new upstream version fixing CVE-2012-2110
This commit is contained in:
parent
d46b44c249
commit
e8c18345a4
1
.gitignore
vendored
1
.gitignore
vendored
@ -8,3 +8,4 @@ openssl-1.0.0a-usa.tar.bz2
|
||||
/openssl-1.0.1-beta2-usa.tar.xz
|
||||
/openssl-1.0.1-beta3-usa.tar.xz
|
||||
/openssl-1.0.1-usa.tar.xz
|
||||
/openssl-1.0.1a-usa.tar.xz
|
||||
|
@ -1,226 +0,0 @@
|
||||
diff -up openssl-1.0.1/apps/s_client.c.backport openssl-1.0.1/apps/s_client.c
|
||||
--- openssl-1.0.1/apps/s_client.c.backport 2012-03-14 21:15:04.736897459 +0100
|
||||
+++ openssl-1.0.1/apps/s_client.c 2012-04-05 19:48:40.469998965 +0200
|
||||
@@ -622,13 +622,7 @@ int MAIN(int argc, char **argv)
|
||||
SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
|
||||
#endif
|
||||
|
||||
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
|
||||
meth=SSLv23_client_method();
|
||||
-#elif !defined(OPENSSL_NO_SSL3)
|
||||
- meth=SSLv3_client_method();
|
||||
-#elif !defined(OPENSSL_NO_SSL2)
|
||||
- meth=SSLv2_client_method();
|
||||
-#endif
|
||||
|
||||
apps_startup();
|
||||
c_Pause=0;
|
||||
diff -up openssl-1.0.1/apps/s_server.c.backport openssl-1.0.1/apps/s_server.c
|
||||
--- openssl-1.0.1/apps/s_server.c.backport 2012-03-14 21:15:04.690896516 +0100
|
||||
+++ openssl-1.0.1/apps/s_server.c 2012-04-05 19:48:40.474999072 +0200
|
||||
@@ -969,17 +969,7 @@ int MAIN(int argc, char *argv[])
|
||||
char *srpuserseed = NULL;
|
||||
char *srp_verifier_file = NULL;
|
||||
#endif
|
||||
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
|
||||
meth=SSLv23_server_method();
|
||||
-#elif !defined(OPENSSL_NO_SSL3)
|
||||
- meth=SSLv3_server_method();
|
||||
-#elif !defined(OPENSSL_NO_SSL2)
|
||||
- meth=SSLv2_server_method();
|
||||
-#elif !defined(OPENSSL_NO_TLS1)
|
||||
- meth=TLSv1_server_method();
|
||||
-#else
|
||||
- /* #error no SSL version enabled */
|
||||
-#endif
|
||||
|
||||
local_argc=argc;
|
||||
local_argv=argv;
|
||||
diff -up openssl-1.0.1/crypto/aes/asm/aes-armv4.pl.backport openssl-1.0.1/crypto/aes/asm/aes-armv4.pl
|
||||
--- openssl-1.0.1/crypto/aes/asm/aes-armv4.pl.backport 2012-03-14 21:15:04.777898297 +0100
|
||||
+++ openssl-1.0.1/crypto/aes/asm/aes-armv4.pl 2012-04-05 19:51:35.555528155 +0200
|
||||
@@ -408,6 +408,7 @@ _armv4_AES_encrypt:
|
||||
.type private_AES_set_encrypt_key,%function
|
||||
.align 5
|
||||
private_AES_set_encrypt_key:
|
||||
+_armv4_AES_set_encrypt_key:
|
||||
sub r3,pc,#8 @ AES_set_encrypt_key
|
||||
teq r0,#0
|
||||
moveq r0,#-1
|
||||
@@ -425,7 +426,7 @@ private_AES_set_encrypt_key:
|
||||
bne .Labrt
|
||||
|
||||
.Lok: stmdb sp!,{r4-r12,lr}
|
||||
- sub $tbl,r3,#private_AES_set_encrypt_key-AES_Te-1024 @ Te4
|
||||
+ sub $tbl,r3,#_armv4_AES_set_encrypt_key-AES_Te-1024 @ Te4
|
||||
|
||||
mov $rounds,r0 @ inp
|
||||
mov lr,r1 @ bits
|
||||
@@ -685,7 +686,7 @@ private_AES_set_encrypt_key:
|
||||
.align 5
|
||||
private_AES_set_decrypt_key:
|
||||
str lr,[sp,#-4]! @ push lr
|
||||
- bl private_AES_set_encrypt_key
|
||||
+ bl _armv4_AES_set_encrypt_key
|
||||
teq r0,#0
|
||||
ldrne lr,[sp],#4 @ pop lr
|
||||
bne .Labrt
|
||||
diff -up openssl-1.0.1/crypto/aes/asm/aes-s390x.pl.backport openssl-1.0.1/crypto/aes/asm/aes-s390x.pl
|
||||
--- openssl-1.0.1/crypto/aes/asm/aes-s390x.pl.backport 2012-03-14 21:15:04.782898400 +0100
|
||||
+++ openssl-1.0.1/crypto/aes/asm/aes-s390x.pl 2012-04-05 19:50:41.290593267 +0200
|
||||
@@ -783,6 +783,7 @@ $code.=<<___;
|
||||
.type private_AES_set_encrypt_key,\@function
|
||||
.align 16
|
||||
private_AES_set_encrypt_key:
|
||||
+_s390x_AES_set_encrypt_key:
|
||||
lghi $t0,0
|
||||
cl${g}r $inp,$t0
|
||||
je .Lminus1
|
||||
@@ -1068,7 +1069,7 @@ $code.=<<___;
|
||||
private_AES_set_decrypt_key:
|
||||
st${g} $key,4*$SIZE_T($sp) # I rely on AES_set_encrypt_key to
|
||||
st${g} $ra,14*$SIZE_T($sp) # save non-volatile registers!
|
||||
- bras $ra,AES_set_encrypt_key
|
||||
+ bras $ra,_s390x_AES_set_encrypt_key
|
||||
l${g} $key,4*$SIZE_T($sp)
|
||||
l${g} $ra,14*$SIZE_T($sp)
|
||||
ltgr %r2,%r2
|
||||
diff -up openssl-1.0.1/crypto/aes/asm/vpaes-x86_64.pl.backport openssl-1.0.1/crypto/aes/asm/vpaes-x86_64.pl
|
||||
--- openssl-1.0.1/crypto/aes/asm/vpaes-x86_64.pl.backport 2012-03-14 21:15:04.777898297 +0100
|
||||
+++ openssl-1.0.1/crypto/aes/asm/vpaes-x86_64.pl 2012-04-05 19:48:22.036603157 +0200
|
||||
@@ -263,7 +263,7 @@ _vpaes_decrypt_core:
|
||||
pshufb %xmm2, %xmm4 # 4 = sbou
|
||||
pxor %xmm0, %xmm4 # 4 = sb1u + k
|
||||
movdqa 0x70(%r10), %xmm0 # 0 : sbot
|
||||
- movdqa .Lk_sr-.Lk_dsbd(%r11), %xmm2
|
||||
+ movdqa -0x160(%r11), %xmm2 # .Lk_sr-.Lk_dsbd=-0x160
|
||||
pshufb %xmm3, %xmm0 # 0 = sb1t
|
||||
pxor %xmm4, %xmm0 # 0 = A
|
||||
pshufb %xmm2, %xmm0
|
||||
@@ -869,6 +869,8 @@ ${PREFIX}_cbc_encrypt:
|
||||
___
|
||||
($len,$key)=($key,$len);
|
||||
$code.=<<___;
|
||||
+ sub \$16,$len
|
||||
+ jc .Lcbc_abort
|
||||
___
|
||||
$code.=<<___ if ($win64);
|
||||
lea -0xb8(%rsp),%rsp
|
||||
@@ -887,7 +889,6 @@ ___
|
||||
$code.=<<___;
|
||||
movdqu ($ivp),%xmm6 # load IV
|
||||
sub $inp,$out
|
||||
- sub \$16,$len
|
||||
call _vpaes_preheat
|
||||
cmp \$0,${enc}d
|
||||
je .Lcbc_dec_loop
|
||||
@@ -932,6 +933,7 @@ $code.=<<___ if ($win64);
|
||||
.Lcbc_epilogue:
|
||||
___
|
||||
$code.=<<___;
|
||||
+.Lcbc_abort:
|
||||
ret
|
||||
.size ${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt
|
||||
___
|
||||
diff -up openssl-1.0.1/crypto/aes/asm/vpaes-x86.pl.backport openssl-1.0.1/crypto/aes/asm/vpaes-x86.pl
|
||||
--- openssl-1.0.1/crypto/aes/asm/vpaes-x86.pl.backport 2012-03-14 21:15:04.775898257 +0100
|
||||
+++ openssl-1.0.1/crypto/aes/asm/vpaes-x86.pl 2012-04-05 19:48:22.036603157 +0200
|
||||
@@ -843,6 +843,8 @@ $k_dsbo=0x2c0; # decryption sbox final
|
||||
&mov ($out,&wparam(1)); # out
|
||||
&mov ($round,&wparam(2)); # len
|
||||
&mov ($key,&wparam(3)); # key
|
||||
+ &sub ($round,16);
|
||||
+ &jc (&label("cbc_abort"));
|
||||
&lea ($base,&DWP(-56,"esp"));
|
||||
&mov ($const,&wparam(4)); # ivp
|
||||
&and ($base,-16);
|
||||
@@ -853,7 +855,6 @@ $k_dsbo=0x2c0; # decryption sbox final
|
||||
&mov (&DWP(48,"esp"),$base);
|
||||
|
||||
&mov (&DWP(0,"esp"),$out); # save out
|
||||
- &sub ($round,16);
|
||||
&mov (&DWP(4,"esp"),$key) # save key
|
||||
&mov (&DWP(8,"esp"),$const); # save ivp
|
||||
&mov ($out,$round); # $out works as $len
|
||||
@@ -896,6 +897,7 @@ $k_dsbo=0x2c0; # decryption sbox final
|
||||
&mov ($base,&DWP(8,"esp")); # restore ivp
|
||||
&mov ("esp",&DWP(48,"esp"));
|
||||
&movdqu (&QWP(0,$base),"xmm1"); # write IV
|
||||
+&set_label("cbc_abort");
|
||||
&function_end("${PREFIX}_cbc_encrypt");
|
||||
|
||||
&asm_finish();
|
||||
diff -up openssl-1.0.1/crypto/evp/p5_crpt.c.backport openssl-1.0.1/crypto/evp/p5_crpt.c
|
||||
--- openssl-1.0.1/crypto/evp/p5_crpt.c.backport 2011-06-03 22:52:57.000000000 +0200
|
||||
+++ openssl-1.0.1/crypto/evp/p5_crpt.c 2012-04-05 19:49:01.512450795 +0200
|
||||
@@ -138,5 +138,6 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *c
|
||||
OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
|
||||
rv = 1;
|
||||
err:
|
||||
+ EVP_MD_CTX_cleanup(&ctx);
|
||||
return rv;
|
||||
}
|
||||
diff -up openssl-1.0.1/crypto/pkcs7/pk7_doit.c.backport openssl-1.0.1/crypto/pkcs7/pk7_doit.c
|
||||
--- openssl-1.0.1/crypto/pkcs7/pk7_doit.c.backport 2012-03-12 17:27:50.000000000 +0100
|
||||
+++ openssl-1.0.1/crypto/pkcs7/pk7_doit.c 2012-04-05 19:49:40.591289911 +0200
|
||||
@@ -430,6 +430,8 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
|
||||
STACK_OF(X509_ALGOR) *md_sk=NULL;
|
||||
STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
|
||||
PKCS7_RECIP_INFO *ri=NULL;
|
||||
+ unsigned char *ek = NULL, *tkey = NULL;
|
||||
+ int eklen = 0, tkeylen = 0;
|
||||
|
||||
i=OBJ_obj2nid(p7->type);
|
||||
p7->state=PKCS7_S_HEADER;
|
||||
@@ -507,8 +509,6 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
|
||||
int max;
|
||||
X509_OBJECT ret;
|
||||
#endif
|
||||
- unsigned char *ek = NULL, *tkey = NULL;
|
||||
- int eklen, tkeylen;
|
||||
|
||||
if ((etmp=BIO_new(BIO_f_cipher())) == NULL)
|
||||
{
|
||||
@@ -609,11 +609,13 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
|
||||
{
|
||||
OPENSSL_cleanse(ek,eklen);
|
||||
OPENSSL_free(ek);
|
||||
+ ek = NULL;
|
||||
}
|
||||
if (tkey)
|
||||
{
|
||||
OPENSSL_cleanse(tkey,tkeylen);
|
||||
OPENSSL_free(tkey);
|
||||
+ tkey = NULL;
|
||||
}
|
||||
|
||||
if (out == NULL)
|
||||
@@ -656,6 +658,16 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
|
||||
if (0)
|
||||
{
|
||||
err:
|
||||
+ if (ek)
|
||||
+ {
|
||||
+ OPENSSL_cleanse(ek,eklen);
|
||||
+ OPENSSL_free(ek);
|
||||
+ }
|
||||
+ if (tkey)
|
||||
+ {
|
||||
+ OPENSSL_cleanse(tkey,tkeylen);
|
||||
+ OPENSSL_free(tkey);
|
||||
+ }
|
||||
if (out != NULL) BIO_free_all(out);
|
||||
if (btmp != NULL) BIO_free_all(btmp);
|
||||
if (etmp != NULL) BIO_free_all(etmp);
|
||||
diff -up openssl-1.0.1/ssl/d1_srvr.c.backport openssl-1.0.1/ssl/d1_srvr.c
|
||||
--- openssl-1.0.1/ssl/d1_srvr.c.backport 2012-03-06 14:24:16.000000000 +0100
|
||||
+++ openssl-1.0.1/ssl/d1_srvr.c 2012-04-05 19:47:36.812632091 +0200
|
||||
@@ -920,7 +920,7 @@ int dtls1_send_server_hello(SSL *s)
|
||||
p=s->s3->server_random;
|
||||
Time=(unsigned long)time(NULL); /* Time */
|
||||
l2n(Time,p);
|
||||
- RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
|
||||
+ RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4);
|
||||
/* Do the message type and length last */
|
||||
d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
|
||||
|
@ -1,26 +0,0 @@
|
||||
diff -up openssl-1.0.1-beta3/crypto/rc4/asm/rc4-s390x.pl.s390xbuild openssl-1.0.1-beta3/crypto/rc4/asm/rc4-s390x.pl
|
||||
--- openssl-1.0.1-beta3/crypto/rc4/asm/rc4-s390x.pl.s390xbuild 2012-02-29 17:40:30.000000000 +0100
|
||||
+++ openssl-1.0.1-beta3/crypto/rc4/asm/rc4-s390x.pl 2012-02-29 20:03:39.642182906 +0100
|
||||
@@ -171,10 +171,10 @@ $ikey="%r7";
|
||||
$iinp="%r8";
|
||||
|
||||
$code.=<<___;
|
||||
-.globl RC4_set_key
|
||||
-.type RC4_set_key,\@function
|
||||
+.globl private_RC4_set_key
|
||||
+.type private_RC4_set_key,\@function
|
||||
.align 64
|
||||
-RC4_set_key:
|
||||
+private_RC4_set_key:
|
||||
stm${g} %r6,%r8,6*$SIZE_T($sp)
|
||||
lhi $cnt,256
|
||||
la $idx,0(%r0)
|
||||
@@ -210,7 +210,7 @@ RC4_set_key:
|
||||
.Ldone:
|
||||
lm${g} %r6,%r8,6*$SIZE_T($sp)
|
||||
br $rp
|
||||
-.size RC4_set_key,.-RC4_set_key
|
||||
+.size private_RC4_set_key,.-private_RC4_set_key
|
||||
|
||||
___
|
||||
}
|
@ -1,28 +1,7 @@
|
||||
diff -up openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod
|
||||
--- openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc 2009-10-16 17:29:34.000000000 +0200
|
||||
+++ openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod 2009-11-12 14:13:21.000000000 +0100
|
||||
@@ -6,7 +6,8 @@ EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_
|
||||
EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE,
|
||||
EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size,
|
||||
EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type,
|
||||
-EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_dss, EVP_dss1, EVP_mdc2,
|
||||
+EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_sha224,
|
||||
+EVP_sha256, EVP_sha384, EVP_sha512, EVP_dss, EVP_dss1, EVP_mdc2,
|
||||
EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj -
|
||||
EVP digest routines
|
||||
|
||||
@@ -51,6 +52,10 @@ EVP digest routines
|
||||
const EVP_MD *EVP_md5(void);
|
||||
const EVP_MD *EVP_sha(void);
|
||||
const EVP_MD *EVP_sha1(void);
|
||||
+ const EVP_MD *EVP_sha224(void);
|
||||
+ const EVP_MD *EVP_sha256(void);
|
||||
+ const EVP_MD *EVP_sha384(void);
|
||||
+ const EVP_MD *EVP_sha512(void);
|
||||
const EVP_MD *EVP_dss(void);
|
||||
const EVP_MD *EVP_dss1(void);
|
||||
const EVP_MD *EVP_mdc2(void);
|
||||
@@ -70,7 +75,7 @@ EVP_MD_CTX_create() allocates, initializ
|
||||
diff -up openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod
|
||||
--- openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc 2012-04-11 00:28:22.000000000 +0200
|
||||
+++ openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod 2012-04-20 09:14:01.865167011 +0200
|
||||
@@ -75,7 +75,7 @@ EVP_MD_CTX_create() allocates, initializ
|
||||
|
||||
EVP_DigestInit_ex() sets up digest context B<ctx> to use a digest
|
||||
B<type> from ENGINE B<impl>. B<ctx> must be initialized before calling this
|
||||
@ -31,22 +10,7 @@ diff -up openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.
|
||||
If B<impl> is NULL then the default implementation of digest B<type> is used.
|
||||
|
||||
EVP_DigestUpdate() hashes B<cnt> bytes of data at B<d> into the
|
||||
@@ -127,9 +132,11 @@ with this digest. For example EVP_sha1()
|
||||
return B<NID_sha1WithRSAEncryption>. This "link" between digests and signature
|
||||
algorithms may not be retained in future versions of OpenSSL.
|
||||
|
||||
-EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_mdc2() and EVP_ripemd160()
|
||||
-return B<EVP_MD> structures for the MD2, MD5, SHA, SHA1, MDC2 and RIPEMD160 digest
|
||||
-algorithms respectively. The associated signature algorithm is RSA in each case.
|
||||
+EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_sha224(), EVP_sha256(),
|
||||
+EVP_sha384(), EVP_sha512(), EVP_mdc2() and EVP_ripemd160()
|
||||
+return B<EVP_MD> structures for the MD2, MD5, SHA, SHA1, SHA224, SHA256, SHA384,
|
||||
+SHA512, MDC2 and RIPEMD160 digest algorithms respectively. The associated
|
||||
+signature algorithm is RSA in each case.
|
||||
|
||||
EVP_dss() and EVP_dss1() return B<EVP_MD> structures for SHA and SHA1 digest
|
||||
algorithms but using DSS (DSA) for the signature algorithm. Note: there is
|
||||
@@ -158,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
|
||||
@@ -165,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
|
||||
EVP_MD_CTX_block_size() and EVP_MD_block_size() return the digest or block
|
||||
size in bytes.
|
||||
|
||||
@ -56,9 +20,9 @@ diff -up openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.
|
||||
EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
|
||||
corresponding EVP_MD structures.
|
||||
|
||||
diff -up openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod
|
||||
--- openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc 2005-04-15 18:01:35.000000000 +0200
|
||||
+++ openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod 2009-11-12 14:11:03.000000000 +0100
|
||||
diff -up openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod
|
||||
--- openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod.algo-doc 2005-04-15 18:01:35.000000000 +0200
|
||||
+++ openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod 2012-04-20 09:10:59.114736465 +0200
|
||||
@@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher
|
||||
int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
|
||||
int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
|
41
openssl-1.0.1a-backport.patch
Normal file
41
openssl-1.0.1a-backport.patch
Normal file
@ -0,0 +1,41 @@
|
||||
diff -up openssl-1.0.1a/crypto/evp/e_rc4_hmac_md5.c.backport openssl-1.0.1a/crypto/evp/e_rc4_hmac_md5.c
|
||||
--- openssl-1.0.1a/crypto/evp/e_rc4_hmac_md5.c.backport 2012-04-18 19:51:33.000000000 +0200
|
||||
+++ openssl-1.0.1a/crypto/evp/e_rc4_hmac_md5.c 2012-04-20 09:20:29.411861130 +0200
|
||||
@@ -121,6 +121,7 @@ static int rc4_hmac_md5_cipher(EVP_CIPHE
|
||||
md5_off = MD5_CBLOCK-key->md.num,
|
||||
blocks;
|
||||
unsigned int l;
|
||||
+ extern unsigned int OPENSSL_ia32cap_P[];
|
||||
#endif
|
||||
size_t plen = key->payload_length;
|
||||
|
||||
@@ -132,7 +133,8 @@ static int rc4_hmac_md5_cipher(EVP_CIPHE
|
||||
/* cipher has to "fall behind" */
|
||||
if (rc4_off>md5_off) md5_off+=MD5_CBLOCK;
|
||||
|
||||
- if (plen>md5_off && (blocks=(plen-md5_off)/MD5_CBLOCK)) {
|
||||
+ if (plen>md5_off && (blocks=(plen-md5_off)/MD5_CBLOCK) &&
|
||||
+ (OPENSSL_ia32cap_P[0]&(1<<20))==0) {
|
||||
MD5_Update(&key->md,in,md5_off);
|
||||
RC4(&key->ks,rc4_off,in,out);
|
||||
|
||||
@@ -172,7 +174,8 @@ static int rc4_hmac_md5_cipher(EVP_CIPHE
|
||||
if (md5_off>rc4_off) rc4_off += 2*MD5_CBLOCK;
|
||||
else rc4_off += MD5_CBLOCK;
|
||||
|
||||
- if (len>rc4_off && (blocks=(len-rc4_off)/MD5_CBLOCK)) {
|
||||
+ if (len>rc4_off && (blocks=(len-rc4_off)/MD5_CBLOCK) &&
|
||||
+ (OPENSSL_ia32cap_P[0]&(1<<20))==0) {
|
||||
RC4(&key->ks,rc4_off,in,out);
|
||||
MD5_Update(&key->md,out,md5_off);
|
||||
|
||||
@@ -289,8 +292,6 @@ static EVP_CIPHER r4_hmac_md5_cipher=
|
||||
|
||||
const EVP_CIPHER *EVP_rc4_hmac_md5(void)
|
||||
{
|
||||
- extern unsigned int OPENSSL_ia32cap_P[];
|
||||
- /* RC4_CHAR flag ------------vvvvv */
|
||||
- return(OPENSSL_ia32cap_P[0]&(1<<20) ? NULL : &r4_hmac_md5_cipher);
|
||||
+ return(&r4_hmac_md5_cipher);
|
||||
}
|
||||
#endif
|
File diff suppressed because it is too large
Load Diff
16
openssl.spec
16
openssl.spec
@ -20,8 +20,8 @@
|
||||
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.0.1
|
||||
Release: 3%{?dist}
|
||||
Version: 1.0.1a
|
||||
Release: 1%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -43,7 +43,6 @@ Patch6: openssl-0.9.8b-test-use-localhost.patch
|
||||
Patch7: openssl-1.0.0-timezone.patch
|
||||
# Bug fixes
|
||||
Patch23: openssl-1.0.0-beta4-default-paths.patch
|
||||
Patch24: openssl-1.0.1-beta3-s390xbuild.patch
|
||||
# Functionality changes
|
||||
Patch33: openssl-1.0.0-beta4-ca-dir.patch
|
||||
Patch34: openssl-0.9.6-x509.patch
|
||||
@ -51,10 +50,10 @@ Patch35: openssl-0.9.8j-version-add-engines.patch
|
||||
Patch36: openssl-1.0.0e-doc-noeof.patch
|
||||
Patch38: openssl-1.0.1-beta2-ssl-op-all.patch
|
||||
Patch39: openssl-1.0.1-beta2-ipv6-apps.patch
|
||||
Patch40: openssl-1.0.1-beta3-fips.patch
|
||||
Patch40: openssl-1.0.1a-fips.patch
|
||||
Patch45: openssl-0.9.8j-env-nozlib.patch
|
||||
Patch47: openssl-1.0.0-beta5-readme-warning.patch
|
||||
Patch49: openssl-1.0.0-beta4-algo-doc.patch
|
||||
Patch49: openssl-1.0.1a-algo-doc.patch
|
||||
Patch50: openssl-1.0.1-beta2-dtls1-abi.patch
|
||||
Patch51: openssl-1.0.1-version.patch
|
||||
Patch56: openssl-1.0.0c-rsa-x931.patch
|
||||
@ -65,7 +64,7 @@ Patch65: openssl-1.0.0e-chil-fixes.patch
|
||||
Patch66: openssl-1.0.1-pkgconfig-krb5.patch
|
||||
# Backported fixes including security fixes
|
||||
Patch81: openssl-1.0.1-beta2-padlock64.patch
|
||||
Patch82: openssl-1.0.1-backport.patch
|
||||
Patch82: openssl-1.0.1a-backport.patch
|
||||
|
||||
License: OpenSSL
|
||||
Group: System Environment/Libraries
|
||||
@ -142,7 +141,6 @@ from other formats to the formats used by the OpenSSL toolkit.
|
||||
%patch7 -p1 -b .timezone
|
||||
|
||||
%patch23 -p1 -b .default-paths
|
||||
%patch24 -p1 -b .s390xbuild
|
||||
|
||||
%patch33 -p1 -b .ca-dir
|
||||
%patch34 -p1 -b .x509
|
||||
@ -165,6 +163,7 @@ from other formats to the formats used by the OpenSSL toolkit.
|
||||
|
||||
%patch81 -p1 -b .padlock64
|
||||
%patch82 -p1 -b .backport
|
||||
|
||||
# Modify the various perl scripts to reference perl in the right location.
|
||||
perl util/perlpath.pl `dirname %{__perl}`
|
||||
|
||||
@ -419,6 +418,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
||||
%postun libs -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Fri Apr 20 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1a-1
|
||||
- new upstream version fixing CVE-2012-2110
|
||||
|
||||
* Wed Apr 11 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1-3
|
||||
- add Kerberos 5 libraries to pkgconfig for static linking (#807050)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user