diff --git a/openssl-0.9.8b-block-padding.patch b/openssl-0.9.8b-block-padding.patch new file mode 100644 index 0000000..4dac9cd --- /dev/null +++ b/openssl-0.9.8b-block-padding.patch @@ -0,0 +1,22 @@ +openssl/ssl/t1_enc.c 1.35.2.1 -> 1.35.2.2 + +--- openssl/ssl/t1_enc.c 2005/09/30 23:38:20 1.35.2.1 ++++ openssl/ssl/t1_enc.c 2006/05/07 12:27:48 1.35.2.2 +@@ -628,7 +628,15 @@ + { + ii=i=rec->data[l-1]; /* padding_length */ + i++; +- if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) ++ /* NB: if compression is in operation the first packet ++ * may not be of even length so the padding bug check ++ * cannot be performed. This bug workaround has been ++ * around since SSLeay so hopefully it is either fixed ++ * now or no buggy implementation supports compression ++ * [steve] ++ */ ++ if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) ++ && !s->expand) + { + /* First packet is even in size, so check */ + if ((memcmp(s->s3->read_sequence, + diff --git a/openssl-0.9.8b-pkcs12-fix.patch b/openssl-0.9.8b-pkcs12-fix.patch new file mode 100644 index 0000000..59f7ae2 --- /dev/null +++ b/openssl-0.9.8b-pkcs12-fix.patch @@ -0,0 +1,49 @@ +openssl/crypto/pkcs12/p12_mutl.c 1.23.2.1 -> 1.23.2.2 + +--- openssl/crypto/pkcs12/p12_mutl.c 2005/06/30 11:34:27 1.23.2.1 ++++ openssl/crypto/pkcs12/p12_mutl.c 2006/05/17 18:20:27 1.23.2.2 +@@ -69,7 +69,7 @@ + { + const EVP_MD *md_type; + HMAC_CTX hmac; +- unsigned char key[PKCS12_MAC_KEY_LENGTH], *salt; ++ unsigned char key[EVP_MAX_MD_SIZE], *salt; + int saltlen, iter; + + if (!PKCS7_type_is_data(p12->authsafes)) +@@ -88,12 +88,12 @@ + return 0; + } + if(!PKCS12_key_gen (pass, passlen, salt, saltlen, PKCS12_MAC_ID, iter, +- PKCS12_MAC_KEY_LENGTH, key, md_type)) { ++ EVP_MD_size(md_type), key, md_type)) { + PKCS12err(PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_KEY_GEN_ERROR); + return 0; + } + HMAC_CTX_init(&hmac); +- HMAC_Init_ex(&hmac, key, PKCS12_MAC_KEY_LENGTH, md_type, NULL); ++ HMAC_Init_ex(&hmac, key, EVP_MD_size(md_type), md_type, NULL); + HMAC_Update(&hmac, p12->authsafes->d.data->data, + p12->authsafes->d.data->length); + HMAC_Final(&hmac, mac, maclen); +openssl/apps/pkcs12.c 1.79.2.1 -> 1.79.2.2 + +--- openssl/apps/pkcs12.c 2005/05/31 17:31:50 1.79.2.1 ++++ openssl/apps/pkcs12.c 2006/05/17 18:25:59 1.79.2.2 +@@ -825,12 +825,14 @@ + PBEPARAM *pbe; + const unsigned char *p; + p = alg->parameter->value.sequence->data; +- pbe = d2i_PBEPARAM (NULL, &p, alg->parameter->value.sequence->length); ++ pbe = d2i_PBEPARAM(NULL, &p, alg->parameter->value.sequence->length); ++ if (!pbe) ++ return 1; + BIO_printf (bio_err, "%s, Iteration %ld\n", + OBJ_nid2ln(OBJ_obj2nid(alg->algorithm)), + ASN1_INTEGER_get(pbe->iter)); + PBEPARAM_free (pbe); +- return 0; ++ return 1; + } + + /* Load all certificates from a given file */ diff --git a/openssl.spec b/openssl.spec index 26d9334..11b20d9 100644 --- a/openssl.spec +++ b/openssl.spec @@ -20,10 +20,10 @@ %define libicaversion 1.3.6-rc3 -Summary: The OpenSSL toolkit. +Summary: The OpenSSL toolkit Name: openssl Version: 0.9.8b -Release: 1 +Release: 2 Source: openssl-%{version}-usa.tar.bz2 Source1: hobble-openssl Source2: Makefile.certificate @@ -57,15 +57,16 @@ Patch33: openssl-0.9.7f-ca-dir.patch Patch34: openssl-0.9.6-x509.patch Patch35: openssl-0.9.7-beta5-version-add-engines.patch Patch36: openssl-0.9.8a-use-poll.patch -Patch37: openssl-0.9.8a-no-builtin-comp.patch Patch38: openssl-0.9.8a-reuse-cipher-change.patch # Backported fixes including security fixes +Patch51: openssl-0.9.8b-block-padding.patch +Patch52: openssl-0.9.8b-pkcs12-fix.patch License: BSDish Group: System Environment/Libraries URL: http://www.openssl.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-root -BuildPreReq: mktemp, krb5-devel, perl, sed, zlib-devel, /usr/bin/cmp +BuildRequires: mktemp, krb5-devel, perl, sed, zlib-devel, /usr/bin/cmp Requires: mktemp %description @@ -75,7 +76,7 @@ libraries which provide various cryptographic algorithms and protocols. %package devel -Summary: Files for development of applications which will use OpenSSL. +Summary: Files for development of applications which will use OpenSSL Group: Development/Libraries Requires: %{name} = %{version}-%{release}, krb5-devel, zlib-devel @@ -86,7 +87,7 @@ applications which support various cryptographic algorithms and protocols. %package perl -Summary: Perl scripts provided with OpenSSL. +Summary: Perl scripts provided with OpenSSL Group: Applications/Internet Requires: perl Requires: %{name} = %{version}-%{release} @@ -125,9 +126,11 @@ popd %patch34 -p1 -b .x509 %patch35 -p1 -b .version-add-engines %patch36 -p1 -b .use-poll -%patch37 -p1 -b .no-builtin-comp %patch38 -p1 -b .cipher-change +%patch51 -p1 -b .block-padding +%patch52 -p1 -b .pkcs12-fix + # Modify the various perl scripts to reference perl in the right location. perl util/perlpath.pl `dirname %{__perl}` @@ -211,6 +214,7 @@ popd # Install OpenSSL. install -d $RPM_BUILD_ROOT/{%{_lib},%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl} make INSTALL_PREFIX=$RPM_BUILD_ROOT install build-shared +# OpenSSL install doesn't use correct _libdir mv $RPM_BUILD_ROOT/usr/lib/lib*.so.%{soversion} $RPM_BUILD_ROOT/%{_lib}/ mv $RPM_BUILD_ROOT/usr/lib/engines $RPM_BUILD_ROOT/%{_libdir}/openssl mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man/* $RPM_BUILD_ROOT%{_mandir}/ @@ -227,8 +231,8 @@ done # Install a makefile for generating keys and self-signed certs, and a script # for generating them on the fly. mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs -install -m644 $RPM_SOURCE_DIR/Makefile.certificate $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/Makefile -install -m644 $RPM_SOURCE_DIR/make-dummy-cert $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/make-dummy-cert +install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/Makefile +install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/make-dummy-cert # Make sure we actually include the headers we built against. for header in $RPM_BUILD_ROOT%{_includedir}/openssl/* ; do @@ -390,6 +394,11 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libssl.so.%{soversion} %postun -p /sbin/ldconfig %changelog +* Mon Jun 5 2006 Tomas Mraz - 0.9.8b-2 +- fixed a few rpmlint warnings +- better fix for #173399 from upstream +- upstream fix for pkcs12 + * Thu May 11 2006 Tomas Mraz - 0.9.8b-1 - upgrade to new version, stays ABI compatible - there is no more linux/config.h (it was empty anyway)