypto/asn1/tasn_prn.c
+++ openssl-1.0.1h/crypto/asn1/tasn_prn.c
@@ -72,7 +72,7 @@
/* ASN1_PCTX routines */
@ -741,8 +841,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
{
ASN1_PCTX_FLAGS_SHOW_ABSENT, /* flags */
0, /* nm_flags */
--- openssl-1.0.1g.orig/crypto/bn/bn_exp.c
+++ openssl-1.0.1g/crypto/bn/bn_exp.c
Index: openssl-1.0.1h/crypto/bn/bn_exp.c
===================================================================
--- openssl-1.0.1h.orig/crypto/bn/bn_exp.c
+++ openssl-1.0.1h/crypto/bn/bn_exp.c
@@ -684,11 +684,11 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr
{
void bn_mul_mont_gather5(BN_ULONG *rp,const BN_ULONG *ap,
@ -758,8 +860,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
BN_ULONG *np=mont->N.d, *n0=mont->n0;
--- openssl-1.0.1g.orig/crypto/bn/bn_gf2m.c
+++ openssl-1.0.1g/crypto/bn/bn_gf2m.c
Index: openssl-1.0.1h/crypto/bn/bn_gf2m.c
===================================================================
--- openssl-1.0.1h.orig/crypto/bn/bn_gf2m.c
+++ openssl-1.0.1h/crypto/bn/bn_gf2m.c
@@ -220,7 +220,7 @@ static void bn_GF2m_mul_2x2(BN_ULONG *r,
r[1] = r[3] ^ r[2] ^ r[0] ^ m1 ^ m0; /* l1 ^= l0 ^ h0 ^ m0; */
}
@ -769,3 +873,34 @@ Subject: [PATCH] libcrypto: Hide library-private symbols
#endif
/* Add polynomials a and b and store result in r; r could be a or b, a and b
Index: openssl-1.0.1h/test/Makefile
===================================================================
--- openssl-1.0.1h.orig/test/Makefile
+++ openssl-1.0.1h/test/Makefile
@@ -75,7 +75,7 @@ EXE= $(BNTEST)$(EXE_EXT) $(ECTEST)$(EXE_
$(RANDTEST)$(EXE_EXT) $(DHTEST)$(EXE_EXT) $(ENGINETEST)$(EXE_EXT) \
$(BFTEST)$(EXE_EXT) $(CASTTEST)$(EXE_EXT) $(SSLTEST)$(EXE_EXT) $(EXPTEST)$(EXE_EXT) $(DSATEST)$(EXE_EXT) $(RSATEST)$(EXE_EXT) \
$(EVPTEST)$(EXE_EXT) $(IGETEST)$(EXE_EXT) $(JPAKETEST)$(EXE_EXT) $(SRPTEST)$(EXE_EXT) \
- $(ASN1TEST)$(EXE_EXT) $(HEARTBEATTEST)$(EXE_EXT)
+ $(ASN1TEST)$(EXE_EXT)
# $(METHTEST)$(EXE_EXT)
@@ -87,7 +87,7 @@ OBJ= $(BNTEST).o $(ECTEST).o $(ECDSATES
$(MDC2TEST).o $(RMDTEST).o \
$(RANDTEST).o $(DHTEST).o $(ENGINETEST).o $(CASTTEST).o \
$(BFTEST).o $(SSLTEST).o $(DSATEST).o $(EXPTEST).o $(RSATEST).o \
- $(EVPTEST).o $(IGETEST).o $(JPAKETEST).o $(ASN1TEST).o $(HEARTBEATTEST).o
+ $(EVPTEST).o $(IGETEST).o $(JPAKETEST).o $(ASN1TEST).o
SRC= $(BNTEST).c $(ECTEST).c $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \
$(MD2TEST).c $(MD4TEST).c $(MD5TEST).c \
@@ -140,7 +140,7 @@ alltests: \
test_enc test_x509 test_rsa test_crl test_sid \
test_gen test_req test_pkcs7 test_verify test_dh test_dsa \
test_ss test_ca test_engine test_evp test_ssl test_tsa test_ige \
- test_jpake test_srp test_cms test_heartbeat
+ test_jpake test_srp test_cms
test_evp:
../util/shlib_wrap.sh ./$(EVPTEST) evptests.txt

51
0009-Fix-double-frees.patch
View File

@ -1,51 +0,0 @@
From 9c8dc84ac16a2f21063ae36809d202d0284ecf82 Mon Sep 17 00:00:00 2001
From: Ben Laurie <ben@links.org>
Date: Tue, 22 Apr 2014 13:11:56 +0100
Subject: [PATCH 09/17] Fix double frees.
---
CHANGES | 3 ++-
crypto/pkcs7/pk7_doit.c | 1 +
crypto/ts/ts_rsp_verify.c | 1 +
ssl/d1_srvr.c | 1 +
4 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index 77fda3b..4c12a9d 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -928,6 +928,7 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si)
if (EVP_DigestSignUpdate(&mctx,abuf,alen) <= 0)
goto err;
OPENSSL_free(abuf);
+ abuf = NULL;
if (EVP_DigestSignFinal(&mctx, NULL, &siglen) <= 0)
goto err;
abuf = OPENSSL_malloc(siglen);
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index afe16af..b7d170a 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -629,6 +629,7 @@ static int TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
X509_ALGOR_free(*md_alg);
OPENSSL_free(*imprint);
*imprint_len = 0;
+ *imprint = NULL;
return 0;
}
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 9975e20..1384ab0 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -1356,6 +1356,7 @@ int dtls1_send_server_key_exchange(SSL *s)
(unsigned char *)encodedPoint,
encodedlen);
OPENSSL_free(encodedPoint);
+ encodedPoint = NULL;
p += encodedlen;
}
#endif
--
1.8.4.5

26
0012-Fix-eckey_priv_encode.patch
View File

@ -1,26 +0,0 @@
From f0816174d264b11f6f4ccb41c75883640a2416bb Mon Sep 17 00:00:00 2001
From: mancha <mancha1@zoho.com>
Date: Thu, 24 Apr 2014 19:06:20 +0000
Subject: [PATCH 12/17] Fix eckey_priv_encode()
Fix eckey_priv_encode to return an error on failure of i2d_ECPrivateKey.
---
CHANGES | 4 ++++
crypto/ec/ec_ameth.c | 1 +
2 files changed, 5 insertions(+)
diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c
index 0ce4524..f715a23 100644
--- a/crypto/ec/ec_ameth.c
+++ b/crypto/ec/ec_ameth.c
@@ -352,6 +352,7 @@ static int eckey_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
EC_KEY_set_enc_flags(ec_key, old_flags);
OPENSSL_free(ep);
ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB);
+ return 0;
}
/* restore old encoding flags */
EC_KEY_set_enc_flags(ec_key, old_flags);
--
1.8.4.5

31
0017-Double-free-in-i2o_ECPublicKey.patch
View File

@ -1,31 +0,0 @@
From 8eb094b9460575a328ba04708147c91fc267b394 Mon Sep 17 00:00:00 2001
From: David Ramos <daramos@stanford.edu>
Date: Sat, 3 May 2014 12:00:27 +0200
Subject: [PATCH 17/17] Double free in i2o_ECPublicKey
PR: 3338
---
crypto/ec/ec_asn1.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 145807b..e94f34e 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -1435,8 +1435,11 @@ int i2o_ECPublicKey(EC_KEY *a, unsigned char **out)
*out, buf_len, NULL))
{
ECerr(EC_F_I2O_ECPUBLICKEY, ERR_R_EC_LIB);
- OPENSSL_free(*out);
- *out = NULL;
+ if (new_buffer)
+ {
+ OPENSSL_free(*out);
+ *out = NULL;
+ }
return 0;
}
if (!new_buffer)
--
1.8.4.5

26
0018-fix-coverity-issues-966593-966596.patch
View File

@ -1,26 +0,0 @@
From 7b7b18c57e899201338d91083bc49cc8c5a915fc Mon Sep 17 00:00:00 2001
From: Tim Hudson <tjh@cryptsoft.com>
Date: Mon, 5 May 2014 06:41:22 +1000
Subject: [PATCH 18/23] - fix coverity issues 966593-966596
---
crypto/srp/srp_vfy.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
index 4a3d13e..fdca19f 100644
--- a/crypto/srp/srp_vfy.c
+++ b/crypto/srp/srp_vfy.c
@@ -93,6 +93,9 @@ static int t_fromb64(unsigned char *a, const char *src)
else a[i] = loc - b64table;
++i;
}
+ /* if nothing valid to process we have a zero length response */
+ if (i == 0)
+ return 0;
size = i;
i = size - 1;
j = size;
--
1.8.4.5

27
0020-Initialize-num-properly.patch
View File

@ -1,27 +0,0 @@
From a41d5174e27c99d1caefd76a8e927c814ede509e Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Tue, 6 May 2014 14:07:37 +0100
Subject: [PATCH 20/23] Initialize num properly.
PR#3289
PR#3345
(cherry picked from commit 3ba1e406c2309adb427ced9815ebf05f5b58d155)
---
crypto/evp/bio_b64.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/crypto/evp/bio_b64.c b/crypto/evp/bio_b64.c
index ac6d441..16863fe 100644
--- a/crypto/evp/bio_b64.c
+++ b/crypto/evp/bio_b64.c
@@ -226,6 +226,7 @@ static int b64_read(BIO *b, char *out, int outl)
else if (ctx->start)
{
q=p=(unsigned char *)ctx->tmp;
+ num = 0;
for (j=0; j<i; j++)
{
if (*(q++) != '\n') continue;
--
1.8.4.5

85
0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch
View File

@ -1,85 +0,0 @@
From d8afda60a991791f27cfac79186b1f8a4f4e30a0 Mon Sep 17 00:00:00 2001
From: Geoff Thorpe <geoff@openssl.org>
Date: Sun, 4 May 2014 16:19:22 -0400
Subject: [PATCH 22/23] bignum: allow concurrent BN_MONT_CTX_set_locked()
The lazy-initialisation of BN_MONT_CTX was serialising all threads, as
noted by Daniel Sands and co at Sandia. This was to handle the case that
2 or more threads race to lazy-init the same context, but stunted all
scalability in the case where 2 or more threads are doing unrelated
things! We favour the latter case by punishing the former. The init work
gets done by each thread that finds the context to be uninitialised, and
we then lock the "set" logic after that work is done - the winning
thread's work gets used, the losing threads throw away what they've done.
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
---
crypto/bn/bn_mont.c | 46 ++++++++++++++++++++++++++--------------------
1 file changed, 26 insertions(+), 20 deletions(-)
diff --git a/crypto/bn/bn_mont.c b/crypto/bn/bn_mont.c
index 427b5cf..ee8532c 100644
--- a/crypto/bn/bn_mont.c
+++ b/crypto/bn/bn_mont.c
@@ -478,32 +478,38 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from)
BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock,
const BIGNUM *mod, BN_CTX *ctx)
{
- int got_write_lock = 0;
BN_MONT_CTX *ret;
CRYPTO_r_lock(lock);
- if (!*pmont)
+ ret = *pmont;
+ CRYPTO_r_unlock(lock);
+ if (ret)
+ return ret;
+
+ /* We don't want to serialise globally while doing our lazy-init math in
+ * BN_MONT_CTX_set. That punishes threads that are doing independent
+ * things. Instead, punish the case where more than one thread tries to
+ * lazy-init the same 'pmont', by having each do the lazy-init math work
+ * independently and only use the one from the thread that wins the race
+ * (the losers throw away the work they've done). */
+ ret = BN_MONT_CTX_new();
+ if (!ret)
+ return NULL;
+ if (!BN_MONT_CTX_set(ret, mod, ctx))
{
- CRYPTO_r_unlock(lock);
- CRYPTO_w_lock(lock);
- got_write_lock = 1;
+ BN_MONT_CTX_free(ret);
+ return NULL;
+ }
- if (!*pmont)
- {
- ret = BN_MONT_CTX_new();
- if (ret && !BN_MONT_CTX_set(ret, mod, ctx))
- BN_MONT_CTX_free(ret);
- else
- *pmont = ret;
- }
+ /* The locked compare-and-set, after the local work is done. */
+ CRYPTO_w_lock(lock);
+ if (*pmont)
+ {
+ BN_MONT_CTX_free(ret);
+ ret = *pmont;
}
-
- ret = *pmont;
-
- if (got_write_lock)
- CRYPTO_w_unlock(lock);
else
- CRYPTO_r_unlock(lock);
-
+ *pmont = ret;
+ CRYPTO_w_unlock(lock);
return ret;
}
--
1.8.4.5

30
0023-evp-prevent-underflow-in-base64-decoding.patch
View File

@ -1,30 +0,0 @@
From d0666f289ac013094bbbf547bfbcd616199b7d2d Mon Sep 17 00:00:00 2001
From: Geoff Thorpe <geoff@openssl.org>
Date: Sun, 4 May 2014 18:44:14 -0400
Subject: [PATCH 23/23] evp: prevent underflow in base64 decoding
This patch resolves RT ticket #2608.
Thanks to Robert Dugal for originally spotting this, and to David
Ramos for noticing that the ball had been dropped.
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
---
crypto/evp/encode.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/crypto/evp/encode.c b/crypto/evp/encode.c
index 28546a8..4654bdc 100644
--- a/crypto/evp/encode.c
+++ b/crypto/evp/encode.c
@@ -324,6 +324,7 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
v=EVP_DecodeBlock(out,d,n);
n=0;
if (v < 0) { rv=0; goto end; }
+ if (eof > v) { rv=-1; goto end; }
ret+=(v-eof);
}
else
--
1.8.4.5

63
0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch
View File

@ -1,63 +0,0 @@
From c6a47f988c19093e4716d58dbed92938c18e1640 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 7 May 2014 23:21:02 +0100
Subject: [PATCH 24/25] Fixed NULL pointer dereference in PKCS7_dataDecode
reported by David Ramos in PR#3339
---
crypto/pkcs7/pk7_doit.c | 5 +++++
crypto/pkcs7/pkcs7.h | 1 +
crypto/pkcs7/pkcs7err.c | 3 ++-
3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index 4c12a9d..d91aa11 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -440,6 +440,11 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
{
case NID_pkcs7_signed:
data_body=PKCS7_get_octet_string(p7->d.sign->contents);
+ if (!PKCS7_is_detached(p7) && data_body == NULL)
+ {
+ PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_INVALID_SIGNED_DATA_TYPE);
+ goto err;
+ }
md_sk=p7->d.sign->md_algs;
break;
case NID_pkcs7_signedAndEnveloped:
diff --git a/crypto/pkcs7/pkcs7.h b/crypto/pkcs7/pkcs7.h
index e4d4431..04f6037 100644
--- a/crypto/pkcs7/pkcs7.h
+++ b/crypto/pkcs7/pkcs7.h
@@ -453,6 +453,7 @@ void ERR_load_PKCS7_strings(void);
#define PKCS7_R_ERROR_SETTING_CIPHER 121
#define PKCS7_R_INVALID_MIME_TYPE 131
#define PKCS7_R_INVALID_NULL_POINTER 143
+#define PKCS7_R_INVALID_SIGNED_DATA_TYPE 155
#define PKCS7_R_MIME_NO_CONTENT_TYPE 132
#define PKCS7_R_MIME_PARSE_ERROR 133
#define PKCS7_R_MIME_SIG_PARSE_ERROR 134
diff --git a/crypto/pkcs7/pkcs7err.c b/crypto/pkcs7/pkcs7err.c
index d0af32a..f3db08e 100644
--- a/crypto/pkcs7/pkcs7err.c
+++ b/crypto/pkcs7/pkcs7err.c
@@ -1,6 +1,6 @@
/* crypto/pkcs7/pkcs7err.c */
/* ====================================================================
- * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2014 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -130,6 +130,7 @@ static ERR_STRING_DATA PKCS7_str_reasons[]=
{ERR_REASON(PKCS7_R_ERROR_SETTING_CIPHER),"error setting cipher"},
{ERR_REASON(PKCS7_R_INVALID_MIME_TYPE) ,"invalid mime type"},
{ERR_REASON(PKCS7_R_INVALID_NULL_POINTER),"invalid null pointer"},
+{ERR_REASON(PKCS7_R_INVALID_SIGNED_DATA_TYPE),"invalid signed data type"},
{ERR_REASON(PKCS7_R_MIME_NO_CONTENT_TYPE),"mime no content type"},
{ERR_REASON(PKCS7_R_MIME_PARSE_ERROR) ,"mime parse error"},
{ERR_REASON(PKCS7_R_MIME_SIG_PARSE_ERROR),"mime sig parse error"},
--
1.8.4.5

49
0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch
View File

@ -1,49 +0,0 @@
From 6a60b414318ec4315ee016c3e15777c448603115 Mon Sep 17 00:00:00 2001
From: Tim Hudson <tjh@cryptsoft.com>
Date: Mon, 5 May 2014 08:22:42 +1000
Subject: [PATCH 25/25] fix coverity issue 966597 - error line is not always
initialised
---
ssl/ssl_asn1.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
index 38540be..4775003 100644
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@@ -408,6 +408,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
if (os.length != 3)
{
c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH;
+ c.line=__LINE__;
goto err;
}
id=0x02000000L|
@@ -420,6 +421,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
if (os.length != 2)
{
c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH;
+ c.line=__LINE__;
goto err;
}
id=0x03000000L|
@@ -429,6 +431,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
else
{
c.error=SSL_R_UNKNOWN_SSL_VERSION;
+ c.line=__LINE__;
goto err;
}
@@ -521,6 +524,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
if (os.length > SSL_MAX_SID_CTX_LENGTH)
{
c.error=SSL_R_BAD_LENGTH;
+ c.line=__LINE__;
goto err;
}
else
--
1.8.4.5

15
CVE-2014-0198.patch
View File

@ -1,15 +0,0 @@
Index: openssl-1.0.1g/ssl/s3_pkt.c
===================================================================
--- openssl-1.0.1g.orig/ssl/s3_pkt.c
+++ openssl-1.0.1g/ssl/s3_pkt.c
@@ -657,6 +657,10 @@ static int do_ssl3_write(SSL *s, int typ
if (i <= 0)
return(i);
/* if it went, fall through and send more stuff */
+ /* we may have released our buffer, so get it again */
+ if (wb->buf == NULL)
+ if (!ssl3_setup_write_buffer(s))
+ return -1;
}
if (len == 0 && !create_empty_fragment)

31
openssl-1.0.1c-ipv6-apps.patch
View File

@ -1,7 +1,7 @@
Index: openssl-1.0.1g/apps/s_apps.h
Index: openssl-1.0.1h/apps/s_apps.h
===================================================================
--- openssl-1.0.1g.orig/apps/s_apps.h
+++ openssl-1.0.1g/apps/s_apps.h
--- openssl-1.0.1h.orig/apps/s_apps.h
+++ openssl-1.0.1h/apps/s_apps.h
@@ -148,7 +148,7 @@ typedef fd_mask fd_set;
#define PORT_STR "4433"
#define PROTOCOL "tcp"
@ -24,10 +24,10 @@ Index: openssl-1.0.1g/apps/s_apps.h
long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
int argi, long argl, long ret);
Index: openssl-1.0.1g/apps/s_client.c
Index: openssl-1.0.1h/apps/s_client.c
===================================================================
--- openssl-1.0.1g.orig/apps/s_client.c
+++ openssl-1.0.1g/apps/s_client.c
--- openssl-1.0.1h.orig/apps/s_client.c
+++ openssl-1.0.1h/apps/s_client.c
@@ -567,7 +567,7 @@ int MAIN(int argc, char **argv)
int cbuf_len,cbuf_off;
int sbuf_len,sbuf_off;
@ -62,10 +62,10 @@ Index: openssl-1.0.1g/apps/s_client.c
{
BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
SHUTDOWN(s);
Index: openssl-1.0.1g/apps/s_server.c
Index: openssl-1.0.1h/apps/s_server.c
===================================================================
--- openssl-1.0.1g.orig/apps/s_server.c
+++ openssl-1.0.1g/apps/s_server.c
--- openssl-1.0.1h.orig/apps/s_server.c
+++ openssl-1.0.1h/apps/s_server.c
@@ -933,7 +933,7 @@ int MAIN(int argc, char *argv[])
{
X509_VERIFY_PARAM *vpm = NULL;
@ -97,10 +97,10 @@ Index: openssl-1.0.1g/apps/s_server.c
print_stats(bio_s_out,ctx);
ret=0;
end:
Index: openssl-1.0.1g/apps/s_socket.c
Index: openssl-1.0.1h/apps/s_socket.c
===================================================================
--- openssl-1.0.1g.orig/apps/s_socket.c
+++ openssl-1.0.1g/apps/s_socket.c
--- openssl-1.0.1h.orig/apps/s_socket.c
+++ openssl-1.0.1h/apps/s_socket.c
@@ -102,9 +102,7 @@ static struct hostent *GetHostByName(cha
static void ssl_sock_cleanup(void);
#endif
@ -182,7 +182,7 @@ Index: openssl-1.0.1g/apps/s_socket.c
{
- i=0;
- i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
- if (i < 0) { perror("keepalive"); return(0); }
- if (i < 0) { closesocket(s); perror("keepalive"); return(0); }
+ int i=0;
+ i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,
+ (char *)&i,sizeof(i));
@ -359,7 +359,7 @@ Index: openssl-1.0.1g/apps/s_socket.c
int len;
/* struct linger ling; */
@@ -431,135 +473,58 @@ redoit:
@@ -431,138 +473,59 @@ redoit:
*/
if (host == NULL) goto end;
@ -388,6 +388,7 @@ Index: openssl-1.0.1g/apps/s_socket.c
+ if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL)
{
perror("OPENSSL_malloc");
closesocket(ret);
return(0);
}
- BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
@ -396,11 +397,13 @@ Index: openssl-1.0.1g/apps/s_socket.c
- if (h2 == NULL)
- {
- BIO_printf(bio_err,"gethostbyname failure\n");
- closesocket(ret);
- return(0);
- }
- if (h2->h_addrtype != AF_INET)
- {
- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
- closesocket(ret);
- return(0);
- }
+ strcpy(*host, buffer);

16
openssl-1.0.1e-add-suse-default-cipher-header.patch Normal file
View File

@ -0,0 +1,16 @@
Index: openssl-1.0.1g/ssl/ssl.h
===================================================================
--- openssl-1.0.1g.orig/ssl/ssl.h
+++ openssl-1.0.1g/ssl/ssl.h
@@ -332,9 +332,11 @@ extern "C" {
* It also is substituted when an application-defined cipher list string
* starts with 'DEFAULT'. */
#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES"
+
#define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
"DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
"AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA"
+
/* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is
* throwing out anonymous and unencrypted ciphersuites!

39
openssl-1.0.1e-add-suse-default-cipher.patch Normal file
View File

@ -0,0 +1,39 @@
Index: openssl-1.0.1g/ssl/ssl_ciph.c
===================================================================
--- openssl-1.0.1g.orig/ssl/ssl_ciph.c
+++ openssl-1.0.1g/ssl/ssl_ciph.c
@@ -1470,7 +1470,17 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
*/
ok = 1;
rule_p = rule_str;
- if (strncmp(rule_str,"DEFAULT",7) == 0)
+
+ if (strncmp(rule_str,"DEFAULT_SUSE",12) == 0)
+ {
+ ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST,
+ &head, &tail, ca_list);
+ rule_p += 12;
+ if (*rule_p == ':')
+ rule_p++;
+ }
+
+ else if (strncmp(rule_str,"DEFAULT",7) == 0)
{
ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
&head, &tail, ca_list);
Index: openssl-1.0.1g/ssl/ssl.h
===================================================================
--- openssl-1.0.1g.orig/ssl/ssl.h
+++ openssl-1.0.1g/ssl/ssl.h
@@ -331,7 +331,10 @@ extern "C" {
/* The following cipher list is used by default.
* It also is substituted when an application-defined cipher list string
* starts with 'DEFAULT'. */
-#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!LOW"
+#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES"
+#define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
+ "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
+ "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA"
/* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is
* throwing out anonymous and unencrypted ciphersuites!

30
openssl-1.0.1e-add-test-suse-default-cipher-suite.patch Normal file
View File

@ -0,0 +1,30 @@
Index: openssl-1.0.1f/test/testssl
===================================================================
--- openssl-1.0.1f.orig/test/testssl
+++ openssl-1.0.1f/test/testssl
@@ -136,6 +136,25 @@ for protocol in TLSv1.2 SSLv3; do
done
done
+echo "Testing default ciphersuites"
+
+for cipher_suite in DEFAULT_SUSE DEFAULT; do
+ ../util/shlib_wrap.sh ../apps/openssl ciphers $cipher_suite
+ if [ $? -ne 0 ]; then
+ echo "Failed default ciphersuite $cipher_suite"
+ exit 1
+ fi
+done
+
+echo "Testing if MD5, DES and RC4 are excluded from DEFAULT_SUSE cipher suite"
+../util/shlib_wrap.sh ../apps/openssl ciphers DEFAULT_SUSE| grep "MD5\|RC4\|DES-[^CBC3]"
+
+if [ $? -ne 1 ];then
+ echo "weak ciphers are present on DEFAULT_SUSE cipher suite"
+ exit 1
+fi
+
+
#############################################################################
if ../util/shlib_wrap.sh ../apps/openssl no-dh; then

3
openssl-1.0.1g.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:53cb818c3b90e507a8348f4f5eaedb05d8bfe5358aabb508b7263cc670c3e028
size 4509047

17
openssl-1.0.1g.tar.gz.asc
View File

@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAABCAAGBQJTQtiaAAoJENNXdQf6QOniuAkP/2hFMcb2NEG36by4oleDQQA1
xw/qiE5NryMU7+bwwhjvVdGsyeLnnPxN0K5fFVlsWHFIJCArZ/ERsR3xJfldSoZX
xz/PgU4JAWT7vkhIR0zW2SInzxdX2hUsonG3dRqVY5JVX3aAMkcIanczpxrv39Cb
ZeKwStINV5HOXH++Y7O4SWsFF3w2H4cmijyF2QQngrvyGkkS4C1Wy/PH54rAQrSH
phfsDlULL48/4NPul9LiRK6clgf+6DtOa9eY/NF+enjmEw2B73PRt1DmCaaaabWU
RwKHyVZUvXGhZYnPnfriz+V09FEq9SMEyyCBg2JeTljESPaPKxPP53ueI7OTo3B8
cyXcVMq3nckgq3XI1j/Z/BJVTO6Zp/thTlkGv35O/+AgdY/lWiMictFYLLfbHC1Z
9A9gbwuhO7pc1BrQF0vhIR+NlHAq4fVA81xHrClsIWebs8XjaH4zLRoeYBKqK0+m
4T2vf78yh+viiSOU2KpQdi4kWOUpCMVBa4CJclyAWdX+jjhnrudWcV5JwCz1KtNK
Pdaje0WrJ8gqAKpZC88q2vhVZF8FQt2YGhe16sGM5N9aSeg0/GMd1rAbJPUlpQ41
/b64wg+J3/ZQsRDfNvXwIgaGa1Ur8mUv/hmtAr1ecXK+rOcn6wcoouWwDYcOCQj/
opNSFe0Slj1X6unB62z2
=9S5s
-----END PGP SIGNATURE-----

3
openssl-1.0.1h.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:9d1c8a9836aa63e2c6adb684186cbd4371c9e9dcc01d6e3bb447abf2d4d3d093
size 4475692

17
openssl-1.0.1h.tar.gz.asc Normal file
View File

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAABCAAGBQJTkDweAAoJENNXdQf6QOnizlMQAJ/tw6A4s/TMQjiLTapBAJzJ
b5W2/nOD87oa0HL2aKvTHb0R7RKuvqGR71kgWaPOPJUwyLEWG1SinTeYR0J+yl0K
5y8TE8p4AwnAEp1JcMfbljl3tkyRXOVqS1idkvcBKBawurL68jfyWWkzZ1D2wZtE
LEmVm0diQIDSACuisnonE2Q8YvtqV4/imuX4BEZlZ+iNNdL0+NEuLB+xIWSl84lb
YqM0cXQ09SIZZL+nvO0t5PBNJcQM/6w9TPKDFReQxvhVkdqoWa/o2FfeSgRLNDIu
gGPTe0cEGUpOYyeC/SbLUOppCsRNBbzWjdRotEOV1GO2dMihZaMZZedJDhAhh5q6
Z1wctpZGxq/vMIQ669Wayj2OxAtluCjW8GwlaJRi7XfB/fCk1NDFezTL4hhWRhIh
mvI4oKO7TC2/OhJ2YvNGqYeqNzsIJbszn7bipvbF5KNf0eNtrUoRWsNPia9nRlca
2yzAxCCx2QtR0PV52/c5Xbfm/Ljxta9ZKgQgAjApz5+YMsap9LyQhklc+r7tETij
yv3Vf3Xft6n4VtKxHsecebl9VZXsz/hCjHN3PmYI0SLZDZOFBdIYoju2ttspH1pH
aBXTitvmBUsDIss2fjJJQLX22TgTpTS3FyPb9zlN+ecE/0HJcGIJUAi80i1gldzH
DQhyf3Qf17vW5g28E7Iv
=oxkH
-----END PGP SIGNATURE-----

13
openssl-buffreelistbug-aka-CVE-2010-5298.patch
View File

@ -1,13 +0,0 @@
--- openssl-1.0.1g.orig/ssl/s3_pkt.c
+++ openssl-1.0.1g/ssl/s3_pkt.c
@@ -1055,8 +1055,8 @@ start:
{
s->rstate=SSL_ST_READ_HEADER;
rr->off=0;
- if (s->mode & SSL_MODE_RELEASE_BUFFERS)
- ssl3_release_read_buffer(s);
+ if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0)
+ ssl3_release_read_buffer(s);
}
}
return(n);

411
openssl-fix-pod-syntax.diff
View File

@ -59,88 +59,10 @@ Content-Length: 12835
doc/ssl/SSL_write.pod | 2 +-
23 files changed, 59 insertions(+), 55 deletions(-)
Index: openssl-1.0.1g/doc/apps/cms.pod
Index: openssl-1.0.1h/doc/apps/ts.pod
===================================================================
--- openssl-1.0.1g.orig/doc/apps/cms.pod
+++ openssl-1.0.1g/doc/apps/cms.pod
@@ -450,28 +450,28 @@ remains DER.
=over 4
-=item 0
+=item Z<>0
the operation was completely successfully.
-=item 1
+=item Z<>1
an error occurred parsing the command options.
-=item 2
+=item Z<>2
one of the input files could not be read.
-=item 3
+=item Z<>3
an error occurred creating the CMS file or when reading the MIME
message.
-=item 4
+=item Z<>4
an error occurred decrypting or verifying the message.
-=item 5
+=item Z<>5
the message was verified correctly but an error occurred writing out
the signers certificates.
Index: openssl-1.0.1g/doc/apps/smime.pod
===================================================================
--- openssl-1.0.1g.orig/doc/apps/smime.pod
+++ openssl-1.0.1g/doc/apps/smime.pod
@@ -308,28 +308,28 @@ remains DER.
=over 4
-=item 0
+=item Z<>0
the operation was completely successfully.
-=item 1
+=item Z<>1
an error occurred parsing the command options.
-=item 2
+=item Z<>2
one of the input files could not be read.
-=item 3
+=item Z<>3
an error occurred creating the PKCS#7 file or when reading the MIME
message.
-=item 4
+=item Z<>4
an error occurred decrypting or verifying the message.
-=item 5
+=item Z<>5
the message was verified correctly but an error occurred writing out
the signers certificates.
Index: openssl-1.0.1g/doc/apps/ts.pod
===================================================================
--- openssl-1.0.1g.orig/doc/apps/ts.pod
+++ openssl-1.0.1g/doc/apps/ts.pod
--- openssl-1.0.1h.orig/doc/apps/ts.pod
+++ openssl-1.0.1h/doc/apps/ts.pod
@@ -58,19 +58,19 @@ time. Here is a brief description of the
=over 4
@ -164,10 +86,10 @@ Index: openssl-1.0.1g/doc/apps/ts.pod
The TSA client receives the time stamp token and verifies the
signature on it. It also checks if the token contains the same hash
Index: openssl-1.0.1g/doc/crypto/OPENSSL_ia32cap.pod
Index: openssl-1.0.1h/doc/crypto/OPENSSL_ia32cap.pod
===================================================================
--- openssl-1.0.1g.orig/doc/crypto/OPENSSL_ia32cap.pod
+++ openssl-1.0.1g/doc/crypto/OPENSSL_ia32cap.pod
--- openssl-1.0.1h.orig/doc/crypto/OPENSSL_ia32cap.pod
+++ openssl-1.0.1h/doc/crypto/OPENSSL_ia32cap.pod
@@ -20,6 +20,8 @@ toolkit initialization, but can be manip
crypto library behaviour. For the moment of this writing six bits are
significant, namely:
@ -186,10 +108,10 @@ Index: openssl-1.0.1g/doc/crypto/OPENSSL_ia32cap.pod
For example, clearing bit #26 at run-time disables high-performance
SSE2 code present in the crypto library. You might have to do this if
target OpenSSL application is executed on SSE2 capable CPU, but under
Index: openssl-1.0.1g/doc/crypto/rand.pod
Index: openssl-1.0.1h/doc/crypto/rand.pod
===================================================================
--- openssl-1.0.1g.orig/doc/crypto/rand.pod
+++ openssl-1.0.1g/doc/crypto/rand.pod
--- openssl-1.0.1h.orig/doc/crypto/rand.pod
+++ openssl-1.0.1h/doc/crypto/rand.pod
@@ -74,16 +74,16 @@ First up I will state the things I belie
=over 4
@ -241,318 +163,3 @@ Index: openssl-1.0.1g/doc/crypto/rand.pod
Given the random number output stream, it should not be possible to determine
the RNG state or the next random number.
Index: openssl-1.0.1g/doc/ssl/SSL_COMP_add_compression_method.pod
===================================================================
--- openssl-1.0.1g.orig/doc/ssl/SSL_COMP_add_compression_method.pod
+++ openssl-1.0.1g/doc/ssl/SSL_COMP_add_compression_method.pod
@@ -53,11 +53,11 @@ SSL_COMP_add_compression_method() may re
=over 4
-=item 0
+=item Z<>0
The operation succeeded.
-=item 1
+=item Z<>1
The operation failed. Check the error queue to find out the reason.
Index: openssl-1.0.1g/doc/ssl/SSL_CTX_add_session.pod
===================================================================
--- openssl-1.0.1g.orig/doc/ssl/SSL_CTX_add_session.pod
+++ openssl-1.0.1g/doc/ssl/SSL_CTX_add_session.pod
@@ -52,13 +52,13 @@ The following values are returned by all
=over 4
-=item 0
+=item Z<>0
The operation failed. In case of the add operation, it was tried to add
the same (identical) session twice. In case of the remove operation, the
session was not found in the cache.
-=item 1
+=item Z<>1
The operation succeeded.
Index: openssl-1.0.1g/doc/ssl/SSL_CTX_load_verify_locations.pod
===================================================================
--- openssl-1.0.1g.orig/doc/ssl/SSL_CTX_load_verify_locations.pod
+++ openssl-1.0.1g/doc/ssl/SSL_CTX_load_verify_locations.pod
@@ -100,13 +100,13 @@ The following return values can occur:
=over 4
-=item 0
+=item Z<>0
The operation failed because B<CAfile> and B<CApath> are NULL or the
processing at one of the locations specified failed. Check the error
stack to find out the reason.
-=item 1
+=item Z<>1
The operation succeeded.
Index: openssl-1.0.1g/doc/ssl/SSL_CTX_set_client_CA_list.pod
===================================================================
--- openssl-1.0.1g.orig/doc/ssl/SSL_CTX_set_client_CA_list.pod
+++ openssl-1.0.1g/doc/ssl/SSL_CTX_set_client_CA_list.pod
@@ -66,13 +66,13 @@ values:
=over 4
-=item 0
+=item Z<>0
A failure while manipulating the STACK_OF(X509_NAME) object occurred or
the X509_NAME could not be extracted from B<cacert>. Check the error stack
to find out the reason.
-=item 1
+=item Z<>1
The operation succeeded.
Index: openssl-1.0.1g/doc/ssl/SSL_CTX_set_session_id_context.pod
===================================================================
--- openssl-1.0.1g.orig/doc/ssl/SSL_CTX_set_session_id_context.pod
+++ openssl-1.0.1g/doc/ssl/SSL_CTX_set_session_id_context.pod
@@ -64,13 +64,13 @@ return the following values:
=over 4
-=item 0
+=item Z<>0
The length B<sid_ctx_len> of the session id context B<sid_ctx> exceeded
the maximum allowed length of B<SSL_MAX_SSL_SESSION_ID_LENGTH>. The error
is logged to the error stack.
-=item 1
+=item Z<>1
The operation succeeded.
Index: openssl-1.0.1g/doc/ssl/SSL_CTX_set_ssl_version.pod
===================================================================
--- openssl-1.0.1g.orig/doc/ssl/SSL_CTX_set_ssl_version.pod
+++ openssl-1.0.1g/doc/ssl/SSL_CTX_set_ssl_version.pod
@@ -42,11 +42,11 @@ and SSL_set_ssl_method():
=over 4
-=item 0
+=item Z<>0
The new choice failed, check the error stack to find out the reason.
-=item 1
+=item Z<>1
The operation succeeded.
Index: openssl-1.0.1g/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
===================================================================
--- openssl-1.0.1g.orig/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
+++ openssl-1.0.1g/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
@@ -96,7 +96,7 @@ data to B<psk> and return the length of
connection will fail with decryption_error before it will be finished
completely.
-=item 0
+=item Z<>0
PSK identity was not found. An "unknown_psk_identity" alert message
will be sent and the connection setup fails.
Index: openssl-1.0.1g/doc/ssl/SSL_accept.pod
===================================================================
--- openssl-1.0.1g.orig/doc/ssl/SSL_accept.pod
+++ openssl-1.0.1g/doc/ssl/SSL_accept.pod
@@ -44,13 +44,13 @@ The following return values can occur:
=over 4
-=item 0
+=item Z<>0
The TLS/SSL handshake was not successful but was shut down controlled and
by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
return value B<ret> to find out the reason.
-=item 1
+=item Z<>1
The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
established.
Index: openssl-1.0.1g/doc/ssl/SSL_clear.pod
===================================================================
--- openssl-1.0.1g.orig/doc/ssl/SSL_clear.pod
+++ openssl-1.0.1g/doc/ssl/SSL_clear.pod
@@ -56,12 +56,12 @@ The following return values can occur:
=over 4
-=item 0
+=item Z<>0
The SSL_clear() operation could not be performed. Check the error stack to
find out the reason.
-=item 1
+=item Z<>1
The SSL_clear() operation was successful.
Index: openssl-1.0.1g/doc/ssl/SSL_connect.pod
===================================================================
--- openssl-1.0.1g.orig/doc/ssl/SSL_connect.pod
+++ openssl-1.0.1g/doc/ssl/SSL_connect.pod
@@ -41,13 +41,13 @@ The following return values can occur:
=over 4
-=item 0
+=item Z<>0
The TLS/SSL handshake was not successful but was shut down controlled and
by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
return value B<ret> to find out the reason.
-=item 1
+=item Z<>1
The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
established.
Index: openssl-1.0.1g/doc/ssl/SSL_do_handshake.pod
===================================================================
--- openssl-1.0.1g.orig/doc/ssl/SSL_do_handshake.pod
+++ openssl-1.0.1g/doc/ssl/SSL_do_handshake.pod
@@ -45,13 +45,13 @@ The following return values can occur:
=over 4
-=item 0
+=item Z<>0
The TLS/SSL handshake was not successful but was shut down controlled and
by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
return value B<ret> to find out the reason.
-=item 1
+=item Z<>1
The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
established.
Index: openssl-1.0.1g/doc/ssl/SSL_read.pod
===================================================================
--- openssl-1.0.1g.orig/doc/ssl/SSL_read.pod
+++ openssl-1.0.1g/doc/ssl/SSL_read.pod
@@ -86,7 +86,7 @@ The following return values can occur:
The read operation was successful; the return value is the number of
bytes actually read from the TLS/SSL connection.
-=item 0
+=item Z<>0
The read operation was not successful. The reason may either be a clean
shutdown due to a "close notify" alert sent by the peer (in which case
Index: openssl-1.0.1g/doc/ssl/SSL_session_reused.pod
===================================================================
--- openssl-1.0.1g.orig/doc/ssl/SSL_session_reused.pod
+++ openssl-1.0.1g/doc/ssl/SSL_session_reused.pod
@@ -27,11 +27,11 @@ The following return values can occur:
=over 4
-=item 0
+=item Z<>0
A new session was negotiated.
-=item 1
+=item Z<>1
A session was reused.
Index: openssl-1.0.1g/doc/ssl/SSL_set_fd.pod
===================================================================
--- openssl-1.0.1g.orig/doc/ssl/SSL_set_fd.pod
+++ openssl-1.0.1g/doc/ssl/SSL_set_fd.pod
@@ -35,11 +35,11 @@ The following return values can occur:
=over 4
-=item 0
+=item Z<>0
The operation failed. Check the error stack to find out why.
-=item 1
+=item Z<>1
The operation succeeded.
Index: openssl-1.0.1g/doc/ssl/SSL_set_session.pod
===================================================================
--- openssl-1.0.1g.orig/doc/ssl/SSL_set_session.pod
+++ openssl-1.0.1g/doc/ssl/SSL_set_session.pod
@@ -37,11 +37,11 @@ The following return values can occur:
=over 4
-=item 0
+=item Z<>0
The operation failed; check the error stack to find out the reason.
-=item 1
+=item Z<>1
The operation succeeded.
Index: openssl-1.0.1g/doc/ssl/SSL_shutdown.pod
===================================================================
--- openssl-1.0.1g.orig/doc/ssl/SSL_shutdown.pod
+++ openssl-1.0.1g/doc/ssl/SSL_shutdown.pod
@@ -92,19 +92,19 @@ The following return values can occur:
=over 4
-=item 0
+=item Z<>0
The shutdown is not yet finished. Call SSL_shutdown() for a second time,
if a bidirectional shutdown shall be performed.
The output of L<SSL_get_error(3)|SSL_get_error(3)> may be misleading, as an
erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
-=item 1
+=item Z<>1
The shutdown was successfully completed. The "close notify" alert was sent
and the peer's "close notify" alert was received.
-=item -1
+=item Z<>-1
The shutdown was not successful because a fatal error occurred either
at the protocol level or a connection failure occurred. It can also occur if
Index: openssl-1.0.1g/doc/ssl/SSL_write.pod
===================================================================
--- openssl-1.0.1g.orig/doc/ssl/SSL_write.pod
+++ openssl-1.0.1g/doc/ssl/SSL_write.pod
@@ -79,7 +79,7 @@ The following return values can occur:
The write operation was successful, the return value is the number of
bytes actually written to the TLS/SSL connection.
-=item 0
+=item Z<>0
The write operation was not successful. Probably the underlying connection
was closed. Call SSL_get_error() with the return value B<ret> to find out,

40
openssl.changes
View File

@ -1,3 +1,43 @@
-------------------------------------------------------------------
Thu Jun 5 14:37:19 UTC 2014 - meissner@suse.com
- updated openssl to 1.0.1h (bnc#880891):
- CVE-2014-0224: Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
handshake can force the use of weak keying material in OpenSSL
SSL/TLS clients and servers.
- CVE-2014-0221: Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
OpenSSL DTLS client the code can be made to recurse eventually crashing
in a DoS attack.
- CVE-2014-0195: Fix DTLS invalid fragment vulnerability. A buffer
overrun attack can be triggered by sending invalid DTLS fragments to
an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.
- CVE-2014-3470: Fix bug in TLS code where clients enable anonymous
ECDH ciphersuites are subject to a denial of service attack.
- openssl-buffreelistbug-aka-CVE-2010-5298.patch: removed, upstream
- CVE-2014-0198.patch: removed, upstream
- 0009-Fix-double-frees.patch: removed, upstream
- 0012-Fix-eckey_priv_encode.patch: removed, upstream
- 0017-Double-free-in-i2o_ECPublicKey.patch: removed, upstream
- 0018-fix-coverity-issues-966593-966596.patch: removed, upstream
- 0020-Initialize-num-properly.patch: removed, upstream
- 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch: removed, upstream
- 0023-evp-prevent-underflow-in-base64-decoding.patch: removed, upstream
- 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch: removed, upstream
- 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch: removed, upstream
- 0001-libcrypto-Hide-library-private-symbols.patch: disabled heartbeat testcase
- openssl-1.0.1c-ipv6-apps.patch: refreshed
- openssl-fix-pod-syntax.diff: some stuff merged upstream, refreshed
-------------------------------------------------------------------
Wed May 21 12:19:53 UTC 2014 - vpereira@novell.com
- Added new SUSE default cipher suite
openssl-1.0.1e-add-suse-default-cipher.patch
openssl-1.0.1e-add-suse-default-cipher-header.patch
openssl-1.0.1e-add-test-suse-default-cipher-suite.patch
-------------------------------------------------------------------
Fri May 9 04:42:46 UTC 2014 - crrodriguez@opensuse.org

31
openssl.spec
View File

@ -29,7 +29,7 @@ Provides: ssl
%ifarch ppc64
Obsoletes: openssl-64bit
%endif
Version: 1.0.1g
Version: 1.0.1h
Release: 0
Summary: Secure Sockets and Transport Layer Security
License: OpenSSL
@ -65,21 +65,14 @@ Patch16: openssl-1.0.1e-fips-ec.patch
Patch17: openssl-1.0.1e-fips-ctor.patch
Patch18: openssl-1.0.1e-new-fips-reqs.patch
Patch19: openssl-gcc-attributes.patch
Patch20: openssl-buffreelistbug-aka-CVE-2010-5298.patch
Patch21: openssl-libssl-noweakciphers.patch
Patch22: CVE-2014-0198.patch
Patch23: 0009-Fix-double-frees.patch
Patch24: 0012-Fix-eckey_priv_encode.patch
Patch25: 0017-Double-free-in-i2o_ECPublicKey.patch
Patch26: 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
Patch27: 0018-fix-coverity-issues-966593-966596.patch
Patch28: 0020-Initialize-num-properly.patch
Patch29: 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch
Patch30: 0023-evp-prevent-underflow-in-base64-decoding.patch
Patch31: 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch
Patch32: 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch
Patch33: openssl-no-egd.patch
Patch34: openssl-fips-hidden.patch
Patch35: openssl-1.0.1e-add-suse-default-cipher.patch
Patch36: openssl-1.0.1e-add-suse-default-cipher-header.patch
Patch37: openssl-1.0.1e-add-test-suse-default-cipher-suite.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@ -186,21 +179,13 @@ this package's base documentation.
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch30 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1
cp -p %{S:10} .
cp -p %{S:11} .
echo "adding/overwriting some entries in the 'table' hash in Configure"