- update to new upstream version, no soname bump needed
- fix CVE-2009-3555 - note that the fix is bypassed when SSL_OP_ALL is used, so compatibility with unfixed clients is not broken. The protocol extension is also not yet final.
This commit is contained in:
parent
e0fe963bd1
commit
aabbc9ad89
@ -1 +1 @@
|
||||
openssl-1.0.0-beta3-usa.tar.bz2
|
||||
openssl-1.0.0-beta4-usa.tar.bz2
|
||||
|
@ -1,24 +0,0 @@
|
||||
|
||||
This patch fixes a violation of the C aliasing rules that can cause
|
||||
miscompilation with some compiler versions.
|
||||
|
||||
--- openssl-0.9.8b/crypto/dso/dso_dlfcn.c.orig 2006-10-30 18:21:35.000000000 +0100
|
||||
+++ openssl-0.9.8b/crypto/dso/dso_dlfcn.c 2006-10-30 18:21:37.000000000 +0100
|
||||
@@ -237,7 +237,7 @@ static void *dlfcn_bind_var(DSO *dso, co
|
||||
static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname)
|
||||
{
|
||||
void *ptr;
|
||||
- DSO_FUNC_TYPE sym, *tsym = &sym;
|
||||
+ DSO_FUNC_TYPE sym;
|
||||
|
||||
if((dso == NULL) || (symname == NULL))
|
||||
{
|
||||
@@ -255,7 +255,7 @@ static DSO_FUNC_TYPE dlfcn_bind_func(DSO
|
||||
DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_NULL_HANDLE);
|
||||
return(NULL);
|
||||
}
|
||||
- *(void **)(tsym) = dlsym(ptr, symname);
|
||||
+ sym = dlsym(ptr, symname);
|
||||
if(sym == NULL)
|
||||
{
|
||||
DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_SYM_FAILURE);
|
@ -1,36 +0,0 @@
|
||||
diff -up openssl-0.9.8j/apps/openssl.cnf.ca-dir openssl-0.9.8j/apps/openssl.cnf
|
||||
--- openssl-0.9.8j/apps/openssl.cnf.ca-dir 2009-01-13 23:20:10.000000000 +0100
|
||||
+++ openssl-0.9.8j/apps/openssl.cnf 2009-01-13 23:20:10.000000000 +0100
|
||||
@@ -34,7 +34,7 @@ default_ca = CA_default # The default c
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
-dir = ./demoCA # Where everything is kept
|
||||
+dir = /etc/pki/CA # Where everything is kept
|
||||
certs = $dir/certs # Where the issued certs are kept
|
||||
crl_dir = $dir/crl # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
diff -up openssl-0.9.8j/apps/CA.sh.ca-dir openssl-0.9.8j/apps/CA.sh
|
||||
--- openssl-0.9.8j/apps/CA.sh.ca-dir 2005-07-04 23:44:22.000000000 +0200
|
||||
+++ openssl-0.9.8j/apps/CA.sh 2009-01-13 23:20:10.000000000 +0100
|
||||
@@ -39,7 +39,7 @@ CA="$OPENSSL ca $SSLEAY_CONFIG"
|
||||
VERIFY="$OPENSSL verify"
|
||||
X509="$OPENSSL x509"
|
||||
|
||||
-CATOP=./demoCA
|
||||
+CATOP=/etc/pki/CA
|
||||
CAKEY=./cakey.pem
|
||||
CAREQ=./careq.pem
|
||||
CACERT=./cacert.pem
|
||||
diff -up openssl-0.9.8j/apps/CA.pl.in.ca-dir openssl-0.9.8j/apps/CA.pl.in
|
||||
--- openssl-0.9.8j/apps/CA.pl.in.ca-dir 2006-04-28 02:28:51.000000000 +0200
|
||||
+++ openssl-0.9.8j/apps/CA.pl.in 2009-01-13 23:20:10.000000000 +0100
|
||||
@@ -53,7 +53,7 @@ $VERIFY="$openssl verify";
|
||||
$X509="$openssl x509";
|
||||
$PKCS12="$openssl pkcs12";
|
||||
|
||||
-$CATOP="./demoCA";
|
||||
+$CATOP="/etc/pki/CA";
|
||||
$CAKEY="cakey.pem";
|
||||
$CAREQ="careq.pem";
|
||||
$CACERT="cacert.pem";
|
@ -1,12 +0,0 @@
|
||||
diff -up openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86_64.pl.rounds openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86_64.pl
|
||||
--- openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86_64.pl.rounds 2009-09-15 12:09:08.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/crypto/camellia/asm/cmll-x86_64.pl 2009-09-15 12:09:48.000000000 +0200
|
||||
@@ -656,7 +656,7 @@ Camellia_cbc_encrypt:
|
||||
mov %rsi,$out # out argument
|
||||
mov %r8,%rbx # ivp argument
|
||||
mov %rcx,$key # key argument
|
||||
- mov 272(%rcx),$keyend # grandRounds
|
||||
+ mov 272(%rcx),${keyend}d # grandRounds
|
||||
|
||||
mov %r8,$_ivp
|
||||
mov %rbp,$_rsp
|
@ -1,36 +0,0 @@
|
||||
diff -up openssl-1.0.0-beta3/doc/ssl/SSL_CIPHER_get_name.pod.const openssl-1.0.0-beta3/doc/ssl/SSL_CIPHER_get_name.pod
|
||||
--- openssl-1.0.0-beta3/doc/ssl/SSL_CIPHER_get_name.pod.const 2009-02-14 22:49:37.000000000 +0100
|
||||
+++ openssl-1.0.0-beta3/doc/ssl/SSL_CIPHER_get_name.pod 2009-08-22 16:15:32.000000000 +0200
|
||||
@@ -11,7 +11,7 @@ SSL_CIPHER_get_name, SSL_CIPHER_get_bits
|
||||
const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher);
|
||||
int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *alg_bits);
|
||||
char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher);
|
||||
- char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int size);
|
||||
+ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int size);
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
diff -up openssl-1.0.0-beta3/ssl/ssl_ciph.c.const openssl-1.0.0-beta3/ssl/ssl_ciph.c
|
||||
--- openssl-1.0.0-beta3/ssl/ssl_ciph.c.const 2009-08-22 15:56:12.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/ssl/ssl_ciph.c 2009-08-22 15:56:12.000000000 +0200
|
||||
@@ -1458,7 +1458,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
return(cipherstack);
|
||||
}
|
||||
|
||||
-char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
|
||||
+char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
||||
{
|
||||
int is_export,pkl,kl;
|
||||
const char *ver,*exp_str;
|
||||
diff -up openssl-1.0.0-beta3/ssl/ssl.h.const openssl-1.0.0-beta3/ssl/ssl.h
|
||||
--- openssl-1.0.0-beta3/ssl/ssl.h.const 2009-08-22 15:56:11.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/ssl/ssl.h 2009-08-22 15:56:12.000000000 +0200
|
||||
@@ -1638,7 +1638,7 @@ long SSL_get_default_timeout(const SSL *
|
||||
|
||||
int SSL_library_init(void );
|
||||
|
||||
-char *SSL_CIPHER_description(SSL_CIPHER *,char *buf,int size);
|
||||
+char *SSL_CIPHER_description(const SSL_CIPHER *,char *buf,int size);
|
||||
STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk);
|
||||
|
||||
SSL *SSL_dup(SSL *ssl);
|
@ -1,27 +0,0 @@
|
||||
diff -up openssl-1.0.0-beta3/apps/tsget.curl openssl-1.0.0-beta3/apps/tsget
|
||||
--- openssl-1.0.0-beta3/apps/tsget.curl 2006-02-13 00:11:21.000000000 +0100
|
||||
+++ openssl-1.0.0-beta3/apps/tsget 2009-08-21 15:37:24.000000000 +0200
|
||||
@@ -7,7 +7,7 @@ use strict;
|
||||
use IO::Handle;
|
||||
use Getopt::Std;
|
||||
use File::Basename;
|
||||
-use WWW::Curl::easy;
|
||||
+use WWW::Curl::Easy;
|
||||
|
||||
use vars qw(%options);
|
||||
|
||||
@@ -37,7 +37,7 @@ sub create_curl {
|
||||
my $url = shift;
|
||||
|
||||
# Create Curl object.
|
||||
- my $curl = WWW::Curl::easy::new();
|
||||
+ my $curl = WWW::Curl::Easy::new();
|
||||
|
||||
# Error-handling related options.
|
||||
$curl->setopt(CURLOPT_VERBOSE, 1) if $options{d};
|
||||
@@ -192,4 +192,4 @@ REQUEST: foreach (@ARGV) {
|
||||
STDERR->printflush(", $output written.\n") if $options{v};
|
||||
}
|
||||
$curl->cleanup();
|
||||
-WWW::Curl::easy::global_cleanup();
|
||||
+WWW::Curl::Easy::global_cleanup();
|
@ -1,11 +0,0 @@
|
||||
diff -up openssl-1.0.0-beta3/crypto/dsa/dsa_pmeth.c.dss1 openssl-1.0.0-beta3/crypto/dsa/dsa_pmeth.c
|
||||
--- openssl-1.0.0-beta3/crypto/dsa/dsa_pmeth.c.dss1 2008-11-05 19:38:56.000000000 +0100
|
||||
+++ openssl-1.0.0-beta3/crypto/dsa/dsa_pmeth.c 2009-08-31 12:53:47.000000000 +0200
|
||||
@@ -186,6 +186,7 @@ static int pkey_dsa_ctrl(EVP_PKEY_CTX *c
|
||||
|
||||
case EVP_PKEY_CTRL_MD:
|
||||
if (EVP_MD_type((const EVP_MD *)p2) != NID_sha1 &&
|
||||
+ EVP_MD_type((const EVP_MD *)p2) != NID_dsa &&
|
||||
EVP_MD_type((const EVP_MD *)p2) != NID_sha224 &&
|
||||
EVP_MD_type((const EVP_MD *)p2) != NID_sha256)
|
||||
{
|
@ -1,28 +0,0 @@
|
||||
Index: openssl/ssl/d1_clnt.c
|
||||
RCS File: /v/openssl/cvs/openssl/ssl/d1_clnt.c,v
|
||||
rcsdiff -q -kk '-r1.16.2.10' '-r1.16.2.11' -u '/v/openssl/cvs/openssl/ssl/d1_clnt.c,v' 2>/dev/null
|
||||
--- openssl/ssl/d1_clnt.c 2009/07/15 11:32:57 1.16.2.10
|
||||
+++ openssl/ssl/d1_clnt.c 2009/07/24 11:52:32 1.16.2.11
|
||||
@@ -223,6 +223,8 @@
|
||||
s->init_num=0;
|
||||
/* mark client_random uninitialized */
|
||||
memset(s->s3->client_random,0,sizeof(s->s3->client_random));
|
||||
+ s->d1->send_cookie = 0;
|
||||
+ s->hit = 0;
|
||||
break;
|
||||
|
||||
case SSL3_ST_CW_CLNT_HELLO_A:
|
||||
Index: openssl/ssl/d1_pkt.c
|
||||
RCS File: /v/openssl/cvs/openssl/ssl/d1_pkt.c,v
|
||||
rcsdiff -q -kk '-r1.27.2.13' '-r1.27.2.14' -u '/v/openssl/cvs/openssl/ssl/d1_pkt.c,v' 2>/dev/null
|
||||
--- openssl/ssl/d1_pkt.c 2009/07/13 11:44:04 1.27.2.13
|
||||
+++ openssl/ssl/d1_pkt.c 2009/07/24 11:52:32 1.27.2.14
|
||||
@@ -775,7 +775,7 @@
|
||||
/* Check for timeout */
|
||||
if (dtls1_is_timer_expired(s))
|
||||
{
|
||||
- if (dtls1_read_failed(s, -1) > 0);
|
||||
+ if (dtls1_read_failed(s, -1) > 0)
|
||||
goto start;
|
||||
}
|
||||
|
@ -1,52 +0,0 @@
|
||||
diff -up openssl-1.0.0-beta3/Configure.enginesdir openssl-1.0.0-beta3/Configure
|
||||
--- openssl-1.0.0-beta3/Configure.enginesdir 2009-08-10 19:46:32.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/Configure 2009-08-10 19:46:32.000000000 +0200
|
||||
@@ -616,6 +616,7 @@ my $idx_multilib = $idx++;
|
||||
|
||||
my $prefix="";
|
||||
my $openssldir="";
|
||||
+my $enginesdir="";
|
||||
my $exe_ext="";
|
||||
my $install_prefix="";
|
||||
my $cross_compile_prefix="";
|
||||
@@ -820,6 +821,10 @@ PROCESS_ARGS:
|
||||
{
|
||||
$openssldir=$1;
|
||||
}
|
||||
+ elsif (/^--enginesdir=(.*)$/)
|
||||
+ {
|
||||
+ $enginesdir=$1;
|
||||
+ }
|
||||
elsif (/^--install.prefix=(.*)$/)
|
||||
{
|
||||
$install_prefix=$1;
|
||||
@@ -1037,7 +1042,7 @@ chop $prefix if $prefix =~ /.\/$/;
|
||||
|
||||
$openssldir=$prefix . "/ssl" if $openssldir eq "";
|
||||
$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
|
||||
-
|
||||
+$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
|
||||
|
||||
print "IsMK1MF=$IsMK1MF\n";
|
||||
|
||||
@@ -1645,7 +1650,7 @@ while (<IN>)
|
||||
# $foo is to become "$prefix/lib$multilib/engines";
|
||||
# as Makefile.org and engines/Makefile are adapted for
|
||||
# $multilib suffix.
|
||||
- my $foo = "$prefix/lib/engines";
|
||||
+ my $foo = "$enginesdir";
|
||||
$foo =~ s/\\/\\\\/g;
|
||||
print OUT "#define ENGINESDIR \"$foo\"\n";
|
||||
}
|
||||
diff -up openssl-1.0.0-beta3/engines/Makefile.enginesdir openssl-1.0.0-beta3/engines/Makefile
|
||||
--- openssl-1.0.0-beta3/engines/Makefile.enginesdir 2009-06-14 04:37:22.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/engines/Makefile 2009-08-10 19:46:48.000000000 +0200
|
||||
@@ -123,7 +123,7 @@ install:
|
||||
sfx=".so"; \
|
||||
cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
|
||||
fi; \
|
||||
- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
|
||||
+ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
|
||||
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx ); \
|
||||
done; \
|
||||
fi
|
@ -222,7 +222,7 @@ diff -up openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode openssl-1.0.0-beta3/ssl/ssl
|
||||
#ifndef OPENSSL_NO_DES
|
||||
EVP_add_cipher(EVP_des_cbc());
|
||||
EVP_add_cipher(EVP_des_ede3_cbc());
|
||||
@@ -115,6 +121,38 @@ int SSL_library_init(void)
|
||||
@@ -115,6 +121,40 @@ int SSL_library_init(void)
|
||||
EVP_add_digest(EVP_sha());
|
||||
EVP_add_digest(EVP_dss());
|
||||
#endif
|
||||
@ -241,6 +241,8 @@ diff -up openssl-1.0.0-beta3/ssl/ssl_algs.c.fipsmode openssl-1.0.0-beta3/ssl/ssl
|
||||
+#ifndef OPENSSL_NO_MD5
|
||||
+ /* needed even in the FIPS mode for TLS MAC */
|
||||
+ EVP_add_digest(EVP_md5());
|
||||
+ EVP_add_digest_alias(SN_md5,"ssl2-md5");
|
||||
+ EVP_add_digest_alias(SN_md5,"ssl3-md5");
|
||||
+#endif
|
||||
+#ifndef OPENSSL_NO_SHA
|
||||
+ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
|
||||
|
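Review bot: The justification comment on the MD5 registration, `/* needed even in the FIPS mode for TLS MAC */`, understates what it enables: once EVP_md5() and the `ssl2-md5`/`ssl3-md5` aliases are registered, MD5 is resolvable by name from the whole SSL layer, not only for the MAC. The comment should pin the intended scope so that a later change does not read it as a general MD5 allowance under FIPS mode, e.g. `/* MD5 must stay registered in FIPS mode: the TLS 1.0/1.1 PRF and the SSLv3 handshake MAC are defined in terms of it; nothing else may depend on it */`. If the two alias lines are the ones this hunk adds (the hunk-header change from `+121,38` to `+121,40` suggests two added lines), the reason they are needed — name lookup of the SSLv2/SSLv3 digest names — deserves its own short comment as well. SSL_library_init continues outside the hunk.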
@ -1,12 +0,0 @@
|
||||
diff -up openssl-1.0.0-beta3/Makefile.org.krb5 openssl-1.0.0-beta3/Makefile.org
|
||||
--- openssl-1.0.0-beta3/Makefile.org.krb5 2009-04-23 18:12:09.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/Makefile.org 2009-08-04 23:01:16.000000000 +0200
|
||||
@@ -299,7 +299,7 @@ build-shared: do_$(SHLIB_TARGET) link-sh
|
||||
|
||||
do_$(SHLIB_TARGET):
|
||||
@ set -e; libs='-L. $(SHLIBDEPS)'; for i in $(SHLIBDIRS); do \
|
||||
- if [ "$(SHLIBDIRS)" = "ssl" -a -n "$(LIBKRB5)" ]; then \
|
||||
+ if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \
|
||||
libs="$(LIBKRB5) $$libs"; \
|
||||
fi; \
|
||||
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
|
@ -1,253 +0,0 @@
|
||||
Index: openssl/crypto/asn1/a_set.c
|
||||
RCS File: /v/openssl/cvs/openssl/crypto/asn1/a_set.c,v
|
||||
rcsdiff -q -kk '-r1.20' '-r1.20.2.1' -u '/v/openssl/cvs/openssl/crypto/asn1/a_set.c,v' 2>/dev/null
|
||||
--- openssl/crypto/asn1/a_set.c 2009/01/01 18:30:50 1.20
|
||||
+++ openssl/crypto/asn1/a_set.c 2009/07/27 21:21:25 1.20.2.1
|
||||
@@ -85,7 +85,7 @@
|
||||
}
|
||||
|
||||
/* int is_set: if TRUE, then sort the contents (i.e. it isn't a SEQUENCE) */
|
||||
-int i2d_ASN1_SET(STACK_OF(BLOCK) *a, unsigned char **pp,
|
||||
+int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char **pp,
|
||||
i2d_of_void *i2d, int ex_tag, int ex_class,
|
||||
int is_set)
|
||||
{
|
||||
@@ -97,8 +97,8 @@
|
||||
int totSize;
|
||||
|
||||
if (a == NULL) return(0);
|
||||
- for (i=sk_BLOCK_num(a)-1; i>=0; i--)
|
||||
- ret+=i2d(sk_BLOCK_value(a,i),NULL);
|
||||
+ for (i=sk_OPENSSL_BLOCK_num(a)-1; i>=0; i--)
|
||||
+ ret+=i2d(sk_OPENSSL_BLOCK_value(a,i),NULL);
|
||||
r=ASN1_object_size(1,ret,ex_tag);
|
||||
if (pp == NULL) return(r);
|
||||
|
||||
@@ -109,10 +109,10 @@
|
||||
/* And then again by Ben */
|
||||
/* And again by Steve */
|
||||
|
||||
- if(!is_set || (sk_BLOCK_num(a) < 2))
|
||||
+ if(!is_set || (sk_OPENSSL_BLOCK_num(a) < 2))
|
||||
{
|
||||
- for (i=0; i<sk_BLOCK_num(a); i++)
|
||||
- i2d(sk_BLOCK_value(a,i),&p);
|
||||
+ for (i=0; i<sk_OPENSSL_BLOCK_num(a); i++)
|
||||
+ i2d(sk_OPENSSL_BLOCK_value(a,i),&p);
|
||||
|
||||
*pp=p;
|
||||
return(r);
|
||||
@@ -120,17 +120,17 @@
|
||||
|
||||
pStart = p; /* Catch the beg of Setblobs*/
|
||||
/* In this array we will store the SET blobs */
|
||||
- rgSetBlob = OPENSSL_malloc(sk_BLOCK_num(a) * sizeof(MYBLOB));
|
||||
+ rgSetBlob = OPENSSL_malloc(sk_OPENSSL_BLOCK_num(a) * sizeof(MYBLOB));
|
||||
if (rgSetBlob == NULL)
|
||||
{
|
||||
ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE);
|
||||
return(0);
|
||||
}
|
||||
|
||||
- for (i=0; i<sk_BLOCK_num(a); i++)
|
||||
+ for (i=0; i<sk_OPENSSL_BLOCK_num(a); i++)
|
||||
{
|
||||
rgSetBlob[i].pbData = p; /* catch each set encode blob */
|
||||
- i2d(sk_BLOCK_value(a,i),&p);
|
||||
+ i2d(sk_OPENSSL_BLOCK_value(a,i),&p);
|
||||
rgSetBlob[i].cbData = p - rgSetBlob[i].pbData; /* Length of this
|
||||
SetBlob
|
||||
*/
|
||||
@@ -140,7 +140,7 @@
|
||||
|
||||
/* Now we have to sort the blobs. I am using a simple algo.
|
||||
*Sort ptrs *Copy to temp-mem *Copy from temp-mem to user-mem*/
|
||||
- qsort( rgSetBlob, sk_BLOCK_num(a), sizeof(MYBLOB), SetBlobCmp);
|
||||
+ qsort( rgSetBlob, sk_OPENSSL_BLOCK_num(a), sizeof(MYBLOB), SetBlobCmp);
|
||||
if (!(pTempMem = OPENSSL_malloc(totSize)))
|
||||
{
|
||||
ASN1err(ASN1_F_I2D_ASN1_SET,ERR_R_MALLOC_FAILURE);
|
||||
@@ -149,7 +149,7 @@
|
||||
|
||||
/* Copy to temp mem */
|
||||
p = pTempMem;
|
||||
- for(i=0; i<sk_BLOCK_num(a); ++i)
|
||||
+ for(i=0; i<sk_OPENSSL_BLOCK_num(a); ++i)
|
||||
{
|
||||
memcpy(p, rgSetBlob[i].pbData, rgSetBlob[i].cbData);
|
||||
p += rgSetBlob[i].cbData;
|
||||
@@ -163,17 +163,18 @@
|
||||
return(r);
|
||||
}
|
||||
|
||||
-STACK_OF(BLOCK) *d2i_ASN1_SET(STACK_OF(BLOCK) **a, const unsigned char **pp,
|
||||
+STACK_OF(OPENSSL_BLOCK) *d2i_ASN1_SET(STACK_OF(OPENSSL_BLOCK) **a,
|
||||
+ const unsigned char **pp,
|
||||
long length, d2i_of_void *d2i,
|
||||
- void (*free_func)(BLOCK), int ex_tag,
|
||||
+ void (*free_func)(OPENSSL_BLOCK), int ex_tag,
|
||||
int ex_class)
|
||||
{
|
||||
ASN1_const_CTX c;
|
||||
- STACK_OF(BLOCK) *ret=NULL;
|
||||
+ STACK_OF(OPENSSL_BLOCK) *ret=NULL;
|
||||
|
||||
if ((a == NULL) || ((*a) == NULL))
|
||||
{
|
||||
- if ((ret=sk_BLOCK_new_null()) == NULL)
|
||||
+ if ((ret=sk_OPENSSL_BLOCK_new_null()) == NULL)
|
||||
{
|
||||
ASN1err(ASN1_F_D2I_ASN1_SET,ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
@@ -221,7 +222,7 @@
|
||||
asn1_add_error(*pp,(int)(c.p- *pp));
|
||||
goto err;
|
||||
}
|
||||
- if (!sk_BLOCK_push(ret,s)) goto err;
|
||||
+ if (!sk_OPENSSL_BLOCK_push(ret,s)) goto err;
|
||||
}
|
||||
if (a != NULL) (*a)=ret;
|
||||
*pp=c.p;
|
||||
@@ -230,9 +231,9 @@
|
||||
if ((ret != NULL) && ((a == NULL) || (*a != ret)))
|
||||
{
|
||||
if (free_func != NULL)
|
||||
- sk_BLOCK_pop_free(ret,free_func);
|
||||
+ sk_OPENSSL_BLOCK_pop_free(ret,free_func);
|
||||
else
|
||||
- sk_BLOCK_free(ret);
|
||||
+ sk_OPENSSL_BLOCK_free(ret);
|
||||
}
|
||||
return(NULL);
|
||||
}
|
||||
Index: openssl/crypto/asn1/asn1.h
|
||||
RCS File: /v/openssl/cvs/openssl/crypto/asn1/asn1.h,v
|
||||
rcsdiff -q -kk '-r1.166.2.3' '-r1.166.2.4' -u '/v/openssl/cvs/openssl/crypto/asn1/asn1.h,v' 2>/dev/null
|
||||
--- openssl/crypto/asn1/asn1.h 2009/07/24 11:15:55 1.166.2.3
|
||||
+++ openssl/crypto/asn1/asn1.h 2009/07/27 21:21:25 1.166.2.4
|
||||
@@ -887,12 +887,13 @@
|
||||
ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out);
|
||||
int ASN1_TIME_set_string(ASN1_TIME *s, const char *str);
|
||||
|
||||
-int i2d_ASN1_SET(STACK_OF(BLOCK) *a, unsigned char **pp,
|
||||
+int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char **pp,
|
||||
i2d_of_void *i2d, int ex_tag, int ex_class,
|
||||
int is_set);
|
||||
-STACK_OF(BLOCK) *d2i_ASN1_SET(STACK_OF(BLOCK) **a, const unsigned char **pp,
|
||||
+STACK_OF(OPENSSL_BLOCK) *d2i_ASN1_SET(STACK_OF(OPENSSL_BLOCK) **a,
|
||||
+ const unsigned char **pp,
|
||||
long length, d2i_of_void *d2i,
|
||||
- void (*free_func)(BLOCK), int ex_tag,
|
||||
+ void (*free_func)(OPENSSL_BLOCK), int ex_tag,
|
||||
int ex_class);
|
||||
|
||||
#ifndef OPENSSL_NO_BIO
|
||||
@@ -1045,9 +1046,9 @@
|
||||
int ASN1_TYPE_get_int_octetstring(ASN1_TYPE *a,long *num,
|
||||
unsigned char *data, int max_len);
|
||||
|
||||
-STACK_OF(BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len,
|
||||
- d2i_of_void *d2i, void (*free_func)(BLOCK));
|
||||
-unsigned char *ASN1_seq_pack(STACK_OF(BLOCK) *safes, i2d_of_void *i2d,
|
||||
+STACK_OF(OPENSSL_BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len,
|
||||
+ d2i_of_void *d2i, void (*free_func)(OPENSSL_BLOCK));
|
||||
+unsigned char *ASN1_seq_pack(STACK_OF(OPENSSL_BLOCK) *safes, i2d_of_void *i2d,
|
||||
unsigned char **buf, int *len );
|
||||
void *ASN1_unpack_string(ASN1_STRING *oct, d2i_of_void *d2i);
|
||||
void *ASN1_item_unpack(ASN1_STRING *oct, const ASN1_ITEM *it);
|
||||
Index: openssl/crypto/asn1/asn_pack.c
|
||||
RCS File: /v/openssl/cvs/openssl/crypto/asn1/asn_pack.c,v
|
||||
rcsdiff -q -kk '-r1.19' '-r1.19.2.1' -u '/v/openssl/cvs/openssl/crypto/asn1/asn_pack.c,v' 2>/dev/null
|
||||
--- openssl/crypto/asn1/asn_pack.c 2008/11/12 03:57:49 1.19
|
||||
+++ openssl/crypto/asn1/asn_pack.c 2009/07/27 21:21:25 1.19.2.1
|
||||
@@ -66,10 +66,10 @@
|
||||
|
||||
/* Turn an ASN1 encoded SEQUENCE OF into a STACK of structures */
|
||||
|
||||
-STACK_OF(BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len,
|
||||
- d2i_of_void *d2i, void (*free_func)(BLOCK))
|
||||
+STACK_OF(OPENSSL_BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len,
|
||||
+ d2i_of_void *d2i, void (*free_func)(OPENSSL_BLOCK))
|
||||
{
|
||||
- STACK_OF(BLOCK) *sk;
|
||||
+ STACK_OF(OPENSSL_BLOCK) *sk;
|
||||
const unsigned char *pbuf;
|
||||
pbuf = buf;
|
||||
if (!(sk = d2i_ASN1_SET(NULL, &pbuf, len, d2i, free_func,
|
||||
@@ -82,7 +82,7 @@
|
||||
* OPENSSL_malloc'ed buffer
|
||||
*/
|
||||
|
||||
-unsigned char *ASN1_seq_pack(STACK_OF(BLOCK) *safes, i2d_of_void *i2d,
|
||||
+unsigned char *ASN1_seq_pack(STACK_OF(OPENSSL_BLOCK) *safes, i2d_of_void *i2d,
|
||||
unsigned char **buf, int *len)
|
||||
{
|
||||
int safelen;
|
||||
Index: openssl/crypto/stack/safestack.h
|
||||
RCS File: /v/openssl/cvs/openssl/crypto/stack/safestack.h,v
|
||||
rcsdiff -q -kk '-r1.72.2.4' '-r1.72.2.5' -u '/v/openssl/cvs/openssl/crypto/stack/safestack.h,v' 2>/dev/null
|
||||
--- openssl/crypto/stack/safestack.h 2009/07/27 21:08:50 1.72.2.4
|
||||
+++ openssl/crypto/stack/safestack.h 2009/07/27 21:21:25 1.72.2.5
|
||||
@@ -128,8 +128,8 @@
|
||||
* nul-terminated. These should also be distinguished from "normal"
|
||||
* stacks. */
|
||||
|
||||
-typedef void *BLOCK;
|
||||
-DECLARE_SPECIAL_STACK_OF(BLOCK, void)
|
||||
+typedef void *OPENSSL_BLOCK;
|
||||
+DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void)
|
||||
|
||||
/* SKM_sk_... stack macros are internal to safestack.h:
|
||||
* never use them directly, use sk_<type>_... instead */
|
||||
@@ -2055,29 +2055,29 @@
|
||||
#define sk_OPENSSL_STRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_STRING, (st))
|
||||
|
||||
|
||||
-#define sk_BLOCK_new(cmp) ((STACK_OF(BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp)))
|
||||
-#define sk_BLOCK_new_null() ((STACK_OF(BLOCK) *)sk_new_null())
|
||||
-#define sk_BLOCK_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val))
|
||||
-#define sk_BLOCK_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val))
|
||||
-#define sk_BLOCK_value(st, i) ((BLOCK)sk_value(CHECKED_PTR_OF(STACK_OF(BLOCK), st), i))
|
||||
-#define sk_BLOCK_num(st) SKM_sk_num(BLOCK, st)
|
||||
-#define sk_BLOCK_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_SK_FREE_FUNC2(BLOCK, free_func))
|
||||
-#define sk_BLOCK_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val), i)
|
||||
-#define sk_BLOCK_free(st) SKM_sk_free(BLOCK, st)
|
||||
-#define sk_BLOCK_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), i, CHECKED_PTR_OF(void, val))
|
||||
-#define sk_BLOCK_zero(st) SKM_sk_zero(BLOCK, (st))
|
||||
-#define sk_BLOCK_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, val))
|
||||
-#define sk_BLOCK_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(BLOCK), st), CHECKED_CONST_PTR_OF(void, val))
|
||||
-#define sk_BLOCK_delete(st, i) SKM_sk_delete(BLOCK, (st), (i))
|
||||
-#define sk_BLOCK_delete_ptr(st, ptr) (BLOCK *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_PTR_OF(void, ptr))
|
||||
-#define sk_BLOCK_set_cmp_func(st, cmp) \
|
||||
+#define sk_OPENSSL_BLOCK_new(cmp) ((STACK_OF(OPENSSL_BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp)))
|
||||
+#define sk_OPENSSL_BLOCK_new_null() ((STACK_OF(OPENSSL_BLOCK) *)sk_new_null())
|
||||
+#define sk_OPENSSL_BLOCK_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val))
|
||||
+#define sk_OPENSSL_BLOCK_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val))
|
||||
+#define sk_OPENSSL_BLOCK_value(st, i) ((OPENSSL_BLOCK)sk_value(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), i))
|
||||
+#define sk_OPENSSL_BLOCK_num(st) SKM_sk_num(OPENSSL_BLOCK, st)
|
||||
+#define sk_OPENSSL_BLOCK_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_SK_FREE_FUNC2(OPENSSL_BLOCK, free_func))
|
||||
+#define sk_OPENSSL_BLOCK_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val), i)
|
||||
+#define sk_OPENSSL_BLOCK_free(st) SKM_sk_free(OPENSSL_BLOCK, st)
|
||||
+#define sk_OPENSSL_BLOCK_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), i, CHECKED_PTR_OF(void, val))
|
||||
+#define sk_OPENSSL_BLOCK_zero(st) SKM_sk_zero(OPENSSL_BLOCK, (st))
|
||||
+#define sk_OPENSSL_BLOCK_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val))
|
||||
+#define sk_OPENSSL_BLOCK_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_CONST_PTR_OF(void, val))
|
||||
+#define sk_OPENSSL_BLOCK_delete(st, i) SKM_sk_delete(OPENSSL_BLOCK, (st), (i))
|
||||
+#define sk_OPENSSL_BLOCK_delete_ptr(st, ptr) (OPENSSL_BLOCK *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, ptr))
|
||||
+#define sk_OPENSSL_BLOCK_set_cmp_func(st, cmp) \
|
||||
((int (*)(const void * const *,const void * const *)) \
|
||||
- sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st), CHECKED_SK_CMP_FUNC(void, cmp)))
|
||||
-#define sk_BLOCK_dup(st) SKM_sk_dup(BLOCK, st)
|
||||
-#define sk_BLOCK_shift(st) SKM_sk_shift(BLOCK, (st))
|
||||
-#define sk_BLOCK_pop(st) (void *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(BLOCK), st))
|
||||
-#define sk_BLOCK_sort(st) SKM_sk_sort(BLOCK, (st))
|
||||
-#define sk_BLOCK_is_sorted(st) SKM_sk_is_sorted(BLOCK, (st))
|
||||
+ sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_SK_CMP_FUNC(void, cmp)))
|
||||
+#define sk_OPENSSL_BLOCK_dup(st) SKM_sk_dup(OPENSSL_BLOCK, st)
|
||||
+#define sk_OPENSSL_BLOCK_shift(st) SKM_sk_shift(OPENSSL_BLOCK, (st))
|
||||
+#define sk_OPENSSL_BLOCK_pop(st) (void *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st))
|
||||
+#define sk_OPENSSL_BLOCK_sort(st) SKM_sk_sort(OPENSSL_BLOCK, (st))
|
||||
+#define sk_OPENSSL_BLOCK_is_sorted(st) SKM_sk_is_sorted(OPENSSL_BLOCK, (st))
|
||||
|
||||
|
||||
#define sk_OPENSSL_PSTRING_new(cmp) ((STACK_OF(OPENSSL_PSTRING) *)sk_new(CHECKED_SK_CMP_FUNC(OPENSSL_STRING, cmp)))
|
@ -1,31 +0,0 @@
|
||||
diff -up openssl-1.0.0-beta3/ssl/ssl_lib.c.ctx-free openssl-1.0.0-beta3/ssl/ssl_lib.c
|
||||
--- openssl-1.0.0-beta3/ssl/ssl_lib.c.ctx-free 2009-10-08 20:44:26.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/ssl/ssl_lib.c 2009-10-16 11:56:53.000000000 +0200
|
||||
@@ -556,7 +556,6 @@ void SSL_free(SSL *s)
|
||||
if (s->cert != NULL) ssl_cert_free(s->cert);
|
||||
/* Free up if allocated */
|
||||
|
||||
- if (s->ctx) SSL_CTX_free(s->ctx);
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
if (s->tlsext_hostname)
|
||||
OPENSSL_free(s->tlsext_hostname);
|
||||
@@ -580,6 +579,8 @@ void SSL_free(SSL *s)
|
||||
|
||||
if (s->method != NULL) s->method->ssl_free(s);
|
||||
|
||||
+ if (s->ctx) SSL_CTX_free(s->ctx);
|
||||
+
|
||||
#ifndef OPENSSL_NO_KRB5
|
||||
if (s->kssl_ctx != NULL)
|
||||
kssl_ctx_free(s->kssl_ctx);
|
||||
diff -up openssl-1.0.0-beta3/ssl/s3_lib.c.hbuf-clear openssl-1.0.0-beta3/ssl/s3_lib.c
|
||||
--- openssl-1.0.0-beta3/ssl/s3_lib.c.hbuf-clear 2009-05-28 20:10:47.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/ssl/s3_lib.c 2009-10-16 09:50:24.000000000 +0200
|
||||
@@ -2211,6 +2211,7 @@ void ssl3_clear(SSL *s)
|
||||
wlen = s->s3->wbuf.len;
|
||||
if (s->s3->handshake_buffer) {
|
||||
BIO_free(s->s3->handshake_buffer);
|
||||
+ s->s3->handshake_buffer = NULL;
|
||||
}
|
||||
if (s->s3->handshake_dgst) {
|
||||
ssl3_free_digest_list(s);
|
@ -1,27 +0,0 @@
|
||||
Index: openssl/ssl/ssl_asn1.c
|
||||
RCS File: /v/openssl/cvs/openssl/ssl/ssl_asn1.c,v
|
||||
rcsdiff -q -kk '-r1.36.2.2' '-r1.36.2.3' -u '/v/openssl/cvs/openssl/ssl/ssl_asn1.c,v' 2>/dev/null
|
||||
--- openssl/ssl/ssl_asn1.c 2009/08/05 15:29:14 1.36.2.2
|
||||
+++ openssl/ssl/ssl_asn1.c 2009/09/02 13:20:22 1.36.2.3
|
||||
@@ -413,8 +413,8 @@
|
||||
}
|
||||
else
|
||||
{
|
||||
- SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_UNKNOWN_SSL_VERSION);
|
||||
- return(NULL);
|
||||
+ c.error=SSL_R_UNKNOWN_SSL_VERSION;
|
||||
+ goto err;
|
||||
}
|
||||
|
||||
ret->cipher=NULL;
|
||||
@@ -505,8 +505,8 @@
|
||||
{
|
||||
if (os.length > SSL_MAX_SID_CTX_LENGTH)
|
||||
{
|
||||
- ret->sid_ctx_length=os.length;
|
||||
- SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_BAD_LENGTH);
|
||||
+ c.error=SSL_R_BAD_LENGTH;
|
||||
+ goto err;
|
||||
}
|
||||
else
|
||||
{
|
@ -1,6 +1,6 @@
|
||||
diff -up openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod
|
||||
--- openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc 2004-05-20 23:39:50.000000000 +0200
|
||||
+++ openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod 2009-06-30 12:04:47.000000000 +0200
|
||||
diff -up openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod
|
||||
--- openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc 2009-10-16 17:29:34.000000000 +0200
|
||||
+++ openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod 2009-11-12 14:13:21.000000000 +0100
|
||||
@@ -6,7 +6,8 @@ EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_
|
||||
EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE,
|
||||
EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size,
|
||||
@ -45,8 +45,8 @@ diff -up openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-0.9.8k/do
|
||||
+signature algorithm is RSA in each case.
|
||||
|
||||
EVP_dss() and EVP_dss1() return B<EVP_MD> structures for SHA and SHA1 digest
|
||||
algorithms but using DSS (DSA) for the signature algorithm.
|
||||
@@ -156,7 +163,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
|
||||
algorithms but using DSS (DSA) for the signature algorithm. Note: there is
|
||||
@@ -158,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
|
||||
EVP_MD_CTX_block_size() and EVP_MD_block_size() return the digest or block
|
||||
size in bytes.
|
||||
|
||||
@ -56,9 +56,9 @@ diff -up openssl-0.9.8k/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-0.9.8k/do
|
||||
EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
|
||||
corresponding EVP_MD structures.
|
||||
|
||||
diff -up openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod
|
||||
--- openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod.algo-doc 2005-04-15 18:01:35.000000000 +0200
|
||||
+++ openssl-0.9.8k/doc/crypto/EVP_EncryptInit.pod 2009-06-30 12:04:47.000000000 +0200
|
||||
diff -up openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod
|
||||
--- openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc 2005-04-15 18:01:35.000000000 +0200
|
||||
+++ openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod 2009-11-12 14:11:03.000000000 +0100
|
||||
@@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher
|
||||
int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
|
||||
int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
|
36
openssl-1.0.0-beta4-ca-dir.patch
Normal file
36
openssl-1.0.0-beta4-ca-dir.patch
Normal file
@ -0,0 +1,36 @@
|
||||
diff -up openssl-1.0.0-beta4/apps/CA.pl.in.ca-dir openssl-1.0.0-beta4/apps/CA.pl.in
|
||||
--- openssl-1.0.0-beta4/apps/CA.pl.in.ca-dir 2006-04-28 02:30:49.000000000 +0200
|
||||
+++ openssl-1.0.0-beta4/apps/CA.pl.in 2009-11-12 12:33:13.000000000 +0100
|
||||
@@ -53,7 +53,7 @@ $VERIFY="$openssl verify";
|
||||
$X509="$openssl x509";
|
||||
$PKCS12="$openssl pkcs12";
|
||||
|
||||
-$CATOP="./demoCA";
|
||||
+$CATOP="/etc/pki/CA";
|
||||
$CAKEY="cakey.pem";
|
||||
$CAREQ="careq.pem";
|
||||
$CACERT="cacert.pem";
|
||||
diff -up openssl-1.0.0-beta4/apps/CA.sh.ca-dir openssl-1.0.0-beta4/apps/CA.sh
|
||||
--- openssl-1.0.0-beta4/apps/CA.sh.ca-dir 2009-10-15 19:27:47.000000000 +0200
|
||||
+++ openssl-1.0.0-beta4/apps/CA.sh 2009-11-12 12:35:14.000000000 +0100
|
||||
@@ -68,7 +68,7 @@ VERIFY="$OPENSSL verify"
|
||||
X509="$OPENSSL x509"
|
||||
PKCS12="openssl pkcs12"
|
||||
|
||||
-if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
|
||||
+if [ -z "$CATOP" ] ; then CATOP=/etc/pki/CA ; fi
|
||||
CAKEY=./cakey.pem
|
||||
CAREQ=./careq.pem
|
||||
CACERT=./cacert.pem
|
||||
diff -up openssl-1.0.0-beta4/apps/openssl.cnf.ca-dir openssl-1.0.0-beta4/apps/openssl.cnf
|
||||
--- openssl-1.0.0-beta4/apps/openssl.cnf.ca-dir 2009-11-12 12:33:13.000000000 +0100
|
||||
+++ openssl-1.0.0-beta4/apps/openssl.cnf 2009-11-12 12:33:13.000000000 +0100
|
||||
@@ -39,7 +39,7 @@ default_ca = CA_default # The default c
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
-dir = ./demoCA # Where everything is kept
|
||||
+dir = /etc/pki/CA # Where everything is kept
|
||||
certs = $dir/certs # Where the issued certs are kept
|
||||
crl_dir = $dir/crl # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
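Review bot: The new patch has no description line before the first `diff -up`, so a reader of the spec has to open all three hunks to learn that it only relocates the default CA tree; a one-line header such as `Use /etc/pki/CA instead of ./demoCA as the default CA directory in CA.pl, CA.sh and openssl.cnf.` would document the intent where it is looked for. The three replacements are consistent (`/etc/pki/CA` in each), but CA.sh keeps honouring a pre-set `$CATOP` from the environment (`if [ -z "$CATOP" ] ; then CATOP=/etc/pki/CA ; fi`) while CA.pl.in assigns `$CATOP="/etc/pki/CA";` unconditionally; that asymmetry predates the patch, but since the new default is a system directory that an unprivileged user normally cannot write to, the header is the place to say that CA.sh can be redirected via the environment and CA.pl cannot. Anything below `$dir`, such as the private-key subdirectory referenced from the rest of `[ CA_default ]`, is outside these hunks, so its ownership and permissions have to be guaranteed by the packaging rather than by this patch.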
@ -1,7 +1,7 @@
|
||||
diff -up openssl-1.0.0-beta3/apps/s_client.c.default-paths openssl-1.0.0-beta3/apps/s_client.c
|
||||
--- openssl-1.0.0-beta3/apps/s_client.c.default-paths 2009-06-30 18:10:24.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/apps/s_client.c 2009-08-05 18:17:52.000000000 +0200
|
||||
@@ -888,12 +888,13 @@ bad:
|
||||
diff -up openssl-1.0.0-beta4/apps/s_client.c.default-paths openssl-1.0.0-beta4/apps/s_client.c
|
||||
--- openssl-1.0.0-beta4/apps/s_client.c.default-paths 2009-08-12 15:21:26.000000000 +0200
|
||||
+++ openssl-1.0.0-beta4/apps/s_client.c 2009-11-12 12:26:32.000000000 +0100
|
||||
@@ -889,12 +889,13 @@ bad:
|
||||
if (!set_cert_key_stuff(ctx,cert,key))
|
||||
goto end;
|
||||
|
||||
@ -19,10 +19,10 @@ diff -up openssl-1.0.0-beta3/apps/s_client.c.default-paths openssl-1.0.0-beta3/a
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
diff -up openssl-1.0.0-beta3/apps/s_server.c.default-paths openssl-1.0.0-beta3/apps/s_server.c
|
||||
--- openssl-1.0.0-beta3/apps/s_server.c.default-paths 2009-06-30 18:10:24.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/apps/s_server.c 2009-08-05 18:18:40.000000000 +0200
|
||||
@@ -1403,12 +1403,13 @@ bad:
|
||||
diff -up openssl-1.0.0-beta4/apps/s_server.c.default-paths openssl-1.0.0-beta4/apps/s_server.c
|
||||
--- openssl-1.0.0-beta4/apps/s_server.c.default-paths 2009-10-28 18:49:37.000000000 +0100
|
||||
+++ openssl-1.0.0-beta4/apps/s_server.c 2009-11-12 12:31:23.000000000 +0100
|
||||
@@ -1408,12 +1408,13 @@ bad:
|
||||
}
|
||||
#endif
|
||||
|
||||
@ -40,8 +40,8 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.default-paths openssl-1.0.0-beta3/a
|
||||
}
|
||||
if (vpm)
|
||||
SSL_CTX_set1_param(ctx, vpm);
|
||||
@@ -1457,8 +1458,11 @@ bad:
|
||||
|
||||
@@ -1465,8 +1466,11 @@ bad:
|
||||
else
|
||||
SSL_CTX_sess_set_cache_size(ctx2,128);
|
||||
|
||||
- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
|
||||
@ -54,9 +54,9 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.default-paths openssl-1.0.0-beta3/a
|
||||
{
|
||||
ERR_print_errors(bio_err);
|
||||
}
|
||||
diff -up openssl-1.0.0-beta3/apps/s_time.c.default-paths openssl-1.0.0-beta3/apps/s_time.c
|
||||
--- openssl-1.0.0-beta3/apps/s_time.c.default-paths 2006-04-17 14:22:13.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/apps/s_time.c 2009-08-05 18:00:35.000000000 +0200
|
||||
diff -up openssl-1.0.0-beta4/apps/s_time.c.default-paths openssl-1.0.0-beta4/apps/s_time.c
|
||||
--- openssl-1.0.0-beta4/apps/s_time.c.default-paths 2006-04-17 14:22:13.000000000 +0200
|
||||
+++ openssl-1.0.0-beta4/apps/s_time.c 2009-11-12 12:26:32.000000000 +0100
|
||||
@@ -373,12 +373,13 @@ int MAIN(int argc, char **argv)
|
||||
|
||||
SSL_load_error_strings();
|
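--- a/openssl-1.0.0-beta4-dtls1-abi.patch
+++ b/openssl-1.0.0-beta4-dtls1-abi.patch
@@ -0,0 +1,25 @@
+Adding struct member is ABI breaker however as the structure is always allocated by
+the library calls we just move it to the end and it should be reasonably safe.
+diff -up openssl-1.0.0-beta4/ssl/dtls1.h.dtls1-abi openssl-1.0.0-beta4/ssl/dtls1.h
+--- openssl-1.0.0-beta4/ssl/dtls1.h.dtls1-abi 2009-11-12 14:34:37.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/dtls1.h 2009-11-12 14:47:57.000000000 +0100
+@@ -216,9 +216,6 @@ typedef struct dtls1_state_st
+*/
+record_pqueue buffered_app_data;
+
+- /* Is set when listening for new connections with dtls1_listen() */
+- unsigned int listen;
+-
+unsigned int mtu; /* max DTLS packet size */
+
+struct hm_header_st w_msg_hdr;
+@@ -242,6 +239,9 @@ typedef struct dtls1_state_st
+unsigned int retransmitting;
+unsigned int change_cipher_spec_ok;
+
++ /* Is set when listening for new connections with dtls1_listen() */
++ unsigned int listen;
++
+} DTLS1_STATE;
+
+typedef struct dtls1_record_data_st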
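Review bot: The relocated `listen` member carries no hint that its position is load-bearing, so a later cleanup could move it back and silently reintroduce the layout change the patch header explains. A comment on the field in the second hunk, `/* Keep this member last: it was appended after the 1.0.0-beta4 layout was set (see dtls1-abi.patch) */`, records the constraint where it will be seen. The "reasonably safe" claim in the header holds only for code that obtains DTLS1_STATE from the library; the header could state that assumption explicitly.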
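--- a/openssl-1.0.0-beta4-enginesdir.patch
+++ b/openssl-1.0.0-beta4-enginesdir.patch
@@ -0,0 +1,52 @@
+diff -up openssl-1.0.0-beta4/Configure.enginesdir openssl-1.0.0-beta4/Configure
+--- openssl-1.0.0-beta4/Configure.enginesdir 2009-11-12 12:17:59.000000000 +0100
++++ openssl-1.0.0-beta4/Configure 2009-11-12 12:19:45.000000000 +0100
+@@ -622,6 +622,7 @@ my $idx_multilib = $idx++;
+my $prefix="";
+my $libdir="";
+my $openssldir="";
++my $enginesdir="";
+my $exe_ext="";
+my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
+my $cross_compile_prefix="";
+@@ -833,6 +834,10 @@ PROCESS_ARGS:
+{
+$openssldir=$1;
+}
++ elsif (/^--enginesdir=(.*)$/)
++ {
++ $enginesdir=$1;
++ }
+elsif (/^--install.prefix=(.*)$/)
+{
+$install_prefix=$1;
+@@ -1055,7 +1060,7 @@ chop $prefix if $prefix =~ /.\/$/;
+
+$openssldir=$prefix . "/ssl" if $openssldir eq "";
+$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
+-
++$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
+
+print "IsMK1MF=$IsMK1MF\n";
+
+@@ -1676,7 +1681,7 @@ while (<IN>)
+# $foo is to become "$prefix/lib$multilib/engines";
+# as Makefile.org and engines/Makefile are adapted for
+# $multilib suffix.
+- my $foo = "$prefix/lib/engines";
++ my $foo = "$enginesdir";
+$foo =~ s/\\/\\\\/g;
+print OUT "#define ENGINESDIR \"$foo\"\n";
+}
+diff -up openssl-1.0.0-beta4/engines/Makefile.enginesdir openssl-1.0.0-beta4/engines/Makefile
+--- openssl-1.0.0-beta4/engines/Makefile.enginesdir 2009-11-10 02:52:52.000000000 +0100
++++ openssl-1.0.0-beta4/engines/Makefile 2009-11-12 12:23:06.000000000 +0100
+@@ -124,7 +124,7 @@ install:
+sfx=".so"; \
+cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
+fi; \
+- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
++ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
+mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
+done; \
+fi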
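Review bot: The new `--enginesdir=` value is stored verbatim and ends up in the ENGINESDIR define, whereas `$openssldir` in the same hunk is made absolute by `$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;`; a relative engines directory would presumably be resolved against the working directory of whatever process later loads an engine, which makes the engine search path depend on the caller's CWD. Adding the matching line after the new default, `$enginesdir=$prefix . "/" . $enginesdir if $enginesdir !~ /(^\/|^[a-zA-Z]:[\\\/])/;`, keeps the two settings consistent. The `chmod 755` change in engines/Makefile is not explained anywhere in the patch; a short header comment saying why the installed `.so` files need owner-write (for example, post-install processing by the packaging) would spare the next reader from guessing.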
@ -1,7 +1,7 @@
|
||||
diff -up openssl-1.0.0-beta3/Configure.redhat openssl-1.0.0-beta3/Configure
|
||||
--- openssl-1.0.0-beta3/Configure.redhat 2009-07-08 10:50:52.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/Configure 2009-08-04 22:46:59.000000000 +0200
|
||||
@@ -331,32 +331,32 @@ my %table=(
|
||||
diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure
|
||||
--- openssl-1.0.0-beta4/Configure.redhat 2009-11-09 15:11:13.000000000 +0100
|
||||
+++ openssl-1.0.0-beta4/Configure 2009-11-12 12:15:27.000000000 +0100
|
||||
@@ -336,32 +336,32 @@ my %table=(
|
||||
####
|
||||
# *-generic* is endian-neutral target, but ./config is free to
|
||||
# throw in -D[BL]_ENDIAN, whichever appropriate...
|
||||
@ -27,9 +27,9 @@ diff -up openssl-1.0.0-beta3/Configure.redhat openssl-1.0.0-beta3/Configure
|
||||
+"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||
-"linux-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||
+"linux-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||
#### SPARC Linux setups
|
||||
# Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
|
||||
@ -46,7 +46,7 @@ diff -up openssl-1.0.0-beta3/Configure.redhat openssl-1.0.0-beta3/Configure
|
||||
#### Alpha Linux with GNU C and Compaq C setups
|
||||
# Special notes:
|
||||
# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
|
||||
@@ -370,8 +370,8 @@ my %table=(
|
||||
@@ -375,8 +375,8 @@ my %table=(
|
||||
#
|
||||
# <appro@fy.chalmers.se>
|
||||
#
|
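--- a/openssl-1.0.0-beta4-reneg.patch
+++ b/openssl-1.0.0-beta4-reneg.patch
@@ -0,0 +1,237 @@
+diff -up openssl-1.0.0-beta4/apps/s_cb.c.reneg openssl-1.0.0-beta4/apps/s_cb.c
+--- openssl-1.0.0-beta4/apps/s_cb.c.reneg 2009-10-15 20:48:47.000000000 +0200
++++ openssl-1.0.0-beta4/apps/s_cb.c 2009-11-12 15:02:30.000000000 +0100
+@@ -669,6 +669,10 @@ void MS_CALLBACK tlsext_cb(SSL *s, int c
+extname = "server ticket";
+break;
+
++ case TLSEXT_TYPE_renegotiate:
++ extname = "renegotiate";
++ break;
++
+#ifdef TLSEXT_TYPE_opaque_prf_input
+case TLSEXT_TYPE_opaque_prf_input:
+extname = "opaque PRF input";
+diff -up openssl-1.0.0-beta4/apps/s_client.c.reneg openssl-1.0.0-beta4/apps/s_client.c
+--- openssl-1.0.0-beta4/apps/s_client.c.reneg 2009-11-12 14:57:48.000000000 +0100
++++ openssl-1.0.0-beta4/apps/s_client.c 2009-11-12 15:01:48.000000000 +0100
+@@ -343,6 +343,7 @@ static void sc_usage(void)
+BIO_printf(bio_err," -status - request certificate status from server\n");
+BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
+#endif
++ BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
+}
+
+#ifndef OPENSSL_NO_TLSEXT
+@@ -657,6 +658,8 @@ int MAIN(int argc, char **argv)
+#endif
+else if (strcmp(*argv,"-serverpref") == 0)
+off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
++ else if (strcmp(*argv,"-legacy_renegotiation") == 0)
++ off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+else if (strcmp(*argv,"-cipher") == 0)
+{
+if (--argc < 1) goto bad;
+diff -up openssl-1.0.0-beta4/apps/s_server.c.reneg openssl-1.0.0-beta4/apps/s_server.c
+--- openssl-1.0.0-beta4/apps/s_server.c.reneg 2009-11-12 14:57:48.000000000 +0100
++++ openssl-1.0.0-beta4/apps/s_server.c 2009-11-12 15:01:48.000000000 +0100
+@@ -491,6 +491,7 @@ static void sv_usage(void)
+BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT2);
+BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
+BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
++ BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
+#endif
+}
+
+@@ -1013,6 +1014,8 @@ int MAIN(int argc, char *argv[])
+verify_return_error = 1;
+else if (strcmp(*argv,"-serverpref") == 0)
+{ off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
++ else if (strcmp(*argv,"-legacy_renegotiation") == 0)
++ off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+else if (strcmp(*argv,"-cipher") == 0)
+{
+if (--argc < 1) goto bad;
+diff -up openssl-1.0.0-beta4/ssl/tls1.h.reneg openssl-1.0.0-beta4/ssl/tls1.h
+--- openssl-1.0.0-beta4/ssl/tls1.h.reneg 2009-11-12 14:57:47.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/tls1.h 2009-11-12 15:02:30.000000000 +0100
+@@ -201,6 +201,9 @@ extern "C" {
+# define TLSEXT_TYPE_opaque_prf_input ?? */
+#endif
+
++/* Temporary extension type */
++#define TLSEXT_TYPE_renegotiate 0xff01
++
+/* NameType value from RFC 3546 */
+#define TLSEXT_NAMETYPE_host_name 0
+/* status request value from RFC 3546 */
+diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.reneg openssl-1.0.0-beta4/ssl/t1_lib.c
+--- openssl-1.0.0-beta4/ssl/t1_lib.c.reneg 2009-11-08 15:36:32.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-12 15:02:30.000000000 +0100
+@@ -315,6 +315,30 @@ unsigned char *ssl_add_clienthello_tlsex
+ret+=size_str;
+}
+
++ /* Add the renegotiation option: TODOEKR switch */
++ {
++ int el;
++
++ if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0))
++ {
++ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
++ return NULL;
++ }
++
++ if((limit - p - 4 - el) < 0) return NULL;
++
++ s2n(TLSEXT_TYPE_renegotiate,ret);
++ s2n(el,ret);
++
++ if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el))
++ {
++ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
++ return NULL;
++ }
++
++ ret += el;
++ }
++
+#ifndef OPENSSL_NO_EC
+if (s->tlsext_ecpointformatlist != NULL)
+{
+@@ -490,6 +514,31 @@ unsigned char *ssl_add_serverhello_tlsex
+s2n(TLSEXT_TYPE_server_name,ret);
+s2n(0,ret);
+}
++
++ if(s->s3->send_connection_binding)
++ {
++ int el;
++
++ if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0))
++ {
++ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
++ return NULL;
++ }
++
++ if((limit - p - 4 - el) < 0) return NULL;
++
++ s2n(TLSEXT_TYPE_renegotiate,ret);
++ s2n(el,ret);
++
++ if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el))
++ {
++ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
++ return NULL;
++ }
++
++ ret += el;
++ }
++
+#ifndef OPENSSL_NO_EC
+if (s->tlsext_ecpointformatlist != NULL)
+{
+@@ -574,11 +623,23 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+unsigned short size;
+unsigned short len;
+unsigned char *data = *p;
++ int renegotiate_seen = 0;
++
+s->servername_done = 0;
+s->tlsext_status_type = -1;
++ s->s3->send_connection_binding = 0;
+
+if (data >= (d+n-2))
++ {
++ if (s->new_session
++ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
++ {
++ /* We should always see one extension: the renegotiate extension */
++ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
++ return 0;
++ }
+return 1;
++ }
+n2s(data,len);
+
+if (data > (d+n-len))
+@@ -790,6 +851,12 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+return 0;
+}
+}
++ else if (type == TLSEXT_TYPE_renegotiate)
++ {
++ if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
++ return 0;
++ renegotiate_seen = 1;
++ }
+else if (type == TLSEXT_TYPE_status_request
+&& s->ctx->tlsext_status_cb)
+{
+@@ -894,6 +961,14 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+/* session ticket processed earlier */
+data+=size;
+}
++
++ if (s->new_session && !renegotiate_seen
++ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
++ {
++ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
++ return 0;
++ }
++
+
+*p = data;
+return 1;
+@@ -905,11 +980,22 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+unsigned short size;
+unsigned short len;
+unsigned char *data = *p;
+-
+int tlsext_servername = 0;
++ int renegotiate_seen = 0;
+
+if (data >= (d+n-2))
++ {
++ /* Because the client does not see any renegotiation during an
++ attack, we must enforce this on all server hellos, even the
++ first */
++ if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
++ {
++ /* We should always see one extension: the renegotiate extension */
++ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
++ return 0;
++ }
+return 1;
++ }
+
+n2s(data,len);
+
+@@ -1025,7 +1111,12 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+/* Set flag to expect CertificateStatus message */
+s->tlsext_status_expected = 1;
+}
+-
++ else if (type == TLSEXT_TYPE_renegotiate)
++ {
++ if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
++ return 0;
++ renegotiate_seen = 1;
++ }
+data+=size;
+}
+
+@@ -1035,6 +1126,13 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+return 0;
+}
+
++ if (!renegotiate_seen
++ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
++ {
++ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
++ return 0;
++ }
++
+if (!s->hit && tlsext_servername == 1)
+{
+if (s->tlsext_hostname)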
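Review bot: The room check added in ssl_add_clienthello_tlsext, `if((limit - p - 4 - el) < 0) return NULL;`, measures from `p` (presumably the start of the extension block) rather than from the write cursor `ret`, which the `ret+=size_str;` line just above shows has already advanced past earlier extensions, so the bound can pass while the `s2n`/`ssl_add_clienthello_renegotiate_ext` writes that follow run up to or past `limit`; `if((limit - ret - 4 - el) < 0) return NULL;` is the bound that protects the buffer end, and the same applies to the serverhello hunk at `@@ -490,6 +514,31 @@`. Every enforcement site in the parse hunks reads `s->ctx->options`, so SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION set or cleared on an individual connection through SSL_set_options() is not honoured; `s->options` is what the per-connection flag is merged into. The four `/* is this the right alert? */` markers are left unresolved; the published specification for this extension (RFC 5746) signals a missing or mismatched renegotiation_info with handshake_failure, so a comment at the first site noting that `SSL_AD_ILLEGAL_PARAMETER` is provisional until the patch is refreshed against the final text would help the next maintainer. All of the t1_lib.c functions touched here begin and end outside their hunks.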
50
openssl.spec
50
openssl.spec
@ -11,7 +11,7 @@
|
||||
# 1.0.0 soversion = 10
|
||||
%define soversion 10
|
||||
|
||||
%define beta beta3
|
||||
%define beta beta4
|
||||
|
||||
# Number of threads to spawn when testing some threading fixes.
|
||||
%define thread_test_threads %{?threads:%{threads}}%{!?threads:1}
|
||||
@ -23,7 +23,7 @@
|
||||
Summary: A general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.0.0
|
||||
Release: 0.10.%{beta}%{?dist}
|
||||
Release: 0.11.%{beta}%{?dist}
|
||||
# We remove certain patented algorithms from the openssl source tarball
|
||||
# with the hobble-openssl script which is included below.
|
||||
Source: openssl-%{version}-%{beta}-usa.tar.bz2
|
||||
@ -35,41 +35,32 @@ Source9: opensslconf-new.h
|
||||
Source10: opensslconf-new-warning.h
|
||||
Source11: README.FIPS
|
||||
# Build changes
|
||||
Patch0: openssl-1.0.0-beta3-redhat.patch
|
||||
Patch0: openssl-1.0.0-beta4-redhat.patch
|
||||
Patch1: openssl-1.0.0-beta3-defaults.patch
|
||||
Patch2: openssl-1.0.0-beta3-krb5.patch
|
||||
Patch3: openssl-1.0.0-beta3-soversion.patch
|
||||
Patch4: openssl-1.0.0-beta3-enginesdir.patch
|
||||
Patch4: openssl-1.0.0-beta4-enginesdir.patch
|
||||
Patch5: openssl-0.9.8a-no-rpath.patch
|
||||
Patch6: openssl-0.9.8b-test-use-localhost.patch
|
||||
# Bug fixes
|
||||
Patch21: openssl-0.9.8b-aliasing-bug.patch
|
||||
Patch23: openssl-1.0.0-beta3-default-paths.patch
|
||||
Patch23: openssl-1.0.0-beta4-default-paths.patch
|
||||
# Functionality changes
|
||||
Patch32: openssl-0.9.8g-ia64.patch
|
||||
Patch33: openssl-0.9.8j-ca-dir.patch
|
||||
Patch33: openssl-1.0.0-beta4-ca-dir.patch
|
||||
Patch34: openssl-0.9.6-x509.patch
|
||||
Patch35: openssl-0.9.8j-version-add-engines.patch
|
||||
Patch38: openssl-1.0.0-beta3-cipher-change.patch
|
||||
Patch39: openssl-1.0.0-beta3-ipv6-apps.patch
|
||||
Patch40: openssl-1.0.0-beta3-fips.patch
|
||||
Patch40: openssl-1.0.0-beta4-fips.patch
|
||||
Patch41: openssl-1.0.0-beta3-fipscheck.patch
|
||||
Patch43: openssl-1.0.0-beta3-fipsmode.patch
|
||||
Patch44: openssl-1.0.0-beta3-fipsrng.patch
|
||||
Patch45: openssl-0.9.8j-env-nozlib.patch
|
||||
Patch47: openssl-0.9.8j-readme-warning.patch
|
||||
Patch48: openssl-0.9.8j-bad-mime.patch
|
||||
Patch49: openssl-0.9.8k-algo-doc.patch
|
||||
Patch50: openssl-1.0.0-beta3-curl.patch
|
||||
Patch51: openssl-1.0.0-beta3-const.patch
|
||||
Patch52: openssl-1.0.0-beta3-dss1.patch
|
||||
Patch49: openssl-1.0.0-beta4-algo-doc.patch
|
||||
Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
|
||||
# Backported fixes including security fixes
|
||||
Patch60: openssl-1.0.0-beta3-namingstr.patch
|
||||
Patch61: openssl-1.0.0-beta3-namingblk.patch
|
||||
Patch62: openssl-1.0.0-beta3-camellia-rounds.patch
|
||||
Patch63: openssl-1.0.0-beta3-dtls1-fix.patch
|
||||
Patch64: openssl-1.0.0-beta3-ssl-session.patch
|
||||
Patch65: openssl-1.0.0-beta3-ssl-free.patch
|
||||
Patch60: openssl-1.0.0-beta4-reneg.patch
|
||||
|
||||
License: OpenSSL
|
||||
Group: System Environment/Libraries
|
||||
@ -124,14 +115,11 @@ from other formats to the formats used by the OpenSSL toolkit.
|
||||
%{SOURCE1} > /dev/null
|
||||
%patch0 -p1 -b .redhat
|
||||
%patch1 -p1 -b .defaults
|
||||
# Fix link line for libssl (bug #111154).
|
||||
%patch2 -p1 -b .krb5
|
||||
%patch3 -p1 -b .soversion
|
||||
%patch4 -p1 -b .enginesdir
|
||||
%patch5 -p1 -b .no-rpath
|
||||
%patch6 -p1 -b .use-localhost
|
||||
|
||||
%patch21 -p1 -b .aliasing-bug
|
||||
%patch23 -p1 -b .default-paths
|
||||
|
||||
%patch32 -p1 -b .ia64
|
||||
@ -148,15 +136,9 @@ from other formats to the formats used by the OpenSSL toolkit.
|
||||
%patch47 -p1 -b .warning
|
||||
%patch48 -p1 -b .bad-mime
|
||||
%patch49 -p1 -b .algo-doc
|
||||
%patch50 -p1 -b .curl
|
||||
%patch51 -p1 -b .const
|
||||
%patch52 -p1 -b .dss1
|
||||
%patch60 -p1 -b .namingstr
|
||||
%patch61 -p1 -b .namingblk
|
||||
%patch62 -p1 -b .cmll-rounds
|
||||
%patch63 -p1 -b .dtls1-fix
|
||||
%patch64 -p1 -b .ssl-session
|
||||
%patch65 -p1 -b .ssl-free
|
||||
%patch50 -p1 -b .dtls1-abi
|
||||
|
||||
%patch60 -p1 -b .reneg
|
||||
|
||||
# Modify the various perl scripts to reference perl in the right location.
|
||||
perl util/perlpath.pl `dirname %{__perl}`
|
||||
@ -405,6 +387,12 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
||||
%postun -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Thu Nov 12 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.11.beta4
|
||||
- update to new upstream version, no soname bump needed
|
||||
- fix CVE-2009-3555 - note that the fix is bypassed if SSL_OP_ALL is used
|
||||
so the compatibility with unfixed clients is not broken. The
|
||||
protocol extension is also not final.
|
||||
|
||||
* Fri Oct 16 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.10.beta3
|
||||
- fix use of freed memory if SSL_CTX_free() is called before
|
||||
SSL_free() (#521342)
|
||||
|