forked from rpms/openssl
- add better error reporting for the unsafe renegotiation
This commit is contained in:
parent
359f84cd81
commit
c9026def03
93
openssl-1.0.0-beta4-reneg-err.patch
Normal file
93
openssl-1.0.0-beta4-reneg-err.patch
Normal file
@ -0,0 +1,93 @@
|
|||||||
|
Better error reporting for unsafe renegotiation.
|
||||||
|
diff -up openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err openssl-1.0.0-beta4/ssl/ssl_err.c
|
||||||
|
--- openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err 2009-11-09 19:45:42.000000000 +0100
|
||||||
|
+++ openssl-1.0.0-beta4/ssl/ssl_err.c 2009-11-20 17:56:57.000000000 +0100
|
||||||
|
@@ -226,7 +226,9 @@ static ERR_STRING_DATA SSL_str_functs[]=
|
||||||
|
{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"},
|
||||||
|
{ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"},
|
||||||
|
{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"},
|
||||||
|
+{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT), "SSL_PARSE_CLIENTHELLO_TLSEXT"},
|
||||||
|
{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"},
|
||||||
|
+{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT), "SSL_PARSE_SERVERHELLO_TLSEXT"},
|
||||||
|
{ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"},
|
||||||
|
{ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT), "SSL_PREPARE_CLIENTHELLO_TLSEXT"},
|
||||||
|
{ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT), "SSL_PREPARE_SERVERHELLO_TLSEXT"},
|
||||||
|
@@ -526,6 +528,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
|
||||||
|
{ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
|
||||||
|
{ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION) ,"unknown ssl version"},
|
||||||
|
{ERR_REASON(SSL_R_UNKNOWN_STATE) ,"unknown state"},
|
||||||
|
+{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"},
|
||||||
|
{ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"},
|
||||||
|
{ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
|
||||||
|
{ERR_REASON(SSL_R_UNSUPPORTED_DIGEST_TYPE),"unsupported digest type"},
|
||||||
|
diff -up openssl-1.0.0-beta4/ssl/ssl.h.reneg-err openssl-1.0.0-beta4/ssl/ssl.h
|
||||||
|
--- openssl-1.0.0-beta4/ssl/ssl.h.reneg-err 2009-11-12 15:17:29.000000000 +0100
|
||||||
|
+++ openssl-1.0.0-beta4/ssl/ssl.h 2009-11-20 17:56:57.000000000 +0100
|
||||||
|
@@ -1934,7 +1934,9 @@ void ERR_load_SSL_strings(void);
|
||||||
|
#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
|
||||||
|
#define SSL_F_SSL_NEW 186
|
||||||
|
#define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 300
|
||||||
|
+#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 302
|
||||||
|
#define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 301
|
||||||
|
+#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 303
|
||||||
|
#define SSL_F_SSL_PEEK 270
|
||||||
|
#define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT 281
|
||||||
|
#define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT 282
|
||||||
|
@@ -2231,6 +2233,7 @@ void ERR_load_SSL_strings(void);
|
||||||
|
#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253
|
||||||
|
#define SSL_R_UNKNOWN_SSL_VERSION 254
|
||||||
|
#define SSL_R_UNKNOWN_STATE 255
|
||||||
|
+#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 338
|
||||||
|
#define SSL_R_UNSUPPORTED_CIPHER 256
|
||||||
|
#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257
|
||||||
|
#define SSL_R_UNSUPPORTED_DIGEST_TYPE 326
|
||||||
|
diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err openssl-1.0.0-beta4/ssl/s23_srvr.c
|
||||||
|
--- openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err 2009-11-12 15:17:29.000000000 +0100
|
||||||
|
+++ openssl-1.0.0-beta4/ssl/s23_srvr.c 2009-11-20 17:57:23.000000000 +0100
|
||||||
|
@@ -497,6 +497,11 @@ int ssl23_get_client_hello(SSL *s)
|
||||||
|
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
|
||||||
|
goto err;
|
||||||
|
#else
|
||||||
|
+ if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
|
||||||
|
+ {
|
||||||
|
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
/* we are talking sslv2 */
|
||||||
|
/* we need to clean up the SSLv3/TLSv1 setup and put in the
|
||||||
|
* sslv2 stuff. */
|
||||||
|
diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err openssl-1.0.0-beta4/ssl/t1_lib.c
|
||||||
|
--- openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err 2009-11-18 14:04:19.000000000 +0100
|
||||||
|
+++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-20 17:56:57.000000000 +0100
|
||||||
|
@@ -636,6 +636,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
|
||||||
|
{
|
||||||
|
/* We should always see one extension: the renegotiate extension */
|
||||||
|
*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
||||||
|
+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
return 1;
|
||||||
|
@@ -965,6 +966,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
|
||||||
|
if (s->new_session && !renegotiate_seen
|
||||||
|
&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
|
||||||
|
{
|
||||||
|
+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
|
||||||
|
*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
@@ -993,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
|
||||||
|
{
|
||||||
|
/* We should always see one extension: the renegotiate extension */
|
||||||
|
*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
||||||
|
+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
@@ -1133,6 +1136,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
|
||||||
|
&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
|
||||||
|
{
|
||||||
|
*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
|
||||||
|
+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
#endif
|
@ -23,7 +23,7 @@
|
|||||||
Summary: A general purpose cryptography library with TLS implementation
|
Summary: A general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 1.0.0
|
Version: 1.0.0
|
||||||
Release: 0.14.%{beta}%{?dist}
|
Release: 0.15.%{beta}%{?dist}
|
||||||
# We remove certain patented algorithms from the openssl source tarball
|
# We remove certain patented algorithms from the openssl source tarball
|
||||||
# with the hobble-openssl script which is included below.
|
# with the hobble-openssl script which is included below.
|
||||||
Source: openssl-%{version}-%{beta}-usa.tar.bz2
|
Source: openssl-%{version}-%{beta}-usa.tar.bz2
|
||||||
@ -66,6 +66,7 @@ Patch60: openssl-1.0.0-beta4-reneg.patch
|
|||||||
# This one is not backported but has to be applied after reneg patch
|
# This one is not backported but has to be applied after reneg patch
|
||||||
Patch61: openssl-1.0.0-beta4-client-reneg.patch
|
Patch61: openssl-1.0.0-beta4-client-reneg.patch
|
||||||
Patch62: openssl-1.0.0-beta4-backports.patch
|
Patch62: openssl-1.0.0-beta4-backports.patch
|
||||||
|
Patch63: openssl-1.0.0-beta4-reneg-err.patch
|
||||||
|
|
||||||
License: OpenSSL
|
License: OpenSSL
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
@ -148,6 +149,7 @@ from other formats to the formats used by the OpenSSL toolkit.
|
|||||||
%patch60 -p1 -b .reneg
|
%patch60 -p1 -b .reneg
|
||||||
%patch61 -p1 -b .client-reneg
|
%patch61 -p1 -b .client-reneg
|
||||||
%patch62 -p1 -b .backports
|
%patch62 -p1 -b .backports
|
||||||
|
%patch63 -p1 -b .reneg-err
|
||||||
|
|
||||||
# Modify the various perl scripts to reference perl in the right location.
|
# Modify the various perl scripts to reference perl in the right location.
|
||||||
perl util/perlpath.pl `dirname %{__perl}`
|
perl util/perlpath.pl `dirname %{__perl}`
|
||||||
@ -396,6 +398,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||||||
%postun -p /sbin/ldconfig
|
%postun -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Nov 20 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.15.beta4
|
||||||
|
- add better error reporting for the unsafe renegotiation
|
||||||
|
|
||||||
* Fri Nov 20 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.14.beta4
|
* Fri Nov 20 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.14.beta4
|
||||||
- fix build on s390x
|
- fix build on s390x
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user