From 66d6e487093d30df81e7b6ba920289bcd42a7408c257b5e1652b365d0b3a6ec3 Mon Sep 17 00:00:00 2001 
From: Stephan Kulow Date: Wed, 18 Jun 2014 05:47:41 +0000 Subject: [PATCH] Accepting request 236989 from Base:System NOTE: I submitted perl-Net-SSLeay 1.64 update to devel:languages:perl which fixes its regression. - updated openssl to 1.0.1h (bnc#880891): - CVE-2014-0224: Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. - CVE-2014-0221: Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse, eventually crashing in a DoS attack. - CVE-2014-0195: Fix DTLS invalid fragment vulnerability. A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. - CVE-2014-3470: Fix bug in TLS code where clients that enable anonymous ECDH ciphersuites are subject to a denial of service attack. - openssl-buffreelistbug-aka-CVE-2010-5298.patch: removed, upstream - CVE-2014-0198.patch: removed, upstream - 0009-Fix-double-frees.patch: removed, upstream - 0012-Fix-eckey_priv_encode.patch: removed, upstream - 0017-Double-free-in-i2o_ECPublicKey.patch: removed, upstream - 0018-fix-coverity-issues-966593-966596.patch: removed, upstream - 0020-Initialize-num-properly.patch: removed, upstream - 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch: removed, upstream - 0023-evp-prevent-underflow-in-base64-decoding.patch: removed, upstream - 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch: removed, upstream - 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch: removed, upstream - 0001-libcrypto-Hide-library-private-symbols.patch: disabled heartbeat testcase - openssl-1.0.1c-ipv6-apps.patch: refreshed - openssl-fix-pod-syntax.diff: some stuff merged upstream, refreshed - Added new SUSE default cipher suite openssl-1.0.1e-add-suse-default-cipher.patch OBS-URL: 
https://build.opensuse.org/request/show/236989 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=118 --- ...bcrypto-Hide-library-private-symbols.patch | 345 ++++++++++----- 0009-Fix-double-frees.patch | 51 --- 0012-Fix-eckey_priv_encode.patch | 26 -- 0017-Double-free-in-i2o_ECPublicKey.patch | 31 -- 0018-fix-coverity-issues-966593-966596.patch | 26 -- 0020-Initialize-num-properly.patch | 27 -- ...ow-concurrent-BN_MONT_CTX_set_locked.patch | 85 ---- ...prevent-underflow-in-base64-decoding.patch | 30 -- ...er-dereference-in-PKCS7_dataDecode-r.patch | 63 --- ...ue-966597-error-line-is-not-always-i.patch | 49 --- CVE-2014-0198.patch | 15 - openssl-1.0.1c-ipv6-apps.patch | 31 +- ....0.1e-add-suse-default-cipher-header.patch | 16 + openssl-1.0.1e-add-suse-default-cipher.patch | 39 ++ ...e-add-test-suse-default-cipher-suite.patch | 30 ++ openssl-1.0.1g.tar.gz | 3 - openssl-1.0.1g.tar.gz.asc | 17 - openssl-1.0.1h.tar.gz | 3 + openssl-1.0.1h.tar.gz.asc | 17 + ...ssl-buffreelistbug-aka-CVE-2010-5298.patch | 13 - openssl-fix-pod-syntax.diff | 411 +----------------- openssl.changes | 40 ++ openssl.spec | 31 +- 23 files changed, 419 insertions(+), 980 deletions(-) delete mode 100644 0009-Fix-double-frees.patch delete mode 100644 0012-Fix-eckey_priv_encode.patch delete mode 100644 0017-Double-free-in-i2o_ECPublicKey.patch delete mode 100644 0018-fix-coverity-issues-966593-966596.patch delete mode 100644 0020-Initialize-num-properly.patch delete mode 100644 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch delete mode 100644 0023-evp-prevent-underflow-in-base64-decoding.patch delete mode 100644 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch delete mode 100644 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch delete mode 100644 CVE-2014-0198.patch create mode 100644 openssl-1.0.1e-add-suse-default-cipher-header.patch create mode 100644 openssl-1.0.1e-add-suse-default-cipher.patch create mode 100644 
openssl-1.0.1e-add-test-suse-default-cipher-suite.patch delete mode 100644 openssl-1.0.1g.tar.gz delete mode 100644 openssl-1.0.1g.tar.gz.asc create mode 100644 openssl-1.0.1h.tar.gz create mode 100644 openssl-1.0.1h.tar.gz.asc delete mode 100644 openssl-buffreelistbug-aka-CVE-2010-5298.patch diff --git a/0001-libcrypto-Hide-library-private-symbols.patch b/0001-libcrypto-Hide-library-private-symbols.patch index edec3f4..1e43037 100644 --- a/0001-libcrypto-Hide-library-private-symbols.patch +++ b/0001-libcrypto-Hide-library-private-symbols.patch @@ -37,8 +37,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols crypto/x509v3/pcy_int.h | 3 +++ 31 files changed, 85 insertions(+), 17 deletions(-) ---- openssl-1.0.1g.orig/apps/Makefile -+++ openssl-1.0.1g/apps/Makefile +Index: openssl-1.0.1h/apps/Makefile +=================================================================== +--- openssl-1.0.1h.orig/apps/Makefile ++++ openssl-1.0.1h/apps/Makefile @@ -20,7 +20,7 @@ EXE_EXT= SHLIB_TARGET= @@ -48,8 +50,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols GENERAL=Makefile makeapps.com install.com ---- openssl-1.0.1g.orig/crypto/asn1/asn1_locl.h -+++ openssl-1.0.1g/crypto/asn1/asn1_locl.h +Index: openssl-1.0.1h/crypto/asn1/asn1_locl.h +=================================================================== +--- openssl-1.0.1h.orig/crypto/asn1/asn1_locl.h ++++ openssl-1.0.1h/crypto/asn1/asn1_locl.h @@ -58,6 +58,8 @@ /* Internal ASN1 structures and functions: not for application use */ @@ -65,8 +69,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols }; + +#pragma GCC visibility pop ---- openssl-1.0.1g.orig/crypto/bn/bn_lcl.h -+++ openssl-1.0.1g/crypto/bn/bn_lcl.h +Index: openssl-1.0.1h/crypto/bn/bn_lcl.h +=================================================================== +--- openssl-1.0.1h.orig/crypto/bn/bn_lcl.h ++++ openssl-1.0.1h/crypto/bn/bn_lcl.h @@ -483,6 +483,8 @@ extern "C" { #undef bn_div_words #endif 
@@ -85,8 +91,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols #ifdef __cplusplus } #endif ---- openssl-1.0.1g.orig/crypto/camellia/cmll_locl.h -+++ openssl-1.0.1g/crypto/camellia/cmll_locl.h +Index: openssl-1.0.1h/crypto/camellia/cmll_locl.h +=================================================================== +--- openssl-1.0.1h.orig/crypto/camellia/cmll_locl.h ++++ openssl-1.0.1h/crypto/camellia/cmll_locl.h @@ -68,6 +68,8 @@ #ifndef HEADER_CAMELLIA_LOCL_H #define HEADER_CAMELLIA_LOCL_H @@ -102,8 +110,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols CAMELLIA_KEY *key); +#pragma GCC visibility pop #endif /* #ifndef HEADER_CAMELLIA_LOCL_H */ ---- openssl-1.0.1g.orig/crypto/cast/cast_lcl.h -+++ openssl-1.0.1g/crypto/cast/cast_lcl.h +Index: openssl-1.0.1h/crypto/cast/cast_lcl.h +=================================================================== +--- openssl-1.0.1h.orig/crypto/cast/cast_lcl.h ++++ openssl-1.0.1h/crypto/cast/cast_lcl.h @@ -217,6 +217,7 @@ } #endif @@ -117,8 +127,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols extern const CAST_LONG CAST_S_table6[256]; extern const CAST_LONG CAST_S_table7[256]; +#pragma GCC visibility pop ---- openssl-1.0.1g.orig/crypto/cms/cms_lcl.h -+++ openssl-1.0.1g/crypto/cms/cms_lcl.h +Index: openssl-1.0.1h/crypto/cms/cms_lcl.h +=================================================================== +--- openssl-1.0.1h.orig/crypto/cms/cms_lcl.h ++++ openssl-1.0.1h/crypto/cms/cms_lcl.h @@ -426,6 +426,8 @@ DECLARE_ASN1_ALLOC_FUNCTIONS(CMS_IssuerA #define CMS_RECIPINFO_ISSUER_SERIAL 0 #define CMS_RECIPINFO_KEYIDENTIFIER 1 
@@ -138,8 +150,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols #ifdef __cplusplus } #endif ---- openssl-1.0.1g.orig/crypto/des/des_locl.h -+++ openssl-1.0.1g/crypto/des/des_locl.h +Index: openssl-1.0.1h/crypto/des/des_locl.h +=================================================================== +--- openssl-1.0.1h.orig/crypto/des/des_locl.h ++++ openssl-1.0.1h/crypto/des/des_locl.h @@ -421,10 +421,12 @@ PERM_OP(l,r,tt, 4,0x0f0f0f0fL); \ } @@ -153,16 +167,20 @@ Subject: [PATCH] libcrypto: Hide library-private symbols #ifdef OPENSSL_SMALL_FOOTPRINT #undef DES_UNROLL ---- openssl-1.0.1g.orig/crypto/dsa/dsa_locl.h -+++ openssl-1.0.1g/crypto/dsa/dsa_locl.h +Index: openssl-1.0.1h/crypto/dsa/dsa_locl.h +=================================================================== +--- openssl-1.0.1h.orig/crypto/dsa/dsa_locl.h ++++ openssl-1.0.1h/crypto/dsa/dsa_locl.h @@ -57,4 +57,4 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len, unsigned char *seed_out, - int *counter_ret, unsigned long *h_ret, BN_GENCB *cb); + int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) __attribute__ ((visibility ("hidden"))); ---- openssl-1.0.1g.orig/crypto/ec/ec_lcl.h -+++ openssl-1.0.1g/crypto/ec/ec_lcl.h +Index: openssl-1.0.1h/crypto/ec/ec_lcl.h +=================================================================== +--- openssl-1.0.1h.orig/crypto/ec/ec_lcl.h ++++ openssl-1.0.1h/crypto/ec/ec_lcl.h @@ -88,6 +88,8 @@ /* Structure details are not part of the exported interface, * so all this may change in future versions. */ 
@@ -178,8 +196,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols #endif + +#pragma GCC visibility pop ---- openssl-1.0.1g.orig/crypto/ecdh/ech_locl.h -+++ openssl-1.0.1g/crypto/ecdh/ech_locl.h +Index: openssl-1.0.1h/crypto/ecdh/ech_locl.h +=================================================================== +--- openssl-1.0.1h.orig/crypto/ecdh/ech_locl.h ++++ openssl-1.0.1h/crypto/ecdh/ech_locl.h @@ -58,6 +58,8 @@ #include @@ -196,8 +216,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols - +#pragma GCC visibility pop #endif /* HEADER_ECH_LOCL_H */ ---- openssl-1.0.1g.orig/crypto/ecdsa/ecs_locl.h -+++ openssl-1.0.1g/crypto/ecdsa/ecs_locl.h +Index: openssl-1.0.1h/crypto/ecdsa/ecs_locl.h +=================================================================== +--- openssl-1.0.1h.orig/crypto/ecdsa/ecs_locl.h ++++ openssl-1.0.1h/crypto/ecdsa/ecs_locl.h @@ -61,6 +61,8 @@ #include @@ -214,8 +236,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols +#pragma GCC visibility pop + #endif /* HEADER_ECS_LOCL_H */ ---- openssl-1.0.1g.orig/crypto/engine/eng_int.h -+++ openssl-1.0.1g/crypto/engine/eng_int.h +Index: openssl-1.0.1h/crypto/engine/eng_int.h +=================================================================== +--- openssl-1.0.1h.orig/crypto/engine/eng_int.h ++++ openssl-1.0.1h/crypto/engine/eng_int.h @@ -68,6 +68,8 @@ /* Take public definitions from engine.h */ #include @@ -232,8 +256,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols - +#pragma GCC visibility pop #endif /* HEADER_ENGINE_INT_H */ ---- openssl-1.0.1g.orig/crypto/engine/eng_rsax.c -+++ openssl-1.0.1g/crypto/engine/eng_rsax.c +Index: openssl-1.0.1h/crypto/engine/eng_rsax.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/engine/eng_rsax.c ++++ openssl-1.0.1h/crypto/engine/eng_rsax.c 
@@ -262,7 +262,7 @@ static int mod_exp_pre_compute_data_512( void mod_exp_512(UINT64 *result, /* 512 bits, 8 qwords */ UINT64 *g, /* 512 bits, 8 qwords */ @@ -243,8 +269,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols typedef struct st_e_rsax_mod_ctx { ---- openssl-1.0.1g.orig/crypto/evp/e_aes.c -+++ openssl-1.0.1g/crypto/evp/e_aes.c +Index: openssl-1.0.1h/crypto/evp/e_aes.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/evp/e_aes.c ++++ openssl-1.0.1h/crypto/evp/e_aes.c @@ -108,6 +108,8 @@ typedef struct #define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4)) @@ -290,8 +318,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { ---- openssl-1.0.1g.orig/crypto/evp/e_aes_cbc_hmac_sha1.c -+++ openssl-1.0.1g/crypto/evp/e_aes_cbc_hmac_sha1.c +Index: openssl-1.0.1h/crypto/evp/e_aes_cbc_hmac_sha1.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/evp/e_aes_cbc_hmac_sha1.c ++++ openssl-1.0.1h/crypto/evp/e_aes_cbc_hmac_sha1.c @@ -97,6 +97,8 @@ typedef struct extern unsigned int OPENSSL_ia32cap_P[2]; #define AESNI_CAPABLE (1<<(57-32)) @@ -310,8 +340,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols #define data(ctx) ((EVP_AES_HMAC_SHA1 *)(ctx)->cipher_data) static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, ---- openssl-1.0.1g.orig/crypto/evp/evp_locl.h -+++ openssl-1.0.1g/crypto/evp/evp_locl.h +Index: openssl-1.0.1h/crypto/evp/evp_locl.h +=================================================================== +--- openssl-1.0.1h.orig/crypto/evp/evp_locl.h ++++ openssl-1.0.1h/crypto/evp/evp_locl.h @@ -263,6 +263,8 @@ const EVP_CIPHER *EVP_##cname##_ecb(void EVP_CIPHER_get_asn1_iv, \ NULL) 
@@ -330,8 +362,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols #ifdef OPENSSL_FIPS #ifdef OPENSSL_DOING_MAKEDEPEND ---- openssl-1.0.1g.orig/crypto/md4/md4_locl.h -+++ openssl-1.0.1g/crypto/md4/md4_locl.h +Index: openssl-1.0.1h/crypto/md4/md4_locl.h +=================================================================== +--- openssl-1.0.1h.orig/crypto/md4/md4_locl.h ++++ openssl-1.0.1h/crypto/md4/md4_locl.h @@ -65,7 +65,7 @@ #define MD4_LONG_LOG2 2 /* default to 32 bits */ #endif @@ -341,8 +375,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols #define DATA_ORDER_IS_LITTLE_ENDIAN ---- openssl-1.0.1g.orig/crypto/md5/md5_locl.h -+++ openssl-1.0.1g/crypto/md5/md5_locl.h +Index: openssl-1.0.1h/crypto/md5/md5_locl.h +=================================================================== +--- openssl-1.0.1h.orig/crypto/md5/md5_locl.h ++++ openssl-1.0.1h/crypto/md5/md5_locl.h @@ -74,7 +74,7 @@ # endif #endif @@ -352,8 +388,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols #define DATA_ORDER_IS_LITTLE_ENDIAN ---- openssl-1.0.1g.orig/crypto/modes/modes_lcl.h -+++ openssl-1.0.1g/crypto/modes/modes_lcl.h +Index: openssl-1.0.1h/crypto/modes/modes_lcl.h +=================================================================== +--- openssl-1.0.1h.orig/crypto/modes/modes_lcl.h ++++ openssl-1.0.1h/crypto/modes/modes_lcl.h @@ -83,6 +83,8 @@ typedef unsigned char u8; #define PUTU32(p,v) ((p)[0]=(u8)((v)>>24),(p)[1]=(u8)((v)>>16),(p)[2]=(u8)((v)>>8),(p)[3]=(u8)(v)) #endif @@ -369,8 +407,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols }; - +#pragma GCC visibility pop ---- openssl-1.0.1g.orig/crypto/o_str.h -+++ openssl-1.0.1g/crypto/o_str.h +Index: openssl-1.0.1h/crypto/o_str.h +=================================================================== +--- openssl-1.0.1h.orig/crypto/o_str.h ++++ openssl-1.0.1h/crypto/o_str.h @@ -61,8 +61,12 @@ #include /* to get size_t */ 
@@ -384,8 +424,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols +#pragma GCC visibility pop + #endif ---- openssl-1.0.1g.orig/crypto/o_time.h -+++ openssl-1.0.1g/crypto/o_time.h +Index: openssl-1.0.1h/crypto/o_time.h +=================================================================== +--- openssl-1.0.1h.orig/crypto/o_time.h ++++ openssl-1.0.1h/crypto/o_time.h @@ -61,7 +61,11 @@ #include @@ -398,8 +440,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols +#pragma GCC visibility pop + #endif ---- openssl-1.0.1g.orig/crypto/ripemd/rmd_locl.h -+++ openssl-1.0.1g/crypto/ripemd/rmd_locl.h +Index: openssl-1.0.1h/crypto/ripemd/rmd_locl.h +=================================================================== +--- openssl-1.0.1h.orig/crypto/ripemd/rmd_locl.h ++++ openssl-1.0.1h/crypto/ripemd/rmd_locl.h @@ -76,7 +76,7 @@ # endif #endif @@ -409,16 +453,20 @@ Subject: [PATCH] libcrypto: Hide library-private symbols #define DATA_ORDER_IS_LITTLE_ENDIAN ---- openssl-1.0.1g.orig/crypto/rsa/rsa_locl.h -+++ openssl-1.0.1g/crypto/rsa/rsa_locl.h +Index: openssl-1.0.1h/crypto/rsa/rsa_locl.h +=================================================================== +--- openssl-1.0.1h.orig/crypto/rsa/rsa_locl.h ++++ openssl-1.0.1h/crypto/rsa/rsa_locl.h @@ -1,4 +1,4 @@ extern int int_rsa_verify(int dtype, const unsigned char *m, unsigned int m_len, unsigned char *rm, size_t *prm_len, const unsigned char *sigbuf, size_t siglen, - RSA *rsa); + RSA *rsa) __attribute__ ((visibility ("hidden"))); ---- openssl-1.0.1g.orig/crypto/sha/sha256.c -+++ openssl-1.0.1g/crypto/sha/sha256.c +Index: openssl-1.0.1h/crypto/sha/sha256.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/sha/sha256.c ++++ openssl-1.0.1h/crypto/sha/sha256.c @@ -110,7 +110,7 @@ int SHA224_Final (unsigned char *md, SHA #ifndef SHA256_ASM static 
@@ -428,8 +476,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols #include "md32_common.h" ---- openssl-1.0.1g.orig/crypto/sha/sha512.c -+++ openssl-1.0.1g/crypto/sha/sha512.c +Index: openssl-1.0.1h/crypto/sha/sha512.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/sha/sha512.c ++++ openssl-1.0.1h/crypto/sha/sha512.c @@ -94,7 +94,7 @@ fips_md_init(SHA512) #ifndef SHA512_ASM static @@ -439,8 +489,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols int SHA512_Final (unsigned char *md, SHA512_CTX *c) { ---- openssl-1.0.1g.orig/crypto/sha/sha_locl.h -+++ openssl-1.0.1g/crypto/sha/sha_locl.h +Index: openssl-1.0.1h/crypto/sha/sha_locl.h +=================================================================== +--- openssl-1.0.1h.orig/crypto/sha/sha_locl.h ++++ openssl-1.0.1h/crypto/sha/sha_locl.h @@ -108,7 +108,7 @@ static void sha_block_data_order (SHA_CT #ifndef SHA1_ASM static @@ -450,8 +502,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols #else # error "Either SHA_0 or SHA_1 must be defined." ---- openssl-1.0.1g.orig/crypto/store/str_locl.h -+++ openssl-1.0.1g/crypto/store/str_locl.h +Index: openssl-1.0.1h/crypto/store/str_locl.h +=================================================================== +--- openssl-1.0.1h.orig/crypto/store/str_locl.h ++++ openssl-1.0.1h/crypto/store/str_locl.h @@ -62,6 +62,8 @@ #include #include @@ -468,8 +522,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols - +#pragma GCC visibility pop #endif ---- openssl-1.0.1g.orig/crypto/ui/ui_locl.h -+++ openssl-1.0.1g/crypto/ui/ui_locl.h +Index: openssl-1.0.1h/crypto/ui/ui_locl.h +=================================================================== +--- openssl-1.0.1h.orig/crypto/ui/ui_locl.h ++++ openssl-1.0.1h/crypto/ui/ui_locl.h @@ -66,6 +66,8 @@ #undef _ #endif 
@@ -486,15 +542,19 @@ Subject: [PATCH] libcrypto: Hide library-private symbols - +#pragma GCC visibility pop #endif ---- openssl-1.0.1g.orig/crypto/whrlpool/wp_locl.h -+++ openssl-1.0.1g/crypto/whrlpool/wp_locl.h +Index: openssl-1.0.1h/crypto/whrlpool/wp_locl.h +=================================================================== +--- openssl-1.0.1h.orig/crypto/whrlpool/wp_locl.h ++++ openssl-1.0.1h/crypto/whrlpool/wp_locl.h @@ -1,3 +1,3 @@ #include -void whirlpool_block(WHIRLPOOL_CTX *,const void *,size_t); +void whirlpool_block(WHIRLPOOL_CTX *,const void *,size_t) __attribute__ ((visibility ("hidden"))); ---- openssl-1.0.1g.orig/crypto/x509v3/ext_dat.h -+++ openssl-1.0.1g/crypto/x509v3/ext_dat.h +Index: openssl-1.0.1h/crypto/x509v3/ext_dat.h +=================================================================== +--- openssl-1.0.1h.orig/crypto/x509v3/ext_dat.h ++++ openssl-1.0.1h/crypto/x509v3/ext_dat.h @@ -57,6 +57,8 @@ */ /* This file contains a table of "standard" extensions */ @@ -512,8 +572,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols /* Number of standard extensions */ #define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *)) ---- openssl-1.0.1g.orig/crypto/x509v3/pcy_int.h -+++ openssl-1.0.1g/crypto/x509v3/pcy_int.h +Index: openssl-1.0.1h/crypto/x509v3/pcy_int.h +=================================================================== +--- openssl-1.0.1h.orig/crypto/x509v3/pcy_int.h ++++ openssl-1.0.1h/crypto/x509v3/pcy_int.h @@ -56,6 +56,7 @@ * */ @@ -528,8 +590,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols const X509_POLICY_CACHE *policy_cache_set(X509 *x); + +#pragma GCC visibility pop ---- openssl-1.0.1g.orig/crypto/modes/gcm128.c -+++ openssl-1.0.1g/crypto/modes/gcm128.c +Index: openssl-1.0.1h/crypto/modes/gcm128.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/modes/gcm128.c ++++ openssl-1.0.1h/crypto/modes/gcm128.c 
@@ -567,8 +567,8 @@ static void gcm_ghash_4bit(u64 Xi[2],con } #endif @@ -554,8 +618,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols # if defined(__i386) || defined(__i386__) || defined(_M_IX86) # define GHASH_ASM_X86 ---- openssl-1.0.1g.orig/crypto/evp/e_rc4_hmac_md5.c -+++ openssl-1.0.1g/crypto/evp/e_rc4_hmac_md5.c +Index: openssl-1.0.1h/crypto/evp/e_rc4_hmac_md5.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/evp/e_rc4_hmac_md5.c ++++ openssl-1.0.1h/crypto/evp/e_rc4_hmac_md5.c @@ -78,7 +78,7 @@ typedef struct #define NO_PAYLOAD_LENGTH ((size_t)-1) @@ -565,8 +631,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols #define data(ctx) ((EVP_RC4_HMAC_MD5 *)(ctx)->cipher_data) ---- openssl-1.0.1g.orig/crypto/cmac/cm_ameth.c -+++ openssl-1.0.1g/crypto/cmac/cm_ameth.c +Index: openssl-1.0.1h/crypto/cmac/cm_ameth.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/cmac/cm_ameth.c ++++ openssl-1.0.1h/crypto/cmac/cm_ameth.c @@ -73,6 +73,7 @@ static void cmac_key_free(EVP_PKEY *pkey CMAC_CTX_free(cmctx); } @@ -575,8 +643,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols const EVP_PKEY_ASN1_METHOD cmac_asn1_meth = { EVP_PKEY_CMAC, ---- openssl-1.0.1g.orig/crypto/evp/pmeth_lib.c -+++ openssl-1.0.1g/crypto/evp/pmeth_lib.c +Index: openssl-1.0.1h/crypto/evp/pmeth_lib.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/evp/pmeth_lib.c ++++ openssl-1.0.1h/crypto/evp/pmeth_lib.c @@ -70,7 +70,7 @@ typedef int sk_cmp_fn_type(const char * const *a, const char * const *b); 
@@ -586,8 +656,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols extern const EVP_PKEY_METHOD rsa_pkey_meth, dh_pkey_meth, dsa_pkey_meth; extern const EVP_PKEY_METHOD ec_pkey_meth, hmac_pkey_meth, cmac_pkey_meth; ---- openssl-1.0.1g.orig/crypto/cmac/cm_pmeth.c -+++ openssl-1.0.1g/crypto/cmac/cm_pmeth.c +Index: openssl-1.0.1h/crypto/cmac/cm_pmeth.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/cmac/cm_pmeth.c ++++ openssl-1.0.1h/crypto/cmac/cm_pmeth.c @@ -188,6 +188,7 @@ static int pkey_cmac_ctrl_str(EVP_PKEY_C return -2; } @@ -596,8 +668,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols const EVP_PKEY_METHOD cmac_pkey_meth = { EVP_PKEY_CMAC, ---- openssl-1.0.1g.orig/crypto/rand/md_rand.c -+++ openssl-1.0.1g/crypto/rand/md_rand.c +Index: openssl-1.0.1h/crypto/rand/md_rand.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/rand/md_rand.c ++++ openssl-1.0.1h/crypto/rand/md_rand.c @@ -164,7 +164,7 @@ static int ssleay_rand_nopseudo_bytes(un static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num); static int ssleay_rand_status(void); @@ -607,8 +681,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols ssleay_rand_seed, ssleay_rand_nopseudo_bytes, ssleay_rand_cleanup, ---- openssl-1.0.1g.orig/crypto/dh/dh_ameth.c -+++ openssl-1.0.1g/crypto/dh/dh_ameth.c +Index: openssl-1.0.1h/crypto/dh/dh_ameth.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/dh/dh_ameth.c ++++ openssl-1.0.1h/crypto/dh/dh_ameth.c @@ -466,6 +466,7 @@ int DHparams_print(BIO *bp, const DH *x) return do_dh_print(bp, x, 4, NULL, 0); } 
@@ -617,8 +693,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols const EVP_PKEY_ASN1_METHOD dh_asn1_meth = { EVP_PKEY_DH, ---- openssl-1.0.1g.orig/crypto/dh/dh_pmeth.c -+++ openssl-1.0.1g/crypto/dh/dh_pmeth.c +Index: openssl-1.0.1h/crypto/dh/dh_pmeth.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/dh/dh_pmeth.c ++++ openssl-1.0.1h/crypto/dh/dh_pmeth.c @@ -217,6 +217,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX * return 1; } @@ -627,8 +705,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols const EVP_PKEY_METHOD dh_pkey_meth = { EVP_PKEY_DH, ---- openssl-1.0.1g.orig/crypto/dsa/dsa_ameth.c -+++ openssl-1.0.1g/crypto/dsa/dsa_ameth.c +Index: openssl-1.0.1h/crypto/dsa/dsa_ameth.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/dsa/dsa_ameth.c ++++ openssl-1.0.1h/crypto/dsa/dsa_ameth.c @@ -639,7 +639,7 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey, } @@ -638,8 +718,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[] = { ---- openssl-1.0.1g.orig/crypto/dsa/dsa_pmeth.c -+++ openssl-1.0.1g/crypto/dsa/dsa_pmeth.c +Index: openssl-1.0.1h/crypto/dsa/dsa_pmeth.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/dsa/dsa_pmeth.c ++++ openssl-1.0.1h/crypto/dsa/dsa_pmeth.c @@ -281,6 +281,7 @@ static int pkey_dsa_keygen(EVP_PKEY_CTX return DSA_generate_key(pkey->pkey.dsa); } 
@@ -648,9 +730,11 @@ Subject: [PATCH] libcrypto: Hide library-private symbols const EVP_PKEY_METHOD dsa_pkey_meth = { EVP_PKEY_DSA, ---- openssl-1.0.1g.orig/crypto/ec/ec_ameth.c -+++ openssl-1.0.1g/crypto/ec/ec_ameth.c -@@ -625,6 +625,7 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey, +Index: openssl-1.0.1h/crypto/ec/ec_ameth.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/ec/ec_ameth.c ++++ openssl-1.0.1h/crypto/ec/ec_ameth.c +@@ -626,6 +626,7 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey, } @@ -658,8 +742,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols const EVP_PKEY_ASN1_METHOD eckey_asn1_meth = { EVP_PKEY_EC, ---- openssl-1.0.1g.orig/crypto/ec/ec_pmeth.c -+++ openssl-1.0.1g/crypto/ec/ec_pmeth.c +Index: openssl-1.0.1h/crypto/ec/ec_pmeth.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/ec/ec_pmeth.c ++++ openssl-1.0.1h/crypto/ec/ec_pmeth.c @@ -304,6 +304,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX * return EC_KEY_generate_key(pkey->pkey.ec); } @@ -668,8 +754,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols const EVP_PKEY_METHOD ec_pkey_meth = { EVP_PKEY_EC, ---- openssl-1.0.1g.orig/crypto/hmac/hm_ameth.c -+++ openssl-1.0.1g/crypto/hmac/hm_ameth.c +Index: openssl-1.0.1h/crypto/hmac/hm_ameth.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/hmac/hm_ameth.c ++++ openssl-1.0.1h/crypto/hmac/hm_ameth.c @@ -138,6 +138,7 @@ static int old_hmac_encode(const EVP_PKE #endif 
@@ -678,8 +766,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols const EVP_PKEY_ASN1_METHOD hmac_asn1_meth = { EVP_PKEY_HMAC, ---- openssl-1.0.1g.orig/crypto/hmac/hm_pmeth.c -+++ openssl-1.0.1g/crypto/hmac/hm_pmeth.c +Index: openssl-1.0.1h/crypto/hmac/hm_pmeth.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/hmac/hm_pmeth.c ++++ openssl-1.0.1h/crypto/hmac/hm_pmeth.c @@ -235,6 +235,7 @@ static int pkey_hmac_ctrl_str(EVP_PKEY_C return -2; } @@ -688,8 +778,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols const EVP_PKEY_METHOD hmac_pkey_meth = { EVP_PKEY_HMAC, ---- openssl-1.0.1g.orig/crypto/rsa/rsa_ameth.c -+++ openssl-1.0.1g/crypto/rsa/rsa_ameth.c +Index: openssl-1.0.1h/crypto/rsa/rsa_ameth.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/rsa/rsa_ameth.c ++++ openssl-1.0.1h/crypto/rsa/rsa_ameth.c @@ -657,6 +657,7 @@ static int rsa_item_sign(EVP_MD_CTX *ctx return 2; } @@ -698,8 +790,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = { { ---- openssl-1.0.1g.orig/crypto/rsa/rsa_pmeth.c -+++ openssl-1.0.1g/crypto/rsa/rsa_pmeth.c +Index: openssl-1.0.1h/crypto/rsa/rsa_pmeth.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/rsa/rsa_pmeth.c ++++ openssl-1.0.1h/crypto/rsa/rsa_pmeth.c @@ -685,6 +685,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX return ret; } @@ -708,8 +802,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols const EVP_PKEY_METHOD rsa_pkey_meth = { EVP_PKEY_RSA, ---- openssl-1.0.1g.orig/crypto/objects/obj_xref.c -+++ openssl-1.0.1g/crypto/objects/obj_xref.c +Index: openssl-1.0.1h/crypto/objects/obj_xref.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/objects/obj_xref.c ++++ openssl-1.0.1h/crypto/objects/obj_xref.c @@ -60,7 +60,7 @@ #include "obj_xref.h" 
@@ -719,8 +815,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols static int sig_cmp(const nid_triple *a, const nid_triple *b) { ---- openssl-1.0.1g.orig/crypto/pem/pem_lib.c -+++ openssl-1.0.1g/crypto/pem/pem_lib.c +Index: openssl-1.0.1h/crypto/pem/pem_lib.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/pem/pem_lib.c ++++ openssl-1.0.1h/crypto/pem/pem_lib.c @@ -80,7 +80,7 @@ const char PEM_version[]="PEM" OPENSSL_V static int load_iv(char **fromp,unsigned char *to, int num); @@ -730,8 +828,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols int PEM_def_callback(char *buf, int num, int w, void *key) { ---- openssl-1.0.1g.orig/crypto/asn1/tasn_prn.c -+++ openssl-1.0.1g/crypto/asn1/tasn_prn.c +Index: openssl-1.0.1h/crypto/asn1/tasn_prn.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/asn1/tasn_prn.c ++++ openssl-1.0.1h/crypto/asn1/tasn_prn.c @@ -72,7 +72,7 @@ /* ASN1_PCTX routines */ @@ -741,8 +841,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols { ASN1_PCTX_FLAGS_SHOW_ABSENT, /* flags */ 0, /* nm_flags */ ---- openssl-1.0.1g.orig/crypto/bn/bn_exp.c -+++ openssl-1.0.1g/crypto/bn/bn_exp.c +Index: openssl-1.0.1h/crypto/bn/bn_exp.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/bn/bn_exp.c ++++ openssl-1.0.1h/crypto/bn/bn_exp.c @@ -684,11 +684,11 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr { void bn_mul_mont_gather5(BN_ULONG *rp,const BN_ULONG *ap, @@ -758,8 +860,10 @@ Subject: [PATCH] libcrypto: Hide library-private symbols BN_ULONG *np=mont->N.d, *n0=mont->n0; ---- openssl-1.0.1g.orig/crypto/bn/bn_gf2m.c -+++ openssl-1.0.1g/crypto/bn/bn_gf2m.c +Index: openssl-1.0.1h/crypto/bn/bn_gf2m.c +=================================================================== +--- openssl-1.0.1h.orig/crypto/bn/bn_gf2m.c ++++ openssl-1.0.1h/crypto/bn/bn_gf2m.c 
@@ -220,7 +220,7 @@ static void bn_GF2m_mul_2x2(BN_ULONG *r, r[1] = r[3] ^ r[2] ^ r[0] ^ m1 ^ m0; /* l1 ^= l0 ^ h0 ^ m0; */ } @@ -769,3 +873,34 @@ Subject: [PATCH] libcrypto: Hide library-private symbols #endif /* Add polynomials a and b and store result in r; r could be a or b, a and b +Index: openssl-1.0.1h/test/Makefile +=================================================================== +--- openssl-1.0.1h.orig/test/Makefile ++++ openssl-1.0.1h/test/Makefile +@@ -75,7 +75,7 @@ EXE= $(BNTEST)$(EXE_EXT) $(ECTEST)$(EXE_ + $(RANDTEST)$(EXE_EXT) $(DHTEST)$(EXE_EXT) $(ENGINETEST)$(EXE_EXT) \ + $(BFTEST)$(EXE_EXT) $(CASTTEST)$(EXE_EXT) $(SSLTEST)$(EXE_EXT) $(EXPTEST)$(EXE_EXT) $(DSATEST)$(EXE_EXT) $(RSATEST)$(EXE_EXT) \ + $(EVPTEST)$(EXE_EXT) $(IGETEST)$(EXE_EXT) $(JPAKETEST)$(EXE_EXT) $(SRPTEST)$(EXE_EXT) \ +- $(ASN1TEST)$(EXE_EXT) $(HEARTBEATTEST)$(EXE_EXT) ++ $(ASN1TEST)$(EXE_EXT) + + # $(METHTEST)$(EXE_EXT) + +@@ -87,7 +87,7 @@ OBJ= $(BNTEST).o $(ECTEST).o $(ECDSATES + $(MDC2TEST).o $(RMDTEST).o \ + $(RANDTEST).o $(DHTEST).o $(ENGINETEST).o $(CASTTEST).o \ + $(BFTEST).o $(SSLTEST).o $(DSATEST).o $(EXPTEST).o $(RSATEST).o \ +- $(EVPTEST).o $(IGETEST).o $(JPAKETEST).o $(ASN1TEST).o $(HEARTBEATTEST).o ++ $(EVPTEST).o $(IGETEST).o $(JPAKETEST).o $(ASN1TEST).o + + SRC= $(BNTEST).c $(ECTEST).c $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \ + $(MD2TEST).c $(MD4TEST).c $(MD5TEST).c \ +@@ -140,7 +140,7 @@ alltests: \ + test_enc test_x509 test_rsa test_crl test_sid \ + test_gen test_req test_pkcs7 test_verify test_dh test_dsa \ + test_ss test_ca test_engine test_evp test_ssl test_tsa test_ige \ +- test_jpake test_srp test_cms test_heartbeat ++ test_jpake test_srp test_cms + + test_evp: + ../util/shlib_wrap.sh ./$(EVPTEST) evptests.txt diff --git a/0009-Fix-double-frees.patch b/0009-Fix-double-frees.patch deleted file mode 100644 index ac24d4d..0000000 --- a/0009-Fix-double-frees.patch +++ /dev/null 
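Review bot: The new test/Makefile hunk appended to 0001-libcrypto-Hide-library-private-symbols.patch silently removes $(HEARTBEATTEST) from EXE, OBJ and the alltests target, so the packaged build no longer compiles or runs heartbeat_test, which by its name is the upstream regression test for the TLS heartbeat bounds check (CVE-2014-0160) added in 1.0.1h; for a distro build this is exactly the test worth keeping. Neither the hunk nor the patch header says why it is dropped, and bundling it into a symbol-visibility patch hides the reason; presumably the test links against symbols this patch makes hidden, but that is inferred, the commit message only says "disabled heartbeat testcase". At minimum record the reason next to the removal, e.g. a Makefile comment `# heartbeat_test disabled: it links against internal symbols hidden by the visibility patch`, or better, carry it as a separate patch whose header explains the breakage. If the test really cannot link, consider keeping the symbols it needs default-visible in the test build rather than losing the regression coverage; also check that `$(HEARTBEATTEST).c` in the SRC list and the `test_heartbeat:` target further down (both outside this hunk) are handled consistently.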
@@ -1,51 +0,0 @@ -From 9c8dc84ac16a2f21063ae36809d202d0284ecf82 Mon Sep 17 00:00:00 2001 -From: Ben Laurie -Date: Tue, 22 Apr 2014 13:11:56 +0100 -Subject: [PATCH 09/17] Fix double frees. - ---- - CHANGES | 3 ++- - crypto/pkcs7/pk7_doit.c | 1 + - crypto/ts/ts_rsp_verify.c | 1 + - ssl/d1_srvr.c | 1 + - 4 files changed, 5 insertions(+), 1 deletion(-) - -diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c -index 77fda3b..4c12a9d 100644 ---- a/crypto/pkcs7/pk7_doit.c -+++ b/crypto/pkcs7/pk7_doit.c -@@ -928,6 +928,7 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si) - if (EVP_DigestSignUpdate(&mctx,abuf,alen) <= 0) - goto err; - OPENSSL_free(abuf); -+ abuf = NULL; - if (EVP_DigestSignFinal(&mctx, NULL, &siglen) <= 0) - goto err; - abuf = OPENSSL_malloc(siglen); -diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c -index afe16af..b7d170a 100644 ---- a/crypto/ts/ts_rsp_verify.c -+++ b/crypto/ts/ts_rsp_verify.c -@@ -629,6 +629,7 @@ static int TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info, - X509_ALGOR_free(*md_alg); - OPENSSL_free(*imprint); - *imprint_len = 0; -+ *imprint = NULL; - return 0; - } - -diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c -index 9975e20..1384ab0 100644 ---- a/ssl/d1_srvr.c -+++ b/ssl/d1_srvr.c -@@ -1356,6 +1356,7 @@ int dtls1_send_server_key_exchange(SSL *s) - (unsigned char *)encodedPoint, - encodedlen); - OPENSSL_free(encodedPoint); -+ encodedPoint = NULL; - p += encodedlen; - } - #endif --- -1.8.4.5 - diff --git a/0012-Fix-eckey_priv_encode.patch b/0012-Fix-eckey_priv_encode.patch deleted file mode 100644 index 7a41324..0000000 --- a/0012-Fix-eckey_priv_encode.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From f0816174d264b11f6f4ccb41c75883640a2416bb Mon Sep 17 00:00:00 2001 -From: mancha -Date: Thu, 24 Apr 2014 19:06:20 +0000 -Subject: [PATCH 12/17] Fix eckey_priv_encode() - -Fix eckey_priv_encode to return an error on failure of i2d_ECPrivateKey. ---- - CHANGES | 4 ++++ - crypto/ec/ec_ameth.c | 1 + - 2 files changed, 5 insertions(+) - -diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c -index 0ce4524..f715a23 100644 ---- a/crypto/ec/ec_ameth.c -+++ b/crypto/ec/ec_ameth.c -@@ -352,6 +352,7 @@ static int eckey_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) - EC_KEY_set_enc_flags(ec_key, old_flags); - OPENSSL_free(ep); - ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB); -+ return 0; - } - /* restore old encoding flags */ - EC_KEY_set_enc_flags(ec_key, old_flags); --- -1.8.4.5 - diff --git a/0017-Double-free-in-i2o_ECPublicKey.patch b/0017-Double-free-in-i2o_ECPublicKey.patch deleted file mode 100644 index e897722..0000000 --- a/0017-Double-free-in-i2o_ECPublicKey.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 8eb094b9460575a328ba04708147c91fc267b394 Mon Sep 17 00:00:00 2001 -From: David Ramos -Date: Sat, 3 May 2014 12:00:27 +0200 -Subject: [PATCH 17/17] Double free in i2o_ECPublicKey - -PR: 3338 ---- - crypto/ec/ec_asn1.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c -index 145807b..e94f34e 100644 ---- a/crypto/ec/ec_asn1.c -+++ b/crypto/ec/ec_asn1.c -@@ -1435,8 +1435,11 @@ int i2o_ECPublicKey(EC_KEY *a, unsigned char **out) - *out, buf_len, NULL)) - { - ECerr(EC_F_I2O_ECPUBLICKEY, ERR_R_EC_LIB); -- OPENSSL_free(*out); -- *out = NULL; -+ if (new_buffer) -+ { -+ OPENSSL_free(*out); -+ *out = NULL; -+ } - return 0; - } - if (!new_buffer) --- -1.8.4.5 - diff --git a/0018-fix-coverity-issues-966593-966596.patch b/0018-fix-coverity-issues-966593-966596.patch deleted file mode 100644 index b069b17..0000000 --- a/0018-fix-coverity-issues-966593-966596.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From 7b7b18c57e899201338d91083bc49cc8c5a915fc Mon Sep 17 00:00:00 2001 -From: Tim Hudson -Date: Mon, 5 May 2014 06:41:22 +1000 -Subject: [PATCH 18/23] - fix coverity issues 966593-966596 - ---- - crypto/srp/srp_vfy.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c -index 4a3d13e..fdca19f 100644 ---- a/crypto/srp/srp_vfy.c -+++ b/crypto/srp/srp_vfy.c -@@ -93,6 +93,9 @@ static int t_fromb64(unsigned char *a, const char *src) - else a[i] = loc - b64table; - ++i; - } -+ /* if nothing valid to process we have a zero length response */ -+ if (i == 0) -+ return 0; - size = i; - i = size - 1; - j = size; --- -1.8.4.5 - diff --git a/0020-Initialize-num-properly.patch b/0020-Initialize-num-properly.patch deleted file mode 100644 index ca5e94a..0000000 --- a/0020-Initialize-num-properly.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From a41d5174e27c99d1caefd76a8e927c814ede509e Mon Sep 17 00:00:00 2001 -From: "Dr. Stephen Henson" -Date: Tue, 6 May 2014 14:07:37 +0100 -Subject: [PATCH 20/23] Initialize num properly. - -PR#3289 -PR#3345 -(cherry picked from commit 3ba1e406c2309adb427ced9815ebf05f5b58d155) ---- - crypto/evp/bio_b64.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/crypto/evp/bio_b64.c b/crypto/evp/bio_b64.c -index ac6d441..16863fe 100644 ---- a/crypto/evp/bio_b64.c -+++ b/crypto/evp/bio_b64.c -@@ -226,6 +226,7 @@ static int b64_read(BIO *b, char *out, int outl) - else if (ctx->start) - { - q=p=(unsigned char *)ctx->tmp; -+ num = 0; - for (j=0; j -Date: Sun, 4 May 2014 16:19:22 -0400 -Subject: [PATCH 22/23] bignum: allow concurrent BN_MONT_CTX_set_locked() - -The lazy-initialisation of BN_MONT_CTX was serialising all threads, as -noted by Daniel Sands and co at Sandia. This was to handle the case that -2 or more threads race to lazy-init the same context, but stunted all -scalability in the case where 2 or more threads are doing unrelated -things! We favour the latter case by punishing the former. The init work -gets done by each thread that finds the context to be uninitialised, and -we then lock the "set" logic after that work is done - the winning -thread's work gets used, the losing threads throw away what they've done. 
- -Signed-off-by: Geoff Thorpe ---- - crypto/bn/bn_mont.c | 46 ++++++++++++++++++++++++++-------------------- - 1 file changed, 26 insertions(+), 20 deletions(-) - -diff --git a/crypto/bn/bn_mont.c b/crypto/bn/bn_mont.c -index 427b5cf..ee8532c 100644 ---- a/crypto/bn/bn_mont.c -+++ b/crypto/bn/bn_mont.c -@@ -478,32 +478,38 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from) - BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock, - const BIGNUM *mod, BN_CTX *ctx) - { -- int got_write_lock = 0; - BN_MONT_CTX *ret; - - CRYPTO_r_lock(lock); -- if (!*pmont) -+ ret = *pmont; -+ CRYPTO_r_unlock(lock); -+ if (ret) -+ return ret; -+ -+ /* We don't want to serialise globally while doing our lazy-init math in -+ * BN_MONT_CTX_set. That punishes threads that are doing independent -+ * things. Instead, punish the case where more than one thread tries to -+ * lazy-init the same 'pmont', by having each do the lazy-init math work -+ * independently and only use the one from the thread that wins the race -+ * (the losers throw away the work they've done). */ -+ ret = BN_MONT_CTX_new(); -+ if (!ret) -+ return NULL; -+ if (!BN_MONT_CTX_set(ret, mod, ctx)) - { -- CRYPTO_r_unlock(lock); -- CRYPTO_w_lock(lock); -- got_write_lock = 1; -+ BN_MONT_CTX_free(ret); -+ return NULL; -+ } - -- if (!*pmont) -- { -- ret = BN_MONT_CTX_new(); -- if (ret && !BN_MONT_CTX_set(ret, mod, ctx)) -- BN_MONT_CTX_free(ret); -- else -- *pmont = ret; -- } -+ /* The locked compare-and-set, after the local work is done. */ -+ CRYPTO_w_lock(lock); -+ if (*pmont) -+ { -+ BN_MONT_CTX_free(ret); -+ ret = *pmont; - } -- -- ret = *pmont; -- -- if (got_write_lock) -- CRYPTO_w_unlock(lock); - else -- CRYPTO_r_unlock(lock); -- -+ *pmont = ret; -+ CRYPTO_w_unlock(lock); - return ret; - } --- -1.8.4.5 - diff --git a/0023-evp-prevent-underflow-in-base64-decoding.patch b/0023-evp-prevent-underflow-in-base64-decoding.patch deleted file mode 100644 index f33cd74..0000000 
--- a/0023-evp-prevent-underflow-in-base64-decoding.patch +++ /dev/null @@ -1,30 +0,0 @@ -From d0666f289ac013094bbbf547bfbcd616199b7d2d Mon Sep 17 00:00:00 2001 -From: Geoff Thorpe -Date: Sun, 4 May 2014 18:44:14 -0400 -Subject: [PATCH 23/23] evp: prevent underflow in base64 decoding - -This patch resolves RT ticket #2608. - -Thanks to Robert Dugal for originally spotting this, and to David -Ramos for noticing that the ball had been dropped. - -Signed-off-by: Geoff Thorpe ---- - crypto/evp/encode.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/crypto/evp/encode.c b/crypto/evp/encode.c -index 28546a8..4654bdc 100644 ---- a/crypto/evp/encode.c -+++ b/crypto/evp/encode.c -@@ -324,6 +324,7 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, - v=EVP_DecodeBlock(out,d,n); - n=0; - if (v < 0) { rv=0; goto end; } -+ if (eof > v) { rv=-1; goto end; } - ret+=(v-eof); - } - else --- -1.8.4.5 - diff --git a/0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch b/0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch deleted file mode 100644 index 388bed4..0000000 --- a/0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From c6a47f988c19093e4716d58dbed92938c18e1640 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Wed, 7 May 2014 23:21:02 +0100 -Subject: [PATCH 24/25] Fixed NULL pointer dereference in PKCS7_dataDecode - reported by David Ramos in PR#3339 - ---- - crypto/pkcs7/pk7_doit.c | 5 +++++ - crypto/pkcs7/pkcs7.h | 1 + - crypto/pkcs7/pkcs7err.c | 3 ++- - 3 files changed, 8 insertions(+), 1 deletion(-) - -diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c -index 4c12a9d..d91aa11 100644 ---- a/crypto/pkcs7/pk7_doit.c -+++ b/crypto/pkcs7/pk7_doit.c -@@ -440,6 +440,11 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) - { - case NID_pkcs7_signed: - data_body=PKCS7_get_octet_string(p7->d.sign->contents); -+ if (!PKCS7_is_detached(p7) && data_body == NULL) -+ { -+ PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_INVALID_SIGNED_DATA_TYPE); -+ goto err; -+ } - md_sk=p7->d.sign->md_algs; - break; - case NID_pkcs7_signedAndEnveloped: -diff --git a/crypto/pkcs7/pkcs7.h b/crypto/pkcs7/pkcs7.h -index e4d4431..04f6037 100644 ---- a/crypto/pkcs7/pkcs7.h -+++ b/crypto/pkcs7/pkcs7.h -@@ -453,6 +453,7 @@ void ERR_load_PKCS7_strings(void); - #define PKCS7_R_ERROR_SETTING_CIPHER 121 - #define PKCS7_R_INVALID_MIME_TYPE 131 - #define PKCS7_R_INVALID_NULL_POINTER 143 -+#define PKCS7_R_INVALID_SIGNED_DATA_TYPE 155 - #define PKCS7_R_MIME_NO_CONTENT_TYPE 132 - #define PKCS7_R_MIME_PARSE_ERROR 133 - #define PKCS7_R_MIME_SIG_PARSE_ERROR 134 -diff --git a/crypto/pkcs7/pkcs7err.c b/crypto/pkcs7/pkcs7err.c -index d0af32a..f3db08e 100644 ---- a/crypto/pkcs7/pkcs7err.c -+++ b/crypto/pkcs7/pkcs7err.c -@@ -1,6 +1,6 @@ - /* crypto/pkcs7/pkcs7err.c */ - /* ==================================================================== -- * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. -+ * Copyright (c) 1999-2014 The OpenSSL Project. All rights reserved. 
- * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions -@@ -130,6 +130,7 @@ static ERR_STRING_DATA PKCS7_str_reasons[]= - {ERR_REASON(PKCS7_R_ERROR_SETTING_CIPHER),"error setting cipher"}, - {ERR_REASON(PKCS7_R_INVALID_MIME_TYPE) ,"invalid mime type"}, - {ERR_REASON(PKCS7_R_INVALID_NULL_POINTER),"invalid null pointer"}, -+{ERR_REASON(PKCS7_R_INVALID_SIGNED_DATA_TYPE),"invalid signed data type"}, - {ERR_REASON(PKCS7_R_MIME_NO_CONTENT_TYPE),"mime no content type"}, - {ERR_REASON(PKCS7_R_MIME_PARSE_ERROR) ,"mime parse error"}, - {ERR_REASON(PKCS7_R_MIME_SIG_PARSE_ERROR),"mime sig parse error"}, --- -1.8.4.5 - diff --git a/0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch b/0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch deleted file mode 100644 index 60fba81..0000000 --- a/0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From 6a60b414318ec4315ee016c3e15777c448603115 Mon Sep 17 00:00:00 2001 -From: Tim Hudson -Date: Mon, 5 May 2014 08:22:42 +1000 -Subject: [PATCH 25/25] fix coverity issue 966597 - error line is not always - initialised - ---- - ssl/ssl_asn1.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c -index 38540be..4775003 100644 ---- a/ssl/ssl_asn1.c -+++ b/ssl/ssl_asn1.c -@@ -408,6 +408,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, - if (os.length != 3) - { - c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH; -+ c.line=__LINE__; - goto err; - } - id=0x02000000L| -@@ -420,6 +421,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, - if (os.length != 2) - { - c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH; -+ c.line=__LINE__; - goto err; - } - id=0x03000000L| -@@ -429,6 +431,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, - else - { - c.error=SSL_R_UNKNOWN_SSL_VERSION; -+ c.line=__LINE__; - goto err; - } - -@@ -521,6 +524,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, - if (os.length > SSL_MAX_SID_CTX_LENGTH) - { - c.error=SSL_R_BAD_LENGTH; -+ c.line=__LINE__; - goto err; - } - else --- -1.8.4.5 - diff --git a/CVE-2014-0198.patch b/CVE-2014-0198.patch deleted file mode 100644 index 68c82d0..0000000 --- a/CVE-2014-0198.patch +++ /dev/null @@ -1,15 +0,0 @@ -Index: openssl-1.0.1g/ssl/s3_pkt.c -=================================================================== ---- openssl-1.0.1g.orig/ssl/s3_pkt.c -+++ openssl-1.0.1g/ssl/s3_pkt.c -@@ -657,6 +657,10 @@ static int do_ssl3_write(SSL *s, int typ - if (i <= 0) - return(i); - /* if it went, fall through and send more stuff */ -+ /* we may have released our buffer, so get it again */ -+ if (wb->buf == NULL) -+ if (!ssl3_setup_write_buffer(s)) -+ return -1; - } - - if (len == 0 && !create_empty_fragment) 
diff --git a/openssl-1.0.1c-ipv6-apps.patch b/openssl-1.0.1c-ipv6-apps.patch index db8ff95..a904772 100644 --- a/openssl-1.0.1c-ipv6-apps.patch +++ b/openssl-1.0.1c-ipv6-apps.patch @@ -1,7 +1,7 @@ -Index: openssl-1.0.1g/apps/s_apps.h +Index: openssl-1.0.1h/apps/s_apps.h =================================================================== ---- openssl-1.0.1g.orig/apps/s_apps.h -+++ openssl-1.0.1g/apps/s_apps.h +--- openssl-1.0.1h.orig/apps/s_apps.h ++++ openssl-1.0.1h/apps/s_apps.h @@ -148,7 +148,7 @@ typedef fd_mask fd_set; #define PORT_STR "4433" #define PROTOCOL "tcp" @@ -24,10 +24,10 @@ Index: openssl-1.0.1g/apps/s_apps.h long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp, int argi, long argl, long ret); -Index: openssl-1.0.1g/apps/s_client.c +Index: openssl-1.0.1h/apps/s_client.c =================================================================== ---- openssl-1.0.1g.orig/apps/s_client.c -+++ openssl-1.0.1g/apps/s_client.c +--- openssl-1.0.1h.orig/apps/s_client.c ++++ openssl-1.0.1h/apps/s_client.c @@ -567,7 +567,7 @@ int MAIN(int argc, char **argv) int cbuf_len,cbuf_off; int sbuf_len,sbuf_off; @@ -62,10 +62,10 @@ Index: openssl-1.0.1g/apps/s_client.c { BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error()); SHUTDOWN(s); -Index: openssl-1.0.1g/apps/s_server.c +Index: openssl-1.0.1h/apps/s_server.c =================================================================== ---- openssl-1.0.1g.orig/apps/s_server.c -+++ openssl-1.0.1g/apps/s_server.c +--- openssl-1.0.1h.orig/apps/s_server.c ++++ openssl-1.0.1h/apps/s_server.c @@ -933,7 +933,7 @@ int MAIN(int argc, char *argv[]) { X509_VERIFY_PARAM *vpm = NULL; 
@@ -97,10 +97,10 @@ Index: openssl-1.0.1g/apps/s_server.c print_stats(bio_s_out,ctx); ret=0; end: -Index: openssl-1.0.1g/apps/s_socket.c +Index: openssl-1.0.1h/apps/s_socket.c =================================================================== ---- openssl-1.0.1g.orig/apps/s_socket.c -+++ openssl-1.0.1g/apps/s_socket.c +--- openssl-1.0.1h.orig/apps/s_socket.c ++++ openssl-1.0.1h/apps/s_socket.c @@ -102,9 +102,7 @@ static struct hostent *GetHostByName(cha static void ssl_sock_cleanup(void); #endif @@ -182,7 +182,7 @@ Index: openssl-1.0.1g/apps/s_socket.c { - i=0; - i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i)); -- if (i < 0) { perror("keepalive"); return(0); } +- if (i < 0) { closesocket(s); perror("keepalive"); return(0); } + int i=0; + i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE, + (char *)&i,sizeof(i)); @@ -359,7 +359,7 @@ Index: openssl-1.0.1g/apps/s_socket.c int len; /* struct linger ling; */ -@@ -431,135 +473,58 @@ redoit: +@@ -431,138 +473,59 @@ redoit: */ if (host == NULL) goto end; @@ -388,6 +388,7 @@ Index: openssl-1.0.1g/apps/s_socket.c + if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL) { perror("OPENSSL_malloc"); + closesocket(ret); return(0); } - BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1); @@ -396,11 +397,13 @@ Index: openssl-1.0.1g/apps/s_socket.c - if (h2 == NULL) - { - BIO_printf(bio_err,"gethostbyname failure\n"); +- closesocket(ret); - return(0); - } - if (h2->h_addrtype != AF_INET) - { - BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n"); +- closesocket(ret); - return(0); - } + strcpy(*host, buffer); diff --git a/openssl-1.0.1e-add-suse-default-cipher-header.patch b/openssl-1.0.1e-add-suse-default-cipher-header.patch new file mode 100644 index 0000000..146e81d --- /dev/null +++ b/openssl-1.0.1e-add-suse-default-cipher-header.patch 
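Review bot: In the `@@ -182,7 +182,7 @@` hunk the upstream line this IPv6 patch deletes now reads `if (i < 0) { closesocket(s); perror("keepalive"); return(0); }`, i.e. 1.0.1h closes the socket on the keepalive failure path, but the replacement lines visible here (`int i=0; i=setsockopt(...)`) show no matching check and the rest of the replacement lies outside this hunk. Please confirm the refreshed patch's own error path also calls `closesocket(s)`; otherwise the refresh quietly reverts a descriptor-leak fix that upstream added in this release. The `@@ -396,11 +397,13 @@` hunk deletes the same kind of upstream `closesocket(ret)` lines for the `gethostbyname` failure paths, whereas `@@ -388,6 +388,7 @@` does carry `closesocket(ret)` on the `OPENSSL_malloc` failure, so the keepalive case is the one to double-check.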
@@ -0,0 +1,16 @@
+Index: openssl-1.0.1g/ssl/ssl.h
+===================================================================
+--- openssl-1.0.1g.orig/ssl/ssl.h
++++ openssl-1.0.1g/ssl/ssl.h
+@@ -332,9 +332,11 @@ extern "C" {
+ * It also is substituted when an application-defined cipher list string
+ * starts with 'DEFAULT'. */
+ #define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES"
++
+ #define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
+ "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
+ "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA"
++
+ /* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
+ * starts with a reasonable order, and all we have to do for DEFAULT is
+ * throwing out anonymous and unencrypted ciphersuites!
diff --git a/openssl-1.0.1e-add-suse-default-cipher.patch b/openssl-1.0.1e-add-suse-default-cipher.patch
new file mode 100644
index 0000000..179cb19
--- /dev/null
+++ b/openssl-1.0.1e-add-suse-default-cipher.patch
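Review bot: This header-only patch and `openssl-1.0.1e-add-suse-default-cipher.patch` (the next file in this commit) both add `#define SSL_DEFAULT_SUSE_CIPHER_LIST` to `ssl/ssl.h` at the same spot, and this file's context line already shows the `!RC2:!DES` DEFAULT string that the other patch introduces, so it can only apply on top of it. Whether both are applied is decided in the spec file, which is not in this chunk; if they are, the second definition is at best a redundant macro redefinition and at worst a fuzz or reject at patch time. Keep the define in one place — the `ssl_ciph.c` patch already carries it — and drop this file or reduce it to whatever is genuinely separate.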
@@ -0,0 +1,39 @@
+Index: openssl-1.0.1g/ssl/ssl_ciph.c
+===================================================================
+--- openssl-1.0.1g.orig/ssl/ssl_ciph.c
++++ openssl-1.0.1g/ssl/ssl_ciph.c
+@@ -1470,7 +1470,17 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+ */
+ ok = 1;
+ rule_p = rule_str;
+- if (strncmp(rule_str,"DEFAULT",7) == 0)
++
++ if (strncmp(rule_str,"DEFAULT_SUSE",12) == 0)
++ {
++ ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST,
++ &head, &tail, ca_list);
++ rule_p += 12;
++ if (*rule_p == ':')
++ rule_p++;
++ }
++
++ else if (strncmp(rule_str,"DEFAULT",7) == 0)
+ {
+ ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
+ &head, &tail, ca_list);
+Index: openssl-1.0.1g/ssl/ssl.h
+===================================================================
+--- openssl-1.0.1g.orig/ssl/ssl.h
++++ openssl-1.0.1g/ssl/ssl.h
+@@ -331,7 +331,10 @@ extern "C" {
+ /* The following cipher list is used by default.
+ * It also is substituted when an application-defined cipher list string
+ * starts with 'DEFAULT'. */
+-#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!LOW"
++#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES"
++#define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
++ "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
++ "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA"
+ /* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
+ * starts with a reasonable order, and all we have to do for DEFAULT is
+ * throwing out anonymous and unencrypted ciphersuites!
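Review bot: `strncmp(rule_str,"DEFAULT_SUSE",12)` and `rule_p += 12` in the ssl_ciph.c hunk repeat the keyword length by hand; `sizeof("DEFAULT_SUSE") - 1` or a named constant keeps the two in step, and the same goes for the `"DEFAULT"`/`7` pair the new branch mirrors. Testing `DEFAULT_SUSE` before `DEFAULT` is the right order, since the shorter keyword is a prefix of the longer one; `ssl_create_cipher_list` itself starts and ends outside the hunk. Separately, `SSL_DEFAULT_SUSE_CIPHER_LIST` is a fixed enumeration rather than a rule like `ECDHE+AESGCM:...`, so it names no ECDHE-ECDSA suites and will not pick up suites added to the library later, and a mistyped name in that long literal appears to be skipped by the rule parser rather than rejected — a test asserting the expected suite count, or at least the presence of the leading ECDHE entries, would catch that.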
diff --git a/openssl-1.0.1e-add-test-suse-default-cipher-suite.patch b/openssl-1.0.1e-add-test-suse-default-cipher-suite.patch
new file mode 100644
index 0000000..a3308ba
--- /dev/null
+++ b/openssl-1.0.1e-add-test-suse-default-cipher-suite.patch
@@ -0,0 +1,30 @@
+Index: openssl-1.0.1f/test/testssl
+===================================================================
+--- openssl-1.0.1f.orig/test/testssl
++++ openssl-1.0.1f/test/testssl
+@@ -136,6 +136,25 @@ for protocol in TLSv1.2 SSLv3; do
+ done
+ done
++echo "Testing default ciphersuites"
++
++for cipher_suite in DEFAULT_SUSE DEFAULT; do
++ ../util/shlib_wrap.sh ../apps/openssl ciphers $cipher_suite
++ if [ $? -ne 0 ]; then
++ echo "Failed default ciphersuite $cipher_suite"
++ exit 1
++ fi
++done
++
++echo "Testing if MD5, DES and RC4 are excluded from DEFAULT_SUSE cipher suite"
++../util/shlib_wrap.sh ../apps/openssl ciphers DEFAULT_SUSE| grep "MD5\|RC4\|DES-[^CBC3]"
++
++if [ $? -ne 1 ];then
++ echo "weak ciphers are present on DEFAULT_SUSE cipher suite"
++ exit 1
++fi
++
++
+ #############################################################################
+
+ if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
diff --git a/openssl-1.0.1g.tar.gz b/openssl-1.0.1g.tar.gz
deleted file mode 100644
index 8f923b3..0000000
--- a/openssl-1.0.1g.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:53cb818c3b90e507a8348f4f5eaedb05d8bfe5358aabb508b7263cc670c3e028
-size 4509047
diff --git a/openssl-1.0.1g.tar.gz.asc b/openssl-1.0.1g.tar.gz.asc
deleted file mode 100644
index 7a33be6..0000000
--- a/openssl-1.0.1g.tar.gz.asc
+++ /dev/null
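Review bot: The bracket expression in `grep "MD5\|RC4\|DES-[^CBC3]"` matches `DES-` followed by one character that is not `C`, `B` or `3`, so it lets through every `DES-C...` name — not only the intended `DES-CBC3-SHA` (3DES) but also single-DES suites such as `DES-CBC-SHA` or `EDH-RSA-DES-CBC-SHA`, which would pass this "weak ciphers excluded" check unnoticed. Matching the single-DES names directly, e.g. `grep -E 'MD5|RC4|DES-CBC-'`, keeps the 3DES entries allowed (their names contain `DES-CBC3-`, never `DES-CBC-`), rejects the single-DES and export-DES names, and drops the GNU-only `\|` alternation as well. The `DEFAULT_SUSE`/`DEFAULT` loop above it only checks that `openssl ciphers` accepts the keyword, so a mistyped suite name in the list would still pass; asserting that the output is non-empty and contains the expected leading ECDHE suites would make the positive test say something.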
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.11 (GNU/Linux)
-
-iQIcBAABCAAGBQJTQtiaAAoJENNXdQf6QOniuAkP/2hFMcb2NEG36by4oleDQQA1
-xw/qiE5NryMU7+bwwhjvVdGsyeLnnPxN0K5fFVlsWHFIJCArZ/ERsR3xJfldSoZX
-xz/PgU4JAWT7vkhIR0zW2SInzxdX2hUsonG3dRqVY5JVX3aAMkcIanczpxrv39Cb
-ZeKwStINV5HOXH++Y7O4SWsFF3w2H4cmijyF2QQngrvyGkkS4C1Wy/PH54rAQrSH
-phfsDlULL48/4NPul9LiRK6clgf+6DtOa9eY/NF+enjmEw2B73PRt1DmCaaaabWU
-RwKHyVZUvXGhZYnPnfriz+V09FEq9SMEyyCBg2JeTljESPaPKxPP53ueI7OTo3B8
-cyXcVMq3nckgq3XI1j/Z/BJVTO6Zp/thTlkGv35O/+AgdY/lWiMictFYLLfbHC1Z
-9A9gbwuhO7pc1BrQF0vhIR+NlHAq4fVA81xHrClsIWebs8XjaH4zLRoeYBKqK0+m
-4T2vf78yh+viiSOU2KpQdi4kWOUpCMVBa4CJclyAWdX+jjhnrudWcV5JwCz1KtNK
-Pdaje0WrJ8gqAKpZC88q2vhVZF8FQt2YGhe16sGM5N9aSeg0/GMd1rAbJPUlpQ41
-/b64wg+J3/ZQsRDfNvXwIgaGa1Ur8mUv/hmtAr1ecXK+rOcn6wcoouWwDYcOCQj/
-opNSFe0Slj1X6unB62z2
-=9S5s
------END PGP SIGNATURE-----
diff --git a/openssl-1.0.1h.tar.gz b/openssl-1.0.1h.tar.gz
new file mode 100644
index 0000000..54200ed
--- /dev/null
+++ b/openssl-1.0.1h.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9d1c8a9836aa63e2c6adb684186cbd4371c9e9dcc01d6e3bb447abf2d4d3d093
+size 4475692
diff --git a/openssl-1.0.1h.tar.gz.asc b/openssl-1.0.1h.tar.gz.asc
new file mode 100644
index 0000000..7147b6c
--- /dev/null
+++ b/openssl-1.0.1h.tar.gz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iQIcBAABCAAGBQJTkDweAAoJENNXdQf6QOnizlMQAJ/tw6A4s/TMQjiLTapBAJzJ
+b5W2/nOD87oa0HL2aKvTHb0R7RKuvqGR71kgWaPOPJUwyLEWG1SinTeYR0J+yl0K
+5y8TE8p4AwnAEp1JcMfbljl3tkyRXOVqS1idkvcBKBawurL68jfyWWkzZ1D2wZtE
+LEmVm0diQIDSACuisnonE2Q8YvtqV4/imuX4BEZlZ+iNNdL0+NEuLB+xIWSl84lb
+YqM0cXQ09SIZZL+nvO0t5PBNJcQM/6w9TPKDFReQxvhVkdqoWa/o2FfeSgRLNDIu
+gGPTe0cEGUpOYyeC/SbLUOppCsRNBbzWjdRotEOV1GO2dMihZaMZZedJDhAhh5q6
+Z1wctpZGxq/vMIQ669Wayj2OxAtluCjW8GwlaJRi7XfB/fCk1NDFezTL4hhWRhIh
+mvI4oKO7TC2/OhJ2YvNGqYeqNzsIJbszn7bipvbF5KNf0eNtrUoRWsNPia9nRlca
+2yzAxCCx2QtR0PV52/c5Xbfm/Ljxta9ZKgQgAjApz5+YMsap9LyQhklc+r7tETij
+yv3Vf3Xft6n4VtKxHsecebl9VZXsz/hCjHN3PmYI0SLZDZOFBdIYoju2ttspH1pH
+aBXTitvmBUsDIss2fjJJQLX22TgTpTS3FyPb9zlN+ecE/0HJcGIJUAi80i1gldzH
+DQhyf3Qf17vW5g28E7Iv
+=oxkH
+-----END PGP SIGNATURE-----
diff --git a/openssl-buffreelistbug-aka-CVE-2010-5298.patch b/openssl-buffreelistbug-aka-CVE-2010-5298.patch
deleted file mode 100644
index 02d5cc3..0000000
--- a/openssl-buffreelistbug-aka-CVE-2010-5298.patch
+++ /dev/null
@@ -1,13 +0,0 @@
---- openssl-1.0.1g.orig/ssl/s3_pkt.c
-+++ openssl-1.0.1g/ssl/s3_pkt.c
-@@ -1055,8 +1055,8 @@ start:
- {
- s->rstate=SSL_ST_READ_HEADER;
- rr->off=0;
-- if (s->mode & SSL_MODE_RELEASE_BUFFERS)
-- ssl3_release_read_buffer(s);
-+ if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0)
-+ ssl3_release_read_buffer(s);
- }
- }
- return(n);
diff --git a/openssl-fix-pod-syntax.diff b/openssl-fix-pod-syntax.diff
index 776bb1d..da96f29 100644
--- a/openssl-fix-pod-syntax.diff
+++ b/openssl-fix-pod-syntax.diff
@@ -59,88 +59,10 @@ Content-Length: 12835 doc/ssl/SSL_write.pod | 2 +- 23 files changed, 59 insertions(+), 55 deletions(-) -Index: openssl-1.0.1g/doc/apps/cms.pod +Index: openssl-1.0.1h/doc/apps/ts.pod =================================================================== ---- openssl-1.0.1g.orig/doc/apps/cms.pod -+++ openssl-1.0.1g/doc/apps/cms.pod -@@ -450,28 +450,28 @@ remains DER. - - =over 4 - --=item 0 -+=item Z<>0 - - the operation was completely successfully. - --=item 1 -+=item Z<>1 - - an error occurred parsing the command options. - --=item 2 -+=item Z<>2 - - one of the input files could not be read. - --=item 3 -+=item Z<>3 - - an error occurred creating the CMS file or when reading the MIME - message. - --=item 4 -+=item Z<>4 - - an error occurred decrypting or verifying the message. - --=item 5 -+=item Z<>5 - - the message was verified correctly but an error occurred writing out - the signers certificates. -Index: openssl-1.0.1g/doc/apps/smime.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/apps/smime.pod -+++ openssl-1.0.1g/doc/apps/smime.pod -@@ -308,28 +308,28 @@ remains DER. - - =over 4 - --=item 0 -+=item Z<>0 - - the operation was completely successfully. - --=item 1 -+=item Z<>1 - - an error occurred parsing the command options. - --=item 2 -+=item Z<>2 - - one of the input files could not be read. - --=item 3 -+=item Z<>3 - - an error occurred creating the PKCS#7 file or when reading the MIME - message. - --=item 4 -+=item Z<>4 - - an error occurred decrypting or verifying the message. - --=item 5 -+=item Z<>5 - - the message was verified correctly but an error occurred writing out - the signers certificates. -Index: openssl-1.0.1g/doc/apps/ts.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/apps/ts.pod -+++ openssl-1.0.1g/doc/apps/ts.pod +--- openssl-1.0.1h.orig/doc/apps/ts.pod ++++ openssl-1.0.1h/doc/apps/ts.pod 
@@ -58,19 +58,19 @@ time. Here is a brief description of the =over 4 @@ -164,10 +86,10 @@ Index: openssl-1.0.1g/doc/apps/ts.pod The TSA client receives the time stamp token and verifies the signature on it. It also checks if the token contains the same hash -Index: openssl-1.0.1g/doc/crypto/OPENSSL_ia32cap.pod +Index: openssl-1.0.1h/doc/crypto/OPENSSL_ia32cap.pod =================================================================== ---- openssl-1.0.1g.orig/doc/crypto/OPENSSL_ia32cap.pod -+++ openssl-1.0.1g/doc/crypto/OPENSSL_ia32cap.pod +--- openssl-1.0.1h.orig/doc/crypto/OPENSSL_ia32cap.pod ++++ openssl-1.0.1h/doc/crypto/OPENSSL_ia32cap.pod @@ -20,6 +20,8 @@ toolkit initialization, but can be manip crypto library behaviour. For the moment of this writing six bits are significant, namely: @@ -186,10 +108,10 @@ Index: openssl-1.0.1g/doc/crypto/OPENSSL_ia32cap.pod For example, clearing bit #26 at run-time disables high-performance SSE2 code present in the crypto library. You might have to do this if target OpenSSL application is executed on SSE2 capable CPU, but under -Index: openssl-1.0.1g/doc/crypto/rand.pod +Index: openssl-1.0.1h/doc/crypto/rand.pod =================================================================== ---- openssl-1.0.1g.orig/doc/crypto/rand.pod -+++ openssl-1.0.1g/doc/crypto/rand.pod +--- openssl-1.0.1h.orig/doc/crypto/rand.pod ++++ openssl-1.0.1h/doc/crypto/rand.pod @@ -74,16 +74,16 @@ First up I will state the things I belie =over 4 
@@ -241,318 +163,3 @@ Index: openssl-1.0.1g/doc/crypto/rand.pod Given the random number output stream, it should not be possible to determine the RNG state or the next random number. -Index: openssl-1.0.1g/doc/ssl/SSL_COMP_add_compression_method.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_COMP_add_compression_method.pod -+++ openssl-1.0.1g/doc/ssl/SSL_COMP_add_compression_method.pod -@@ -53,11 +53,11 @@ SSL_COMP_add_compression_method() may re - - =over 4 - --=item 0 -+=item Z<>0 - - The operation succeeded. - --=item 1 -+=item Z<>1 - - The operation failed. Check the error queue to find out the reason. - -Index: openssl-1.0.1g/doc/ssl/SSL_CTX_add_session.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_CTX_add_session.pod -+++ openssl-1.0.1g/doc/ssl/SSL_CTX_add_session.pod -@@ -52,13 +52,13 @@ The following values are returned by all - - =over 4 - --=item 0 -+=item Z<>0 - - The operation failed. In case of the add operation, it was tried to add - the same (identical) session twice. In case of the remove operation, the - session was not found in the cache. - --=item 1 -+=item Z<>1 - - The operation succeeded. - -Index: openssl-1.0.1g/doc/ssl/SSL_CTX_load_verify_locations.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_CTX_load_verify_locations.pod -+++ openssl-1.0.1g/doc/ssl/SSL_CTX_load_verify_locations.pod -@@ -100,13 +100,13 @@ The following return values can occur: - - =over 4 - --=item 0 -+=item Z<>0 - - The operation failed because B and B are NULL or the - processing at one of the locations specified failed. Check the error - stack to find out the reason. - --=item 1 -+=item Z<>1 - - The operation succeeded. 
- -Index: openssl-1.0.1g/doc/ssl/SSL_CTX_set_client_CA_list.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_CTX_set_client_CA_list.pod -+++ openssl-1.0.1g/doc/ssl/SSL_CTX_set_client_CA_list.pod -@@ -66,13 +66,13 @@ values: - - =over 4 - --=item 0 -+=item Z<>0 - - A failure while manipulating the STACK_OF(X509_NAME) object occurred or - the X509_NAME could not be extracted from B. Check the error stack - to find out the reason. - --=item 1 -+=item Z<>1 - - The operation succeeded. - -Index: openssl-1.0.1g/doc/ssl/SSL_CTX_set_session_id_context.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_CTX_set_session_id_context.pod -+++ openssl-1.0.1g/doc/ssl/SSL_CTX_set_session_id_context.pod -@@ -64,13 +64,13 @@ return the following values: - - =over 4 - --=item 0 -+=item Z<>0 - - The length B of the session id context B exceeded - the maximum allowed length of B. The error - is logged to the error stack. - --=item 1 -+=item Z<>1 - - The operation succeeded. - -Index: openssl-1.0.1g/doc/ssl/SSL_CTX_set_ssl_version.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_CTX_set_ssl_version.pod -+++ openssl-1.0.1g/doc/ssl/SSL_CTX_set_ssl_version.pod -@@ -42,11 +42,11 @@ and SSL_set_ssl_method(): - - =over 4 - --=item 0 -+=item Z<>0 - - The new choice failed, check the error stack to find out the reason. - --=item 1 -+=item Z<>1 - - The operation succeeded. - -Index: openssl-1.0.1g/doc/ssl/SSL_CTX_use_psk_identity_hint.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_CTX_use_psk_identity_hint.pod -+++ openssl-1.0.1g/doc/ssl/SSL_CTX_use_psk_identity_hint.pod -@@ -96,7 +96,7 @@ data to B and return the length of - connection will fail with decryption_error before it will be finished - completely. 
- --=item 0 -+=item Z<>0 - - PSK identity was not found. An "unknown_psk_identity" alert message - will be sent and the connection setup fails. -Index: openssl-1.0.1g/doc/ssl/SSL_accept.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_accept.pod -+++ openssl-1.0.1g/doc/ssl/SSL_accept.pod -@@ -44,13 +44,13 @@ The following return values can occur: - - =over 4 - --=item 0 -+=item Z<>0 - - The TLS/SSL handshake was not successful but was shut down controlled and - by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the - return value B to find out the reason. - --=item 1 -+=item Z<>1 - - The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been - established. -Index: openssl-1.0.1g/doc/ssl/SSL_clear.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_clear.pod -+++ openssl-1.0.1g/doc/ssl/SSL_clear.pod -@@ -56,12 +56,12 @@ The following return values can occur: - - =over 4 - --=item 0 -+=item Z<>0 - - The SSL_clear() operation could not be performed. Check the error stack to - find out the reason. - --=item 1 -+=item Z<>1 - - The SSL_clear() operation was successful. - -Index: openssl-1.0.1g/doc/ssl/SSL_connect.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_connect.pod -+++ openssl-1.0.1g/doc/ssl/SSL_connect.pod -@@ -41,13 +41,13 @@ The following return values can occur: - - =over 4 - --=item 0 -+=item Z<>0 - - The TLS/SSL handshake was not successful but was shut down controlled and - by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the - return value B to find out the reason. - --=item 1 -+=item Z<>1 - - The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been - established. 
-Index: openssl-1.0.1g/doc/ssl/SSL_do_handshake.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_do_handshake.pod -+++ openssl-1.0.1g/doc/ssl/SSL_do_handshake.pod -@@ -45,13 +45,13 @@ The following return values can occur: - - =over 4 - --=item 0 -+=item Z<>0 - - The TLS/SSL handshake was not successful but was shut down controlled and - by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the - return value B to find out the reason. - --=item 1 -+=item Z<>1 - - The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been - established. -Index: openssl-1.0.1g/doc/ssl/SSL_read.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_read.pod -+++ openssl-1.0.1g/doc/ssl/SSL_read.pod -@@ -86,7 +86,7 @@ The following return values can occur: - The read operation was successful; the return value is the number of - bytes actually read from the TLS/SSL connection. - --=item 0 -+=item Z<>0 - - The read operation was not successful. The reason may either be a clean - shutdown due to a "close notify" alert sent by the peer (in which case -Index: openssl-1.0.1g/doc/ssl/SSL_session_reused.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_session_reused.pod -+++ openssl-1.0.1g/doc/ssl/SSL_session_reused.pod -@@ -27,11 +27,11 @@ The following return values can occur: - - =over 4 - --=item 0 -+=item Z<>0 - - A new session was negotiated. - --=item 1 -+=item Z<>1 - - A session was reused. - -Index: openssl-1.0.1g/doc/ssl/SSL_set_fd.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_set_fd.pod -+++ openssl-1.0.1g/doc/ssl/SSL_set_fd.pod -@@ -35,11 +35,11 @@ The following return values can occur: - - =over 4 - --=item 0 -+=item Z<>0 - - The operation failed. Check the error stack to find out why. 
- --=item 1 -+=item Z<>1 - - The operation succeeded. - -Index: openssl-1.0.1g/doc/ssl/SSL_set_session.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_set_session.pod -+++ openssl-1.0.1g/doc/ssl/SSL_set_session.pod -@@ -37,11 +37,11 @@ The following return values can occur: - - =over 4 - --=item 0 -+=item Z<>0 - - The operation failed; check the error stack to find out the reason. - --=item 1 -+=item Z<>1 - - The operation succeeded. - -Index: openssl-1.0.1g/doc/ssl/SSL_shutdown.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_shutdown.pod -+++ openssl-1.0.1g/doc/ssl/SSL_shutdown.pod -@@ -92,19 +92,19 @@ The following return values can occur: - - =over 4 - --=item 0 -+=item Z<>0 - - The shutdown is not yet finished. Call SSL_shutdown() for a second time, - if a bidirectional shutdown shall be performed. - The output of L may be misleading, as an - erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred. - --=item 1 -+=item Z<>1 - - The shutdown was successfully completed. The "close notify" alert was sent - and the peer's "close notify" alert was received. - --=item -1 -+=item Z<>-1 - - The shutdown was not successful because a fatal error occurred either - at the protocol level or a connection failure occurred. It can also occur if -Index: openssl-1.0.1g/doc/ssl/SSL_write.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_write.pod -+++ openssl-1.0.1g/doc/ssl/SSL_write.pod -@@ -79,7 +79,7 @@ The following return values can occur: - The write operation was successful, the return value is the number of - bytes actually written to the TLS/SSL connection. - --=item 0 -+=item Z<>0 - - The write operation was not successful. Probably the underlying connection - was closed. Call SSL_get_error() with the return value B to find out, 
diff --git a/openssl.changes b/openssl.changes
index e6b8654..9cc0ded 100644
--- a/openssl.changes
+++ b/openssl.changes
@@ -1,3 +1,43 @@
+-------------------------------------------------------------------
+Thu Jun 5 14:37:19 UTC 2014 - meissner@suse.com
+
+- updated openssl to 1.0.1h (bnc#880891):
+ - CVE-2014-0224: Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
+ handshake can force the use of weak keying material in OpenSSL
+ SSL/TLS clients and servers.
+ - CVE-2014-0221: Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
+ OpenSSL DTLS client the code can be made to recurse eventually crashing
+ in a DoS attack.
+ - CVE-2014-0195: Fix DTLS invalid fragment vulnerability. A buffer
+ overrun attack can be triggered by sending invalid DTLS fragments to
+ an OpenSSL DTLS client or server. This is potentially exploitable to
+ run arbitrary code on a vulnerable client or server.
+ - CVE-2014-3470: Fix bug in TLS code where clients enable anonymous
+ ECDH ciphersuites are subject to a denial of service attack.
+- openssl-buffreelistbug-aka-CVE-2010-5298.patch: removed, upstream
+- CVE-2014-0198.patch: removed, upstream
+- 0009-Fix-double-frees.patch: removed, upstream
+- 0012-Fix-eckey_priv_encode.patch: removed, upstream
+- 0017-Double-free-in-i2o_ECPublicKey.patch: removed, upstream
+- 0018-fix-coverity-issues-966593-966596.patch: removed, upstream
+- 0020-Initialize-num-properly.patch: removed, upstream
+- 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch: removed, upstream
+- 0023-evp-prevent-underflow-in-base64-decoding.patch: removed, upstream
+- 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch: removed, upstream
+- 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch: removed, upstream
+
+- 0001-libcrypto-Hide-library-private-symbols.patch: disabled heartbeat testcase
+- openssl-1.0.1c-ipv6-apps.patch: refreshed
+- openssl-fix-pod-syntax.diff: some stuff merged upstream, refreshed
+
+-------------------------------------------------------------------
+Wed May 21 12:19:53 UTC 2014 - vpereira@novell.com
+
+-
Added new SUSE default cipher suite
+ openssl-1.0.1e-add-suse-default-cipher.patch
+ openssl-1.0.1e-add-suse-default-cipher-header.patch
+ openssl-1.0.1e-add-test-suse-default-cipher-suite.patch
+
 -------------------------------------------------------------------
 Fri May 9 04:42:46 UTC 2014 - crrodriguez@opensuse.org
diff --git a/openssl.spec b/openssl.spec
index 8c24008..d744617 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ Provides: ssl
 %ifarch ppc64
 Obsoletes: openssl-64bit
 %endif
-Version: 1.0.1g
+Version: 1.0.1h
 Release: 0
 Summary: Secure Sockets and Transport Layer Security
 License: OpenSSL
@@ -65,21 +65,14 @@ Patch16: openssl-1.0.1e-fips-ec.patch
 Patch17: openssl-1.0.1e-fips-ctor.patch
 Patch18: openssl-1.0.1e-new-fips-reqs.patch
 Patch19: openssl-gcc-attributes.patch
-Patch20: openssl-buffreelistbug-aka-CVE-2010-5298.patch
 Patch21: openssl-libssl-noweakciphers.patch
-Patch22: CVE-2014-0198.patch
-Patch23: 0009-Fix-double-frees.patch
-Patch24: 0012-Fix-eckey_priv_encode.patch
-Patch25: 0017-Double-free-in-i2o_ECPublicKey.patch
 Patch26: 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
-Patch27: 0018-fix-coverity-issues-966593-966596.patch
-Patch28: 0020-Initialize-num-properly.patch
-Patch29: 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch
-Patch30: 0023-evp-prevent-underflow-in-base64-decoding.patch
-Patch31: 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch
-Patch32: 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch
 Patch33: openssl-no-egd.patch
 Patch34: openssl-fips-hidden.patch
+Patch35: openssl-1.0.1e-add-suse-default-cipher.patch
+Patch36: openssl-1.0.1e-add-suse-default-cipher-header.patch
+Patch37: openssl-1.0.1e-add-test-suse-default-cipher-suite.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %description
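Review bot: The new `Patch35:`–`Patch37:` lines introduce a distribution-specific default cipher list, yet carry no comment saying how the SUSE default differs from upstream's or why, which is the one piece of context a later maintainer rebasing these patches onto a newer OpenSSL will need. A one-line tag above Patch35 in openSUSE's usual form, e.g. `# PATCH-FEATURE-OPENSUSE openssl-1.0.1e-add-suse-default-cipher.patch -- <what the SUSE default cipher list changes and why>`, would cover it. The eleven removed Patch lines (Patch20, Patch22–25, Patch27–32) correspond to the entries the accompanying openssl.changes hunk marks as merged upstream in 1.0.1h, and the `%patch` application hunk at the end of this page drops the same set, so the two hunks stay consistent. Whether the corresponding .patch files are removed from the package in this commit is not visible here; if they are not, they should be, so the spec and the source tree do not drift apart.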
@@ -186,21 +179,13 @@ this package's base documentation.
 %patch17 -p1
 %patch18 -p1
 %patch19 -p1
-%patch20 -p1
 %patch21 -p1
-%patch22 -p1
-%patch23 -p1
-%patch24 -p1
-%patch25 -p1
 %patch26 -p1
-%patch27 -p1
-%patch28 -p1
-%patch29 -p1
-%patch30 -p1
-%patch31 -p1
-%patch32 -p1
 %patch33 -p1
 %patch34 -p1
+%patch35 -p1
+%patch36 -p1
+%patch37 -p1
 cp -p %{S:10} .
 cp -p %{S:11} .
 echo "adding/overwriting some entries in the 'table' hash in Configure"