- update to final 1.0.0 upstream release
This commit is contained in:
Tomáš Mráz
parent
e8799f082e
commit
b825afeee6
|
|
@ -1 +1 @@
|
||||||
openssl-1.0.0-beta4-usa.tar.bz2
|
openssl-1.0.0-usa.tar.bz2
|
||||||
|
|
|
||||||
File diff suppressed because it is too large
Load Diff
|
|
@ -1,45 +0,0 @@
|
||||||
diff -up openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c.backports openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c
|
|
||||||
--- openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c.backports 2008-11-12 04:57:49.000000000 +0100
|
|
||||||
+++ openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c 2009-11-18 14:11:14.000000000 +0100
|
|
||||||
@@ -87,9 +87,13 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PK
|
|
||||||
}
|
|
||||||
else ret= *a;
|
|
||||||
|
|
||||||
- ret->save_type=type;
|
|
||||||
- ret->type=EVP_PKEY_type(type);
|
|
||||||
- switch (ret->type)
|
|
||||||
+ if (!EVP_PKEY_set_type(ret, type))
|
|
||||||
+ {
|
|
||||||
+ ASN1err(ASN1_F_D2I_PUBLICKEY,ERR_R_EVP_LIB);
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ switch (EVP_PKEY_id(ret))
|
|
||||||
{
|
|
||||||
#ifndef OPENSSL_NO_RSA
|
|
||||||
case EVP_PKEY_RSA:
|
|
||||||
diff -up openssl-1.0.0-beta4/crypto/evp/p_lib.c.backports openssl-1.0.0-beta4/crypto/evp/p_lib.c
|
|
||||||
--- openssl-1.0.0-beta4/crypto/evp/p_lib.c.backports 2006-07-04 22:27:44.000000000 +0200
|
|
||||||
+++ openssl-1.0.0-beta4/crypto/evp/p_lib.c 2009-11-18 14:11:26.000000000 +0100
|
|
||||||
@@ -220,7 +220,10 @@ static int pkey_set_type(EVP_PKEY *pkey,
|
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
/* If we have an ENGINE release it */
|
|
||||||
if (pkey->engine)
|
|
||||||
+ {
|
|
||||||
ENGINE_finish(pkey->engine);
|
|
||||||
+ pkey->engine = NULL;
|
|
||||||
+ }
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
if (str)
|
|
||||||
diff -up openssl-1.0.0-beta4/crypto/x509/x509_vfy.c.backports openssl-1.0.0-beta4/crypto/x509/x509_vfy.c
|
|
||||||
--- openssl-1.0.0-beta4/crypto/x509/x509_vfy.c.backports 2009-10-31 20:21:47.000000000 +0100
|
|
||||||
+++ openssl-1.0.0-beta4/crypto/x509/x509_vfy.c 2009-11-18 14:11:31.000000000 +0100
|
|
||||||
@@ -1727,6 +1727,7 @@ int X509_cmp_time(const ASN1_TIME *ctm,
|
|
||||||
offset= -offset;
|
|
||||||
}
|
|
||||||
atm.type=ctm->type;
|
|
||||||
+ atm.flags = 0;
|
|
||||||
atm.length=sizeof(buff2);
|
|
||||||
atm.data=(unsigned char *)buff2;
|
|
||||||
|
|
||||||
|
|
@ -1,56 +0,0 @@
|
||||||
diff -up openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl.binutils openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl
|
|
||||||
--- openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl.binutils 2009-11-12 15:17:29.000000000 +0100
|
|
||||||
+++ openssl-1.0.0-beta4/crypto/md5/asm/md5-x86_64.pl 2009-11-12 17:26:08.000000000 +0100
|
|
||||||
@@ -19,6 +19,7 @@ my $code;
|
|
||||||
sub round1_step
|
|
||||||
{
|
|
||||||
my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_;
|
|
||||||
+ $T_i = unpack("l",pack("l", hex($T_i))); # convert to 32-bit signed decimal
|
|
||||||
$code .= " mov 0*4(%rsi), %r10d /* (NEXT STEP) X[0] */\n" if ($pos == -1);
|
|
||||||
$code .= " mov %edx, %r11d /* (NEXT STEP) z' = %edx */\n" if ($pos == -1);
|
|
||||||
$code .= <<EOF;
|
|
||||||
@@ -43,6 +44,7 @@ EOF
|
|
||||||
sub round2_step
|
|
||||||
{
|
|
||||||
my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_;
|
|
||||||
+ $T_i = unpack("l",pack("l", hex($T_i))); # convert to 32-bit signed decimal
|
|
||||||
$code .= " mov 1*4(%rsi), %r10d /* (NEXT STEP) X[1] */\n" if ($pos == -1);
|
|
||||||
$code .= " mov %edx, %r11d /* (NEXT STEP) z' = %edx */\n" if ($pos == -1);
|
|
||||||
$code .= " mov %edx, %r12d /* (NEXT STEP) z' = %edx */\n" if ($pos == -1);
|
|
||||||
@@ -69,6 +71,7 @@ EOF
|
|
||||||
sub round3_step
|
|
||||||
{
|
|
||||||
my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_;
|
|
||||||
+ $T_i = unpack("l",pack("l", hex($T_i))); # convert to 32-bit signed decimal
|
|
||||||
$code .= " mov 5*4(%rsi), %r10d /* (NEXT STEP) X[5] */\n" if ($pos == -1);
|
|
||||||
$code .= " mov %ecx, %r11d /* (NEXT STEP) y' = %ecx */\n" if ($pos == -1);
|
|
||||||
$code .= <<EOF;
|
|
||||||
@@ -91,6 +94,7 @@ EOF
|
|
||||||
sub round4_step
|
|
||||||
{
|
|
||||||
my ($pos, $dst, $x, $y, $z, $k_next, $T_i, $s) = @_;
|
|
||||||
+ $T_i = unpack("l",pack("l", hex($T_i))); # convert to 32-bit signed decimal
|
|
||||||
$code .= " mov 0*4(%rsi), %r10d /* (NEXT STEP) X[0] */\n" if ($pos == -1);
|
|
||||||
$code .= " mov \$0xffffffff, %r11d\n" if ($pos == -1);
|
|
||||||
$code .= " xor %edx, %r11d /* (NEXT STEP) not z' = not %edx*/\n"
|
|
||||||
diff -up openssl-1.0.0-beta4/crypto/sha/asm/sha1-x86_64.pl.binutils openssl-1.0.0-beta4/crypto/sha/asm/sha1-x86_64.pl
|
|
||||||
--- openssl-1.0.0-beta4/crypto/sha/asm/sha1-x86_64.pl.binutils 2009-11-12 15:17:29.000000000 +0100
|
|
||||||
+++ openssl-1.0.0-beta4/crypto/sha/asm/sha1-x86_64.pl 2009-11-12 17:24:18.000000000 +0100
|
|
||||||
@@ -150,7 +150,7 @@ ___
|
|
||||||
sub BODY_20_39 {
|
|
||||||
my ($i,$a,$b,$c,$d,$e,$f)=@_;
|
|
||||||
my $j=$i+1;
|
|
||||||
-my $K=($i<40)?0x6ed9eba1:0xca62c1d6;
|
|
||||||
+my $K=($i<40)?0x6ed9eba1:-0x359d3e2a;
|
|
||||||
$code.=<<___ if ($i<79);
|
|
||||||
lea $K($xi,$e),$f
|
|
||||||
mov `4*($j%16)`(%rsp),$xi
|
|
||||||
@@ -187,7 +187,7 @@ sub BODY_40_59 {
|
|
||||||
my ($i,$a,$b,$c,$d,$e,$f)=@_;
|
|
||||||
my $j=$i+1;
|
|
||||||
$code.=<<___;
|
|
||||||
- lea 0x8f1bbcdc($xi,$e),$f
|
|
||||||
+ lea -0x70e44324($xi,$e),$f
|
|
||||||
mov `4*($j%16)`(%rsp),$xi
|
|
||||||
mov $b,$t0
|
|
||||||
mov $b,$t1
|
|
||||||
|
|
@ -1,35 +0,0 @@
|
||||||
Do not enforce the renegotiation extension on the client - too many broken servers remain.
|
|
||||||
diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.client-reneg openssl-1.0.0-beta4/ssl/t1_lib.c
|
|
||||||
--- openssl-1.0.0-beta4/ssl/t1_lib.c.client-reneg 2009-11-12 15:17:29.000000000 +0100
|
|
||||||
+++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-18 14:04:19.000000000 +0100
|
|
||||||
@@ -985,6 +985,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
|
|
||||||
|
|
||||||
if (data >= (d+n-2))
|
|
||||||
{
|
|
||||||
+#if 0
|
|
||||||
/* Because the client does not see any renegotiation during an
|
|
||||||
attack, we must enforce this on all server hellos, even the
|
|
||||||
first */
|
|
||||||
@@ -994,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
|
|
||||||
*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
+#endif
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1126,12 +1128,14 @@ int ssl_parse_serverhello_tlsext(SSL *s,
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#if 0
|
|
||||||
if (!renegotiate_seen
|
|
||||||
&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
|
|
||||||
{
|
|
||||||
*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
if (!s->hit && tlsext_servername == 1)
|
|
||||||
{
|
|
||||||
|
|
@ -1,219 +0,0 @@
|
||||||
diff -up openssl-1.0.0-beta4/crypto/bio/b_sock.c.dtls-ipv6 openssl-1.0.0-beta4/crypto/bio/b_sock.c
|
|
||||||
--- openssl-1.0.0-beta4/crypto/bio/b_sock.c.dtls-ipv6 2009-11-09 15:09:53.000000000 +0100
|
|
||||||
+++ openssl-1.0.0-beta4/crypto/bio/b_sock.c 2009-11-23 08:50:45.000000000 +0100
|
|
||||||
@@ -822,7 +822,8 @@ int BIO_accept(int sock, char **addr)
|
|
||||||
if (sizeof(sa.len.i)!=sizeof(sa.len.s) && sa.len.i==0)
|
|
||||||
{
|
|
||||||
OPENSSL_assert(sa.len.s<=sizeof(sa.from));
|
|
||||||
- sa.len.i = (unsigned int)sa.len.s;
|
|
||||||
+ sa.len.i = (int)sa.len.s;
|
|
||||||
+ /* use sa.len.i from this point */
|
|
||||||
}
|
|
||||||
if (ret == INVALID_SOCKET)
|
|
||||||
{
|
|
||||||
diff -up openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.dtls-ipv6 openssl-1.0.0-beta4/crypto/bio/bss_dgram.c
|
|
||||||
--- openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.dtls-ipv6 2009-10-15 19:41:44.000000000 +0200
|
|
||||||
+++ openssl-1.0.0-beta4/crypto/bio/bss_dgram.c 2009-11-23 08:50:45.000000000 +0100
|
|
||||||
@@ -108,11 +108,13 @@ static BIO_METHOD methods_dgramp=
|
|
||||||
|
|
||||||
typedef struct bio_dgram_data_st
|
|
||||||
{
|
|
||||||
+ union {
|
|
||||||
+ struct sockaddr sa;
|
|
||||||
+ struct sockaddr_in sa_in;
|
|
||||||
#if OPENSSL_USE_IPV6
|
|
||||||
- struct sockaddr_storage peer;
|
|
||||||
-#else
|
|
||||||
- struct sockaddr_in peer;
|
|
||||||
+ struct sockaddr_in6 sa_in6;
|
|
||||||
#endif
|
|
||||||
+ } peer;
|
|
||||||
unsigned int connected;
|
|
||||||
unsigned int _errno;
|
|
||||||
unsigned int mtu;
|
|
||||||
@@ -278,28 +280,38 @@ static int dgram_read(BIO *b, char *out,
|
|
||||||
int ret=0;
|
|
||||||
bio_dgram_data *data = (bio_dgram_data *)b->ptr;
|
|
||||||
|
|
||||||
+ struct {
|
|
||||||
+ /*
|
|
||||||
+ * See commentary in b_sock.c. <appro>
|
|
||||||
+ */
|
|
||||||
+ union { size_t s; int i; } len;
|
|
||||||
+ union {
|
|
||||||
+ struct sockaddr sa;
|
|
||||||
+ struct sockaddr_in sa_in;
|
|
||||||
#if OPENSSL_USE_IPV6
|
|
||||||
- struct sockaddr_storage peer;
|
|
||||||
-#else
|
|
||||||
- struct sockaddr_in peer;
|
|
||||||
+ struct sockaddr_in6 sa_in6;
|
|
||||||
#endif
|
|
||||||
- int peerlen = sizeof(peer);
|
|
||||||
+ } peer;
|
|
||||||
+ } sa;
|
|
||||||
+
|
|
||||||
+ sa.len.s=0;
|
|
||||||
+ sa.len.i=sizeof(sa.peer);
|
|
||||||
|
|
||||||
if (out != NULL)
|
|
||||||
{
|
|
||||||
clear_socket_error();
|
|
||||||
- memset(&peer, 0x00, peerlen);
|
|
||||||
- /* Last arg in recvfrom is signed on some platforms and
|
|
||||||
- * unsigned on others. It is of type socklen_t on some
|
|
||||||
- * but this is not universal. Cast to (void *) to avoid
|
|
||||||
- * compiler warnings.
|
|
||||||
- */
|
|
||||||
+ memset(&sa.peer, 0x00, sizeof(sa.peer));
|
|
||||||
dgram_adjust_rcv_timeout(b);
|
|
||||||
- ret=recvfrom(b->num,out,outl,0,(struct sockaddr *)&peer,(void *)&peerlen);
|
|
||||||
+ ret=recvfrom(b->num,out,outl,0,&sa.peer.sa,(void *)&sa.len);
|
|
||||||
+ if (sizeof(sa.len.i)!=sizeof(sa.len.s) && sa.len.i==0)
|
|
||||||
+ {
|
|
||||||
+ OPENSSL_assert(sa.len.s<=sizeof(sa.peer));
|
|
||||||
+ sa.len.i = (int)sa.len.s;
|
|
||||||
+ }
|
|
||||||
dgram_reset_rcv_timeout(b);
|
|
||||||
|
|
||||||
if ( ! data->connected && ret >= 0)
|
|
||||||
- BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &peer);
|
|
||||||
+ BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &sa.peer);
|
|
||||||
|
|
||||||
BIO_clear_retry_flags(b);
|
|
||||||
if (ret < 0)
|
|
||||||
@@ -323,25 +335,10 @@ static int dgram_write(BIO *b, const cha
|
|
||||||
if ( data->connected )
|
|
||||||
ret=writesocket(b->num,in,inl);
|
|
||||||
else
|
|
||||||
-#if OPENSSL_USE_IPV6
|
|
||||||
- if (data->peer.ss_family == AF_INET)
|
|
||||||
#if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK)
|
|
||||||
- ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in));
|
|
||||||
+ ret=sendto(b->num, (char *)in, inl, 0, &data->peer.sa, sizeof(data->peer));
|
|
||||||
#else
|
|
||||||
- ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in));
|
|
||||||
-#endif
|
|
||||||
- else
|
|
||||||
-#if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK)
|
|
||||||
- ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in6));
|
|
||||||
-#else
|
|
||||||
- ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in6));
|
|
||||||
-#endif
|
|
||||||
-#else
|
|
||||||
-#if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK)
|
|
||||||
- ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in));
|
|
||||||
-#else
|
|
||||||
- ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in));
|
|
||||||
-#endif
|
|
||||||
+ ret=sendto(b->num, in, inl, 0, &data->peer.sa, sizeof(data->peer));
|
|
||||||
#endif
|
|
||||||
|
|
||||||
BIO_clear_retry_flags(b);
|
|
||||||
@@ -428,11 +425,20 @@ static long dgram_ctrl(BIO *b, int cmd,
|
|
||||||
else
|
|
||||||
{
|
|
||||||
#endif
|
|
||||||
+ switch (to->sa_family)
|
|
||||||
+ {
|
|
||||||
+ case AF_INET:
|
|
||||||
+ memcpy(&data->peer,to,sizeof(data->peer.sa_in));
|
|
||||||
+ break;
|
|
||||||
#if OPENSSL_USE_IPV6
|
|
||||||
- memcpy(&(data->peer),to, sizeof(struct sockaddr_storage));
|
|
||||||
-#else
|
|
||||||
- memcpy(&(data->peer),to, sizeof(struct sockaddr_in));
|
|
||||||
-#endif
|
|
||||||
+ case AF_INET6:
|
|
||||||
+ memcpy(&data->peer,to,sizeof(data->peer.sa_in6));
|
|
||||||
+ break;
|
|
||||||
+#endif
|
|
||||||
+ default:
|
|
||||||
+ memcpy(&data->peer,to,sizeof(data->peer.sa));
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
#if 0
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
@@ -537,41 +543,60 @@ static long dgram_ctrl(BIO *b, int cmd,
|
|
||||||
if ( to != NULL)
|
|
||||||
{
|
|
||||||
data->connected = 1;
|
|
||||||
+ switch (to->sa_family)
|
|
||||||
+ {
|
|
||||||
+ case AF_INET:
|
|
||||||
+ memcpy(&data->peer,to,sizeof(data->peer.sa_in));
|
|
||||||
+ break;
|
|
||||||
#if OPENSSL_USE_IPV6
|
|
||||||
- memcpy(&(data->peer),to, sizeof(struct sockaddr_storage));
|
|
||||||
-#else
|
|
||||||
- memcpy(&(data->peer),to, sizeof(struct sockaddr_in));
|
|
||||||
-#endif
|
|
||||||
+ case AF_INET6:
|
|
||||||
+ memcpy(&data->peer,to,sizeof(data->peer.sa_in6));
|
|
||||||
+ break;
|
|
||||||
+#endif
|
|
||||||
+ default:
|
|
||||||
+ memcpy(&data->peer,to,sizeof(data->peer.sa));
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
data->connected = 0;
|
|
||||||
-#if OPENSSL_USE_IPV6
|
|
||||||
- memset(&(data->peer), 0x00, sizeof(struct sockaddr_storage));
|
|
||||||
-#else
|
|
||||||
- memset(&(data->peer), 0x00, sizeof(struct sockaddr_in));
|
|
||||||
-#endif
|
|
||||||
+ memset(&(data->peer), 0x00, sizeof(data->peer));
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
case BIO_CTRL_DGRAM_GET_PEER:
|
|
||||||
to = (struct sockaddr *) ptr;
|
|
||||||
-
|
|
||||||
+ switch (to->sa_family)
|
|
||||||
+ {
|
|
||||||
+ case AF_INET:
|
|
||||||
+ memcpy(to,&data->peer,(ret=sizeof(data->peer.sa_in)));
|
|
||||||
+ break;
|
|
||||||
#if OPENSSL_USE_IPV6
|
|
||||||
- memcpy(to, &(data->peer), sizeof(struct sockaddr_storage));
|
|
||||||
- ret = sizeof(struct sockaddr_storage);
|
|
||||||
-#else
|
|
||||||
- memcpy(to, &(data->peer), sizeof(struct sockaddr_in));
|
|
||||||
- ret = sizeof(struct sockaddr_in);
|
|
||||||
-#endif
|
|
||||||
+ case AF_INET6:
|
|
||||||
+ memcpy(to,&data->peer,(ret=sizeof(data->peer.sa_in6)));
|
|
||||||
+ break;
|
|
||||||
+#endif
|
|
||||||
+ default:
|
|
||||||
+ memcpy(to,&data->peer,(ret=sizeof(data->peer.sa)));
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
break;
|
|
||||||
case BIO_CTRL_DGRAM_SET_PEER:
|
|
||||||
to = (struct sockaddr *) ptr;
|
|
||||||
-
|
|
||||||
+ switch (to->sa_family)
|
|
||||||
+ {
|
|
||||||
+ case AF_INET:
|
|
||||||
+ memcpy(&data->peer,to,sizeof(data->peer.sa_in));
|
|
||||||
+ break;
|
|
||||||
#if OPENSSL_USE_IPV6
|
|
||||||
- memcpy(&(data->peer), to, sizeof(struct sockaddr_storage));
|
|
||||||
-#else
|
|
||||||
- memcpy(&(data->peer), to, sizeof(struct sockaddr_in));
|
|
||||||
-#endif
|
|
||||||
+ case AF_INET6:
|
|
||||||
+ memcpy(&data->peer,to,sizeof(data->peer.sa_in6));
|
|
||||||
+ break;
|
|
||||||
+#endif
|
|
||||||
+ default:
|
|
||||||
+ memcpy(&data->peer,to,sizeof(data->peer.sa));
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
break;
|
|
||||||
case BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT:
|
|
||||||
memcpy(&(data->next_timeout), ptr, sizeof(struct timeval));
|
|
||||||
|
|
@ -22,7 +22,7 @@ diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure
|
||||||
-"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
-"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||||
-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
+"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):\$(SHLIB_SONAMEVER)",
|
+"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
+"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
+"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||||
+"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
+"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
|
|
|
||||||
|
|
@ -1,93 +0,0 @@
|
||||||
Better error reporting for unsafe renegotiation.
|
|
||||||
diff -up openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err openssl-1.0.0-beta4/ssl/ssl_err.c
|
|
||||||
--- openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err 2009-11-09 19:45:42.000000000 +0100
|
|
||||||
+++ openssl-1.0.0-beta4/ssl/ssl_err.c 2009-11-20 17:56:57.000000000 +0100
|
|
||||||
@@ -226,7 +226,9 @@ static ERR_STRING_DATA SSL_str_functs[]=
|
|
||||||
{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"},
|
|
||||||
{ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"},
|
|
||||||
{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"},
|
|
||||||
+{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT), "SSL_PARSE_CLIENTHELLO_TLSEXT"},
|
|
||||||
{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"},
|
|
||||||
+{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT), "SSL_PARSE_SERVERHELLO_TLSEXT"},
|
|
||||||
{ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"},
|
|
||||||
{ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT), "SSL_PREPARE_CLIENTHELLO_TLSEXT"},
|
|
||||||
{ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT), "SSL_PREPARE_SERVERHELLO_TLSEXT"},
|
|
||||||
@@ -526,6 +528,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
|
|
||||||
{ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
|
|
||||||
{ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION) ,"unknown ssl version"},
|
|
||||||
{ERR_REASON(SSL_R_UNKNOWN_STATE) ,"unknown state"},
|
|
||||||
+{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"},
|
|
||||||
{ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"},
|
|
||||||
{ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
|
|
||||||
{ERR_REASON(SSL_R_UNSUPPORTED_DIGEST_TYPE),"unsupported digest type"},
|
|
||||||
diff -up openssl-1.0.0-beta4/ssl/ssl.h.reneg-err openssl-1.0.0-beta4/ssl/ssl.h
|
|
||||||
--- openssl-1.0.0-beta4/ssl/ssl.h.reneg-err 2009-11-12 15:17:29.000000000 +0100
|
|
||||||
+++ openssl-1.0.0-beta4/ssl/ssl.h 2009-11-20 17:56:57.000000000 +0100
|
|
||||||
@@ -1934,7 +1934,9 @@ void ERR_load_SSL_strings(void);
|
|
||||||
#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
|
|
||||||
#define SSL_F_SSL_NEW 186
|
|
||||||
#define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 300
|
|
||||||
+#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 302
|
|
||||||
#define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 301
|
|
||||||
+#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 303
|
|
||||||
#define SSL_F_SSL_PEEK 270
|
|
||||||
#define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT 281
|
|
||||||
#define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT 282
|
|
||||||
@@ -2231,6 +2233,7 @@ void ERR_load_SSL_strings(void);
|
|
||||||
#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253
|
|
||||||
#define SSL_R_UNKNOWN_SSL_VERSION 254
|
|
||||||
#define SSL_R_UNKNOWN_STATE 255
|
|
||||||
+#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 338
|
|
||||||
#define SSL_R_UNSUPPORTED_CIPHER 256
|
|
||||||
#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257
|
|
||||||
#define SSL_R_UNSUPPORTED_DIGEST_TYPE 326
|
|
||||||
diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err openssl-1.0.0-beta4/ssl/s23_srvr.c
|
|
||||||
--- openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err 2009-11-12 15:17:29.000000000 +0100
|
|
||||||
+++ openssl-1.0.0-beta4/ssl/s23_srvr.c 2009-11-20 17:57:23.000000000 +0100
|
|
||||||
@@ -497,6 +497,11 @@ int ssl23_get_client_hello(SSL *s)
|
|
||||||
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
|
|
||||||
goto err;
|
|
||||||
#else
|
|
||||||
+ if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
|
|
||||||
+ {
|
|
||||||
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
/* we are talking sslv2 */
|
|
||||||
/* we need to clean up the SSLv3/TLSv1 setup and put in the
|
|
||||||
* sslv2 stuff. */
|
|
||||||
diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err openssl-1.0.0-beta4/ssl/t1_lib.c
|
|
||||||
--- openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err 2009-11-18 14:04:19.000000000 +0100
|
|
||||||
+++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-20 17:56:57.000000000 +0100
|
|
||||||
@@ -636,6 +636,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
|
|
||||||
{
|
|
||||||
/* We should always see one extension: the renegotiate extension */
|
|
||||||
*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
|
||||||
+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
return 1;
|
|
||||||
@@ -965,6 +966,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
|
|
||||||
if (s->new_session && !renegotiate_seen
|
|
||||||
&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
|
|
||||||
{
|
|
||||||
+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
|
|
||||||
*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
@@ -993,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
|
|
||||||
{
|
|
||||||
/* We should always see one extension: the renegotiate extension */
|
|
||||||
*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
|
||||||
+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
@@ -1133,6 +1136,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
|
|
||||||
&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
|
|
||||||
{
|
|
||||||
*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
|
||||||
+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
@ -1,237 +0,0 @@
|
||||||
diff -up openssl-1.0.0-beta4/apps/s_cb.c.reneg openssl-1.0.0-beta4/apps/s_cb.c
|
|
||||||
--- openssl-1.0.0-beta4/apps/s_cb.c.reneg 2009-10-15 20:48:47.000000000 +0200
|
|
||||||
+++ openssl-1.0.0-beta4/apps/s_cb.c 2009-11-12 15:02:30.000000000 +0100
|
|
||||||
@@ -669,6 +669,10 @@ void MS_CALLBACK tlsext_cb(SSL *s, int c
|
|
||||||
extname = "server ticket";
|
|
||||||
break;
|
|
||||||
|
|
||||||
+ case TLSEXT_TYPE_renegotiate:
|
|
||||||
+ extname = "renegotiate";
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
#ifdef TLSEXT_TYPE_opaque_prf_input
|
|
||||||
case TLSEXT_TYPE_opaque_prf_input:
|
|
||||||
extname = "opaque PRF input";
|
|
||||||
diff -up openssl-1.0.0-beta4/apps/s_client.c.reneg openssl-1.0.0-beta4/apps/s_client.c
|
|
||||||
--- openssl-1.0.0-beta4/apps/s_client.c.reneg 2009-11-12 14:57:48.000000000 +0100
|
|
||||||
+++ openssl-1.0.0-beta4/apps/s_client.c 2009-11-12 15:01:48.000000000 +0100
|
|
||||||
@@ -343,6 +343,7 @@ static void sc_usage(void)
|
|
||||||
BIO_printf(bio_err," -status - request certificate status from server\n");
|
|
||||||
BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
|
|
||||||
#endif
|
|
||||||
+ BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_TLSEXT
|
|
||||||
@@ -657,6 +658,8 @@ int MAIN(int argc, char **argv)
|
|
||||||
#endif
|
|
||||||
else if (strcmp(*argv,"-serverpref") == 0)
|
|
||||||
off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
|
|
||||||
+ else if (strcmp(*argv,"-legacy_renegotiation") == 0)
|
|
||||||
+ off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
|
|
||||||
else if (strcmp(*argv,"-cipher") == 0)
|
|
||||||
{
|
|
||||||
if (--argc < 1) goto bad;
|
|
||||||
diff -up openssl-1.0.0-beta4/apps/s_server.c.reneg openssl-1.0.0-beta4/apps/s_server.c
|
|
||||||
--- openssl-1.0.0-beta4/apps/s_server.c.reneg 2009-11-12 14:57:48.000000000 +0100
|
|
||||||
+++ openssl-1.0.0-beta4/apps/s_server.c 2009-11-12 15:01:48.000000000 +0100
|
|
||||||
@@ -491,6 +491,7 @@ static void sv_usage(void)
|
|
||||||
BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT2);
|
|
||||||
BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
|
|
||||||
BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
|
|
||||||
+ BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1013,6 +1014,8 @@ int MAIN(int argc, char *argv[])
|
|
||||||
verify_return_error = 1;
|
|
||||||
else if (strcmp(*argv,"-serverpref") == 0)
|
|
||||||
{ off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
|
|
||||||
+ else if (strcmp(*argv,"-legacy_renegotiation") == 0)
|
|
||||||
+ off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
|
|
||||||
else if (strcmp(*argv,"-cipher") == 0)
|
|
||||||
{
|
|
||||||
if (--argc < 1) goto bad;
|
|
||||||
diff -up openssl-1.0.0-beta4/ssl/tls1.h.reneg openssl-1.0.0-beta4/ssl/tls1.h
|
|
||||||
--- openssl-1.0.0-beta4/ssl/tls1.h.reneg 2009-11-12 14:57:47.000000000 +0100
|
|
||||||
+++ openssl-1.0.0-beta4/ssl/tls1.h 2009-11-12 15:02:30.000000000 +0100
|
|
||||||
@@ -201,6 +201,9 @@ extern "C" {
|
|
||||||
# define TLSEXT_TYPE_opaque_prf_input ?? */
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+/* Temporary extension type */
|
|
||||||
+#define TLSEXT_TYPE_renegotiate 0xff01
|
|
||||||
+
|
|
||||||
/* NameType value from RFC 3546 */
|
|
||||||
#define TLSEXT_NAMETYPE_host_name 0
|
|
||||||
/* status request value from RFC 3546 */
|
|
||||||
diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.reneg openssl-1.0.0-beta4/ssl/t1_lib.c
|
|
||||||
--- openssl-1.0.0-beta4/ssl/t1_lib.c.reneg 2009-11-08 15:36:32.000000000 +0100
|
|
||||||
+++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-12 15:02:30.000000000 +0100
|
|
||||||
@@ -315,6 +315,30 @@ unsigned char *ssl_add_clienthello_tlsex
|
|
||||||
ret+=size_str;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* Add the renegotiation option: TODOEKR switch */
|
|
||||||
+ {
|
|
||||||
+ int el;
|
|
||||||
+
|
|
||||||
+ if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
|
|
||||||
+ {
|
|
||||||
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if((limit - p - 4 - el) < 0) return NULL;
|
|
||||||
+
|
|
||||||
+ s2n(TLSEXT_TYPE_renegotiate,ret);
|
|
||||||
+ s2n(el,ret);
|
|
||||||
+
|
|
||||||
+ if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
|
|
||||||
+ {
|
|
||||||
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret += el;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
#ifndef OPENSSL_NO_EC
|
|
||||||
if (s->tlsext_ecpointformatlist != NULL)
|
|
||||||
{
|
|
||||||
@@ -490,6 +514,31 @@ unsigned char *ssl_add_serverhello_tlsex
|
|
||||||
s2n(TLSEXT_TYPE_server_name,ret);
|
|
||||||
s2n(0,ret);
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ if(s->s3->send_connection_binding)
|
|
||||||
+ {
|
|
||||||
+ int el;
|
|
||||||
+
|
|
||||||
+ if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
|
|
||||||
+ {
|
|
||||||
+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if((limit - p - 4 - el) < 0) return NULL;
|
|
||||||
+
|
|
||||||
+ s2n(TLSEXT_TYPE_renegotiate,ret);
|
|
||||||
+ s2n(el,ret);
|
|
||||||
+
|
|
||||||
+ if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
|
|
||||||
+ {
|
|
||||||
+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret += el;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
#ifndef OPENSSL_NO_EC
|
|
||||||
if (s->tlsext_ecpointformatlist != NULL)
|
|
||||||
{
|
|
||||||
@@ -574,11 +623,23 @@ int ssl_parse_clienthello_tlsext(SSL *s,
|
|
||||||
unsigned short size;
|
|
||||||
unsigned short len;
|
|
||||||
unsigned char *data = *p;
|
|
||||||
+ int renegotiate_seen = 0;
|
|
||||||
+
|
|
||||||
s->servername_done = 0;
|
|
||||||
s->tlsext_status_type = -1;
|
|
||||||
+ s->s3->send_connection_binding = 0;
|
|
||||||
|
|
||||||
if (data >= (d+n-2))
|
|
||||||
+ {
|
|
||||||
+ if (s->new_session
|
|
||||||
+ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
|
|
||||||
+ {
|
|
||||||
+ /* We should always see one extension: the renegotiate extension */
|
|
||||||
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
return 1;
|
|
||||||
+ }
|
|
||||||
n2s(data,len);
|
|
||||||
|
|
||||||
if (data > (d+n-len))
|
|
||||||
@@ -790,6 +851,12 @@ int ssl_parse_clienthello_tlsext(SSL *s,
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+ else if (type == TLSEXT_TYPE_renegotiate)
|
|
||||||
+ {
|
|
||||||
+ if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
|
|
||||||
+ return 0;
|
|
||||||
+ renegotiate_seen = 1;
|
|
||||||
+ }
|
|
||||||
else if (type == TLSEXT_TYPE_status_request
|
|
||||||
&& s->ctx->tlsext_status_cb)
|
|
||||||
{
|
|
||||||
@@ -894,6 +961,14 @@ int ssl_parse_clienthello_tlsext(SSL *s,
|
|
||||||
/* session ticket processed earlier */
|
|
||||||
data+=size;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ if (s->new_session && !renegotiate_seen
|
|
||||||
+ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
|
|
||||||
+ {
|
|
||||||
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
|
|
||||||
*p = data;
|
|
||||||
return 1;
|
|
||||||
@@ -905,11 +980,22 @@ int ssl_parse_serverhello_tlsext(SSL *s,
|
|
||||||
unsigned short size;
|
|
||||||
unsigned short len;
|
|
||||||
unsigned char *data = *p;
|
|
||||||
-
|
|
||||||
int tlsext_servername = 0;
|
|
||||||
+ int renegotiate_seen = 0;
|
|
||||||
|
|
||||||
if (data >= (d+n-2))
|
|
||||||
+ {
|
|
||||||
+ /* Because the client does not see any renegotiation during an
|
|
||||||
+ attack, we must enforce this on all server hellos, even the
|
|
||||||
+ first */
|
|
||||||
+ if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
|
|
||||||
+ {
|
|
||||||
+ /* We should always see one extension: the renegotiate extension */
|
|
||||||
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
return 1;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
n2s(data,len);
|
|
||||||
|
|
||||||
@@ -1025,7 +1111,12 @@ int ssl_parse_serverhello_tlsext(SSL *s,
|
|
||||||
/* Set flag to expect CertificateStatus message */
|
|
||||||
s->tlsext_status_expected = 1;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
+ else if (type == TLSEXT_TYPE_renegotiate)
|
|
||||||
+ {
|
|
||||||
+ if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
|
|
||||||
+ return 0;
|
|
||||||
+ renegotiate_seen = 1;
|
|
||||||
+ }
|
|
||||||
data+=size;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1035,6 +1126,13 @@ int ssl_parse_serverhello_tlsext(SSL *s,
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (!renegotiate_seen
|
|
||||||
+ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
|
|
||||||
+ {
|
|
||||||
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (!s->hit && tlsext_servername == 1)
|
|
||||||
{
|
|
||||||
if (s->tlsext_hostname)
|
|
||||||
|
|
@ -1,14 +0,0 @@
|
||||||
We have to keep the beta status on 3 as some applications (OpenSSH) incorrectly insist
|
|
||||||
on having the same beta status of OpenSSL library as they were built against.
|
|
||||||
diff -up openssl-1.0.0-beta4/crypto/opensslv.h.version openssl-1.0.0-beta4/crypto/opensslv.h
|
|
||||||
--- openssl-1.0.0-beta4/crypto/opensslv.h.version 2009-11-12 15:17:28.000000000 +0100
|
|
||||||
+++ openssl-1.0.0-beta4/crypto/opensslv.h 2009-11-13 12:39:08.000000000 +0100
|
|
||||||
@@ -25,7 +25,7 @@
|
|
||||||
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
|
|
||||||
* major minor fix final patch/beta)
|
|
||||||
*/
|
|
||||||
-#define OPENSSL_VERSION_NUMBER 0x10000004L
|
|
||||||
+#define OPENSSL_VERSION_NUMBER 0x10000003L
|
|
||||||
#ifdef OPENSSL_FIPS
|
|
||||||
#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0-fips-beta4 10 Nov 2009"
|
|
||||||
#else
|
|
||||||
|
|
@ -1,16 +1,16 @@
|
||||||
diff -up openssl-1.0.0-beta3/ssl/ssl.h.cipher-change openssl-1.0.0-beta3/ssl/ssl.h
|
diff -up openssl-1.0.0-beta5/ssl/ssl.h.cipher-change openssl-1.0.0-beta5/ssl/ssl.h
|
||||||
--- openssl-1.0.0-beta3/ssl/ssl.h.cipher-change 2009-08-05 18:22:45.000000000 +0200
|
--- openssl-1.0.0-beta5/ssl/ssl.h.cipher-change 2010-01-20 18:12:07.000000000 +0100
|
||||||
+++ openssl-1.0.0-beta3/ssl/ssl.h 2009-08-05 18:27:32.000000000 +0200
|
+++ openssl-1.0.0-beta5/ssl/ssl.h 2010-01-20 18:13:04.000000000 +0100
|
||||||
@@ -511,7 +511,7 @@ typedef struct ssl_session_st
|
@@ -513,7 +513,7 @@ typedef struct ssl_session_st
|
||||||
|
|
||||||
#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L
|
|
||||||
#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
|
#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
|
||||||
|
/* Allow initial connection to servers that don't support RI */
|
||||||
|
#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
|
||||||
-#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
|
-#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
|
||||||
+#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* can break some security expectations */
|
+#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* can break some security expectations */
|
||||||
#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
|
#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
|
||||||
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
|
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
|
||||||
#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */
|
#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */
|
||||||
@@ -528,7 +528,7 @@ typedef struct ssl_session_st
|
@@ -530,7 +530,7 @@ typedef struct ssl_session_st
|
||||||
|
|
||||||
/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
|
/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
|
||||||
* This used to be 0x000FFFFFL before 0.9.7. */
|
* This used to be 0x000FFFFFL before 0.9.7. */
|
||||||
|
|
@ -1,6 +1,6 @@
|
||||||
diff -up openssl-1.0.0-beta4/Configure.enginesdir openssl-1.0.0-beta4/Configure
|
diff -up openssl-1.0.0-beta5/Configure.enginesdir openssl-1.0.0-beta5/Configure
|
||||||
--- openssl-1.0.0-beta4/Configure.enginesdir 2009-11-12 12:17:59.000000000 +0100
|
--- openssl-1.0.0-beta5/Configure.enginesdir 2010-01-20 18:07:05.000000000 +0100
|
||||||
+++ openssl-1.0.0-beta4/Configure 2009-11-12 12:19:45.000000000 +0100
|
+++ openssl-1.0.0-beta5/Configure 2010-01-20 18:10:48.000000000 +0100
|
||||||
@@ -622,6 +622,7 @@ my $idx_multilib = $idx++;
|
@@ -622,6 +622,7 @@ my $idx_multilib = $idx++;
|
||||||
my $prefix="";
|
my $prefix="";
|
||||||
my $libdir="";
|
my $libdir="";
|
||||||
|
|
@ -20,7 +20,7 @@ diff -up openssl-1.0.0-beta4/Configure.enginesdir openssl-1.0.0-beta4/Configure
|
||||||
elsif (/^--install.prefix=(.*)$/)
|
elsif (/^--install.prefix=(.*)$/)
|
||||||
{
|
{
|
||||||
$install_prefix=$1;
|
$install_prefix=$1;
|
||||||
@@ -1055,7 +1060,7 @@ chop $prefix if $prefix =~ /.\/$/;
|
@@ -1053,7 +1058,7 @@ chop $prefix if $prefix =~ /.\/$/;
|
||||||
|
|
||||||
$openssldir=$prefix . "/ssl" if $openssldir eq "";
|
$openssldir=$prefix . "/ssl" if $openssldir eq "";
|
||||||
$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
|
$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
|
||||||
|
|
@ -29,18 +29,18 @@ diff -up openssl-1.0.0-beta4/Configure.enginesdir openssl-1.0.0-beta4/Configure
|
||||||
|
|
||||||
print "IsMK1MF=$IsMK1MF\n";
|
print "IsMK1MF=$IsMK1MF\n";
|
||||||
|
|
||||||
@@ -1676,7 +1681,7 @@ while (<IN>)
|
@@ -1673,7 +1678,7 @@ while (<IN>)
|
||||||
# $foo is to become "$prefix/lib$multilib/engines";
|
}
|
||||||
# as Makefile.org and engines/Makefile are adapted for
|
elsif (/^#define\s+ENGINESDIR/)
|
||||||
# $multilib suffix.
|
{
|
||||||
- my $foo = "$prefix/lib/engines";
|
- my $foo = "$prefix/$libdir/engines";
|
||||||
+ my $foo = "$enginesdir";
|
+ my $foo = "$enginesdir";
|
||||||
$foo =~ s/\\/\\\\/g;
|
$foo =~ s/\\/\\\\/g;
|
||||||
print OUT "#define ENGINESDIR \"$foo\"\n";
|
print OUT "#define ENGINESDIR \"$foo\"\n";
|
||||||
}
|
}
|
||||||
diff -up openssl-1.0.0-beta4/engines/Makefile.enginesdir openssl-1.0.0-beta4/engines/Makefile
|
diff -up openssl-1.0.0-beta5/engines/Makefile.enginesdir openssl-1.0.0-beta5/engines/Makefile
|
||||||
--- openssl-1.0.0-beta4/engines/Makefile.enginesdir 2009-11-10 02:52:52.000000000 +0100
|
--- openssl-1.0.0-beta5/engines/Makefile.enginesdir 2010-01-16 21:06:09.000000000 +0100
|
||||||
+++ openssl-1.0.0-beta4/engines/Makefile 2009-11-12 12:23:06.000000000 +0100
|
+++ openssl-1.0.0-beta5/engines/Makefile 2010-01-20 18:07:05.000000000 +0100
|
||||||
@@ -124,7 +124,7 @@ install:
|
@@ -124,7 +124,7 @@ install:
|
||||||
sfx=".so"; \
|
sfx=".so"; \
|
||||||
cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
|
cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
|
||||||
|
|
@ -1,6 +1,6 @@
|
||||||
diff -up openssl-1.0.0-beta3/apps/s_apps.h.ipv6-apps openssl-1.0.0-beta3/apps/s_apps.h
|
diff -up openssl-1.0.0-beta5/apps/s_apps.h.ipv6-apps openssl-1.0.0-beta5/apps/s_apps.h
|
||||||
--- openssl-1.0.0-beta3/apps/s_apps.h.ipv6-apps 2009-08-05 21:29:58.000000000 +0200
|
--- openssl-1.0.0-beta5/apps/s_apps.h.ipv6-apps 2010-02-03 09:43:49.000000000 +0100
|
||||||
+++ openssl-1.0.0-beta3/apps/s_apps.h 2009-08-05 21:29:58.000000000 +0200
|
+++ openssl-1.0.0-beta5/apps/s_apps.h 2010-02-03 09:43:49.000000000 +0100
|
||||||
@@ -148,7 +148,7 @@ typedef fd_mask fd_set;
|
@@ -148,7 +148,7 @@ typedef fd_mask fd_set;
|
||||||
#define PORT_STR "4433"
|
#define PORT_STR "4433"
|
||||||
#define PROTOCOL "tcp"
|
#define PROTOCOL "tcp"
|
||||||
|
|
@ -23,10 +23,10 @@ diff -up openssl-1.0.0-beta3/apps/s_apps.h.ipv6-apps openssl-1.0.0-beta3/apps/s_
|
||||||
|
|
||||||
long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
|
long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
|
||||||
int argi, long argl, long ret);
|
int argi, long argl, long ret);
|
||||||
diff -up openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps openssl-1.0.0-beta3/apps/s_client.c
|
diff -up openssl-1.0.0-beta5/apps/s_client.c.ipv6-apps openssl-1.0.0-beta5/apps/s_client.c
|
||||||
--- openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps 2009-08-05 21:29:58.000000000 +0200
|
--- openssl-1.0.0-beta5/apps/s_client.c.ipv6-apps 2010-02-03 09:43:49.000000000 +0100
|
||||||
+++ openssl-1.0.0-beta3/apps/s_client.c 2009-08-05 22:33:44.000000000 +0200
|
+++ openssl-1.0.0-beta5/apps/s_client.c 2010-02-03 09:43:49.000000000 +0100
|
||||||
@@ -388,7 +388,7 @@ int MAIN(int argc, char **argv)
|
@@ -389,7 +389,7 @@ int MAIN(int argc, char **argv)
|
||||||
int cbuf_len,cbuf_off;
|
int cbuf_len,cbuf_off;
|
||||||
int sbuf_len,sbuf_off;
|
int sbuf_len,sbuf_off;
|
||||||
fd_set readfds,writefds;
|
fd_set readfds,writefds;
|
||||||
|
|
@ -35,7 +35,7 @@ diff -up openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
||||||
int full_log=1;
|
int full_log=1;
|
||||||
char *host=SSL_HOST_NAME;
|
char *host=SSL_HOST_NAME;
|
||||||
char *cert_file=NULL,*key_file=NULL;
|
char *cert_file=NULL,*key_file=NULL;
|
||||||
@@ -486,13 +486,12 @@ int MAIN(int argc, char **argv)
|
@@ -488,13 +488,12 @@ int MAIN(int argc, char **argv)
|
||||||
else if (strcmp(*argv,"-port") == 0)
|
else if (strcmp(*argv,"-port") == 0)
|
||||||
{
|
{
|
||||||
if (--argc < 1) goto bad;
|
if (--argc < 1) goto bad;
|
||||||
|
|
@ -51,7 +51,7 @@ diff -up openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
||||||
goto bad;
|
goto bad;
|
||||||
}
|
}
|
||||||
else if (strcmp(*argv,"-verify") == 0)
|
else if (strcmp(*argv,"-verify") == 0)
|
||||||
@@ -956,7 +955,7 @@ bad:
|
@@ -967,7 +966,7 @@ bad:
|
||||||
|
|
||||||
re_start:
|
re_start:
|
||||||
|
|
||||||
|
|
@ -60,10 +60,10 @@ diff -up openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
||||||
{
|
{
|
||||||
BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
|
BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
|
||||||
SHUTDOWN(s);
|
SHUTDOWN(s);
|
||||||
diff -up openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps openssl-1.0.0-beta3/apps/s_server.c
|
diff -up openssl-1.0.0-beta5/apps/s_server.c.ipv6-apps openssl-1.0.0-beta5/apps/s_server.c
|
||||||
--- openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps 2009-08-05 21:29:58.000000000 +0200
|
--- openssl-1.0.0-beta5/apps/s_server.c.ipv6-apps 2010-02-03 09:43:49.000000000 +0100
|
||||||
+++ openssl-1.0.0-beta3/apps/s_server.c 2009-08-05 21:29:58.000000000 +0200
|
+++ openssl-1.0.0-beta5/apps/s_server.c 2010-02-03 09:43:49.000000000 +0100
|
||||||
@@ -837,7 +837,7 @@ int MAIN(int argc, char *argv[])
|
@@ -838,7 +838,7 @@ int MAIN(int argc, char *argv[])
|
||||||
{
|
{
|
||||||
X509_VERIFY_PARAM *vpm = NULL;
|
X509_VERIFY_PARAM *vpm = NULL;
|
||||||
int badarg = 0;
|
int badarg = 0;
|
||||||
|
|
@ -72,7 +72,7 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
||||||
char *CApath=NULL,*CAfile=NULL;
|
char *CApath=NULL,*CAfile=NULL;
|
||||||
unsigned char *context = NULL;
|
unsigned char *context = NULL;
|
||||||
char *dhfile = NULL;
|
char *dhfile = NULL;
|
||||||
@@ -907,8 +907,7 @@ int MAIN(int argc, char *argv[])
|
@@ -909,8 +909,7 @@ int MAIN(int argc, char *argv[])
|
||||||
(strcmp(*argv,"-accept") == 0))
|
(strcmp(*argv,"-accept") == 0))
|
||||||
{
|
{
|
||||||
if (--argc < 1) goto bad;
|
if (--argc < 1) goto bad;
|
||||||
|
|
@ -82,7 +82,7 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
||||||
}
|
}
|
||||||
else if (strcmp(*argv,"-verify") == 0)
|
else if (strcmp(*argv,"-verify") == 0)
|
||||||
{
|
{
|
||||||
@@ -1685,9 +1684,9 @@ bad:
|
@@ -1700,9 +1699,9 @@ bad:
|
||||||
BIO_printf(bio_s_out,"ACCEPT\n");
|
BIO_printf(bio_s_out,"ACCEPT\n");
|
||||||
(void)BIO_flush(bio_s_out);
|
(void)BIO_flush(bio_s_out);
|
||||||
if (www)
|
if (www)
|
||||||
|
|
@ -94,10 +94,10 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
||||||
print_stats(bio_s_out,ctx);
|
print_stats(bio_s_out,ctx);
|
||||||
ret=0;
|
ret=0;
|
||||||
end:
|
end:
|
||||||
diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/s_socket.c
|
diff -up openssl-1.0.0-beta5/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta5/apps/s_socket.c
|
||||||
--- openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps 2008-11-12 04:57:47.000000000 +0100
|
--- openssl-1.0.0-beta5/apps/s_socket.c.ipv6-apps 2009-08-26 13:21:50.000000000 +0200
|
||||||
+++ openssl-1.0.0-beta3/apps/s_socket.c 2009-08-05 21:29:58.000000000 +0200
|
+++ openssl-1.0.0-beta5/apps/s_socket.c 2010-02-03 10:00:30.000000000 +0100
|
||||||
@@ -96,9 +96,7 @@ static struct hostent *GetHostByName(cha
|
@@ -102,9 +102,7 @@ static struct hostent *GetHostByName(cha
|
||||||
static void ssl_sock_cleanup(void);
|
static void ssl_sock_cleanup(void);
|
||||||
#endif
|
#endif
|
||||||
static int ssl_sock_init(void);
|
static int ssl_sock_init(void);
|
||||||
|
|
@ -108,7 +108,7 @@ diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
||||||
static int do_accept(int acc_sock, int *sock, char **host);
|
static int do_accept(int acc_sock, int *sock, char **host);
|
||||||
static int host_ip(char *str, unsigned char ip[4]);
|
static int host_ip(char *str, unsigned char ip[4]);
|
||||||
|
|
||||||
@@ -228,58 +226,70 @@ static int ssl_sock_init(void)
|
@@ -234,58 +232,70 @@ static int ssl_sock_init(void)
|
||||||
return(1);
|
return(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -217,7 +217,7 @@ diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
||||||
{
|
{
|
||||||
int sock;
|
int sock;
|
||||||
char *name = NULL;
|
char *name = NULL;
|
||||||
@@ -317,33 +327,38 @@ int do_server(int port, int type, int *r
|
@@ -323,33 +333,38 @@ int do_server(int port, int type, int *r
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -277,7 +277,7 @@ diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
||||||
#if defined SOL_SOCKET && defined SO_REUSEADDR
|
#if defined SOL_SOCKET && defined SO_REUSEADDR
|
||||||
{
|
{
|
||||||
int j = 1;
|
int j = 1;
|
||||||
@@ -351,36 +366,39 @@ static int init_server_long(int *sock, i
|
@@ -357,36 +372,39 @@ static int init_server_long(int *sock, i
|
||||||
(void *) &j, sizeof j);
|
(void *) &j, sizeof j);
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
@ -337,11 +337,10 @@ diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
||||||
int len;
|
int len;
|
||||||
/* struct linger ling; */
|
/* struct linger ling; */
|
||||||
|
|
||||||
@@ -425,137 +443,62 @@ redoit:
|
@@ -432,136 +450,58 @@ redoit:
|
||||||
if (i < 0) { perror("keepalive"); return(0); }
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
- if (host == NULL) goto end;
|
if (host == NULL) goto end;
|
||||||
-#ifndef BIT_FIELD_LIMITS
|
-#ifndef BIT_FIELD_LIMITS
|
||||||
- /* I should use WSAAsyncGetHostByName() under windows */
|
- /* I should use WSAAsyncGetHostByName() under windows */
|
||||||
- h1=gethostbyaddr((char *)&from.sin_addr.s_addr,
|
- h1=gethostbyaddr((char *)&from.sin_addr.s_addr,
|
||||||
|
|
@ -351,50 +350,44 @@ diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
||||||
- sizeof(struct in_addr),AF_INET);
|
- sizeof(struct in_addr),AF_INET);
|
||||||
-#endif
|
-#endif
|
||||||
- if (h1 == NULL)
|
- if (h1 == NULL)
|
||||||
+ if (host == NULL)
|
+
|
||||||
{
|
|
||||||
- BIO_printf(bio_err,"bad gethostbyaddr\n");
|
|
||||||
- *host=NULL;
|
|
||||||
- /* return(0); */
|
|
||||||
- }
|
|
||||||
- else
|
|
||||||
- {
|
|
||||||
- if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
|
|
||||||
- {
|
|
||||||
- perror("OPENSSL_malloc");
|
|
||||||
+ *sock=ret;
|
|
||||||
return(0);
|
|
||||||
}
|
|
||||||
- BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
|
|
||||||
|
|
||||||
- h2=GetHostByName(*host);
|
|
||||||
- if (h2 == NULL)
|
|
||||||
+ if (getnameinfo((struct sockaddr *)&from, sizeof(from),
|
+ if (getnameinfo((struct sockaddr *)&from, sizeof(from),
|
||||||
+ buffer, sizeof(buffer),
|
+ buffer, sizeof(buffer),
|
||||||
+ NULL, 0, 0))
|
+ NULL, 0, 0))
|
||||||
{
|
{
|
||||||
- BIO_printf(bio_err,"gethostbyname failure\n");
|
- BIO_printf(bio_err,"bad gethostbyaddr\n");
|
||||||
+ BIO_printf(bio_err,"getnameinfo failed\n");
|
+ BIO_printf(bio_err,"getnameinfo failed\n");
|
||||||
+ *host=NULL;
|
*host=NULL;
|
||||||
|
/* return(0); */
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
- if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
|
||||||
|
+ if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL)
|
||||||
|
{
|
||||||
|
perror("OPENSSL_malloc");
|
||||||
return(0);
|
return(0);
|
||||||
}
|
}
|
||||||
|
- BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
|
||||||
|
-
|
||||||
|
- h2=GetHostByName(*host);
|
||||||
|
- if (h2 == NULL)
|
||||||
|
- {
|
||||||
|
- BIO_printf(bio_err,"gethostbyname failure\n");
|
||||||
|
- return(0);
|
||||||
|
- }
|
||||||
- i=0;
|
- i=0;
|
||||||
- if (h2->h_addrtype != AF_INET)
|
- if (h2->h_addrtype != AF_INET)
|
||||||
+ else
|
- {
|
||||||
{
|
|
||||||
- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
|
- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
|
||||||
+ if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL)
|
- return(0);
|
||||||
+ {
|
|
||||||
+ perror("OPENSSL_malloc");
|
|
||||||
return(0);
|
|
||||||
}
|
|
||||||
- }
|
- }
|
||||||
-end:
|
|
||||||
+ strcpy(*host, buffer);
|
+ strcpy(*host, buffer);
|
||||||
|
}
|
||||||
|
end:
|
||||||
*sock=ret;
|
*sock=ret;
|
||||||
return(1);
|
return(1);
|
||||||
}
|
}
|
||||||
+ }
|
|
||||||
|
|
||||||
-int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
|
-int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
|
||||||
- short *port_ptr)
|
- short *port_ptr)
|
||||||
|
|
@ -1,7 +1,7 @@
|
||||||
diff -up openssl-0.9.8j/README.warning openssl-0.9.8j/README
|
diff -up openssl-1.0.0-beta5/README.warning openssl-1.0.0-beta5/README
|
||||||
--- openssl-0.9.8j/README.warning 2009-01-07 11:50:53.000000000 +0100
|
--- openssl-1.0.0-beta5/README.warning 2010-01-20 16:00:47.000000000 +0100
|
||||||
+++ openssl-0.9.8j/README 2009-01-14 17:43:02.000000000 +0100
|
+++ openssl-1.0.0-beta5/README 2010-01-21 09:06:11.000000000 +0100
|
||||||
@@ -5,6 +5,31 @@
|
@@ -5,6 +5,35 @@
|
||||||
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
||||||
All rights reserved.
|
All rights reserved.
|
||||||
|
|
||||||
|
|
@ -15,9 +15,15 @@ diff -up openssl-0.9.8j/README.warning openssl-0.9.8j/README
|
||||||
+
|
+
|
||||||
+ This version also contains a few differences from the upstream code
|
+ This version also contains a few differences from the upstream code
|
||||||
+ some of which are:
|
+ some of which are:
|
||||||
+ * The FIPS integrity verification check is implemented differently
|
+ * There are added changes forward ported from the upstream OpenSSL
|
||||||
+ from the upstream FIPS validated OpenSSL module. It verifies
|
+ 0.9.8 FIPS branch however the FIPS integrity verification check
|
||||||
+ HMAC-SHA256 checksum of the whole libcrypto shared library.
|
+ is implemented differently from the upstream FIPS validated OpenSSL
|
||||||
|
+ module. It verifies HMAC-SHA256 checksum of the whole shared
|
||||||
|
+ libraries. For this reason the changes are ported to files in the
|
||||||
|
+ crypto directory and not in a separate fips subdirectory. Also
|
||||||
|
+ note that the FIPS integrity verification check requires unmodified
|
||||||
|
+ libcrypto and libssl shared library files which means that it will
|
||||||
|
+ fail if these files are modified for example by prelink.
|
||||||
+ * The module respects the kernel FIPS flag /proc/sys/crypto/fips and
|
+ * The module respects the kernel FIPS flag /proc/sys/crypto/fips and
|
||||||
+ tries to initialize the FIPS mode if it is set to 1 aborting if the
|
+ tries to initialize the FIPS mode if it is set to 1 aborting if the
|
||||||
+ FIPS mode could not be initialized. It is also possible to force the
|
+ FIPS mode could not be initialized. It is also possible to force the
|
||||||
|
|
@ -27,8 +33,6 @@ diff -up openssl-0.9.8j/README.warning openssl-0.9.8j/README
|
||||||
+ will not automatically load the built in compression method ZLIB
|
+ will not automatically load the built in compression method ZLIB
|
||||||
+ when initialized. Applications can still explicitely ask for ZLIB
|
+ when initialized. Applications can still explicitely ask for ZLIB
|
||||||
+ compression method.
|
+ compression method.
|
||||||
+ * There is added a support for EAP-FAST through TLS extension. This code
|
|
||||||
+ is backported from OpenSSL upstream development branch.
|
|
||||||
+
|
+
|
||||||
DESCRIPTION
|
DESCRIPTION
|
||||||
-----------
|
-----------
|
||||||
File diff suppressed because it is too large
Load Diff
|
|
@ -0,0 +1,13 @@
|
||||||
|
diff -up openssl-1.0.0/crypto/opensslv.h.version openssl-1.0.0/crypto/opensslv.h
|
||||||
|
--- openssl-1.0.0/crypto/opensslv.h.version 2010-03-30 10:59:26.000000000 +0200
|
||||||
|
+++ openssl-1.0.0/crypto/opensslv.h 2010-03-30 11:00:52.000000000 +0200
|
||||||
|
@@ -25,7 +25,8 @@
|
||||||
|
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
|
||||||
|
* major minor fix final patch/beta)
|
||||||
|
*/
|
||||||
|
-#define OPENSSL_VERSION_NUMBER 0x1000000fL
|
||||||
|
+/* we have to keep the version number to not break the abi */
|
||||||
|
+#define OPENSSL_VERSION_NUMBER 0x10000003L
|
||||||
|
#ifdef OPENSSL_FIPS
|
||||||
|
#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0-fips 29 Mar 2010"
|
||||||
|
#else
|
||||||
72
openssl.spec
72
openssl.spec
|
|
@ -11,8 +11,6 @@
|
||||||
# 1.0.0 soversion = 10
|
# 1.0.0 soversion = 10
|
||||||
%define soversion 10
|
%define soversion 10
|
||||||
|
|
||||||
%define beta beta4
|
|
||||||
|
|
||||||
# Number of threads to spawn when testing some threading fixes.
|
# Number of threads to spawn when testing some threading fixes.
|
||||||
%define thread_test_threads %{?threads:%{threads}}%{!?threads:1}
|
%define thread_test_threads %{?threads:%{threads}}%{!?threads:1}
|
||||||
|
|
||||||
|
|
@ -23,10 +21,10 @@
|
||||||
Summary: A general purpose cryptography library with TLS implementation
|
Summary: A general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 1.0.0
|
Version: 1.0.0
|
||||||
Release: 0.16.%{beta}%{?dist}
|
Release: 1%{?dist}
|
||||||
# We remove certain patented algorithms from the openssl source tarball
|
# We remove certain patented algorithms from the openssl source tarball
|
||||||
# with the hobble-openssl script which is included below.
|
# with the hobble-openssl script which is included below.
|
||||||
Source: openssl-%{version}-%{beta}-usa.tar.bz2
|
Source: openssl-%{version}-usa.tar.bz2
|
||||||
Source1: hobble-openssl
|
Source1: hobble-openssl
|
||||||
Source2: Makefile.certificate
|
Source2: Makefile.certificate
|
||||||
Source6: make-dummy-cert
|
Source6: make-dummy-cert
|
||||||
|
|
@ -38,36 +36,30 @@ Source11: README.FIPS
|
||||||
Patch0: openssl-1.0.0-beta4-redhat.patch
|
Patch0: openssl-1.0.0-beta4-redhat.patch
|
||||||
Patch1: openssl-1.0.0-beta3-defaults.patch
|
Patch1: openssl-1.0.0-beta3-defaults.patch
|
||||||
Patch3: openssl-1.0.0-beta3-soversion.patch
|
Patch3: openssl-1.0.0-beta3-soversion.patch
|
||||||
Patch4: openssl-1.0.0-beta4-enginesdir.patch
|
Patch4: openssl-1.0.0-beta5-enginesdir.patch
|
||||||
Patch5: openssl-0.9.8a-no-rpath.patch
|
Patch5: openssl-0.9.8a-no-rpath.patch
|
||||||
Patch6: openssl-0.9.8b-test-use-localhost.patch
|
Patch6: openssl-0.9.8b-test-use-localhost.patch
|
||||||
# Bug fixes
|
# Bug fixes
|
||||||
Patch23: openssl-1.0.0-beta4-default-paths.patch
|
Patch23: openssl-1.0.0-beta4-default-paths.patch
|
||||||
Patch24: openssl-1.0.0-beta4-binutils.patch
|
Patch24: openssl-0.9.8j-bad-mime.patch
|
||||||
# Functionality changes
|
# Functionality changes
|
||||||
Patch32: openssl-0.9.8g-ia64.patch
|
Patch32: openssl-0.9.8g-ia64.patch
|
||||||
Patch33: openssl-1.0.0-beta4-ca-dir.patch
|
Patch33: openssl-1.0.0-beta4-ca-dir.patch
|
||||||
Patch34: openssl-0.9.6-x509.patch
|
Patch34: openssl-0.9.6-x509.patch
|
||||||
Patch35: openssl-0.9.8j-version-add-engines.patch
|
Patch35: openssl-0.9.8j-version-add-engines.patch
|
||||||
Patch38: openssl-1.0.0-beta3-cipher-change.patch
|
Patch38: openssl-1.0.0-beta5-cipher-change.patch
|
||||||
Patch39: openssl-1.0.0-beta3-ipv6-apps.patch
|
Patch39: openssl-1.0.0-beta5-ipv6-apps.patch
|
||||||
Patch40: openssl-1.0.0-beta4-fips.patch
|
Patch40: openssl-1.0.0-fips.patch
|
||||||
Patch41: openssl-1.0.0-beta3-fipscheck.patch
|
Patch41: openssl-1.0.0-beta3-fipscheck.patch
|
||||||
Patch43: openssl-1.0.0-beta3-fipsmode.patch
|
Patch43: openssl-1.0.0-beta3-fipsmode.patch
|
||||||
Patch44: openssl-1.0.0-beta3-fipsrng.patch
|
Patch44: openssl-1.0.0-beta3-fipsrng.patch
|
||||||
Patch45: openssl-0.9.8j-env-nozlib.patch
|
Patch45: openssl-0.9.8j-env-nozlib.patch
|
||||||
Patch47: openssl-0.9.8j-readme-warning.patch
|
Patch47: openssl-1.0.0-beta5-readme-warning.patch
|
||||||
Patch48: openssl-0.9.8j-bad-mime.patch
|
|
||||||
Patch49: openssl-1.0.0-beta4-algo-doc.patch
|
Patch49: openssl-1.0.0-beta4-algo-doc.patch
|
||||||
Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
|
Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
|
||||||
Patch51: openssl-1.0.0-beta4-version.patch
|
Patch51: openssl-1.0.0-version.patch
|
||||||
|
Patch52: openssl-1.0.0-beta4-aesni.patch
|
||||||
# Backported fixes including security fixes
|
# Backported fixes including security fixes
|
||||||
Patch60: openssl-1.0.0-beta4-reneg.patch
|
|
||||||
# This one is not backported but has to be applied after reneg patch
|
|
||||||
Patch61: openssl-1.0.0-beta4-client-reneg.patch
|
|
||||||
Patch62: openssl-1.0.0-beta4-backports.patch
|
|
||||||
Patch63: openssl-1.0.0-beta4-reneg-err.patch
|
|
||||||
Patch64: openssl-1.0.0-beta4-dtls-ipv6.patch
|
|
||||||
|
|
||||||
License: OpenSSL
|
License: OpenSSL
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
|
|
@ -117,7 +109,7 @@ package provides Perl scripts for converting certificates and keys
|
||||||
from other formats to the formats used by the OpenSSL toolkit.
|
from other formats to the formats used by the OpenSSL toolkit.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n %{name}-%{version}-%{beta}
|
%setup -q -n %{name}-%{version}
|
||||||
|
|
||||||
%{SOURCE1} > /dev/null
|
%{SOURCE1} > /dev/null
|
||||||
%patch0 -p1 -b .redhat
|
%patch0 -p1 -b .redhat
|
||||||
|
|
@ -128,7 +120,7 @@ from other formats to the formats used by the OpenSSL toolkit.
|
||||||
%patch6 -p1 -b .use-localhost
|
%patch6 -p1 -b .use-localhost
|
||||||
|
|
||||||
%patch23 -p1 -b .default-paths
|
%patch23 -p1 -b .default-paths
|
||||||
%patch24 -p1 -b .binutils
|
%patch24 -p1 -b .bad-mime
|
||||||
|
|
||||||
%patch32 -p1 -b .ia64
|
%patch32 -p1 -b .ia64
|
||||||
%patch33 -p1 -b .ca-dir
|
%patch33 -p1 -b .ca-dir
|
||||||
|
|
@ -142,16 +134,10 @@ from other formats to the formats used by the OpenSSL toolkit.
|
||||||
%patch44 -p1 -b .fipsrng
|
%patch44 -p1 -b .fipsrng
|
||||||
%patch45 -p1 -b .env-nozlib
|
%patch45 -p1 -b .env-nozlib
|
||||||
%patch47 -p1 -b .warning
|
%patch47 -p1 -b .warning
|
||||||
%patch48 -p1 -b .bad-mime
|
|
||||||
%patch49 -p1 -b .algo-doc
|
%patch49 -p1 -b .algo-doc
|
||||||
%patch50 -p1 -b .dtls1-abi
|
%patch50 -p1 -b .dtls1-abi
|
||||||
%patch51 -p1 -b .version
|
%patch51 -p1 -b .version
|
||||||
|
%patch52 -p1 -b .aesni
|
||||||
%patch60 -p1 -b .reneg
|
|
||||||
%patch61 -p1 -b .client-reneg
|
|
||||||
%patch62 -p1 -b .backports
|
|
||||||
%patch63 -p1 -b .reneg-err
|
|
||||||
%patch64 -p1 -b .dtls-ipv6
|
|
||||||
|
|
||||||
# Modify the various perl scripts to reference perl in the right location.
|
# Modify the various perl scripts to reference perl in the right location.
|
||||||
perl util/perlpath.pl `dirname %{__perl}`
|
perl util/perlpath.pl `dirname %{__perl}`
|
||||||
|
|
@ -250,12 +236,9 @@ make -C test apps tests
|
||||||
install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl}
|
install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl}
|
||||||
make INSTALL_PREFIX=$RPM_BUILD_ROOT install
|
make INSTALL_PREFIX=$RPM_BUILD_ROOT install
|
||||||
make INSTALL_PREFIX=$RPM_BUILD_ROOT install_docs
|
make INSTALL_PREFIX=$RPM_BUILD_ROOT install_docs
|
||||||
# OpenSSL install doesn't use correct _libdir on 64 bit archs
|
mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT%{_libdir}/openssl
|
||||||
[ "%{_libdir}" != /usr/lib ] && mv $RPM_BUILD_ROOT/usr/lib/lib*.so.%{soversion} $RPM_BUILD_ROOT%{_libdir}/
|
|
||||||
mv $RPM_BUILD_ROOT/usr/lib/engines $RPM_BUILD_ROOT%{_libdir}/openssl
|
|
||||||
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man/* $RPM_BUILD_ROOT%{_mandir}/
|
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man/* $RPM_BUILD_ROOT%{_mandir}/
|
||||||
rmdir $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man
|
rmdir $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man
|
||||||
mv $RPM_BUILD_ROOT/usr/lib/* $RPM_BUILD_ROOT%{_libdir}/ || :
|
|
||||||
rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
|
rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
|
||||||
for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
|
for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
|
||||||
chmod 755 ${lib}
|
chmod 755 ${lib}
|
||||||
|
|
@ -400,6 +383,33 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
||||||
%postun -p /sbin/ldconfig
|
%postun -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Mar 30 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-1
|
||||||
|
- update to final 1.0.0 upstream release
|
||||||
|
|
||||||
|
* Tue Feb 16 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.22.beta5
|
||||||
|
- make TLS work in the FIPS mode
|
||||||
|
|
||||||
|
* Fri Feb 12 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.21.beta5
|
||||||
|
- gracefully handle zero length in assembler implementations of
|
||||||
|
OPENSSL_cleanse (#564029)
|
||||||
|
- do not fail in s_server if client hostname not resolvable (#561260)
|
||||||
|
|
||||||
|
* Wed Jan 20 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.20.beta5
|
||||||
|
- new upstream release
|
||||||
|
|
||||||
|
* Thu Jan 14 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.19.beta4
|
||||||
|
- fix CVE-2009-4355 - leak in applications incorrectly calling
|
||||||
|
CRYPTO_free_all_ex_data() before application exit (#546707)
|
||||||
|
- upstream fix for future TLS protocol version handling
|
||||||
|
|
||||||
|
* Wed Jan 13 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.18.beta4
|
||||||
|
- add support for Intel AES-NI
|
||||||
|
|
||||||
|
* Thu Jan 7 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.17.beta4
|
||||||
|
- upstream fix compression handling on session resumption
|
||||||
|
- various null checks and other small fixes from upstream
|
||||||
|
- upstream changes for the renegotiation info according to the latest draft
|
||||||
|
|
||||||
* Mon Nov 23 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.16.beta4
|
* Mon Nov 23 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.16.beta4
|
||||||
- fix non-fips mingw build (patch by Kalev Lember)
|
- fix non-fips mingw build (patch by Kalev Lember)
|
||||||
- add IPV6 fix for DTLS
|
- add IPV6 fix for DTLS
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue