new upstream version fixing CVE-2012-2110
This commit is contained in:
parent
d46b44c249
commit
e8c18345a4
1
.gitignore
vendored
1
.gitignore
vendored
@ -8,3 +8,4 @@ openssl-1.0.0a-usa.tar.bz2
|
|||||||
/openssl-1.0.1-beta2-usa.tar.xz
|
/openssl-1.0.1-beta2-usa.tar.xz
|
||||||
/openssl-1.0.1-beta3-usa.tar.xz
|
/openssl-1.0.1-beta3-usa.tar.xz
|
||||||
/openssl-1.0.1-usa.tar.xz
|
/openssl-1.0.1-usa.tar.xz
|
||||||
|
/openssl-1.0.1a-usa.tar.xz
|
||||||
|
@ -1,226 +0,0 @@
|
|||||||
diff -up openssl-1.0.1/apps/s_client.c.backport openssl-1.0.1/apps/s_client.c
|
|
||||||
--- openssl-1.0.1/apps/s_client.c.backport 2012-03-14 21:15:04.736897459 +0100
|
|
||||||
+++ openssl-1.0.1/apps/s_client.c 2012-04-05 19:48:40.469998965 +0200
|
|
||||||
@@ -622,13 +622,7 @@ int MAIN(int argc, char **argv)
|
|
||||||
SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
|
|
||||||
meth=SSLv23_client_method();
|
|
||||||
-#elif !defined(OPENSSL_NO_SSL3)
|
|
||||||
- meth=SSLv3_client_method();
|
|
||||||
-#elif !defined(OPENSSL_NO_SSL2)
|
|
||||||
- meth=SSLv2_client_method();
|
|
||||||
-#endif
|
|
||||||
|
|
||||||
apps_startup();
|
|
||||||
c_Pause=0;
|
|
||||||
diff -up openssl-1.0.1/apps/s_server.c.backport openssl-1.0.1/apps/s_server.c
|
|
||||||
--- openssl-1.0.1/apps/s_server.c.backport 2012-03-14 21:15:04.690896516 +0100
|
|
||||||
+++ openssl-1.0.1/apps/s_server.c 2012-04-05 19:48:40.474999072 +0200
|
|
||||||
@@ -969,17 +969,7 @@ int MAIN(int argc, char *argv[])
|
|
||||||
char *srpuserseed = NULL;
|
|
||||||
char *srp_verifier_file = NULL;
|
|
||||||
#endif
|
|
||||||
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
|
|
||||||
meth=SSLv23_server_method();
|
|
||||||
-#elif !defined(OPENSSL_NO_SSL3)
|
|
||||||
- meth=SSLv3_server_method();
|
|
||||||
-#elif !defined(OPENSSL_NO_SSL2)
|
|
||||||
- meth=SSLv2_server_method();
|
|
||||||
-#elif !defined(OPENSSL_NO_TLS1)
|
|
||||||
- meth=TLSv1_server_method();
|
|
||||||
-#else
|
|
||||||
- /* #error no SSL version enabled */
|
|
||||||
-#endif
|
|
||||||
|
|
||||||
local_argc=argc;
|
|
||||||
local_argv=argv;
|
|
||||||
diff -up openssl-1.0.1/crypto/aes/asm/aes-armv4.pl.backport openssl-1.0.1/crypto/aes/asm/aes-armv4.pl
|
|
||||||
--- openssl-1.0.1/crypto/aes/asm/aes-armv4.pl.backport 2012-03-14 21:15:04.777898297 +0100
|
|
||||||
+++ openssl-1.0.1/crypto/aes/asm/aes-armv4.pl 2012-04-05 19:51:35.555528155 +0200
|
|
||||||
@@ -408,6 +408,7 @@ _armv4_AES_encrypt:
|
|
||||||
.type private_AES_set_encrypt_key,%function
|
|
||||||
.align 5
|
|
||||||
private_AES_set_encrypt_key:
|
|
||||||
+_armv4_AES_set_encrypt_key:
|
|
||||||
sub r3,pc,#8 @ AES_set_encrypt_key
|
|
||||||
teq r0,#0
|
|
||||||
moveq r0,#-1
|
|
||||||
@@ -425,7 +426,7 @@ private_AES_set_encrypt_key:
|
|
||||||
bne .Labrt
|
|
||||||
|
|
||||||
.Lok: stmdb sp!,{r4-r12,lr}
|
|
||||||
- sub $tbl,r3,#private_AES_set_encrypt_key-AES_Te-1024 @ Te4
|
|
||||||
+ sub $tbl,r3,#_armv4_AES_set_encrypt_key-AES_Te-1024 @ Te4
|
|
||||||
|
|
||||||
mov $rounds,r0 @ inp
|
|
||||||
mov lr,r1 @ bits
|
|
||||||
@@ -685,7 +686,7 @@ private_AES_set_encrypt_key:
|
|
||||||
.align 5
|
|
||||||
private_AES_set_decrypt_key:
|
|
||||||
str lr,[sp,#-4]! @ push lr
|
|
||||||
- bl private_AES_set_encrypt_key
|
|
||||||
+ bl _armv4_AES_set_encrypt_key
|
|
||||||
teq r0,#0
|
|
||||||
ldrne lr,[sp],#4 @ pop lr
|
|
||||||
bne .Labrt
|
|
||||||
diff -up openssl-1.0.1/crypto/aes/asm/aes-s390x.pl.backport openssl-1.0.1/crypto/aes/asm/aes-s390x.pl
|
|
||||||
--- openssl-1.0.1/crypto/aes/asm/aes-s390x.pl.backport 2012-03-14 21:15:04.782898400 +0100
|
|
||||||
+++ openssl-1.0.1/crypto/aes/asm/aes-s390x.pl 2012-04-05 19:50:41.290593267 +0200
|
|
||||||
@@ -783,6 +783,7 @@ $code.=<<___;
|
|
||||||
.type private_AES_set_encrypt_key,\@function
|
|
||||||
.align 16
|
|
||||||
private_AES_set_encrypt_key:
|
|
||||||
+_s390x_AES_set_encrypt_key:
|
|
||||||
lghi $t0,0
|
|
||||||
cl${g}r $inp,$t0
|
|
||||||
je .Lminus1
|
|
||||||
@@ -1068,7 +1069,7 @@ $code.=<<___;
|
|
||||||
private_AES_set_decrypt_key:
|
|
||||||
st${g} $key,4*$SIZE_T($sp) # I rely on AES_set_encrypt_key to
|
|
||||||
st${g} $ra,14*$SIZE_T($sp) # save non-volatile registers!
|
|
||||||
- bras $ra,AES_set_encrypt_key
|
|
||||||
+ bras $ra,_s390x_AES_set_encrypt_key
|
|
||||||
l${g} $key,4*$SIZE_T($sp)
|
|
||||||
l${g} $ra,14*$SIZE_T($sp)
|
|
||||||
ltgr %r2,%r2
|
|
||||||
diff -up openssl-1.0.1/crypto/aes/asm/vpaes-x86_64.pl.backport openssl-1.0.1/crypto/aes/asm/vpaes-x86_64.pl
|
|
||||||
--- openssl-1.0.1/crypto/aes/asm/vpaes-x86_64.pl.backport 2012-03-14 21:15:04.777898297 +0100
|
|
||||||
+++ openssl-1.0.1/crypto/aes/asm/vpaes-x86_64.pl 2012-04-05 19:48:22.036603157 +0200
|
|
||||||
@@ -263,7 +263,7 @@ _vpaes_decrypt_core:
|
|
||||||
pshufb %xmm2, %xmm4 # 4 = sbou
|
|
||||||
pxor %xmm0, %xmm4 # 4 = sb1u + k
|
|
||||||
movdqa 0x70(%r10), %xmm0 # 0 : sbot
|
|
||||||
- movdqa .Lk_sr-.Lk_dsbd(%r11), %xmm2
|
|
||||||
+ movdqa -0x160(%r11), %xmm2 # .Lk_sr-.Lk_dsbd=-0x160
|
|
||||||
pshufb %xmm3, %xmm0 # 0 = sb1t
|
|
||||||
pxor %xmm4, %xmm0 # 0 = A
|
|
||||||
pshufb %xmm2, %xmm0
|
|
||||||
@@ -869,6 +869,8 @@ ${PREFIX}_cbc_encrypt:
|
|
||||||
___
|
|
||||||
($len,$key)=($key,$len);
|
|
||||||
$code.=<<___;
|
|
||||||
+ sub \$16,$len
|
|
||||||
+ jc .Lcbc_abort
|
|
||||||
___
|
|
||||||
$code.=<<___ if ($win64);
|
|
||||||
lea -0xb8(%rsp),%rsp
|
|
||||||
@@ -887,7 +889,6 @@ ___
|
|
||||||
$code.=<<___;
|
|
||||||
movdqu ($ivp),%xmm6 # load IV
|
|
||||||
sub $inp,$out
|
|
||||||
- sub \$16,$len
|
|
||||||
call _vpaes_preheat
|
|
||||||
cmp \$0,${enc}d
|
|
||||||
je .Lcbc_dec_loop
|
|
||||||
@@ -932,6 +933,7 @@ $code.=<<___ if ($win64);
|
|
||||||
.Lcbc_epilogue:
|
|
||||||
___
|
|
||||||
$code.=<<___;
|
|
||||||
+.Lcbc_abort:
|
|
||||||
ret
|
|
||||||
.size ${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt
|
|
||||||
___
|
|
||||||
diff -up openssl-1.0.1/crypto/aes/asm/vpaes-x86.pl.backport openssl-1.0.1/crypto/aes/asm/vpaes-x86.pl
|
|
||||||
--- openssl-1.0.1/crypto/aes/asm/vpaes-x86.pl.backport 2012-03-14 21:15:04.775898257 +0100
|
|
||||||
+++ openssl-1.0.1/crypto/aes/asm/vpaes-x86.pl 2012-04-05 19:48:22.036603157 +0200
|
|
||||||
@@ -843,6 +843,8 @@ $k_dsbo=0x2c0; # decryption sbox final
|
|
||||||
&mov ($out,&wparam(1)); # out
|
|
||||||
&mov ($round,&wparam(2)); # len
|
|
||||||
&mov ($key,&wparam(3)); # key
|
|
||||||
+ &sub ($round,16);
|
|
||||||
+ &jc (&label("cbc_abort"));
|
|
||||||
&lea ($base,&DWP(-56,"esp"));
|
|
||||||
&mov ($const,&wparam(4)); # ivp
|
|
||||||
&and ($base,-16);
|
|
||||||
@@ -853,7 +855,6 @@ $k_dsbo=0x2c0; # decryption sbox final
|
|
||||||
&mov (&DWP(48,"esp"),$base);
|
|
||||||
|
|
||||||
&mov (&DWP(0,"esp"),$out); # save out
|
|
||||||
- &sub ($round,16);
|
|
||||||
&mov (&DWP(4,"esp"),$key) # save key
|
|
||||||
&mov (&DWP(8,"esp"),$const); # save ivp
|
|
||||||
&mov ($out,$round); # $out works as $len
|
|
||||||
@@ -896,6 +897,7 @@ $k_dsbo=0x2c0; # decryption sbox final
|
|
||||||
&mov ($base,&DWP(8,"esp")); # restore ivp
|
|
||||||
&mov ("esp",&DWP(48,"esp"));
|
|
||||||
&movdqu (&QWP(0,$base),"xmm1"); # write IV
|
|
||||||
+&set_label("cbc_abort");
|
|
||||||
&function_end("${PREFIX}_cbc_encrypt");
|
|
||||||
|
|
||||||
&asm_finish();
|
|
||||||
diff -up openssl-1.0.1/crypto/evp/p5_crpt.c.backport openssl-1.0.1/crypto/evp/p5_crpt.c
|
|
||||||
--- openssl-1.0.1/crypto/evp/p5_crpt.c.backport 2011-06-03 22:52:57.000000000 +0200
|
|
||||||
+++ openssl-1.0.1/crypto/evp/p5_crpt.c 2012-04-05 19:49:01.512450795 +0200
|
|
||||||
@@ -138,5 +138,6 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *c
|
|
||||||
OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
|
|
||||||
rv = 1;
|
|
||||||
err:
|
|
||||||
+ EVP_MD_CTX_cleanup(&ctx);
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
diff -up openssl-1.0.1/crypto/pkcs7/pk7_doit.c.backport openssl-1.0.1/crypto/pkcs7/pk7_doit.c
|
|
||||||
--- openssl-1.0.1/crypto/pkcs7/pk7_doit.c.backport 2012-03-12 17:27:50.000000000 +0100
|
|
||||||
+++ openssl-1.0.1/crypto/pkcs7/pk7_doit.c 2012-04-05 19:49:40.591289911 +0200
|
|
||||||
@@ -430,6 +430,8 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
|
|
||||||
STACK_OF(X509_ALGOR) *md_sk=NULL;
|
|
||||||
STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
|
|
||||||
PKCS7_RECIP_INFO *ri=NULL;
|
|
||||||
+ unsigned char *ek = NULL, *tkey = NULL;
|
|
||||||
+ int eklen = 0, tkeylen = 0;
|
|
||||||
|
|
||||||
i=OBJ_obj2nid(p7->type);
|
|
||||||
p7->state=PKCS7_S_HEADER;
|
|
||||||
@@ -507,8 +509,6 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
|
|
||||||
int max;
|
|
||||||
X509_OBJECT ret;
|
|
||||||
#endif
|
|
||||||
- unsigned char *ek = NULL, *tkey = NULL;
|
|
||||||
- int eklen, tkeylen;
|
|
||||||
|
|
||||||
if ((etmp=BIO_new(BIO_f_cipher())) == NULL)
|
|
||||||
{
|
|
||||||
@@ -609,11 +609,13 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
|
|
||||||
{
|
|
||||||
OPENSSL_cleanse(ek,eklen);
|
|
||||||
OPENSSL_free(ek);
|
|
||||||
+ ek = NULL;
|
|
||||||
}
|
|
||||||
if (tkey)
|
|
||||||
{
|
|
||||||
OPENSSL_cleanse(tkey,tkeylen);
|
|
||||||
OPENSSL_free(tkey);
|
|
||||||
+ tkey = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (out == NULL)
|
|
||||||
@@ -656,6 +658,16 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
|
|
||||||
if (0)
|
|
||||||
{
|
|
||||||
err:
|
|
||||||
+ if (ek)
|
|
||||||
+ {
|
|
||||||
+ OPENSSL_cleanse(ek,eklen);
|
|
||||||
+ OPENSSL_free(ek);
|
|
||||||
+ }
|
|
||||||
+ if (tkey)
|
|
||||||
+ {
|
|
||||||
+ OPENSSL_cleanse(tkey,tkeylen);
|
|
||||||
+ OPENSSL_free(tkey);
|
|
||||||
+ }
|
|
||||||
if (out != NULL) BIO_free_all(out);
|
|
||||||
if (btmp != NULL) BIO_free_all(btmp);
|
|
||||||
if (etmp != NULL) BIO_free_all(etmp);
|
|
||||||
diff -up openssl-1.0.1/ssl/d1_srvr.c.backport openssl-1.0.1/ssl/d1_srvr.c
|
|
||||||
--- openssl-1.0.1/ssl/d1_srvr.c.backport 2012-03-06 14:24:16.000000000 +0100
|
|
||||||
+++ openssl-1.0.1/ssl/d1_srvr.c 2012-04-05 19:47:36.812632091 +0200
|
|
||||||
@@ -920,7 +920,7 @@ int dtls1_send_server_hello(SSL *s)
|
|
||||||
p=s->s3->server_random;
|
|
||||||
Time=(unsigned long)time(NULL); /* Time */
|
|
||||||
l2n(Time,p);
|
|
||||||
- RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
|
|
||||||
+ RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4);
|
|
||||||
/* Do the message type and length last */
|
|
||||||
d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
|
|
||||||
|
|
@ -1,26 +0,0 @@
|
|||||||
diff -up openssl-1.0.1-beta3/crypto/rc4/asm/rc4-s390x.pl.s390xbuild openssl-1.0.1-beta3/crypto/rc4/asm/rc4-s390x.pl
|
|
||||||
--- openssl-1.0.1-beta3/crypto/rc4/asm/rc4-s390x.pl.s390xbuild 2012-02-29 17:40:30.000000000 +0100
|
|
||||||
+++ openssl-1.0.1-beta3/crypto/rc4/asm/rc4-s390x.pl 2012-02-29 20:03:39.642182906 +0100
|
|
||||||
@@ -171,10 +171,10 @@ $ikey="%r7";
|
|
||||||
$iinp="%r8";
|
|
||||||
|
|
||||||
$code.=<<___;
|
|
||||||
-.globl RC4_set_key
|
|
||||||
-.type RC4_set_key,\@function
|
|
||||||
+.globl private_RC4_set_key
|
|
||||||
+.type private_RC4_set_key,\@function
|
|
||||||
.align 64
|
|
||||||
-RC4_set_key:
|
|
||||||
+private_RC4_set_key:
|
|
||||||
stm${g} %r6,%r8,6*$SIZE_T($sp)
|
|
||||||
lhi $cnt,256
|
|
||||||
la $idx,0(%r0)
|
|
||||||
@@ -210,7 +210,7 @@ RC4_set_key:
|
|
||||||
.Ldone:
|
|
||||||
lm${g} %r6,%r8,6*$SIZE_T($sp)
|
|
||||||
br $rp
|
|
||||||
-.size RC4_set_key,.-RC4_set_key
|
|
||||||
+.size private_RC4_set_key,.-private_RC4_set_key
|
|
||||||
|
|
||||||
___
|
|
||||||
}
|
|
@ -1,28 +1,7 @@
|
|||||||
diff -up openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod
|
diff -up openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod
|
||||||
--- openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc 2009-10-16 17:29:34.000000000 +0200
|
--- openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc 2012-04-11 00:28:22.000000000 +0200
|
||||||
+++ openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod 2009-11-12 14:13:21.000000000 +0100
|
+++ openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod 2012-04-20 09:14:01.865167011 +0200
|
||||||
@@ -6,7 +6,8 @@ EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_
|
@@ -75,7 +75,7 @@ EVP_MD_CTX_create() allocates, initializ
|
||||||
EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE,
|
|
||||||
EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size,
|
|
||||||
EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type,
|
|
||||||
-EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_dss, EVP_dss1, EVP_mdc2,
|
|
||||||
+EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_sha224,
|
|
||||||
+EVP_sha256, EVP_sha384, EVP_sha512, EVP_dss, EVP_dss1, EVP_mdc2,
|
|
||||||
EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj -
|
|
||||||
EVP digest routines
|
|
||||||
|
|
||||||
@@ -51,6 +52,10 @@ EVP digest routines
|
|
||||||
const EVP_MD *EVP_md5(void);
|
|
||||||
const EVP_MD *EVP_sha(void);
|
|
||||||
const EVP_MD *EVP_sha1(void);
|
|
||||||
+ const EVP_MD *EVP_sha224(void);
|
|
||||||
+ const EVP_MD *EVP_sha256(void);
|
|
||||||
+ const EVP_MD *EVP_sha384(void);
|
|
||||||
+ const EVP_MD *EVP_sha512(void);
|
|
||||||
const EVP_MD *EVP_dss(void);
|
|
||||||
const EVP_MD *EVP_dss1(void);
|
|
||||||
const EVP_MD *EVP_mdc2(void);
|
|
||||||
@@ -70,7 +75,7 @@ EVP_MD_CTX_create() allocates, initializ
|
|
||||||
|
|
||||||
EVP_DigestInit_ex() sets up digest context B<ctx> to use a digest
|
EVP_DigestInit_ex() sets up digest context B<ctx> to use a digest
|
||||||
B<type> from ENGINE B<impl>. B<ctx> must be initialized before calling this
|
B<type> from ENGINE B<impl>. B<ctx> must be initialized before calling this
|
||||||
@ -31,22 +10,7 @@ diff -up openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.
|
|||||||
If B<impl> is NULL then the default implementation of digest B<type> is used.
|
If B<impl> is NULL then the default implementation of digest B<type> is used.
|
||||||
|
|
||||||
EVP_DigestUpdate() hashes B<cnt> bytes of data at B<d> into the
|
EVP_DigestUpdate() hashes B<cnt> bytes of data at B<d> into the
|
||||||
@@ -127,9 +132,11 @@ with this digest. For example EVP_sha1()
|
@@ -165,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
|
||||||
return B<NID_sha1WithRSAEncryption>. This "link" between digests and signature
|
|
||||||
algorithms may not be retained in future versions of OpenSSL.
|
|
||||||
|
|
||||||
-EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_mdc2() and EVP_ripemd160()
|
|
||||||
-return B<EVP_MD> structures for the MD2, MD5, SHA, SHA1, MDC2 and RIPEMD160 digest
|
|
||||||
-algorithms respectively. The associated signature algorithm is RSA in each case.
|
|
||||||
+EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_sha224(), EVP_sha256(),
|
|
||||||
+EVP_sha384(), EVP_sha512(), EVP_mdc2() and EVP_ripemd160()
|
|
||||||
+return B<EVP_MD> structures for the MD2, MD5, SHA, SHA1, SHA224, SHA256, SHA384,
|
|
||||||
+SHA512, MDC2 and RIPEMD160 digest algorithms respectively. The associated
|
|
||||||
+signature algorithm is RSA in each case.
|
|
||||||
|
|
||||||
EVP_dss() and EVP_dss1() return B<EVP_MD> structures for SHA and SHA1 digest
|
|
||||||
algorithms but using DSS (DSA) for the signature algorithm. Note: there is
|
|
||||||
@@ -158,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
|
|
||||||
EVP_MD_CTX_block_size() and EVP_MD_block_size() return the digest or block
|
EVP_MD_CTX_block_size() and EVP_MD_block_size() return the digest or block
|
||||||
size in bytes.
|
size in bytes.
|
||||||
|
|
||||||
@ -56,9 +20,9 @@ diff -up openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.
|
|||||||
EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
|
EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
|
||||||
corresponding EVP_MD structures.
|
corresponding EVP_MD structures.
|
||||||
|
|
||||||
diff -up openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod
|
diff -up openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod
|
||||||
--- openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc 2005-04-15 18:01:35.000000000 +0200
|
--- openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod.algo-doc 2005-04-15 18:01:35.000000000 +0200
|
||||||
+++ openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod 2009-11-12 14:11:03.000000000 +0100
|
+++ openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod 2012-04-20 09:10:59.114736465 +0200
|
||||||
@@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher
|
@@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher
|
||||||
int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
|
int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
|
||||||
int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
|
int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
|
41
openssl-1.0.1a-backport.patch
Normal file
41
openssl-1.0.1a-backport.patch
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
diff -up openssl-1.0.1a/crypto/evp/e_rc4_hmac_md5.c.backport openssl-1.0.1a/crypto/evp/e_rc4_hmac_md5.c
|
||||||
|
--- openssl-1.0.1a/crypto/evp/e_rc4_hmac_md5.c.backport 2012-04-18 19:51:33.000000000 +0200
|
||||||
|
+++ openssl-1.0.1a/crypto/evp/e_rc4_hmac_md5.c 2012-04-20 09:20:29.411861130 +0200
|
||||||
|
@@ -121,6 +121,7 @@ static int rc4_hmac_md5_cipher(EVP_CIPHE
|
||||||
|
md5_off = MD5_CBLOCK-key->md.num,
|
||||||
|
blocks;
|
||||||
|
unsigned int l;
|
||||||
|
+ extern unsigned int OPENSSL_ia32cap_P[];
|
||||||
|
#endif
|
||||||
|
size_t plen = key->payload_length;
|
||||||
|
|
||||||
|
@@ -132,7 +133,8 @@ static int rc4_hmac_md5_cipher(EVP_CIPHE
|
||||||
|
/* cipher has to "fall behind" */
|
||||||
|
if (rc4_off>md5_off) md5_off+=MD5_CBLOCK;
|
||||||
|
|
||||||
|
- if (plen>md5_off && (blocks=(plen-md5_off)/MD5_CBLOCK)) {
|
||||||
|
+ if (plen>md5_off && (blocks=(plen-md5_off)/MD5_CBLOCK) &&
|
||||||
|
+ (OPENSSL_ia32cap_P[0]&(1<<20))==0) {
|
||||||
|
MD5_Update(&key->md,in,md5_off);
|
||||||
|
RC4(&key->ks,rc4_off,in,out);
|
||||||
|
|
||||||
|
@@ -172,7 +174,8 @@ static int rc4_hmac_md5_cipher(EVP_CIPHE
|
||||||
|
if (md5_off>rc4_off) rc4_off += 2*MD5_CBLOCK;
|
||||||
|
else rc4_off += MD5_CBLOCK;
|
||||||
|
|
||||||
|
- if (len>rc4_off && (blocks=(len-rc4_off)/MD5_CBLOCK)) {
|
||||||
|
+ if (len>rc4_off && (blocks=(len-rc4_off)/MD5_CBLOCK) &&
|
||||||
|
+ (OPENSSL_ia32cap_P[0]&(1<<20))==0) {
|
||||||
|
RC4(&key->ks,rc4_off,in,out);
|
||||||
|
MD5_Update(&key->md,out,md5_off);
|
||||||
|
|
||||||
|
@@ -289,8 +292,6 @@ static EVP_CIPHER r4_hmac_md5_cipher=
|
||||||
|
|
||||||
|
const EVP_CIPHER *EVP_rc4_hmac_md5(void)
|
||||||
|
{
|
||||||
|
- extern unsigned int OPENSSL_ia32cap_P[];
|
||||||
|
- /* RC4_CHAR flag ------------vvvvv */
|
||||||
|
- return(OPENSSL_ia32cap_P[0]&(1<<20) ? NULL : &r4_hmac_md5_cipher);
|
||||||
|
+ return(&r4_hmac_md5_cipher);
|
||||||
|
}
|
||||||
|
#endif
|
File diff suppressed because it is too large
Load Diff
16
openssl.spec
16
openssl.spec
@ -20,8 +20,8 @@
|
|||||||
|
|
||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 1.0.1
|
Version: 1.0.1a
|
||||||
Release: 3%{?dist}
|
Release: 1%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -43,7 +43,6 @@ Patch6: openssl-0.9.8b-test-use-localhost.patch
|
|||||||
Patch7: openssl-1.0.0-timezone.patch
|
Patch7: openssl-1.0.0-timezone.patch
|
||||||
# Bug fixes
|
# Bug fixes
|
||||||
Patch23: openssl-1.0.0-beta4-default-paths.patch
|
Patch23: openssl-1.0.0-beta4-default-paths.patch
|
||||||
Patch24: openssl-1.0.1-beta3-s390xbuild.patch
|
|
||||||
# Functionality changes
|
# Functionality changes
|
||||||
Patch33: openssl-1.0.0-beta4-ca-dir.patch
|
Patch33: openssl-1.0.0-beta4-ca-dir.patch
|
||||||
Patch34: openssl-0.9.6-x509.patch
|
Patch34: openssl-0.9.6-x509.patch
|
||||||
@ -51,10 +50,10 @@ Patch35: openssl-0.9.8j-version-add-engines.patch
|
|||||||
Patch36: openssl-1.0.0e-doc-noeof.patch
|
Patch36: openssl-1.0.0e-doc-noeof.patch
|
||||||
Patch38: openssl-1.0.1-beta2-ssl-op-all.patch
|
Patch38: openssl-1.0.1-beta2-ssl-op-all.patch
|
||||||
Patch39: openssl-1.0.1-beta2-ipv6-apps.patch
|
Patch39: openssl-1.0.1-beta2-ipv6-apps.patch
|
||||||
Patch40: openssl-1.0.1-beta3-fips.patch
|
Patch40: openssl-1.0.1a-fips.patch
|
||||||
Patch45: openssl-0.9.8j-env-nozlib.patch
|
Patch45: openssl-0.9.8j-env-nozlib.patch
|
||||||
Patch47: openssl-1.0.0-beta5-readme-warning.patch
|
Patch47: openssl-1.0.0-beta5-readme-warning.patch
|
||||||
Patch49: openssl-1.0.0-beta4-algo-doc.patch
|
Patch49: openssl-1.0.1a-algo-doc.patch
|
||||||
Patch50: openssl-1.0.1-beta2-dtls1-abi.patch
|
Patch50: openssl-1.0.1-beta2-dtls1-abi.patch
|
||||||
Patch51: openssl-1.0.1-version.patch
|
Patch51: openssl-1.0.1-version.patch
|
||||||
Patch56: openssl-1.0.0c-rsa-x931.patch
|
Patch56: openssl-1.0.0c-rsa-x931.patch
|
||||||
@ -65,7 +64,7 @@ Patch65: openssl-1.0.0e-chil-fixes.patch
|
|||||||
Patch66: openssl-1.0.1-pkgconfig-krb5.patch
|
Patch66: openssl-1.0.1-pkgconfig-krb5.patch
|
||||||
# Backported fixes including security fixes
|
# Backported fixes including security fixes
|
||||||
Patch81: openssl-1.0.1-beta2-padlock64.patch
|
Patch81: openssl-1.0.1-beta2-padlock64.patch
|
||||||
Patch82: openssl-1.0.1-backport.patch
|
Patch82: openssl-1.0.1a-backport.patch
|
||||||
|
|
||||||
License: OpenSSL
|
License: OpenSSL
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
@ -142,7 +141,6 @@ from other formats to the formats used by the OpenSSL toolkit.
|
|||||||
%patch7 -p1 -b .timezone
|
%patch7 -p1 -b .timezone
|
||||||
|
|
||||||
%patch23 -p1 -b .default-paths
|
%patch23 -p1 -b .default-paths
|
||||||
%patch24 -p1 -b .s390xbuild
|
|
||||||
|
|
||||||
%patch33 -p1 -b .ca-dir
|
%patch33 -p1 -b .ca-dir
|
||||||
%patch34 -p1 -b .x509
|
%patch34 -p1 -b .x509
|
||||||
@ -165,6 +163,7 @@ from other formats to the formats used by the OpenSSL toolkit.
|
|||||||
|
|
||||||
%patch81 -p1 -b .padlock64
|
%patch81 -p1 -b .padlock64
|
||||||
%patch82 -p1 -b .backport
|
%patch82 -p1 -b .backport
|
||||||
|
|
||||||
# Modify the various perl scripts to reference perl in the right location.
|
# Modify the various perl scripts to reference perl in the right location.
|
||||||
perl util/perlpath.pl `dirname %{__perl}`
|
perl util/perlpath.pl `dirname %{__perl}`
|
||||||
|
|
||||||
@ -419,6 +418,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||||||
%postun libs -p /sbin/ldconfig
|
%postun libs -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Apr 20 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1a-1
|
||||||
|
- new upstream version fixing CVE-2012-2110
|
||||||
|
|
||||||
* Wed Apr 11 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1-3
|
* Wed Apr 11 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1-3
|
||||||
- add Kerberos 5 libraries to pkgconfig for static linking (#807050)
|
- add Kerberos 5 libraries to pkgconfig for static linking (#807050)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user