From 5b761f5986c741b330e72b190d10343e72b8278c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?=
Date: Wed, 18 Nov 2009 13:14:13 +0000
Subject: [PATCH] - disable enforcement of the renegotiation extension on the client (#537962) - add fixes from the current upstream snapshot
---
openssl-1.0.0-beta4-backports.patch | 45 ++++++++++++++++++++++++++
openssl-1.0.0-beta4-client-reneg.patch | 35 ++++++++++++++++++++
openssl.spec | 11 ++++++-
3 files changed, 90 insertions(+), 1 deletion(-)
create mode 100644 openssl-1.0.0-beta4-backports.patch
create mode 100644 openssl-1.0.0-beta4-client-reneg.patch
diff --git a/openssl-1.0.0-beta4-backports.patch b/openssl-1.0.0-beta4-backports.patch
new file mode 100644
index 0000000..ad4c7e4
--- /dev/null
+++ b/openssl-1.0.0-beta4-backports.patch
@@ -0,0 +1,45 @@
+diff -up openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c.backports openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c
+--- openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c.backports 2008-11-12 04:57:49.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c 2009-11-18 14:11:14.000000000 +0100
+@@ -87,9 +87,13 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PK
+ }
+ else ret= *a;
+
+- ret->save_type=type;
+- ret->type=EVP_PKEY_type(type);
+- switch (ret->type)
++ if (!EVP_PKEY_set_type(ret, type))
++ {
++ ASN1err(ASN1_F_D2I_PUBLICKEY,ERR_R_EVP_LIB);
++ goto err;
++ }
++
++ switch (EVP_PKEY_id(ret))
+ {
+ #ifndef OPENSSL_NO_RSA
+ case EVP_PKEY_RSA:
+diff -up openssl-1.0.0-beta4/crypto/evp/p_lib.c.backports openssl-1.0.0-beta4/crypto/evp/p_lib.c
+--- openssl-1.0.0-beta4/crypto/evp/p_lib.c.backports 2006-07-04 22:27:44.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/evp/p_lib.c 2009-11-18 14:11:26.000000000 +0100
+@@ -220,7 +220,10 @@ static int pkey_set_type(EVP_PKEY *pkey,
+ #ifndef OPENSSL_NO_ENGINE
+ /* If we have an ENGINE release it */
+ if (pkey->engine)
++ {
+ ENGINE_finish(pkey->engine);
++ pkey->engine = NULL;
++ }
+ #endif
+ }
+ if (str)
+diff -up openssl-1.0.0-beta4/crypto/x509/x509_vfy.c.backports openssl-1.0.0-beta4/crypto/x509/x509_vfy.c
+--- openssl-1.0.0-beta4/crypto/x509/x509_vfy.c.backports 2009-10-31 20:21:47.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/x509/x509_vfy.c 2009-11-18 14:11:31.000000000 +0100
+@@ -1727,6 +1727,7 @@ int X509_cmp_time(const ASN1_TIME *ctm,
+ offset= -offset;
+ }
+ atm.type=ctm->type;
++ atm.flags = 0;
+ atm.length=sizeof(buff2);
+ atm.data=(unsigned char *)buff2;
+
diff --git a/openssl-1.0.0-beta4-client-reneg.patch b/openssl-1.0.0-beta4-client-reneg.patch
new file mode 100644
index 0000000..11b9ab7
--- /dev/null
+++ b/openssl-1.0.0-beta4-client-reneg.patch
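Review bot: The new openssl-1.0.0-beta4-backports.patch bundles three unrelated fixes (d2i_PublicKey, pkey_set_type, X509_cmp_time) with no header saying what each one fixes or which upstream snapshot it was taken from, unlike the client-reneg patch, which opens with a one-line rationale. For a crypto library this makes later audits harder, for example when someone has to decide whether the stale `pkey->engine` pointer left behind by `ENGINE_finish()` is already fixed in this build. I would add a short header at the top of the patch file, e.g. `Backports from the upstream snapshot: use EVP_PKEY_set_type in d2i_PublicKey; clear pkey->engine after ENGINE_finish; initialise atm.flags in X509_cmp_time.` All three inner hunks cut through functions whose bodies continue outside the hunk.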
@@ -0,0 +1,35 @@
+Do not enforce the renegotiation extension on the client - too many broken servers remain.
+diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.client-reneg openssl-1.0.0-beta4/ssl/t1_lib.c
+--- openssl-1.0.0-beta4/ssl/t1_lib.c.client-reneg 2009-11-12 15:17:29.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-18 14:04:19.000000000 +0100
+@@ -985,6 +985,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+
+ if (data >= (d+n-2))
+ {
++#if 0
+ /* Because the client does not see any renegotiation during an
+ attack, we must enforce this on all server hellos, even the
+ first */
+@@ -994,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+ return 0;
+ }
++#endif
+ return 1;
+ }
+
+@@ -1126,12 +1128,14 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ return 0;
+ }
+
++#if 0
+ if (!renegotiate_seen
+ && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ {
+ *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+ return 0;
+ }
++#endif
+
+ if (!s->hit && tlsext_servername == 1)
+ {
diff --git a/openssl.spec b/openssl.spec
index 62d1c52..8f1d2ba 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -23,7 +23,7 @@ Summary: A general purpose cryptography library with TLS implementation Name: openssl Version: 1.0.0 -Release: 0.12.%{beta}%{?dist} +Release: 0.13.%{beta}%{?dist} # We remove certain patented algorithms from the openssl source tarball # with the hobble-openssl script which is included below. Source: openssl-%{version}-%{beta}-usa.tar.bz2
@@ -63,6 +63,9 @@ Patch50: openssl-1.0.0-beta4-dtls1-abi.patch Patch51: openssl-1.0.0-beta4-version.patch # Backported fixes including security fixes Patch60: openssl-1.0.0-beta4-reneg.patch +# This one is not backported but has to be applied after reneg patch +Patch61: openssl-1.0.0-beta4-client-reneg.patch +Patch62: openssl-1.0.0-beta4-backports.patch License: OpenSSL Group: System Environment/Libraries
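Review bot: Both `#if 0` regions in ssl_parse_serverhello_tlsext compile the missing-extension check out unconditionally, so a client application that wants to refuse servers lacking the renegotiation extension can no longer ask for that. In the second region the visible test on `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` becomes dead code, which makes that option a no-op at this point of the client path. The comment kept inside the first region still says the check must be enforced on every server hello, which now contradicts the code; if the check cannot stay behind an explicit runtime opt-in, at least replace that comment with something like `/* Enforcement disabled for interoperability (#537962): the client accepts server hellos that omit the renegotiation extension */`. The first region opens in the inner hunk at 985 and closes in the one at 994, the guarded condition between them is not shown, and the function continues outside all three hunks.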
@@ -143,6 +146,8 @@ from other formats to the formats used by the OpenSSL toolkit. %patch51 -p1 -b .version %patch60 -p1 -b .reneg +%patch61 -p1 -b .client-reneg +%patch62 -p1 -b .backports # Modify the various perl scripts to reference perl in the right location. perl util/perlpath.pl `dirname %{__perl}`
@@ -391,6 +396,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun -p /sbin/ldconfig %changelog +* Wed Nov 18 2009 Tomas Mraz 1.0.0-0.13.beta4 +- disable enforcement of the renegotiation extension on the client (#537962) +- add fixes from the current upstream snapshot + * Fri Nov 13 2009 Tomas Mraz 1.0.0-0.12.beta4 - keep the beta status in version number at 3 so we do not have to rebuild openssh and possibly other dependencies with too strict version check