ed81eb44e1
- update to 1.0.2e
* fixes five security vulnerabilities
* Anon DH ServerKeyExchange with 0 p parameter
(CVE-2015-1794) (bsc#957984)
* BN_mod_exp may produce incorrect results on x86_64
(CVE-2015-3193) (bsc#957814)
* Certificate verify crash with missing PSS parameter
(CVE-2015-3194) (bsc#957815)
* X509_ATTRIBUTE memory leak
(CVE-2015-3195) (bsc#957812)
* Race condition handling PSK identify hint
(CVE-2015-3196) (bsc#957813)
- pulled a refreshed fips patch from Fedora
* openssl-1.0.2a-fips.patch was replaced by
openssl-1.0.2e-fips.patch
- refresh openssl-ocloexec.patch
OBS-URL: https://build.opensuse.org/request/show/347504
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=129
188 lines
7.3 KiB
Diff
188 lines
7.3 KiB
Diff
Index: crypto/bio/b_sock.c
|
|
===================================================================
|
|
--- crypto/bio/b_sock.c.orig 2015-12-05 00:04:11.291027369 +0100
|
|
+++ crypto/bio/b_sock.c 2015-12-05 00:04:13.283055286 +0100
|
|
@@ -723,7 +723,7 @@ int BIO_get_accept_socket(char *host, in
|
|
}
|
|
|
|
again:
|
|
- s = socket(server.sa.sa_family, SOCK_STREAM, SOCKET_PROTOCOL);
|
|
+ s = socket(server.sa.sa_family, SOCK_STREAM|SOCK_CLOEXEC, SOCKET_PROTOCOL);
|
|
if (s == INVALID_SOCKET) {
|
|
SYSerr(SYS_F_SOCKET, get_last_socket_error());
|
|
ERR_add_error_data(3, "port='", host, "'");
|
|
@@ -765,7 +765,7 @@ int BIO_get_accept_socket(char *host, in
|
|
} else
|
|
goto err;
|
|
}
|
|
- cs = socket(client.sa.sa_family, SOCK_STREAM, SOCKET_PROTOCOL);
|
|
+ cs = socket(client.sa.sa_family, SOCK_STREAM|SOCK_CLOEXEC, SOCKET_PROTOCOL);
|
|
if (cs != INVALID_SOCKET) {
|
|
int ii;
|
|
ii = connect(cs, &client.sa, addrlen);
|
|
@@ -847,7 +847,7 @@ int BIO_accept(int sock, char **addr)
|
|
sa.len.s = 0;
|
|
sa.len.i = sizeof(sa.from);
|
|
memset(&sa.from, 0, sizeof(sa.from));
|
|
- ret = accept(sock, &sa.from.sa, (void *)&sa.len);
|
|
+ ret = accept4(sock, &sa.from.sa, (void *)&sa.len, SOCK_CLOEXEC);
|
|
if (sizeof(sa.len.i) != sizeof(sa.len.s) && sa.len.i == 0) {
|
|
OPENSSL_assert(sa.len.s <= sizeof(sa.from));
|
|
sa.len.i = (int)sa.len.s;
|
|
Index: crypto/bio/bss_conn.c
|
|
===================================================================
|
|
--- crypto/bio/bss_conn.c.orig 2015-12-05 00:04:11.291027369 +0100
|
|
+++ crypto/bio/bss_conn.c 2015-12-05 00:04:13.283055286 +0100
|
|
@@ -195,7 +195,7 @@ static int conn_state(BIO *b, BIO_CONNEC
|
|
c->them.sin_addr.s_addr = htonl(l);
|
|
c->state = BIO_CONN_S_CREATE_SOCKET;
|
|
|
|
- ret = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
|
|
+ ret = socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, SOCKET_PROTOCOL);
|
|
if (ret == INVALID_SOCKET) {
|
|
SYSerr(SYS_F_SOCKET, get_last_socket_error());
|
|
ERR_add_error_data(4, "host=", c->param_hostname,
|
|
Index: crypto/bio/bss_dgram.c
|
|
===================================================================
|
|
--- crypto/bio/bss_dgram.c.orig 2015-12-05 00:04:11.292027383 +0100
|
|
+++ crypto/bio/bss_dgram.c 2015-12-05 00:04:13.284055300 +0100
|
|
@@ -1177,7 +1177,7 @@ static int dgram_sctp_read(BIO *b, char
|
|
msg.msg_control = cmsgbuf;
|
|
msg.msg_controllen = 512;
|
|
msg.msg_flags = 0;
|
|
- n = recvmsg(b->num, &msg, 0);
|
|
+ n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
|
|
|
|
if (n <= 0) {
|
|
if (n < 0)
|
|
@@ -1802,7 +1802,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
|
|
msg.msg_controllen = 0;
|
|
msg.msg_flags = 0;
|
|
|
|
- n = recvmsg(b->num, &msg, MSG_PEEK);
|
|
+ n = recvmsg(b->num, &msg, MSG_PEEK|MSG_CMSG_CLOEXEC);
|
|
if (n <= 0) {
|
|
if ((n < 0) && (get_last_socket_error() != EAGAIN)
|
|
&& (get_last_socket_error() != EWOULDBLOCK))
|
|
@@ -1824,7 +1824,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
|
|
msg.msg_controllen = 0;
|
|
msg.msg_flags = 0;
|
|
|
|
- n = recvmsg(b->num, &msg, 0);
|
|
+ n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
|
|
if (n <= 0) {
|
|
if ((n < 0) && (get_last_socket_error() != EAGAIN)
|
|
&& (get_last_socket_error() != EWOULDBLOCK))
|
|
@@ -1889,7 +1889,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
|
|
fcntl(b->num, F_SETFL, O_NONBLOCK);
|
|
}
|
|
|
|
- n = recvmsg(b->num, &msg, MSG_PEEK);
|
|
+ n = recvmsg(b->num, &msg, MSG_PEEK|MSG_CMSG_CLOEXEC);
|
|
|
|
if (is_dry) {
|
|
fcntl(b->num, F_SETFL, sockflags);
|
|
@@ -1931,7 +1931,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b)
|
|
|
|
sockflags = fcntl(b->num, F_GETFL, 0);
|
|
fcntl(b->num, F_SETFL, O_NONBLOCK);
|
|
- n = recvmsg(b->num, &msg, MSG_PEEK);
|
|
+ n = recvmsg(b->num, &msg, MSG_PEEK|MSG_CMSG_CLOEXEC);
|
|
fcntl(b->num, F_SETFL, sockflags);
|
|
|
|
/* if notification, process and try again */
|
|
@@ -1951,7 +1951,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b)
|
|
msg.msg_control = NULL;
|
|
msg.msg_controllen = 0;
|
|
msg.msg_flags = 0;
|
|
- n = recvmsg(b->num, &msg, 0);
|
|
+ n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
|
|
|
|
if (data->handle_notifications != NULL)
|
|
data->handle_notifications(b, data->notification_context,
|
|
Index: crypto/bio/bss_file.c
|
|
===================================================================
|
|
--- crypto/bio/bss_file.c.orig 2015-12-05 00:04:11.292027383 +0100
|
|
+++ crypto/bio/bss_file.c 2015-12-05 00:04:49.780566910 +0100
|
|
@@ -118,6 +118,10 @@ static BIO_METHOD methods_filep = {
|
|
static FILE *file_fopen(const char *filename, const char *mode)
|
|
{
|
|
FILE *file = NULL;
|
|
+ size_t modelen = strlen (mode);
|
|
+ char newmode[modelen + 2];
|
|
+
|
|
+ memcpy (mempcpy (newmode, mode, modelen), "e", 2);
|
|
|
|
# if defined(_WIN32) && defined(CP_UTF8)
|
|
int sz, len_0 = (int)strlen(filename) + 1;
|
|
@@ -161,7 +165,7 @@ static FILE *file_fopen(const char *file
|
|
file = fopen(filename, mode);
|
|
}
|
|
# else
|
|
- file = fopen(filename, mode);
|
|
+ file = fopen(filename, newmode);
|
|
# endif
|
|
return (file);
|
|
}
|
|
@@ -282,7 +286,7 @@ static long MS_CALLBACK file_ctrl(BIO *b
|
|
long ret = 1;
|
|
FILE *fp = (FILE *)b->ptr;
|
|
FILE **fpp;
|
|
- char p[4];
|
|
+ char p[5];
|
|
|
|
switch (cmd) {
|
|
case BIO_C_FILE_SEEK:
|
|
@@ -393,6 +397,7 @@ static long MS_CALLBACK file_ctrl(BIO *b
|
|
else
|
|
strcat(p, "t");
|
|
# endif
|
|
+ strcat(p, "e");
|
|
fp = file_fopen(ptr, p);
|
|
if (fp == NULL) {
|
|
SYSerr(SYS_F_FOPEN, get_last_sys_error());
|
|
Index: crypto/rand/rand_unix.c
|
|
===================================================================
|
|
--- crypto/rand/rand_unix.c.orig 2015-12-05 00:04:11.292027383 +0100
|
|
+++ crypto/rand/rand_unix.c 2015-12-05 00:04:13.285055314 +0100
|
|
@@ -269,7 +269,7 @@ int RAND_poll(void)
|
|
|
|
for (i = 0; (i < sizeof(randomfiles) / sizeof(randomfiles[0])) &&
|
|
(n < ENTROPY_NEEDED); i++) {
|
|
- if ((fd = open(randomfiles[i], O_RDONLY
|
|
+ if ((fd = open(randomfiles[i], O_RDONLY|O_CLOEXEC
|
|
# ifdef O_NONBLOCK
|
|
| O_NONBLOCK
|
|
# endif
|
|
Index: crypto/rand/randfile.c
|
|
===================================================================
|
|
--- crypto/rand/randfile.c.orig 2015-12-05 00:04:11.293027397 +0100
|
|
+++ crypto/rand/randfile.c 2015-12-05 00:04:13.285055314 +0100
|
|
@@ -147,7 +147,7 @@ int RAND_load_file(const char *file, lon
|
|
#ifdef OPENSSL_SYS_VMS
|
|
in = vms_fopen(file, "rb", VMS_OPEN_ATTRS);
|
|
#else
|
|
- in = fopen(file, "rb");
|
|
+ in = fopen(file, "rbe");
|
|
#endif
|
|
if (in == NULL)
|
|
goto err;
|
|
@@ -225,7 +225,7 @@ int RAND_write_file(const char *file)
|
|
* chmod(..., 0600) is too late to protect the file, permissions
|
|
* should be restrictive from the start
|
|
*/
|
|
- int fd = open(file, O_WRONLY | O_CREAT | O_BINARY, 0600);
|
|
+ int fd = open(file, O_WRONLY | O_CREAT | O_BINARY | O_CLOEXEC, 0600);
|
|
if (fd != -1)
|
|
out = fdopen(fd, "wb");
|
|
}
|
|
@@ -255,7 +255,7 @@ int RAND_write_file(const char *file)
|
|
out = vms_fopen(file, "wb", VMS_OPEN_ATTRS);
|
|
#else
|
|
if (out == NULL)
|
|
- out = fopen(file, "wb");
|
|
+ out = fopen(file, "wbe");
|
|
#endif
|
|
if (out == NULL)
|
|
goto err;
|