From 03d2622327dff9b00ed2a7c9c371abd8c8f7a677 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?=
Date: Fri, 4 Jun 2010 14:16:25 +0000
Subject: [PATCH] - oops wrong patch removed
---
openssl-1.0.0-dtls1-backports.patch | 53 -----------------------------
openssl-1.0.0-name-hash.patch | 22 ++++++++++++
2 files changed, 22 insertions(+), 53 deletions(-)
delete mode 100644 openssl-1.0.0-dtls1-backports.patch
create mode 100644 openssl-1.0.0-name-hash.patch
diff --git a/openssl-1.0.0-dtls1-backports.patch b/openssl-1.0.0-dtls1-backports.patch
deleted file mode 100644
index 99518cd..0000000
--- a/openssl-1.0.0-dtls1-backports.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-diff -up openssl-1.0.0/ssl/d1_lib.c.dtls1 openssl-1.0.0/ssl/d1_lib.c
---- openssl-1.0.0/ssl/d1_lib.c.dtls1 2009-12-08 12:38:17.000000000 +0100
-+++ openssl-1.0.0/ssl/d1_lib.c 2010-04-09 16:29:49.000000000 +0200
-@@ -283,6 +283,16 @@ struct timeval* dtls1_get_timeout(SSL *s
- timeleft->tv_usec += 1000000;
- }
-
-+ /* If remaining time is less than 15 ms, set it to 0
-+ * to prevent issues because of small devergences with
-+ * socket timeouts.
-+ */
-+ if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000)
-+ {
-+ memset(timeleft, 0, sizeof(struct timeval));
-+ }
-+
-+
- return timeleft;
- }
-
-diff -up openssl-1.0.0/ssl/d1_pkt.c.dtls1 openssl-1.0.0/ssl/d1_pkt.c
---- openssl-1.0.0/ssl/d1_pkt.c.dtls1 2009-10-04 18:52:35.000000000 +0200
-+++ openssl-1.0.0/ssl/d1_pkt.c 2010-04-09 16:30:49.000000000 +0200
-@@ -667,14 +667,14 @@ again:
- if (rr->length == 0) goto again;
-
- /* If this record is from the next epoch (either HM or ALERT),
-- * buffer it since it cannot be processed at this time. Records
-- * from the next epoch are marked as received even though they
-- * are not processed, so as to prevent any potential resource
-- * DoS attack */
-+ * and a handshake is currently in progress, buffer it since it
-+ * cannot be processed at this time. */
- if (is_next_epoch)
- {
-- dtls1_record_bitmap_update(s, bitmap);
-- dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
-+ if (SSL_in_init(s) || s->in_handshake)
-+ {
-+ dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
-+ }
- rr->length = 0;
- s->packet_length = 0;
- goto again;
-@@ -809,7 +809,7 @@ start:
- * buffer the application data for later processing rather
- * than dropping the connection.
- */
-- dtls1_buffer_record(s, &(s->d1->buffered_app_data), 0);
-+ dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num);
- rr->length = 0;
- goto start;
- }
diff --git a/openssl-1.0.0-name-hash.patch b/openssl-1.0.0-name-hash.patch
new file mode 100644
index 0000000..9098c0a
--- /dev/null
+++ b/openssl-1.0.0-name-hash.patch
@@ -0,0 +1,22 @@
+diff -up openssl-1.0.0/crypto/x509/x509_cmp.c.name-hash openssl-1.0.0/crypto/x509/x509_cmp.c
+--- openssl-1.0.0/crypto/x509/x509_cmp.c.name-hash 2010-01-12 18:27:10.000000000 +0100
++++ openssl-1.0.0/crypto/x509/x509_cmp.c 2010-04-06 16:44:52.000000000 +0200
+@@ -236,10 +236,17 @@ unsigned long X509_NAME_hash_old(X509_NA
+ {
+ unsigned long ret=0;
+ unsigned char md[16];
++ EVP_MD_CTX ctx;
+
+ /* Make sure X509_NAME structure contains valid cached encoding */
+ i2d_X509_NAME(x,NULL);
+- EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
++
++ EVP_MD_CTX_init(&ctx);
++ EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_ONESHOT | EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
++ EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)
++ && EVP_DigestUpdate(&ctx, x->bytes->data, x->bytes->length)
++ && EVP_DigestFinal_ex(&ctx, md, NULL);
++ EVP_MD_CTX_cleanup(&ctx);
+
+ ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
+ ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
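Review bot: In the X509_NAME_hash_old hunk the result of the `EVP_DigestInit_ex(...) && EVP_DigestUpdate(...) && EVP_DigestFinal_ex(...)` chain is thrown away, so when any step fails `md` is never written and the hash below is assembled from uninitialised stack bytes. Declare the buffer as `unsigned char md[16] = {0};`, or make the `ret=(...)` computation conditional on that chain so a failed digest leaves `ret` at 0; the value is presumably used for name lookups, where an unpredictable result is worse than a fixed one. The `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW` exemption should carry a comment such as `/* MD5 only derives the legacy name hash here; it is not used as a security function */` so the FIPS bypass is not copied to digests that do matter for security. The function body continues past the end of the hunk.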