- update to new upstream version, no soname bump needed

- fix CVE-2009-3555 - note that the fix is bypassed if SSL_OP_ALL is used
    so the compatibility with unfixed clients is not broken. The protocol
    extension is also not final.
This commit is contained in:
Tomáš Mráz 2009-11-12 15:51:40 +00:00
parent e0fe963bd1
commit aabbc9ad89
25 changed files with 775 additions and 2701 deletions

View File

@ -1 +1 @@
openssl-1.0.0-beta3-usa.tar.bz2
openssl-1.0.0-beta4-usa.tar.bz2

View File

@ -1,24 +0,0 @@
This patch fixes a violation of the C aliasing rules that can cause
miscompilation with some compiler versions.
--- openssl-0.9.8b/crypto/dso/dso_dlfcn.c.orig 2006-10-30 18:21:35.000000000 +0100
+++ openssl-0.9.8b/crypto/dso/dso_dlfcn.c 2006-10-30 18:21:37.000000000 +0100
@@ -237,7 +237,7 @@ static void *dlfcn_bind_var(DSO *dso, co
static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname)
{
void *ptr;
- DSO_FUNC_TYPE sym, *tsym = &sym;
+ DSO_FUNC_TYPE sym;
if((dso == NULL) || (symname == NULL))
{
@@ -255,7 +255,7 @@ static DSO_FUNC_TYPE dlfcn_bind_func(DSO
DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_NULL_HANDLE);
return(NULL);
}
- *(void **)(tsym) = dlsym(ptr, symname);
+ sym = dlsym(ptr, symname);
if(sym == NULL)
{
DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_SYM_FAILURE);

View File

@ -1,36 +0,0 @@
diff -up openssl-0.9.8j/apps/openssl.cnf.ca-dir openssl-0.9.8j/apps/openssl.cnf
--- openssl-0.9.8j/apps/openssl.cnf.ca-dir 2009-01-13 23:20:10.000000000 +0100
+++ openssl-0.9.8j/apps/openssl.cnf 2009-01-13 23:20:10.000000000 +0100
@@ -34,7 +34,7 @@ default_ca = CA_default # The default c
####################################################################
[ CA_default ]
-dir = ./demoCA # Where everything is kept
+dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
diff -up openssl-0.9.8j/apps/CA.sh.ca-dir openssl-0.9.8j/apps/CA.sh
--- openssl-0.9.8j/apps/CA.sh.ca-dir 2005-07-04 23:44:22.000000000 +0200
+++ openssl-0.9.8j/apps/CA.sh 2009-01-13 23:20:10.000000000 +0100
@@ -39,7 +39,7 @@ CA="$OPENSSL ca $SSLEAY_CONFIG"
VERIFY="$OPENSSL verify"
X509="$OPENSSL x509"
-CATOP=./demoCA
+CATOP=/etc/pki/CA
CAKEY=./cakey.pem
CAREQ=./careq.pem
CACERT=./cacert.pem
diff -up openssl-0.9.8j/apps/CA.pl.in.ca-dir openssl-0.9.8j/apps/CA.pl.in
--- openssl-0.9.8j/apps/CA.pl.in.ca-dir 2006-04-28 02:28:51.000000000 +0200
+++ openssl-0.9.8j/apps/CA.pl.in 2009-01-13 23:20:10.000000000 +0100
@@ -53,7 +53,7 @@ $VERIFY="$openssl verify";
$X509="$openssl x509";
$PKCS12="$openssl pkcs12";
-$CATOP="./demoCA";
+$CATOP="/etc/pki/CA";
$CAKEY="cakey.pem";
$CAREQ="careq.pem";
$CACERT="cacert.pem";

View File

@ -1,12 +0,0 @@
diff -up openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86_64.pl.rounds openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86_64.pl
--- openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86_64.pl.rounds 2009-09-15 12:09:08.000000000 +0200
+++ openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86_64.pl 2009-09-15 12:09:48.000000000 +0200
@@ -656,7 +656,7 @@ Camellia_cbc_encrypt:
mov %rsi,$out # out argument
mov %r8,%rbx # ivp argument
mov %rcx,$key # key argument
- mov 272(%rcx),$keyend # grandRounds
+ mov 272(%rcx),${keyend}d # grandRounds
mov %r8,$_ivp
mov %rbp,$_rsp

View File

@ -1,36 +0,0 @@
diff -up openssl-1.0.0-beta3/doc/ssl/SSL_CIPHER_get_name.pod.const openssl-1.0.0-beta3/doc/ssl/SSL_CIPHER_get_name.pod
--- openssl-1.0.0-beta3/doc/ssl/SSL_CIPHER_get_name.pod.const 2009-02-14 22:49:37.000000000 +0100
+++ openssl-1.0.0-beta3/doc/ssl/SSL_CIPHER_get_name.pod 2009-08-22 16:15:32.000000000 +0200
@@ -11,7 +11,7 @@ SSL_CIPHER_get_name, SSL_CIPHER_get_bits
const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher);
int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *alg_bits);
char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher);
- char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int size);
+ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int size);
=head1 DESCRIPTION
diff -up openssl-1.0.0-beta3/ssl/ssl_ciph.c.const openssl-1.0.0-beta3/ssl/ssl_ciph.c
--- openssl-1.0.0-beta3/ssl/ssl_ciph.c.const 2009-08-22 15:56:12.000000000 +0200
+++ openssl-1.0.0-beta3/ssl/ssl_ciph.c 2009-08-22 15:56:12.000000000 +0200
@@ -1458,7 +1458,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
return(cipherstack);
}
-char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
+char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
{
int is_export,pkl,kl;
const char *ver,*exp_str;
diff -up openssl-1.0.0-beta3/ssl/ssl.h.const openssl-1.0.0-beta3/ssl/ssl.h
--- openssl-1.0.0-beta3/ssl/ssl.h.const 2009-08-22 15:56:11.000000000 +0200
+++ openssl-1.0.0-beta3/ssl/ssl.h 2009-08-22 15:56:12.000000000 +0200
@@ -1638,7 +1638,7 @@ long SSL_get_default_timeout(const SSL *
int SSL_library_init(void );
-char *SSL_CIPHER_description(SSL_CIPHER *,char *buf,int size);
+char *SSL_CIPHER_description(const SSL_CIPHER *,char *buf,int size);
STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk);
SSL *SSL_dup(SSL *ssl);

View File

@ -1,27 +0,0 @@
diff -up openssl-1.0.0-beta3/apps/tsget.curl openssl-1.0.0-beta3/apps/tsget
--- openssl-1.0.0-beta3/apps/tsget.curl 2006-02-13 00:11:21.000000000 +0100
+++ openssl-1.0.0-beta3/apps/tsget 2009-08-21 15:37:24.000000000 +0200
@@ -7,7 +7,7 @@ use strict;
use IO::Handle;
use Getopt::Std;
use File::Basename;
-use WWW::Curl::easy;
+use WWW::Curl::Easy;
use vars qw(%options);
@@ -37,7 +37,7 @@ sub create_curl {
my $url = shift;
# Create Curl object.
- my $curl = WWW::Curl::easy::new();
+ my $curl = WWW::Curl::Easy::new();
# Error-handling related options.
$curl->setopt(CURLOPT_VERBOSE, 1) if $options{d};
@@ -192,4 +192,4 @@ REQUEST: foreach (@ARGV) {
STDERR->printflush(", $output written.\n") if $options{v};
}
$curl->cleanup();
-WWW::Curl::easy::global_cleanup();
+WWW::Curl::Easy::global_cleanup();

View File

@ -1,11 +0,0 @@
diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_pmeth.c.dss1 openssl-1.0.0-beta3/crypto/dsa/dsa_pmeth.c
--- openssl-1.0.0-beta3/crypto/dsa/dsa_pmeth.c.dss1 2008-11-05 19:38:56.000000000 +0100
+++ openssl-1.0.0-beta3/crypto/dsa/dsa_pmeth.c 2009-08-31 12:53:47.000000000 +0200
@@ -186,6 +186,7 @@ static int pkey_dsa_ctrl(EVP_PKEY_CTX *c
case EVP_PKEY_CTRL_MD:
if (EVP_MD_type((const EVP_MD *)p2) != NID_sha1 &&
+ EVP_MD_type((const EVP_MD *)p2) != NID_dsa &&
EVP_MD_type((const EVP_MD *)p2) != NID_sha224 &&
EVP_MD_type((const EVP_MD *)p2) != NID_sha256)
{

View File

@ -1,28 +0,0 @@
Index: openssl/ssl/d1_clnt.c
RCS File: /v/openssl/cvs/openssl/ssl/d1_clnt.c,v
rcsdiff -q -kk '-r1.16.2.10' '-r1.16.2.11' -u '/v/openssl/cvs/openssl/ssl/d1_clnt.c,v' 2>/dev/null
--- openssl/ssl/d1_clnt.c 2009/07/15 11:32:57 1.16.2.10
+++ openssl/ssl/d1_clnt.c 2009/07/24 11:52:32 1.16.2.11
@@ -223,6 +223,8 @@
s->init_num=0;
/* mark client_random uninitialized */
memset(s->s3->client_random,0,sizeof(s->s3->client_random));
+ s->d1->send_cookie = 0;
+ s->hit = 0;
break;
case SSL3_ST_CW_CLNT_HELLO_A:
Index: openssl/ssl/d1_pkt.c
RCS File: /v/openssl/cvs/openssl/ssl/d1_pkt.c,v
rcsdiff -q -kk '-r1.27.2.13' '-r1.27.2.14' -u '/v/openssl/cvs/openssl/ssl/d1_pkt.c,v' 2>/dev/null
--- openssl/ssl/d1_pkt.c 2009/07/13 11:44:04 1.27.2.13
+++ openssl/ssl/d1_pkt.c 2009/07/24 11:52:32 1.27.2.14
@@ -775,7 +775,7 @@
/* Check for timeout */
if (dtls1_is_timer_expired(s))
{
- if (dtls1_read_failed(s, -1) > 0);
+ if (dtls1_read_failed(s, -1) > 0)
goto start;
}

View File

@ -1,52 +0,0 @@
diff -up openssl-1.0.0-beta3/Configure.enginesdir openssl-1.0.0-beta3/Configure
--- openssl-1.0.0-beta3/Configure.enginesdir 2009-08-10 19:46:32.000000000 +0200
+++ openssl-1.0.0-beta3/Configure 2009-08-10 19:46:32.000000000 +0200
@@ -616,6 +616,7 @@ my $idx_multilib = $idx++;
my $prefix="";
my $openssldir="";
+my $enginesdir="";
my $exe_ext="";
my $install_prefix="";
my $cross_compile_prefix="";
@@ -820,6 +821,10 @@ PROCESS_ARGS:
{
$openssldir=$1;
}
+ elsif (/^--enginesdir=(.*)$/)
+ {
+ $enginesdir=$1;
+ }
elsif (/^--install.prefix=(.*)$/)
{
$install_prefix=$1;
@@ -1037,7 +1042,7 @@ chop $prefix if $prefix =~ /.\/$/;
$openssldir=$prefix . "/ssl" if $openssldir eq "";
$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
-
+$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
print "IsMK1MF=$IsMK1MF\n";
@@ -1645,7 +1650,7 @@ while (<IN>)
# $foo is to become "$prefix/lib$multilib/engines";
# as Makefile.org and engines/Makefile are adapted for
# $multilib suffix.
- my $foo = "$prefix/lib/engines";
+ my $foo = "$enginesdir";
$foo =~ s/\\/\\\\/g;
print OUT "#define ENGINESDIR \"$foo\"\n";
}
diff -up openssl-1.0.0-beta3/engines/Makefile.enginesdir openssl-1.0.0-beta3/engines/Makefile
--- openssl-1.0.0-beta3/engines/Makefile.enginesdir 2009-06-14 04:37:22.000000000 +0200
+++ openssl-1.0.0-beta3/engines/Makefile 2009-08-10 19:46:48.000000000 +0200
@@ -123,7 +123,7 @@ install:
sfx=".so"; \
cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
fi; \
- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
+ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx ); \
done; \
fi

View File

@ -222,7 +222,7 @@ diff -up openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode openssl-1.0.0-beta3/ssl/ssl
#ifndef OPENSSL_NO_DES
EVP_add_cipher(EVP_des_cbc());
EVP_add_cipher(EVP_des_ede3_cbc());
@@ -115,6 +121,38 @@ int SSL_library_init(void)
@@ -115,6 +121,40 @@ int SSL_library_init(void)
EVP_add_digest(EVP_sha());
EVP_add_digest(EVP_dss());
#endif
@ -241,6 +241,8 @@ diff -up openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode openssl-1.0.0-beta3/ssl/ssl
+#ifndef OPENSSL_NO_MD5
+ /* needed even in the FIPS mode for TLS MAC */
+ EVP_add_digest(EVP_md5());
+ EVP_add_digest_alias(SN_md5,"ssl2-md5");
+ EVP_add_digest_alias(SN_md5,"ssl3-md5");
+#endif
+#ifndef OPENSSL_NO_SHA
+ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */

View File

@ -1,12 +0,0 @@
diff -up openssl-1.0.0-beta3/Makefile.org.krb5 openssl-1.0.0-beta3/Makefile.org
--- openssl-1.0.0-beta3/Makefile.org.krb5 2009-04-23 18:12:09.000000000 +0200
+++ openssl-1.0.0-beta3/Makefile.org 2009-08-04 23:01:16.000000000 +0200
@@ -299,7 +299,7 @@ build-shared: do_$(SHLIB_TARGET) link-sh
do_$(SHLIB_TARGET):
@ set -e; libs='-L. $(SHLIBDEPS)'; for i in $(SHLIBDIRS); do \
- if [ "$(SHLIBDIRS)" = "ssl" -a -n "$(LIBKRB5)" ]; then \
+ if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \
libs="$(LIBKRB5) $$libs"; \
fi; \
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \

View File

@ -1,253 +0,0 @@
Index: openssl/crypto/asn1/a_set.c
RCS File: /v/openssl/cvs/openssl/crypto/asn1/a_set.c,v
rcsdiff -q -kk '-r1.20' '-r1.20.2.1' -u '/v/openssl/cvs/openssl/crypto/asn1/a_set.c,v' 2>/dev/null
--- openssl/crypto/asn1/a_set.c 2009/01/01 18:30:50 1.20
+++ openssl/crypto/asn1/a_set.c 2009/07/27 21:21:25 1.20.2.1
@@ -85,7 +85,7 @@
}
/* int is_set: if TRUE, then sort the contents (i.e. it isn't a SEQUENCE) */
-int i2d_ASN1_SET(STACK_OF(BLOCK) *a, unsigned char **pp,
+int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char **pp,
i2d_of_void *i2d, int ex_tag, int ex_class,
int is_set)
{
@@ -97,8 +97,8 @@
int totSize;
if (a == NULL) return(0);
- for (i=sk_BLOCK_num(a)-1; i>=0; i--)
- ret+=i2d(sk_BLOCK_value(a,i),NULL);
+ for (i=sk_OPENSSL_BLOCK_num(a)-1; i>=0; i--)
+ ret+=i2d(sk_OPENSSL_BLOCK_value(a,i),NULL);
r=ASN1_object_size(1,ret,ex_tag);
if (pp == NULL) return(r);
@@ -109,10 +109,10 @@
/* And then again by Ben */
/* And again by Steve */
- if(!is_set || (sk_BLOCK_num(a) < 2))
+ if(!is_set || (sk_OPENSSL_BLOCK_num(a) < 2))
{
- for (i=0; i<sk_BLOCK_num(a); i++)
- i2d(sk_BLOCK_value(a,i),&p);
+ for (i=0; i<sk_OPENSSL_BLOCK_num(a); i++)
+ i2d(sk_OPENSSL_BLOCK_value(a,i),&p);
*pp=p;
return(r);
@@ -120,17 +120,17 @@
pStart = p; /* Catch the beg of Setblobs*/
/* In this array we will store the SET blobs */
- rgSetBlob = OPENSSL_malloc(sk_BLOCK_num(a) * sizeof(MYBLOB));
+ rgSetBlob = OPENSSL_malloc(sk_OPENSSL_BLOCK_num(a) * sizeof(MYBLOB));
if (rgSetBlob == NULL)
{
ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE);
return(0);
}
- for (i=0; i<sk_BLOCK_num(a); i++)
+ for (i=0; i<sk_OPENSSL_BLOCK_num(a); i++)
{
rgSetBlob[i].pbData = p; /* catch each set encode blob */
- i2d(sk_BLOCK_value(a,i),&p);
+ i2d(sk_OPENSSL_BLOCK_value(a,i),&p);
rgSetBlob[i].cbData = p - rgSetBlob[i].pbData; /* Length of this
SetBlob
*/
@@ -140,7 +140,7 @@
/* Now we have to sort the blobs. I am using a simple algo.
*Sort ptrs *Copy to temp-mem *Copy from temp-mem to user-mem*/
- qsort( rgSetBlob, sk_BLOCK_num(a), sizeof(MYBLOB), SetBlobCmp);
+ qsort( rgSetBlob, sk_OPENSSL_BLOCK_num(a), sizeof(MYBLOB), SetBlobCmp);
if (!(pTempMem = OPENSSL_malloc(totSize)))
{
ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE);
@@ -149,7 +149,7 @@
/* Copy to temp mem */
p = pTempMem;
- for(i=0; i<sk_BLOCK_num(a); ++i)
+ for(i=0; i<sk_OPENSSL_BLOCK_num(a); ++i)
{
memcpy(p, rgSetBlob[i].pbData, rgSetBlob[i].cbData);
p += rgSetBlob[i].cbData;
@@ -163,17 +163,18 @@
return(r);
}
-STACK_OF(BLOCK) *d2i_ASN1_SET(STACK_OF(BLOCK) **a, const unsigned char **pp,
+STACK_OF(OPENSSL_BLOCK) *d2i_ASN1_SET(STACK_OF(OPENSSL_BLOCK) **a,
+ const unsigned char **pp,
long length, d2i_of_void *d2i,
- void (*free_func)(BLOCK), int ex_tag,
+ void (*free_func)(OPENSSL_BLOCK), int ex_tag,
int ex_class)
{
ASN1_const_CTX c;
- STACK_OF(BLOCK) *ret=NULL;
+ STACK_OF(OPENSSL_BLOCK) *ret=NULL;
if ((a == NULL) || ((*a) == NULL))
{
- if ((ret=sk_BLOCK_new_null()) == NULL)
+ if ((ret=sk_OPENSSL_BLOCK_new_null()) == NULL)
{
ASN1err(ASN1_F_D2I_ASN1_SET,ERR_R_MALLOC_FAILURE);
goto err;
@@ -221,7 +222,7 @@
asn1_add_error(*pp,(int)(c.p- *pp));
goto err;
}
- if (!sk_BLOCK_push(ret,s)) goto err;
+ if (!sk_OPENSSL_BLOCK_push(ret,s)) goto err;
}
if (a != NULL) (*a)=ret;
*pp=c.p;
@@ -230,9 +231,9 @@
if ((ret != NULL) && ((a == NULL) || (*a != ret)))
{
if (free_func != NULL)
- sk_BLOCK_pop_free(ret,free_func);
+ sk_OPENSSL_BLOCK_pop_free(ret,free_func);
else
- sk_BLOCK_free(ret);
+ sk_OPENSSL_BLOCK_free(ret);
}
return(NULL);
}
Index: openssl/crypto/asn1/asn1.h
RCS File: /v/openssl/cvs/openssl/crypto/asn1/asn1.h,v
rcsdiff -q -kk '-r1.166.2.3' '-r1.166.2.4' -u '/v/openssl/cvs/openssl/crypto/asn1/asn1.h,v' 2>/dev/null
--- openssl/crypto/asn1/asn1.h 2009/07/24 11:15:55 1.166.2.3
+++ openssl/crypto/asn1/asn1.h 2009/07/27 21:21:25 1.166.2.4
@@ -887,12 +887,13 @@
ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out);
int ASN1_TIME_set_string(ASN1_TIME *s, const char *str);
-int i2d_ASN1_SET(STACK_OF(BLOCK) *a, unsigned char **pp,
+int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char **pp,
i2d_of_void *i2d, int ex_tag, int ex_class,
int is_set);
-STACK_OF(BLOCK) *d2i_ASN1_SET(STACK_OF(BLOCK) **a, const unsigned char **pp,
+STACK_OF(OPENSSL_BLOCK) *d2i_ASN1_SET(STACK_OF(OPENSSL_BLOCK) **a,
+ const unsigned char **pp,
long length, d2i_of_void *d2i,
- void (*free_func)(BLOCK), int ex_tag,
+ void (*free_func)(OPENSSL_BLOCK), int ex_tag,
int ex_class);
#ifndef OPENSSL_NO_BIO
@@ -1045,9 +1046,9 @@
int ASN1_TYPE_get_int_octetstring(ASN1_TYPE *a,long *num,
unsigned char *data, int max_len);
-STACK_OF(BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len,
- d2i_of_void *d2i, void (*free_func)(BLOCK));
-unsigned char *ASN1_seq_pack(STACK_OF(BLOCK) *safes, i2d_of_void *i2d,
+STACK_OF(OPENSSL_BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len,
+ d2i_of_void *d2i, void (*free_func)(OPENSSL_BLOCK));
+unsigned char *ASN1_seq_pack(STACK_OF(OPENSSL_BLOCK) *safes, i2d_of_void *i2d,
unsigned char **buf, int *len );
void *ASN1_unpack_string(ASN1_STRING *oct, d2i_of_void *d2i);
void *ASN1_item_unpack(ASN1_STRING *oct, const ASN1_ITEM *it);
Index: openssl/crypto/asn1/asn_pack.c
RCS File: /v/openssl/cvs/openssl/crypto/asn1/asn_pack.c,v
rcsdiff -q -kk '-r1.19' '-r1.19.2.1' -u '/v/openssl/cvs/openssl/crypto/asn1/asn_pack.c,v' 2>/dev/null
--- openssl/crypto/asn1/asn_pack.c 2008/11/12 03:57:49 1.19
+++ openssl/crypto/asn1/asn_pack.c 2009/07/27 21:21:25 1.19.2.1
@@ -66,10 +66,10 @@
/* Turn an ASN1 encoded SEQUENCE OF into a STACK of structures */
-STACK_OF(BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len,
- d2i_of_void *d2i, void (*free_func)(BLOCK))
+STACK_OF(OPENSSL_BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len,
+ d2i_of_void *d2i, void (*free_func)(OPENSSL_BLOCK))
{
- STACK_OF(BLOCK) *sk;
+ STACK_OF(OPENSSL_BLOCK) *sk;
const unsigned char *pbuf;
pbuf = buf;
if (!(sk = d2i_ASN1_SET(NULL, &pbuf, len, d2i, free_func,
@@ -82,7 +82,7 @@
* OPENSSL_malloc'ed buffer
*/
-unsigned char *ASN1_seq_pack(STACK_OF(BLOCK) *safes, i2d_of_void *i2d,
+unsigned char *ASN1_seq_pack(STACK_OF(OPENSSL_BLOCK) *safes, i2d_of_void *i2d,
unsigned char **buf, int *len)
{
int safelen;
Index: openssl/crypto/stack/safestack.h
RCS File: /v/openssl/cvs/openssl/crypto/stack/safestack.h,v
rcsdiff -q -kk '-r1.72.2.4' '-r1.72.2.5' -u '/v/openssl/cvs/openssl/crypto/stack/safestack.h,v' 2>/dev/null
--- openssl/crypto/stack/safestack.h 2009/07/27 21:08:50 1.72.2.4
+++ openssl/crypto/stack/safestack.h 2009/07/27 21:21:25 1.72.2.5
@@ -128,8 +128,8 @@
* nul-terminated. These should also be distinguished from "normal"
* stacks. */
-typedef void *BLOCK;
-DECLARE_SPECIAL_STACK_OF(BLOCK, void)
+typedef void *OPENSSL_BLOCK;
+DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void)
/* SKM_sk_... stack macros are internal to safestack.h:
* never use them directly, use sk_<type>_... instead */
@@ -2055,29 +2055,29 @@
#define sk_OPENSSL_STRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_STRING, (st))
-#define sk_BLOCK_new(cmp) ((STACK_OF(BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp)))
-#define sk_BLOCK_new_null() ((STACK_OF(BLOCK) *)sk_new_null())
-#define sk_BLOCK_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val))
-#define sk_BLOCK_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val))
-#define sk_BLOCK_value(st, i) ((BLOCK)sk_value(CHECKED_PTR_OF(STACK_OF(BLOCK), st), i))
-#define sk_BLOCK_num(st) SKM_sk_num(BLOCK, st)
-#define sk_BLOCK_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_SK_FREE_FUNC2(BLOCK, free_func))
-#define sk_BLOCK_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val), i)
-#define sk_BLOCK_free(st) SKM_sk_free(BLOCK, st)
-#define sk_BLOCK_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), i, CHECKED_PTR_OF(void, val))
-#define sk_BLOCK_zero(st) SKM_sk_zero(BLOCK, (st))
-#define sk_BLOCK_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val))
-#define sk_BLOCK_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(BLOCK), st), CHECKED_CONST_PTR_OF(void, val))
-#define sk_BLOCK_delete(st, i) SKM_sk_delete(BLOCK, (st), (i))
-#define sk_BLOCK_delete_ptr(st, ptr) (BLOCK *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, ptr))
-#define sk_BLOCK_set_cmp_func(st, cmp) \
+#define sk_OPENSSL_BLOCK_new(cmp) ((STACK_OF(OPENSSL_BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp)))
+#define sk_OPENSSL_BLOCK_new_null() ((STACK_OF(OPENSSL_BLOCK) *)sk_new_null())
+#define sk_OPENSSL_BLOCK_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val))
+#define sk_OPENSSL_BLOCK_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val))
+#define sk_OPENSSL_BLOCK_value(st, i) ((OPENSSL_BLOCK)sk_value(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), i))
+#define sk_OPENSSL_BLOCK_num(st) SKM_sk_num(OPENSSL_BLOCK, st)
+#define sk_OPENSSL_BLOCK_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_SK_FREE_FUNC2(OPENSSL_BLOCK, free_func))
+#define sk_OPENSSL_BLOCK_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val), i)
+#define sk_OPENSSL_BLOCK_free(st) SKM_sk_free(OPENSSL_BLOCK, st)
+#define sk_OPENSSL_BLOCK_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), i, CHECKED_PTR_OF(void, val))
+#define sk_OPENSSL_BLOCK_zero(st) SKM_sk_zero(OPENSSL_BLOCK, (st))
+#define sk_OPENSSL_BLOCK_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val))
+#define sk_OPENSSL_BLOCK_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_CONST_PTR_OF(void, val))
+#define sk_OPENSSL_BLOCK_delete(st, i) SKM_sk_delete(OPENSSL_BLOCK, (st), (i))
+#define sk_OPENSSL_BLOCK_delete_ptr(st, ptr) (OPENSSL_BLOCK *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, ptr))
+#define sk_OPENSSL_BLOCK_set_cmp_func(st, cmp) \
((int (*)(const void * const *,const void * const *)) \
- sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_SK_CMP_FUNC(void, cmp)))
-#define sk_BLOCK_dup(st) SKM_sk_dup(BLOCK, st)
-#define sk_BLOCK_shift(st) SKM_sk_shift(BLOCK, (st))
-#define sk_BLOCK_pop(st) (void *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st))
-#define sk_BLOCK_sort(st) SKM_sk_sort(BLOCK, (st))
-#define sk_BLOCK_is_sorted(st) SKM_sk_is_sorted(BLOCK, (st))
+ sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_SK_CMP_FUNC(void, cmp)))
+#define sk_OPENSSL_BLOCK_dup(st) SKM_sk_dup(OPENSSL_BLOCK, st)
+#define sk_OPENSSL_BLOCK_shift(st) SKM_sk_shift(OPENSSL_BLOCK, (st))
+#define sk_OPENSSL_BLOCK_pop(st) (void *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st))
+#define sk_OPENSSL_BLOCK_sort(st) SKM_sk_sort(OPENSSL_BLOCK, (st))
+#define sk_OPENSSL_BLOCK_is_sorted(st) SKM_sk_is_sorted(OPENSSL_BLOCK, (st))
#define sk_OPENSSL_PSTRING_new(cmp) ((STACK_OF(OPENSSL_PSTRING) *)sk_new(CHECKED_SK_CMP_FUNC(OPENSSL_STRING, cmp)))

File diff suppressed because it is too large Load Diff

View File

@ -1,31 +0,0 @@
diff -up openssl-1.0.0-beta3/ssl/ssl_lib.c.ctx-free openssl-1.0.0-beta3/ssl/ssl_lib.c
--- openssl-1.0.0-beta3/ssl/ssl_lib.c.ctx-free 2009-10-08 20:44:26.000000000 +0200
+++ openssl-1.0.0-beta3/ssl/ssl_lib.c 2009-10-16 11:56:53.000000000 +0200
@@ -556,7 +556,6 @@ void SSL_free(SSL *s)
if (s->cert != NULL) ssl_cert_free(s->cert);
/* Free up if allocated */
- if (s->ctx) SSL_CTX_free(s->ctx);
#ifndef OPENSSL_NO_TLSEXT
if (s->tlsext_hostname)
OPENSSL_free(s->tlsext_hostname);
@@ -580,6 +579,8 @@ void SSL_free(SSL *s)
if (s->method != NULL) s->method->ssl_free(s);
+ if (s->ctx) SSL_CTX_free(s->ctx);
+
#ifndef OPENSSL_NO_KRB5
if (s->kssl_ctx != NULL)
kssl_ctx_free(s->kssl_ctx);
diff -up openssl-1.0.0-beta3/ssl/s3_lib.c.hbuf-clear openssl-1.0.0-beta3/ssl/s3_lib.c
--- openssl-1.0.0-beta3/ssl/s3_lib.c.hbuf-clear 2009-05-28 20:10:47.000000000 +0200
+++ openssl-1.0.0-beta3/ssl/s3_lib.c 2009-10-16 09:50:24.000000000 +0200
@@ -2211,6 +2211,7 @@ void ssl3_clear(SSL *s)
wlen = s->s3->wbuf.len;
if (s->s3->handshake_buffer) {
BIO_free(s->s3->handshake_buffer);
+ s->s3->handshake_buffer = NULL;
}
if (s->s3->handshake_dgst) {
ssl3_free_digest_list(s);

View File

@ -1,27 +0,0 @@
Index: openssl/ssl/ssl_asn1.c
RCS File: /v/openssl/cvs/openssl/ssl/ssl_asn1.c,v
rcsdiff -q -kk '-r1.36.2.2' '-r1.36.2.3' -u '/v/openssl/cvs/openssl/ssl/ssl_asn1.c,v' 2>/dev/null
--- openssl/ssl/ssl_asn1.c 2009/08/05 15:29:14 1.36.2.2
+++ openssl/ssl/ssl_asn1.c 2009/09/02 13:20:22 1.36.2.3
@@ -413,8 +413,8 @@
}
else
{
- SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_UNKNOWN_SSL_VERSION);
- return(NULL);
+ c.error=SSL_R_UNKNOWN_SSL_VERSION;
+ goto err;
}
ret->cipher=NULL;
@@ -505,8 +505,8 @@
{
if (os.length > SSL_MAX_SID_CTX_LENGTH)
{
- ret->sid_ctx_length=os.length;
- SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_BAD_LENGTH);
+ c.error=SSL_R_BAD_LENGTH;
+ goto err;
}
else
{

View File

@ -1,6 +1,6 @@
diff -up openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod
--- openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc 2004-05-20 23:39:50.000000000 +0200
+++ openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod 2009-06-30 12:04:47.000000000 +0200
diff -up openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod
--- openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc 2009-10-16 17:29:34.000000000 +0200
+++ openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod 2009-11-12 14:13:21.000000000 +0100
@@ -6,7 +6,8 @@ EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_
EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE,
EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size,
@ -45,8 +45,8 @@ diff -up openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-0.9.8k/do
+signature algorithm is RSA in each case.
EVP_dss() and EVP_dss1() return B<EVP_MD> structures for SHA and SHA1 digest
algorithms but using DSS (DSA) for the signature algorithm.
@@ -156,7 +163,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
algorithms but using DSS (DSA) for the signature algorithm. Note: there is
@@ -158,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
EVP_MD_CTX_block_size() and EVP_MD_block_size() return the digest or block
size in bytes.
@ -56,9 +56,9 @@ diff -up openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-0.9.8k/do
EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
corresponding EVP_MD structures.
diff -up openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod
--- openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod.algo-doc 2005-04-15 18:01:35.000000000 +0200
+++ openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod 2009-06-30 12:04:47.000000000 +0200
diff -up openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod
--- openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc 2005-04-15 18:01:35.000000000 +0200
+++ openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod 2009-11-12 14:11:03.000000000 +0100
@@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher
int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);

View File

@ -0,0 +1,36 @@
diff -up openssl-1.0.0-beta4/apps/CA.pl.in.ca-dir openssl-1.0.0-beta4/apps/CA.pl.in
--- openssl-1.0.0-beta4/apps/CA.pl.in.ca-dir 2006-04-28 02:30:49.000000000 +0200
+++ openssl-1.0.0-beta4/apps/CA.pl.in 2009-11-12 12:33:13.000000000 +0100
@@ -53,7 +53,7 @@ $VERIFY="$openssl verify";
$X509="$openssl x509";
$PKCS12="$openssl pkcs12";
-$CATOP="./demoCA";
+$CATOP="/etc/pki/CA";
$CAKEY="cakey.pem";
$CAREQ="careq.pem";
$CACERT="cacert.pem";
diff -up openssl-1.0.0-beta4/apps/CA.sh.ca-dir openssl-1.0.0-beta4/apps/CA.sh
--- openssl-1.0.0-beta4/apps/CA.sh.ca-dir 2009-10-15 19:27:47.000000000 +0200
+++ openssl-1.0.0-beta4/apps/CA.sh 2009-11-12 12:35:14.000000000 +0100
@@ -68,7 +68,7 @@ VERIFY="$OPENSSL verify"
X509="$OPENSSL x509"
PKCS12="openssl pkcs12"
-if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
+if [ -z "$CATOP" ] ; then CATOP=/etc/pki/CA ; fi
CAKEY=./cakey.pem
CAREQ=./careq.pem
CACERT=./cacert.pem
diff -up openssl-1.0.0-beta4/apps/openssl.cnf.ca-dir openssl-1.0.0-beta4/apps/openssl.cnf
--- openssl-1.0.0-beta4/apps/openssl.cnf.ca-dir 2009-11-12 12:33:13.000000000 +0100
+++ openssl-1.0.0-beta4/apps/openssl.cnf 2009-11-12 12:33:13.000000000 +0100
@@ -39,7 +39,7 @@ default_ca = CA_default # The default c
####################################################################
[ CA_default ]
-dir = ./demoCA # Where everything is kept
+dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.

View File

@ -1,7 +1,7 @@
diff -up openssl-1.0.0-beta3/apps/s_client.c.default-paths openssl-1.0.0-beta3/apps/s_client.c
--- openssl-1.0.0-beta3/apps/s_client.c.default-paths 2009-06-30 18:10:24.000000000 +0200
+++ openssl-1.0.0-beta3/apps/s_client.c 2009-08-05 18:17:52.000000000 +0200
@@ -888,12 +888,13 @@ bad:
diff -up openssl-1.0.0-beta4/apps/s_client.c.default-paths openssl-1.0.0-beta4/apps/s_client.c
--- openssl-1.0.0-beta4/apps/s_client.c.default-paths 2009-08-12 15:21:26.000000000 +0200
+++ openssl-1.0.0-beta4/apps/s_client.c 2009-11-12 12:26:32.000000000 +0100
@@ -889,12 +889,13 @@ bad:
if (!set_cert_key_stuff(ctx,cert,key))
goto end;
@ -19,10 +19,10 @@ diff -up openssl-1.0.0-beta3/apps/s_client.c.default-paths openssl-1.0.0-beta3/a
}
#ifndef OPENSSL_NO_TLSEXT
diff -up openssl-1.0.0-beta3/apps/s_server.c.default-paths openssl-1.0.0-beta3/apps/s_server.c
--- openssl-1.0.0-beta3/apps/s_server.c.default-paths 2009-06-30 18:10:24.000000000 +0200
+++ openssl-1.0.0-beta3/apps/s_server.c 2009-08-05 18:18:40.000000000 +0200
@@ -1403,12 +1403,13 @@ bad:
diff -up openssl-1.0.0-beta4/apps/s_server.c.default-paths openssl-1.0.0-beta4/apps/s_server.c
--- openssl-1.0.0-beta4/apps/s_server.c.default-paths 2009-10-28 18:49:37.000000000 +0100
+++ openssl-1.0.0-beta4/apps/s_server.c 2009-11-12 12:31:23.000000000 +0100
@@ -1408,12 +1408,13 @@ bad:
}
#endif
@ -40,9 +40,9 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.default-paths openssl-1.0.0-beta3/a
}
if (vpm)
SSL_CTX_set1_param(ctx, vpm);
@@ -1457,8 +1458,11 @@ bad:
SSL_CTX_sess_set_cache_size(ctx2,128);
@@ -1465,8 +1466,11 @@ bad:
else
SSL_CTX_sess_set_cache_size(ctx2,128);
- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
- (!SSL_CTX_set_default_verify_paths(ctx2)))
@ -54,9 +54,9 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.default-paths openssl-1.0.0-beta3/a
{
ERR_print_errors(bio_err);
}
diff -up openssl-1.0.0-beta3/apps/s_time.c.default-paths openssl-1.0.0-beta3/apps/s_time.c
--- openssl-1.0.0-beta3/apps/s_time.c.default-paths 2006-04-17 14:22:13.000000000 +0200
+++ openssl-1.0.0-beta3/apps/s_time.c 2009-08-05 18:00:35.000000000 +0200
diff -up openssl-1.0.0-beta4/apps/s_time.c.default-paths openssl-1.0.0-beta4/apps/s_time.c
--- openssl-1.0.0-beta4/apps/s_time.c.default-paths 2006-04-17 14:22:13.000000000 +0200
+++ openssl-1.0.0-beta4/apps/s_time.c 2009-11-12 12:26:32.000000000 +0100
@@ -373,12 +373,13 @@ int MAIN(int argc, char **argv)
SSL_load_error_strings();

View File

@ -0,0 +1,25 @@
Adding struct member is ABI breaker however as the structure is always allocated by
the library calls we just move it to the end and it should be reasonably safe.
diff -up openssl-1.0.0-beta4/ssl/dtls1.h.dtls1-abi openssl-1.0.0-beta4/ssl/dtls1.h
--- openssl-1.0.0-beta4/ssl/dtls1.h.dtls1-abi 2009-11-12 14:34:37.000000000 +0100
+++ openssl-1.0.0-beta4/ssl/dtls1.h 2009-11-12 14:47:57.000000000 +0100
@@ -216,9 +216,6 @@ typedef struct dtls1_state_st
*/
record_pqueue buffered_app_data;
- /* Is set when listening for new connections with dtls1_listen() */
- unsigned int listen;
-
unsigned int mtu; /* max DTLS packet size */
struct hm_header_st w_msg_hdr;
@@ -242,6 +239,9 @@ typedef struct dtls1_state_st
unsigned int retransmitting;
unsigned int change_cipher_spec_ok;
+ /* Is set when listening for new connections with dtls1_listen() */
+ unsigned int listen;
+
} DTLS1_STATE;
typedef struct dtls1_record_data_st

View File

@ -0,0 +1,52 @@
diff -up openssl-1.0.0-beta4/Configure.enginesdir openssl-1.0.0-beta4/Configure
--- openssl-1.0.0-beta4/Configure.enginesdir 2009-11-12 12:17:59.000000000 +0100
+++ openssl-1.0.0-beta4/Configure 2009-11-12 12:19:45.000000000 +0100
@@ -622,6 +622,7 @@ my $idx_multilib = $idx++;
my $prefix="";
my $libdir="";
my $openssldir="";
+my $enginesdir="";
my $exe_ext="";
my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
my $cross_compile_prefix="";
@@ -833,6 +834,10 @@ PROCESS_ARGS:
{
$openssldir=$1;
}
+ elsif (/^--enginesdir=(.*)$/)
+ {
+ $enginesdir=$1;
+ }
elsif (/^--install.prefix=(.*)$/)
{
$install_prefix=$1;
@@ -1055,7 +1060,7 @@ chop $prefix if $prefix =~ /.\/$/;
$openssldir=$prefix . "/ssl" if $openssldir eq "";
$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
-
+$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
print "IsMK1MF=$IsMK1MF\n";
@@ -1676,7 +1681,7 @@ while (<IN>)
# $foo is to become "$prefix/lib$multilib/engines";
# as Makefile.org and engines/Makefile are adapted for
# $multilib suffix.
- my $foo = "$prefix/lib/engines";
+ my $foo = "$enginesdir";
$foo =~ s/\\/\\\\/g;
print OUT "#define ENGINESDIR \"$foo\"\n";
}
diff -up openssl-1.0.0-beta4/engines/Makefile.enginesdir openssl-1.0.0-beta4/engines/Makefile
--- openssl-1.0.0-beta4/engines/Makefile.enginesdir 2009-11-10 02:52:52.000000000 +0100
+++ openssl-1.0.0-beta4/engines/Makefile 2009-11-12 12:23:06.000000000 +0100
@@ -124,7 +124,7 @@ install:
sfx=".so"; \
cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
fi; \
- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
+ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
done; \
fi

View File

@ -1,7 +1,7 @@
diff -up openssl-1.0.0-beta3/Configure.redhat openssl-1.0.0-beta3/Configure
--- openssl-1.0.0-beta3/Configure.redhat 2009-07-08 10:50:52.000000000 +0200
+++ openssl-1.0.0-beta3/Configure 2009-08-04 22:46:59.000000000 +0200
@@ -331,32 +331,32 @@ my %table=(
diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure
--- openssl-1.0.0-beta4/Configure.redhat 2009-11-09 15:11:13.000000000 +0100
+++ openssl-1.0.0-beta4/Configure 2009-11-12 12:15:27.000000000 +0100
@@ -336,32 +336,32 @@ my %table=(
####
# *-generic* is endian-neutral target, but ./config is free to
# throw in -D[BL]_ENDIAN, whichever appropriate...
@ -27,9 +27,9 @@ diff -up openssl-1.0.0-beta3/Configure.redhat openssl-1.0.0-beta3/Configure
+"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-"linux-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+"linux-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
#### SPARC Linux setups
# Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
@ -46,7 +46,7 @@ diff -up openssl-1.0.0-beta3/Configure.redhat openssl-1.0.0-beta3/Configure
#### Alpha Linux with GNU C and Compaq C setups
# Special notes:
# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
@@ -370,8 +370,8 @@ my %table=(
@@ -375,8 +375,8 @@ my %table=(
#
# <appro@fy.chalmers.se>
#

View File

@ -0,0 +1,237 @@
diff -up openssl-1.0.0-beta4/apps/s_cb.c.reneg openssl-1.0.0-beta4/apps/s_cb.c
--- openssl-1.0.0-beta4/apps/s_cb.c.reneg 2009-10-15 20:48:47.000000000 +0200
+++ openssl-1.0.0-beta4/apps/s_cb.c 2009-11-12 15:02:30.000000000 +0100
@@ -669,6 +669,10 @@ void MS_CALLBACK tlsext_cb(SSL *s, int c
extname = "server ticket";
break;
+ case TLSEXT_TYPE_renegotiate:
+ extname = "renegotiate";
+ break;
+
#ifdef TLSEXT_TYPE_opaque_prf_input
case TLSEXT_TYPE_opaque_prf_input:
extname = "opaque PRF input";
diff -up openssl-1.0.0-beta4/apps/s_client.c.reneg openssl-1.0.0-beta4/apps/s_client.c
--- openssl-1.0.0-beta4/apps/s_client.c.reneg 2009-11-12 14:57:48.000000000 +0100
+++ openssl-1.0.0-beta4/apps/s_client.c 2009-11-12 15:01:48.000000000 +0100
@@ -343,6 +343,7 @@ static void sc_usage(void)
BIO_printf(bio_err," -status - request certificate status from server\n");
BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
#endif
+ BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
}
#ifndef OPENSSL_NO_TLSEXT
@@ -657,6 +658,8 @@ int MAIN(int argc, char **argv)
#endif
else if (strcmp(*argv,"-serverpref") == 0)
off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
+ else if (strcmp(*argv,"-legacy_renegotiation") == 0)
+ off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
else if (strcmp(*argv,"-cipher") == 0)
{
if (--argc < 1) goto bad;
diff -up openssl-1.0.0-beta4/apps/s_server.c.reneg openssl-1.0.0-beta4/apps/s_server.c
--- openssl-1.0.0-beta4/apps/s_server.c.reneg 2009-11-12 14:57:48.000000000 +0100
+++ openssl-1.0.0-beta4/apps/s_server.c 2009-11-12 15:01:48.000000000 +0100
@@ -491,6 +491,7 @@ static void sv_usage(void)
BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT2);
BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
+ BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
#endif
}
@@ -1013,6 +1014,8 @@ int MAIN(int argc, char *argv[])
verify_return_error = 1;
else if (strcmp(*argv,"-serverpref") == 0)
{ off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
+ else if (strcmp(*argv,"-legacy_renegotiation") == 0)
+ off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
else if (strcmp(*argv,"-cipher") == 0)
{
if (--argc < 1) goto bad;
diff -up openssl-1.0.0-beta4/ssl/tls1.h.reneg openssl-1.0.0-beta4/ssl/tls1.h
--- openssl-1.0.0-beta4/ssl/tls1.h.reneg 2009-11-12 14:57:47.000000000 +0100
+++ openssl-1.0.0-beta4/ssl/tls1.h 2009-11-12 15:02:30.000000000 +0100
@@ -201,6 +201,9 @@ extern "C" {
# define TLSEXT_TYPE_opaque_prf_input ?? */
#endif
+/* Temporary extension type */
+#define TLSEXT_TYPE_renegotiate 0xff01
+
/* NameType value from RFC 3546 */
#define TLSEXT_NAMETYPE_host_name 0
/* status request value from RFC 3546 */
diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.reneg openssl-1.0.0-beta4/ssl/t1_lib.c
--- openssl-1.0.0-beta4/ssl/t1_lib.c.reneg 2009-11-08 15:36:32.000000000 +0100
+++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-12 15:02:30.000000000 +0100
@@ -315,6 +315,30 @@ unsigned char *ssl_add_clienthello_tlsex
ret+=size_str;
}
+ /* Add the renegotiation option: TODOEKR switch */
+ {
+ int el;
+
+ if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
+ {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return NULL;
+ }
+
+ if((limit - p - 4 - el) < 0) return NULL;
+
+ s2n(TLSEXT_TYPE_renegotiate,ret);
+ s2n(el,ret);
+
+ if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
+ {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return NULL;
+ }
+
+ ret += el;
+ }
+
#ifndef OPENSSL_NO_EC
if (s->tlsext_ecpointformatlist != NULL)
{
@@ -490,6 +514,31 @@ unsigned char *ssl_add_serverhello_tlsex
s2n(TLSEXT_TYPE_server_name,ret);
s2n(0,ret);
}
+
+ if(s->s3->send_connection_binding)
+ {
+ int el;
+
+ if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
+ {
+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return NULL;
+ }
+
+ if((limit - p - 4 - el) < 0) return NULL;
+
+ s2n(TLSEXT_TYPE_renegotiate,ret);
+ s2n(el,ret);
+
+ if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
+ {
+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return NULL;
+ }
+
+ ret += el;
+ }
+
#ifndef OPENSSL_NO_EC
if (s->tlsext_ecpointformatlist != NULL)
{
@@ -574,11 +623,23 @@ int ssl_parse_clienthello_tlsext(SSL *s,
unsigned short size;
unsigned short len;
unsigned char *data = *p;
+ int renegotiate_seen = 0;
+
s->servername_done = 0;
s->tlsext_status_type = -1;
+ s->s3->send_connection_binding = 0;
if (data >= (d+n-2))
+ {
+ if (s->new_session
+ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ {
+ /* We should always see one extension: the renegotiate extension */
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+ return 0;
+ }
return 1;
+ }
n2s(data,len);
if (data > (d+n-len))
@@ -790,6 +851,12 @@ int ssl_parse_clienthello_tlsext(SSL *s,
return 0;
}
}
+ else if (type == TLSEXT_TYPE_renegotiate)
+ {
+ if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
+ return 0;
+ renegotiate_seen = 1;
+ }
else if (type == TLSEXT_TYPE_status_request
&& s->ctx->tlsext_status_cb)
{
@@ -894,6 +961,14 @@ int ssl_parse_clienthello_tlsext(SSL *s,
/* session ticket processed earlier */
data+=size;
}
+
+ if (s->new_session && !renegotiate_seen
+ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ {
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+ return 0;
+ }
+
*p = data;
return 1;
@@ -905,11 +980,22 @@ int ssl_parse_serverhello_tlsext(SSL *s,
unsigned short size;
unsigned short len;
unsigned char *data = *p;
-
int tlsext_servername = 0;
+ int renegotiate_seen = 0;
if (data >= (d+n-2))
+ {
+ /* Because the client does not see any renegotiation during an
+ attack, we must enforce this on all server hellos, even the
+ first */
+ if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ {
+ /* We should always see one extension: the renegotiate extension */
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+ return 0;
+ }
return 1;
+ }
n2s(data,len);
@@ -1025,7 +1111,12 @@ int ssl_parse_serverhello_tlsext(SSL *s,
/* Set flag to expect CertificateStatus message */
s->tlsext_status_expected = 1;
}
-
+ else if (type == TLSEXT_TYPE_renegotiate)
+ {
+ if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
+ return 0;
+ renegotiate_seen = 1;
+ }
data+=size;
}
@@ -1035,6 +1126,13 @@ int ssl_parse_serverhello_tlsext(SSL *s,
return 0;
}
+ if (!renegotiate_seen
+ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ {
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+ return 0;
+ }
+
if (!s->hit && tlsext_servername == 1)
{
if (s->tlsext_hostname)

View File

@ -11,7 +11,7 @@
# 1.0.0 soversion = 10
%define soversion 10
%define beta beta3
%define beta beta4
# Number of threads to spawn when testing some threading fixes.
%define thread_test_threads %{?threads:%{threads}}%{!?threads:1}
@ -23,7 +23,7 @@
Summary: A general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.0.0
Release: 0.10.%{beta}%{?dist}
Release: 0.11.%{beta}%{?dist}
# We remove certain patented algorithms from the openssl source tarball
# with the hobble-openssl script which is included below.
Source: openssl-%{version}-%{beta}-usa.tar.bz2
@ -35,41 +35,32 @@ Source9: opensslconf-new.h
Source10: opensslconf-new-warning.h
Source11: README.FIPS
# Build changes
Patch0: openssl-1.0.0-beta3-redhat.patch
Patch0: openssl-1.0.0-beta4-redhat.patch
Patch1: openssl-1.0.0-beta3-defaults.patch
Patch2: openssl-1.0.0-beta3-krb5.patch
Patch3: openssl-1.0.0-beta3-soversion.patch
Patch4: openssl-1.0.0-beta3-enginesdir.patch
Patch4: openssl-1.0.0-beta4-enginesdir.patch
Patch5: openssl-0.9.8a-no-rpath.patch
Patch6: openssl-0.9.8b-test-use-localhost.patch
# Bug fixes
Patch21: openssl-0.9.8b-aliasing-bug.patch
Patch23: openssl-1.0.0-beta3-default-paths.patch
Patch23: openssl-1.0.0-beta4-default-paths.patch
# Functionality changes
Patch32: openssl-0.9.8g-ia64.patch
Patch33: openssl-0.9.8j-ca-dir.patch
Patch33: openssl-1.0.0-beta4-ca-dir.patch
Patch34: openssl-0.9.6-x509.patch
Patch35: openssl-0.9.8j-version-add-engines.patch
Patch38: openssl-1.0.0-beta3-cipher-change.patch
Patch39: openssl-1.0.0-beta3-ipv6-apps.patch
Patch40: openssl-1.0.0-beta3-fips.patch
Patch40: openssl-1.0.0-beta4-fips.patch
Patch41: openssl-1.0.0-beta3-fipscheck.patch
Patch43: openssl-1.0.0-beta3-fipsmode.patch
Patch44: openssl-1.0.0-beta3-fipsrng.patch
Patch45: openssl-0.9.8j-env-nozlib.patch
Patch47: openssl-0.9.8j-readme-warning.patch
Patch48: openssl-0.9.8j-bad-mime.patch
Patch49: openssl-0.9.8k-algo-doc.patch
Patch50: openssl-1.0.0-beta3-curl.patch
Patch51: openssl-1.0.0-beta3-const.patch
Patch52: openssl-1.0.0-beta3-dss1.patch
Patch49: openssl-1.0.0-beta4-algo-doc.patch
Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
# Backported fixes including security fixes
Patch60: openssl-1.0.0-beta3-namingstr.patch
Patch61: openssl-1.0.0-beta3-namingblk.patch
Patch62: openssl-1.0.0-beta3-camellia-rounds.patch
Patch63: openssl-1.0.0-beta3-dtls1-fix.patch
Patch64: openssl-1.0.0-beta3-ssl-session.patch
Patch65: openssl-1.0.0-beta3-ssl-free.patch
Patch60: openssl-1.0.0-beta4-reneg.patch
License: OpenSSL
Group: System Environment/Libraries
@ -124,14 +115,11 @@ from other formats to the formats used by the OpenSSL toolkit.
%{SOURCE1} > /dev/null
%patch0 -p1 -b .redhat
%patch1 -p1 -b .defaults
# Fix link line for libssl (bug #111154).
%patch2 -p1 -b .krb5
%patch3 -p1 -b .soversion
%patch4 -p1 -b .enginesdir
%patch5 -p1 -b .no-rpath
%patch6 -p1 -b .use-localhost
%patch21 -p1 -b .aliasing-bug
%patch23 -p1 -b .default-paths
%patch32 -p1 -b .ia64
@ -148,15 +136,9 @@ from other formats to the formats used by the OpenSSL toolkit.
%patch47 -p1 -b .warning
%patch48 -p1 -b .bad-mime
%patch49 -p1 -b .algo-doc
%patch50 -p1 -b .curl
%patch51 -p1 -b .const
%patch52 -p1 -b .dss1
%patch60 -p1 -b .namingstr
%patch61 -p1 -b .namingblk
%patch62 -p1 -b .cmll-rounds
%patch63 -p1 -b .dtls1-fix
%patch64 -p1 -b .ssl-session
%patch65 -p1 -b .ssl-free
%patch50 -p1 -b .dtls1-abi
%patch60 -p1 -b .reneg
# Modify the various perl scripts to reference perl in the right location.
perl util/perlpath.pl `dirname %{__perl}`
@ -405,6 +387,12 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun -p /sbin/ldconfig
%changelog
* Thu Nov 12 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.11.beta4
- update to new upstream version, no soname bump needed
- fix CVE-2009-3555 - note that the fix is bypassed if SSL_OP_ALL is used
so the compatibility with unfixed clients is not broken. The
protocol extension is also not final.
* Fri Oct 16 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.10.beta3
- fix use of freed memory if SSL_CTX_free() is called before
SSL_free() (#521342)

View File

@ -1 +1 @@
9926dcf78e797a12d8e3ffd7a018824b openssl-1.0.0-beta3-usa.tar.bz2
1fc0e41c230d0698f834413dfba864ad openssl-1.0.0-beta4-usa.tar.bz2