9f18cdd3d8
- openssl 1.0.1k release bsc#912294 CVE-2014-3571: Fix DTLS segmentation fault in dtls1_get_record. bsc#912292 CVE-2015-0206: Fix DTLS memory leak in dtls1_buffer_record. bsc#911399 CVE-2014-3569: Fix issue where no-ssl3 configuration sets method to NULL. bsc#912015 CVE-2014-3572: Abort handshake if server key exchange message is omitted for ephemeral ECDH ciphersuites. bsc#912014 CVE-2015-0204: Remove non-export ephemeral RSA code on client and server. bsc#912293 CVE-2015-0205: Fixed issue where DH client certificates are accepted without verification. bsc#912018 CVE-2014-8275: Fix various certificate fingerprint issues. bsc#912296 CVE-2014-3570: Correct Bignum squaring. and other bugfixes. - openssl.keyring: use Matt Caswell's current key. pub 2048R/0E604491 2013-04-30 uid Matt Caswell <frodo@baggins.org> uid Matt Caswell <matt@openssl.org> sub 2048R/E3C21B70 2013-04-30 - openssl-1.0.1e-fips.patch: rediffed - openssl-1.0.1i-noec2m-fix.patch: removed (upstream) - openssl-ocloexec.patch: rediffed OBS-URL: https://build.opensuse.org/request/show/280570 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=124
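--- a/crypto/bio/b_sock.c
+++ b/crypto/bio/b_sock.c
@@ -735,7 +735,7 @@ int BIO_get_accept_socket(char *host, in
 }
 
 again:
- s=socket(server.sa.sa_family,SOCK_STREAM,SOCKET_PROTOCOL);
+ s=socket(server.sa.sa_family,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL);
 if (s == INVALID_SOCKET)
 {
 SYSerr(SYS_F_SOCKET,get_last_socket_error());
@@ -784,7 +784,7 @@ again:
 }
 else goto err;
 }
- cs=socket(client.sa.sa_family,SOCK_STREAM,SOCKET_PROTOCOL);
+ cs=socket(client.sa.sa_family,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL);
 if (cs != INVALID_SOCKET)
 {
 int ii;
@@ -866,7 +866,7 @@ int BIO_accept(int sock, char **addr)
 sa.len.s=0;
 sa.len.i=sizeof(sa.from);
 memset(&sa.from,0,sizeof(sa.from));
- ret=accept(sock,&sa.from.sa,(void *)&sa.len);
+ ret=accept4(sock, &sa.from.sa, (void *)&sa.len, SOCK_CLOEXEC);
 if (sizeof(sa.len.i)!=sizeof(sa.len.s) && sa.len.i==0)
 {
 OPENSSL_assert(sa.len.s<=sizeof(sa.from));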
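Review bot: `accept4()` in the BIO_accept hunk and the `SOCK_CLOEXEC` bit ORed into the `socket()` type in both BIO_get_accept_socket hunks are used with no feature guard, unlike the `#ifdef O_NONBLOCK` pattern this package uses for open() flags, so any build against a libc that lacks them fails at compile time; the same applies to the conn_state hunk in bss_conn.c. If a fallback is ever added, note that `accept()` followed by `fcntl(fd, F_SETFD, FD_CLOEXEC)` leaves a window in which a concurrent fork+exec in another thread inherits the new descriptor, which is the leak this patch exists to close, so the fallback should be documented as best-effort rather than equivalent. A minimal guard for the socket() sites is `#ifndef SOCK_CLOEXEC` / `#define SOCK_CLOEXEC 0` / `#endif`; accept4() has no such trivial substitute and would need a real `#ifdef` branch. Both BIO_get_accept_socket and BIO_accept start and end outside these hunks.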
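--- a/crypto/bio/bss_conn.c
+++ b/crypto/bio/bss_conn.c
@@ -209,7 +209,7 @@ static int conn_state(BIO *b, BIO_CONNEC
 c->them.sin_addr.s_addr=htonl(l);
 c->state=BIO_CONN_S_CREATE_SOCKET;
 
- ret=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
+ ret=socket(AF_INET,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL);
 if (ret == INVALID_SOCKET)
 {
 SYSerr(SYS_F_SOCKET,get_last_socket_error());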
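--- a/crypto/bio/bss_dgram.c
+++ b/crypto/bio/bss_dgram.c
@@ -1101,7 +1101,7 @@ static int dgram_sctp_read(BIO *b, char
 msg.msg_control = cmsgbuf;
 msg.msg_controllen = 512;
 msg.msg_flags = 0;
- n = recvmsg(b->num, &msg, 0);
+ n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
 
 if (n <= 0)
 {
@@ -1688,7 +1688,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
 msg.msg_controllen = 0;
 msg.msg_flags = 0;
 
- n = recvmsg(b->num, &msg, MSG_PEEK);
+ n = recvmsg(b->num, &msg, MSG_PEEK| MSG_CMSG_CLOEXEC);
 if (n <= 0)
 {
 if ((n < 0) && (get_last_socket_error() != EAGAIN) && (get_last_socket_error() != EWOULDBLOCK))
@@ -1711,7 +1711,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
 msg.msg_controllen = 0;
 msg.msg_flags = 0;
 
- n = recvmsg(b->num, &msg, 0);
+ n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
 if (n <= 0)
 {
 if ((n < 0) && (get_last_socket_error() != EAGAIN) && (get_last_socket_error() != EWOULDBLOCK))
@@ -1772,7 +1772,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
 fcntl(b->num, F_SETFL, O_NONBLOCK);
 }
 
- n = recvmsg(b->num, &msg, MSG_PEEK);
+ n = recvmsg(b->num, &msg, MSG_PEEK | MSG_CMSG_CLOEXEC);
 
 if (is_dry)
 {
@@ -1816,7 +1816,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b)
 
 sockflags = fcntl(b->num, F_GETFL, 0);
 fcntl(b->num, F_SETFL, O_NONBLOCK);
- n = recvmsg(b->num, &msg, MSG_PEEK);
+ n = recvmsg(b->num, &msg, MSG_PEEK | MSG_CMSG_CLOEXEC);
 fcntl(b->num, F_SETFL, sockflags);
 
 /* if notification, process and try again */
@@ -1837,7 +1837,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b)
 msg.msg_control = NULL;
 msg.msg_controllen = 0;
 msg.msg_flags = 0;
- n = recvmsg(b->num, &msg, 0);
+ n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
 
 if (data->handle_notifications != NULL)
 data->handle_notifications(b, data->notification_context, (void*) &snp);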
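Review bot: `MSG_CMSG_CLOEXEC` only affects descriptors delivered as SCM_RIGHTS ancillary data, and in the BIO_dgram_sctp_wait_for_dry and BIO_dgram_sctp_msg_waiting hunks `msg.msg_controllen` is 0 (and `msg_control` NULL in the -1837 hunk), so no ancillary data can arrive and the flag is a no-op there; it does nothing to make the socket `b->num` itself close-on-exec, which presumably has to happen where that descriptor is created, outside these hunks. The dgram_sctp_read hunk does pass a 512-byte control buffer, but on an SCTP socket that buffer carries SCTP notifications rather than passed descriptors as far as this code shows, so the flag is harmless rather than protective. Stylistically, `MSG_PEEK| MSG_CMSG_CLOEXEC` in the -1688 hunk should match the `MSG_PEEK | MSG_CMSG_CLOEXEC` spacing used in the -1772 and -1816 hunks. If the flag is kept, a `#ifndef MSG_CMSG_CLOEXEC` / `#define MSG_CMSG_CLOEXEC 0` / `#endif` near the top of the file keeps non-glibc builds compiling. All three enclosing functions start and end outside these hunks.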
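--- a/crypto/bio/bss_file.c
+++ b/crypto/bio/bss_file.c
@@ -120,6 +120,10 @@ BIO *BIO_new_file(const char *filename,
 {
 BIO *ret;
 FILE *file=NULL;
+ size_t modelen = strlen (mode);
+ char newmode[modelen + 2];
+
+ memcpy (mempcpy (newmode, mode, modelen), "e", 2);
 
 #if defined(_WIN32) && defined(CP_UTF8)
 int sz, len_0 = (int)strlen(filename)+1;
@@ -162,7 +166,7 @@ BIO *BIO_new_file(const char *filename,
 file = fopen(filename,mode);
 }
 #else
- file=fopen(filename,mode);
+ file=fopen(filename,newmode);
 #endif
 if (file == NULL)
 {
@@ -275,7 +279,7 @@ static long MS_CALLBACK file_ctrl(BIO *b
 long ret=1;
 FILE *fp=(FILE *)b->ptr;
 FILE **fpp;
- char p[4];
+ char p[5];
 
 switch (cmd)
 {
@@ -392,6 +396,8 @@ static long MS_CALLBACK file_ctrl(BIO *b
 else
 strcat(p,"t");
 #endif
+ strcat(p, "e");
+
 fp=fopen(ptr,p);
 if (fp == NULL)
 {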
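Review bot: `char newmode[modelen + 2]` in the BIO_new_file hunk is a VLA sized by the caller-supplied `mode` string with no upper bound, and `mempcpy` is a GNU extension, whereas a valid fopen mode is only a few characters; a fixed buffer with a length check is both bounded and portable: `char newmode[8];` / `if (modelen + 2 > sizeof newmode) return NULL;` / `memcpy(newmode, mode, modelen); memcpy(newmode + modelen, "e", 2);` (raising an error the way the `file == NULL` path below presumably does). The buffer is also built before the `#if defined(_WIN32) && defined(CP_UTF8)` branch, which still calls `fopen(filename,mode)`, so on that configuration `newmode` would be computed and never used; that path is likely irrelevant for this package but a short comment saying the `e` mode flag is a glibc extension mapping to O_CLOEXEC would save the next reader the lookup. The file_ctrl change to `char p[5]` is sufficient for the longest mode the code can build plus the appended `e` and terminator. BIO_new_file and file_ctrl both continue outside these hunks.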
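--- a/crypto/rand/rand_unix.c
+++ b/crypto/rand/rand_unix.c
@@ -262,7 +262,7 @@ int RAND_poll(void)
 for (i = 0; (i < sizeof(randomfiles)/sizeof(randomfiles[0])) &&
 (n < ENTROPY_NEEDED); i++)
 {
- if ((fd = open(randomfiles[i], O_RDONLY
+ if ((fd = open(randomfiles[i], O_RDONLY | O_CLOEXEC
 #ifdef O_NONBLOCK
 |O_NONBLOCK
 #endif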
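Review bot: `O_CLOEXEC` is ORed directly into the `O_RDONLY` line in RAND_poll while the adjacent `O_NONBLOCK` flag is wrapped in `#ifdef`, so this one flag breaks the existing guard convention and fails to compile wherever `<fcntl.h>` does not define it. Following the surrounding style keeps the hunk self-consistent: `#ifdef O_CLOEXEC` / `|O_CLOEXEC` / `#endif` inserted after the `O_RDONLY` line, next to the `O_NONBLOCK` block. The flag is still worth having even though the entropy-device descriptor is presumably short-lived, since the window it closes is a concurrent fork+exec in another thread while the file is open. RAND_poll starts and ends outside this hunk.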
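--- a/crypto/rand/randfile.c
+++ b/crypto/rand/randfile.c
@@ -137,7 +137,7 @@ int RAND_load_file(const char *file, lon
 #ifdef OPENSSL_SYS_VMS
 in=vms_fopen(file,"rb",VMS_OPEN_ATTRS);
 #else
- in=fopen(file,"rb");
+ in=fopen(file,"rbe");
 #endif
 if (in == NULL) goto err;
 #if defined(S_IFBLK) && defined(S_IFCHR) && !defined(OPENSSL_NO_POSIX_IO)
@@ -210,7 +210,7 @@ int RAND_write_file(const char *file)
 #endif
 /* chmod(..., 0600) is too late to protect the file,
 * permissions should be restrictive from the start */
- int fd = open(file, O_WRONLY|O_CREAT|O_BINARY, 0600);
+ int fd = open(file, O_WRONLY|O_CREAT|O_BINARY|O_CLOEXEC, 0600);
 if (fd != -1)
 out = fdopen(fd, "wb");
 }
@@ -241,7 +241,7 @@ int RAND_write_file(const char *file)
 out = vms_fopen(file,"wb",VMS_OPEN_ATTRS);
 #else
 if (out == NULL)
- out = fopen(file,"wb");
+ out = fopen(file,"wbe");
 #endif
 if (out == NULL) goto err;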
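Review bot: The `"rbe"` and `"wbe"` mode strings in RAND_load_file and RAND_write_file depend on the glibc-specific `e` fopen flag; a C library that rejects unknown mode characters would make fopen fail and both functions would take `goto err`, silently losing seed-file loading and saving, so the sites deserve a comment such as `/* 'e' = O_CLOEXEC (glibc extension): keep the seed file out of exec'd children */`. The `O_CLOEXEC` added to the `open()` call in the -210 hunk is likewise unguarded; if the file already defaults `O_BINARY` to 0 when undefined, the same `#ifndef O_CLOEXEC` / `#define O_CLOEXEC 0` / `#endif` treatment keeps the open() path building everywhere. Making the seed file close-on-exec is worthwhile in its own right, since a descriptor to a 0600 RNG state file inherited by a less-privileged child is exactly the kind of leak the 0600 mode on the preceding lines is meant to prevent. Both functions continue outside these hunks.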