diff --git a/openssl-1.0.1-backport.patch b/openssl-1.0.1-backport.patch
new file mode 100644
index 0000000..baaf40f
--- /dev/null
+++ b/openssl-1.0.1-backport.patch
@@ -0,0 +1,226 @@
+diff -up openssl-1.0.1/apps/s_client.c.backport openssl-1.0.1/apps/s_client.c
+--- openssl-1.0.1/apps/s_client.c.backport 2012-03-14 21:15:04.736897459 +0100
++++ openssl-1.0.1/apps/s_client.c 2012-04-05 19:48:40.469998965 +0200
+@@ -622,13 +622,7 @@ int MAIN(int argc, char **argv)
+ SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
+ #endif
+
+-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
+ meth=SSLv23_client_method();
+-#elif !defined(OPENSSL_NO_SSL3)
+- meth=SSLv3_client_method();
+-#elif !defined(OPENSSL_NO_SSL2)
+- meth=SSLv2_client_method();
+-#endif
+
+ apps_startup();
+ c_Pause=0;
+diff -up openssl-1.0.1/apps/s_server.c.backport openssl-1.0.1/apps/s_server.c
+--- openssl-1.0.1/apps/s_server.c.backport 2012-03-14 21:15:04.690896516 +0100
++++ openssl-1.0.1/apps/s_server.c 2012-04-05 19:48:40.474999072 +0200
+@@ -969,17 +969,7 @@ int MAIN(int argc, char *argv[])
+ char *srpuserseed = NULL;
+ char *srp_verifier_file = NULL;
+ #endif
+-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
+ meth=SSLv23_server_method();
+-#elif !defined(OPENSSL_NO_SSL3)
+- meth=SSLv3_server_method();
+-#elif !defined(OPENSSL_NO_SSL2)
+- meth=SSLv2_server_method();
+-#elif !defined(OPENSSL_NO_TLS1)
+- meth=TLSv1_server_method();
+-#else
+- /* #error no SSL version enabled */
+-#endif
+
+ local_argc=argc;
+ local_argv=argv;
+diff -up openssl-1.0.1/crypto/aes/asm/aes-armv4.pl.backport openssl-1.0.1/crypto/aes/asm/aes-armv4.pl
+--- openssl-1.0.1/crypto/aes/asm/aes-armv4.pl.backport 2012-03-14 21:15:04.777898297 +0100
++++ openssl-1.0.1/crypto/aes/asm/aes-armv4.pl 2012-04-05 19:51:35.555528155 +0200
+@@ -408,6 +408,7 @@ _armv4_AES_encrypt:
+ .type private_AES_set_encrypt_key,%function
+ .align 5
+ private_AES_set_encrypt_key:
++_armv4_AES_set_encrypt_key:
+ sub r3,pc,#8 @ AES_set_encrypt_key
+ teq r0,#0
+ moveq r0,#-1
+@@ -425,7 +426,7 @@ private_AES_set_encrypt_key:
+ bne .Labrt
+
+ .Lok: stmdb sp!,{r4-r12,lr}
+- sub $tbl,r3,#private_AES_set_encrypt_key-AES_Te-1024 @ Te4
++ sub $tbl,r3,#_armv4_AES_set_encrypt_key-AES_Te-1024 @ Te4
+
+ mov $rounds,r0 @ inp
+ mov lr,r1 @ bits
+@@ -685,7 +686,7 @@ private_AES_set_encrypt_key:
+ .align 5
+ private_AES_set_decrypt_key:
+ str lr,[sp,#-4]! @ push lr
+- bl private_AES_set_encrypt_key
++ bl _armv4_AES_set_encrypt_key
+ teq r0,#0
+ ldrne lr,[sp],#4 @ pop lr
+ bne .Labrt
+diff -up openssl-1.0.1/crypto/aes/asm/aes-s390x.pl.backport openssl-1.0.1/crypto/aes/asm/aes-s390x.pl
+--- openssl-1.0.1/crypto/aes/asm/aes-s390x.pl.backport 2012-03-14 21:15:04.782898400 +0100
++++ openssl-1.0.1/crypto/aes/asm/aes-s390x.pl 2012-04-05 19:50:41.290593267 +0200
+@@ -783,6 +783,7 @@ $code.=<<___;
+ .type private_AES_set_encrypt_key,\@function
+ .align 16
+ private_AES_set_encrypt_key:
++_s390x_AES_set_encrypt_key:
+ lghi $t0,0
+ cl${g}r $inp,$t0
+ je .Lminus1
+@@ -1068,7 +1069,7 @@ $code.=<<___;
+ private_AES_set_decrypt_key:
+ st${g} $key,4*$SIZE_T($sp) # I rely on AES_set_encrypt_key to
+ st${g} $ra,14*$SIZE_T($sp) # save non-volatile registers!
+- bras $ra,AES_set_encrypt_key
++ bras $ra,_s390x_AES_set_encrypt_key
+ l${g} $key,4*$SIZE_T($sp)
+ l${g} $ra,14*$SIZE_T($sp)
+ ltgr %r2,%r2
+diff -up openssl-1.0.1/crypto/aes/asm/vpaes-x86_64.pl.backport openssl-1.0.1/crypto/aes/asm/vpaes-x86_64.pl
+--- openssl-1.0.1/crypto/aes/asm/vpaes-x86_64.pl.backport 2012-03-14 21:15:04.777898297 +0100
++++ openssl-1.0.1/crypto/aes/asm/vpaes-x86_64.pl 2012-04-05 19:48:22.036603157 +0200
+@@ -263,7 +263,7 @@ _vpaes_decrypt_core:
+ pshufb %xmm2, %xmm4 # 4 = sbou
+ pxor %xmm0, %xmm4 # 4 = sb1u + k
+ movdqa 0x70(%r10), %xmm0 # 0 : sbot
+- movdqa .Lk_sr-.Lk_dsbd(%r11), %xmm2
++ movdqa -0x160(%r11), %xmm2 # .Lk_sr-.Lk_dsbd=-0x160
+ pshufb %xmm3, %xmm0 # 0 = sb1t
+ pxor %xmm4, %xmm0 # 0 = A
+ pshufb %xmm2, %xmm0
+@@ -869,6 +869,8 @@ ${PREFIX}_cbc_encrypt:
+ ___
+ ($len,$key)=($key,$len);
+ $code.=<<___;
++ sub \$16,$len
++ jc .Lcbc_abort
+ ___
+ $code.=<<___ if ($win64);
+ lea -0xb8(%rsp),%rsp
+@@ -887,7 +889,6 @@ ___
+ $code.=<<___;
+ movdqu ($ivp),%xmm6 # load IV
+ sub $inp,$out
+- sub \$16,$len
+ call _vpaes_preheat
+ cmp \$0,${enc}d
+ je .Lcbc_dec_loop
+@@ -932,6 +933,7 @@ $code.=<<___ if ($win64);
+ .Lcbc_epilogue:
+ ___
+ $code.=<<___;
++.Lcbc_abort:
+ ret
+ .size ${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt
+ ___
+diff -up openssl-1.0.1/crypto/aes/asm/vpaes-x86.pl.backport openssl-1.0.1/crypto/aes/asm/vpaes-x86.pl
+--- openssl-1.0.1/crypto/aes/asm/vpaes-x86.pl.backport 2012-03-14 21:15:04.775898257 +0100
++++ openssl-1.0.1/crypto/aes/asm/vpaes-x86.pl 2012-04-05 19:48:22.036603157 +0200
+@@ -843,6 +843,8 @@ $k_dsbo=0x2c0; # decryption sbox final
+ &mov ($out,&wparam(1)); # out
+ &mov ($round,&wparam(2)); # len
+ &mov ($key,&wparam(3)); # key
++ &sub ($round,16);
++ &jc (&label("cbc_abort"));
+ &lea ($base,&DWP(-56,"esp"));
+ &mov ($const,&wparam(4)); # ivp
+ &and ($base,-16);
+@@ -853,7 +855,6 @@ $k_dsbo=0x2c0; # decryption sbox final
+ &mov (&DWP(48,"esp"),$base);
+
+ &mov (&DWP(0,"esp"),$out); # save out
+- &sub ($round,16);
+ &mov (&DWP(4,"esp"),$key) # save key
+ &mov (&DWP(8,"esp"),$const); # save ivp
+ &mov ($out,$round); # $out works as $len
+@@ -896,6 +897,7 @@ $k_dsbo=0x2c0; # decryption sbox final
+ &mov ($base,&DWP(8,"esp")); # restore ivp
+ &mov ("esp",&DWP(48,"esp"));
+ &movdqu (&QWP(0,$base),"xmm1"); # write IV
++&set_label("cbc_abort");
+ &function_end("${PREFIX}_cbc_encrypt");
+
+ &asm_finish();
+diff -up openssl-1.0.1/crypto/evp/p5_crpt.c.backport openssl-1.0.1/crypto/evp/p5_crpt.c
+--- openssl-1.0.1/crypto/evp/p5_crpt.c.backport 2011-06-03 22:52:57.000000000 +0200
++++ openssl-1.0.1/crypto/evp/p5_crpt.c 2012-04-05 19:49:01.512450795 +0200
+@@ -138,5 +138,6 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *c
+ OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
+ rv = 1;
+ err:
++ EVP_MD_CTX_cleanup(&ctx);
+ return rv;
+ }
+diff -up openssl-1.0.1/crypto/pkcs7/pk7_doit.c.backport openssl-1.0.1/crypto/pkcs7/pk7_doit.c
+--- openssl-1.0.1/crypto/pkcs7/pk7_doit.c.backport 2012-03-12 17:27:50.000000000 +0100
++++ openssl-1.0.1/crypto/pkcs7/pk7_doit.c 2012-04-05 19:49:40.591289911 +0200
+@@ -430,6 +430,8 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
+ STACK_OF(X509_ALGOR) *md_sk=NULL;
+ STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
+ PKCS7_RECIP_INFO *ri=NULL;
++ unsigned char *ek = NULL, *tkey = NULL;
++ int eklen = 0, tkeylen = 0;
+
+ i=OBJ_obj2nid(p7->type);
+ p7->state=PKCS7_S_HEADER;
+@@ -507,8 +509,6 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
+ int max;
+ X509_OBJECT ret;
+ #endif
+- unsigned char *ek = NULL, *tkey = NULL;
+- int eklen, tkeylen;
+
+ if ((etmp=BIO_new(BIO_f_cipher())) == NULL)
+ {
+@@ -609,11 +609,13 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
+ {
+ OPENSSL_cleanse(ek,eklen);
+ OPENSSL_free(ek);
++ ek = NULL;
+ }
+ if (tkey)
+ {
+ OPENSSL_cleanse(tkey,tkeylen);
+ OPENSSL_free(tkey);
++ tkey = NULL;
+ }
+
+ if (out == NULL)
+@@ -656,6 +658,16 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
+ if (0)
+ {
+ err:
++ if (ek)
++ {
++ OPENSSL_cleanse(ek,eklen);
++ OPENSSL_free(ek);
++ } ++ if (tkey) ++ { ++ OPENSSL_cleanse(tkey,tkeylen); ++ OPENSSL_free(tkey); ++ } + if (out != NULL) BIO_free_all(out); + if (btmp != NULL) BIO_free_all(btmp); + if (etmp != NULL) BIO_free_all(etmp); +diff -up openssl-1.0.1/ssl/d1_srvr.c.backport openssl-1.0.1/ssl/d1_srvr.c +--- openssl-1.0.1/ssl/d1_srvr.c.backport 2012-03-06 14:24:16.000000000 +0100 ++++ openssl-1.0.1/ssl/d1_srvr.c 2012-04-05 19:47:36.812632091 +0200 +@@ -920,7 +920,7 @@ int dtls1_send_server_hello(SSL *s) + p=s->s3->server_random; + Time=(unsigned long)time(NULL); /* Time */ + l2n(Time,p); +- RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); ++ RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4); + /* Do the message type and length last */ + d=p= &(buf[DTLS1_HM_HEADER_LENGTH]); + diff --git a/openssl-1.0.1-beta3-fips.patch b/openssl-1.0.1-beta3-fips.patch index 5308c04..f2bb340 100644 --- a/openssl-1.0.1-beta3-fips.patch +++ b/openssl-1.0.1-beta3-fips.patch @@ -11341,7 +11341,7 @@ diff -up openssl-1.0.1-beta3/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.1-bet diff -up openssl-1.0.1-beta3/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.1-beta3/crypto/fips/fips_drbg_lib.c --- openssl-1.0.1-beta3/crypto/fips/fips_drbg_lib.c.fips 2012-02-29 10:33:02.794294898 +0100 +++ openssl-1.0.1-beta3/crypto/fips/fips_drbg_lib.c 2012-02-29 10:33:02.794294898 +0100 -@@ -0,0 +1,576 @@ +@@ -0,0 +1,578 @@ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ @@ -11501,6 +11501,8 @@ diff -up openssl-1.0.1-beta3/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.1-beta + return dctx->get_entropy(dctx, pout, entropy, min_len, max_len); + rv = dctx->get_entropy(dctx, &tout, entropy + bl, + min_len + bl, max_len + bl); ++ if (tout == NULL) ++ return 0; + *pout = tout + bl; + if (rv < (min_len + bl) || (rv % bl)) + return 0; diff --git a/openssl.spec b/openssl.spec index e1f17d5..67d5f7a 100644 --- a/openssl.spec +++ b/openssl.spec 
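Review bot: In the d1_srvr.c part of the backport, `RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4)` still discards its return value, so dtls1_send_server_hello carries on with whatever is in `server_random` when the generator fails or reports that its output is not cryptographically strong. Because that value goes into the handshake, the call should be checked and the handshake aborted on failure, for example `if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) return -1;`; the right error return depends on the rest of the function, which lies outside the hunk. The bare `4` is presumably the number of bytes `l2n(Time,p)` has just written, and a comment such as `/* 4 = bytes written by l2n(), not sizeof(Time) */` would keep someone from restoring the `sizeof` form.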
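Review bot: The added `if (tout == NULL) return 0;` in the fips_drbg_lib.c hunk is only dependable if `tout` is NULL before `dctx->get_entropy(...)` is called; its declaration is outside the hunk, and if it is uninitialized, a callback that fails without writing through `&tout` leaves the check reading an indeterminate pointer. Initializing it where it is declared, `unsigned char *tout = NULL;`, closes that gap. The early return also leaves `*pout` unwritten, so a caller that later passes it to an entropy cleanup routine may act on a stale value; putting `*pout = NULL;` before the `return 0;` makes the failure state explicit. Whether any caller does that cannot be confirmed from the lines shown.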
@@ -21,7 +21,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.0.1 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -64,6 +64,7 @@ Patch63: openssl-1.0.0d-xmpp-starttls.patch Patch65: openssl-1.0.0e-chil-fixes.patch # Backported fixes including security fixes Patch81: openssl-1.0.1-beta2-padlock64.patch +Patch82: openssl-1.0.1-backport.patch License: OpenSSL Group: System Environment/Libraries @@ -161,6 +162,7 @@ from other formats to the formats used by the OpenSSL toolkit. %patch65 -p1 -b .chil %patch81 -p1 -b .padlock64 +%patch82 -p1 -b .backport # Modify the various perl scripts to reference perl in the right location. perl util/perlpath.pl `dirname %{__perl}` @@ -415,6 +417,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun libs -p /sbin/ldconfig %changelog +* Thu Apr 5 2012 Tomas Mraz 1.0.1-2 +- backports from upstream CVS +- fix segfault when /dev/urandom is not available (#809586) + * Wed Mar 14 2012 Tomas Mraz 1.0.1-1 - new upstream release