forked from rpms/openssl
parent
d8e7bfc73b
commit
12aab15a03
@ -1,6 +1,6 @@
|
|||||||
diff -up openssl-1.0.1c/apps/cms.c.backports2 openssl-1.0.1c/apps/cms.c
|
diff -up openssl-1.0.1c/apps/cms.c.backports2 openssl-1.0.1c/apps/cms.c
|
||||||
--- openssl-1.0.1c/apps/cms.c.backports2 2012-01-05 14:46:27.000000000 +0100
|
--- openssl-1.0.1c/apps/cms.c.backports2 2012-01-05 14:46:27.000000000 +0100
|
||||||
+++ openssl-1.0.1c/apps/cms.c 2012-09-07 10:34:42.000000000 +0200
|
+++ openssl-1.0.1c/apps/cms.c 2012-11-14 20:27:50.240211707 +0100
|
||||||
@@ -233,6 +233,8 @@ int MAIN(int argc, char **argv)
|
@@ -233,6 +233,8 @@ int MAIN(int argc, char **argv)
|
||||||
else if (!strcmp(*args,"-camellia256"))
|
else if (!strcmp(*args,"-camellia256"))
|
||||||
cipher = EVP_camellia_256_cbc();
|
cipher = EVP_camellia_256_cbc();
|
||||||
@ -19,9 +19,20 @@ diff -up openssl-1.0.1c/apps/cms.c.backports2 openssl-1.0.1c/apps/cms.c
|
|||||||
|
|
||||||
if (secret_key)
|
if (secret_key)
|
||||||
{
|
{
|
||||||
|
diff -up openssl-1.0.1c/crypto/asn1/a_strex.c.backports2 openssl-1.0.1c/crypto/asn1/a_strex.c
|
||||||
|
--- openssl-1.0.1c/crypto/asn1/a_strex.c.backports2 2011-01-03 02:30:58.000000000 +0100
|
||||||
|
+++ openssl-1.0.1c/crypto/asn1/a_strex.c 2012-11-20 22:13:05.722766980 +0100
|
||||||
|
@@ -567,6 +567,7 @@ int ASN1_STRING_to_UTF8(unsigned char **
|
||||||
|
if(mbflag == -1) return -1;
|
||||||
|
mbflag |= MBSTRING_FLAG;
|
||||||
|
stmp.data = NULL;
|
||||||
|
+ stmp.length = 0;
|
||||||
|
ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
|
||||||
|
if(ret < 0) return ret;
|
||||||
|
*out = stmp.data;
|
||||||
diff -up openssl-1.0.1c/crypto/bn/bn_lcl.h.backports2 openssl-1.0.1c/crypto/bn/bn_lcl.h
|
diff -up openssl-1.0.1c/crypto/bn/bn_lcl.h.backports2 openssl-1.0.1c/crypto/bn/bn_lcl.h
|
||||||
--- openssl-1.0.1c/crypto/bn/bn_lcl.h.backports2 2012-09-06 17:25:22.000000000 +0200
|
--- openssl-1.0.1c/crypto/bn/bn_lcl.h.backports2 2012-11-14 20:27:49.696199811 +0100
|
||||||
+++ openssl-1.0.1c/crypto/bn/bn_lcl.h 2012-09-07 10:22:43.000000000 +0200
|
+++ openssl-1.0.1c/crypto/bn/bn_lcl.h 2012-11-14 20:27:50.240211707 +0100
|
||||||
@@ -282,16 +282,23 @@ extern "C" {
|
@@ -282,16 +282,23 @@ extern "C" {
|
||||||
# endif
|
# endif
|
||||||
# elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG))
|
# elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG))
|
||||||
@ -48,9 +59,30 @@ diff -up openssl-1.0.1c/crypto/bn/bn_lcl.h.backports2 openssl-1.0.1c/crypto/bn/b
|
|||||||
# endif
|
# endif
|
||||||
# endif /* cpu */
|
# endif /* cpu */
|
||||||
#endif /* OPENSSL_NO_ASM */
|
#endif /* OPENSSL_NO_ASM */
|
||||||
|
diff -up openssl-1.0.1c/crypto/evp/e_aes.c.backports2 openssl-1.0.1c/crypto/evp/e_aes.c
|
||||||
|
--- openssl-1.0.1c/crypto/evp/e_aes.c.backports2 2012-11-14 20:27:50.238211664 +0100
|
||||||
|
+++ openssl-1.0.1c/crypto/evp/e_aes.c 2012-11-20 22:10:06.350891703 +0100
|
||||||
|
@@ -968,8 +968,6 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX
|
||||||
|
|
||||||
|
if (!gctx->iv_set)
|
||||||
|
return -1;
|
||||||
|
- if (!ctx->encrypt && gctx->taglen < 0)
|
||||||
|
- return -1;
|
||||||
|
if (in)
|
||||||
|
{
|
||||||
|
if (out == NULL)
|
||||||
|
@@ -1011,6 +1009,8 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX
|
||||||
|
{
|
||||||
|
if (!ctx->encrypt)
|
||||||
|
{
|
||||||
|
+ if (gctx->taglen < 0)
|
||||||
|
+ return -1;
|
||||||
|
if (CRYPTO_gcm128_finish(&gctx->gcm,
|
||||||
|
ctx->buf, gctx->taglen) != 0)
|
||||||
|
return -1;
|
||||||
diff -up openssl-1.0.1c/crypto/modes/gcm128.c.backports2 openssl-1.0.1c/crypto/modes/gcm128.c
|
diff -up openssl-1.0.1c/crypto/modes/gcm128.c.backports2 openssl-1.0.1c/crypto/modes/gcm128.c
|
||||||
--- openssl-1.0.1c/crypto/modes/gcm128.c.backports2 2012-01-25 18:56:24.000000000 +0100
|
--- openssl-1.0.1c/crypto/modes/gcm128.c.backports2 2012-01-25 18:56:24.000000000 +0100
|
||||||
+++ openssl-1.0.1c/crypto/modes/gcm128.c 2012-09-07 10:24:56.000000000 +0200
|
+++ openssl-1.0.1c/crypto/modes/gcm128.c 2012-11-14 20:27:50.241211729 +0100
|
||||||
@@ -1398,7 +1398,7 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT
|
@@ -1398,7 +1398,7 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT
|
||||||
void (*gcm_gmult_p)(u64 Xi[2],const u128 Htable[16]) = ctx->gmult;
|
void (*gcm_gmult_p)(u64 Xi[2],const u128 Htable[16]) = ctx->gmult;
|
||||||
#endif
|
#endif
|
||||||
@ -60,9 +92,57 @@ diff -up openssl-1.0.1c/crypto/modes/gcm128.c.backports2 openssl-1.0.1c/crypto/m
|
|||||||
GCM_MUL(ctx,Xi);
|
GCM_MUL(ctx,Xi);
|
||||||
|
|
||||||
if (is_endian.little) {
|
if (is_endian.little) {
|
||||||
|
diff -up openssl-1.0.1c/crypto/sha/asm/sha1-armv4-large.pl.backports2 openssl-1.0.1c/crypto/sha/asm/sha1-armv4-large.pl
|
||||||
|
--- openssl-1.0.1c/crypto/sha/asm/sha1-armv4-large.pl.backports2 2012-11-14 20:27:50.293212866 +0100
|
||||||
|
+++ openssl-1.0.1c/crypto/sha/asm/sha1-armv4-large.pl 2012-11-20 22:20:15.015041719 +0100
|
||||||
|
@@ -177,6 +177,7 @@ for($i=0;$i<5;$i++) {
|
||||||
|
$code.=<<___;
|
||||||
|
teq $Xi,sp
|
||||||
|
bne .L_00_15 @ [((11+4)*5+2)*3]
|
||||||
|
+ sub sp,sp,#25*4
|
||||||
|
___
|
||||||
|
&BODY_00_15(@V); unshift(@V,pop(@V));
|
||||||
|
&BODY_16_19(@V); unshift(@V,pop(@V));
|
||||||
|
@@ -186,7 +187,6 @@ ___
|
||||||
|
$code.=<<___;
|
||||||
|
|
||||||
|
ldr $K,.LK_20_39 @ [+15+16*4]
|
||||||
|
- sub sp,sp,#25*4
|
||||||
|
cmn sp,#0 @ [+3], clear carry to denote 20_39
|
||||||
|
.L_20_39_or_60_79:
|
||||||
|
___
|
||||||
|
diff -up openssl-1.0.1c/ssl/s3_srvr.c.backports2 openssl-1.0.1c/ssl/s3_srvr.c
|
||||||
|
--- openssl-1.0.1c/ssl/s3_srvr.c.backports2 2012-04-15 19:23:41.000000000 +0200
|
||||||
|
+++ openssl-1.0.1c/ssl/s3_srvr.c 2012-11-20 22:23:21.684755182 +0100
|
||||||
|
@@ -1181,7 +1181,7 @@ int ssl3_get_client_hello(SSL *s)
|
||||||
|
goto f_err;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- if (ssl_check_clienthello_tlsext(s) <= 0) {
|
||||||
|
+ if (ssl_check_clienthello_tlsext_early(s) <= 0) {
|
||||||
|
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
@@ -1403,6 +1403,16 @@ int ssl3_get_client_hello(SSL *s)
|
||||||
|
* s->tmp.new_cipher - the new cipher to use.
|
||||||
|
*/
|
||||||
|
|
||||||
|
+ /* Handles TLS extensions that we couldn't check earlier */
|
||||||
|
+ if (s->version >= SSL3_VERSION)
|
||||||
|
+ {
|
||||||
|
+ if (ssl_check_clienthello_tlsext_late(s) <= 0)
|
||||||
|
+ {
|
||||||
|
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (ret < 0) ret=1;
|
||||||
|
if (0)
|
||||||
|
{
|
||||||
diff -up openssl-1.0.1c/ssl/ssl_cert.c.backports2 openssl-1.0.1c/ssl/ssl_cert.c
|
diff -up openssl-1.0.1c/ssl/ssl_cert.c.backports2 openssl-1.0.1c/ssl/ssl_cert.c
|
||||||
--- openssl-1.0.1c/ssl/ssl_cert.c.backports2 2011-05-11 15:37:52.000000000 +0200
|
--- openssl-1.0.1c/ssl/ssl_cert.c.backports2 2011-05-11 15:37:52.000000000 +0200
|
||||||
+++ openssl-1.0.1c/ssl/ssl_cert.c 2012-09-07 10:33:54.000000000 +0200
|
+++ openssl-1.0.1c/ssl/ssl_cert.c 2012-11-14 20:27:50.241211729 +0100
|
||||||
@@ -164,14 +164,14 @@ static void ssl_cert_set_default_md(CERT
|
@@ -164,14 +164,14 @@ static void ssl_cert_set_default_md(CERT
|
||||||
{
|
{
|
||||||
/* Set digest values to defaults */
|
/* Set digest values to defaults */
|
||||||
@ -80,10 +160,212 @@ diff -up openssl-1.0.1c/ssl/ssl_cert.c.backports2 openssl-1.0.1c/ssl/ssl_cert.c
|
|||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
|
diff -up openssl-1.0.1c/ssl/ssl_lib.c.backports2 openssl-1.0.1c/ssl/ssl_lib.c
|
||||||
|
--- openssl-1.0.1c/ssl/ssl_lib.c.backports2 2012-01-05 11:22:39.000000000 +0100
|
||||||
|
+++ openssl-1.0.1c/ssl/ssl_lib.c 2012-11-20 22:25:29.243509755 +0100
|
||||||
|
@@ -2287,7 +2287,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* THIS NEEDS CLEANING UP */
|
||||||
|
-X509 *ssl_get_server_send_cert(SSL *s)
|
||||||
|
+CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)
|
||||||
|
{
|
||||||
|
unsigned long alg_k,alg_a;
|
||||||
|
CERT *c;
|
||||||
|
@@ -2345,9 +2345,17 @@ X509 *ssl_get_server_send_cert(SSL *s)
|
||||||
|
SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR);
|
||||||
|
return(NULL);
|
||||||
|
}
|
||||||
|
- if (c->pkeys[i].x509 == NULL) return(NULL);
|
||||||
|
|
||||||
|
- return(c->pkeys[i].x509);
|
||||||
|
+ return c->pkeys + i;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+X509 *ssl_get_server_send_cert(const SSL *s)
|
||||||
|
+ {
|
||||||
|
+ CERT_PKEY *cpk;
|
||||||
|
+ cpk = ssl_get_server_send_pkey(s);
|
||||||
|
+ if (!cpk)
|
||||||
|
+ return NULL;
|
||||||
|
+ return cpk->x509;
|
||||||
|
}
|
||||||
|
|
||||||
|
EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
|
||||||
|
@@ -2780,7 +2788,9 @@ void ssl_clear_cipher_ctx(SSL *s)
|
||||||
|
/* Fix this function so that it takes an optional type parameter */
|
||||||
|
X509 *SSL_get_certificate(const SSL *s)
|
||||||
|
{
|
||||||
|
- if (s->cert != NULL)
|
||||||
|
+ if (s->server)
|
||||||
|
+ return(ssl_get_server_send_cert(s));
|
||||||
|
+ else if (s->cert != NULL)
|
||||||
|
return(s->cert->key->x509);
|
||||||
|
else
|
||||||
|
return(NULL);
|
||||||
|
diff -up openssl-1.0.1c/ssl/ssl_locl.h.backports2 openssl-1.0.1c/ssl/ssl_locl.h
|
||||||
|
--- openssl-1.0.1c/ssl/ssl_locl.h.backports2 2012-11-14 20:27:50.056207682 +0100
|
||||||
|
+++ openssl-1.0.1c/ssl/ssl_locl.h 2012-11-20 22:25:29.244509777 +0100
|
||||||
|
@@ -814,7 +814,8 @@ int ssl_verify_cert_chain(SSL *s,STACK_O
|
||||||
|
int ssl_undefined_function(SSL *s);
|
||||||
|
int ssl_undefined_void_function(void);
|
||||||
|
int ssl_undefined_const_function(const SSL *s);
|
||||||
|
-X509 *ssl_get_server_send_cert(SSL *);
|
||||||
|
+CERT_PKEY *ssl_get_server_send_pkey(const SSL *s);
|
||||||
|
+X509 *ssl_get_server_send_cert(const SSL *);
|
||||||
|
EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd);
|
||||||
|
int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
|
||||||
|
void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
|
||||||
|
@@ -1065,7 +1066,8 @@ int ssl_parse_clienthello_tlsext(SSL *s,
|
||||||
|
int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
|
||||||
|
int ssl_prepare_clienthello_tlsext(SSL *s);
|
||||||
|
int ssl_prepare_serverhello_tlsext(SSL *s);
|
||||||
|
-int ssl_check_clienthello_tlsext(SSL *s);
|
||||||
|
+int ssl_check_clienthello_tlsext_early(SSL *s);
|
||||||
|
+int ssl_check_clienthello_tlsext_late(SSL *s);
|
||||||
|
int ssl_check_serverhello_tlsext(SSL *s);
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_HEARTBEATS
|
||||||
diff -up openssl-1.0.1c/ssl/t1_lib.c.backports2 openssl-1.0.1c/ssl/t1_lib.c
|
diff -up openssl-1.0.1c/ssl/t1_lib.c.backports2 openssl-1.0.1c/ssl/t1_lib.c
|
||||||
--- openssl-1.0.1c/ssl/t1_lib.c.backports2 2012-03-21 22:32:57.000000000 +0100
|
--- openssl-1.0.1c/ssl/t1_lib.c.backports2 2012-03-21 22:32:57.000000000 +0100
|
||||||
+++ openssl-1.0.1c/ssl/t1_lib.c 2012-09-07 10:33:54.000000000 +0200
|
+++ openssl-1.0.1c/ssl/t1_lib.c 2012-11-20 22:25:29.244509777 +0100
|
||||||
@@ -2414,7 +2414,7 @@ int tls1_process_sigalgs(SSL *s, const u
|
@@ -1763,7 +1763,7 @@ int ssl_prepare_serverhello_tlsext(SSL *
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
-int ssl_check_clienthello_tlsext(SSL *s)
|
||||||
|
+int ssl_check_clienthello_tlsext_early(SSL *s)
|
||||||
|
{
|
||||||
|
int ret=SSL_TLSEXT_ERR_NOACK;
|
||||||
|
int al = SSL_AD_UNRECOGNIZED_NAME;
|
||||||
|
@@ -1782,42 +1782,12 @@ int ssl_check_clienthello_tlsext(SSL *s)
|
||||||
|
else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
|
||||||
|
ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
|
||||||
|
|
||||||
|
- /* If status request then ask callback what to do.
|
||||||
|
- * Note: this must be called after servername callbacks in case
|
||||||
|
- * the certificate has changed.
|
||||||
|
- */
|
||||||
|
- if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
|
||||||
|
- {
|
||||||
|
- int r;
|
||||||
|
- r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
|
||||||
|
- switch (r)
|
||||||
|
- {
|
||||||
|
- /* We don't want to send a status request response */
|
||||||
|
- case SSL_TLSEXT_ERR_NOACK:
|
||||||
|
- s->tlsext_status_expected = 0;
|
||||||
|
- break;
|
||||||
|
- /* status request response should be sent */
|
||||||
|
- case SSL_TLSEXT_ERR_OK:
|
||||||
|
- if (s->tlsext_ocsp_resp)
|
||||||
|
- s->tlsext_status_expected = 1;
|
||||||
|
- else
|
||||||
|
- s->tlsext_status_expected = 0;
|
||||||
|
- break;
|
||||||
|
- /* something bad happened */
|
||||||
|
- case SSL_TLSEXT_ERR_ALERT_FATAL:
|
||||||
|
- ret = SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||||
|
- al = SSL_AD_INTERNAL_ERROR;
|
||||||
|
- goto err;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- else
|
||||||
|
- s->tlsext_status_expected = 0;
|
||||||
|
-
|
||||||
|
#ifdef TLSEXT_TYPE_opaque_prf_input
|
||||||
|
{
|
||||||
|
/* This sort of belongs into ssl_prepare_serverhello_tlsext(),
|
||||||
|
* but we might be sending an alert in response to the client hello,
|
||||||
|
- * so this has to happen here in ssl_check_clienthello_tlsext(). */
|
||||||
|
+ * so this has to happen here in
|
||||||
|
+ * ssl_check_clienthello_tlsext_early(). */
|
||||||
|
|
||||||
|
int r = 1;
|
||||||
|
|
||||||
|
@@ -1869,8 +1839,8 @@ int ssl_check_clienthello_tlsext(SSL *s)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
-#endif
|
||||||
|
err:
|
||||||
|
+#endif
|
||||||
|
switch (ret)
|
||||||
|
{
|
||||||
|
case SSL_TLSEXT_ERR_ALERT_FATAL:
|
||||||
|
@@ -1888,6 +1858,71 @@ int ssl_check_clienthello_tlsext(SSL *s)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+int ssl_check_clienthello_tlsext_late(SSL *s)
|
||||||
|
+ {
|
||||||
|
+ int ret = SSL_TLSEXT_ERR_OK;
|
||||||
|
+ int al;
|
||||||
|
+
|
||||||
|
+ /* If status request then ask callback what to do.
|
||||||
|
+ * Note: this must be called after servername callbacks in case
|
||||||
|
+ * the certificate has changed, and must be called after the cipher
|
||||||
|
+ * has been chosen because this may influence which certificate is sent
|
||||||
|
+ */
|
||||||
|
+ if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
|
||||||
|
+ {
|
||||||
|
+ int r;
|
||||||
|
+ CERT_PKEY *certpkey;
|
||||||
|
+ certpkey = ssl_get_server_send_pkey(s);
|
||||||
|
+ /* If no certificate can't return certificate status */
|
||||||
|
+ if (certpkey == NULL)
|
||||||
|
+ {
|
||||||
|
+ s->tlsext_status_expected = 0;
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+ /* Set current certificate to one we will use so
|
||||||
|
+ * SSL_get_certificate et al can pick it up.
|
||||||
|
+ */
|
||||||
|
+ s->cert->key = certpkey;
|
||||||
|
+ r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
|
||||||
|
+ switch (r)
|
||||||
|
+ {
|
||||||
|
+ /* We don't want to send a status request response */
|
||||||
|
+ case SSL_TLSEXT_ERR_NOACK:
|
||||||
|
+ s->tlsext_status_expected = 0;
|
||||||
|
+ break;
|
||||||
|
+ /* status request response should be sent */
|
||||||
|
+ case SSL_TLSEXT_ERR_OK:
|
||||||
|
+ if (s->tlsext_ocsp_resp)
|
||||||
|
+ s->tlsext_status_expected = 1;
|
||||||
|
+ else
|
||||||
|
+ s->tlsext_status_expected = 0;
|
||||||
|
+ break;
|
||||||
|
+ /* something bad happened */
|
||||||
|
+ case SSL_TLSEXT_ERR_ALERT_FATAL:
|
||||||
|
+ ret = SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||||
|
+ al = SSL_AD_INTERNAL_ERROR;
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
+ s->tlsext_status_expected = 0;
|
||||||
|
+
|
||||||
|
+ err:
|
||||||
|
+ switch (ret)
|
||||||
|
+ {
|
||||||
|
+ case SSL_TLSEXT_ERR_ALERT_FATAL:
|
||||||
|
+ ssl3_send_alert(s,SSL3_AL_FATAL,al);
|
||||||
|
+ return -1;
|
||||||
|
+
|
||||||
|
+ case SSL_TLSEXT_ERR_ALERT_WARNING:
|
||||||
|
+ ssl3_send_alert(s,SSL3_AL_WARNING,al);
|
||||||
|
+ return 1;
|
||||||
|
+
|
||||||
|
+ default:
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
int ssl_check_serverhello_tlsext(SSL *s)
|
||||||
|
{
|
||||||
|
int ret=SSL_TLSEXT_ERR_NOACK;
|
||||||
|
@@ -2414,7 +2449,7 @@ int tls1_process_sigalgs(SSL *s, const u
|
||||||
*/
|
*/
|
||||||
#ifndef OPENSSL_NO_DSA
|
#ifndef OPENSSL_NO_DSA
|
||||||
if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
|
if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
|
||||||
@ -92,7 +374,7 @@ diff -up openssl-1.0.1c/ssl/t1_lib.c.backports2 openssl-1.0.1c/ssl/t1_lib.c
|
|||||||
#endif
|
#endif
|
||||||
#ifndef OPENSSL_NO_RSA
|
#ifndef OPENSSL_NO_RSA
|
||||||
if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
|
if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
|
||||||
@@ -2425,7 +2425,7 @@ int tls1_process_sigalgs(SSL *s, const u
|
@@ -2425,7 +2460,7 @@ int tls1_process_sigalgs(SSL *s, const u
|
||||||
#endif
|
#endif
|
||||||
#ifndef OPENSSL_NO_ECDSA
|
#ifndef OPENSSL_NO_ECDSA
|
||||||
if (!c->pkeys[SSL_PKEY_ECC].digest)
|
if (!c->pkeys[SSL_PKEY_ECC].digest)
|
||||||
|
@ -945,7 +945,7 @@ diff -up openssl-1.0.1c/crypto/dsa/dsa_key.c.fips openssl-1.0.1c/crypto/dsa/dsa_
|
|||||||
+ unsigned char tbs[] = "DSA Pairwise Check Data";
|
+ unsigned char tbs[] = "DSA Pairwise Check Data";
|
||||||
+ int ret = 0;
|
+ int ret = 0;
|
||||||
+
|
+
|
||||||
+ if ((pk=EVP_PKEY_new()) != NULL)
|
+ if ((pk=EVP_PKEY_new()) == NULL)
|
||||||
+ goto err;
|
+ goto err;
|
||||||
+
|
+
|
||||||
+ EVP_PKEY_set1_DSA(pk, dsa);
|
+ EVP_PKEY_set1_DSA(pk, dsa);
|
||||||
|
@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implem
|
|||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 1.0.1c
|
Version: 1.0.1c
|
||||||
# Do not forget to bump SHLIB_VERSION on version upgrades
|
# Do not forget to bump SHLIB_VERSION on version upgrades
|
||||||
Release: 8%{?dist}
|
Release: 9%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -431,6 +431,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||||||
%postun libs -p /sbin/ldconfig
|
%postun libs -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Nov 20 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-9
|
||||||
|
- more fixes from upstream CVS
|
||||||
|
- fix DSA key pairwise check (#878597)
|
||||||
|
|
||||||
* Thu Nov 15 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-8
|
* Thu Nov 15 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-8
|
||||||
- use 1024 bit DH parameters in s_server as 512 bit is not allowed
|
- use 1024 bit DH parameters in s_server as 512 bit is not allowed
|
||||||
in FIPS mode and it is quite weak anyway
|
in FIPS mode and it is quite weak anyway
|
||||||
|
Loading…
Reference in New Issue
Block a user