From d8cd5c45d88855f1e70f4c206fc7a57a5838ca7c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?= Date: Thu, 13 Dec 2007 17:16:43 +0000 Subject: [PATCH] - set default paths when no explicit paths are set (#418771) - do not add tls extensions to client hello for SSLv3 (#422081) --- openssl-0.9.8g-default-paths.patch | 77 ++++++++++++++++++++++++++++++ openssl-0.9.8g-no-extssl.patch | 17 +++++++ openssl.spec | 10 +++- 3 files changed, 103 insertions(+), 1 deletion(-) create mode 100644 openssl-0.9.8g-default-paths.patch create mode 100644 openssl-0.9.8g-no-extssl.patch diff --git a/openssl-0.9.8g-default-paths.patch b/openssl-0.9.8g-default-paths.patch new file mode 100644 index 0000000..23fa4e1 --- /dev/null +++ b/openssl-0.9.8g-default-paths.patch @@ -0,0 +1,77 @@ +diff -up openssl-0.9.8g/apps/s_server.c.default-paths openssl-0.9.8g/apps/s_server.c +--- openssl-0.9.8g/apps/s_server.c.default-paths 2007-12-13 17:41:34.000000000 +0100 ++++ openssl-0.9.8g/apps/s_server.c 2007-12-13 17:36:58.000000000 +0100 +@@ -1077,12 +1077,13 @@ bad: + } + #endif + +- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || +- (!SSL_CTX_set_default_verify_paths(ctx))) ++ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ++ { ++ ERR_print_errors(bio_err); ++ } ++ if (!SSL_CTX_set_default_verify_paths(ctx)) + { +- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */ + ERR_print_errors(bio_err); +- /* goto end; */ + } + store = SSL_CTX_get_cert_store(ctx); + X509_STORE_set_flags(store, vflags); +@@ -1132,8 +1133,11 @@ bad: + + SSL_CTX_sess_set_cache_size(ctx2,128); + +- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) || +- (!SSL_CTX_set_default_verify_paths(ctx2))) ++ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ++ { ++ ERR_print_errors(bio_err); ++ } ++ if (!SSL_CTX_set_default_verify_paths(ctx2)) + { + ERR_print_errors(bio_err); + } +diff -up openssl-0.9.8g/apps/s_client.c.default-paths openssl-0.9.8g/apps/s_client.c +--- openssl-0.9.8g/apps/s_client.c.default-paths 2007-12-13 17:41:34.000000000 +0100 ++++ openssl-0.9.8g/apps/s_client.c 2007-12-13 17:37:34.000000000 +0100 +@@ -673,12 +673,13 @@ bad: + if (!set_cert_key_stuff(ctx,cert,key)) + goto end; + +- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || +- (!SSL_CTX_set_default_verify_paths(ctx))) ++ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ++ { ++ ERR_print_errors(bio_err); ++ } ++ if (!SSL_CTX_set_default_verify_paths(ctx)) + { +- /* BIO_printf(bio_err,"error setting default verify locations\n"); */ + ERR_print_errors(bio_err); +- /* goto end; */ + } + + store = SSL_CTX_get_cert_store(ctx); +diff -up openssl-0.9.8g/apps/s_time.c.default-paths openssl-0.9.8g/apps/s_time.c +--- openssl-0.9.8g/apps/s_time.c.default-paths 2003-12-27 15:40:17.000000000 +0100 ++++ openssl-0.9.8g/apps/s_time.c 2007-12-13 17:35:27.000000000 +0100 +@@ -476,12 +476,13 @@ int MAIN(int argc, char **argv) + + SSL_load_error_strings(); + +- if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) || +- (!SSL_CTX_set_default_verify_paths(tm_ctx))) ++ if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ++ { ++ ERR_print_errors(bio_err); ++ } ++ if (!SSL_CTX_set_default_verify_paths(tm_ctx)) + { +- /* BIO_printf(bio_err,"error setting default verify locations\n"); */ + ERR_print_errors(bio_err); +- /* goto end; */ + } + + if (tm_cipher == NULL) diff --git a/openssl-0.9.8g-no-extssl.patch b/openssl-0.9.8g-no-extssl.patch new file mode 100644 index 0000000..2f0407a --- /dev/null +++ b/openssl-0.9.8g-no-extssl.patch @@ -0,0 +1,17 @@ +Skip adding tls extensions to client hello when protocol version is +not TLS. +diff -up openssl-0.9.8g/ssl/t1_lib.c.no-extssl openssl-0.9.8g/ssl/t1_lib.c +--- openssl-0.9.8g/ssl/t1_lib.c.no-extssl 2007-10-19 09:44:10.000000000 +0200 ++++ openssl-0.9.8g/ssl/t1_lib.c 2007-12-13 17:22:10.000000000 +0100 +@@ -132,6 +132,11 @@ unsigned char *ssl_add_clienthello_tlsex + int extdatalen=0; + unsigned char *ret = p; + ++ if (s->client_version != TLS1_VERSION && s->client_version != DTLS1_VERSION) ++ { ++ return ret; ++ } ++ + ret+=2; + + if (ret>=limit) return NULL; /* this really never occurs, but ... */ diff --git a/openssl.spec b/openssl.spec index 62340ca..cc00ae0 100644 --- a/openssl.spec +++ b/openssl.spec @@ -22,7 +22,7 @@ Summary: The OpenSSL toolkit Name: openssl Version: 0.9.8g -Release: 2%{?dist} +Release: 3%{?dist} Source: openssl-%{version}-usa.tar.bz2 Source1: hobble-openssl Source2: Makefile.certificate @@ -44,6 +44,8 @@ Patch6: openssl-0.9.8b-test-use-localhost.patch # Bug fixes Patch21: openssl-0.9.8b-aliasing-bug.patch Patch22: openssl-0.9.8b-x509-name-cmp.patch +Patch23: openssl-0.9.8g-default-paths.patch +Patch24: openssl-0.9.8g-no-extssl.patch # Functionality changes Patch32: openssl-0.9.7-beta6-ia64.patch Patch33: openssl-0.9.7f-ca-dir.patch @@ -106,6 +108,8 @@ from other formats to the formats used by the OpenSSL toolkit. %patch21 -p1 -b .aliasing-bug %patch22 -p1 -b .name-cmp +%patch23 -p1 -b .default-paths +%patch24 -p1 -b .no-extssl %patch32 -p1 -b .ia64 #patch33 is applied after make test @@ -356,6 +360,10 @@ rm -rf $RPM_BUILD_ROOT/%{_bindir}/openssl_fips_fingerprint %postun -p /sbin/ldconfig %changelog +* Thu Dec 13 2007 Tomas Mraz 0.9.8g-3 +- set default paths when no explicit paths are set (#418771) +- do not add tls extensions to client hello for SSLv3 (#422081) + * Tue Dec 4 2007 Tomas Mraz 0.9.8g-2 - enable some new crypto algorithms and features - add some more important bug fixes from openssl CVS