- fix non-fips mingw build (patch by Kalev Lember)

- add IPV6 fix for DTLS

openssl-1.0.0-beta4-dtls-ipv6.patch

@@ -0,0 +1,219 @@
+diff -up openssl-1.0.0-beta4/crypto/bio/b_sock.c.dtls-ipv6 openssl-1.0.0-beta4/crypto/bio/b_sock.c
+--- openssl-1.0.0-beta4/crypto/bio/b_sock.c.dtls-ipv6	2009-11-09 15:09:53.000000000 +0100
++++ openssl-1.0.0-beta4/crypto/bio/b_sock.c	2009-11-23 08:50:45.000000000 +0100
+@@ -822,7 +822,8 @@ int BIO_accept(int sock, char **addr)
+ 	if (sizeof(sa.len.i)!=sizeof(sa.len.s) && sa.len.i==0)
+ 		{
+ 		OPENSSL_assert(sa.len.s<=sizeof(sa.from));
+-		sa.len.i = (unsigned int)sa.len.s;
++		sa.len.i = (int)sa.len.s;
++		/* use sa.len.i from this point */
+ 		}
+ 	if (ret == INVALID_SOCKET)
+ 		{
+diff -up openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.dtls-ipv6 openssl-1.0.0-beta4/crypto/bio/bss_dgram.c
+--- openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.dtls-ipv6	2009-10-15 19:41:44.000000000 +0200
++++ openssl-1.0.0-beta4/crypto/bio/bss_dgram.c	2009-11-23 08:50:45.000000000 +0100
+@@ -108,11 +108,13 @@ static BIO_METHOD methods_dgramp=
+ 
+ typedef struct bio_dgram_data_st
+ 	{
++	union {
++		struct sockaddr sa;
++		struct sockaddr_in sa_in;
+ #if OPENSSL_USE_IPV6
+-	struct sockaddr_storage peer;
+-#else
+-	struct sockaddr_in peer;
++		struct sockaddr_in6 sa_in6;
+ #endif
++	} peer;
+ 	unsigned int connected;
+ 	unsigned int _errno;
+ 	unsigned int mtu;
+@@ -278,28 +280,38 @@ static int dgram_read(BIO *b, char *out,
+ 	int ret=0;
+ 	bio_dgram_data *data = (bio_dgram_data *)b->ptr;
+ 
++	struct	{
++	/*
++	 * See commentary in b_sock.c. <appro>
++	 */
++	union	{ size_t s; int i; } len;
++	union	{
++		struct sockaddr sa;
++		struct sockaddr_in sa_in;
+ #if OPENSSL_USE_IPV6
+-	struct sockaddr_storage peer;
+-#else
+-	struct sockaddr_in peer;
++		struct sockaddr_in6 sa_in6;
+ #endif
+-	int peerlen = sizeof(peer);
++		} peer;
++	} sa;
++
++	sa.len.s=0;
++	sa.len.i=sizeof(sa.peer);
+ 
+ 	if (out != NULL)
+ 		{
+ 		clear_socket_error();
+-		memset(&peer, 0x00, peerlen);
+-		/* Last arg in recvfrom is signed on some platforms and
+-		 * unsigned on others. It is of type socklen_t on some
+-		 * but this is not universal. Cast to (void *) to avoid
+-		 * compiler warnings.
+-		 */
++		memset(&sa.peer, 0x00, sizeof(sa.peer));
+ 		dgram_adjust_rcv_timeout(b);
+-		ret=recvfrom(b->num,out,outl,0,(struct sockaddr *)&peer,(void *)&peerlen);
++		ret=recvfrom(b->num,out,outl,0,&sa.peer.sa,(void *)&sa.len);
++		if (sizeof(sa.len.i)!=sizeof(sa.len.s) && sa.len.i==0)
++			{
++			OPENSSL_assert(sa.len.s<=sizeof(sa.peer));
++			sa.len.i = (int)sa.len.s;
++			}
+ 		dgram_reset_rcv_timeout(b);
+ 
+ 		if ( ! data->connected  && ret >= 0)
+-			BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &peer);
++			BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &sa.peer);
+ 
+ 		BIO_clear_retry_flags(b);
+ 		if (ret < 0)
+@@ -323,25 +335,10 @@ static int dgram_write(BIO *b, const cha
+ 	if ( data->connected )
+ 		ret=writesocket(b->num,in,inl);
+ 	else
+-#if OPENSSL_USE_IPV6
+-		if (data->peer.ss_family == AF_INET)
+ #if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK)
+-			ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in));
++		ret=sendto(b->num, (char *)in, inl, 0, &data->peer.sa, sizeof(data->peer));
+ #else
+-			ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in));
+-#endif
+-		else
+-#if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK)
+-			ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in6));
+-#else
+-			ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in6));
+-#endif
+-#else
+-#if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK)
+-		ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in));
+-#else
+-		ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in));
+-#endif
++		ret=sendto(b->num, in, inl, 0, &data->peer.sa, sizeof(data->peer));
+ #endif
+ 
+ 	BIO_clear_retry_flags(b);
+@@ -428,11 +425,20 @@ static long dgram_ctrl(BIO *b, int cmd, 
+ 		else
+ 			{
+ #endif
++			switch (to->sa_family)
++				{
++				case AF_INET:
++					memcpy(&data->peer,to,sizeof(data->peer.sa_in));
++					break;
+ #if OPENSSL_USE_IPV6
+-			memcpy(&(data->peer),to, sizeof(struct sockaddr_storage));
+-#else
+-			memcpy(&(data->peer),to, sizeof(struct sockaddr_in));
+-#endif
++				case AF_INET6:
++					memcpy(&data->peer,to,sizeof(data->peer.sa_in6));
++					break;
++#endif
++				default:
++					memcpy(&data->peer,to,sizeof(data->peer.sa));
++					break;
++				}
+ #if 0
+ 			}
+ #endif
+@@ -537,41 +543,60 @@ static long dgram_ctrl(BIO *b, int cmd, 
+ 		if ( to != NULL)
+ 			{
+ 			data->connected = 1;
++			switch (to->sa_family)
++				{
++				case AF_INET:
++					memcpy(&data->peer,to,sizeof(data->peer.sa_in));
++					break;
+ #if OPENSSL_USE_IPV6
+-			memcpy(&(data->peer),to, sizeof(struct sockaddr_storage));
+-#else
+-			memcpy(&(data->peer),to, sizeof(struct sockaddr_in));
+-#endif
++				case AF_INET6:
++					memcpy(&data->peer,to,sizeof(data->peer.sa_in6));
++					break;
++#endif
++				default:
++					memcpy(&data->peer,to,sizeof(data->peer.sa));
++					break;
++				}
+ 			}
+ 		else
+ 			{
+ 			data->connected = 0;
+-#if OPENSSL_USE_IPV6
+-			memset(&(data->peer), 0x00, sizeof(struct sockaddr_storage));
+-#else
+-			memset(&(data->peer), 0x00, sizeof(struct sockaddr_in));
+-#endif
++			memset(&(data->peer), 0x00, sizeof(data->peer));
+ 			}
+ 		break;
+ 	case BIO_CTRL_DGRAM_GET_PEER:
+ 		to = (struct sockaddr *) ptr;
+-
++		switch (to->sa_family)
++			{
++			case AF_INET:
++				memcpy(to,&data->peer,(ret=sizeof(data->peer.sa_in)));
++				break;
+ #if OPENSSL_USE_IPV6
+-		memcpy(to, &(data->peer), sizeof(struct sockaddr_storage));
+-		ret = sizeof(struct sockaddr_storage);
+-#else
+-		memcpy(to, &(data->peer), sizeof(struct sockaddr_in));
+-		ret = sizeof(struct sockaddr_in);
+-#endif
++			case AF_INET6:
++				memcpy(to,&data->peer,(ret=sizeof(data->peer.sa_in6)));
++				break;
++#endif
++			default:
++				memcpy(to,&data->peer,(ret=sizeof(data->peer.sa)));
++				break;
++			}
+ 		break;
+ 	case BIO_CTRL_DGRAM_SET_PEER:
+ 		to = (struct sockaddr *) ptr;
+-
++		switch (to->sa_family)
++			{
++			case AF_INET:
++				memcpy(&data->peer,to,sizeof(data->peer.sa_in));
++				break;
+ #if OPENSSL_USE_IPV6
+-		memcpy(&(data->peer), to, sizeof(struct sockaddr_storage));
+-#else
+-		memcpy(&(data->peer), to, sizeof(struct sockaddr_in));
+-#endif
++			case AF_INET6:
++				memcpy(&data->peer,to,sizeof(data->peer.sa_in6));
++				break;
++#endif
++			default:
++				memcpy(&data->peer,to,sizeof(data->peer.sa));
++				break;
++			}
+ 		break;
+ 	case BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT:
+ 		memcpy(&(data->next_timeout), ptr, sizeof(struct timeval));

openssl-1.0.0-beta4-reneg-err.patch

@@ -0,0 +1,93 @@
+Better error reporting for unsafe renegotiation.
+diff -up openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err openssl-1.0.0-beta4/ssl/ssl_err.c
+--- openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err	2009-11-09 19:45:42.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/ssl_err.c	2009-11-20 17:56:57.000000000 +0100
+@@ -226,7 +226,9 @@ static ERR_STRING_DATA SSL_str_functs[]=
+ {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE),	"SSL_load_client_CA_file"},
+ {ERR_FUNC(SSL_F_SSL_NEW),	"SSL_new"},
+ {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT),	"SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"},
++{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT),	"SSL_PARSE_CLIENTHELLO_TLSEXT"},
+ {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT),	"SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"},
++{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT),	"SSL_PARSE_SERVERHELLO_TLSEXT"},
+ {ERR_FUNC(SSL_F_SSL_PEEK),	"SSL_peek"},
+ {ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT),	"SSL_PREPARE_CLIENTHELLO_TLSEXT"},
+ {ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT),	"SSL_PREPARE_SERVERHELLO_TLSEXT"},
+@@ -526,6 +528,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
+ {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
+ {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION)   ,"unknown ssl version"},
+ {ERR_REASON(SSL_R_UNKNOWN_STATE)         ,"unknown state"},
++{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"},
+ {ERR_REASON(SSL_R_UNSUPPORTED_CIPHER)    ,"unsupported cipher"},
+ {ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
+ {ERR_REASON(SSL_R_UNSUPPORTED_DIGEST_TYPE),"unsupported digest type"},
+diff -up openssl-1.0.0-beta4/ssl/ssl.h.reneg-err openssl-1.0.0-beta4/ssl/ssl.h
+--- openssl-1.0.0-beta4/ssl/ssl.h.reneg-err	2009-11-12 15:17:29.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/ssl.h	2009-11-20 17:56:57.000000000 +0100
+@@ -1934,7 +1934,9 @@ void ERR_load_SSL_strings(void);
+ #define SSL_F_SSL_LOAD_CLIENT_CA_FILE			 185
+ #define SSL_F_SSL_NEW					 186
+ #define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT	 300
++#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT		 302
+ #define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT	 301
++#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT		 303
+ #define SSL_F_SSL_PEEK					 270
+ #define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT		 281
+ #define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT		 282
+@@ -2231,6 +2233,7 @@ void ERR_load_SSL_strings(void);
+ #define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE			 253
+ #define SSL_R_UNKNOWN_SSL_VERSION			 254
+ #define SSL_R_UNKNOWN_STATE				 255
++#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED	 338
+ #define SSL_R_UNSUPPORTED_CIPHER			 256
+ #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM		 257
+ #define SSL_R_UNSUPPORTED_DIGEST_TYPE			 326
+diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err openssl-1.0.0-beta4/ssl/s23_srvr.c
+--- openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err	2009-11-12 15:17:29.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/s23_srvr.c	2009-11-20 17:57:23.000000000 +0100
+@@ -497,6 +497,11 @@ int ssl23_get_client_hello(SSL *s)
+ 		SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
+ 		goto err;
+ #else
++		if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
++			{
++			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
++			goto err;
++			}
+ 		/* we are talking sslv2 */
+ 		/* we need to clean up the SSLv3/TLSv1 setup and put in the
+ 		 * sslv2 stuff. */
+diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err openssl-1.0.0-beta4/ssl/t1_lib.c
+--- openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err	2009-11-18 14:04:19.000000000 +0100
++++ openssl-1.0.0-beta4/ssl/t1_lib.c	2009-11-20 17:56:57.000000000 +0100
+@@ -636,6 +636,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+ 			{
+ 			/* We should always see one extension: the renegotiate extension */
+ 			*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
++			SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+ 			return 0;
+ 			}
+ 		return 1;
+@@ -965,6 +966,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+  	if (s->new_session && !renegotiate_seen
+  		&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+  		{
++		SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+  		*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+  		return 0;
+  		}
+@@ -993,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ 			{
+ 			/* We should always see one extension: the renegotiate extension */
+ 			*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
++			SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+ 			return 0;
+ 			}
+ #endif
+@@ -1133,6 +1136,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ 		&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ 		{
+ 		*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
++		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+ 		return 0;
+ 		}
+ #endif

openssl.spec

@@ -23,7 +23,7 @@
 Summary: A general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.0
-Release: 0.13.%{beta}%{?dist}
+Release: 0.16.%{beta}%{?dist}
 # We remove certain patented algorithms from the openssl source tarball
 # with the hobble-openssl script which is included below.
 Source: openssl-%{version}-%{beta}-usa.tar.bz2
@@ -66,6 +66,8 @@ Patch60: openssl-1.0.0-beta4-reneg.patch
 # This one is not backported but has to be applied after reneg patch
 Patch61: openssl-1.0.0-beta4-client-reneg.patch
 Patch62: openssl-1.0.0-beta4-backports.patch
+Patch63: openssl-1.0.0-beta4-reneg-err.patch
+Patch64: openssl-1.0.0-beta4-dtls-ipv6.patch
 
 License: OpenSSL
 Group: System Environment/Libraries
@@ -148,6 +150,8 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch60 -p1 -b .reneg
 %patch61 -p1 -b .client-reneg
 %patch62 -p1 -b .backports
+%patch63 -p1 -b .reneg-err
+%patch64 -p1 -b .dtls-ipv6
 
 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`
@@ -181,7 +185,7 @@ sslarch=linux-alpha-gcc
 sslarch="linux-generic32 -DB_ENDIAN"
 %endif
 %ifarch s390x
-sslarch="linux-generic64 -DB_ENDIAN"
+sslarch="linux-s390x"
 %endif
 %ifarch %{arm} sh3 sh4
 sslarch=linux-generic32
@@ -396,6 +400,16 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun -p /sbin/ldconfig
 
 %changelog
+* Mon Nov 23 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.16.beta4
+- fix non-fips mingw build (patch by Kalev Lember)
+- add IPV6 fix for DTLS
+
+* Fri Nov 20 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.15.beta4
+- add better error reporting for the unsafe renegotiation
+
+* Fri Nov 20 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.14.beta4
+- fix build on s390x
+
 * Wed Nov 18 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.13.beta4
 - disable enforcement of the renegotiation extension on the client (#537962)
 - add fixes from the current upstream snapshot