- gracefully handle zero length in assembler implementations of

OPENSSL_cleanse (#564029) - do not fail in s_server if client hostname not resolvable (#561260)
2010-02-12 17:20:50 +00:00 · 2010-02-12 17:20:50 +00:00 · bffe20438c
parent ae5568515b
commit bffe20438c
3 changed files with 167 additions and 58 deletions
--- a/openssl-1.0.0-beta5-cleanse.patch
+++ b/openssl-1.0.0-beta5-cleanse.patch
@ -0,0 +1,109 @@
+Gracefully handle zero length in assembler implementations of OPENSSL_cleanse.
+diff -up openssl-1.0.0-beta5/crypto/ia64cpuid.S.cleanse openssl-1.0.0-beta5/crypto/ia64cpuid.S
+--- openssl-1.0.0-beta5/crypto/ia64cpuid.S.cleanse	2007-07-27 20:03:27.000000000 +0200
+++ openssl-1.0.0-beta5/crypto/ia64cpuid.S	2010-02-12 18:13:52.000000000 +0100
+@@ -130,9 +130,11 @@ OPENSSL_wipe_cpu:
+ .global	OPENSSL_cleanse#
+ .proc	OPENSSL_cleanse#
+ OPENSSL_cleanse:
+{ .mib;	cmp.eq		p6,p0=0,r33	    // len==0
+ #if defined(_HPUX_SOURCE) && !defined(_LP64)
+-{ .mmi;	addp4		r32=0,r32	};;
+	addp4		r32=0,r32
+ #endif
+(p6)	br.ret.spnt	b0		};;
+ { .mib;	and		r2=7,r32
+ 	cmp.leu		p6,p0=15,r33	    // len>=15
+ (p6)	br.cond.dptk	.Lot		};;
+diff -up openssl-1.0.0-beta5/crypto/perlasm/ppc-xlate.pl.cleanse openssl-1.0.0-beta5/crypto/perlasm/ppc-xlate.pl
+--- openssl-1.0.0-beta5/crypto/perlasm/ppc-xlate.pl.cleanse	2008-01-13 23:01:29.000000000 +0100
+++ openssl-1.0.0-beta5/crypto/perlasm/ppc-xlate.pl	2010-02-12 18:13:52.000000000 +0100
+@@ -101,6 +101,13 @@ my $bnelr = sub {
+ 	"	.long	".sprintf "0x%x",19<<26|$bo<<21|2<<16|16<<1 :
+ 	"	bclr	$bo,2";
+ };
+my $beqlr = sub {
+    my $f = shift;
+    my $bo = $f=~/-/ ? 12+2 : 12;	# optional "not to be taken" hint
+    ($flavour =~ /linux/) ?		# GNU as doesn't allow most recent hints
+	"	.long	".sprintf "0x%X",19<<26|$bo<<21|2<<16|16<<1 :
+	"	bclr	$bo,2";
+};
+ # GNU assembler can't handle extrdi rA,rS,16,48, or when sum of last two
+ # arguments is 64, with "operand out of range" error.
+ my $extrdi = sub {
+diff -up openssl-1.0.0-beta5/crypto/ppccpuid.pl.cleanse openssl-1.0.0-beta5/crypto/ppccpuid.pl
+--- openssl-1.0.0-beta5/crypto/ppccpuid.pl.cleanse	2008-09-12 16:45:53.000000000 +0200
+++ openssl-1.0.0-beta5/crypto/ppccpuid.pl	2010-02-12 18:13:52.000000000 +0100
+@@ -67,6 +67,8 @@ Loop:	lwarx	r5,0,r3
+ 	$CMPLI	r4,7
+ 	li	r0,0
+ 	bge	Lot
+	$CMPLI	r4,0
+	beqlr-
+ Little:	mtctr	r4
+ 	stb	r0,0(r3)
+ 	addi	r3,r3,1
+diff -up openssl-1.0.0-beta5/crypto/sparccpuid.S.cleanse openssl-1.0.0-beta5/crypto/sparccpuid.S
+--- openssl-1.0.0-beta5/crypto/sparccpuid.S.cleanse	2007-05-19 19:26:48.000000000 +0200
+++ openssl-1.0.0-beta5/crypto/sparccpuid.S	2010-02-12 18:13:52.000000000 +0100
+@@ -242,6 +242,10 @@ OPENSSL_cleanse:
+ #else
+ 	bgu	.Lot
+ #endif
+	cmp	%o1,0
+	bne	.Little
+	nop
+	retl
+ 	nop
+ 
+ .Little:
+diff -up openssl-1.0.0-beta5/crypto/s390xcpuid.S.cleanse openssl-1.0.0-beta5/crypto/s390xcpuid.S
+--- openssl-1.0.0-beta5/crypto/s390xcpuid.S.cleanse	2010-01-19 22:40:56.000000000 +0100
+++ openssl-1.0.0-beta5/crypto/s390xcpuid.S	2010-02-12 18:13:52.000000000 +0100
+@@ -62,6 +62,8 @@ OPENSSL_cleanse:
+ 	lghi	%r0,0
+ 	clgr	%r3,%r4
+ 	jh	.Lot
+	clgr	%r3,%r0
+	bcr	8,%r14
+ .Little:
+ 	stc	%r0,0(%r2)
+ 	la	%r2,1(%r2)
+diff -up openssl-1.0.0-beta5/crypto/x86cpuid.pl.cleanse openssl-1.0.0-beta5/crypto/x86cpuid.pl
+--- openssl-1.0.0-beta5/crypto/x86cpuid.pl.cleanse	2009-05-14 20:25:29.000000000 +0200
+++ openssl-1.0.0-beta5/crypto/x86cpuid.pl	2010-02-12 18:13:52.000000000 +0100
+@@ -279,11 +279,14 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
+ 	&xor	("eax","eax");
+ 	&cmp	("ecx",7);
+ 	&jae	(&label("lot"));
+	&cmp	("ecx",0);
+	&je	(&label("ret"));
+ &set_label("little");
+ 	&mov	(&BP(0,"edx"),"al");
+ 	&sub	("ecx",1);
+ 	&lea	("edx",&DWP(1,"edx"));
+ 	&jnz	(&label("little"));
+&set_label("ret");
+ 	&ret	();
+ 
+ &set_label("lot",16);
+diff -up openssl-1.0.0-beta5/crypto/x86_64cpuid.pl.cleanse openssl-1.0.0-beta5/crypto/x86_64cpuid.pl
+--- openssl-1.0.0-beta5/crypto/x86_64cpuid.pl.cleanse	2009-05-14 20:25:29.000000000 +0200
+++ openssl-1.0.0-beta5/crypto/x86_64cpuid.pl	2010-02-12 18:13:52.000000000 +0100
+@@ -145,12 +145,14 @@ OPENSSL_cleanse:
+ 	xor	%rax,%rax
+ 	cmp	\$15,$arg2
+ 	jae	.Lot
+	cmp	\$0,$arg2
+	je	.Lret
+ .Little:
+ 	mov	%al,($arg1)
+ 	sub	\$1,$arg2
+ 	lea	1($arg1),$arg1
+ 	jnz	.Little
+-	ret
+.Lret:	ret
+ .align	16
+ .Lot:
+ 	test	\$7,$arg1
--- a/openssl-1.0.0-beta5-ipv6-apps.patch
+++ b/openssl-1.0.0-beta5-ipv6-apps.patch
@ -1,6 +1,6 @@
-diff -up openssl-1.0.0-beta3/apps/s_apps.h.ipv6-apps openssl-1.0.0-beta3/apps/s_apps.h
--- openssl-1.0.0-beta3/apps/s_apps.h.ipv6-apps	2009-08-05 21:29:58.000000000 +0200
-+++ openssl-1.0.0-beta3/apps/s_apps.h	2009-08-05 21:29:58.000000000 +0200
+diff -up openssl-1.0.0-beta5/apps/s_apps.h.ipv6-apps openssl-1.0.0-beta5/apps/s_apps.h
+--- openssl-1.0.0-beta5/apps/s_apps.h.ipv6-apps	2010-02-03 09:43:49.000000000 +0100
+++ openssl-1.0.0-beta5/apps/s_apps.h	2010-02-03 09:43:49.000000000 +0100
@@ -148,7 +148,7 @@ typedef fd_mask fd_set;
 #define PORT_STR        "4433"
 #define PROTOCOL        "tcp"
@ -23,10 +23,10 @@ diff -up openssl-1.0.0-beta3/apps/s_apps.h.ipv6-apps openssl-1.0.0-beta3/apps/s_
 
 long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
 				   int argi, long argl, long ret);
-diff -up openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps openssl-1.0.0-beta3/apps/s_client.c
--- openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps	2009-08-05 21:29:58.000000000 +0200
-+++ openssl-1.0.0-beta3/apps/s_client.c	2009-08-05 22:33:44.000000000 +0200
-@@ -388,7 +388,7 @@ int MAIN(int argc, char **argv)
+diff -up openssl-1.0.0-beta5/apps/s_client.c.ipv6-apps openssl-1.0.0-beta5/apps/s_client.c
+--- openssl-1.0.0-beta5/apps/s_client.c.ipv6-apps	2010-02-03 09:43:49.000000000 +0100
+++ openssl-1.0.0-beta5/apps/s_client.c	2010-02-03 09:43:49.000000000 +0100
+@@ -389,7 +389,7 @@ int MAIN(int argc, char **argv)
 	int cbuf_len,cbuf_off;
 	int sbuf_len,sbuf_off;
 	fd_set readfds,writefds;
@ -35,7 +35,7 @@ diff -up openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps openssl-1.0.0-beta3/apps/
 	int full_log=1;
 	char *host=SSL_HOST_NAME;
 	char *cert_file=NULL,*key_file=NULL;
-@@ -486,13 +486,12 @@ int MAIN(int argc, char **argv)
+@@ -488,13 +488,12 @@ int MAIN(int argc, char **argv)
 		else if	(strcmp(*argv,"-port") == 0)
 			{
 			if (--argc < 1) goto bad;
@ -51,7 +51,7 @@ diff -up openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps openssl-1.0.0-beta3/apps/
 				goto bad;
 			}
 		else if	(strcmp(*argv,"-verify") == 0)
-@@ -956,7 +955,7 @@ bad:
+@@ -967,7 +966,7 @@ bad:
 
 re_start:
 
@ -60,10 +60,10 @@ diff -up openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps openssl-1.0.0-beta3/apps/
 		{
 		BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
 		SHUTDOWN(s);
-diff -up openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps openssl-1.0.0-beta3/apps/s_server.c
--- openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps	2009-08-05 21:29:58.000000000 +0200
-+++ openssl-1.0.0-beta3/apps/s_server.c	2009-08-05 21:29:58.000000000 +0200
-@@ -837,7 +837,7 @@ int MAIN(int argc, char *argv[])
+diff -up openssl-1.0.0-beta5/apps/s_server.c.ipv6-apps openssl-1.0.0-beta5/apps/s_server.c
+--- openssl-1.0.0-beta5/apps/s_server.c.ipv6-apps	2010-02-03 09:43:49.000000000 +0100
+++ openssl-1.0.0-beta5/apps/s_server.c	2010-02-03 09:43:49.000000000 +0100
+@@ -838,7 +838,7 @@ int MAIN(int argc, char *argv[])
 	{
 	X509_VERIFY_PARAM *vpm = NULL;
 	int badarg = 0;
@ -72,7 +72,7 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps openssl-1.0.0-beta3/apps/
 	char *CApath=NULL,*CAfile=NULL;
 	unsigned char *context = NULL;
 	char *dhfile = NULL;
-@@ -907,8 +907,7 @@ int MAIN(int argc, char *argv[])
+@@ -909,8 +909,7 @@ int MAIN(int argc, char *argv[])
 			 (strcmp(*argv,"-accept") == 0))
 			{
 			if (--argc < 1) goto bad;
@ -82,7 +82,7 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps openssl-1.0.0-beta3/apps/
 			}
 		else if	(strcmp(*argv,"-verify") == 0)
 			{
-@@ -1685,9 +1684,9 @@ bad:
+@@ -1700,9 +1699,9 @@ bad:
 	BIO_printf(bio_s_out,"ACCEPT\n");
 	(void)BIO_flush(bio_s_out);
 	if (www)
@ -94,10 +94,10 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps openssl-1.0.0-beta3/apps/
 	print_stats(bio_s_out,ctx);
 	ret=0;
 end:
-diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/s_socket.c
--- openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps	2008-11-12 04:57:47.000000000 +0100
-+++ openssl-1.0.0-beta3/apps/s_socket.c	2009-08-05 21:29:58.000000000 +0200
-@@ -96,9 +96,7 @@ static struct hostent *GetHostByName(cha
+diff -up openssl-1.0.0-beta5/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta5/apps/s_socket.c
+--- openssl-1.0.0-beta5/apps/s_socket.c.ipv6-apps	2009-08-26 13:21:50.000000000 +0200
+++ openssl-1.0.0-beta5/apps/s_socket.c	2010-02-03 10:00:30.000000000 +0100
+@@ -102,9 +102,7 @@ static struct hostent *GetHostByName(cha
 static void ssl_sock_cleanup(void);
 #endif
 static int ssl_sock_init(void);
@ -108,7 +108,7 @@ diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/
 static int do_accept(int acc_sock, int *sock, char **host);
 static int host_ip(char *str, unsigned char ip[4]);
 
-@@ -228,58 +226,70 @@ static int ssl_sock_init(void)
+@@ -234,58 +232,70 @@ static int ssl_sock_init(void)
 	return(1);
 	}
 
@ -217,7 +217,7 @@ diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/
 	{
 	int sock;
 	char *name = NULL;
-@@ -317,33 +327,38 @@ int do_server(int port, int type, int *r
+@@ -323,33 +333,38 @@ int do_server(int port, int type, int *r
 		}
 	}
 
@ -277,7 +277,7 @@ diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/
 #if defined SOL_SOCKET && defined SO_REUSEADDR
 		{
 		int j = 1;
-@@ -351,36 +366,39 @@ static int init_server_long(int *sock, i
+@@ -357,36 +372,39 @@ static int init_server_long(int *sock, i
 			   (void *) &j, sizeof j);
 		}
 #endif
@ -337,11 +337,10 @@ diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/
 	int len;
 /*	struct linger ling; */
 
-@@ -425,137 +443,62 @@ redoit:
- 	if (i < 0) { perror("keepalive"); return(0); }
+@@ -432,136 +450,58 @@ redoit:
 */
 
-	if (host == NULL) goto end;
+ 	if (host == NULL) goto end;
 -#ifndef BIT_FIELD_LIMITS
 -	/* I should use WSAAsyncGetHostByName() under windows */
 -	h1=gethostbyaddr((char *)&from.sin_addr.s_addr,
@ -351,50 +350,44 @@ diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/
 -		sizeof(struct in_addr),AF_INET);
 -#endif
 -	if (h1 == NULL)
-+	if (host == NULL)
- 		{
-		BIO_printf(bio_err,"bad gethostbyaddr\n");
-		*host=NULL;
-		/* return(0); */
-		}
-	else
-		{
-		if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
-			{
-			perror("OPENSSL_malloc");
-+		*sock=ret;
- 			return(0);
- 			}
-		BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
- 
-		h2=GetHostByName(*host);
-		if (h2 == NULL)
+
 +	if (getnameinfo((struct sockaddr *)&from, sizeof(from),
 +		buffer, sizeof(buffer),
 +		NULL, 0, 0))
- 			{
-			BIO_printf(bio_err,"gethostbyname failure\n");
+ 		{
+-		BIO_printf(bio_err,"bad gethostbyaddr\n");
 +		BIO_printf(bio_err,"getnameinfo failed\n");
-+		*host=NULL;
+ 		*host=NULL;
+ 		/* return(0); */
+ 		}
+ 	else
+ 		{
+-		if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
+		if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL)
+ 			{
+ 			perror("OPENSSL_malloc");
 			return(0);
 			}
+-		BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
+-
+-		h2=GetHostByName(*host);
+-		if (h2 == NULL)
+-			{
+-			BIO_printf(bio_err,"gethostbyname failure\n");
+-			return(0);
+-			}
 -		i=0;
 -		if (h2->h_addrtype != AF_INET)
-+	else
- 			{
+-			{
 -			BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
-+		if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL)
-+			{
-+			perror("OPENSSL_malloc");
- 			return(0);
- 			}
-		}
-end:
+-			return(0);
+-			}
 +		strcpy(*host, buffer);
+ 		}
+ end:
 	*sock=ret;
 	return(1);
 	}
-+	}
 
 -int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
 -	     short *port_ptr)
--- a/openssl.spec
+++ b/openssl.spec
@ -23,7 +23,7 @@
 Summary: A general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.0
-Release: 0.20.%{beta}%{?dist}
+Release: 0.21.%{beta}%{?dist}
 # We remove certain patented algorithms from the openssl source tarball
 # with the hobble-openssl script which is included below.
 Source: openssl-%{version}-%{beta}-usa.tar.bz2
@ -50,7 +50,7 @@ Patch33: openssl-1.0.0-beta4-ca-dir.patch
 Patch34: openssl-0.9.6-x509.patch
 Patch35: openssl-0.9.8j-version-add-engines.patch
 Patch38: openssl-1.0.0-beta5-cipher-change.patch
-Patch39: openssl-1.0.0-beta3-ipv6-apps.patch
+Patch39: openssl-1.0.0-beta5-ipv6-apps.patch
 Patch40: openssl-1.0.0-beta5-fips.patch
 Patch41: openssl-1.0.0-beta3-fipscheck.patch
 Patch43: openssl-1.0.0-beta3-fipsmode.patch
@ -62,6 +62,7 @@ Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
 Patch51: openssl-1.0.0-beta5-version.patch
 Patch52: openssl-1.0.0-beta4-aesni.patch
 # Backported fixes including security fixes
+Patch53: openssl-1.0.0-beta5-cleanse.patch

 License: OpenSSL
 Group: System Environment/Libraries
@ -140,6 +141,7 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch50 -p1 -b .dtls1-abi
 %patch51 -p1 -b .version
 %patch52 -p1 -b .aesni
+%patch53 -p1 -b .cleanse

 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`
@ -385,6 +387,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun -p /sbin/ldconfig

 %changelog
+* Fri Feb 12 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.21.beta5
+- gracefully handle zero length in assembler implementations of
+  OPENSSL_cleanse (#564029)
+- do not fail in s_server if client hostname not resolvable (#561260)
+
 * Wed Jan 20 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.20.beta5
 - new upstream release