7 Feb
2016
7 Feb
'16
15:24
Hello community, here is the log from the commit of package openssl.4598 for openSUSE:13.2:Update checked in at 2016-02-07 16:24:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.2:Update/openssl.4598 (Old) and /work/SRC/openSUSE:13.2:Update/.openssl.4598.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "openssl.4598" Changes: -------- New Changes file: --- /dev/null 2016-01-27 19:41:03.648095915 +0100 +++ /work/SRC/openSUSE:13.2:Update/.openssl.4598.new/openssl.changes 2016-02-07 16:24:17.000000000 +0100 @@ -0,0 +1,2014 @@ +------------------------------------------------------------------- +Thu Jan 28 14:24:36 UTC 2016 - vcizek@suse.com + +- fix CVE-2015-3197 (boo#963415) + * SSLv2 doesn't block disabled ciphers + * add openssl-CVE-2015-3197.patch + +------------------------------------------------------------------- +Thu Dec 3 16:51:26 UTC 2015 - vcizek@suse.com + +- security fixes: + * Certificate verify crash with missing PSS parameter + (CVE-2015-3194) (bsc#957815) + * X509_ATTRIBUTE memory leak (CVE-2015-3195) (bsc#957812) + * Race condition handling PSK identify hint (CVE-2015-3196) + (bsc#957813) + * added patches: + openssl-CVE-2015-3194.patch + openssl-CVE-2015-3195.patch + openssl-CVE-2015-3196.patch + +------------------------------------------------------------------- +Fri Jun 12 12:01:06 UTC 2015 - vcizek@suse.com + +- CVE-2015-4000 (boo#931698) + * The Logjam Attack / weakdh.org + * reject connections with DH parameters shorter than 768 bits + * generates 2048-bit DH parameters by default +- CVE-2015-1788 (boo#934487) + * Malformed ECParameters causes infinite loop +- CVE-2015-1789 (boo#934489) + * Exploitable out-of-bounds read in X509_cmp_time +- CVE-2015-1790 (boo#934491) + * PKCS7 crash with missing EnvelopedContent +- CVE-2015-1792 (boo#934493) + * CMS verify infinite loop with unknown hash function +- CVE-2015-1791 (boo#933911) + * race condition in NewSessionTicket +- CVE-2015-3216 (boo#933898) + * Crash in ssleay_rand_bytes due to locking regression + * modified openssl-1.0.1e-new-fips-reqs.patch. +- newly added patches: + * 0001-s_server-Use-2048-bit-DH-parameters-by-default.patch + * 0002-dhparam-set-the-default-to-2048-bits.patch + * 0003-dhparam-fix-documentation.patch + * 0004-Update-documentation-with-Diffie-Hellman-best-practi.patch + * 0005-client-reject-handshakes-with-DH-parameters-768-bits.patch + * openssl-CVE-2015-1788.patch + * openssl-CVE-2015-1789.patch + * openssl-CVE-2015-1790.patch + * openssl-CVE-2015-1791.patch + * openssl-CVE-2015-1792.patch + +------------------------------------------------------------------- +Mon Mar 16 17:49:12 UTC 2015 - vcizek@suse.com + +- security update: + * CVE-2015-0209 (bnc#919648) + - Fix a failure to NULL a pointer freed on error + * CVE-2015-0286 (bnc#922496) + - Segmentation fault in ASN1_TYPE_cmp + * CVE-2015-0287 (bnc#922499) + - ASN.1 structure reuse memory corruption + * CVE-2015-0288 x509: (bnc#920236) + - added missing public key is not NULL check + * CVE-2015-0289 (bnc#922500) + - PKCS7 NULL pointer dereferences + * CVE-2015-0293 (bnc#922488) + - Fix reachable assert in SSLv2 servers + * added patches: + openssl-CVE-2015-0209.patch + openssl-CVE-2015-0286.patch + openssl-CVE-2015-0287.patch + openssl-CVE-2015-0288.patch + openssl-CVE-2015-0289.patch + openssl-CVE-2015-0293.patch + +------------------------------------------------------------------- +Thu Jan 8 17:49:44 UTC 2015 - crrodriguez@opensuse.org + +- Upgrade to 1.0.1k + bsc#912294 CVE-2014-3571: Fix DTLS segmentation fault in dtls1_get_record. + bsc#912292 CVE-2015-0206: Fix DTLS memory leak in dtls1_buffer_record. + bsc#911399 CVE-2014-3569: Fix issue where no-ssl3 configuration sets method to NULL. + bsc#912015 CVE-2014-3572: Abort handshake if server key exchange + message is omitted for ephemeral ECDH ciphersuites. + bsc#912014 CVE-2015-0204: Remove non-export ephemeral RSA code on client and server. + bsc#912293 CVE-2015-0205: Fixed issue where DH client certificates are accepted without verification. + bsc#912018 CVE-2014-8275: Fix various certificate fingerprint issues. + bsc#912296 CVE-2014-3570: Correct Bignum squaring. + and other bugfixes. +- refresh patches + +------------------------------------------------------------------- +Thu Nov 13 07:21:48 UTC 2014 - kai.koehne@theqtcompany.com + +- openssl-1.0.1i-noec2m-fix.patch: Fix handshake failures when connecting + to some openssl servers. With no-ec2m, openssl advertises EC curves + it doesn't support, leading to handshake errors with some servers + (bnc#905037). + +------------------------------------------------------------------- +Fri Nov 7 22:09:27 UTC 2014 - brian@aljex.com + +- openSUSE < 11.2 doesn't have accept4() + +------------------------------------------------------------------- +Tue Oct 21 19:58:31 UTC 2014 - crrodriguez@opensuse.org + +- openSSL 1.0.1j +* Fix SRTP Memory Leak (CVE-2014-3513) +* Session Ticket Memory Leak (CVE-2014-3567) +* Add SSL 3.0 Fallback protection (TLS_FALLBACK_SCSV) +* Build option no-ssl3 is incomplete (CVE-2014-3568) + +------------------------------------------------------------------- +Thu Aug 21 15:05:43 UTC 2014 - meissner@suse.com + +- openssl.keyring: the 1.0.1i release was done by + Matt CaswellUK 0E604491 + +------------------------------------------------------------------- +Thu Aug 14 10:27:07 UTC 2014 - vcizek@suse.com + +- rename README.SuSE (old spelling) to README.SUSE (bnc#889013) + +------------------------------------------------------------------- +Wed Aug 13 17:43:21 UTC 2014 - vcizek@suse.com + +- update to 1.0.1i + * Fix SRP buffer overrun vulnerability. Invalid parameters passed to the + SRP code can be overrun an internal buffer. Add sanity check that + g, A, B < N to SRP code. + (CVE-2014-3512) + * A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate + TLS 1.0 instead of higher protocol versions when the ClientHello message + is badly fragmented. This allows a man-in-the-middle attacker to force a + downgrade to TLS 1.0 even if both the server and the client support a + higher protocol version, by modifying the client's TLS records. + (CVE-2014-3511) + * OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject + to a denial of service attack. A malicious server can crash the client + with a null pointer dereference (read) by specifying an anonymous (EC)DH + ciphersuite and sending carefully crafted handshake messages. + (CVE-2014-3510) + * By sending carefully crafted DTLS packets an attacker could cause openssl + to leak memory. This can be exploited through a Denial of Service attack. + (CVE-2014-3507) + * An attacker can force openssl to consume large amounts of memory whilst + processing DTLS handshake messages. This can be exploited through a + Denial of Service attack. + (CVE-2014-3506) + * An attacker can force an error condition which causes openssl to crash + whilst processing DTLS packets due to memory being freed twice. This + can be exploited through a Denial of Service attack. + (CVE-2014-3505) + * If a multithreaded client connects to a malicious server using a resumed + session and the server sends an ec point format extension it could write + up to 255 bytes to freed memory. + (CVE-2014-3509) + * A malicious server can crash an OpenSSL client with a null pointer + dereference (read) by specifying an SRP ciphersuite even though it was not + properly negotiated with the client. This can be exploited through a + Denial of Service attack. + (CVE-2014-5139) + * A flaw in OBJ_obj2txt may cause pretty printing functions such as + X509_name_oneline, X509_name_print_ex et al. to leak some information + from the stack. Applications may be affected if they echo pretty printing + output to the attacker. + (CVE-2014-3508) + * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.) + for corner cases. (Certain input points at infinity could lead to + bogus results, with non-infinity inputs mapped to infinity too.) +- refreshed patches: + * openssl-1.0.1e-new-fips-reqs.patch + * 0005-libssl-Hide-library-private-symbols.patch + (thanks to Marcus Meissner) + +------------------------------------------------------------------- +Mon Jul 21 10:49:35 UTC 2014 - jengelh@inai.de + +- Move manpages around: *.1ssl should be in openssl + (e.g. ciphers(1ssl) is also referenced by openssl(1)), + and *.3ssl should be in openssl-doc. + +------------------------------------------------------------------- +Tue Jun 24 08:22:24 UTC 2014 - meissner@suse.com + +- recommend: ca-certificates-mozilla instead of openssl-certs + +------------------------------------------------------------------- +Thu Jun 5 14:37:19 UTC 2014 - meissner@suse.com + +- updated openssl to 1.0.1h (bnc#880891): + - CVE-2014-0224: Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted + handshake can force the use of weak keying material in OpenSSL + SSL/TLS clients and servers. ++++ 1817 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.2:Update/.openssl.4598.new/openssl.changes New: ---- 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch 0001-libcrypto-Hide-library-private-symbols.patch 0001-s_server-Use-2048-bit-DH-parameters-by-default.patch 0002-dhparam-set-the-default-to-2048-bits.patch 0003-dhparam-fix-documentation.patch 0004-Update-documentation-with-Diffie-Hellman-best-practi.patch 0005-client-reject-handshakes-with-DH-parameters-768-bits.patch 0005-libssl-Hide-library-private-symbols.patch README-FIPS.txt README.SUSE VIA_padlock_support_on_64systems.patch baselibs.conf bug610223.patch compression_methods_switch.patch merge_from_0.9.8k.patch openssl-1.0.0-c_rehash-compat.diff openssl-1.0.1c-default-paths.patch openssl-1.0.1c-ipv6-apps.patch openssl-1.0.1e-add-suse-default-cipher-header.patch openssl-1.0.1e-add-suse-default-cipher.patch openssl-1.0.1e-add-test-suse-default-cipher-suite.patch openssl-1.0.1e-fips-ctor.patch openssl-1.0.1e-fips-ec.patch openssl-1.0.1e-fips.patch openssl-1.0.1e-new-fips-reqs.patch openssl-1.0.1e-truststore.diff openssl-1.0.1k.tar.gz openssl-1.0.1k.tar.gz.asc openssl-CVE-2015-0209.patch openssl-CVE-2015-0286.patch openssl-CVE-2015-0287.patch openssl-CVE-2015-0288.patch openssl-CVE-2015-0289.patch openssl-CVE-2015-0293.patch openssl-CVE-2015-1788.patch openssl-CVE-2015-1789.patch openssl-CVE-2015-1790.patch openssl-CVE-2015-1791.patch openssl-CVE-2015-1792.patch openssl-CVE-2015-3194.patch openssl-CVE-2015-3195.patch openssl-CVE-2015-3196.patch openssl-CVE-2015-3197.patch openssl-fips-hidden.patch openssl-fix-pod-syntax.diff openssl-gcc-attributes.patch openssl-libssl-noweakciphers.patch openssl-no-egd.patch openssl-ocloexec.patch openssl-pkgconfig.patch openssl.changes openssl.keyring openssl.spec openssl.test ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssl.spec ++++++ # # spec file for package openssl # # Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: openssl BuildRequires: bc BuildRequires: ed BuildRequires: pkg-config BuildRequires: zlib-devel %define ssletcdir %{_sysconfdir}/ssl #%define num_version %(echo "%{version}" | sed -e "s+[a-zA-Z]++g; s+_.*++g") %define num_version 1.0.0 Provides: ssl # bug437293 %ifarch ppc64 Obsoletes: openssl-64bit %endif Version: 1.0.1k Release: 0 Summary: Secure Sockets and Transport Layer Security License: OpenSSL Group: Productivity/Networking/Security Url: https://www.openssl.org/ Source: https://www.%{name}.org/source/%{name}-%{version}.tar.gz Source42: https://www.%{name}.org/source/%{name}-%{version}.tar.gz.asc # https://www.openssl.org/about/ Source43: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/%name.keyring # to get mtime of file: Source1: openssl.changes Source2: baselibs.conf Source10: README.SUSE Source11: README-FIPS.txt Patch0: merge_from_0.9.8k.patch Patch1: openssl-1.0.0-c_rehash-compat.diff Patch2: bug610223.patch %if 0%{?suse_version} >= 1120 Patch3: openssl-ocloexec.patch %endif Patch4: VIA_padlock_support_on_64systems.patch # PATCH-FIX-UPSTREAM http://rt.openssl.org/Ticket/Attachment/WithHeaders/20049 Patch5: openssl-fix-pod-syntax.diff Patch6: openssl-1.0.1e-truststore.diff Patch7: compression_methods_switch.patch Patch8: 0005-libssl-Hide-library-private-symbols.patch Patch9: openssl-1.0.1c-default-paths.patch Patch10: openssl-pkgconfig.patch # From Fedora openssl. Patch13: openssl-1.0.1c-ipv6-apps.patch Patch14: 0001-libcrypto-Hide-library-private-symbols.patch # FIPS patches: Patch15: openssl-1.0.1e-fips.patch Patch16: openssl-1.0.1e-fips-ec.patch Patch17: openssl-1.0.1e-fips-ctor.patch Patch18: openssl-1.0.1e-new-fips-reqs.patch Patch19: openssl-gcc-attributes.patch Patch21: openssl-libssl-noweakciphers.patch Patch26: 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch Patch33: openssl-no-egd.patch Patch34: openssl-fips-hidden.patch Patch35: openssl-1.0.1e-add-suse-default-cipher.patch Patch36: openssl-1.0.1e-add-suse-default-cipher-header.patch Patch37: openssl-1.0.1e-add-test-suse-default-cipher-suite.patch Patch52: openssl-CVE-2015-0209.patch Patch53: openssl-CVE-2015-0286.patch Patch54: openssl-CVE-2015-0287.patch Patch55: openssl-CVE-2015-0288.patch Patch56: openssl-CVE-2015-0289.patch Patch57: openssl-CVE-2015-0293.patch Patch59: openssl-CVE-2015-1788.patch Patch60: openssl-CVE-2015-1789.patch Patch61: openssl-CVE-2015-1790.patch Patch62: openssl-CVE-2015-1791.patch Patch63: openssl-CVE-2015-1792.patch # CVE-2015-4000 fixes (aka Longjam, weakdh.org) Patch64: 0001-s_server-Use-2048-bit-DH-parameters-by-default.patch Patch65: 0002-dhparam-set-the-default-to-2048-bits.patch Patch66: 0003-dhparam-fix-documentation.patch Patch67: 0004-Update-documentation-with-Diffie-Hellman-best-practi.patch Patch68: 0005-client-reject-handshakes-with-DH-parameters-768-bits.patch # EO CVE-2015-4000 Patch70: openssl-CVE-2015-3194.patch Patch71: openssl-CVE-2015-3195.patch Patch72: openssl-CVE-2015-3196.patch Patch73: openssl-CVE-2015-3197.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and open source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation. Derivation and License OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style license, which basically means that you are free to get it and to use it for commercial and noncommercial purposes. %package -n libopenssl1_0_0 Summary: Secure Sockets and Transport Layer Security License: OpenSSL Group: Productivity/Networking/Security Recommends: ca-certificates-mozilla # bug437293 %ifarch ppc64 Obsoletes: openssl-64bit %endif # %description -n libopenssl1_0_0 The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and open source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation. Derivation and License OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style license, which basically means that you are free to get it and to use it for commercial and noncommercial purposes. %package -n libopenssl-devel Summary: Include Files and Libraries mandatory for Development License: OpenSSL Group: Development/Libraries/C and C++ Obsoletes: openssl-devel < %{version} Requires: %name = %version Requires: libopenssl1_0_0 = %{version} Requires: zlib-devel Provides: openssl-devel = %{version} # bug437293 %ifarch ppc64 Obsoletes: openssl-devel-64bit %endif # %description -n libopenssl-devel This package contains all necessary include files and libraries needed to develop applications that require these. %package -n libopenssl1_0_0-hmac Summary: HMAC files for FIPS-140-2 integrity checking of the openssl shared libraries License: BSD-3-Clause Group: Productivity/Networking/Security Requires: libopenssl1_0_0 = %{version}-%{release} %description -n libopenssl1_0_0-hmac The FIPS compliant operation of the openssl shared libraries is NOT possible without the HMAC hashes contained in this package! %package doc Summary: Additional Package Documentation License: OpenSSL Group: Productivity/Networking/Security %if 0%{?suse_version} >= 1140 BuildArch: noarch %endif %description doc This package contains optional documentation provided in addition to this package's base documentation. %prep %setup -q %patch0 -p1 %patch1 -p1 %patch2 -p1 %if 0%{?suse_version} >= 1120 %patch3 %endif %patch4 -p1 %patch5 -p1 %patch6 -p1 %patch7 -p1 %patch8 -p1 %patch9 -p1 %patch10 -p1 %patch13 -p1 %patch14 -p1 %patch15 -p1 %patch16 -p1 %patch17 -p1 %patch18 -p1 %patch19 -p1 %patch21 -p1 %patch26 -p1 %patch33 -p1 %patch34 -p1 %patch35 -p1 %patch36 -p1 %patch37 -p1 %patch52 -p1 %patch53 -p1 %patch54 -p1 %patch55 -p1 %patch56 -p1 %patch57 -p1 %patch59 -p1 %patch60 -p1 %patch61 -p1 %patch62 -p1 %patch63 -p1 %patch64 -p1 %patch65 -p1 %patch66 -p1 %patch67 -p1 %patch68 -p1 %patch70 -p1 %patch71 -p1 %patch72 -p1 %patch73 -p1 cp -p %{S:10} . cp -p %{S:11} . echo "adding/overwriting some entries in the 'table' hash in Configure" # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags export DSO_SCHEME='dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::' cat < = 1230 find -type f -name "*.c" -exec sed -i -e "s@getenv@secure_getenv@g" {} + %endif %ifarch armv5el armv5tel export MACHINE=armv5el %endif %ifarch armv6l armv6hl export MACHINE=armv6l %endif ./config --test-sanity # config_flags="threads shared no-rc5 no-idea \ fips \ %if 0%{suse_version} > 1310 no-ssl2 \ enable-rfc3779 \ %endif %ifarch x86_64 aarch64 ppc64le enable-ec_nistp_64_gcc_128 \ %endif enable-camellia \ zlib \ no-ec2m \ --prefix=%{_prefix} \ --libdir=%{_lib} \ --openssldir=%{ssletcdir} \ $RPM_OPT_FLAGS -O3 -std=gnu99 \ -Wa,--noexecstack \ -Wl,-z,relro,-z,now \ -fno-common \ -DTERMIO \ -DPURIFY \ -DSSL_FORBID_ENULL \ -D_GNU_SOURCE \ -DOPENSSL_NO_BUF_FREELISTS \ $(getconf LFS_CFLAGS) \ -Wall " # #%{!?do_profiling:%define do_profiling 0} #%if %do_profiling # # generate feedback # ./config $config_flags # make depend CC="gcc %cflags_profile_generate" # make CC="gcc %cflags_profile_generate" # LD_LIBRARY_PATH=`pwd` make rehash CC="gcc %cflags_profile_generate" # LD_LIBRARY_PATH=`pwd` make test CC="gcc %cflags_profile_generate" # LD_LIBRARY_PATH=`pwd` apps/openssl speed # make clean # # compile with feedback # # but not if it makes a cipher slower: # #find crypto/aes -name '*.da' | xargs -r rm # ./config $config_flags %cflags_profile_feedback # make depend # make # LD_LIBRARY_PATH=`pwd` make rehash # LD_LIBRARY_PATH=`pwd` make test #%else # OpenSSL relies on uname -m (not good). Thus that little sparc line. ./config \ %ifarch sparc64 linux64-sparcv9 \ %endif $config_flags make depend make LD_LIBRARY_PATH=`pwd` make rehash # for FIPS mode testing; the same hashes are being created later just before # the wrap-up of the files into the package. # These files are just there for the make test below... crypto/fips/fips_standalone_hmac libcrypto.so.1.0.0 > .libcrypto.so.1.0.0.hmac crypto/fips/fips_standalone_hmac libssl.so.1.0.0 > .libssl.so.1.0.0.hmac export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) LD_LIBRARY_PATH=`pwd` make test FIPSCANLIB="" %ifnarch armv4l LD_LIBRARY_PATH=`pwd` make test %endif #%endif # show settings make TABLE echo $RPM_OPT_FLAGS eval $(egrep PLATFORM='[[:alnum:]]' Makefile) grep -B1 -A22 "^\*\*\* $PLATFORM$" TABLE %install rm -rf $RPM_BUILD_ROOT make MANDIR=%{_mandir} INSTALL_PREFIX=$RPM_BUILD_ROOT install cp -a crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT/usr/bin/fips_standalone_hmac ln -sf ./%{name} $RPM_BUILD_ROOT/%{_includedir}/ssl mkdir $RPM_BUILD_ROOT/%{_datadir}/ssl mv $RPM_BUILD_ROOT/%{ssletcdir}/misc $RPM_BUILD_ROOT/%{_datadir}/ssl/ # ln -s %{ssletcdir}/private $RPM_BUILD_ROOT/%{_datadir}/ssl/private # ln -s %{ssletcdir}/openssl.cnf $RPM_BUILD_ROOT/%{_datadir}/ssl/openssl.cnf # # avoid file conflicts with man pages from other packages # pushd $RPM_BUILD_ROOT/%{_mandir} # some man pages now contain spaces. This makes several scripts go havoc, among them /usr/sbin/Check. # replace spaces by underscores #for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) } for i in man?/*; do if test -L $i ; then LDEST=`readlink $i` rm -f $i ${i}ssl ln -sf ${LDEST}ssl ${i}ssl else mv $i ${i}ssl fi case "$i" in *.1) # these are the pages mentioned in openssl(1). They go into the main package. echo %doc %{_mandir}/${i}ssl.gz >> $OLDPWD/filelist;; *) # the rest goes into the openssl-doc package. echo %doc %{_mandir}/${i}ssl.gz >> $OLDPWD/filelist.doc;; esac done popd # # check wether some shared library has been installed # ls -l $RPM_BUILD_ROOT%{_libdir} test -f $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{num_version} test -f $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{num_version} test -L $RPM_BUILD_ROOT%{_libdir}/libssl.so test -L $RPM_BUILD_ROOT%{_libdir}/libcrypto.so # # see what we've got # cat > showciphers.c < #include int main(){ unsigned int i; SSL_CTX *ctx; SSL *ssl; SSL_METHOD *meth; meth = SSLv23_client_method(); SSLeay_add_ssl_algorithms(); ctx = SSL_CTX_new(meth); if (ctx == NULL) return 0; ssl = SSL_new(ctx); if (!ssl) return 0; for (i=0; ; i++) { int j, k; SSL_CIPHER *sc; sc = (meth->get_cipher)(i); if (!sc) break; k = SSL_CIPHER_get_bits(sc, &j); printf("%s\n", sc->name); } return 0; }; EOF gcc $RPM_OPT_FLAGS -I${RPM_BUILD_ROOT}%{_includedir} -c showciphers.c gcc -o showciphers showciphers.o -L${RPM_BUILD_ROOT}%{_libdir} -lssl -lcrypto LD_LIBRARY_PATH=${RPM_BUILD_ROOT}%{_libdir} ./showciphers > AVAILABLE_CIPHERS || true cat AVAILABLE_CIPHERS # Do not install demo scripts executable under /usr/share/doc find demos -type f -perm /111 -exec chmod 644 {} \; # the hmac hashes: # # this is a hack that re-defines the __os_install_post macro # for a simple reason: the macro strips the binaries and thereby # invalidates a HMAC that may have been created earlier. # solution: create the hashes _after_ the macro runs. # # this shows up earlier because otherwise the %expand of # the macro is too late. # remark: This is the same as running # openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs' %{expand:%%global __os_install_post {%__os_install_post $RPM_BUILD_ROOT/usr/bin/fips_standalone_hmac \ $RPM_BUILD_ROOT/%{_lib}/libssl.so.%{num_version} > \ $RPM_BUILD_ROOT/%{_lib}/.libssl.so.%{num_version}.hmac $RPM_BUILD_ROOT/usr/bin/fips_standalone_hmac \ $RPM_BUILD_ROOT/%{_lib}/libcrypto.so.%{num_version} > \ $RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{num_version}.hmac }} #process openssllib mkdir $RPM_BUILD_ROOT/%{_lib} mv $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/ mv $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/ mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT/%{_lib}/ cd $RPM_BUILD_ROOT%{_libdir}/ ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so for engine in 4758cca atalla nuron sureware ubsec cswift chil aep gmp capi; do rm %{buildroot}/%{_lib}/engines/lib$engine.so done %ifnarch %{ix86} x86_64 rm %{buildroot}/%{_lib}/engines/libpadlock.so %endif %clean if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi %post -n libopenssl1_0_0 -p /sbin/ldconfig %postun -n libopenssl1_0_0 -p /sbin/ldconfig %files -n libopenssl1_0_0 %defattr(-, root, root) /%{_lib}/libssl.so.%{num_version} /%{_lib}/libcrypto.so.%{num_version} /%{_lib}/engines %files -n libopenssl1_0_0-hmac %defattr(-, root, root) /%{_lib}/.libssl.so.%{num_version}.hmac /%{_lib}/.libcrypto.so.%{num_version}.hmac %files -n libopenssl-devel %defattr(-, root, root) %{_includedir}/%{name}/ %{_includedir}/ssl %exclude %{_libdir}/libcrypto.a %exclude %{_libdir}/libssl.a %{_libdir}/libssl.so %{_libdir}/libcrypto.so %_libdir/pkgconfig/libcrypto.pc %_libdir/pkgconfig/libssl.pc %_libdir/pkgconfig/openssl.pc %files doc -f filelist.doc %defattr(-, root, root) %doc doc/* demos %doc showciphers.c %files -f filelist %defattr(-, root, root) %doc CHANGE* INSTAL* AVAILABLE_CIPHERS %doc LICENSE NEWS README README.SUSE README-FIPS.txt %dir %{ssletcdir} %config (noreplace) %{ssletcdir}/openssl.cnf %attr(700,root,root) %{ssletcdir}/private %dir %{_datadir}/ssl %{_datadir}/ssl/misc %{_bindir}/c_rehash %{_bindir}/fips_standalone_hmac %{_bindir}/%{name} %changelog ++++++ 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch ++++++ ++++ 835 lines (skipped) ++++++ 0001-libcrypto-Hide-library-private-symbols.patch ++++++ ++++ 771 lines (skipped) ++++++ 0001-s_server-Use-2048-bit-DH-parameters-by-default.patch ++++++ >From f1612746ec7580132f81fb81a23f6705e63d113b Mon Sep 17 00:00:00 2001 From: Emilia Kasper Date: Tue, 12 May 2015 20:15:46 +0200 Subject: [PATCH 1/5] s_server: Use 2048-bit DH parameters by default. Reviewed-by: Rich Salz --- apps/s_server.c | 58 +++++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 40 insertions(+), 18 deletions(-) Index: openssl-1.0.1i/apps/s_server.c =================================================================== --- openssl-1.0.1i.orig/apps/s_server.c 2015-06-12 13:12:46.438719292 +0200 +++ openssl-1.0.1i/apps/s_server.c 2015-06-12 13:16:33.563456375 +0200 @@ -214,7 +214,7 @@ static int generate_session_id(const SSL unsigned int *id_len); #ifndef OPENSSL_NO_DH static DH *load_dh_param(const char *dhfile); -static DH *get_dh512(void); +static DH *get_dh2048(void); #endif #ifdef MONOLITH @@ -222,28 +222,46 @@ static void s_server_init(void); #endif #ifndef OPENSSL_NO_DH -static unsigned char dh512_p[]={ - 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75, - 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F, - 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3, - 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12, - 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C, - 0x47,0x74,0xE8,0x33, +static unsigned char dh2048_p[] = { + 0xF6,0x42,0x57,0xB7,0x08,0x7F,0x08,0x17,0x72,0xA2,0xBA,0xD6, + 0xA9,0x42,0xF3,0x05,0xE8,0xF9,0x53,0x11,0x39,0x4F,0xB6,0xF1, + 0x6E,0xB9,0x4B,0x38,0x20,0xDA,0x01,0xA7,0x56,0xA3,0x14,0xE9, + 0x8F,0x40,0x55,0xF3,0xD0,0x07,0xC6,0xCB,0x43,0xA9,0x94,0xAD, + 0xF7,0x4C,0x64,0x86,0x49,0xF8,0x0C,0x83,0xBD,0x65,0xE9,0x17, + 0xD4,0xA1,0xD3,0x50,0xF8,0xF5,0x59,0x5F,0xDC,0x76,0x52,0x4F, + 0x3D,0x3D,0x8D,0xDB,0xCE,0x99,0xE1,0x57,0x92,0x59,0xCD,0xFD, + 0xB8,0xAE,0x74,0x4F,0xC5,0xFC,0x76,0xBC,0x83,0xC5,0x47,0x30, + 0x61,0xCE,0x7C,0xC9,0x66,0xFF,0x15,0xF9,0xBB,0xFD,0x91,0x5E, + 0xC7,0x01,0xAA,0xD3,0x5B,0x9E,0x8D,0xA0,0xA5,0x72,0x3A,0xD4, + 0x1A,0xF0,0xBF,0x46,0x00,0x58,0x2B,0xE5,0xF4,0x88,0xFD,0x58, + 0x4E,0x49,0xDB,0xCD,0x20,0xB4,0x9D,0xE4,0x91,0x07,0x36,0x6B, + 0x33,0x6C,0x38,0x0D,0x45,0x1D,0x0F,0x7C,0x88,0xB3,0x1C,0x7C, + 0x5B,0x2D,0x8E,0xF6,0xF3,0xC9,0x23,0xC0,0x43,0xF0,0xA5,0x5B, + 0x18,0x8D,0x8E,0xBB,0x55,0x8C,0xB8,0x5D,0x38,0xD3,0x34,0xFD, + 0x7C,0x17,0x57,0x43,0xA3,0x1D,0x18,0x6C,0xDE,0x33,0x21,0x2C, + 0xB5,0x2A,0xFF,0x3C,0xE1,0xB1,0x29,0x40,0x18,0x11,0x8D,0x7C, + 0x84,0xA7,0x0A,0x72,0xD6,0x86,0xC4,0x03,0x19,0xC8,0x07,0x29, + 0x7A,0xCA,0x95,0x0C,0xD9,0x96,0x9F,0xAB,0xD0,0x0A,0x50,0x9B, + 0x02,0x46,0xD3,0x08,0x3D,0x66,0xA4,0x5D,0x41,0x9F,0x9C,0x7C, + 0xBD,0x89,0x4B,0x22,0x19,0x26,0xBA,0xAB,0xA2,0x5E,0xC3,0x55, + 0xE9,0x32,0x0B,0x3B, }; -static unsigned char dh512_g[]={ +static unsigned char dh2048_g[] = { 0x02, }; -static DH *get_dh512(void) +DH *get_dh2048() { - DH *dh=NULL; + DH *dh; if ((dh=DH_new()) == NULL) return(NULL); - dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); - dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); - if ((dh->p == NULL) || (dh->g == NULL)) - return(NULL); - return(dh); + dh->p=BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL); + dh->g=BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL); + if (dh->p == NULL || dh->g == NULL) { + DH_free(dh); + return NULL; + } + return dh; } #endif @@ -1685,7 +1703,11 @@ bad: else { BIO_printf(bio_s_out,"Using default temp DH parameters\n"); - dh=get_dh512(); + dh = get_dh2048(); + if (dh == NULL) { + ERR_print_errors(bio_err); + goto end; + } } (void)BIO_flush(bio_s_out); ++++++ 0002-dhparam-set-the-default-to-2048-bits.patch ++++++ >From 8568170d774f02880eec6cad5512f555d0c83f65 Mon Sep 17 00:00:00 2001 From: Emilia Kasper Date: Wed, 13 May 2015 11:57:55 +0200 Subject: [PATCH 2/5] dhparam: set the default to 2048 bits Reviewed-by: Matt Caswell Reviewed-by: Kurt Roeckx --- apps/dhparam.c | 4 ++-- apps/gendh.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) Index: openssl-1.0.1i/apps/dhparam.c =================================================================== --- openssl-1.0.1i.orig/apps/dhparam.c 2015-06-12 13:16:47.628625800 +0200 +++ openssl-1.0.1i/apps/dhparam.c 2015-06-12 13:17:23.851068922 +0200 @@ -130,7 +130,7 @@ #undef PROG #define PROG dhparam_main -#define DEFBITS 512 +#define DEFBITS 2048 /* -inform arg - input format - default PEM (DER or PEM) * -outform arg - output format - default PEM @@ -253,7 +253,7 @@ bad: BIO_printf(bio_err," -C Output C code\n"); BIO_printf(bio_err," -2 generate parameters using 2 as the generator value\n"); BIO_printf(bio_err," -5 generate parameters using 5 as the generator value\n"); - BIO_printf(bio_err," numbits number of bits in to generate (default 512)\n"); + BIO_printf(bio_err," numbits number of bits in to generate (default 2048)\n"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine e use engine e, possibly a hardware device.\n"); #endif Index: openssl-1.0.1i/apps/gendh.c =================================================================== --- openssl-1.0.1i.orig/apps/gendh.c 2015-06-12 13:16:47.629625812 +0200 +++ openssl-1.0.1i/apps/gendh.c 2015-06-12 13:17:54.615474034 +0200 @@ -78,7 +78,7 @@ #include #include -#define DEFBITS 512 +#define DEFBITS 2048 #undef PROG #define PROG gendh_main ++++++ 0003-dhparam-fix-documentation.patch ++++++ >From 3372aeed2ce056af9d577a0d79b34dd7f9b67dad Mon Sep 17 00:00:00 2001 From: Emilia Kasper Date: Wed, 13 May 2015 12:05:41 +0200 Subject: [PATCH 3/5] dhparam: fix documentation The default bitlength is now 2048. Also clarify that either the number of bits or the generator must be present: $ openssl dhparam -2 and $ openssl dhparam 2048 generate parameters but $ openssl dhparam does not. Reviewed-by: Matt Caswell --- doc/apps/dhparam.pod | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/doc/apps/dhparam.pod b/doc/apps/dhparam.pod index 6e27cf5..1cd4c76 100644 --- a/doc/apps/dhparam.pod +++ b/doc/apps/dhparam.pod @@ -71,8 +71,10 @@ check if the parameters are valid primes and generator. =item B<-2>, B<-5> -The generator to use, either 2 or 5. 2 is the default. If present then the -input file is ignored and parameters are generated instead. +The generator to use, either 2 or 5. If present then the +input file is ignored and parameters are generated instead. If not +present but B is present, parameters are generated with the +default generator 2. =item B<-rand> I @@ -85,9 +87,10 @@ all others. =item I this option specifies that a parameter set should be generated of size -I . It must be the last option. If not present then a value of 512 -is used. If this option is present then the input file is ignored and -parameters are generated instead. +I . It must be the last option. If this option is present then +the input file is ignored and parameters are generated instead. If +this option is not present but a generator (B<-2> or B<-5>) is +present, parameters are generated with a default length of 2048 bits. =item B<-noout> -- 2.1.4 ++++++ 0004-Update-documentation-with-Diffie-Hellman-best-practi.patch ++++++ >From ff4de7dde90d15b366abe4664b904f22539969c9 Mon Sep 17 00:00:00 2001 From: Emilia Kasper Date: Tue, 12 May 2015 16:10:05 +0200 Subject: [PATCH 4/5] Update documentation with Diffie-Hellman best practices. - Do not advise generation of DH parameters with dsaparam to save computation time. - Promote use of custom parameters more, and explicitly forbid use of built-in parameters weaker than 2048 bits. - Advise the callback to ignore - it is currently called with 1024 bits, but this value can and should be safely ignored by servers. Reviewed-by: Rich Salz --- doc/ssl/SSL_CTX_set_tmp_dh_callback.pod | 106 +++++++++++++------------------- 1 file changed, 43 insertions(+), 63 deletions(-) Index: openssl-1.0.1k/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod =================================================================== --- openssl-1.0.1k.orig/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod 2015-06-12 14:35:12.040428492 +0200 +++ openssl-1.0.1k/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod 2015-06-12 14:41:11.008088259 +0200 @@ -61,12 +61,12 @@ negotiation is being saved. If "strong" primes were used to generate the DH parameters, it is not strictly necessary to generate a new key for each handshake but it does improve forward -secrecy. If it is not assured, that "strong" primes were used (see especially -the section about DSA parameters below), SSL_OP_SINGLE_DH_USE must be used -in order to prevent small subgroup attacks. Always using SSL_OP_SINGLE_DH_USE -has an impact on the computer time needed during negotiation, but it is not -very large, so application authors/users should consider to always enable -this option. +secrecy. If it is not assured that "strong" primes were used, +SSL_OP_SINGLE_DH_USE must be used in order to prevent small subgroup +attacks. Always using SSL_OP_SINGLE_DH_USE has an impact on the +computer time needed during negotiation, but it is not very large, so +application authors/users should consider always enabling this option. +The option is required to implement perfect forward secrecy (PFS). As generating DH parameters is extremely time consuming, an application should not generate the parameters on the fly but supply the parameters. @@ -74,82 +74,61 @@ DH parameters can be reused, as the actu the negotiation. The risk in reusing DH parameters is that an attacker may specialize on a very often used DH group. Applications should therefore generate their own DH parameters during the installation process using the -openssl L application. In order to reduce the computer -time needed for this generation, it is possible to use DSA parameters -instead (see L ), but in this case SSL_OP_SINGLE_DH_USE -is mandatory. +openssl L application. This application +guarantees that "strong" primes are used. -Application authors may compile in DH parameters. Files dh512.pem, -dh1024.pem, dh2048.pem, and dh4096.pem in the 'apps' directory of current +Files dh2048.pem, and dh4096.pem in the 'apps' directory of the current version of the OpenSSL distribution contain the 'SKIP' DH parameters, which use safe primes and were generated verifiably pseudo-randomly. These files can be converted into C code using the B<-C> option of the -L application. -Authors may also generate their own set of parameters using -L , but a user may not be sure how the parameters were -generated. The generation of DH parameters during installation is therefore -recommended. +L application. Generation of custom DH +parameters during installation should still be preferred to stop an +attacker from specializing on a commonly used group. Files dh1024.pem +and dh512.pem contain old parameters that must not be used by +applications. An application may either directly specify the DH parameters or -can supply the DH parameters via a callback function. The callback approach -has the advantage, that the callback may supply DH parameters for different -key lengths. - -The B is called with the B needed and -the B information. The B flag is set, when the -ephemeral DH key exchange is performed with an export cipher. +can supply the DH parameters via a callback function. + +Previous versions of the callback used B and B +parameters to control parameter generation for export and non-export +cipher suites. Modern servers that do not support export ciphersuites +are advised to either use SSL_CTX_set_tmp_dh() in combination with +SSL_OP_SINGLE_DH_USE, or alternatively, use the callback but ignore +B and B and simply supply at least 2048-bit +parameters in the callback. =head1 EXAMPLES -Handle DH parameters for key lengths of 512 and 1024 bits. (Error handling +Setup DH parameters with a key length of 2048 bits. (Error handling partly left out.) - ... - /* Set up ephemeral DH stuff */ - DH *dh_512 = NULL; - DH *dh_1024 = NULL; - FILE *paramfile; + Command-line parameter generation: + $ openssl dhparam -out dh_param_2048.pem 2048 - ... - /* "openssl dhparam -out dh_param_512.pem -2 512" */ - paramfile = fopen("dh_param_512.pem", "r"); + Code for setting up parameters during server initialization: + + SSL_CTX ctx = SSL_CTX_new(); + /* Set up ephemeral DH parameters. */ + DH *dh_2048 = NULL; + FILE *paramfile; + paramfile = fopen("dh_param_2048.pem", "r"); if (paramfile) { - dh_512 = PEM_read_DHparams(paramfile, NULL, NULL, NULL); + dh_2048 = PEM_read_DHparams(paramfile, NULL, NULL, NULL); fclose(paramfile); + } else { + /* Error. */ } - /* "openssl dhparam -out dh_param_1024.pem -2 1024" */ - paramfile = fopen("dh_param_1024.pem", "r"); - if (paramfile) { - dh_1024 = PEM_read_DHparams(paramfile, NULL, NULL, NULL); - fclose(paramfile); + if (dh_2048 == NULL) { + /* Error. */ } ... - /* "openssl dhparam -C -2 512" etc... */ - DH *get_dh512() { ... } - DH *get_dh1024() { ... } - - DH *tmp_dh_callback(SSL *s, int is_export, int keylength) - { - DH *dh_tmp=NULL; - - switch (keylength) { - case 512: - if (!dh_512) - dh_512 = get_dh512(); - dh_tmp = dh_512; - break; - case 1024: - if (!dh_1024) - dh_1024 = get_dh1024(); - dh_tmp = dh_1024; - break; - default: - /* Generating a key on the fly is very costly, so use what is there */ - setup_dh_parameters_like_above(); - } - return(dh_tmp); + if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1) { + /* Error. */ } + SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE); + ... =head1 RETURN VALUES ++++++ 0005-client-reject-handshakes-with-DH-parameters-768-bits.patch ++++++ >From 63830384e90d9b36d2793d4891501ec024827433 Mon Sep 17 00:00:00 2001 From: Emilia Kasper Date: Tue, 19 May 2015 12:05:22 +0200 Subject: [PATCH 5/5] client: reject handshakes with DH parameters < 768 bits. Since the client has no way of communicating her supported parameter range to the server, connections to servers that choose weak DH will simply fail. Reviewed-by: Kurt Roeckx --- CHANGES | 3 ++- ssl/s3_clnt.c | 22 ++++++++++++++++------ ssl/ssl.h | 1 + ssl/ssl_err.c | 1 + 4 files changed, 20 insertions(+), 7 deletions(-) Index: openssl-1.0.1k/CHANGES =================================================================== --- openssl-1.0.1k.orig/CHANGES 2015-01-08 15:03:40.000000000 +0100 +++ openssl-1.0.1k/CHANGES 2015-06-12 14:41:15.091141190 +0200 @@ -183,6 +183,9 @@ [Steve Henson] + *) Reject DH handshakes with parameters shorter than 768 bits. + [Kurt Roeckx and Emilia Kasper] + Changes between 1.0.1h and 1.0.1i [6 Aug 2014] *) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the Index: openssl-1.0.1k/ssl/s3_clnt.c =================================================================== --- openssl-1.0.1k.orig/ssl/s3_clnt.c 2015-06-12 14:35:09.321393147 +0200 +++ openssl-1.0.1k/ssl/s3_clnt.c 2015-06-12 14:41:15.092141203 +0200 @@ -3425,26 +3425,34 @@ int ssl3_check_cert_and_algorithm(SSL *s } #endif #ifndef OPENSSL_NO_DH - if ((alg_k & SSL_kEDH) && - !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) - { - SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY); + if ((alg_k & SSL_kEDH) && dh == NULL) { + SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR); goto f_err; - } - else if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA)) + } + if ((alg_k & SSL_kDHr) && !has_bits(i, EVP_PK_DH | EVP_PKS_RSA)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT); goto f_err; } #ifndef OPENSSL_NO_DSA - else if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA)) + if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH | EVP_PKS_DSA)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT); goto f_err; } #endif -#endif + /* Check DHE only: static DH not implemented. */ + if (alg_k & SSL_kEDH) { + int dh_size = BN_num_bits(dh->p); + if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 768) + || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) { + SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL); + goto f_err; + } + } +#endif /* !OPENSSL_NO_DH */ + if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP)) { #ifndef OPENSSL_NO_RSA Index: openssl-1.0.1k/ssl/ssl.h =================================================================== --- openssl-1.0.1k.orig/ssl/ssl.h 2015-06-12 14:35:09.320393134 +0200 +++ openssl-1.0.1k/ssl/ssl.h 2015-06-12 14:41:15.092141203 +0200 @@ -2383,6 +2383,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_DATA_LENGTH_TOO_LONG 146 #define SSL_R_DECRYPTION_FAILED 147 #define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 281 +#define SSL_R_DH_KEY_TOO_SMALL 372 #define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148 #define SSL_R_DIGEST_CHECK_FAILED 149 #define SSL_R_DTLS_MESSAGE_TOO_BIG 334 Index: openssl-1.0.1k/ssl/ssl_err.c =================================================================== --- openssl-1.0.1k.orig/ssl/ssl_err.c 2015-06-12 14:35:09.321393147 +0200 +++ openssl-1.0.1k/ssl/ssl_err.c 2015-06-12 14:41:15.092141203 +0200 @@ -363,6 +363,7 @@ static ERR_STRING_DATA SSL_str_reasons[] {ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG) ,"data length too long"}, {ERR_REASON(SSL_R_DECRYPTION_FAILED) ,"decryption failed"}, {ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC),"decryption failed or bad record mac"}, +{ERR_REASON(SSL_R_DH_KEY_TOO_SMALL), "dh key too small"}, {ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG),"dh public value length is wrong"}, {ERR_REASON(SSL_R_DIGEST_CHECK_FAILED) ,"digest check failed"}, {ERR_REASON(SSL_R_DTLS_MESSAGE_TOO_BIG) ,"dtls message too big"}, ++++++ 0005-libssl-Hide-library-private-symbols.patch ++++++ >From f33b5a4cb7da3947d06b74e6f6cd2f264faca170 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= Date: Sun, 20 Apr 2014 19:39:37 -0300 Subject: [PATCH] libssl: Hide library private symbols It hides all the library symbols that are not part of the public API/ABI when GCC 4 or later is used. --- ssl/d1_lib.c | 5 ++--- ssl/kssl_lcl.h | 9 +++++++++ ssl/s23_srvr.c | 4 ++-- ssl/s2_lib.c | 1 - ssl/s3_lib.c | 1 - ssl/ssl_lib.c | 1 - ssl/ssl_locl.h | 8 ++++++++ ssl/t1_lib.c | 6 ++---- 8 files changed, 23 insertions(+), 12 deletions(-) Index: openssl-1.0.1i/ssl/d1_lib.c =================================================================== --- openssl-1.0.1i.orig/ssl/d1_lib.c +++ openssl-1.0.1i/ssl/d1_lib.c @@ -67,8 +67,7 @@ #endif static void get_current_time(struct timeval *t); -const char dtls1_version_str[]="DTLSv1" OPENSSL_VERSION_PTEXT; -int dtls1_listen(SSL *s, struct sockaddr *client); +static int dtls1_listen(SSL *s, struct sockaddr *client); SSL3_ENC_METHOD DTLSv1_enc_data={ dtls1_enc, @@ -471,7 +470,7 @@ static void get_current_time(struct time #endif } -int dtls1_listen(SSL *s, struct sockaddr *client) +static int dtls1_listen(SSL *s, struct sockaddr *client) { int ret; Index: openssl-1.0.1i/ssl/kssl_lcl.h =================================================================== --- openssl-1.0.1i.orig/ssl/kssl_lcl.h +++ openssl-1.0.1i/ssl/kssl_lcl.h @@ -61,6 +61,10 @@ #include +#if defined(__GNUC__) && __GNUC__ >= 4 +#pragma GCC visibility push(hidden) +#endif + #ifndef OPENSSL_NO_KRB5 #ifdef __cplusplus @@ -84,4 +88,9 @@ int kssl_tgt_is_available(KSSL_CTX *kssl } #endif #endif /* OPENSSL_NO_KRB5 */ + +#if defined(__GNUC__) && __GNUC__ >= 4 +#pragma GCC visibility pop +#endif + #endif /* KSSL_LCL_H */ Index: openssl-1.0.1i/ssl/s23_srvr.c =================================================================== --- openssl-1.0.1i.orig/ssl/s23_srvr.c +++ openssl-1.0.1i/ssl/s23_srvr.c @@ -120,7 +120,7 @@ #endif static const SSL_METHOD *ssl23_get_server_method(int ver); -int ssl23_get_client_hello(SSL *s); +static int ssl23_get_client_hello(SSL *s); static const SSL_METHOD *ssl23_get_server_method(int ver) { #ifndef OPENSSL_NO_SSL2 @@ -235,7 +235,7 @@ end: } -int ssl23_get_client_hello(SSL *s) +static int ssl23_get_client_hello(SSL *s) { char buf_space[11]; /* Request this many bytes in initial read. * We can detect SSL 3.0/TLS 1.0 Client Hellos Index: openssl-1.0.1i/ssl/s2_lib.c =================================================================== --- openssl-1.0.1i.orig/ssl/s2_lib.c +++ openssl-1.0.1i/ssl/s2_lib.c @@ -116,7 +116,6 @@ #include #include -const char ssl2_version_str[]="SSLv2" OPENSSL_VERSION_PTEXT; #define SSL2_NUM_CIPHERS (sizeof(ssl2_ciphers)/sizeof(SSL_CIPHER)) Index: openssl-1.0.1i/ssl/s3_lib.c =================================================================== --- openssl-1.0.1i.orig/ssl/s3_lib.c +++ openssl-1.0.1i/ssl/s3_lib.c @@ -162,7 +162,6 @@ #include #endif -const char ssl3_version_str[]="SSLv3" OPENSSL_VERSION_PTEXT; #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER)) Index: openssl-1.0.1i/ssl/ssl_lib.c =================================================================== --- openssl-1.0.1i.orig/ssl/ssl_lib.c +++ openssl-1.0.1i/ssl/ssl_lib.c @@ -160,7 +160,6 @@ #include #endif -const char *SSL_version_str=OPENSSL_VERSION_TEXT; SSL3_ENC_METHOD ssl3_undef_enc_method={ /* evil casts, but these functions are only called if there's a library bug */ Index: openssl-1.0.1i/ssl/ssl_locl.h =================================================================== --- openssl-1.0.1i.orig/ssl/ssl_locl.h +++ openssl-1.0.1i/ssl/ssl_locl.h @@ -165,6 +165,10 @@ #include #include +#if defined(__GNUC__) && __GNUC__ >= 4 +#pragma GCC visibility push(hidden) +#endif + #ifdef OPENSSL_BUILD_SHLIBSSL # undef OPENSSL_EXTERN # define OPENSSL_EXTERN OPENSSL_EXPORT @@ -1194,5 +1198,14 @@ int srp_verify_server_param(SSL *s, int #define tls1_process_heartbeat SSL_test_functions()->p_tls1_process_heartbeat #define dtls1_process_heartbeat SSL_test_functions()->p_dtls1_process_heartbeat +int private_tls1_PRF(long digest_mask, const void *seed1, int seed1_len, const void *seed2, int seed2_len, + const void *seed3, int seed3_len, const void *seed4, int seed4_len, const void *seed5, int seed5_len, + const unsigned char *sec, int slen, unsigned char *out1, unsigned char *out2, int olen); + #endif + +#if defined(__GNUC__) && __GNUC__ >= 4 +#pragma GCC visibility pop +#endif + #endif Index: openssl-1.0.1i/ssl/t1_lib.c =================================================================== --- openssl-1.0.1i.orig/ssl/t1_lib.c +++ openssl-1.0.1i/ssl/t1_lib.c @@ -117,7 +117,6 @@ #include #include "ssl_locl.h" -const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; #ifndef OPENSSL_NO_TLSEXT static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, ++++++ README-FIPS.txt ++++++ README-FIPS.txt - Roman Drahtmueller , June 16 2012 NOTE: Finished the adjustment of DSO path and correct the version information for SLE 12. Still need to review about AES-NI optimization. Shawn Chang , Dec 7 2013. NOTE: Outdated currently for openSUSE Factory / SLE 12, needs review and adjustments. But basic settings still are the same. Marcus Meissner , 2013/Dec/03. * general information * FIPS-140-2 mode of operation * overview: openssl subpackages on SLES12 ============================================================================== * general information ============================================================================== Dear user of the SUSE Linux Enterprise Server, SLES12 comes with openssl of version 1.0.1e, a version upgrade from 0.9.8j that came with earlier revisions of SLES11-SP3. The new version has support for FIPS-140-2 mode of operation. FIPS is short for Federal Information Processing Standard. For more information on FIPS-140-2, please see http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf and more publications on the NIST website. The openssl shared libraries are used by numerous packages in the SUSE Linux Enterprise Server. If the library runs in FIPS-140-2 mode, then the binary that links against the library at runtime makes use of FIPS-140-2 validated cryptography as defined in its cryptographic module. By consequence, a large number of packages can make a claim about using FIPS-140-2 validated cryptographical functions. Both the 64bit and the 32bit shared libraries are supported in FIPS-140-2 mode of operation. Both in 64bit and in 32bit mode, the AES-NI assembler optimizations are supported and used, if the used CPU supports the AES-NI instructions. These assembler optimizations can deliver a substantial performance benefit. To check if your system's CPU(s) has (have) AES-NI support, have a look into the Linux kernel's /proc file /proc/cpuinfo - search it for the "aes" flag. AES-NI support can be disabled by setting the environment variable OPENSSL_DISABLE_AESNI before running binaries that link against openssl. The "openssl speed" command can give you an idea for the performance differences. The cryptographic module as defined for FIPS-140-2 is contained in the files /lib64/.libcrypto.so.1.0.0.hmac /lib64/.libssl.so.1.0.0.hmac /lib64/libcrypto.so.1.0.0 /lib64/libssl.so.1.0.0 for 64bit operation and /lib/.libcrypto.so.1.0.0.hmac /lib/.libssl.so.1.0.0.hmac /lib/libcrypto.so.1.0.0 /lib/libssl.so.1.0.0 for 32bit. The .hmac files contain a HMAC for the internal integrity checking. They are contained in the package libopenssl1_0_0-hmac, seperate from the libopenssl1_0_0 package. These hashes are produced as one of the last steps during the RPM build process. If the library starts up in FIPS mode, the .hmac files are read, and the checksum is verified against a new self-measurement of the library. Essentially, this means that the FIPS mode of operation is not possible without the .hmac files from the corresponding -hmac package installed. If the library starts up in non-FIPS mode, it checks if the .hmac files exist, and if so, it runs through the self-tests as if it operates in FIPS mode. This self-test in non-FIPS mode is formally mandatory and comes with a heavy CPU footprint. You can avoid this overhead by un-installing the libopenssl1_0_0-hmac package (with the consequence that FIPS mode of operation becomes unavailable). The openssl library operates in non-FIPS mode by default. * FIPS-140-2 mode of operation ============================================================================== The openssl library operates in non-FIPS mode by default. As noted above (* general information), the .hmac files for the integrity self-check of the openssl library are contained in their own package. Unfortunately, the self-test is mandatory even if the library runs in non-FIPS mode, causing a significant CPU consumption during openssl's initialization. You can avoid this overhead by de-installing the -hmac package if you do not need FIPS mode of operation. If you DO need to run binaries that are linked against the openssl cryptographic library that runs in FIPS mode, you MUST have the libopenssl1_0_0-hmac package installed. !!! If you enable FIPS mode of operation with the methods below, you MUST !!! have the libopenssl1_0_0-hmac package installed. Programs that runtime-link !!! against openssl will abort if the FIPS self-tests (including the !!! integrity check with the .hmac hashes) fail! There are three ways to switch the shared libraries listed above to FIPS-140-2 compliant mode: 1) Start your system with the kernel commandline option "fips=1". To change the configuration for your system on a permanent basis, please add the command line option to the corresponding line in the bootloader configuration, typically /boot/grub/menu.lst . You can check if the kernel has accepted the commandline option at boot by inspecting the content of the file /proc/sys/crypto/fips_enabled . Please note that the fips=1 kernel commandline option switches the kernel's crypto API to FIPS mode operation, too. As a consequence, some of the in-kernel cryptographical functions may become unavailable. As of the writing of this README-FIPS.txt, the kernel's crypto API in the SUSE Linux Enterprise Server was NOT FIPS-140-2 validated! 2) set the environment variable OPENSSL_FORCE_FIPS_MODE to "1": export OPENSSL_FORCE_FIPS_MODE=1 and run your application with this environment variable set. The FIPS-140-2 mode of operation is only given in the context of processes that have OPENSSL_FORCE_FIPS_MODE set, unless the global switch as in 1) above is active. 3) In your program, use the exported function int FIPS_mode_set(int onoff); to turn on FIPS-140-2 compliant mode. The library will conduct the mandatory self-tests and the integrity check that makes use of the .hmac files mentioned above. The function int FIPS_mode(void); can be used to check if the library operates in FIPS-140-2 compliant mode. It returns 1 in FIPS mode, 0 otherwise. Notes: - An easy way to verify if your openssl cryptography subsystem operates in FIPS-140-2 compliant mode is to look at the output of the openssl ciphers command. In FIPS-140-2 compliant mode, the output lists fewer algorythms. - The startup time of programs that initialize the openssl shared libraries in FIPS-140-2 compliant mode is considerably longer due to the self-tests that are being executed. On fast systems, the startup overhead can be in the range of 0.05-0.3s. The startup time is two orders of a magnitude smaller in non-FIPS mode. Please note that the self-test overhead only occurs during the initialization of the cryptographic module. There is no other performance impact of FIPS-140-2 compliant operation of the library. - The environment variable OPENSSL_FIPS can be set to force the /usr/bin/openssl binary to operate in FIPS-140-2 compliant mode: OPENSSL_FIPS=1 openssl ciphers The variable OPENSSL_FIPS has an effect on the openssl binary only. - Services and daemons that make use of the openssl shared libraries in FIPS-140-2 compliant mode need to be configured to use algorythms from the list of permissable algorythms. If an algorythm is requested by an application that is not allowed in FIPS-140-2 compliant mode, the application will terminate (abort(3)). Please see the FIPS-140-2 Security Policy document for the openssl FIPS module on the SUSE Linux Enterprise Server 11 SP1 from the SUSE website at http://www.suse.com/ or the NIST website at http://csrc.nist.gov/ for more details. - If you have any questions about the FIPS-140-2 compliant mode of openssl, please send email to security@suse.com. * overview: openssl subpackages on SLES12 ============================================================================== The openssl package consists of the following RPM package: openssl - manual pages - the /etc/ssl configuration directory - the /usr/bin/openssl program - /usr/bin/fips_standalone_hmac, the program used to reproduce the integrity HMAC that is contained in the package: libopenssl1_0_0 - files: /lib64/libcrypto.so.1.0.0 /lib64/libssl.so.1.0.0 /lib64/engines /lib64/engines/libcapi.so /lib64/engines/libgmp.so /lib64/engines/libgost.so /lib64/engines/libpadlock.so libopenssl1_0_0-hmac - files: /lib64/.libcrypto.so.1.0.0.hmac /lib64/.libssl.so.1.0.0.hmac libopenssl1_0_0-32bit - files as in package libopenssl1_0_0, but in /lib/. The .so libraries are for the 32bit compatibility mode of the openssl library. libopenssl1_0_0-hmac-32bit - files as in package libopenssl1_0_0-hmac, but in /lib/. libopenssl-devel - header files and static libraries for compiling applications with the openssl library. Please note that running binaries that are statically linked against openssl libraries is not supported in terms of FIPS-140-2 compliance. openssl-doc - more documentation and manual pages. openssl-debuginfo openssl-debugsource - packages that provide debugging symbols and debugging source code for running binaries (dynamically) linked against libopenssl1_0_0 in a debugger. openssl-certs - CA certificate collection in /etc/ssl/certs The openssl-certs package is not a subpackage of the openssl package, but it merely provides CA certificates where the openssl package finds them. ++++++ README.SUSE ++++++ Please note that the man pages for the openssl libraries and tools have been placed in a package on its own right: openssl-doc Please install the openssl-doc package if you need the man pages, HTML documentation or sample C programs. The C header files and static libraries have also been extracted, they can now be found in the openssl-devel package. Your SuSE Team. ++++++ VIA_padlock_support_on_64systems.patch ++++++ --- openssl-1.0.1k.orig/engines/e_padlock.c +++ openssl-1.0.1k/engines/e_padlock.c @@ -101,7 +101,10 @@ compiler choice is limited to GCC and Microsoft C. */ #undef COMPILE_HW_PADLOCK #if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM) -# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \ +# if (defined(__GNUC__) && __GNUC__>=2 && \ + (defined(__i386__) || defined(__i386) || \ + defined(__x86_64__) || defined(__x86_64)) \ + ) || \ (defined(_MSC_VER) && defined(_M_IX86)) # define COMPILE_HW_PADLOCK # endif @@ -304,6 +307,7 @@ static volatile struct padlock_cipher_da * ======================================================= */ #if defined(__GNUC__) && __GNUC__>=2 +#if defined(__i386__) || defined(__i386) /* * As for excessive "push %ebx"/"pop %ebx" found all over. * When generating position-independent code GCC won't let @@ -458,11 +462,136 @@ static inline void *name(size_t cnt, \ return iv; \ } + +#endif + +#elif defined(__x86_64__) || defined(__x86_64) + +/* Load supported features of the CPU to see if + the PadLock is available. */ + static int +padlock_available(void) +{ + char vendor_string[16]; + unsigned int eax, edx; + size_t scratch; + + /* Are we running on the Centaur (VIA) CPU? */ + eax = 0x00000000; + vendor_string[12] = 0; + asm volatile ( + "movq %%rbx,%1\n" + "cpuid\n" + "movl %%ebx,(%2)\n" + "movl %%edx,4(%2)\n" + "movl %%ecx,8(%2)\n" + "movq %1,%%rbx" + : "+a"(eax), "=&r"(scratch) : "r"(vendor_string) : "rcx", "rdx"); + if (strcmp(vendor_string, "CentaurHauls") != 0) + return 0; + + /* Check for Centaur Extended Feature Flags presence */ + eax = 0xC0000000; + asm volatile ("movq %%rbx,%1; cpuid; movq %1,%%rbx" + : "+a"(eax), "=&r"(scratch) : : "rcx", "rdx"); + if (eax < 0xC0000001) + return 0; + + /* Read the Centaur Extended Feature Flags */ + eax = 0xC0000001; + asm volatile ("movq %%rbx,%2; cpuid; movq %2,%%rbx" + : "+a"(eax), "=d"(edx), "=&r"(scratch) : : "rcx"); + + /* Fill up some flags */ + padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6)); + padlock_use_rng = ((edx & (0x3<<2)) == (0x3<<2)); + + return padlock_use_ace + padlock_use_rng; +} + +/* Force key reload from memory to the CPU microcode. + Loading EFLAGS from the stack clears EFLAGS[30] + which does the trick. */ + static inline void +padlock_reload_key(void) +{ + asm volatile ("pushfq; popfq"); +} + +#ifndef OPENSSL_NO_AES +/* + * This is heuristic key context tracing. At first one + * believes that one should use atomic swap instructions, + * but it's not actually necessary. Point is that if + * padlock_saved_context was changed by another thread + * after we've read it and before we compare it with cdata, + * our key *shall* be reloaded upon thread context switch + * and we are therefore set in either case... + */ + static inline void +padlock_verify_context(struct padlock_cipher_data *cdata) +{ + asm volatile ( + "pushfq\n" + " btl $30,(%%rsp)\n" + " jnc 1f\n" + " cmpq %2,%1\n" + " je 1f\n" + " popfq\n" + " subq $8,%%rsp\n" + "1: addq $8,%%rsp\n" + " movq %2,%0" + :"+m"(padlock_saved_context) + : "r"(padlock_saved_context), "r"(cdata) : "cc"); +} + +/* Template for padlock_xcrypt_* modes */ +/* BIG FAT WARNING: + * The offsets used with 'leal' instructions + * describe items of the 'padlock_cipher_data' + * structure. + */ +#define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \ + static inline void *name(size_t cnt, \ + struct padlock_cipher_data *cdata, \ + void *out, const void *inp) \ +{ void *iv; \ + size_t scratch; \ + asm volatile ( "movq %%rbx,%4\n" \ + " leaq 16(%0),%%rdx\n" \ + " leaq 32(%0),%%rbx\n" \ + rep_xcrypt "\n" \ + " movq %4,%%rbx" \ + : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp), "=&r"(scratch) \ + : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \ + : "rdx", "cc", "memory"); \ + return iv; \ +} +#endif + +#endif /* cpu */ + +#ifndef OPENSSL_NO_AES + + /* Generate all functions with appropriate opcodes */ PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, ".byte 0xf3,0x0f,0xa7,0xc8") /* rep xcryptecb */ PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc, ".byte 0xf3,0x0f,0xa7,0xd0") /* rep xcryptcbc */ PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0") /* rep xcryptcfb */ PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8") /* rep xcryptofb */ + +/* Our own htonl()/ntohl() */ +static inline void +padlock_bswapl(AES_KEY *ks) +{ + size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]); + unsigned int *key = ks->rd_key; + + while (i--) { + asm volatile ("bswapl %0" : "+r"(*key)); + key++; + } +} #endif /* The RNG call itself */ @@ -493,8 +622,8 @@ padlock_xstore(void *addr, unsigned int static inline unsigned char * padlock_memcpy(void *dst,const void *src,size_t n) { - long *d=dst; - const long *s=src; + size_t *d=dst; + const size_t *s=src; n /= sizeof(*d); do { *d++ = *s++; } while (--n); ++++++ baselibs.conf ++++++ libopenssl1_0_0 obsoletes "openssl- <= " libopenssl-devel requires -libopenssl- requires "libopenssl1_0_0- = " libopenssl1_0_0-hmac requires -libopenssl1_0_0 = requires "libopenssl1_0_0- = -%release" ++++++ bug610223.patch ++++++ Index: openssl-1.0.1g/Configure =================================================================== --- openssl-1.0.1g.orig/Configure +++ openssl-1.0.1g/Configure @@ -1804,7 +1804,8 @@ while ( ) } elsif (/^#define\s+ENGINESDIR/) { - my $foo = "$prefix/$libdir/engines"; + #my $foo = "$prefix/$libdir/engines"; + my $foo = "/$libdir/engines"; $foo =~ s/\\/\\\\/g; print OUT "#define ENGINESDIR \"$foo\"\n"; } ++++++ compression_methods_switch.patch ++++++ Index: openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod =================================================================== --- openssl-1.0.1e.orig/doc/ssl/SSL_COMP_add_compression_method.pod +++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod @@ -41,6 +41,24 @@ of compression methods supported on a pe The OpenSSL library has the compression methods B and (when especially enabled during compilation) B available. +And, there is an environment variable to switch the compression +methods off and on. In default the compression is off to mitigate +the so called CRIME attack ( CVE-2012-4929). If you want to enable +compression again set OPENSSL_NO_DEFAULT_ZLIB to "no". + +The variable can be switched on and off at runtime; when this variable +is set "no" compression is enabled, otherwise no, for example: + +in shell 'export OPENSSL_NO_DEFAULT_ZLIB=no' +or in C to call +int setenv(const char *name, const char *value, int overwrite); and +int unsetenv(const char *name); + +Note: This reverts the behavior of the variable as it was before! + +And pay attention that this freaure is temporary, it maybe changed by +the following updates. + =head1 WARNINGS Once the identities of the compression methods for the TLS protocol have Index: openssl-1.0.1e/ssl/ssl_ciph.c =================================================================== --- openssl-1.0.1e.orig/ssl/ssl_ciph.c +++ openssl-1.0.1e/ssl/ssl_ciph.c @@ -452,10 +452,16 @@ static void load_builtin_compressions(vo if (ssl_comp_methods == NULL) { SSL_COMP *comp = NULL; + const char *nodefaultzlib; MemCheck_off(); ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp); - if (ssl_comp_methods != NULL) + + /* The default is "no" compression to avoid CRIME/BEAST */ + nodefaultzlib = getenv("OPENSSL_NO_DEFAULT_ZLIB"); + if ( ssl_comp_methods != NULL && + nodefaultzlib && + strncmp( nodefaultzlib, "no", 2) == 0) { comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); if (comp != NULL) ++++++ merge_from_0.9.8k.patch ++++++ Index: openssl-1.0.1g/Configure =================================================================== --- openssl-1.0.1g.orig/Configure +++ openssl-1.0.1g/Configure @@ -933,7 +933,7 @@ PROCESS_ARGS: } else { - die "target already defined - $target (offending arg: $_)\n" if ($target ne ""); + warn "target already defined - $target (offending arg: $_)\n" if ($target ne ""); $target=$_; } @@ -1206,7 +1206,7 @@ if ($target =~ /^mingw/ && `$cc --target my $no_shared_warn=0; my $no_user_cflags=0; -if ($flags ne "") { $cflags="$flags$cflags"; } +if ($flags ne "") { $cflags="$cflags $flags"; } else { $no_user_cflags=1; } # Kerberos settings. The flavor must be provided from outside, either through Index: openssl-1.0.1g/config =================================================================== --- openssl-1.0.1g.orig/config +++ openssl-1.0.1g/config @@ -573,7 +573,8 @@ case "$GUESSOS" in options="$options -arch%20${MACHINE}" OUT="iphoneos-cross" ;; alpha-*-linux2) - ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo` + #ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo` + ISA=EV56 case ${ISA:-generic} in *[678]) OUT="linux-alpha+bwx-$CC" ;; *) OUT="linux-alpha-$CC" ;; @@ -593,7 +594,8 @@ case "$GUESSOS" in echo " You have about 5 seconds to press Ctrl-C to abort." (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1 fi - OUT="linux-ppc" + # we have the target and force it here + OUT="linux-ppc64" ;; ppc-*-linux2) OUT="linux-ppc" ;; ppc60x-*-vxworks*) OUT="vxworks-ppc60x" ;; @@ -614,10 +616,10 @@ case "$GUESSOS" in sparc-*-linux2) KARCH=`awk '/^type/{print$3;exit(0);}' /proc/cpuinfo` case ${KARCH:-sun4} in - sun4u*) OUT="linux-sparcv9" ;; - sun4m) OUT="linux-sparcv8" ;; - sun4d) OUT="linux-sparcv8" ;; - *) OUT="linux-generic32"; options="$options -DB_ENDIAN" ;; +# sun4u*) OUT="linux-sparcv9" ;; +# sun4m) OUT="linux-sparcv8" ;; +# sun4d) OUT="linux-sparcv8" ;; + *) OUT="linux-sparcv8" ;; esac ;; parisc*-*-linux2) # 64-bit builds under parisc64 linux are not supported and @@ -636,7 +638,11 @@ case "$GUESSOS" in # PA8500 -> 8000 (2.0) # PA8600 -> 8000 (2.0) - CPUSCHEDULE=`echo $CPUSCHEDULE|sed -e 's/7300LC/7100LC/' -e 's/8.00/8000/'` + # CPUSCHEDULE=`echo $CPUSCHEDULE|sed -e 's/7300LC/7100LC/' -e 's/8?00/8000/'` + # lets have CPUSCHEDULE for 1.1: + CPUSCHEDULE=7100LC + # we want to support 1.1 CPUs as well: + CPUARCH=1.1 # Finish Model transformations options="$options -DB_ENDIAN -mschedule=$CPUSCHEDULE -march=$CPUARCH" ++++++ openssl-1.0.0-c_rehash-compat.diff ++++++ >From 83f318d68bbdab1ca898c94576a838cc97df4700 Mon Sep 17 00:00:00 2001 From: Ludwig Nussel Date: Wed, 21 Apr 2010 15:52:10 +0200 Subject: [PATCH] also create old hash for compatibility --- tools/c_rehash.in | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-) diff --git a/tools/c_rehash.in b/tools/c_rehash.in index bfc4a69..f8d0ce1 100644 --- a/tools/c_rehash.in +++ b/tools/c_rehash.in @@ -83,6 +83,7 @@ sub hash_dir { next; } link_hash_cert($fname) if($cert); + link_hash_cert_old($fname) if($cert); link_hash_crl($fname) if($crl); } } @@ -116,8 +117,9 @@ sub check_file { sub link_hash_cert { my $fname = $_[0]; + my $hashopt = $_[1] || '-subject_hash'; $fname =~ s/'/'\\''/g; - my ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in "$fname"`; + my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$fname"`; chomp $hash; chomp $fprint; $fprint =~ s/^.*=//; @@ -147,6 +149,10 @@ sub link_hash_cert { $hashlist{$hash} = $fprint; } +sub link_hash_cert_old { + link_hash_cert($_[0], '-subject_hash_old'); +} + # Same as above except for a CRL. CRL links are of the form .r sub link_hash_crl { -- 1.6.4.2 ++++++ openssl-1.0.1c-default-paths.patch ++++++ Index: openssl-1.0.1g/apps/s_client.c =================================================================== --- openssl-1.0.1g.orig/apps/s_client.c +++ openssl-1.0.1g/apps/s_client.c @@ -1174,12 +1174,19 @@ bad: if (!set_cert_key_stuff(ctx,cert,key)) goto end; - if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || - (!SSL_CTX_set_default_verify_paths(ctx))) + if (CAfile == NULL && CApath == NULL) { - /* BIO_printf(bio_err,"error setting default verify locations\n"); */ - ERR_print_errors(bio_err); - /* goto end; */ + if (!SSL_CTX_set_default_verify_paths(ctx)) + { + ERR_print_errors(bio_err); + } + } + else + { + if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) + { + ERR_print_errors(bio_err); + } } #ifndef OPENSSL_NO_TLSEXT Index: openssl-1.0.1g/apps/s_server.c =================================================================== --- openssl-1.0.1g.orig/apps/s_server.c +++ openssl-1.0.1g/apps/s_server.c @@ -1572,13 +1572,21 @@ bad: } #endif - if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || - (!SSL_CTX_set_default_verify_paths(ctx))) + if (CAfile == NULL && CApath == NULL) { - /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */ - ERR_print_errors(bio_err); - /* goto end; */ + if (!SSL_CTX_set_default_verify_paths(ctx)) + { + ERR_print_errors(bio_err); + } + } + else + { + if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) + { + ERR_print_errors(bio_err); + } } + if (vpm) SSL_CTX_set1_param(ctx, vpm); @@ -1629,8 +1637,11 @@ bad: else SSL_CTX_sess_set_cache_size(ctx2,128); - if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) || - (!SSL_CTX_set_default_verify_paths(ctx2))) + if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) + { + ERR_print_errors(bio_err); + } + if (!SSL_CTX_set_default_verify_paths(ctx2)) { ERR_print_errors(bio_err); } Index: openssl-1.0.1g/apps/s_time.c =================================================================== --- openssl-1.0.1g.orig/apps/s_time.c +++ openssl-1.0.1g/apps/s_time.c @@ -373,12 +373,19 @@ int MAIN(int argc, char **argv) SSL_load_error_strings(); - if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) || - (!SSL_CTX_set_default_verify_paths(tm_ctx))) + if (CAfile == NULL && CApath == NULL) { - /* BIO_printf(bio_err,"error setting default verify locations\n"); */ - ERR_print_errors(bio_err); - /* goto end; */ + if (!SSL_CTX_set_default_verify_paths(tm_ctx)) + { + ERR_print_errors(bio_err); + } + } + else + { + if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) + { + ERR_print_errors(bio_err); + } } if (tm_cipher == NULL) ++++++ openssl-1.0.1c-ipv6-apps.patch ++++++ Index: openssl-1.0.1h/apps/s_apps.h =================================================================== --- openssl-1.0.1h.orig/apps/s_apps.h +++ openssl-1.0.1h/apps/s_apps.h @@ -148,7 +148,7 @@ typedef fd_mask fd_set; #define PORT_STR "4433" #define PROTOCOL "tcp" -int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context); +int do_server(char *port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context); #ifdef HEADER_X509_H int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); #endif @@ -156,10 +156,9 @@ int MS_CALLBACK verify_callback(int ok, int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file); int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key); #endif -int init_client(int *sock, char *server, int port, int type); +int init_client(int *sock, char *server, char *port, int type); int should_retry(int i); -int extract_port(char *str, short *port_ptr); -int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p); +int extract_host_port(char *str,char **host_ptr,char **port_ptr); long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp, int argi, long argl, long ret); Index: openssl-1.0.1h/apps/s_client.c =================================================================== --- openssl-1.0.1h.orig/apps/s_client.c +++ openssl-1.0.1h/apps/s_client.c @@ -567,7 +567,7 @@ int MAIN(int argc, char **argv) int cbuf_len,cbuf_off; int sbuf_len,sbuf_off; fd_set readfds,writefds; - short port=PORT; + char *port_str = PORT_STR; int full_log=1; char *host=SSL_HOST_NAME; char *cert_file=NULL,*key_file=NULL; @@ -668,13 +668,12 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-port") == 0) { if (--argc < 1) goto bad; - port=atoi(*(++argv)); - if (port == 0) goto bad; + port_str= *(++argv); } else if (strcmp(*argv,"-connect") == 0) { if (--argc < 1) goto bad; - if (!extract_host_port(*(++argv),&host,NULL,&port)) + if (!extract_host_port(*(++argv),&host,&port_str)) goto bad; } else if (strcmp(*argv,"-verify") == 0) @@ -1267,7 +1266,7 @@ bad: re_start: - if (init_client(&s,host,port,socket_type) == 0) + if (init_client(&s,host,port_str,socket_type) == 0) { BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error()); SHUTDOWN(s); Index: openssl-1.0.1h/apps/s_server.c =================================================================== --- openssl-1.0.1h.orig/apps/s_server.c +++ openssl-1.0.1h/apps/s_server.c @@ -933,7 +933,7 @@ int MAIN(int argc, char *argv[]) { X509_VERIFY_PARAM *vpm = NULL; int badarg = 0; - short port=PORT; + char *port_str = PORT_STR; char *CApath=NULL,*CAfile=NULL; unsigned char *context = NULL; char *dhfile = NULL; @@ -1004,8 +1004,7 @@ int MAIN(int argc, char *argv[]) (strcmp(*argv,"-accept") == 0)) { if (--argc < 1) goto bad; - if (!extract_port(*(++argv),&port)) - goto bad; + port_str= *(++argv); } else if (strcmp(*argv,"-verify") == 0) { @@ -1892,9 +1891,9 @@ bad: BIO_printf(bio_s_out,"ACCEPT\n"); (void)BIO_flush(bio_s_out); if (www) - do_server(port,socket_type,&accept_socket,www_body, context); + do_server(port_str,socket_type,&accept_socket,www_body, context); else - do_server(port,socket_type,&accept_socket,sv_body, context); + do_server(port_str,socket_type,&accept_socket,sv_body, context); print_stats(bio_s_out,ctx); ret=0; end: Index: openssl-1.0.1h/apps/s_socket.c =================================================================== --- openssl-1.0.1h.orig/apps/s_socket.c +++ openssl-1.0.1h/apps/s_socket.c @@ -102,9 +102,7 @@ static struct hostent *GetHostByName(cha static void ssl_sock_cleanup(void); #endif static int ssl_sock_init(void); -static int init_client_ip(int *sock,unsigned char ip[4], int port, int type); -static int init_server(int *sock, int port, int type); -static int init_server_long(int *sock, int port,char *ip, int type); +static int init_server(int *sock, char *port, int type); static int do_accept(int acc_sock, int *sock, char **host); static int host_ip(char *str, unsigned char ip[4]); @@ -234,57 +232,70 @@ static int ssl_sock_init(void) return(1); } -int init_client(int *sock, char *host, int port, int type) +int init_client(int *sock, char *host, char *port, int type) { - unsigned char ip[4]; - - memset(ip, '\0', sizeof ip); - if (!host_ip(host,&(ip[0]))) - return 0; - return init_client_ip(sock,ip,port,type); - } - -static int init_client_ip(int *sock, unsigned char ip[4], int port, int type) - { - unsigned long addr; - struct sockaddr_in them; - int s,i; + struct addrinfo *res, *res0, hints; + char * failed_call = NULL; + int s; + int e; if (!ssl_sock_init()) return(0); - memset((char *)&them,0,sizeof(them)); - them.sin_family=AF_INET; - them.sin_port=htons((unsigned short)port); - addr=(unsigned long) - ((unsigned long)ip[0]<<24L)| - ((unsigned long)ip[1]<<16L)| - ((unsigned long)ip[2]<< 8L)| - ((unsigned long)ip[3]); - them.sin_addr.s_addr=htonl(addr); - - if (type == SOCK_STREAM) - s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); - else /* ( type == SOCK_DGRAM) */ - s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP); - - if (s == INVALID_SOCKET) { perror("socket"); return(0); } + memset(&hints, '\0', sizeof(hints)); + hints.ai_socktype = type; + hints.ai_flags = AI_ADDRCONFIG; + + e = getaddrinfo(host, port, &hints, &res); + if (e) + { + fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e)); + if (e == EAI_SYSTEM) + perror("getaddrinfo"); + return (0); + } + res0 = res; + while (res) + { + s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); + if (s == INVALID_SOCKET) + { + failed_call = "socket"; + goto nextres; + } #if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE) if (type == SOCK_STREAM) { - i=0; - i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i)); - if (i < 0) { closesocket(s); perror("keepalive"); return(0); } + int i=0; + i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE, + (char *)&i,sizeof(i)); + if (i < 0) { + failed_call = "keepalive"; + goto nextres; + } } #endif - - if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1) - { closesocket(s); perror("connect"); return(0); } + if (connect(s,(struct sockaddr *)res->ai_addr, + res->ai_addrlen) == 0) + { + freeaddrinfo(res0); *sock=s; return(1); } -int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context) + failed_call = "socket"; +nextres: + if (s != INVALID_SOCKET) + close(s); + res = res->ai_next; + } + freeaddrinfo(res0); + + perror(failed_call); + return(0); + } + +int do_server(char *port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context) { int sock; char *name = NULL; @@ -322,33 +333,50 @@ int do_server(int port, int type, int *r } } -static int init_server_long(int *sock, int port, char *ip, int type) +static int init_server(int *sock, char *port, int type) { - int ret=0; - struct sockaddr_in server; - int s= -1; + struct addrinfo *res, *res0 = NULL, hints; + char * failed_call = NULL; + int s = INVALID_SOCKET; + int e; if (!ssl_sock_init()) return(0); - memset((char *)&server,0,sizeof(server)); - server.sin_family=AF_INET; - server.sin_port=htons((unsigned short)port); - if (ip == NULL) - server.sin_addr.s_addr=INADDR_ANY; - else -/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */ -#ifndef BIT_FIELD_LIMITS - memcpy(&server.sin_addr.s_addr,ip,4); -#else - memcpy(&server.sin_addr,ip,4); -#endif + memset(&hints, '\0', sizeof(hints)); + hints.ai_family = AF_INET6; +tryipv4: + hints.ai_socktype = type; + hints.ai_flags = AI_PASSIVE; - if (type == SOCK_STREAM) - s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); - else /* type == SOCK_DGRAM */ - s=socket(AF_INET, SOCK_DGRAM,IPPROTO_UDP); + e = getaddrinfo(NULL, port, &hints, &res); + if (e) + { + if (hints.ai_family == AF_INET) + { + fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e)); + if (e == EAI_SYSTEM) + perror("getaddrinfo"); + return (0); + } + else + res = NULL; + } - if (s == INVALID_SOCKET) goto err; + res0 = res; + while (res) + { + s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); + if (s == INVALID_SOCKET) + { + failed_call = "socket"; + goto nextres; + } + if (hints.ai_family == AF_INET6) + { + int j = 0; + setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, + (void *) &j, sizeof j); + } #if defined SOL_SOCKET && defined SO_REUSEADDR { int j = 1; @@ -356,35 +384,49 @@ static int init_server_long(int *sock, i (void *) &j, sizeof j); } #endif - if (bind(s,(struct sockaddr *)&server,sizeof(server)) == -1) + + if (bind(s,(struct sockaddr *)res->ai_addr, res->ai_addrlen) == -1) { -#ifndef OPENSSL_SYS_WINDOWS - perror("bind"); -#endif - goto err; + failed_call = "bind"; + goto nextres; } - /* Make it 128 for linux */ - if (type==SOCK_STREAM && listen(s,128) == -1) goto err; - *sock=s; - ret=1; -err: - if ((ret == 0) && (s != -1)) + if (type==SOCK_STREAM && listen(s,128) == -1) { - SHUTDOWN(s); + failed_call = "listen"; + goto nextres; } - return(ret); + + *sock=s; + return(1); + +nextres: + if (s != INVALID_SOCKET) + close(s); + res = res->ai_next; } + if (res0) + freeaddrinfo(res0); -static int init_server(int *sock, int port, int type) + if (s == INVALID_SOCKET) { - return(init_server_long(sock, port, NULL, type)); + if (hints.ai_family == AF_INET6) + { + hints.ai_family = AF_INET; + goto tryipv4; + } + perror("socket"); + return(0); + } + + perror(failed_call); + return(0); } static int do_accept(int acc_sock, int *sock, char **host) { + static struct sockaddr_storage from; + char buffer[NI_MAXHOST]; int ret; - struct hostent *h1,*h2; - static struct sockaddr_in from; int len; /* struct linger ling; */ @@ -431,138 +473,59 @@ redoit: */ if (host == NULL) goto end; -#ifndef BIT_FIELD_LIMITS - /* I should use WSAAsyncGetHostByName() under windows */ - h1=gethostbyaddr((char *)&from.sin_addr.s_addr, - sizeof(from.sin_addr.s_addr),AF_INET); -#else - h1=gethostbyaddr((char *)&from.sin_addr, - sizeof(struct in_addr),AF_INET); -#endif - if (h1 == NULL) + + if (getnameinfo((struct sockaddr *)&from, sizeof(from), + buffer, sizeof(buffer), + NULL, 0, 0)) { - BIO_printf(bio_err,"bad gethostbyaddr\n"); + BIO_printf(bio_err,"getnameinfo failed\n"); *host=NULL; /* return(0); */ } else { - if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL) + if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL) { perror("OPENSSL_malloc"); closesocket(ret); return(0); } - BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1); - - h2=GetHostByName(*host); - if (h2 == NULL) - { - BIO_printf(bio_err,"gethostbyname failure\n"); - closesocket(ret); - return(0); - } - if (h2->h_addrtype != AF_INET) - { - BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n"); - closesocket(ret); - return(0); - } + strcpy(*host, buffer); } end: *sock=ret; return(1); } -int extract_host_port(char *str, char **host_ptr, unsigned char *ip, - short *port_ptr) +int extract_host_port(char *str, char **host_ptr, + char **port_ptr) { - char *h,*p; + char *h,*p,*x; - h=str; - p=strchr(str,':'); + x=h=str; + if (*h == '[') + { + h++; + p=strchr(h,']'); if (p == NULL) { - BIO_printf(bio_err,"no port defined\n"); + BIO_printf(bio_err,"no ending bracket for IPv6 address\n"); return(0); } *(p++)='\0'; - - if ((ip != NULL) && !host_ip(str,ip)) - goto err; - if (host_ptr != NULL) *host_ptr=h; - - if (!extract_port(p,port_ptr)) - goto err; - return(1); -err: - return(0); + x = p; } - -static int host_ip(char *str, unsigned char ip[4]) - { - unsigned int in[4]; - int i; - - if (sscanf(str,"%u.%u.%u.%u",&(in[0]),&(in[1]),&(in[2]),&(in[3])) == 4) - { - for (i=0; i<4; i++) - if (in[i] > 255) - { - BIO_printf(bio_err,"invalid IP address\n"); - goto err; - } - ip[0]=in[0]; - ip[1]=in[1]; - ip[2]=in[2]; - ip[3]=in[3]; - } - else - { /* do a gethostbyname */ - struct hostent *he; - - if (!ssl_sock_init()) return(0); - - he=GetHostByName(str); - if (he == NULL) - { - BIO_printf(bio_err,"gethostbyname failure\n"); - goto err; - } - /* cast to short because of win16 winsock definition */ - if ((short)he->h_addrtype != AF_INET) + p=strchr(x,':'); + if (p == NULL) { - BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n"); - return(0); - } - ip[0]=he->h_addr_list[0][0]; - ip[1]=he->h_addr_list[0][1]; - ip[2]=he->h_addr_list[0][2]; - ip[3]=he->h_addr_list[0][3]; - } - return(1); -err: + BIO_printf(bio_err,"no port defined\n"); return(0); } + *(p++)='\0'; -int extract_port(char *str, short *port_ptr) - { - int i; - struct servent *s; + if (host_ptr != NULL) *host_ptr=h; + if (port_ptr != NULL) *port_ptr=p; - i=atoi(str); - if (i != 0) - *port_ptr=(unsigned short)i; - else - { - s=getservbyname(str,"tcp"); - if (s == NULL) - { - BIO_printf(bio_err,"getservbyname failure for %s\n",str); - return(0); - } - *port_ptr=ntohs((unsigned short)s->s_port); - } return(1); } ++++++ openssl-1.0.1e-add-suse-default-cipher-header.patch ++++++ Index: openssl-1.0.1g/ssl/ssl.h =================================================================== --- openssl-1.0.1g.orig/ssl/ssl.h +++ openssl-1.0.1g/ssl/ssl.h @@ -332,9 +332,11 @@ extern "C" { * It also is substituted when an application-defined cipher list string * starts with 'DEFAULT'. */ #define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES" + #define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\ "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\ "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA" + /* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always * starts with a reasonable order, and all we have to do for DEFAULT is * throwing out anonymous and unencrypted ciphersuites! ++++++ openssl-1.0.1e-add-suse-default-cipher.patch ++++++ Index: openssl-1.0.1g/ssl/ssl_ciph.c =================================================================== --- openssl-1.0.1g.orig/ssl/ssl_ciph.c +++ openssl-1.0.1g/ssl/ssl_ciph.c @@ -1470,7 +1470,17 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ */ ok = 1; rule_p = rule_str; - if (strncmp(rule_str,"DEFAULT",7) == 0) + + if (strncmp(rule_str,"DEFAULT_SUSE",12) == 0) + { + ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST, + &head, &tail, ca_list); + rule_p += 12; + if (*rule_p == ':') + rule_p++; + } + + else if (strncmp(rule_str,"DEFAULT",7) == 0) { ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, &head, &tail, ca_list); Index: openssl-1.0.1g/ssl/ssl.h =================================================================== --- openssl-1.0.1g.orig/ssl/ssl.h +++ openssl-1.0.1g/ssl/ssl.h @@ -331,7 +331,10 @@ extern "C" { /* The following cipher list is used by default. * It also is substituted when an application-defined cipher list string * starts with 'DEFAULT'. */ -#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!LOW" +#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES" +#define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\ + "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\ + "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA" /* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always * starts with a reasonable order, and all we have to do for DEFAULT is * throwing out anonymous and unencrypted ciphersuites! ++++++ openssl-1.0.1e-add-test-suse-default-cipher-suite.patch ++++++ Index: openssl-1.0.1f/test/testssl =================================================================== --- openssl-1.0.1f.orig/test/testssl +++ openssl-1.0.1f/test/testssl @@ -136,6 +136,25 @@ for protocol in TLSv1.2 SSLv3; do done done +echo "Testing default ciphersuites" + +for cipher_suite in DEFAULT_SUSE DEFAULT; do + ../util/shlib_wrap.sh ../apps/openssl ciphers $cipher_suite + if [ $? -ne 0 ]; then + echo "Failed default ciphersuite $cipher_suite" + exit 1 + fi +done + +echo "Testing if MD5, DES and RC4 are excluded from DEFAULT_SUSE cipher suite" +../util/shlib_wrap.sh ../apps/openssl ciphers DEFAULT_SUSE| grep "MD5\|RC4\|DES-[^CBC3]" + +if [ $? -ne 1 ];then + echo "weak ciphers are present on DEFAULT_SUSE cipher suite" + exit 1 +fi + + ############################################################################# if ../util/shlib_wrap.sh ../apps/openssl no-dh; then ++++++ openssl-1.0.1e-fips-ctor.patch ++++++ Index: openssl-1.0.1e/crypto/fips/fips.c =================================================================== --- openssl-1.0.1e.orig/crypto/fips/fips.c +++ openssl-1.0.1e/crypto/fips/fips.c @@ -60,6 +60,8 @@ #include #include #include +#include +#include #include "fips_locl.h" #ifdef OPENSSL_FIPS @@ -198,8 +200,10 @@ bin2hex(void *buf, size_t len) return hex; } -#define HMAC_PREFIX "." -#define HMAC_SUFFIX ".hmac" +#define HMAC_PREFIX "." +#ifndef HMAC_SUFFIX +#define HMAC_SUFFIX ".hmac" +#endif #define READ_BUFFER_LENGTH 16384 static char * @@ -279,19 +283,13 @@ end: } static int -FIPSCHECK_verify(const char *libname, const char *symbolname) +FIPSCHECK_verify(const char *path) { - char path[PATH_MAX+1]; - int rv; + int rv = 0; FILE *hf; char *hmacpath, *p; char *hmac = NULL; size_t n; - - rv = get_library_path(libname, symbolname, path, sizeof(path)); - - if (rv < 0) - return 0; hmacpath = make_hmac_path(path); if (hmacpath == NULL) @@ -341,6 +339,53 @@ end: return 1; } +static int +verify_checksums(void) + { + int rv; + char path[PATH_MAX+1]; + char *p; + + /* we need to avoid dlopening libssl, assume both libcrypto and libssl + are in the same directory */ + + rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path)); + if (rv < 0) + return 0; + + rv = FIPSCHECK_verify(path); + if (!rv) + return 0; + + /* replace libcrypto with libssl */ + while ((p = strstr(path, "libcrypto.so")) != NULL) + { + p = stpcpy(p, "libssl"); + memmove(p, p+3, strlen(p+2)); + } + + rv = FIPSCHECK_verify(path); + if (!rv) + return 0; + return 1; + } + +#ifndef FIPS_MODULE_PATH +#define FIPS_MODULE_PATH "/etc/system-fips" +#endif + +int +FIPS_module_installed(void) + { + int rv; + rv = access(FIPS_MODULE_PATH, F_OK); + if (rv < 0 && errno != ENOENT) + rv = 0; + + /* Installed == true */ + return !rv; + } + int FIPS_module_mode_set(int onoff, const char *auth) { int ret = 0; @@ -379,15 +424,7 @@ int FIPS_module_mode_set(int onoff, cons } #endif - if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set")) - { - FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); - fips_selftest_fail = 1; - ret = 0; - goto end; - } - - if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new")) + if(!verify_checksums()) { FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); fips_selftest_fail = 1; Index: openssl-1.0.1e/crypto/fips/fips.h =================================================================== --- openssl-1.0.1e.orig/crypto/fips/fips.h +++ openssl-1.0.1e/crypto/fips/fips.h @@ -74,6 +74,7 @@ struct hmac_ctx_st; int FIPS_module_mode_set(int onoff, const char *auth); int FIPS_module_mode(void); +int FIPS_module_installed(void); const void *FIPS_rand_check(void); int FIPS_selftest(void); int FIPS_selftest_failed(void); Index: openssl-1.0.1e/crypto/o_init.c =================================================================== --- openssl-1.0.1e.orig/crypto/o_init.c +++ openssl-1.0.1e/crypto/o_init.c @@ -70,6 +70,9 @@ static void init_fips_mode(void) { char buf[2] = "0"; int fd; + + /* Ensure the selftests always run */ + FIPS_mode_set(1); if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { @@ -85,9 +88,15 @@ static void init_fips_mode(void) * otherwise. */ - if (buf[0] == '1') + if (buf[0] != '1') + { + /* drop down to non-FIPS mode if it is not requested */ + FIPS_mode_set(0); + } + else { - FIPS_mode_set(1); + /* abort if selftest failed */ + FIPS_selftest_check(); } } #endif @@ -96,13 +105,19 @@ static void init_fips_mode(void) * Currently only sets FIPS callbacks */ -void OPENSSL_init_library(void) +void __attribute__ ((constructor)) OPENSSL_init_library(void) { static int done = 0; if (done) return; done = 1; #ifdef OPENSSL_FIPS + /* this should be an option, comment it, temporarily */ + /* if (!FIPS_module_installed()) + { + return; + } + */ RAND_init_fips(); init_fips_mode(); if (!FIPS_mode()) ++++++ openssl-1.0.1e-fips-ec.patch ++++++ ++++ 1960 lines (skipped) ++++++ openssl-1.0.1e-fips.patch ++++++ ++++ 20371 lines (skipped) ++++++ openssl-1.0.1e-new-fips-reqs.patch ++++++ ++++ 1115 lines (skipped) ++++++ openssl-1.0.1e-truststore.diff ++++++ Don't use the legacy /etc/ssl/certs directory anymore but rather the p11-kit generated /var/lib/ca-certificates/openssl one (fate#314991) Index: openssl-1.0.1e/crypto/cryptlib.h =================================================================== --- openssl-1.0.1e.orig/crypto/cryptlib.h +++ openssl-1.0.1e/crypto/cryptlib.h @@ -81,7 +81,7 @@ extern "C" { #ifndef OPENSSL_SYS_VMS #define X509_CERT_AREA OPENSSLDIR -#define X509_CERT_DIR OPENSSLDIR "/certs" +#define X509_CERT_DIR "/var/lib/ca-certificates/openssl" #define X509_CERT_FILE OPENSSLDIR "/cert.pem" #define X509_PRIVATE_DIR OPENSSLDIR "/private" #else ++++++ openssl-CVE-2015-0209.patch ++++++ commit 89117535f1bb3ea72a17933b703271587d7aaf0b Author: Matt Caswell Date: Mon Feb 9 11:38:41 2015 +0000 Fix a failure to NULL a pointer freed on error. Inspired by BoringSSL commit 517073cd4b by Eric Roman CVE-2015-0209 Reviewed-by: Emilia Käsper Index: openssl-1.0.1k/crypto/ec/ec_asn1.c =================================================================== --- openssl-1.0.1k.orig/crypto/ec/ec_asn1.c 2015-03-19 15:58:22.021039425 +0100 +++ openssl-1.0.1k/crypto/ec/ec_asn1.c 2015-03-19 15:58:26.431103852 +0100 @@ -1142,8 +1142,6 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con ERR_R_MALLOC_FAILURE); goto err; } - if (a) - *a = ret; } else ret = *a; @@ -1225,11 +1223,13 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con ret->enc_flag |= EC_PKEY_NO_PUBKEY; } + if (a) + *a = ret; ok = 1; err: if (!ok) { - if (ret) + if (ret && (a == NULL || *a != ret)) EC_KEY_free(ret); ret = NULL; } ++++++ openssl-CVE-2015-0286.patch ++++++ commit ee5a1253285e5c9f406c8b57b0686319b70c07d8 Author: Dr. Stephen Henson Date: Mon Mar 9 23:11:45 2015 +0000 Fix ASN1_TYPE_cmp Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This can be triggered during certificate verification so could be a DoS attack against a client or a server enabling client authentication. CVE-2015-0286 Reviewed-by: Richard Levitte Index: openssl-1.0.1i/crypto/asn1/a_type.c =================================================================== --- openssl-1.0.1i.orig/crypto/asn1/a_type.c 2015-03-17 14:15:18.832332902 +0100 +++ openssl-1.0.1i/crypto/asn1/a_type.c 2015-03-17 14:15:19.738346161 +0100 @@ -124,6 +124,9 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co case V_ASN1_OBJECT: result = OBJ_cmp(a->value.object, b->value.object); break; + case V_ASN1_BOOLEAN: + result = a->value.boolean - b->value.boolean; + break; case V_ASN1_NULL: result = 0; /* They do not have content. */ break; ++++++ openssl-CVE-2015-0287.patch ++++++ commit 1a87b757b9f755f687492f6b9f685be8e0cd82b0 Author: Dr. Stephen Henson Date: Mon Feb 23 12:57:50 2015 +0000 Free up passed ASN.1 structure if reused. Change the "reuse" behaviour in ASN1_item_d2i: if successful the old structure is freed and a pointer to the new one used. If it is not successful then the passed structure is untouched. Exception made for primitive types so ssl_asn1.c still works. Reviewed-by: Tim Hudson Reviewed-by: Emilia K�sper commit a9f34a7aac5fd89f33a34fb71e954b85fbf35875 Author: Dr. Stephen Henson Date: Mon Feb 23 02:32:44 2015 +0000 Free up ADB and CHOICE if already initialised. CVE-2015-0287 Reviewed-by: Tim Hudson Reviewed-by: Emilia K�sper Index: openssl-1.0.1i/crypto/asn1/tasn_dec.c =================================================================== --- openssl-1.0.1i.orig/crypto/asn1/tasn_dec.c 2015-03-17 13:18:26.732161376 +0100 +++ openssl-1.0.1i/crypto/asn1/tasn_dec.c 2015-03-17 13:22:20.424576154 +0100 @@ -311,9 +317,16 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) goto auxerr; - /* Allocate structure */ - if (!*pval && !ASN1_item_ex_new(pval, it)) - { + if (*pval) { + /* Free up and zero CHOICE value if initialised */ + i = asn1_get_choice_selector(pval, it); + if ((i >= 0) && (i < it->tcount)) { + tt = it->templates + i; + pchptr = asn1_get_field_ptr(pval, tt); + ASN1_template_free(pchptr, tt); + asn1_set_choice_selector(pval, -1, it); + } + } else if (!ASN1_item_ex_new(pval, it)) { ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; @@ -407,6 +420,17 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) goto auxerr; + /* Free up and zero any ADB found */ + for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { + if (tt->flags & ASN1_TFLG_ADB_MASK) { + const ASN1_TEMPLATE *seqtt; + ASN1_VALUE **pseqval; + seqtt = asn1_do_adb(pval, tt, 1); + pseqval = asn1_get_field_ptr(pval, seqtt); + ASN1_template_free(pseqval, seqtt); + } + } + /* Get each field entry */ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { Index: openssl-1.0.1i/doc/crypto/d2i_X509.pod =================================================================== --- openssl-1.0.1i.orig/doc/crypto/d2i_X509.pod 2015-03-17 13:18:26.731161362 +0100 +++ openssl-1.0.1i/doc/crypto/d2i_X509.pod 2015-03-17 13:18:52.046531518 +0100 @@ -199,6 +199,12 @@ B<*px> is valid is broken and some parts persist if they are not present in the new one. As a result the use of this "reuse" behaviour is strongly discouraged. +Current versions of OpenSSL will not modify B<*px> if an error occurs. +If parsing succeeds then B<*px> is freed (if it is not NULL) and then +set to the value of the newly decoded structure. As a result B<*px> +B be allocated on the stack or an attempt will be made to +free an invalid pointer. + i2d_X509() will not return an error in many versions of OpenSSL, if mandatory fields are not initialized due to a programming error then the encoded structure may contain invalid data or omit the ++++++ openssl-CVE-2015-0288.patch ++++++ commit 51527f1e3564f210e984fe5b654c45d34e4f03d7 Author: Dr. Stephen Henson Date: Wed Feb 18 00:34:59 2015 +0000 Check public key is not NULL. CVE-2015-0288 PR#3708 Reviewed-by: Matt Caswell (cherry picked from commit 28a00bcd8e318da18031b2ac8778c64147cd54f9) Index: openssl-1.0.1i/crypto/x509/x509_req.c =================================================================== --- openssl-1.0.1i.orig/crypto/x509/x509_req.c 2015-03-17 13:22:30.712726374 +0100 +++ openssl-1.0.1i/crypto/x509/x509_req.c 2015-03-17 13:23:20.486453016 +0100 @@ -92,6 +92,8 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_ goto err; pktmp = X509_get_pubkey(x); + if (pktmp == NULL) + goto err; i=X509_REQ_set_pubkey(ret,pktmp); EVP_PKEY_free(pktmp); if (!i) goto err; ++++++ openssl-CVE-2015-0289.patch ++++++ commit d3d52c73544bba800c2a8f5ef3376358158cf2ca Author: Emilia Kasper Date: Fri Feb 27 16:52:23 2015 +0100 PKCS#7: avoid NULL pointer dereferences with missing content In PKCS#7, the ASN.1 content component is optional. This typically applies to inner content (detached signatures), however we must also handle unexpected missing outer content correctly. This patch only addresses functions reachable from parsing, decryption and verification, and functions otherwise associated with reading potentially untrusted data. Correcting all low-level API calls requires further work. CVE-2015-0289 Thanks to Michal Zalewski (Google) for reporting this issue. Reviewed-by: Steve Henson Index: openssl-1.0.1i/crypto/pkcs7/pk7_doit.c =================================================================== --- openssl-1.0.1i.orig/crypto/pkcs7/pk7_doit.c 2015-03-17 13:23:33.961649688 +0100 +++ openssl-1.0.1i/crypto/pkcs7/pk7_doit.c 2015-03-17 13:34:34.445347342 +0100 @@ -272,6 +272,25 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) PKCS7_RECIP_INFO *ri=NULL; ASN1_OCTET_STRING *os=NULL; + if (p7 == NULL) { + PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER); + return NULL; + } + /* + * The content field in the PKCS7 ContentInfo is optional, but that really + * only applies to inner content (precisely, detached signatures). + * + * When reading content, missing outer content is therefore treated as an + * error. + * + * When creating content, PKCS7_content_new() must be called before + * calling this method, so a NULL p7->d is always an error. + */ + if (p7->d.ptr == NULL) { + PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT); + return NULL; + } + i=OBJ_obj2nid(p7->type); p7->state=PKCS7_S_HEADER; @@ -433,6 +452,16 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE unsigned char *ek = NULL, *tkey = NULL; int eklen = 0, tkeylen = 0; + if (p7 == NULL) { + PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER); + return NULL; + } + + if (p7->d.ptr == NULL) { + PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT); + return NULL; + } + i=OBJ_obj2nid(p7->type); p7->state=PKCS7_S_HEADER; @@ -752,6 +781,16 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL; ASN1_OCTET_STRING *os=NULL; + if (p7 == NULL) { + PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER); + return 0; + } + + if (p7->d.ptr == NULL) { + PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT); + return 0; + } + EVP_MD_CTX_init(&ctx_tmp); i=OBJ_obj2nid(p7->type); p7->state=PKCS7_S_HEADER; @@ -796,6 +835,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) /* If detached data then the content is excluded */ if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) { M_ASN1_OCTET_STRING_free(os); + os = NULL; p7->d.sign->contents->d.data = NULL; } break; @@ -806,6 +846,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached) { M_ASN1_OCTET_STRING_free(os); + os = NULL; p7->d.digest->contents->d.data = NULL; } break; @@ -878,24 +919,31 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len); } - if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF)) - { - char *cont; - long contlen; - btmp=BIO_find_type(bio,BIO_TYPE_MEM); - if (btmp == NULL) - { - PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO); - goto err; - } - contlen = BIO_get_mem_data(btmp, &cont); - /* Mark the BIO read only then we can use its copy of the data - * instead of making an extra copy. - */ - BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY); - BIO_set_mem_eof_return(btmp, 0); - ASN1_STRING_set0(os, (unsigned char *)cont, contlen); - } + if (!PKCS7_is_detached(p7)) { + /* + * NOTE(emilia): I think we only reach os == NULL here because detached + * digested data support is broken. + */ + if (os == NULL) + goto err; + if (!(os->flags & ASN1_STRING_FLAG_NDEF)) { + char *cont; + long contlen; + btmp = BIO_find_type(bio, BIO_TYPE_MEM); + if (btmp == NULL) { + PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_UNABLE_TO_FIND_MEM_BIO); + goto err; + } + contlen = BIO_get_mem_data(btmp, &cont); + /* + * Mark the BIO read only then we can use its copy of the data + * instead of making an extra copy. + */ + BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY); + BIO_set_mem_eof_return(btmp, 0); + ASN1_STRING_set0(os, (unsigned char *)cont, contlen); + } + } ret=1; err: EVP_MD_CTX_cleanup(&ctx_tmp); @@ -971,6 +1019,16 @@ int PKCS7_dataVerify(X509_STORE *cert_st STACK_OF(X509) *cert; X509 *x509; + if (p7 == NULL) { + PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER); + return 0; + } + + if (p7->d.ptr == NULL) { + PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT); + return 0; + } + if (PKCS7_type_is_signed(p7)) { cert=p7->d.sign->cert; Index: openssl-1.0.1i/crypto/pkcs7/pk7_lib.c =================================================================== --- openssl-1.0.1i.orig/crypto/pkcs7/pk7_lib.c 2015-03-17 13:23:37.451700626 +0100 +++ openssl-1.0.1i/crypto/pkcs7/pk7_lib.c 2015-03-17 13:36:01.708627632 +0100 @@ -71,6 +71,7 @@ long PKCS7_ctrl(PKCS7 *p7, int cmd, long switch (cmd) { + /* NOTE(emilia): does not support detached digested data. */ case PKCS7_OP_SET_DETACHED_SIGNATURE: if (nid == NID_pkcs7_signed) { @@ -459,6 +460,8 @@ int PKCS7_set_digest(PKCS7 *p7, const EV STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7) { + if (p7 == NULL || p7->d.ptr == NULL) + return NULL; if (PKCS7_type_is_signed(p7)) { return(p7->d.sign->signer_info); ++++++ openssl-CVE-2015-0293.patch ++++++ commit a40c1bcb8c37fbad24d8f28f0fb0204d76f0fee2 Author: Emilia Kasper Date: Wed Mar 4 09:05:02 2015 -0800 Fix reachable assert in SSLv2 servers. This assert is reachable for servers that support SSLv2 and export ciphers. Therefore, such servers can be DoSed by sending a specially crafted SSLv2 CLIENT-MASTER-KEY. Also fix s2_srvr.c to error out early if the key lengths are malformed. These lengths are sent unencrypted, so this does not introduce an oracle. CVE-2015-0293 This issue was discovered by Sean Burford (Google) and Emilia Käsper of the OpenSSL development team. Reviewed-by: Richard Levitte Reviewed-by: Tim Hudson Index: openssl-1.0.1i/ssl/s2_lib.c =================================================================== --- openssl-1.0.1i.orig/ssl/s2_lib.c 2015-03-17 14:05:13.745459798 +0100 +++ openssl-1.0.1i/ssl/s2_lib.c 2015-03-17 14:05:14.763474757 +0100 @@ -487,7 +487,7 @@ int ssl2_generate_key_material(SSL *s) OPENSSL_assert(s->session->master_key_length >= 0 && s->session->master_key_length - < (int)sizeof(s->session->master_key)); + <= (int)sizeof(s->session->master_key)); EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length); EVP_DigestUpdate(&ctx,&c,1); c++; Index: openssl-1.0.1i/ssl/s2_srvr.c =================================================================== --- openssl-1.0.1i.orig/ssl/s2_srvr.c 2015-03-17 14:05:13.721459445 +0100 +++ openssl-1.0.1i/ssl/s2_srvr.c 2015-03-17 14:07:43.262655766 +0100 @@ -446,9 +446,6 @@ static int get_client_master_key(SSL *s) SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY); return(-1); } - i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc, - &(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]), - (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING); is_export=SSL_C_IS_EXPORT(s->session->cipher); @@ -467,21 +464,59 @@ static int get_client_master_key(SSL *s) else ek=5; + /* + * The format of the CLIENT-MASTER-KEY message is + * 1 byte message type + * 3 bytes cipher + * 2-byte clear key length (stored in s->s2->tmp.clear) + * 2-byte encrypted key length (stored in s->s2->tmp.enc) + * 2-byte key args length (IV etc) + * clear key + * encrypted key + * key args + * + * If the cipher is an export cipher, then the encrypted key bytes + * are a fixed portion of the total key (5 or 8 bytes). The size of + * this portion is in |ek|. If the cipher is not an export cipher, + * then the entire key material is encrypted (i.e., clear key length + * must be zero). + */ + if ((!is_export && s->s2->tmp.clear != 0) || + (is_export && s->s2->tmp.clear + ek != EVP_CIPHER_key_length(c))) { + ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); + SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH); + return -1; + } + /* + * The encrypted blob must decrypt to the encrypted portion of the key. + * Decryption can't be expanding, so if we don't have enough encrypted + * bytes to fit the key in the buffer, stop now. + */ + if ((is_export && s->s2->tmp.enc < ek) || + (!is_export && s->s2->tmp.enc < EVP_CIPHER_key_length(c))) { + ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); + SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT); + return -1; + } + + i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc, + &(p[s->s2->tmp.clear]), + &(p[s->s2->tmp.clear]), + (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING : + RSA_PKCS1_PADDING); + /* bad decrypt */ #if 1 /* If a bad decrypt, continue with protocol but with a * random master secret (Bleichenbacher attack) */ - if ((i < 0) || - ((!is_export && (i != EVP_CIPHER_key_length(c))) - || (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i != - (unsigned int)EVP_CIPHER_key_length(c)))))) - { + if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c)) + || (is_export && i != ek))) { ERR_clear_error(); if (is_export) i=ek; else i=EVP_CIPHER_key_length(c); - if (RAND_pseudo_bytes(p,i) <= 0) + if (RAND_pseudo_bytes(&p[s->s2->tmp.clear], i) <= 0) return 0; } #else @@ -505,7 +540,8 @@ static int get_client_master_key(SSL *s) } #endif - if (is_export) i+=s->s2->tmp.clear; + if (is_export) + i = EVP_CIPHER_key_length(c); if (i > SSL_MAX_MASTER_KEY_LENGTH) { ++++++ openssl-CVE-2015-1788.patch ++++++ commit 4924b37ee01f71ae19c94a8934b80eeb2f677932 Author: Andy Polyakov Date: Thu Jun 11 00:18:01 2015 +0200 bn/bn_gf2m.c: avoid infinite loop wich malformed ECParamters. CVE-2015-1788 Reviewed-by: Matt Caswell Index: openssl-1.0.1i/crypto/bn/bn_gf2m.c =================================================================== --- openssl-1.0.1i.orig/crypto/bn/bn_gf2m.c 2015-06-12 09:46:24.360586854 +0200 +++ openssl-1.0.1i/crypto/bn/bn_gf2m.c 2015-06-12 09:48:11.218840146 +0200 @@ -568,9 +568,10 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIG } #else { - int i, ubits = BN_num_bits(u), - vbits = BN_num_bits(v), /* v is copy of p */ - top = p->top; + int i; + int ubits = BN_num_bits(u); + int vbits = BN_num_bits(v); /* v is copy of p */ + int top = p->top; BN_ULONG *udp,*bdp,*vdp,*cdp; bn_wexpand(u,top); udp = u->d; @@ -611,7 +612,12 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIG ubits--; } - if (ubits<=BN_BITS2 && udp[0]==1) break; + if (ubits <= BN_BITS2) { + if (udp[0] == 0) /* poly was reducible */ + goto err; + if (udp[0] == 1) + break; + } if (ubits Date: Wed Apr 8 16:56:43 2015 +0200 Fix length checks in X509_cmp_time to avoid out-of-bounds reads. Also tighten X509_cmp_time to reject more than three fractional seconds in the time; and to reject trailing garbage after the offset. CVE-2015-1789 Reviewed-by: Viktor Dukhovni Reviewed-by: Richard Levitte Index: openssl-1.0.1i/crypto/x509/x509_vfy.c =================================================================== --- openssl-1.0.1i.orig/crypto/x509/x509_vfy.c 2015-06-12 09:53:10.174344061 +0200 +++ openssl-1.0.1i/crypto/x509/x509_vfy.c 2015-06-12 10:06:54.613990422 +0200 @@ -1684,49 +1684,87 @@ int X509_cmp_time(const ASN1_TIME *ctm, ASN1_TIME atm; long offset; char buff1[24],buff2[24],*p; - int i,j; + int i,j,remaining; p=buff1; - i=ctm->length; + remaining=ctm->length; str=(char *)ctm->data; + /* + * Note that the following (historical) code allows much more slack in the + * time format than RFC5280. In RFC5280, the representation is fixed: + * UTCTime: YYMMDDHHMMSSZ + * GeneralizedTime: YYYYMMDDHHMMSSZ + */ if (ctm->type == V_ASN1_UTCTIME) { - if ((i < 11) || (i > 17)) return 0; + /* YYMMDDHHMM[SS]Z or YYMMDDHHMM[SS](+-)hhmm */ + int min_length = sizeof("YYMMDDHHMMZ") - 1; + int max_length = sizeof("YYMMDDHHMMSS+hhmm") - 1; + if (remaining < min_length || remaining > max_length) + return 0; memcpy(p,str,10); p+=10; str+=10; + remaining -= 10; } else { - if (i < 13) return 0; + /* YYYYMMDDHHMM[SS[.fff]]Z or YYYYMMDDHHMM[SS[.f[f[f]]]](+-)hhmm */ + int min_length = sizeof("YYYYMMDDHHMMZ") - 1; + int max_length = sizeof("YYYYMMDDHHMMSS.fff+hhmm") - 1; + if (remaining < min_length || remaining > max_length) + return 0; memcpy(p,str,12); p+=12; str+=12; + remaining -= 12; } if ((*str == 'Z') || (*str == '-') || (*str == '+')) { *(p++)='0'; *(p++)='0'; } else { + /* SS (seconds) */ + if (remaining < 2) + return 0; *(p++)= *(str++); *(p++)= *(str++); - /* Skip any fractional seconds... */ - if (*str == '.') - { + remaining -= 2; + /* + * Skip any (up to three) fractional seconds... + * TODO(emilia): in RFC5280, fractional seconds are forbidden. + * Can we just kill them altogether? + */ + if (remaining && *str == '.') { str++; - while ((*str >= '0') && (*str <= '9')) str++; + remaining--; + for (i = 0; i < 3 && remaining; i++, str++, remaining--) { + if (*str < '0' || *str > '9') + break; + } } } *(p++)='Z'; *(p++)='\0'; - if (*str == 'Z') - offset=0; - else - { + /* We now need either a terminating 'Z' or an offset. */ + if (!remaining) + return 0; + if (*str == 'Z') { + if (remaining != 1) + return 0; + offset=0; + } else { + /* (+-)HHMM */ if ((*str != '+') && (*str != '-')) return 0; + /* Historical behaviour: the (+-)hhmm offset is forbidden in RFC5280. */ + if (remaining != 5) + return 0; + if (str[1] < '0' || str[1] > '9' || str[2] < '0' || str[2] > '9' || + str[3] < '0' || str[3] > '9' || str[4] < '0' || str[4] > '9') + return 0; offset=((str[1]-'0')*10+(str[2]-'0'))*60; offset+=(str[3]-'0')*10+(str[4]-'0'); if (*str == '-') ++++++ openssl-CVE-2015-1790.patch ++++++ commit 59302b600e8d5b77ef144e447bb046fd7ab72686 Author: Emilia Kasper Date: Tue May 12 19:00:30 2015 +0200 PKCS#7: Fix NULL dereference with missing EncryptedContent. CVE-2015-1790 Reviewed-by: Rich Salz Index: openssl-1.0.1i/crypto/pkcs7/pk7_doit.c =================================================================== --- openssl-1.0.1i.orig/crypto/pkcs7/pk7_doit.c 2015-06-12 12:40:53.809587792 +0200 +++ openssl-1.0.1i/crypto/pkcs7/pk7_doit.c 2015-06-12 12:40:53.838588132 +0200 @@ -468,6 +468,12 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE switch (i) { case NID_pkcs7_signed: + /* + * p7->d.sign->contents is a PKCS7 structure consisting of a contentType + * field and optional content. + * data_body is NULL if that structure has no (=detached) content + * or if the contentType is wrong (i.e., not "data"). + */ data_body=PKCS7_get_octet_string(p7->d.sign->contents); if (!PKCS7_is_detached(p7) && data_body == NULL) { @@ -479,6 +485,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE case NID_pkcs7_signedAndEnveloped: rsk=p7->d.signed_and_enveloped->recipientinfo; md_sk=p7->d.signed_and_enveloped->md_algs; + /* data_body is NULL if the optional EncryptedContent is missing. */ data_body=p7->d.signed_and_enveloped->enc_data->enc_data; enc_alg=p7->d.signed_and_enveloped->enc_data->algorithm; evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm); @@ -504,6 +511,12 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE goto err; } + /* Detached content must be supplied via in_bio instead. */ + if (data_body == NULL && in_bio == NULL) { + PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT); + goto err; + } + /* We will be checking the signature */ if (md_sk != NULL) { @@ -660,8 +673,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE } #if 1 - if (PKCS7_is_detached(p7) || (in_bio != NULL)) - { + if (in_bio != NULL) { bio=in_bio; } else ++++++ openssl-CVE-2015-1791.patch ++++++ commit 98ece4eebfb6cd45cc8d550c6ac0022965071afc Author: Matt Caswell Date: Mon May 18 16:27:48 2015 +0100 Fix race condition in NewSessionTicket If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data. CVE-2015-1791 This also fixes RT#3808 where a session ID is changed for a session already in the client session cache. Since the session ID is the key to the cache this breaks the cache access. Parts of this patch were inspired by this Akamai change: https://github.com/akamai/openssl/commit/c0bf69a791239ceec64509f9f19fcafb2461b0d3 Reviewed-by: Rich Salz commit 907f04a30354615e54beaa2bc0b986083f7793ee Author: Matt Caswell Date: Thu Jun 11 01:30:06 2015 +0100 More ssl_session_dup fixes Fix error handling in ssl_session_dup, as well as incorrect setting up of the session ticket. Follow on from CVE-2015-1791. Thanks to LibreSSL project for reporting these issues. Conflicts: ssl/ssl_sess.c Reviewed-by: Tim Hudson Index: openssl-1.0.1i/ssl/ssl.h =================================================================== --- openssl-1.0.1i.orig/ssl/ssl.h 2015-06-12 19:15:11.549954732 +0200 +++ openssl-1.0.1i/ssl/ssl.h 2015-06-12 19:15:13.279975926 +0200 @@ -2254,6 +2254,7 @@ void ERR_load_SSL_strings(void); #define SSL_F_SSL_READ 223 #define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187 #define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188 +#define SSL_F_SSL_SESSION_DUP 348 #define SSL_F_SSL_SESSION_NEW 189 #define SSL_F_SSL_SESSION_PRINT_FP 190 #define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 312 Index: openssl-1.0.1i/ssl/s3_clnt.c =================================================================== --- openssl-1.0.1i.orig/ssl/s3_clnt.c 2015-06-12 19:15:11.549954732 +0200 +++ openssl-1.0.1i/ssl/s3_clnt.c 2015-06-12 19:15:13.279975926 +0200 @@ -2105,6 +2105,38 @@ int ssl3_get_new_session_ticket(SSL *s) } p=d=(unsigned char *)s->init_msg; + + if (s->session->session_id_length > 0) { + int i = s->session_ctx->session_cache_mode; + SSL_SESSION *new_sess; + /* + * We reused an existing session, so we need to replace it with a new + * one + */ + if (i & SSL_SESS_CACHE_CLIENT) { + /* + * Remove the old session from the cache + */ + if (i & SSL_SESS_CACHE_NO_INTERNAL_STORE) { + if (s->session_ctx->remove_session_cb != NULL) + s->session_ctx->remove_session_cb(s->session_ctx, + s->session); + } else { + /* We carry on if this fails */ + SSL_CTX_remove_session(s->session_ctx, s->session); + } + } + + if ((new_sess = ssl_session_dup(s->session, 0)) == 0) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); + goto f_err; + } + + SSL_SESSION_free(s->session); + s->session = new_sess; + } + n2l(p, s->session->tlsext_tick_lifetime_hint); n2s(p, ticklen); /* ticket_lifetime_hint + ticket_length + ticket */ Index: openssl-1.0.1i/ssl/ssl_err.c =================================================================== --- openssl-1.0.1i.orig/ssl/ssl_err.c 2015-06-12 19:15:11.549954732 +0200 +++ openssl-1.0.1i/ssl/ssl_err.c 2015-06-12 19:15:13.280975939 +0200 @@ -245,6 +245,7 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_FUNC(SSL_F_SSL_READ), "SSL_read"}, {ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT), "SSL_RSA_PRIVATE_DECRYPT"}, {ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT), "SSL_RSA_PUBLIC_ENCRYPT"}, +{ERR_FUNC(SSL_F_SSL_SESSION_DUP), "ssl_session_dup"}, {ERR_FUNC(SSL_F_SSL_SESSION_NEW), "SSL_SESSION_new"}, {ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP), "SSL_SESSION_print_fp"}, {ERR_FUNC(SSL_F_SSL_SESSION_SET1_ID_CONTEXT), "SSL_SESSION_set1_id_context"}, Index: openssl-1.0.1i/ssl/ssl_locl.h =================================================================== --- openssl-1.0.1i.orig/ssl/ssl_locl.h 2015-06-12 19:15:11.549954732 +0200 +++ openssl-1.0.1i/ssl/ssl_locl.h 2015-06-12 19:15:13.280975939 +0200 @@ -835,6 +835,7 @@ void ssl_sess_cert_free(SESS_CERT *sc); int ssl_set_peer_cert_type(SESS_CERT *c, int type); int ssl_get_new_session(SSL *s, int session); int ssl_get_prev_session(SSL *s, unsigned char *session,int len, const unsigned char *limit); +SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket); int ssl_cipher_id_cmp(const SSL_CIPHER *a,const SSL_CIPHER *b); DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id); Index: openssl-1.0.1i/ssl/ssl_sess.c =================================================================== --- openssl-1.0.1i.orig/ssl/ssl_sess.c 2015-06-12 19:15:11.549954732 +0200 +++ openssl-1.0.1i/ssl/ssl_sess.c 2015-06-12 19:26:20.502163556 +0200 @@ -224,6 +224,129 @@ SSL_SESSION *SSL_SESSION_new(void) return(ss); } +/* + * Create a new SSL_SESSION and duplicate the contents of |src| into it. If + * ticket == 0 then no ticket information is duplicated, otherwise it is. + */ +SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) +{ + SSL_SESSION *dest; + + dest = OPENSSL_malloc(sizeof(*src)); + if (dest == NULL) { + goto err; + } + memcpy(dest, src, sizeof(*dest)); + + /* Set the various pointers to NULL so that we can call SSL_SESSION_free in + * the case of an error whilst halfway through constructing dest + */ +#ifndef OPENSSL_NO_PSK + dest->psk_identity_hint = NULL; + dest->psk_identity = NULL; +#endif + dest->ciphers = NULL; +#ifndef OPENSSL_NO_TLSEXT + dest->tlsext_hostname = NULL; +# ifndef OPENSSL_NO_EC + dest->tlsext_ecpointformatlist = NULL; + dest->tlsext_ellipticcurvelist = NULL; +# endif +#endif + dest->tlsext_tick = NULL; +#ifndef OPENSSL_NO_SRP + dest->srp_username = NULL; +#endif + memset(&dest->ex_data, 0, sizeof(dest->ex_data)); + + /* We deliberately don't copy the prev and next pointers */ + dest->prev = NULL; + dest->next = NULL; + + dest->references = 1; + + if (src->sess_cert != NULL) + CRYPTO_add(&src->sess_cert->references, 1, CRYPTO_LOCK_SSL_SESS_CERT); + + if (src->peer != NULL) + CRYPTO_add(&src->peer->references, 1, CRYPTO_LOCK_X509); +#ifndef OPENSSL_NO_PSK + if (src->psk_identity_hint) { + dest->psk_identity_hint = BUF_strdup(src->psk_identity_hint); + if (dest->psk_identity_hint == NULL) { + goto err; + } + } + if (src->psk_identity) { + dest->psk_identity = BUF_strdup(src->psk_identity); + if (dest->psk_identity == NULL) { + goto err; + } + } +#endif + + if(src->ciphers != NULL) { + dest->ciphers = sk_SSL_CIPHER_dup(src->ciphers); + if (dest->ciphers == NULL) + goto err; + } + + if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, + &dest->ex_data, &src->ex_data)) { + goto err; + } + +#ifndef OPENSSL_NO_TLSEXT + if (src->tlsext_hostname) { + dest->tlsext_hostname = BUF_strdup(src->tlsext_hostname); + if (dest->tlsext_hostname == NULL) { + goto err; + } + } +# ifndef OPENSSL_NO_EC + if (src->tlsext_ecpointformatlist) { + dest->tlsext_ecpointformatlist = + BUF_memdup(src->tlsext_ecpointformatlist, + src->tlsext_ecpointformatlist_length); + if (dest->tlsext_ecpointformatlist == NULL) + goto err; + } + if (src->tlsext_ellipticcurvelist) { + dest->tlsext_ellipticcurvelist = + BUF_memdup(src->tlsext_ellipticcurvelist, + src->tlsext_ellipticcurvelist_length); + if (dest->tlsext_ellipticcurvelist == NULL) + goto err; + } +# endif +#endif + + if (ticket != 0) { + dest->tlsext_tick = BUF_memdup(src->tlsext_tick, src->tlsext_ticklen); + if(dest->tlsext_tick == NULL) + goto err; + } else { + dest->tlsext_tick_lifetime_hint = 0; + dest->tlsext_ticklen = 0; + } + +#ifndef OPENSSL_NO_SRP + if (src->srp_username) { + dest->srp_username = BUF_strdup(src->srp_username); + if (dest->srp_username == NULL) { + goto err; + } + } +#endif + + return dest; +err: + SSLerr(SSL_F_SSL_SESSION_DUP, ERR_R_MALLOC_FAILURE); + SSL_SESSION_free(dest); + return NULL; +} + + const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) { if(len) ++++++ openssl-CVE-2015-1792.patch ++++++ commit 92f9a8bf3844359bb50d86dab92bc24b074d350d Author: Dr. Stephen Henson Date: Fri Jun 5 12:11:25 2015 +0100 Fix infinite loop in CMS Fix loop in do_free_upto if cmsbio is NULL: this will happen when attempting to verify and a digest is not recognised. Reported by Johannes Bauer. CVE-2015-1792 Reviewed-by: Matt Caswell Index: openssl-1.0.1i/crypto/cms/cms_smime.c =================================================================== --- openssl-1.0.1i.orig/crypto/cms/cms_smime.c 2015-06-12 11:37:27.983984849 +0200 +++ openssl-1.0.1i/crypto/cms/cms_smime.c 2015-06-12 11:38:03.058396809 +0200 @@ -141,7 +141,7 @@ static void do_free_upto(BIO *f, BIO *up BIO_free(f); f = tbio; } - while (f != upto); + while (f && f != upto); } else BIO_free_all(f); ++++++ openssl-CVE-2015-3194.patch ++++++ >From d8541d7e9e63bf5f343af24644046c8d96498c17 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Fri, 2 Oct 2015 13:10:29 +0100 Subject: [PATCH] Add PSS parameter check. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Avoid seg fault by checking mgf1 parameter is not NULL. This can be triggered during certificate verification so could be a DoS attack against a client or a server enabling client authentication. Thanks to Loïc Jonas Etienne (Qnective AG) for discovering this bug. CVE-2015-3194 Reviewed-by: Matt Caswell --- crypto/rsa/rsa_ameth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: openssl-1.0.1i/crypto/rsa/rsa_ameth.c =================================================================== --- openssl-1.0.1i.orig/crypto/rsa/rsa_ameth.c 2015-12-03 17:56:38.292632624 +0100 +++ openssl-1.0.1i/crypto/rsa/rsa_ameth.c 2015-12-03 17:58:11.106130819 +0100 @@ -287,7 +287,7 @@ static RSA_PSS_PARAMS *rsa_pss_decode(co { ASN1_TYPE *param = pss->maskGenAlgorithm->parameter; if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1 - && param->type == V_ASN1_SEQUENCE) + && param && param->type == V_ASN1_SEQUENCE) { p = param->value.sequence->data; plen = param->value.sequence->length; ++++++ openssl-CVE-2015-3195.patch ++++++ >From b29ffa392e839d05171206523e84909146f7a77c Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 10 Nov 2015 19:03:07 +0000 Subject: [PATCH] Fix leak with ASN.1 combine. When parsing a combined structure pass a flag to the decode routine so on error a pointer to the parent structure is not zeroed as this will leak any additional components in the parent. This can leak memory in any application parsing PKCS#7 or CMS structures. CVE-2015-3195. Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using libFuzzer. PR#4131 Reviewed-by: Richard Levitte --- crypto/asn1/tasn_dec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) Index: openssl-1.0.1i/crypto/asn1/tasn_dec.c =================================================================== --- openssl-1.0.1i.orig/crypto/asn1/tasn_dec.c 2015-12-03 17:59:01.272944957 +0100 +++ openssl-1.0.1i/crypto/asn1/tasn_dec.c 2015-12-03 18:02:54.285726394 +0100 @@ -169,6 +169,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, int otag; int ret = 0; ASN1_VALUE **pchptr, *ptmpval; + int combine = aclass & ASN1_TFLG_COMBINE; + aclass &= ~ASN1_TFLG_COMBINE; if (!pval) return 0; if (aux && aux->asn1_cb) @@ -534,7 +536,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, auxerr: ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR); err: - ASN1_item_ex_free(pval, it); + if (combine == 0) + ASN1_item_ex_free(pval, it); if (errtt) ERR_add_error_data(4, "Field=", errtt->field_name, ", Type=", it->sname); @@ -762,7 +765,7 @@ static int asn1_template_noexp_d2i(ASN1_ { /* Nothing special */ ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), - -1, 0, opt, ctx); + -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ++++++ openssl-CVE-2015-3196.patch ++++++ >From d6be3124f22870f1888c532523b74ea5d89795eb Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 1 Jul 2015 23:40:03 +0100 Subject: [PATCH] Fix PSK handling. The PSK identity hint should be stored in the SSL_SESSION structure and not in the parent context (which will overwrite values used by other SSL structures with the same SSL_CTX). Use BUF_strndup when copying identity as it may not be null terminated. Reviewed-by: Tim Hudson (cherry picked from commit 3c66a669dfc7b3792f7af0758ea26fe8502ce70c) --- ssl/s3_clnt.c | 17 +++-------------- ssl/s3_srvr.c | 2 +- 2 files changed, 4 insertions(+), 15 deletions(-) Index: openssl-1.0.1k/ssl/s3_clnt.c =================================================================== --- openssl-1.0.1k.orig/ssl/s3_clnt.c 2015-12-04 17:07:16.576888840 +0100 +++ openssl-1.0.1k/ssl/s3_clnt.c 2015-12-04 17:23:09.487644962 +0100 @@ -1360,8 +1360,6 @@ int ssl3_get_key_exchange(SSL *s) #ifndef OPENSSL_NO_PSK if (alg_k & SSL_kPSK) { - char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1]; - param_len = 2; if (param_len > n) { @@ -1390,17 +1388,8 @@ int ssl3_get_key_exchange(SSL *s) } param_len += i; - /* If received PSK identity hint contains NULL - * characters, the hint is truncated from the first - * NULL. p may not be ending with NULL, so create a - * NULL-terminated string. */ - memcpy(tmp_id_hint, p, i); - memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i); - if (s->ctx->psk_identity_hint != NULL) - OPENSSL_free(s->ctx->psk_identity_hint); - s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint); - if (s->ctx->psk_identity_hint == NULL) - { + s->session->psk_identity_hint = BUF_strndup((char *)p, i); + if (s->session->psk_identity_hint == NULL) { al=SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); goto f_err; @@ -3002,7 +2991,7 @@ int ssl3_send_client_key_exchange(SSL *s } memset(identity, 0, sizeof(identity)); - psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint, + psk_len = s->psk_client_callback(s, s->session->psk_identity_hint, identity, sizeof(identity) - 1, psk_or_pre_ms, sizeof(psk_or_pre_ms)); if (psk_len > PSK_MAX_PSK_LEN) Index: openssl-1.0.1k/ssl/s3_srvr.c =================================================================== --- openssl-1.0.1k.orig/ssl/s3_srvr.c 2015-12-04 17:07:14.127850873 +0100 +++ openssl-1.0.1k/ssl/s3_srvr.c 2015-12-04 17:07:16.577888855 +0100 @@ -2816,7 +2816,7 @@ int ssl3_get_client_key_exchange(SSL *s) if (s->session->psk_identity != NULL) OPENSSL_free(s->session->psk_identity); - s->session->psk_identity = BUF_strdup((char *)p); + s->session->psk_identity = BUF_strndup((char *)p, i); if (s->session->psk_identity == NULL) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ++++++ openssl-CVE-2015-3197.patch ++++++ commit 38015f7f9bb5cc3e8bcaf4a091082e5540af858d Author: Viktor Dukhovni Date: Wed Dec 30 22:44:51 2015 -0500 Better SSLv2 cipher-suite enforcement Based on patch by: Nimrod Aviram Reviewed-by: Tim Hudson Index: openssl-1.0.1k/ssl/s2_srvr.c =================================================================== --- openssl-1.0.1k.orig/ssl/s2_srvr.c 2016-01-28 15:29:26.391648704 +0100 +++ openssl-1.0.1k/ssl/s2_srvr.c 2016-01-28 15:38:15.819172856 +0100 @@ -400,7 +400,7 @@ static int get_client_master_key(SSL *s) } cp=ssl2_get_cipher_by_char(p); - if (cp == NULL) + if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0) { ssl2_return_error(s,SSL2_PE_NO_CIPHER); SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH); @@ -698,9 +698,13 @@ static int get_client_hello(SSL *s) prio = cs; allow = cl; } + + /* Generate list of SSLv2 ciphers shared between client and server */ for (z=0; z algorithm_ssl & SSL_SSLV2) == 0 || + sk_SSL_CIPHER_find(allow, cp) < 0) { (void)sk_SSL_CIPHER_delete(prio,z); z--; @@ -711,6 +715,14 @@ static int get_client_hello(SSL *s) sk_SSL_CIPHER_free(s->session->ciphers); s->session->ciphers = prio; } + + /* Make sure we have at least one cipher in common */ + if (sk_SSL_CIPHER_num(s->session->ciphers) == 0) { + ssl2_return_error(s, SSL2_PE_NO_CIPHER); + SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH); + return -1; + } + /* s->session->ciphers should now have a list of * ciphers that are on both the client and server. * This list is ordered by the order the client sent ++++++ openssl-fips-hidden.patch ++++++ --- openssl-1.0.1g.orig/crypto/fips/fips_rand_lcl.h +++ openssl-1.0.1g/crypto/fips/fips_rand_lcl.h @@ -51,6 +51,8 @@ * ==================================================================== */ +#pragma GCC visibility push(hidden) + typedef struct drbg_hash_ctx_st DRBG_HASH_CTX; typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX; typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX; @@ -217,3 +219,5 @@ const struct evp_cipher_st *FIPS_get_cip #define FIPS_digestupdate EVP_DigestUpdate #define FIPS_digestfinal EVP_DigestFinal #define M_EVP_MD_size EVP_MD_size + +#pragma GCC visibility pop --- openssl-1.0.1g.orig/crypto/fips/fips_rsa_x931g.c +++ openssl-1.0.1g/crypto/fips/fips_rsa_x931g.c @@ -65,7 +65,7 @@ #ifdef OPENSSL_FIPS #include -extern int fips_check_rsa(RSA *rsa); +extern int fips_check_rsa(RSA *rsa) __attribute__ ((visibility ("hidden"))); #endif /* X9.31 RSA key derivation and generation */ ++++++ openssl-fix-pod-syntax.diff ++++++ >From jaenicke@openssl.net Thu May 30 09:46:58 2013 CC: Jonathan Liu Resent-Date: Thu, 30 May 2013 09:46:58 +0200 X-Spam-Status: No, score=-2.3 required=5.0 tests=FREEMAIL_FROM, RCVD_IN_DNSWL_MED,T_DKIM_INVALID,T_TO_NO_BRKTS_FREEMAIL autolearn=ham version=3.3.2 X-Mailer: git-send-email 1.8.3 Message-ID: <1369887573-10819-1-git-send-email-net147@gmail.com> X-Received: by 10.68.65.134 with SMTP id x6mr5859535pbs.219.1369886755138; Wed, 29 May 2013 21:05:55 -0700 (PDT) Resent-To: rt-i12@openssl.net Received: by openssl.net (Postfix, from userid 29209) id 1548C1E0128; Thu, 30 May 2013 09:46:58 +0200 (CEST) Received: by openssl.net (Postfix, from userid 65534) id 852471E12CB; Thu, 30 May 2013 06:14:07 +0200 (CEST) Received: by openssl.net (Postfix, from userid 30009) id 6FF4D1E12CF; Thu, 30 May 2013 06:14:07 +0200 (CEST) Received: from master.openssl.org (openssl.org [194.97.152.144]) by openssl.net (Postfix) with ESMTP id B4F491E12CB for
3011
Age (days ago)
3011
Last active (days ago)
0 comments
1 participants
participants (1)
-
root@hilbert.suse.de