- disable enforcement of the renegotiation extension on the client (#537962)
- add fixes from the current upstream snapshot
This commit is contained in:
parent
982ac6e5f9
commit
5b761f5986
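--- a/openssl-1.0.0-beta4-backports.patch
+++ b/openssl-1.0.0-beta4-backports.patch
@@ -0,0 +1,45 @@
+diff -up openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c.backports openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c
+--- openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c.backports 2008-11-12 04:57:49.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c 2009-11-18 14:11:14.000000000 +0100
+@@ -87,9 +87,13 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PK
+}
+else ret= *a;
+
+- ret->save_type=type;
+- ret->type=EVP_PKEY_type(type);
+- switch (ret->type)
++ if (!EVP_PKEY_set_type(ret, type))
++ {
++ ASN1err(ASN1_F_D2I_PUBLICKEY,ERR_R_EVP_LIB);
++ goto err;
++ }
++
++ switch (EVP_PKEY_id(ret))
+{
+#ifndef OPENSSL_NO_RSA
+case EVP_PKEY_RSA:
+diff -up openssl-1.0.0-beta4/crypto/evp/p_lib.c.backports openssl-1.0.0-beta4/crypto/evp/p_lib.c
+--- openssl-1.0.0-beta4/crypto/evp/p_lib.c.backports 2006-07-04 22:27:44.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/evp/p_lib.c 2009-11-18 14:11:26.000000000 +0100
+@@ -220,7 +220,10 @@ static int pkey_set_type(EVP_PKEY *pkey,
+#ifndef OPENSSL_NO_ENGINE
+/* If we have an ENGINE release it */
+if (pkey->engine)
++ {
+ENGINE_finish(pkey->engine);
++ pkey->engine = NULL;
++ }
+#endif
+}
+if (str)
+diff -up openssl-1.0.0-beta4/crypto/x509/x509_vfy.c.backports openssl-1.0.0-beta4/crypto/x509/x509_vfy.c
+--- openssl-1.0.0-beta4/crypto/x509/x509_vfy.c.backports 2009-10-31 20:21:47.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/x509/x509_vfy.c 2009-11-18 14:11:31.000000000 +0100
+@@ -1727,6 +1727,7 @@ int X509_cmp_time(const ASN1_TIME *ctm,
+offset= -offset;
+}
+atm.type=ctm->type;
++ atm.flags = 0;
+atm.length=sizeof(buff2);
+atm.data=(unsigned char *)buff2;
+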
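Review bot: The patch carries no description of what it backports, unlike openssl-1.0.0-beta4-client-reneg.patch which opens with one, so a reader cannot tell which upstream fixes the three hunks correspond to or why the x509_vfy.c one matters; a header line before the first `diff` such as `Backports from the upstream 1.0.0 snapshot: use EVP_PKEY_set_type() in d2i_PublicKey(), clear pkey->engine after ENGINE_finish() in pkey_set_type(), initialise the stack ASN1_TIME flags field in X509_cmp_time()` would fix that. The x509_vfy.c hunk is the one with a correctness consequence worth recording: `atm` is a stack ASN1_TIME whose `flags` member was never set before `atm.flags = 0;` was added, so anything that inspected it read an uninitialised field. The p_lib.c hunk likewise deserves a sentence, since without `pkey->engine = NULL;` a later call on the same key would presumably call ENGINE_finish() on an already-released engine. In the d2i_pu.c hunk the new `goto err` runs after EVP_PKEY_set_type() has, as far as can be inferred, already torn down a caller-supplied `*a` inside pkey_set_type(), which matches upstream but is the kind of state change the description should mention. All three enclosing functions start and end outside their hunks.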
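--- a/openssl-1.0.0-beta4-client-reneg.patch
+++ b/openssl-1.0.0-beta4-client-reneg.patch
@@ -0,0 +1,35 @@
+Do not enforce the renegotiation extension on the client - too many broken servers remain.
+diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.client-reneg openssl-1.0.0-beta4/ssl/t1_lib.c
+--- openssl-1.0.0-beta4/ssl/t1_lib.c.client-reneg 2009-11-12 15:17:29.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-18 14:04:19.000000000 +0100
+@@ -985,6 +985,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+
+if (data >= (d+n-2))
+{
++#if 0
+/* Because the client does not see any renegotiation during an
+attack, we must enforce this on all server hellos, even the
+first */
+@@ -994,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+return 0;
+}
++#endif
+return 1;
+}
+
+@@ -1126,12 +1128,14 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+return 0;
+}
+
++#if 0
+if (!renegotiate_seen
+&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+{
+*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+return 0;
+}
++#endif
+
+if (!s->hit && tlsext_servername == 1)
+{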
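Review bot: The `#if 0` in the third hunk removes a check that was already opt-out, since it was only enforced when the application had not set `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION`; compiling it out entirely means an application that deliberately wants strict behaviour has no way to get it back, and the comment the first hunk disables explains exactly what is lost: the client never sees the renegotiation during the attack, so it is the client-side check that stands between it and a server that lacks the extension. A less destructive way to get the same default is to leave both checks compiled in and have the distribution set `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` in the default options (outside this hunk), so callers can restore the check with `SSL_CTX_clear_options()`; if the first check must also be relaxed, gate it on the same option rather than on `#if 0`. At minimum each `#if 0` should carry a reason, e.g. `/* Disabled for #537962: too many servers still lack the renegotiation extension; drop this once they are fixed. */`, because the original rationale comment now sits inside a dead block. With the third block gone, `renegotiate_seen` is presumably still assigned in the extension loop but no longer read in this function, which some compilers will flag. ssl_parse_serverhello_tlsext starts and ends outside these hunks.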
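--- a/openssl.spec
+++ b/openssl.spec
@@ -23,7 +23,7 @@
 Summary: A general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.0
-Release: 0.12.%{beta}%{?dist}
+Release: 0.13.%{beta}%{?dist}
 # We remove certain patented algorithms from the openssl source tarball
 # with the hobble-openssl script which is included below.
 Source: openssl-%{version}-%{beta}-usa.tar.bz2
@@ -63,6 +63,9 @@ Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
 Patch51: openssl-1.0.0-beta4-version.patch
 # Backported fixes including security fixes
 Patch60: openssl-1.0.0-beta4-reneg.patch
+# This one is not backported but has to be applied after reneg patch
+Patch61: openssl-1.0.0-beta4-client-reneg.patch
+Patch62: openssl-1.0.0-beta4-backports.patch
 
 License: OpenSSL
 Group: System Environment/Libraries
@@ -143,6 +146,8 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch51 -p1 -b .version
 
 %patch60 -p1 -b .reneg
+%patch61 -p1 -b .client-reneg
+%patch62 -p1 -b .backports
 
 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`
@@ -391,6 +396,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun -p /sbin/ldconfig
 
 %changelog
+* Wed Nov 18 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.13.beta4
+- disable enforcement of the renegotiation extension on the client (#537962)
+- add fixes from the current upstream snapshot
+
 * Fri Nov 13 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.12.beta4
 - keep the beta status in version number at 3 so we do not have to rebuild
 openssh and possibly other dependencies with too strict version check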
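Review bot: The comment added above `Patch61` says only that it must follow the reneg patch, not that it is a distribution-local weakening of the security fix Patch60 carries under the "Backported fixes including security fixes" heading, nor when it is meant to go away; a maintainer reading the spec later has no way to know this is temporary. Something like `# Patch61 is a local downgrade of Patch60's client-side check (#537962): it accepts servers without the renegotiation extension; drop it once those servers are fixed` would record both the trade-off and the exit condition. Since the patch is applied unconditionally in `%prep`, it would also be worth wrapping the `%patch61` line in a `%bcond` so the strict behaviour can be rebuilt without editing the spec. The changelog entry could state the same consequence in a few words, as it is the line people will read when they ask why clients stopped rejecting such servers.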