Accepting request 231108 from Base:System

- Build everything with full RELRO (-Wl,-z,relro,-z,now) - Remove -fstack-protector from the hardcoded build options it is already in RPM_OPT_FLAGS and is replaced by -fstack-protector-strong with gcc 4.9 - Remove the "gmp" and "capi" shared engines, nobody noticed but they are just dummies that do nothing. - Use enable-rfc3779 to allow projects such as rpki.net to work in openSUSE and match the functionality available in Debian/Fedora/etc - openssl-buffreelistbug-aka-CVE-2010-5298.patch fix CVE-2010-5298 and disable the internal BUF_FREELISTS functionality. it hides bugs like heartbleed and is there only for systems on which malloc() free() are slow. - ensure we export MALLOC_CHECK and PERTURB during the test suite, now that the freelist functionality is disabled it will help to catch bugs before they hit users. - openssl-libssl-noweakciphers.patch do not offer "export" or "low" quality ciphers by default. using such ciphers is not forbidden but requires an explicit request - openssl-gcc-attributes.patch: fix thinko, CRYPTO_realloc_clean does not return memory of "num * old_num" but only "num" size fortunately this function is currently unused. (forwarded request 230868 from elvigia) OBS-URL: https://build.opensuse.org/request/show/231108 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=114
2014-04-26 15:01:45 +00:00 · 2014-04-26 15:01:45 +00:00 · 0bb9b0ad33
commit 0bb9b0ad33
parent 44a951fc87
5 changed files with 83 additions and 8 deletions
--- a/openssl-buffreelistbug-aka-CVE-2010-5298.patch
+++ b/openssl-buffreelistbug-aka-CVE-2010-5298.patch
@ -0,0 +1,13 @@
+--- openssl-1.0.1g.orig/ssl/s3_pkt.c
+++ openssl-1.0.1g/ssl/s3_pkt.c
+@@ -1055,8 +1055,8 @@ start:
+ 				{
+ 				s->rstate=SSL_ST_READ_HEADER;
+ 				rr->off=0;
+-				if (s->mode & SSL_MODE_RELEASE_BUFFERS)
+-					ssl3_release_read_buffer(s);
+				if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0)
+					    ssl3_release_read_buffer(s);
+ 				}
+ 			}
+ 		return(n);
--- a/openssl-gcc-attributes.patch
+++ b/openssl-gcc-attributes.patch
@ -27,7 +27,7 @@
 void *CRYPTO_realloc_clean(void *addr,int old_num,int num,const char *file,
 -			   int line);
 -void *CRYPTO_remalloc(void *addr,int num, const char *file, int line);
-+			   int line) __attribute__((alloc_size(2, 3)));
+			   int line) __attribute__((alloc_size(3)));
 +void *CRYPTO_remalloc(void *addr,int num, const char *file, int line) __attribute__((alloc_size(2)));
 
 void OPENSSL_cleanse(void *ptr, size_t len);
--- a/openssl-libssl-noweakciphers.patch
+++ b/openssl-libssl-noweakciphers.patch
@ -0,0 +1,11 @@
+--- openssl-1.0.1g.orig/ssl/ssl.h
+++ openssl-1.0.1g/ssl/ssl.h
+@@ -331,7 +331,7 @@ extern "C" {
+ /* The following cipher list is used by default.
+  * It also is substituted when an application-defined cipher list string
+  * starts with 'DEFAULT'. */
+-#define SSL_DEFAULT_CIPHER_LIST	"ALL:!aNULL:!eNULL:!SSLv2"
+#define SSL_DEFAULT_CIPHER_LIST	"ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!LOW"
+ /* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
+  * starts with a reasonable order, and all we have to do for DEFAULT is
+  * throwing out anonymous and unencrypted ciphersuites!
--- a/openssl.changes
+++ b/openssl.changes
@ -1,3 +1,50 @@
+-------------------------------------------------------------------
+Sun Apr 20 00:53:34 UTC 2014 - crrodriguez@opensuse.org
+
+- Build everything with full RELRO (-Wl,-z,relro,-z,now)
+- Remove -fstack-protector from the hardcoded build options
+  it is already in RPM_OPT_FLAGS and is replaced by 
+  -fstack-protector-strong with gcc 4.9
+
+-------------------------------------------------------------------
+Sun Apr 20 00:49:25 UTC 2014 - crrodriguez@opensuse.org
+
+- Remove the "gmp" and "capi" shared engines, nobody noticed 
+  but they are just dummies that do nothing. 
+
+-------------------------------------------------------------------
+Sat Apr 19 22:29:10 UTC 2014 - crrodriguez@opensuse.org
+
+- Use enable-rfc3779 to allow projects such as rpki.net 
+  to work in openSUSE and match the functionality
+  available in Debian/Fedora/etc
+
+-------------------------------------------------------------------
+Sat Apr 19 22:22:01 UTC 2014 - crrodriguez@opensuse.org
+
+- openssl-buffreelistbug-aka-CVE-2010-5298.patch fix 
+  CVE-2010-5298 and disable the internal BUF_FREELISTS
+  functionality. it hides bugs like heartbleed and is
+  there only for systems on which malloc() free() are slow.
+
+- ensure we export MALLOC_CHECK and PERTURB during the test
+  suite, now that the freelist functionality is disabled it
+  will help to catch bugs before they hit users.
+
+-------------------------------------------------------------------
+Sat Apr 19 03:45:20 UTC 2014 - crrodriguez@opensuse.org
+
+- openssl-libssl-noweakciphers.patch do not offer "export"
+  or "low" quality ciphers by default. using such ciphers
+  is not forbidden but requires an explicit request
+
+-------------------------------------------------------------------
+Fri Apr 18 14:07:47 UTC 2014 - crrodriguez@opensuse.org
+
+- openssl-gcc-attributes.patch: fix thinko, CRYPTO_realloc_clean does 
+  not return memory of "num * old_num" but only "num" size
+  fortunately this function is currently unused.
+
 -------------------------------------------------------------------
 Fri Apr 11 02:40:34 UTC 2014 - crrodriguez@opensuse.org

--- a/openssl.spec
+++ b/openssl.spec
@ -65,6 +65,8 @@ Patch16:        openssl-1.0.1e-fips-ec.patch
 Patch17:        openssl-1.0.1e-fips-ctor.patch
 Patch18:        openssl-1.0.1e-new-fips-reqs.patch
 Patch19:        openssl-gcc-attributes.patch
+Patch20:        openssl-buffreelistbug-aka-CVE-2010-5298.patch
+Patch21:        openssl-libssl-noweakciphers.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
@ -171,6 +173,8 @@ this package's base documentation.
 %patch17 -p1
 %patch18 -p1
 %patch19 -p1
+%patch20 -p1
+%patch21 -p1
 cp -p %{S:10} .
 cp -p %{S:11} .
 echo "adding/overwriting some entries in the 'table' hash in Configure"
@ -220,6 +224,7 @@ config_flags="threads shared no-rc5 no-idea \
 fips \
 %if 0%{suse_version} > 1310
 no-ssl2 \
+enable-rfc3779 \
 %endif
 %ifarch x86_64 
 enable-ec_nistp_64_gcc_128 \
@ -232,18 +237,16 @@ no-ec2m \
 --openssldir=%{ssletcdir} \
 $RPM_OPT_FLAGS -O3 -std=gnu99 \
 -Wa,--noexecstack \
+-Wl,-z,relro,-z,now \
 -fomit-frame-pointer \
 -DTERMIO \
 -DPURIFY \
 -DSSL_FORBID_ENULL \
 -D_GNU_SOURCE \
+-DOPENSSL_NO_BUF_FREELISTS \
 $(getconf LFS_CFLAGS) \
-%ifnarch hppa aarch64
-Wall \
-fstack-protector "
-%else
 -Wall "
-%endif
+
 #
 #%{!?do_profiling:%define do_profiling 0}
 #%if %do_profiling
@ -278,7 +281,8 @@ $(getconf LFS_CFLAGS) \
 # These files are just there for the make test below...
 crypto/fips/fips_standalone_hmac libcrypto.so.1.0.0 > .libcrypto.so.1.0.0.hmac
 crypto/fips/fips_standalone_hmac libssl.so.1.0.0 > .libssl.so.1.0.0.hmac
-
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 LD_LIBRARY_PATH=`pwd` make test FIPSCANLIB=""
 	%ifnarch armv4l
 	LD_LIBRARY_PATH=`pwd` make test
@ -401,7 +405,7 @@ cd $RPM_BUILD_ROOT%{_libdir}/
 ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so
 ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so

-for engine in 4758cca atalla nuron sureware ubsec cswift chil aep; do
+for engine in 4758cca atalla nuron sureware ubsec cswift chil aep gmp capi; do
 rm %{buildroot}/%{_lib}/engines/lib$engine.so
 done