backports from upstream CVS

fix segfault when /dev/urandom is not available (#809586)
2012-04-05 19:56:49 +02:00 · 2012-04-05 19:56:49 +02:00 · d7587a26b6
commit d7587a26b6
parent 0f0ab24176
3 changed files with 236 additions and 2 deletions
--- a/openssl-1.0.1-backport.patch
+++ b/openssl-1.0.1-backport.patch
@ -0,0 +1,226 @@
+diff -up openssl-1.0.1/apps/s_client.c.backport openssl-1.0.1/apps/s_client.c
+--- openssl-1.0.1/apps/s_client.c.backport	2012-03-14 21:15:04.736897459 +0100
+++ openssl-1.0.1/apps/s_client.c	2012-04-05 19:48:40.469998965 +0200
+@@ -622,13 +622,7 @@ int MAIN(int argc, char **argv)
+ 	SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
+ #endif
+ 
+-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
+ 	meth=SSLv23_client_method();
+-#elif !defined(OPENSSL_NO_SSL3)
+-	meth=SSLv3_client_method();
+-#elif !defined(OPENSSL_NO_SSL2)
+-	meth=SSLv2_client_method();
+-#endif
+ 
+ 	apps_startup();
+ 	c_Pause=0;
+diff -up openssl-1.0.1/apps/s_server.c.backport openssl-1.0.1/apps/s_server.c
+--- openssl-1.0.1/apps/s_server.c.backport	2012-03-14 21:15:04.690896516 +0100
+++ openssl-1.0.1/apps/s_server.c	2012-04-05 19:48:40.474999072 +0200
+@@ -969,17 +969,7 @@ int MAIN(int argc, char *argv[])
+ 	char *srpuserseed = NULL;
+ 	char *srp_verifier_file = NULL;
+ #endif
+-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
+ 	meth=SSLv23_server_method();
+-#elif !defined(OPENSSL_NO_SSL3)
+-	meth=SSLv3_server_method();
+-#elif !defined(OPENSSL_NO_SSL2)
+-	meth=SSLv2_server_method();
+-#elif !defined(OPENSSL_NO_TLS1)
+-	meth=TLSv1_server_method();
+-#else
+-  /*  #error no SSL version enabled */
+-#endif
+ 
+ 	local_argc=argc;
+ 	local_argv=argv;
+diff -up openssl-1.0.1/crypto/aes/asm/aes-armv4.pl.backport openssl-1.0.1/crypto/aes/asm/aes-armv4.pl
+--- openssl-1.0.1/crypto/aes/asm/aes-armv4.pl.backport	2012-03-14 21:15:04.777898297 +0100
+++ openssl-1.0.1/crypto/aes/asm/aes-armv4.pl	2012-04-05 19:51:35.555528155 +0200
+@@ -408,6 +408,7 @@ _armv4_AES_encrypt:
+ .type   private_AES_set_encrypt_key,%function
+ .align	5
+ private_AES_set_encrypt_key:
+_armv4_AES_set_encrypt_key:
+ 	sub	r3,pc,#8		@ AES_set_encrypt_key
+ 	teq	r0,#0
+ 	moveq	r0,#-1
+@@ -425,7 +426,7 @@ private_AES_set_encrypt_key:
+ 	bne	.Labrt
+ 
+ .Lok:	stmdb   sp!,{r4-r12,lr}
+-	sub	$tbl,r3,#private_AES_set_encrypt_key-AES_Te-1024	@ Te4
+	sub	$tbl,r3,#_armv4_AES_set_encrypt_key-AES_Te-1024	@ Te4
+ 
+ 	mov	$rounds,r0		@ inp
+ 	mov	lr,r1			@ bits
+@@ -685,7 +686,7 @@ private_AES_set_encrypt_key:
+ .align	5
+ private_AES_set_decrypt_key:
+ 	str	lr,[sp,#-4]!            @ push lr
+-	bl	private_AES_set_encrypt_key
+	bl	_armv4_AES_set_encrypt_key
+ 	teq	r0,#0
+ 	ldrne	lr,[sp],#4              @ pop lr
+ 	bne	.Labrt
+diff -up openssl-1.0.1/crypto/aes/asm/aes-s390x.pl.backport openssl-1.0.1/crypto/aes/asm/aes-s390x.pl
+--- openssl-1.0.1/crypto/aes/asm/aes-s390x.pl.backport	2012-03-14 21:15:04.782898400 +0100
+++ openssl-1.0.1/crypto/aes/asm/aes-s390x.pl	2012-04-05 19:50:41.290593267 +0200
+@@ -783,6 +783,7 @@ $code.=<<___;
+ .type	private_AES_set_encrypt_key,\@function
+ .align	16
+ private_AES_set_encrypt_key:
+_s390x_AES_set_encrypt_key:
+ 	lghi	$t0,0
+ 	cl${g}r	$inp,$t0
+ 	je	.Lminus1
+@@ -1068,7 +1069,7 @@ $code.=<<___;
+ private_AES_set_decrypt_key:
+ 	st${g}	$key,4*$SIZE_T($sp)	# I rely on AES_set_encrypt_key to
+ 	st${g}	$ra,14*$SIZE_T($sp)	# save non-volatile registers!
+-	bras	$ra,AES_set_encrypt_key
+	bras	$ra,_s390x_AES_set_encrypt_key
+ 	l${g}	$key,4*$SIZE_T($sp)
+ 	l${g}	$ra,14*$SIZE_T($sp)
+ 	ltgr	%r2,%r2
+diff -up openssl-1.0.1/crypto/aes/asm/vpaes-x86_64.pl.backport openssl-1.0.1/crypto/aes/asm/vpaes-x86_64.pl
+--- openssl-1.0.1/crypto/aes/asm/vpaes-x86_64.pl.backport	2012-03-14 21:15:04.777898297 +0100
+++ openssl-1.0.1/crypto/aes/asm/vpaes-x86_64.pl	2012-04-05 19:48:22.036603157 +0200
+@@ -263,7 +263,7 @@ _vpaes_decrypt_core:
+ 	pshufb  %xmm2,  %xmm4	# 4 = sbou
+ 	pxor	%xmm0,  %xmm4	# 4 = sb1u + k
+ 	movdqa	0x70(%r10), %xmm0	# 0 : sbot
+-	movdqa	.Lk_sr-.Lk_dsbd(%r11), %xmm2
+	movdqa	-0x160(%r11), %xmm2	# .Lk_sr-.Lk_dsbd=-0x160
+ 	pshufb  %xmm3,	%xmm0	# 0 = sb1t
+ 	pxor	%xmm4,	%xmm0	# 0 = A
+ 	pshufb	%xmm2,	%xmm0
+@@ -869,6 +869,8 @@ ${PREFIX}_cbc_encrypt:
+ ___
+ ($len,$key)=($key,$len);
+ $code.=<<___;
+	sub	\$16,$len
+	jc	.Lcbc_abort
+ ___
+ $code.=<<___ if ($win64);
+ 	lea	-0xb8(%rsp),%rsp
+@@ -887,7 +889,6 @@ ___
+ $code.=<<___;
+ 	movdqu	($ivp),%xmm6		# load IV
+ 	sub	$inp,$out
+-	sub	\$16,$len
+ 	call	_vpaes_preheat
+ 	cmp	\$0,${enc}d
+ 	je	.Lcbc_dec_loop
+@@ -932,6 +933,7 @@ $code.=<<___ if ($win64);
+ .Lcbc_epilogue:
+ ___
+ $code.=<<___;
+.Lcbc_abort:
+ 	ret
+ .size	${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt
+ ___
+diff -up openssl-1.0.1/crypto/aes/asm/vpaes-x86.pl.backport openssl-1.0.1/crypto/aes/asm/vpaes-x86.pl
+--- openssl-1.0.1/crypto/aes/asm/vpaes-x86.pl.backport	2012-03-14 21:15:04.775898257 +0100
+++ openssl-1.0.1/crypto/aes/asm/vpaes-x86.pl	2012-04-05 19:48:22.036603157 +0200
+@@ -843,6 +843,8 @@ $k_dsbo=0x2c0;		# decryption sbox final
+ 	&mov	($out,&wparam(1));		# out
+ 	&mov	($round,&wparam(2));		# len
+ 	&mov	($key,&wparam(3));		# key
+	&sub	($round,16);
+	&jc	(&label("cbc_abort"));
+ 	&lea	($base,&DWP(-56,"esp"));
+ 	&mov	($const,&wparam(4));		# ivp
+ 	&and	($base,-16);
+@@ -853,7 +855,6 @@ $k_dsbo=0x2c0;		# decryption sbox final
+ 	&mov	(&DWP(48,"esp"),$base);
+ 
+ 	&mov	(&DWP(0,"esp"),$out);		# save out
+-	&sub	($round,16);
+ 	&mov	(&DWP(4,"esp"),$key)		# save key
+ 	&mov	(&DWP(8,"esp"),$const);		# save ivp
+ 	&mov	($out,$round);			# $out works as $len
+@@ -896,6 +897,7 @@ $k_dsbo=0x2c0;		# decryption sbox final
+ 	&mov	($base,&DWP(8,"esp"));		# restore ivp
+ 	&mov	("esp",&DWP(48,"esp"));
+ 	&movdqu	(&QWP(0,$base),"xmm1");		# write IV
+&set_label("cbc_abort");
+ &function_end("${PREFIX}_cbc_encrypt");
+ 
+ &asm_finish();
+diff -up openssl-1.0.1/crypto/evp/p5_crpt.c.backport openssl-1.0.1/crypto/evp/p5_crpt.c
+--- openssl-1.0.1/crypto/evp/p5_crpt.c.backport	2011-06-03 22:52:57.000000000 +0200
+++ openssl-1.0.1/crypto/evp/p5_crpt.c	2012-04-05 19:49:01.512450795 +0200
+@@ -138,5 +138,6 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *c
+ 	OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
+ 	rv = 1;
+ 	err:
+	EVP_MD_CTX_cleanup(&ctx);
+ 	return rv;
+ }
+diff -up openssl-1.0.1/crypto/pkcs7/pk7_doit.c.backport openssl-1.0.1/crypto/pkcs7/pk7_doit.c
+--- openssl-1.0.1/crypto/pkcs7/pk7_doit.c.backport	2012-03-12 17:27:50.000000000 +0100
+++ openssl-1.0.1/crypto/pkcs7/pk7_doit.c	2012-04-05 19:49:40.591289911 +0200
+@@ -430,6 +430,8 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
+ 	STACK_OF(X509_ALGOR) *md_sk=NULL;
+ 	STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
+ 	PKCS7_RECIP_INFO *ri=NULL;
+       unsigned char *ek = NULL, *tkey = NULL;
+       int eklen = 0, tkeylen = 0;
+ 
+ 	i=OBJ_obj2nid(p7->type);
+ 	p7->state=PKCS7_S_HEADER;
+@@ -507,8 +509,6 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
+ 		int max;
+ 		X509_OBJECT ret;
+ #endif
+-		unsigned char *ek = NULL, *tkey = NULL;
+-		int eklen, tkeylen;
+ 
+ 		if ((etmp=BIO_new(BIO_f_cipher())) == NULL)
+ 			{
+@@ -609,11 +609,13 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
+ 			{
+ 			OPENSSL_cleanse(ek,eklen);
+ 			OPENSSL_free(ek);
+                       ek = NULL;
+ 			}
+ 		if (tkey)
+ 			{
+ 			OPENSSL_cleanse(tkey,tkeylen);
+ 			OPENSSL_free(tkey);
+                       tkey = NULL;
+ 			}
+ 
+ 		if (out == NULL)
+@@ -656,6 +658,16 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
+ 	if (0)
+ 		{
+ err:
+               if (ek)
+                       {
+                       OPENSSL_cleanse(ek,eklen);
+                       OPENSSL_free(ek);
+                       }
+               if (tkey)
+                       {
+                       OPENSSL_cleanse(tkey,tkeylen);
+                       OPENSSL_free(tkey);
+                       }
+ 		if (out != NULL) BIO_free_all(out);
+ 		if (btmp != NULL) BIO_free_all(btmp);
+ 		if (etmp != NULL) BIO_free_all(etmp);
+diff -up openssl-1.0.1/ssl/d1_srvr.c.backport openssl-1.0.1/ssl/d1_srvr.c
+--- openssl-1.0.1/ssl/d1_srvr.c.backport	2012-03-06 14:24:16.000000000 +0100
+++ openssl-1.0.1/ssl/d1_srvr.c	2012-04-05 19:47:36.812632091 +0200
+@@ -920,7 +920,7 @@ int dtls1_send_server_hello(SSL *s)
+ 		p=s->s3->server_random;
+ 		Time=(unsigned long)time(NULL);			/* Time */
+ 		l2n(Time,p);
+-		RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+		RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4);
+ 		/* Do the message type and length last */
+ 		d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
+ 
--- a/openssl-1.0.1-beta3-fips.patch
+++ b/openssl-1.0.1-beta3-fips.patch
@ -11341,7 +11341,7 @@ diff -up openssl-1.0.1-beta3/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.1-bet
 diff -up openssl-1.0.1-beta3/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.1-beta3/crypto/fips/fips_drbg_lib.c
 --- openssl-1.0.1-beta3/crypto/fips/fips_drbg_lib.c.fips	2012-02-29 10:33:02.794294898 +0100
 +++ openssl-1.0.1-beta3/crypto/fips/fips_drbg_lib.c	2012-02-29 10:33:02.794294898 +0100
-@@ -0,0 +1,576 @@
+@@ -0,0 +1,578 @@
 +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 + * project.
 + */
@ -11501,6 +11501,8 @@ diff -up openssl-1.0.1-beta3/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.1-beta
 +		return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
 +	rv = dctx->get_entropy(dctx, &tout, entropy + bl,
 +				min_len + bl, max_len + bl);
+	if (tout == NULL)
+		return 0;
 +	*pout = tout + bl;
 +	if (rv < (min_len + bl) || (rv % bl))
 +		return 0;
--- a/openssl.spec
+++ b/openssl.spec
@ -21,7 +21,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -64,6 +64,7 @@ Patch63: openssl-1.0.0d-xmpp-starttls.patch
 Patch65: openssl-1.0.0e-chil-fixes.patch
 # Backported fixes including security fixes
 Patch81: openssl-1.0.1-beta2-padlock64.patch
+Patch82: openssl-1.0.1-backport.patch

 License: OpenSSL
 Group: System Environment/Libraries
@ -161,6 +162,7 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch65 -p1 -b .chil

 %patch81 -p1 -b .padlock64
+%patch82 -p1 -b .backport
 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`

@ -415,6 +417,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig

 %changelog
+* Thu Apr  5 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1-2
+- backports from upstream CVS
+- fix segfault when /dev/urandom is not available (#809586)
+
 * Wed Mar 14 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1-1
 - new upstream release