minor upstream release 1.0.2e fixing moderate severity security issues

- enable fast assembler implementation for NIST P-256 and P-521
  elliptic curves (#1164210)
- filter out unwanted link options from the .pc files (#1257836)
This commit is contained in:
Tomas Mraz 2015-12-04 14:13:59 +01:00
parent a83e4d7c4a
commit 4240ecaa1b
7 changed files with 377 additions and 391 deletions

1
.gitignore vendored
View File

@ -25,3 +25,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-1.0.2a-hobbled.tar.xz /openssl-1.0.2a-hobbled.tar.xz
/openssl-1.0.2c-hobbled.tar.xz /openssl-1.0.2c-hobbled.tar.xz
/openssl-1.0.2d-hobbled.tar.xz /openssl-1.0.2d-hobbled.tar.xz
/openssl-1.0.2e-hobbled.tar.xz

View File

@ -1,17 +0,0 @@
diff -up openssl-1.0.2d/crypto/aes/asm/aesni-sha256-x86_64.pl.sigill openssl-1.0.2d/crypto/aes/asm/aesni-sha256-x86_64.pl
--- openssl-1.0.2d/crypto/aes/asm/aesni-sha256-x86_64.pl.sigill 2015-07-09 16:51:25.000000000 +0200
+++ openssl-1.0.2d/crypto/aes/asm/aesni-sha256-x86_64.pl 2015-11-16 17:43:52.554826505 +0100
@@ -139,11 +139,8 @@ $code.=<<___ if ($avx>1);
je ${func}_avx2
___
$code.=<<___;
- and \$`1<<30`,%eax # mask "Intel CPU" bit
- and \$`1<<28|1<<9`,%r10d # mask AVX+SSSE3 bits
- or %eax,%r10d
- cmp \$`1<<28|1<<9|1<<30`,%r10d
- je ${func}_avx
+ and \$`1<<28`,%r10d # check for AVX
+ jnz ${func}_avx
ud2
___
}

File diff suppressed because it is too large Load Diff

View File

@ -1,6 +1,6 @@
diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure diff -up openssl-1.0.2e/Configure.rpmbuild openssl-1.0.2e/Configure
--- openssl-1.0.2c/Configure.rpmbuild 2015-06-12 16:51:21.000000000 +0200 --- openssl-1.0.2e/Configure.rpmbuild 2015-12-03 15:04:23.000000000 +0100
+++ openssl-1.0.2c/Configure 2015-06-15 17:22:52.598496680 +0200 +++ openssl-1.0.2e/Configure 2015-12-04 13:20:22.996835604 +0100
@@ -365,8 +365,8 @@ my %table=( @@ -365,8 +365,8 @@ my %table=(
#### ####
# *-generic* is endian-neutral target, but ./config is free to # *-generic* is endian-neutral target, but ./config is free to
@ -12,7 +12,7 @@ diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure
####################################################################### #######################################################################
# Note that -march is not among compiler options in below linux-armv4 # Note that -march is not among compiler options in below linux-armv4
@@ -395,30 +395,30 @@ my %table=( @@ -395,31 +395,31 @@ my %table=(
# #
# ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8 # ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8
# #
@ -48,6 +48,7 @@ diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", -"linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", +"linux-x86_64", "gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
"linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", "linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"debug-linux-x86_64-clang", "clang: -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -g -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", "linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32", "linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
-"linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", -"linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
@ -55,7 +56,7 @@ diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure
#### So called "highgprs" target for z/Architecture CPUs #### So called "highgprs" target for z/Architecture CPUs
# "Highgprs" is kernel feature first implemented in Linux 2.6.32, see # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
# /proc/cpuinfo. The idea is to preserve most significant bits of # /proc/cpuinfo. The idea is to preserve most significant bits of
@@ -436,12 +436,12 @@ my %table=( @@ -437,12 +437,12 @@ my %table=(
#### SPARC Linux setups #### SPARC Linux setups
# Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
# assisted with debugging of following two configs. # assisted with debugging of following two configs.
@ -71,7 +72,7 @@ diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure
#### Alpha Linux with GNU C and Compaq C setups #### Alpha Linux with GNU C and Compaq C setups
# Special notes: # Special notes:
# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
@@ -1764,7 +1764,7 @@ while (<IN>) @@ -1767,7 +1767,7 @@ while (<IN>)
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/) elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
{ {
my $sotmp = $1; my $sotmp = $1;
@ -80,9 +81,9 @@ diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure
} }
elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/) elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
{ {
diff -up openssl-1.0.2c/Makefile.org.rpmbuild openssl-1.0.2c/Makefile.org diff -up openssl-1.0.2e/Makefile.org.rpmbuild openssl-1.0.2e/Makefile.org
--- openssl-1.0.2c/Makefile.org.rpmbuild 2015-06-12 16:51:21.000000000 +0200 --- openssl-1.0.2e/Makefile.org.rpmbuild 2015-12-03 15:04:23.000000000 +0100
+++ openssl-1.0.2c/Makefile.org 2015-06-15 17:19:14.874510995 +0200 +++ openssl-1.0.2e/Makefile.org 2015-12-04 13:18:44.913538616 +0100
@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY= @@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
SHLIB_MAJOR= SHLIB_MAJOR=
SHLIB_MINOR= SHLIB_MINOR=
@ -91,7 +92,7 @@ diff -up openssl-1.0.2c/Makefile.org.rpmbuild openssl-1.0.2c/Makefile.org
PLATFORM=dist PLATFORM=dist
OPTIONS= OPTIONS=
CONFIGURE_ARGS= CONFIGURE_ARGS=
@@ -338,10 +339,9 @@ clean-shared: @@ -341,10 +342,9 @@ clean-shared:
link-shared: link-shared:
@ set -e; for i in $(SHLIBDIRS); do \ @ set -e; for i in $(SHLIBDIRS); do \
$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \ $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
@ -103,7 +104,7 @@ diff -up openssl-1.0.2c/Makefile.org.rpmbuild openssl-1.0.2c/Makefile.org
done done
build-shared: do_$(SHLIB_TARGET) link-shared build-shared: do_$(SHLIB_TARGET) link-shared
@@ -352,7 +352,7 @@ do_$(SHLIB_TARGET): @@ -355,7 +355,7 @@ do_$(SHLIB_TARGET):
libs="$(LIBKRB5) $$libs"; \ libs="$(LIBKRB5) $$libs"; \
fi; \ fi; \
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \ $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \

View File

@ -1,6 +1,6 @@
diff -up openssl-1.0.2a/crypto/evp/c_allc.c.wrap openssl-1.0.2a/crypto/evp/c_allc.c diff -up openssl-1.0.2e/crypto/evp/c_allc.c.wrap openssl-1.0.2e/crypto/evp/c_allc.c
--- openssl-1.0.2a/crypto/evp/c_allc.c.wrap 2015-04-22 15:41:32.147488107 +0200 --- openssl-1.0.2e/crypto/evp/c_allc.c.wrap 2015-12-04 13:33:42.118550036 +0100
+++ openssl-1.0.2a/crypto/evp/c_allc.c 2015-04-22 15:47:25.486946239 +0200 +++ openssl-1.0.2e/crypto/evp/c_allc.c 2015-12-04 13:33:42.190551722 +0100
@@ -179,6 +179,7 @@ void OpenSSL_add_all_ciphers(void) @@ -179,6 +179,7 @@ void OpenSSL_add_all_ciphers(void)
EVP_add_cipher(EVP_aes_128_xts()); EVP_add_cipher(EVP_aes_128_xts());
EVP_add_cipher(EVP_aes_128_ccm()); EVP_add_cipher(EVP_aes_128_ccm());
@ -57,9 +57,9 @@ diff -up openssl-1.0.2a/crypto/evp/c_allc.c.wrap openssl-1.0.2a/crypto/evp/c_all
EVP_add_cipher_alias(SN_aes_256_cbc, "AES256"); EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
EVP_add_cipher_alias(SN_aes_256_cbc, "aes256"); EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
# endif # endif
diff -up openssl-1.0.2a/crypto/evp/e_aes.c.wrap openssl-1.0.2a/crypto/evp/e_aes.c diff -up openssl-1.0.2e/crypto/evp/e_aes.c.wrap openssl-1.0.2e/crypto/evp/e_aes.c
--- openssl-1.0.2a/crypto/evp/e_aes.c.wrap 2015-04-22 15:41:32.148488131 +0200 --- openssl-1.0.2e/crypto/evp/e_aes.c.wrap 2015-12-04 13:33:42.119550059 +0100
+++ openssl-1.0.2a/crypto/evp/e_aes.c 2015-04-22 15:52:21.809039506 +0200 +++ openssl-1.0.2e/crypto/evp/e_aes.c 2015-12-04 13:33:42.190551722 +0100
@@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
/* ==================================================================== /* ====================================================================
- * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. - * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
@ -67,7 +67,7 @@ diff -up openssl-1.0.2a/crypto/evp/e_aes.c.wrap openssl-1.0.2a/crypto/evp/e_aes.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@@ -1952,7 +1952,7 @@ static int aes_wrap_init_key(EVP_CIPHER_ @@ -1953,7 +1953,7 @@ static int aes_wrap_init_key(EVP_CIPHER_
wctx->iv = NULL; wctx->iv = NULL;
} }
if (iv) { if (iv) {
@ -76,7 +76,7 @@ diff -up openssl-1.0.2a/crypto/evp/e_aes.c.wrap openssl-1.0.2a/crypto/evp/e_aes.
wctx->iv = ctx->iv; wctx->iv = ctx->iv;
} }
return 1; return 1;
@@ -1963,30 +1963,57 @@ static int aes_wrap_cipher(EVP_CIPHER_CT @@ -1964,30 +1964,57 @@ static int aes_wrap_cipher(EVP_CIPHER_CT
{ {
EVP_AES_WRAP_CTX *wctx = ctx->cipher_data; EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
size_t rv; size_t rv;
@ -142,7 +142,7 @@ diff -up openssl-1.0.2a/crypto/evp/e_aes.c.wrap openssl-1.0.2a/crypto/evp/e_aes.
| EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1) | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
@@ -2031,3 +2058,45 @@ const EVP_CIPHER *EVP_aes_256_wrap(void) @@ -2032,3 +2059,45 @@ const EVP_CIPHER *EVP_aes_256_wrap(void)
{ {
return &aes_256_wrap; return &aes_256_wrap;
} }
@ -188,10 +188,10 @@ diff -up openssl-1.0.2a/crypto/evp/e_aes.c.wrap openssl-1.0.2a/crypto/evp/e_aes.
+{ +{
+ return &aes_256_wrap_pad; + return &aes_256_wrap_pad;
+} +}
diff -up openssl-1.0.2a/crypto/evp/e_des3.c.wrap openssl-1.0.2a/crypto/evp/e_des3.c diff -up openssl-1.0.2e/crypto/evp/e_des3.c.wrap openssl-1.0.2e/crypto/evp/e_des3.c
--- openssl-1.0.2a/crypto/evp/e_des3.c.wrap 2015-04-22 15:41:40.301683300 +0200 --- openssl-1.0.2e/crypto/evp/e_des3.c.wrap 2015-12-04 13:33:42.119550059 +0100
+++ openssl-1.0.2a/crypto/evp/e_des3.c 2015-04-22 15:53:39.529899964 +0200 +++ openssl-1.0.2e/crypto/evp/e_des3.c 2015-12-04 13:33:42.191551745 +0100
@@ -473,7 +473,7 @@ static const EVP_CIPHER des3_wrap = { @@ -474,7 +474,7 @@ static const EVP_CIPHER des3_wrap = {
NID_id_smime_alg_CMS3DESwrap, NID_id_smime_alg_CMS3DESwrap,
8, 24, 0, 8, 24, 0,
EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
@ -200,10 +200,10 @@ diff -up openssl-1.0.2a/crypto/evp/e_des3.c.wrap openssl-1.0.2a/crypto/evp/e_des
des_ede3_init_key, des_ede3_wrap_cipher, des_ede3_init_key, des_ede3_wrap_cipher,
NULL, NULL,
sizeof(DES_EDE_KEY), sizeof(DES_EDE_KEY),
diff -up openssl-1.0.2a/crypto/evp/evp.h.wrap openssl-1.0.2a/crypto/evp/evp.h diff -up openssl-1.0.2e/crypto/evp/evp.h.wrap openssl-1.0.2e/crypto/evp/evp.h
--- openssl-1.0.2a/crypto/evp/evp.h.wrap 2015-04-22 19:30:57.000000000 +0200 --- openssl-1.0.2e/crypto/evp/evp.h.wrap 2015-12-04 13:33:42.120550083 +0100
+++ openssl-1.0.2a/crypto/evp/evp.h 2015-04-22 19:51:06.352832516 +0200 +++ openssl-1.0.2e/crypto/evp/evp.h 2015-12-04 13:33:42.191551745 +0100
@@ -832,6 +832,7 @@ const EVP_CIPHER *EVP_aes_128_ccm(void); @@ -834,6 +834,7 @@ const EVP_CIPHER *EVP_aes_128_ccm(void);
const EVP_CIPHER *EVP_aes_128_gcm(void); const EVP_CIPHER *EVP_aes_128_gcm(void);
const EVP_CIPHER *EVP_aes_128_xts(void); const EVP_CIPHER *EVP_aes_128_xts(void);
const EVP_CIPHER *EVP_aes_128_wrap(void); const EVP_CIPHER *EVP_aes_128_wrap(void);
@ -211,7 +211,7 @@ diff -up openssl-1.0.2a/crypto/evp/evp.h.wrap openssl-1.0.2a/crypto/evp/evp.h
const EVP_CIPHER *EVP_aes_192_ecb(void); const EVP_CIPHER *EVP_aes_192_ecb(void);
const EVP_CIPHER *EVP_aes_192_cbc(void); const EVP_CIPHER *EVP_aes_192_cbc(void);
const EVP_CIPHER *EVP_aes_192_cfb1(void); const EVP_CIPHER *EVP_aes_192_cfb1(void);
@@ -843,6 +844,7 @@ const EVP_CIPHER *EVP_aes_192_ctr(void); @@ -845,6 +846,7 @@ const EVP_CIPHER *EVP_aes_192_ctr(void);
const EVP_CIPHER *EVP_aes_192_ccm(void); const EVP_CIPHER *EVP_aes_192_ccm(void);
const EVP_CIPHER *EVP_aes_192_gcm(void); const EVP_CIPHER *EVP_aes_192_gcm(void);
const EVP_CIPHER *EVP_aes_192_wrap(void); const EVP_CIPHER *EVP_aes_192_wrap(void);
@ -219,7 +219,7 @@ diff -up openssl-1.0.2a/crypto/evp/evp.h.wrap openssl-1.0.2a/crypto/evp/evp.h
const EVP_CIPHER *EVP_aes_256_ecb(void); const EVP_CIPHER *EVP_aes_256_ecb(void);
const EVP_CIPHER *EVP_aes_256_cbc(void); const EVP_CIPHER *EVP_aes_256_cbc(void);
const EVP_CIPHER *EVP_aes_256_cfb1(void); const EVP_CIPHER *EVP_aes_256_cfb1(void);
@@ -855,6 +857,7 @@ const EVP_CIPHER *EVP_aes_256_ccm(void); @@ -857,6 +859,7 @@ const EVP_CIPHER *EVP_aes_256_ccm(void);
const EVP_CIPHER *EVP_aes_256_gcm(void); const EVP_CIPHER *EVP_aes_256_gcm(void);
const EVP_CIPHER *EVP_aes_256_xts(void); const EVP_CIPHER *EVP_aes_256_xts(void);
const EVP_CIPHER *EVP_aes_256_wrap(void); const EVP_CIPHER *EVP_aes_256_wrap(void);
@ -227,9 +227,9 @@ diff -up openssl-1.0.2a/crypto/evp/evp.h.wrap openssl-1.0.2a/crypto/evp/evp.h
# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) # if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void); const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void);
const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void); const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void);
diff -up openssl-1.0.2a/crypto/evp/evptests.txt.wrap openssl-1.0.2a/crypto/evp/evptests.txt diff -up openssl-1.0.2e/crypto/evp/evptests.txt.wrap openssl-1.0.2e/crypto/evp/evptests.txt
--- openssl-1.0.2a/crypto/evp/evptests.txt.wrap 2015-04-22 15:41:47.194848307 +0200 --- openssl-1.0.2e/crypto/evp/evptests.txt.wrap 2015-12-03 15:04:23.000000000 +0100
+++ openssl-1.0.2a/crypto/evp/evptests.txt 2015-04-22 16:01:08.174540977 +0200 +++ openssl-1.0.2e/crypto/evp/evptests.txt 2015-12-04 13:33:42.191551745 +0100
@@ -399,3 +399,7 @@ id-aes256-wrap:000102030405060708090A0B0 @@ -399,3 +399,7 @@ id-aes256-wrap:000102030405060708090A0B0
id-aes192-wrap:000102030405060708090A0B0C0D0E0F1011121314151617::00112233445566778899AABBCCDDEEFF0001020304050607:031D33264E15D33268F24EC260743EDCE1C6C7DDEE725A936BA814915C6762D2 id-aes192-wrap:000102030405060708090A0B0C0D0E0F1011121314151617::00112233445566778899AABBCCDDEEFF0001020304050607:031D33264E15D33268F24EC260743EDCE1C6C7DDEE725A936BA814915C6762D2
id-aes256-wrap:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F::00112233445566778899AABBCCDDEEFF0001020304050607:A8F9BC1612C68B3FF6E6F4FBE30E71E4769C8B80A32CB8958CD5D17D6B254DA1 id-aes256-wrap:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F::00112233445566778899AABBCCDDEEFF0001020304050607:A8F9BC1612C68B3FF6E6F4FBE30E71E4769C8B80A32CB8958CD5D17D6B254DA1
@ -238,9 +238,9 @@ diff -up openssl-1.0.2a/crypto/evp/evptests.txt.wrap openssl-1.0.2a/crypto/evp/e
+id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::c37b7e6492584340bed12207808941155068f738:138bdeaa9b8fa7fc61f97742e72248ee5ae6ae5360d1ae6a5f54f373fa543b6a +id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::c37b7e6492584340bed12207808941155068f738:138bdeaa9b8fa7fc61f97742e72248ee5ae6ae5360d1ae6a5f54f373fa543b6a
+id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::466f7250617369:afbeb0f07dfbf5419200f2ccb50bb24f +id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::466f7250617369:afbeb0f07dfbf5419200f2ccb50bb24f
+ +
diff -up openssl-1.0.2a/crypto/modes/modes.h.wrap openssl-1.0.2a/crypto/modes/modes.h diff -up openssl-1.0.2e/crypto/modes/modes.h.wrap openssl-1.0.2e/crypto/modes/modes.h
--- openssl-1.0.2a/crypto/modes/modes.h.wrap 2015-04-22 15:41:49.228896997 +0200 --- openssl-1.0.2e/crypto/modes/modes.h.wrap 2015-12-04 13:33:41.770541886 +0100
+++ openssl-1.0.2a/crypto/modes/modes.h 2015-04-22 16:03:40.724152855 +0200 +++ openssl-1.0.2e/crypto/modes/modes.h 2015-12-04 13:33:42.191551745 +0100
@@ -157,6 +157,12 @@ size_t CRYPTO_128_unwrap(void *key, cons @@ -157,6 +157,12 @@ size_t CRYPTO_128_unwrap(void *key, cons
unsigned char *out, unsigned char *out,
const unsigned char *in, size_t inlen, const unsigned char *in, size_t inlen,
@ -254,9 +254,9 @@ diff -up openssl-1.0.2a/crypto/modes/modes.h.wrap openssl-1.0.2a/crypto/modes/mo
#ifdef __cplusplus #ifdef __cplusplus
} }
diff -up openssl-1.0.2a/crypto/modes/wrap128.c.wrap openssl-1.0.2a/crypto/modes/wrap128.c diff -up openssl-1.0.2e/crypto/modes/wrap128.c.wrap openssl-1.0.2e/crypto/modes/wrap128.c
--- openssl-1.0.2a/crypto/modes/wrap128.c.wrap 2015-03-19 14:30:36.000000000 +0100 --- openssl-1.0.2e/crypto/modes/wrap128.c.wrap 2015-12-03 15:04:23.000000000 +0100
+++ openssl-1.0.2a/crypto/modes/wrap128.c 2015-04-22 16:06:16.798848197 +0200 +++ openssl-1.0.2e/crypto/modes/wrap128.c 2015-12-04 13:37:51.486366984 +0100
@@ -2,6 +2,7 @@ @@ -2,6 +2,7 @@
/* /*
* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
@ -312,7 +312,7 @@ diff -up openssl-1.0.2a/crypto/modes/wrap128.c.wrap openssl-1.0.2a/crypto/modes/
size_t CRYPTO_128_wrap(void *key, const unsigned char *iv, size_t CRYPTO_128_wrap(void *key, const unsigned char *iv,
unsigned char *out, unsigned char *out,
const unsigned char *in, size_t inlen, const unsigned char *in, size_t inlen,
@@ -72,11 +98,11 @@ size_t CRYPTO_128_wrap(void *key, const @@ -72,7 +98,7 @@ size_t CRYPTO_128_wrap(void *key, const
{ {
unsigned char *A, B[16], *R; unsigned char *A, B[16], *R;
size_t i, j, t; size_t i, j, t;
@ -321,11 +321,6 @@ diff -up openssl-1.0.2a/crypto/modes/wrap128.c.wrap openssl-1.0.2a/crypto/modes/
return 0; return 0;
A = B; A = B;
t = 1; t = 1;
- memcpy(out + 8, in, inlen);
+ memmove(out + 8, in, inlen);
if (!iv)
iv = default_iv;
@@ -100,7 +126,23 @@ size_t CRYPTO_128_wrap(void *key, const @@ -100,7 +126,23 @@ size_t CRYPTO_128_wrap(void *key, const
return inlen + 8; return inlen + 8;
} }
@ -351,15 +346,6 @@ diff -up openssl-1.0.2a/crypto/modes/wrap128.c.wrap openssl-1.0.2a/crypto/modes/
unsigned char *out, unsigned char *out,
const unsigned char *in, size_t inlen, const unsigned char *in, size_t inlen,
block128_f block) block128_f block)
@@ -113,7 +155,7 @@ size_t CRYPTO_128_unwrap(void *key, cons
A = B;
t = 6 * (inlen >> 3);
memcpy(A, in, 8);
- memcpy(out, in + 8, inlen);
+ memmove(out, in + 8, inlen);
for (j = 0; j < 6; j++) {
R = out + inlen - 8;
for (i = 0; i < inlen; i += 8, t--, R -= 8) {
@@ -128,11 +170,190 @@ size_t CRYPTO_128_unwrap(void *key, cons @@ -128,11 +170,190 @@ size_t CRYPTO_128_unwrap(void *key, cons
memcpy(R, B + 8, 8); memcpy(R, B + 8, 8);
} }

View File

@ -22,8 +22,8 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 1.0.2d Version: 1.0.2e
Release: 3%{?dist} Release: 1%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -40,7 +40,7 @@ Source11: README.FIPS
Source12: ec_curve.c Source12: ec_curve.c
Source13: ectest.c Source13: ectest.c
# Build changes # Build changes
Patch1: openssl-1.0.2c-rpmbuild.patch Patch1: openssl-1.0.2e-rpmbuild.patch
Patch2: openssl-1.0.2a-defaults.patch Patch2: openssl-1.0.2a-defaults.patch
Patch4: openssl-1.0.2a-enginesdir.patch Patch4: openssl-1.0.2a-enginesdir.patch
Patch5: openssl-1.0.2a-no-rpath.patch Patch5: openssl-1.0.2a-no-rpath.patch
@ -56,7 +56,7 @@ Patch33: openssl-1.0.0-beta4-ca-dir.patch
Patch34: openssl-1.0.2a-x509.patch Patch34: openssl-1.0.2a-x509.patch
Patch35: openssl-1.0.2a-version-add-engines.patch Patch35: openssl-1.0.2a-version-add-engines.patch
Patch39: openssl-1.0.2a-ipv6-apps.patch Patch39: openssl-1.0.2a-ipv6-apps.patch
Patch40: openssl-1.0.2c-fips.patch Patch40: openssl-1.0.2e-fips.patch
Patch45: openssl-1.0.2a-env-zlib.patch Patch45: openssl-1.0.2a-env-zlib.patch
Patch47: openssl-1.0.2a-readme-warning.patch Patch47: openssl-1.0.2a-readme-warning.patch
Patch49: openssl-1.0.1i-algo-doc.patch Patch49: openssl-1.0.1i-algo-doc.patch
@ -83,10 +83,9 @@ Patch92: openssl-1.0.2a-system-cipherlist.patch
Patch93: openssl-1.0.2a-disable-sslv2v3.patch Patch93: openssl-1.0.2a-disable-sslv2v3.patch
Patch94: openssl-1.0.2d-secp256k1.patch Patch94: openssl-1.0.2d-secp256k1.patch
# Backported fixes including security fixes # Backported fixes including security fixes
Patch80: openssl-1.0.2a-wrap-pad.patch Patch80: openssl-1.0.2e-wrap-pad.patch
Patch81: openssl-1.0.2a-padlock64.patch Patch81: openssl-1.0.2a-padlock64.patch
Patch82: openssl-1.0.2c-trusted-first-doc.patch Patch82: openssl-1.0.2c-trusted-first-doc.patch
Patch83: openssl-1.0.2d-amd-sigill.patch
License: OpenSSL License: OpenSSL
Group: System Environment/Libraries Group: System Environment/Libraries
@ -208,7 +207,6 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch80 -p1 -b .wrap %patch80 -p1 -b .wrap
%patch81 -p1 -b .padlock64 %patch81 -p1 -b .padlock64
%patch82 -p1 -b .trusted-first %patch82 -p1 -b .trusted-first
%patch83 -p1 -b .sigill
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
@ -270,7 +268,8 @@ sslarch="linux-ppc64le"
--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \ --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \ --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \ zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
enable-cms enable-md2 no-mdc2 no-rc5 no-ec2m no-gost no-srp \ enable-cms enable-md2 enable-ec_nistp_64_gcc_128 \
no-mdc2 no-rc5 no-ec2m no-gost no-srp \
--with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \ --with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \
--with-krb5-dir=/usr shared ${sslarch} %{?!nofips:fips} --with-krb5-dir=/usr shared ${sslarch} %{?!nofips:fips}
@ -288,6 +287,11 @@ make rehash
# Overwrite FIPS README # Overwrite FIPS README
cp -f %{SOURCE11} . cp -f %{SOURCE11} .
# Clean up the .pc files
for i in libcrypto.pc libssl.pc openssl.pc ; do
sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
done
%check %check
# Verify that what was compiled actually works. # Verify that what was compiled actually works.
@ -479,6 +483,12 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig %postun libs -p /sbin/ldconfig
%changelog %changelog
* Fri Dec 4 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.2e-1
- minor upstream release 1.0.2e fixing moderate severity security issues
- enable fast assembler implementation for NIST P-256 and P-521
elliptic curves (#1164210)
- filter out unwanted link options from the .pc files (#1257836)
* Mon Nov 16 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.2d-3 * Mon Nov 16 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.2d-3
- fix sigill on some AMD CPUs (#1278194) - fix sigill on some AMD CPUs (#1278194)

View File

@ -1 +1 @@
e777c33ca529b963d5457a21cb11d6c3 openssl-1.0.2d-hobbled.tar.xz 882f4ac893554b8fe2817085de6f92d9 openssl-1.0.2e-hobbled.tar.xz