- fix non-fips mingw build (patch by Kalev Lember)

- add IPV6 fix for DTLS
2009-12-15 18:12:29 +00:00 · 2009-12-15 18:12:29 +00:00 · e8799f082e
commit e8799f082e
parent 30ef066514
3 changed files with 328 additions and 2 deletions
--- a/openssl-1.0.0-beta4-dtls-ipv6.patch
+++ b/openssl-1.0.0-beta4-dtls-ipv6.patch
@ -0,0 +1,219 @@
+diff -up openssl-1.0.0-beta4/crypto/bio/b_sock.c.dtls-ipv6 openssl-1.0.0-beta4/crypto/bio/b_sock.c
+--- openssl-1.0.0-beta4/crypto/bio/b_sock.c.dtls-ipv6	2009-11-09 15:09:53.000000000 +0100
+++ openssl-1.0.0-beta4/crypto/bio/b_sock.c	2009-11-23 08:50:45.000000000 +0100
+@@ -822,7 +822,8 @@ int BIO_accept(int sock, char **addr)
+ 	if (sizeof(sa.len.i)!=sizeof(sa.len.s) && sa.len.i==0)
+ 		{
+ 		OPENSSL_assert(sa.len.s<=sizeof(sa.from));
+-		sa.len.i = (unsigned int)sa.len.s;
+		sa.len.i = (int)sa.len.s;
+		/* use sa.len.i from this point */
+ 		}
+ 	if (ret == INVALID_SOCKET)
+ 		{
+diff -up openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.dtls-ipv6 openssl-1.0.0-beta4/crypto/bio/bss_dgram.c
+--- openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.dtls-ipv6	2009-10-15 19:41:44.000000000 +0200
+++ openssl-1.0.0-beta4/crypto/bio/bss_dgram.c	2009-11-23 08:50:45.000000000 +0100
+@@ -108,11 +108,13 @@ static BIO_METHOD methods_dgramp=
+ 
+ typedef struct bio_dgram_data_st
+ 	{
+	union {
+		struct sockaddr sa;
+		struct sockaddr_in sa_in;
+ #if OPENSSL_USE_IPV6
+-	struct sockaddr_storage peer;
+-#else
+-	struct sockaddr_in peer;
+		struct sockaddr_in6 sa_in6;
+ #endif
+	} peer;
+ 	unsigned int connected;
+ 	unsigned int _errno;
+ 	unsigned int mtu;
+@@ -278,28 +280,38 @@ static int dgram_read(BIO *b, char *out,
+ 	int ret=0;
+ 	bio_dgram_data *data = (bio_dgram_data *)b->ptr;
+ 
+	struct	{
+	/*
+	 * See commentary in b_sock.c. <appro>
+	 */
+	union	{ size_t s; int i; } len;
+	union	{
+		struct sockaddr sa;
+		struct sockaddr_in sa_in;
+ #if OPENSSL_USE_IPV6
+-	struct sockaddr_storage peer;
+-#else
+-	struct sockaddr_in peer;
+		struct sockaddr_in6 sa_in6;
+ #endif
+-	int peerlen = sizeof(peer);
+		} peer;
+	} sa;
+
+	sa.len.s=0;
+	sa.len.i=sizeof(sa.peer);
+ 
+ 	if (out != NULL)
+ 		{
+ 		clear_socket_error();
+-		memset(&peer, 0x00, peerlen);
+-		/* Last arg in recvfrom is signed on some platforms and
+-		 * unsigned on others. It is of type socklen_t on some
+-		 * but this is not universal. Cast to (void *) to avoid
+-		 * compiler warnings.
+-		 */
+		memset(&sa.peer, 0x00, sizeof(sa.peer));
+ 		dgram_adjust_rcv_timeout(b);
+-		ret=recvfrom(b->num,out,outl,0,(struct sockaddr *)&peer,(void *)&peerlen);
+		ret=recvfrom(b->num,out,outl,0,&sa.peer.sa,(void *)&sa.len);
+		if (sizeof(sa.len.i)!=sizeof(sa.len.s) && sa.len.i==0)
+			{
+			OPENSSL_assert(sa.len.s<=sizeof(sa.peer));
+			sa.len.i = (int)sa.len.s;
+			}
+ 		dgram_reset_rcv_timeout(b);
+ 
+ 		if ( ! data->connected  && ret >= 0)
+-			BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &peer);
+			BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &sa.peer);
+ 
+ 		BIO_clear_retry_flags(b);
+ 		if (ret < 0)
+@@ -323,25 +335,10 @@ static int dgram_write(BIO *b, const cha
+ 	if ( data->connected )
+ 		ret=writesocket(b->num,in,inl);
+ 	else
+-#if OPENSSL_USE_IPV6
+-		if (data->peer.ss_family == AF_INET)
+ #if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK)
+-			ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in));
+		ret=sendto(b->num, (char *)in, inl, 0, &data->peer.sa, sizeof(data->peer));
+ #else
+-			ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in));
+-#endif
+-		else
+-#if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK)
+-			ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in6));
+-#else
+-			ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in6));
+-#endif
+-#else
+-#if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK)
+-		ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in));
+-#else
+-		ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in));
+-#endif
+		ret=sendto(b->num, in, inl, 0, &data->peer.sa, sizeof(data->peer));
+ #endif
+ 
+ 	BIO_clear_retry_flags(b);
+@@ -428,11 +425,20 @@ static long dgram_ctrl(BIO *b, int cmd, 
+ 		else
+ 			{
+ #endif
+			switch (to->sa_family)
+				{
+				case AF_INET:
+					memcpy(&data->peer,to,sizeof(data->peer.sa_in));
+					break;
+ #if OPENSSL_USE_IPV6
+-			memcpy(&(data->peer),to, sizeof(struct sockaddr_storage));
+-#else
+-			memcpy(&(data->peer),to, sizeof(struct sockaddr_in));
+-#endif
+				case AF_INET6:
+					memcpy(&data->peer,to,sizeof(data->peer.sa_in6));
+					break;
+#endif
+				default:
+					memcpy(&data->peer,to,sizeof(data->peer.sa));
+					break;
+				}
+ #if 0
+ 			}
+ #endif
+@@ -537,41 +543,60 @@ static long dgram_ctrl(BIO *b, int cmd, 
+ 		if ( to != NULL)
+ 			{
+ 			data->connected = 1;
+			switch (to->sa_family)
+				{
+				case AF_INET:
+					memcpy(&data->peer,to,sizeof(data->peer.sa_in));
+					break;
+ #if OPENSSL_USE_IPV6
+-			memcpy(&(data->peer),to, sizeof(struct sockaddr_storage));
+-#else
+-			memcpy(&(data->peer),to, sizeof(struct sockaddr_in));
+-#endif
+				case AF_INET6:
+					memcpy(&data->peer,to,sizeof(data->peer.sa_in6));
+					break;
+#endif
+				default:
+					memcpy(&data->peer,to,sizeof(data->peer.sa));
+					break;
+				}
+ 			}
+ 		else
+ 			{
+ 			data->connected = 0;
+-#if OPENSSL_USE_IPV6
+-			memset(&(data->peer), 0x00, sizeof(struct sockaddr_storage));
+-#else
+-			memset(&(data->peer), 0x00, sizeof(struct sockaddr_in));
+-#endif
+			memset(&(data->peer), 0x00, sizeof(data->peer));
+ 			}
+ 		break;
+ 	case BIO_CTRL_DGRAM_GET_PEER:
+ 		to = (struct sockaddr *) ptr;
+-
+		switch (to->sa_family)
+			{
+			case AF_INET:
+				memcpy(to,&data->peer,(ret=sizeof(data->peer.sa_in)));
+				break;
+ #if OPENSSL_USE_IPV6
+-		memcpy(to, &(data->peer), sizeof(struct sockaddr_storage));
+-		ret = sizeof(struct sockaddr_storage);
+-#else
+-		memcpy(to, &(data->peer), sizeof(struct sockaddr_in));
+-		ret = sizeof(struct sockaddr_in);
+-#endif
+			case AF_INET6:
+				memcpy(to,&data->peer,(ret=sizeof(data->peer.sa_in6)));
+				break;
+#endif
+			default:
+				memcpy(to,&data->peer,(ret=sizeof(data->peer.sa)));
+				break;
+			}
+ 		break;
+ 	case BIO_CTRL_DGRAM_SET_PEER:
+ 		to = (struct sockaddr *) ptr;
+-
+		switch (to->sa_family)
+			{
+			case AF_INET:
+				memcpy(&data->peer,to,sizeof(data->peer.sa_in));
+				break;
+ #if OPENSSL_USE_IPV6
+-		memcpy(&(data->peer), to, sizeof(struct sockaddr_storage));
+-#else
+-		memcpy(&(data->peer), to, sizeof(struct sockaddr_in));
+-#endif
+			case AF_INET6:
+				memcpy(&data->peer,to,sizeof(data->peer.sa_in6));
+				break;
+#endif
+			default:
+				memcpy(&data->peer,to,sizeof(data->peer.sa));
+				break;
+			}
+ 		break;
+ 	case BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT:
+ 		memcpy(&(data->next_timeout), ptr, sizeof(struct timeval));
--- a/openssl-1.0.0-beta4-reneg-err.patch
+++ b/openssl-1.0.0-beta4-reneg-err.patch
@ -0,0 +1,93 @@
+Better error reporting for unsafe renegotiation.
+diff -up openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err openssl-1.0.0-beta4/ssl/ssl_err.c
+--- openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err	2009-11-09 19:45:42.000000000 +0100
+++ openssl-1.0.0-beta4/ssl/ssl_err.c	2009-11-20 17:56:57.000000000 +0100
+@@ -226,7 +226,9 @@ static ERR_STRING_DATA SSL_str_functs[]=
+ {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE),	"SSL_load_client_CA_file"},
+ {ERR_FUNC(SSL_F_SSL_NEW),	"SSL_new"},
+ {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT),	"SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"},
+{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT),	"SSL_PARSE_CLIENTHELLO_TLSEXT"},
+ {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT),	"SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"},
+{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT),	"SSL_PARSE_SERVERHELLO_TLSEXT"},
+ {ERR_FUNC(SSL_F_SSL_PEEK),	"SSL_peek"},
+ {ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT),	"SSL_PREPARE_CLIENTHELLO_TLSEXT"},
+ {ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT),	"SSL_PREPARE_SERVERHELLO_TLSEXT"},
+@@ -526,6 +528,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
+ {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
+ {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION)   ,"unknown ssl version"},
+ {ERR_REASON(SSL_R_UNKNOWN_STATE)         ,"unknown state"},
+{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"},
+ {ERR_REASON(SSL_R_UNSUPPORTED_CIPHER)    ,"unsupported cipher"},
+ {ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
+ {ERR_REASON(SSL_R_UNSUPPORTED_DIGEST_TYPE),"unsupported digest type"},
+diff -up openssl-1.0.0-beta4/ssl/ssl.h.reneg-err openssl-1.0.0-beta4/ssl/ssl.h
+--- openssl-1.0.0-beta4/ssl/ssl.h.reneg-err	2009-11-12 15:17:29.000000000 +0100
+++ openssl-1.0.0-beta4/ssl/ssl.h	2009-11-20 17:56:57.000000000 +0100
+@@ -1934,7 +1934,9 @@ void ERR_load_SSL_strings(void);
+ #define SSL_F_SSL_LOAD_CLIENT_CA_FILE			 185
+ #define SSL_F_SSL_NEW					 186
+ #define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT	 300
+#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT		 302
+ #define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT	 301
+#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT		 303
+ #define SSL_F_SSL_PEEK					 270
+ #define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT		 281
+ #define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT		 282
+@@ -2231,6 +2233,7 @@ void ERR_load_SSL_strings(void);
+ #define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE			 253
+ #define SSL_R_UNKNOWN_SSL_VERSION			 254
+ #define SSL_R_UNKNOWN_STATE				 255
+#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED	 338
+ #define SSL_R_UNSUPPORTED_CIPHER			 256
+ #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM		 257
+ #define SSL_R_UNSUPPORTED_DIGEST_TYPE			 326
+diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err openssl-1.0.0-beta4/ssl/s23_srvr.c
+--- openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err	2009-11-12 15:17:29.000000000 +0100
+++ openssl-1.0.0-beta4/ssl/s23_srvr.c	2009-11-20 17:57:23.000000000 +0100
+@@ -497,6 +497,11 @@ int ssl23_get_client_hello(SSL *s)
+ 		SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
+ 		goto err;
+ #else
+		if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+			{
+			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+			goto err;
+			}
+ 		/* we are talking sslv2 */
+ 		/* we need to clean up the SSLv3/TLSv1 setup and put in the
+ 		 * sslv2 stuff. */
+diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err openssl-1.0.0-beta4/ssl/t1_lib.c
+--- openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err	2009-11-18 14:04:19.000000000 +0100
+++ openssl-1.0.0-beta4/ssl/t1_lib.c	2009-11-20 17:56:57.000000000 +0100
+@@ -636,6 +636,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+ 			{
+ 			/* We should always see one extension: the renegotiate extension */
+ 			*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+			SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+ 			return 0;
+ 			}
+ 		return 1;
+@@ -965,6 +966,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+  	if (s->new_session && !renegotiate_seen
+  		&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+  		{
+		SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+  		*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+  		return 0;
+  		}
+@@ -993,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ 			{
+ 			/* We should always see one extension: the renegotiate extension */
+ 			*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+			SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+ 			return 0;
+ 			}
+ #endif
+@@ -1133,6 +1136,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ 		&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ 		{
+ 		*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+		SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+ 		return 0;
+ 		}
+ #endif
--- a/openssl.spec
+++ b/openssl.spec
@ -23,7 +23,7 @@
 Summary: A general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.0
-Release: 0.13.%{beta}%{?dist}
+Release: 0.16.%{beta}%{?dist}
 # We remove certain patented algorithms from the openssl source tarball
 # with the hobble-openssl script which is included below.
 Source: openssl-%{version}-%{beta}-usa.tar.bz2
@ -66,6 +66,8 @@ Patch60: openssl-1.0.0-beta4-reneg.patch
 # This one is not backported but has to be applied after reneg patch
 Patch61: openssl-1.0.0-beta4-client-reneg.patch
 Patch62: openssl-1.0.0-beta4-backports.patch
+Patch63: openssl-1.0.0-beta4-reneg-err.patch
+Patch64: openssl-1.0.0-beta4-dtls-ipv6.patch

 License: OpenSSL
 Group: System Environment/Libraries
@ -148,6 +150,8 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch60 -p1 -b .reneg
 %patch61 -p1 -b .client-reneg
 %patch62 -p1 -b .backports
+%patch63 -p1 -b .reneg-err
+%patch64 -p1 -b .dtls-ipv6

 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`
@ -181,7 +185,7 @@ sslarch=linux-alpha-gcc
 sslarch="linux-generic32 -DB_ENDIAN"
 %endif
 %ifarch s390x
-sslarch="linux-generic64 -DB_ENDIAN"
+sslarch="linux-s390x"
 %endif
 %ifarch %{arm} sh3 sh4
 sslarch=linux-generic32
@ -396,6 +400,16 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun -p /sbin/ldconfig

 %changelog
+* Mon Nov 23 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.16.beta4
+- fix non-fips mingw build (patch by Kalev Lember)
+- add IPV6 fix for DTLS
+
+* Fri Nov 20 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.15.beta4
+- add better error reporting for the unsafe renegotiation
+
+* Fri Nov 20 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.14.beta4
+- fix build on s390x
+
 * Wed Nov 18 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.13.beta4
 - disable enforcement of the renegotiation extension on the client (#537962)
 - add fixes from the current upstream snapshot