- gracefully handle zero length in assembler implementations of OPENSSL_cleanse (#564029)
- do not fail in s_server if client hostname not resolvable (#561260)
parent
ae5568515b
commit
bffe20438c
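--- a/openssl-1.0.0-beta5-cleanse.patch
+++ b/openssl-1.0.0-beta5-cleanse.patch
@@ -0,0 +1,109 @@
+Gracefully handle zero length in assembler implementations of OPENSSL_cleanse.
+diff -up openssl-1.0.0-beta5/crypto/ia64cpuid.S.cleanse openssl-1.0.0-beta5/crypto/ia64cpuid.S
+--- openssl-1.0.0-beta5/crypto/ia64cpuid.S.cleanse 2007-07-27 20:03:27.000000000 +0200
++++ openssl-1.0.0-beta5/crypto/ia64cpuid.S 2010-02-12 18:13:52.000000000 +0100
+@@ -130,9 +130,11 @@ OPENSSL_wipe_cpu:
+.global OPENSSL_cleanse#
+.proc OPENSSL_cleanse#
+OPENSSL_cleanse:
++{ .mib; cmp.eq p6,p0=0,r33 // len==0
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
+-{ .mmi; addp4 r32=0,r32 };;
++ addp4 r32=0,r32
+#endif
++(p6) br.ret.spnt b0 };;
+{ .mib; and r2=7,r32
+cmp.leu p6,p0=15,r33 // len>=15
+(p6) br.cond.dptk .Lot };;
+diff -up openssl-1.0.0-beta5/crypto/perlasm/ppc-xlate.pl.cleanse openssl-1.0.0-beta5/crypto/perlasm/ppc-xlate.pl
+--- openssl-1.0.0-beta5/crypto/perlasm/ppc-xlate.pl.cleanse 2008-01-13 23:01:29.000000000 +0100
++++ openssl-1.0.0-beta5/crypto/perlasm/ppc-xlate.pl 2010-02-12 18:13:52.000000000 +0100
+@@ -101,6 +101,13 @@ my $bnelr = sub {
+" .long ".sprintf "0x%x",19<<26|$bo<<21|2<<16|16<<1 :
+" bclr $bo,2";
+};
++my $beqlr = sub {
++ my $f = shift;
++ my $bo = $f=~/-/ ? 12+2 : 12; # optional "not to be taken" hint
++ ($flavour =~ /linux/) ? # GNU as doesn't allow most recent hints
++ " .long ".sprintf "0x%X",19<<26|$bo<<21|2<<16|16<<1 :
++ " bclr $bo,2";
++};
+# GNU assembler can't handle extrdi rA,rS,16,48, or when sum of last two
+# arguments is 64, with "operand out of range" error.
+my $extrdi = sub {
+diff -up openssl-1.0.0-beta5/crypto/ppccpuid.pl.cleanse openssl-1.0.0-beta5/crypto/ppccpuid.pl
+--- openssl-1.0.0-beta5/crypto/ppccpuid.pl.cleanse 2008-09-12 16:45:53.000000000 +0200
++++ openssl-1.0.0-beta5/crypto/ppccpuid.pl 2010-02-12 18:13:52.000000000 +0100
+@@ -67,6 +67,8 @@ Loop: lwarx r5,0,r3
+$CMPLI r4,7
+li r0,0
+bge Lot
++ $CMPLI r4,0
++ beqlr-
+Little: mtctr r4
+stb r0,0(r3)
+addi r3,r3,1
+diff -up openssl-1.0.0-beta5/crypto/sparccpuid.S.cleanse openssl-1.0.0-beta5/crypto/sparccpuid.S
+--- openssl-1.0.0-beta5/crypto/sparccpuid.S.cleanse 2007-05-19 19:26:48.000000000 +0200
++++ openssl-1.0.0-beta5/crypto/sparccpuid.S 2010-02-12 18:13:52.000000000 +0100
+@@ -242,6 +242,10 @@ OPENSSL_cleanse:
+#else
+bgu .Lot
+#endif
++ cmp %o1,0
++ bne .Little
++ nop
++ retl
+nop
+
+.Little:
+diff -up openssl-1.0.0-beta5/crypto/s390xcpuid.S.cleanse openssl-1.0.0-beta5/crypto/s390xcpuid.S
+--- openssl-1.0.0-beta5/crypto/s390xcpuid.S.cleanse 2010-01-19 22:40:56.000000000 +0100
++++ openssl-1.0.0-beta5/crypto/s390xcpuid.S 2010-02-12 18:13:52.000000000 +0100
+@@ -62,6 +62,8 @@ OPENSSL_cleanse:
+lghi %r0,0
+clgr %r3,%r4
+jh .Lot
++ clgr %r3,%r0
++ bcr 8,%r14
+.Little:
+stc %r0,0(%r2)
+la %r2,1(%r2)
+diff -up openssl-1.0.0-beta5/crypto/x86cpuid.pl.cleanse openssl-1.0.0-beta5/crypto/x86cpuid.pl
+--- openssl-1.0.0-beta5/crypto/x86cpuid.pl.cleanse 2009-05-14 20:25:29.000000000 +0200
++++ openssl-1.0.0-beta5/crypto/x86cpuid.pl 2010-02-12 18:13:52.000000000 +0100
+@@ -279,11 +279,14 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
+&xor ("eax","eax");
+&cmp ("ecx",7);
+&jae (&label("lot"));
++ &cmp ("ecx",0);
++ &je (&label("ret"));
+&set_label("little");
+&mov (&BP(0,"edx"),"al");
+&sub ("ecx",1);
+&lea ("edx",&DWP(1,"edx"));
+&jnz (&label("little"));
++&set_label("ret");
+&ret ();
+
+&set_label("lot",16);
+diff -up openssl-1.0.0-beta5/crypto/x86_64cpuid.pl.cleanse openssl-1.0.0-beta5/crypto/x86_64cpuid.pl
+--- openssl-1.0.0-beta5/crypto/x86_64cpuid.pl.cleanse 2009-05-14 20:25:29.000000000 +0200
++++ openssl-1.0.0-beta5/crypto/x86_64cpuid.pl 2010-02-12 18:13:52.000000000 +0100
+@@ -145,12 +145,14 @@ OPENSSL_cleanse:
+xor %rax,%rax
+cmp \$15,$arg2
+jae .Lot
++ cmp \$0,$arg2
++ je .Lret
+.Little:
+mov %al,($arg1)
+sub \$1,$arg2
+lea 1($arg1),$arg1
+jnz .Little
+- ret
++.Lret: ret
+.align 16
+.Lot:
+test \$7,$arg1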
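Review bot: The patch header's single sentence does not say what goes wrong at length zero, and whoever rebases this later needs that to judge whether the guards are still required. In the x86_64cpuid.pl hunk the `.Little` loop stores a byte before `sub \$1,$arg2` and `jnz .Little`, so without the new `cmp \$0,$arg2` / `je .Lret` a zero count would write one byte and keep looping on the wrapped counter; the ppccpuid.pl, s390xcpuid.S and x86cpuid.pl hunks show the same store-first shape on their short path. I would extend the header to something like `A zero length reaches the byte loop, which stores before testing the count and so writes outside the buffer; return early instead.` and, if the package has a test stage where this fits, add a call of `OPENSSL_cleanse(buf, 0)` on a buffer whose contents are checked afterwards.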
@ -1,6 +1,6 @@
|
||||
diff -up openssl-1.0.0-beta3/apps/s_apps.h.ipv6-apps openssl-1.0.0-beta3/apps/s_apps.h
|
||||
--- openssl-1.0.0-beta3/apps/s_apps.h.ipv6-apps 2009-08-05 21:29:58.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/apps/s_apps.h 2009-08-05 21:29:58.000000000 +0200
|
||||
diff -up openssl-1.0.0-beta5/apps/s_apps.h.ipv6-apps openssl-1.0.0-beta5/apps/s_apps.h
|
||||
--- openssl-1.0.0-beta5/apps/s_apps.h.ipv6-apps 2010-02-03 09:43:49.000000000 +0100
|
||||
+++ openssl-1.0.0-beta5/apps/s_apps.h 2010-02-03 09:43:49.000000000 +0100
|
||||
@@ -148,7 +148,7 @@ typedef fd_mask fd_set;
|
||||
#define PORT_STR "4433"
|
||||
#define PROTOCOL "tcp"
|
||||
@ -23,10 +23,10 @@ diff -up openssl-1.0.0-beta3/apps/s_apps.h.ipv6-apps openssl-1.0.0-beta3/apps/s_
|
||||
|
||||
long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
|
||||
int argi, long argl, long ret);
|
||||
diff -up openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps openssl-1.0.0-beta3/apps/s_client.c
|
||||
--- openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps 2009-08-05 21:29:58.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/apps/s_client.c 2009-08-05 22:33:44.000000000 +0200
|
||||
@@ -388,7 +388,7 @@ int MAIN(int argc, char **argv)
|
||||
diff -up openssl-1.0.0-beta5/apps/s_client.c.ipv6-apps openssl-1.0.0-beta5/apps/s_client.c
|
||||
--- openssl-1.0.0-beta5/apps/s_client.c.ipv6-apps 2010-02-03 09:43:49.000000000 +0100
|
||||
+++ openssl-1.0.0-beta5/apps/s_client.c 2010-02-03 09:43:49.000000000 +0100
|
||||
@@ -389,7 +389,7 @@ int MAIN(int argc, char **argv)
|
||||
int cbuf_len,cbuf_off;
|
||||
int sbuf_len,sbuf_off;
|
||||
fd_set readfds,writefds;
|
||||
@ -35,7 +35,7 @@ diff -up openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
||||
int full_log=1;
|
||||
char *host=SSL_HOST_NAME;
|
||||
char *cert_file=NULL,*key_file=NULL;
|
||||
@@ -486,13 +486,12 @@ int MAIN(int argc, char **argv)
|
||||
@@ -488,13 +488,12 @@ int MAIN(int argc, char **argv)
|
||||
else if (strcmp(*argv,"-port") == 0)
|
||||
{
|
||||
if (--argc < 1) goto bad;
|
||||
@ -51,7 +51,7 @@ diff -up openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
||||
goto bad;
|
||||
}
|
||||
else if (strcmp(*argv,"-verify") == 0)
|
||||
@@ -956,7 +955,7 @@ bad:
|
||||
@@ -967,7 +966,7 @@ bad:
|
||||
|
||||
re_start:
|
||||
|
||||
@ -60,10 +60,10 @@ diff -up openssl-1.0.0-beta3/apps/s_client.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
||||
{
|
||||
BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
|
||||
SHUTDOWN(s);
|
||||
diff -up openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps openssl-1.0.0-beta3/apps/s_server.c
|
||||
--- openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps 2009-08-05 21:29:58.000000000 +0200
|
||||
+++ openssl-1.0.0-beta3/apps/s_server.c 2009-08-05 21:29:58.000000000 +0200
|
||||
@@ -837,7 +837,7 @@ int MAIN(int argc, char *argv[])
|
||||
diff -up openssl-1.0.0-beta5/apps/s_server.c.ipv6-apps openssl-1.0.0-beta5/apps/s_server.c
|
||||
--- openssl-1.0.0-beta5/apps/s_server.c.ipv6-apps 2010-02-03 09:43:49.000000000 +0100
|
||||
+++ openssl-1.0.0-beta5/apps/s_server.c 2010-02-03 09:43:49.000000000 +0100
|
||||
@@ -838,7 +838,7 @@ int MAIN(int argc, char *argv[])
|
||||
{
|
||||
X509_VERIFY_PARAM *vpm = NULL;
|
||||
int badarg = 0;
|
||||
@ -72,7 +72,7 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
||||
char *CApath=NULL,*CAfile=NULL;
|
||||
unsigned char *context = NULL;
|
||||
char *dhfile = NULL;
|
||||
@@ -907,8 +907,7 @@ int MAIN(int argc, char *argv[])
|
||||
@@ -909,8 +909,7 @@ int MAIN(int argc, char *argv[])
|
||||
(strcmp(*argv,"-accept") == 0))
|
||||
{
|
||||
if (--argc < 1) goto bad;
|
||||
@ -82,7 +82,7 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
||||
}
|
||||
else if (strcmp(*argv,"-verify") == 0)
|
||||
{
|
||||
@@ -1685,9 +1684,9 @@ bad:
|
||||
@@ -1700,9 +1699,9 @@ bad:
|
||||
BIO_printf(bio_s_out,"ACCEPT\n");
|
||||
(void)BIO_flush(bio_s_out);
|
||||
if (www)
|
||||
@ -94,10 +94,10 @@ diff -up openssl-1.0.0-beta3/apps/s_server.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
||||
print_stats(bio_s_out,ctx);
|
||||
ret=0;
|
||||
end:
|
||||
diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/s_socket.c
|
||||
--- openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps 2008-11-12 04:57:47.000000000 +0100
|
||||
+++ openssl-1.0.0-beta3/apps/s_socket.c 2009-08-05 21:29:58.000000000 +0200
|
||||
@@ -96,9 +96,7 @@ static struct hostent *GetHostByName(cha
|
||||
diff -up openssl-1.0.0-beta5/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta5/apps/s_socket.c
|
||||
--- openssl-1.0.0-beta5/apps/s_socket.c.ipv6-apps 2009-08-26 13:21:50.000000000 +0200
|
||||
+++ openssl-1.0.0-beta5/apps/s_socket.c 2010-02-03 10:00:30.000000000 +0100
|
||||
@@ -102,9 +102,7 @@ static struct hostent *GetHostByName(cha
|
||||
static void ssl_sock_cleanup(void);
|
||||
#endif
|
||||
static int ssl_sock_init(void);
|
||||
@ -108,7 +108,7 @@ diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
||||
static int do_accept(int acc_sock, int *sock, char **host);
|
||||
static int host_ip(char *str, unsigned char ip[4]);
|
||||
|
||||
@@ -228,58 +226,70 @@ static int ssl_sock_init(void)
|
||||
@@ -234,58 +232,70 @@ static int ssl_sock_init(void)
|
||||
return(1);
|
||||
}
|
||||
|
||||
@ -217,7 +217,7 @@ diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
||||
{
|
||||
int sock;
|
||||
char *name = NULL;
|
||||
@@ -317,33 +327,38 @@ int do_server(int port, int type, int *r
|
||||
@@ -323,33 +333,38 @@ int do_server(int port, int type, int *r
|
||||
}
|
||||
}
|
||||
|
||||
@ -277,7 +277,7 @@ diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
||||
#if defined SOL_SOCKET && defined SO_REUSEADDR
|
||||
{
|
||||
int j = 1;
|
||||
@@ -351,36 +366,39 @@ static int init_server_long(int *sock, i
|
||||
@@ -357,36 +372,39 @@ static int init_server_long(int *sock, i
|
||||
(void *) &j, sizeof j);
|
||||
}
|
||||
#endif
|
||||
@ -337,11 +337,10 @@ diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
||||
int len;
|
||||
/* struct linger ling; */
|
||||
|
||||
@@ -425,137 +443,62 @@ redoit:
|
||||
if (i < 0) { perror("keepalive"); return(0); }
|
||||
@@ -432,136 +450,58 @@ redoit:
|
||||
*/
|
||||
|
||||
- if (host == NULL) goto end;
|
||||
if (host == NULL) goto end;
|
||||
-#ifndef BIT_FIELD_LIMITS
|
||||
- /* I should use WSAAsyncGetHostByName() under windows */
|
||||
- h1=gethostbyaddr((char *)&from.sin_addr.s_addr,
|
||||
@ -351,50 +350,44 @@ diff -up openssl-1.0.0-beta3/apps/s_socket.c.ipv6-apps openssl-1.0.0-beta3/apps/
|
||||
- sizeof(struct in_addr),AF_INET);
|
||||
-#endif
|
||||
- if (h1 == NULL)
|
||||
+ if (host == NULL)
|
||||
{
|
||||
- BIO_printf(bio_err,"bad gethostbyaddr\n");
|
||||
- *host=NULL;
|
||||
- /* return(0); */
|
||||
- }
|
||||
- else
|
||||
- {
|
||||
- if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
|
||||
- {
|
||||
- perror("OPENSSL_malloc");
|
||||
+ *sock=ret;
|
||||
return(0);
|
||||
}
|
||||
- BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
|
||||
|
||||
- h2=GetHostByName(*host);
|
||||
- if (h2 == NULL)
|
||||
+
|
||||
+ if (getnameinfo((struct sockaddr *)&from, sizeof(from),
|
||||
+ buffer, sizeof(buffer),
|
||||
+ NULL, 0, 0))
|
||||
{
|
||||
- BIO_printf(bio_err,"gethostbyname failure\n");
|
||||
- BIO_printf(bio_err,"bad gethostbyaddr\n");
|
||||
+ BIO_printf(bio_err,"getnameinfo failed\n");
|
||||
+ *host=NULL;
|
||||
*host=NULL;
|
||||
/* return(0); */
|
||||
}
|
||||
else
|
||||
{
|
||||
- if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
|
||||
+ if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL)
|
||||
{
|
||||
perror("OPENSSL_malloc");
|
||||
return(0);
|
||||
}
|
||||
- BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
|
||||
-
|
||||
- h2=GetHostByName(*host);
|
||||
- if (h2 == NULL)
|
||||
- {
|
||||
- BIO_printf(bio_err,"gethostbyname failure\n");
|
||||
- return(0);
|
||||
- }
|
||||
- i=0;
|
||||
- if (h2->h_addrtype != AF_INET)
|
||||
+ else
|
||||
{
|
||||
- {
|
||||
- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
|
||||
+ if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL)
|
||||
+ {
|
||||
+ perror("OPENSSL_malloc");
|
||||
return(0);
|
||||
}
|
||||
- return(0);
|
||||
- }
|
||||
-end:
|
||||
+ strcpy(*host, buffer);
|
||||
}
|
||||
end:
|
||||
*sock=ret;
|
||||
return(1);
|
||||
}
|
||||
+ }
|
||||
|
||||
-int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
|
||||
- short *port_ptr)
|
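Review bot: The client name that getnameinfo() writes into `buffer` is copied to `*host` as-is in the s_socket.c part of the rebased patch, and that string is reverse-DNS data published by whoever controls the peer's address space. The lines marked as removed called GetHostByName() on the name afterwards, so the forward lookup appears to be gone; the old/new columns are lost in this rendering, so this reading relies on the `+`/`-` markers inside the patch text. I would put a comment above the copy, `/* name is unverified reverse-DNS data: for display only, never for access decisions */`, and write `BUF_strlcpy(*host, buffer, strlen(buffer)+1);` in place of `strcpy(*host, buffer);` to keep the bounded copy the earlier code used. The enclosing function (apparently do_accept) starts and ends outside the visible hunks.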
11
openssl.spec
11
openssl.spec
@ -23,7 +23,7 @@
|
||||
Summary: A general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.0.0
|
||||
Release: 0.20.%{beta}%{?dist}
|
||||
Release: 0.21.%{beta}%{?dist}
|
||||
# We remove certain patented algorithms from the openssl source tarball
|
||||
# with the hobble-openssl script which is included below.
|
||||
Source: openssl-%{version}-%{beta}-usa.tar.bz2
|
||||
@ -50,7 +50,7 @@ Patch33: openssl-1.0.0-beta4-ca-dir.patch
|
||||
Patch34: openssl-0.9.6-x509.patch
|
||||
Patch35: openssl-0.9.8j-version-add-engines.patch
|
||||
Patch38: openssl-1.0.0-beta5-cipher-change.patch
|
||||
Patch39: openssl-1.0.0-beta3-ipv6-apps.patch
|
||||
Patch39: openssl-1.0.0-beta5-ipv6-apps.patch
|
||||
Patch40: openssl-1.0.0-beta5-fips.patch
|
||||
Patch41: openssl-1.0.0-beta3-fipscheck.patch
|
||||
Patch43: openssl-1.0.0-beta3-fipsmode.patch
|
||||
@ -62,6 +62,7 @@ Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
|
||||
Patch51: openssl-1.0.0-beta5-version.patch
|
||||
Patch52: openssl-1.0.0-beta4-aesni.patch
|
||||
# Backported fixes including security fixes
|
||||
Patch53: openssl-1.0.0-beta5-cleanse.patch
|
||||
|
||||
License: OpenSSL
|
||||
Group: System Environment/Libraries
|
||||
@ -140,6 +141,7 @@ from other formats to the formats used by the OpenSSL toolkit.
|
||||
%patch50 -p1 -b .dtls1-abi
|
||||
%patch51 -p1 -b .version
|
||||
%patch52 -p1 -b .aesni
|
||||
%patch53 -p1 -b .cleanse
|
||||
|
||||
# Modify the various perl scripts to reference perl in the right location.
|
||||
perl util/perlpath.pl `dirname %{__perl}`
|
||||
@ -385,6 +387,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
||||
%postun -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Fri Feb 12 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.21.beta5
|
||||
- gracefully handle zero length in assembler implementations of
|
||||
OPENSSL_cleanse (#564029)
|
||||
- do not fail in s_server if client hostname not resolvable (#561260)
|
||||
|
||||
* Wed Jan 20 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.20.beta5
|
||||
- new upstream release
|
||||
|
||||
|