From 0bb9b0ad334ee8df58e0017a06adc1863288321b748a8aece1019c229eeda844 Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Sat, 26 Apr 2014 15:01:45 +0000 Subject: [PATCH] Accepting request 231108 from Base:System - Build everything with full RELRO (-Wl,-z,relro,-z,now) - Remove -fstack-protector from the hardcoded build options it is already in RPM_OPT_FLAGS and is replaced by -fstack-protector-strong with gcc 4.9 - Remove the "gmp" and "capi" shared engines, nobody noticed but they are just dummies that do nothing. - Use enable-rfc3779 to allow projects such as rpki.net to work in openSUSE and match the functionality available in Debian/Fedora/etc - openssl-buffreelistbug-aka-CVE-2010-5298.patch fix CVE-2010-5298 and disable the internal BUF_FREELISTS functionality. it hides bugs like heartbleed and is there only for systems on which malloc() free() are slow. - ensure we export MALLOC_CHECK and PERTURB during the test suite, now that the freelist functionality is disabled it will help to catch bugs before they hit users. - openssl-libssl-noweakciphers.patch do not offer "export" or "low" quality ciphers by default. using such ciphers is not forbidden but requires an explicit request - openssl-gcc-attributes.patch: fix thinko, CRYPTO_realloc_clean does not return memory of "num * old_num" but only "num" size fortunately this function is currently unused. (forwarded request 230868 from elvigia) OBS-URL: https://build.opensuse.org/request/show/231108 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=114 --- ...ssl-buffreelistbug-aka-CVE-2010-5298.patch | 13 +++++ openssl-gcc-attributes.patch | 2 +- openssl-libssl-noweakciphers.patch | 11 +++++ openssl.changes | 47 +++++++++++++++++++ openssl.spec | 18 ++++--- 5 files changed, 83 insertions(+), 8 deletions(-) create mode 100644 openssl-buffreelistbug-aka-CVE-2010-5298.patch create mode 100644 openssl-libssl-noweakciphers.patch diff --git a/openssl-buffreelistbug-aka-CVE-2010-5298.patch b/openssl-buffreelistbug-aka-CVE-2010-5298.patch new file mode 100644 index 0000000..02d5cc3 --- /dev/null +++ b/openssl-buffreelistbug-aka-CVE-2010-5298.patch @@ -0,0 +1,13 @@ +--- openssl-1.0.1g.orig/ssl/s3_pkt.c ++++ openssl-1.0.1g/ssl/s3_pkt.c +@@ -1055,8 +1055,8 @@ start: + { + s->rstate=SSL_ST_READ_HEADER; + rr->off=0; +- if (s->mode & SSL_MODE_RELEASE_BUFFERS) +- ssl3_release_read_buffer(s); ++ if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0) ++ ssl3_release_read_buffer(s); + } + } + return(n); diff --git a/openssl-gcc-attributes.patch b/openssl-gcc-attributes.patch index de2826f..2422937 100644 --- a/openssl-gcc-attributes.patch +++ b/openssl-gcc-attributes.patch @@ -27,7 +27,7 @@ void *CRYPTO_realloc_clean(void *addr,int old_num,int num,const char *file, - int line); -void *CRYPTO_remalloc(void *addr,int num, const char *file, int line); -+ int line) __attribute__((alloc_size(2, 3))); ++ int line) __attribute__((alloc_size(3))); +void *CRYPTO_remalloc(void *addr,int num, const char *file, int line) __attribute__((alloc_size(2))); void OPENSSL_cleanse(void *ptr, size_t len); diff --git a/openssl-libssl-noweakciphers.patch b/openssl-libssl-noweakciphers.patch new file mode 100644 index 0000000..0926d6a --- /dev/null +++ b/openssl-libssl-noweakciphers.patch @@ -0,0 +1,11 @@ +--- openssl-1.0.1g.orig/ssl/ssl.h ++++ openssl-1.0.1g/ssl/ssl.h +@@ -331,7 +331,7 @@ extern "C" { + /* The following cipher list is used by default. + * It also is substituted when an application-defined cipher list string + * starts with 'DEFAULT'. */ +-#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2" ++#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!LOW" + /* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always + * starts with a reasonable order, and all we have to do for DEFAULT is + * throwing out anonymous and unencrypted ciphersuites! diff --git a/openssl.changes b/openssl.changes index 45784b5..ce1fd41 100644 --- a/openssl.changes +++ b/openssl.changes @@ -1,3 +1,50 @@ +------------------------------------------------------------------- +Sun Apr 20 00:53:34 UTC 2014 - crrodriguez@opensuse.org + +- Build everything with full RELRO (-Wl,-z,relro,-z,now) +- Remove -fstack-protector from the hardcoded build options + it is already in RPM_OPT_FLAGS and is replaced by + -fstack-protector-strong with gcc 4.9 + +------------------------------------------------------------------- +Sun Apr 20 00:49:25 UTC 2014 - crrodriguez@opensuse.org + +- Remove the "gmp" and "capi" shared engines, nobody noticed + but they are just dummies that do nothing. + +------------------------------------------------------------------- +Sat Apr 19 22:29:10 UTC 2014 - crrodriguez@opensuse.org + +- Use enable-rfc3779 to allow projects such as rpki.net + to work in openSUSE and match the functionality + available in Debian/Fedora/etc + +------------------------------------------------------------------- +Sat Apr 19 22:22:01 UTC 2014 - crrodriguez@opensuse.org + +- openssl-buffreelistbug-aka-CVE-2010-5298.patch fix + CVE-2010-5298 and disable the internal BUF_FREELISTS + functionality. it hides bugs like heartbleed and is + there only for systems on which malloc() free() are slow. + +- ensure we export MALLOC_CHECK and PERTURB during the test + suite, now that the freelist functionality is disabled it + will help to catch bugs before they hit users. + +------------------------------------------------------------------- +Sat Apr 19 03:45:20 UTC 2014 - crrodriguez@opensuse.org + +- openssl-libssl-noweakciphers.patch do not offer "export" + or "low" quality ciphers by default. using such ciphers + is not forbidden but requires an explicit request + +------------------------------------------------------------------- +Fri Apr 18 14:07:47 UTC 2014 - crrodriguez@opensuse.org + +- openssl-gcc-attributes.patch: fix thinko, CRYPTO_realloc_clean does + not return memory of "num * old_num" but only "num" size + fortunately this function is currently unused. + ------------------------------------------------------------------- Fri Apr 11 02:40:34 UTC 2014 - crrodriguez@opensuse.org diff --git a/openssl.spec b/openssl.spec index b83e774..329fd38 100644 --- a/openssl.spec +++ b/openssl.spec @@ -65,6 +65,8 @@ Patch16: openssl-1.0.1e-fips-ec.patch Patch17: openssl-1.0.1e-fips-ctor.patch Patch18: openssl-1.0.1e-new-fips-reqs.patch Patch19: openssl-gcc-attributes.patch +Patch20: openssl-buffreelistbug-aka-CVE-2010-5298.patch +Patch21: openssl-libssl-noweakciphers.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -171,6 +173,8 @@ this package's base documentation. %patch17 -p1 %patch18 -p1 %patch19 -p1 +%patch20 -p1 +%patch21 -p1 cp -p %{S:10} . cp -p %{S:11} . echo "adding/overwriting some entries in the 'table' hash in Configure" @@ -220,6 +224,7 @@ config_flags="threads shared no-rc5 no-idea \ fips \ %if 0%{suse_version} > 1310 no-ssl2 \ +enable-rfc3779 \ %endif %ifarch x86_64 enable-ec_nistp_64_gcc_128 \ @@ -232,18 +237,16 @@ no-ec2m \ --openssldir=%{ssletcdir} \ $RPM_OPT_FLAGS -O3 -std=gnu99 \ -Wa,--noexecstack \ +-Wl,-z,relro,-z,now \ -fomit-frame-pointer \ -DTERMIO \ -DPURIFY \ -DSSL_FORBID_ENULL \ -D_GNU_SOURCE \ +-DOPENSSL_NO_BUF_FREELISTS \ $(getconf LFS_CFLAGS) \ -%ifnarch hppa aarch64 --Wall \ --fstack-protector " -%else -Wall " -%endif + # #%{!?do_profiling:%define do_profiling 0} #%if %do_profiling @@ -278,7 +281,8 @@ $(getconf LFS_CFLAGS) \ # These files are just there for the make test below... crypto/fips/fips_standalone_hmac libcrypto.so.1.0.0 > .libcrypto.so.1.0.0.hmac crypto/fips/fips_standalone_hmac libssl.so.1.0.0 > .libssl.so.1.0.0.hmac - +export MALLOC_CHECK_=3 +export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) LD_LIBRARY_PATH=`pwd` make test FIPSCANLIB="" %ifnarch armv4l LD_LIBRARY_PATH=`pwd` make test @@ -401,7 +405,7 @@ cd $RPM_BUILD_ROOT%{_libdir}/ ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so -for engine in 4758cca atalla nuron sureware ubsec cswift chil aep; do +for engine in 4758cca atalla nuron sureware ubsec cswift chil aep gmp capi; do rm %{buildroot}/%{_lib}/engines/lib$engine.so done