Hello community,
here is the log from the commit of package openssl.2786 for openSUSE:12.3:Update checked in at 2014-05-13 15:58:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/openssl.2786 (Old)
and /work/SRC/openSUSE:12.3:Update/.openssl.2786.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl.2786"
Changes:
--------
New Changes file:
--- /dev/null 2014-04-28 00:21:37.460033756 +0200
+++ /work/SRC/openSUSE:12.3:Update/.openssl.2786.new/openssl.changes 2014-05-13 15:58:37.000000000 +0200
@@ -0,0 +1,1500 @@
+-------------------------------------------------------------------
+Mon May 5 06:42:36 UTC 2014 - citypw@gmail.com
+
+- Fixed bug[ bnc#876282], CVE-2014-0198 openssl: OpenSSL NULL pointer dereference in do_ssl3_write
+ Add file: CVE-2014-0198.patch
+
+-------------------------------------------------------------------
+Wed Apr 23 06:16:53 UTC 2014 - citypw@gmail.com
+
+- Fixed bug[ bnc#873351] CVE-2010-5298: openssl: Use-after-free race condition,in OpenSSL's read buffer
+ Add file: CVE-2010-5298.patch
+
+-------------------------------------------------------------------
+Thu Apr 10 12:31:10 UTC 2014 - shchang@suse.com
+
+- Upgrade to 1.0.1g:
+ * TLS heartbeat read overrun (CVE-2014-0160)
+ * Fixed: CVE-2013-4353, CVE-2013-6449, CVE-2013-6450, CVE-2014-0076, CVE-2014-0160
+
+ Add files: openssl-1.0.1g.tar.gz, openssl-1.0.1g.tar.gz.asc
+ Delete files: openssl-1.0.1e.tar.gz, openssl-1.0.1e.tar.gz.asc, CVE-2013-4353.patch,
+ CVE-2013-6449.patch, CVE-2013-6450.patch, CVE-2014-0076.patch, bug-861384-crash_webrtc.patch,
+ CVE-2014-0160.patch, SSL_get_certificate-broken.patch, openssl-1.0.1e-bnc822642.patch
+
+-------------------------------------------------------------------
+Tue Apr 8 05:24:11 UTC 2014 - shchang@suse.com
+
+- Fixed bug[ bnc#872299] CVE-2014-0160: openssl: missing bounds checks for heartbeat messages
+ Add file: CVE-2014-0160.patch
+
+-------------------------------------------------------------------
+Tue Mar 25 05:14:55 UTC 2014 - shchang@suse.com
+
+- Fix bug[ bnc#869945] CVE-2014-0076: openssl: Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack
+ Add file: CVE-2014-0076.patch
+
+-------------------------------------------------------------------
+Wed Feb 19 03:32:52 UTC 2014 - shchang@suse.com
+
+- Fixed bnc#861384, update to openssl-1.0.1e-11.14.1 broke WebRTC functionality in FreeSWITCH
+ Add file: bug-861384-crash_webrtc.patch
+
+-------------------------------------------------------------------
+Wed Jan 8 07:09:48 UTC 2014 - shchang@suse.com
+
+- Fixed bnc#857640, openssl: TLS record tampering issue can lead to OpenSSL crash
+ Add file: CVE-2013-4353.patch
+
+-------------------------------------------------------------------
+Thu Jan 2 17:06:57 UTC 2014 - shchang@suse.com
+
+- Fixed bnc#857203, openssl: crash in DTLS renegotiation after packet loss
+ Add file: CVE-2013-6450.patch
+
+-------------------------------------------------------------------
+Sun Dec 22 08:52:36 UTC 2013 - shchang@suse.com
+
+- Fixed bnc#856687, openssl: crash when using TLS 1.2
+ Add file: CVE-2013-6449.patch
+
+-------------------------------------------------------------------
+Tue Dec 17 13:57:40 UTC 2013 - meissner@suse.com
+
+- compression_methods_switch.patch: setenv might not be successful
+ if a surrounding library or application filters it, like e.g. sudo.
+ As setenv() does not seem to be useful anyway, remove it.
+ bnc#849377
+
+-------------------------------------------------------------------
+Mon Oct 28 16:11:30 UTC 2013 - meissner@suse.com
+
+- compression_methods_switch.patch:
+ Disable ssl compression by default to mitigate compression oracle
+ attacks like CRIME or BEAST.
+ bnc#793420 / CVE-2012-4929
+
+-------------------------------------------------------------------
+Fri Sep 27 10:26:43 UTC 2013 - dmacvicar@suse.de
+
+- VPN openconnect problem (DTLS handshake failed)
+ (git 9fe4603b8, bnc#822642, openssl ticket#2984)
+ + added openssl-1.0.1e-bnc822642.patch
+
+-------------------------------------------------------------------
+Mon Aug 12 06:16:31 UTC 2013 - shchang@suse.com
+
+- Fix bug[ bnc#832833] openssl ssl_set_cert_masks() is broken
+ modify patch file: SSL_get_certificate-broken.patch
+
+-------------------------------------------------------------------
+Tue Feb 12 00:08:06 UTC 2013 - hrvoje.senjan@gmail.com
+
+- Update to 1.0.1e
+ o Bugfix release (bnc#803004)
+- Drop openssl-1.0.1d-s3-packet.patch, included upstream
+
+-------------------------------------------------------------------
+Sun Feb 10 20:33:51 UTC 2013 - hrvoje.senjan@gmail.com
+
+- Added openssl-1.0.1d-s3-packet.patch from upstream, fixes
+ bnc#803004, openssl ticket#2975
+
+-------------------------------------------------------------------
+Tue Feb 5 16:00:17 UTC 2013 - meissner@suse.com
+
+- update to version 1.0.1d, fixing security issues
+ o Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version.
+ o Include the fips configuration module.
+ o Fix OCSP bad key DoS attack CVE-2013-0166
+ o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
+ bnc#802184
+ o Fix for TLS AESNI record handling flaw CVE-2012-2686
+
+-------------------------------------------------------------------
+Mon Nov 12 08:39:31 UTC 2012 - gjhe@suse.com
+
+- fix bug[bnc#784994] - VIA padlock support on 64 systems
+ e_padlock: add support for x86_64 gcc
+
+-------------------------------------------------------------------
+Sun Aug 19 23:38:32 UTC 2012 - crrodriguez@opensuse.org
+
+- Open Internal file descriptors with O_CLOEXEC, leaving
+ those open across fork()..execve() makes a perfect
+ vector for a side-channel attack...
+
+-------------------------------------------------------------------
+Tue Aug 7 17:17:34 UTC 2012 - dmueller@suse.com
+
+- fix build on armv5 (bnc#774710)
+
+-------------------------------------------------------------------
+Thu May 10 19:18:06 UTC 2012 - crrodriguez@opensuse.org
+
+- Update to version 1.0.1c for the complete list of changes see
+ NEWS, this only list packaging changes.
+- Drop aes-ni patch, no longer needed as it is builtin in openssl
+ now.
+- Define GNU_SOURCE and use -std=gnu99 to build the package.
+- Use LFS_CFLAGS in platforms where it matters.
+
+-------------------------------------------------------------------
+Fri May 4 12:09:57 UTC 2012 - lnussel@suse.de
+
+- don't install any demo or expired certs at all
+
+-------------------------------------------------------------------
+Mon Apr 23 05:57:35 UTC 2012 - gjhe@suse.com
+
+- update to latest stable verison 1.0.0i
+ including the following patches:
+ CVE-2012-2110.path
+ Bug748738_Tolerate_bad_MIME_headers.patch
+ bug749213-Free-headers-after-use.patch
+ bug749210-Symmetric-crypto-errors-in-PKCS7_decrypt.patch
+ CVE-2012-1165.patch
+ CVE-2012-0884.patch
+ bug749735.patch
+
+-------------------------------------------------------------------
+Tue Mar 27 09:16:37 UTC 2012 - gjhe@suse.com
+
+- fix bug[bnc#749735] - Memory leak when creating public keys.
+ fix bug[bnc#751977] - CMS and S/MIME Bleichenbacher attack
+ CVE-2012-0884
+
+-------------------------------------------------------------------
+Thu Mar 22 03:24:20 UTC 2012 - gjhe@suse.com
+
+- fix bug[bnc#751946] - S/MIME verification may erroneously fail
+ CVE-2012-1165
+
+-------------------------------------------------------------------
+Wed Mar 21 02:44:41 UTC 2012 - gjhe@suse.com
+
+- fix bug[bnc#749213]-Free headers after use in error message
+ and bug[bnc#749210]-Symmetric crypto errors in PKCS7_decrypt
+
+-------------------------------------------------------------------
+Tue Mar 20 14:29:24 UTC 2012 - cfarrell@suse.com
+
+- license update: OpenSSL
+
+-------------------------------------------------------------------
+Fri Feb 24 02:33:22 UTC 2012 - gjhe@suse.com
+
+- fix bug[bnc#748738] - Tolerate bad MIME headers in openssl's
+ asn1 parser.
+ CVE-2006-7250
+
+-------------------------------------------------------------------
+Thu Feb 2 06:55:12 UTC 2012 - gjhe@suse.com
+
+- Update to version 1.0.0g fix the following:
+ DTLS DoS attack (CVE-2012-0050)
+
+-------------------------------------------------------------------
++++ 1303 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.3:Update/.openssl.2786.new/openssl.changes
New:
----
CVE-2010-5298.patch
CVE-2014-0198.patch
README.SuSE
VIA_padlock_support_on_64systems.patch
baselibs.conf
bug610223.patch
compression_methods_switch.patch
merge_from_0.9.8k.patch
openssl-1.0.0-c_rehash-compat.diff
openssl-1.0.1g.tar.gz
openssl-1.0.1g.tar.gz.asc
openssl-ocloexec.patch
openssl.changes
openssl.spec
openssl.test
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssl.spec ++++++
#
# spec file for package openssl
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: openssl
BuildRequires: bc
BuildRequires: ed
BuildRequires: pkg-config
BuildRequires: zlib-devel
%define ssletcdir %{_sysconfdir}/ssl
#%define num_version %(echo "%{version}" | sed -e "s+[a-zA-Z]++g; s+_.*++g")
%define num_version 1.0.0
Provides: ssl
# bug437293
%ifarch ppc64
Obsoletes: openssl-64bit
%endif
Version: 1.0.1g
Release: 0
Summary: Secure Sockets and Transport Layer Security
License: OpenSSL
Group: Productivity/Networking/Security
Url: http://www.openssl.org/
Source: http://www.%{name}.org/source/%{name}-%{version}.tar.gz
Source42: http://www.%{name}.org/source/%{name}-%{version}.tar.gz.asc
# to get mtime of file:
Source1: openssl.changes
Source2: baselibs.conf
Source10: README.SuSE
Patch0: merge_from_0.9.8k.patch
Patch1: openssl-1.0.0-c_rehash-compat.diff
Patch2: bug610223.patch
Patch3: openssl-ocloexec.patch
Patch4: VIA_padlock_support_on_64systems.patch
Patch5: compression_methods_switch.patch
Patch6: CVE-2010-5298.patch
Patch7: CVE-2014-0198.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured, and open source toolkit implementing
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
v1) protocols with full-strength cryptography. The project is managed
by a worldwide community of volunteers that use the Internet to
communicate, plan, and develop the OpenSSL toolkit and its related
documentation.
Derivation and License
OpenSSL is based on the excellent SSLeay library developed by Eric A.
Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an
Apache-style license, which basically means that you are free to get it
and to use it for commercial and noncommercial purposes.
Authors:
--------
Mark J. Cox
Ralf S. Engelschall
Dr. Stephen Henson
Ben Laurie
Bodo Moeller
Ulf Moeller
Holger Reif
Paul C. Sutton
%package -n libopenssl1_0_0
Summary: Secure Sockets and Transport Layer Security
Group: Productivity/Networking/Security
Recommends: openssl-certs
# bug437293
%ifarch ppc64
Obsoletes: openssl-64bit
%endif
#
%description -n libopenssl1_0_0
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured, and open source toolkit implementing
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
v1) protocols with full-strength cryptography. The project is managed
by a worldwide community of volunteers that use the Internet to
communicate, plan, and develop the OpenSSL toolkit and its related
documentation.
Derivation and License
OpenSSL is based on the excellent SSLeay library developed by Eric A.
Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an
Apache-style license, which basically means that you are free to get it
and to use it for commercial and noncommercial purposes.
Authors:
--------
Mark J. Cox
Ralf S. Engelschall
Dr. Stephen Henson
Ben Laurie
Bodo Moeller
Ulf Moeller
Holger Reif
Paul C. Sutton
%package -n libopenssl-devel
Summary: Include Files and Libraries mandatory for Development
Group: Development/Libraries/C and C++
Obsoletes: openssl-devel < %{version}
Requires: %name = %version
Requires: libopenssl1_0_0 = %{version}
Requires: zlib-devel
Provides: openssl-devel = %{version}
# bug437293
%ifarch ppc64
Obsoletes: openssl-devel-64bit
%endif
#
%description -n libopenssl-devel
This package contains all necessary include files and libraries needed
to develop applications that require these.
Authors:
--------
Mark J. Cox
Ralf S. Engelschall
Dr. Stephen
Ben Laurie
Bodo Moeller
Ulf Moeller
Holger Reif
Paul C. Sutton
%package doc
Summary: Additional Package Documentation
Group: Productivity/Networking/Security
BuildArch: noarch
%description doc
This package contains optional documentation provided in addition to
this package's base documentation.
Authors:
--------
Mark J. Cox
Ralf S. Engelschall
Dr. Stephen
Ben Laurie
Bodo Moeller
Ulf Moeller
Holger Reif
Paul C. Sutton
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
cp -p %{S:10} .
echo "adding/overwriting some entries in the 'table' hash in Configure"
# $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags
export DSO_SCHEME='dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::'
cat </dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) }
for i in man?/*; do
if test -L $i ; then
LDEST=`readlink $i`
rm -f $i ${i}ssl
ln -sf ${LDEST}ssl ${i}ssl
else
mv $i ${i}ssl
fi
case `basename ${i%.*}` in
asn1parse|ca|config|crl|crl2pkcs7|crypto|dgst|dhparam|dsa|dsaparam|enc|gendsa|genrsa|nseq|openssl|passwd|pkcs12|pkcs7|pkcs8|rand|req|rsa|rsautl|s_client|s_server|smime|spkac|ssl|verify|version|x509)
# these are the pages mentioned in openssl(1). They go into the main package.
echo %doc %{_mandir}/${i}ssl.gz >> $OLDPWD/filelist;;
*)
# the rest goes into the openssl-doc package.
echo %doc %{_mandir}/${i}ssl.gz >> $OLDPWD/filelist.doc;;
esac
done
popd
#
# check wether some shared library has been installed
#
ls -l $RPM_BUILD_ROOT%{_libdir}
test -f $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{num_version}
test -f $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{num_version}
test -L $RPM_BUILD_ROOT%{_libdir}/libssl.so
test -L $RPM_BUILD_ROOT%{_libdir}/libcrypto.so
#
# see what we've got
#
cat > showciphers.c <
#include
int main(){
unsigned int i;
SSL_CTX *ctx;
SSL *ssl;
SSL_METHOD *meth;
meth = SSLv23_client_method();
SSLeay_add_ssl_algorithms();
ctx = SSL_CTX_new(meth);
if (ctx == NULL) return 0;
ssl = SSL_new(ctx);
if (!ssl) return 0;
for (i=0; ; i++) {
int j, k;
SSL_CIPHER *sc;
sc = (meth->get_cipher)(i);
if (!sc) break;
k = SSL_CIPHER_get_bits(sc, &j);
printf("%s\n", sc->name);
}
return 0;
};
EOF
gcc $RPM_OPT_FLAGS -I${RPM_BUILD_ROOT}%{_includedir} -c showciphers.c
gcc -o showciphers showciphers.o -L${RPM_BUILD_ROOT}%{_libdir} -lssl -lcrypto
LD_LIBRARY_PATH=${RPM_BUILD_ROOT}%{_libdir} ./showciphers > AVAILABLE_CIPHERS || true
cat AVAILABLE_CIPHERS
# Do not install demo scripts executable under /usr/share/doc
find demos -type f -perm /111 -exec chmod 644 {} \;
#process openssllib
mkdir $RPM_BUILD_ROOT/%{_lib}
mv $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/
mv $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/
mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT/%{_lib}/
cd $RPM_BUILD_ROOT%{_libdir}/
ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so
ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so
%clean
if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
%post -n libopenssl1_0_0 -p /sbin/ldconfig
%postun -n libopenssl1_0_0 -p /sbin/ldconfig
%files -n libopenssl1_0_0
%defattr(-, root, root)
/%{_lib}/libssl.so.%{num_version}
/%{_lib}/libcrypto.so.%{num_version}
/%{_lib}/engines
%files -n libopenssl-devel
%defattr(-, root, root)
%{_includedir}/%{name}/
%{_includedir}/ssl
%exclude %{_libdir}/libcrypto.a
%exclude %{_libdir}/libssl.a
%{_libdir}/libssl.so
%{_libdir}/libcrypto.so
%_libdir/pkgconfig/libcrypto.pc
%_libdir/pkgconfig/libssl.pc
%_libdir/pkgconfig/openssl.pc
%files doc -f filelist.doc
%defattr(-, root, root)
%doc doc/* demos
%doc showciphers.c
%files -f filelist
%defattr(-, root, root)
%doc CHANGE* INSTAL* AVAILABLE_CIPHERS
%doc LICENSE NEWS README README.SuSE
%dir %{ssletcdir}
%dir %{ssletcdir}/certs
%config (noreplace) %{ssletcdir}/openssl.cnf
%attr(700,root,root) %{ssletcdir}/private
%dir %{_datadir}/ssl
%{_datadir}/ssl/misc
%{_bindir}/c_rehash
%{_bindir}/%{name}
%changelog
++++++ CVE-2010-5298.patch ++++++
Index: openssl-1.0.1g/ssl/s3_pkt.c
===================================================================
--- openssl-1.0.1g.orig/ssl/s3_pkt.c
+++ openssl-1.0.1g/ssl/s3_pkt.c
@@ -1055,7 +1055,7 @@ start:
{
s->rstate=SSL_ST_READ_HEADER;
rr->off=0;
- if (s->mode & SSL_MODE_RELEASE_BUFFERS)
+ if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0)
ssl3_release_read_buffer(s);
}
}
++++++ CVE-2014-0198.patch ++++++
Index: openssl-1.0.1g/ssl/s3_pkt.c
===================================================================
--- openssl-1.0.1g.orig/ssl/s3_pkt.c
+++ openssl-1.0.1g/ssl/s3_pkt.c
@@ -657,6 +657,10 @@ static int do_ssl3_write(SSL *s, int typ
if (i <= 0)
return(i);
/* if it went, fall through and send more stuff */
+ /* we may have released our buffer, so get it again */
+ if (wb->buf == NULL)
+ if (!ssl3_setup_write_buffer(s))
+ return -1;
}
if (len == 0 && !create_empty_fragment)
++++++ README.SuSE ++++++
Please note that the man pages for the openssl libraries and tools
have been placed in a package on its own right: openssl-doc Please
install the openssl-doc package if you need the man pages, HTML
documentation or sample C programs.
The C header files and static libraries have also been extracted, they
can now be found in the openssl-devel package.
Your SuSE Team.
++++++ VIA_padlock_support_on_64systems.patch ++++++
Index: openssl-1.0.1c/engines/e_padlock.c
===================================================================
--- openssl-1.0.1c.orig/engines/e_padlock.c
+++ openssl-1.0.1c/engines/e_padlock.c
@@ -101,7 +101,10 @@
compiler choice is limited to GCC and Microsoft C. */
#undef COMPILE_HW_PADLOCK
#if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
-# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \
+# if (defined(__GNUC__) && __GNUC__>=2 && \
+ (defined(__i386__) || defined(__i386) || \
+ defined(__x86_64__) || defined(__x86_64)) \
+ ) || \
(defined(_MSC_VER) && defined(_M_IX86))
# define COMPILE_HW_PADLOCK
# endif
@@ -304,6 +307,7 @@ static volatile struct padlock_cipher_da
* =======================================================
*/
#if defined(__GNUC__) && __GNUC__>=2
+#if defined(__i386__) || defined(__i386)
/*
* As for excessive "push %ebx"/"pop %ebx" found all over.
* When generating position-independent code GCC won't let
@@ -383,21 +387,6 @@ padlock_available(void)
return padlock_use_ace + padlock_use_rng;
}
-#ifndef OPENSSL_NO_AES
-/* Our own htonl()/ntohl() */
-static inline void
-padlock_bswapl(AES_KEY *ks)
-{
- size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
- unsigned int *key = ks->rd_key;
-
- while (i--) {
- asm volatile ("bswapl %0" : "+r"(*key));
- key++;
- }
-}
-#endif
-
/* Force key reload from memory to the CPU microcode.
Loading EFLAGS from the stack clears EFLAGS[30]
which does the trick. */
@@ -456,11 +445,130 @@ static inline void *name(size_t cnt, \
return iv; \
}
+
+#endif
+
+#elif defined(__x86_64__) || defined(__x86_64)
+
+/* Load supported features of the CPU to see if
+ the PadLock is available. */
+ static int
+padlock_available(void)
+{
+ char vendor_string[16];
+ unsigned int eax, edx;
+
+ /* Are we running on the Centaur (VIA) CPU? */
+ eax = 0x00000000;
+ vendor_string[12] = 0;
+ asm volatile (
+ "cpuid\n"
+ "movl %%ebx,(%1)\n"
+ "movl %%edx,4(%1)\n"
+ "movl %%ecx,8(%1)\n"
+ : "+a"(eax) : "r"(vendor_string) : "rbx", "rcx", "rdx");
+ if (strcmp(vendor_string, "CentaurHauls") != 0)
+ return 0;
+
+ /* Check for Centaur Extended Feature Flags presence */
+ eax = 0xC0000000;
+ asm volatile ("cpuid"
+ : "+a"(eax) : : "rbx", "rcx", "rdx");
+ if (eax < 0xC0000001)
+ return 0;
+
+ /* Read the Centaur Extended Feature Flags */
+ eax = 0xC0000001;
+ asm volatile ("cpuid"
+ : "+a"(eax), "=d"(edx) : : "rbx", "rcx");
+
+ /* Fill up some flags */
+ padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6));
+ padlock_use_rng = ((edx & (0x3<<2)) == (0x3<<2));
+
+ return padlock_use_ace + padlock_use_rng;
+}
+
+/* Force key reload from memory to the CPU microcode.
+ Loading EFLAGS from the stack clears EFLAGS[30]
+ which does the trick. */
+ static inline void
+padlock_reload_key(void)
+{
+ asm volatile ("pushfq; popfq");
+}
+
+#ifndef OPENSSL_NO_AES
+/*
+ * This is heuristic key context tracing. At first one
+ * believes that one should use atomic swap instructions,
+ * but it's not actually necessary. Point is that if
+ * padlock_saved_context was changed by another thread
+ * after we've read it and before we compare it with cdata,
+ * our key *shall* be reloaded upon thread context switch
+ * and we are therefore set in either case...
+ */
+ static inline void
+padlock_verify_context(struct padlock_cipher_data *cdata)
+{
+ asm volatile (
+ "pushfq\n"
+ " btl $30,(%%rsp)\n"
+ " jnc 1f\n"
+ " cmpq %2,%1\n"
+ " je 1f\n"
+ " popfq\n"
+ " subq $8,%%rsp\n"
+ "1: addq $8,%%rsp\n"
+ " movq %2,%0"
+ :"+m"(padlock_saved_context)
+ : "r"(padlock_saved_context), "r"(cdata) : "cc");
+}
+
+/* Template for padlock_xcrypt_* modes */
+/* BIG FAT WARNING:
+ * The offsets used with 'leal' instructions
+ * describe items of the 'padlock_cipher_data'
+ * structure.
+ */
+#define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \
+ static inline void *name(size_t cnt, \
+ struct padlock_cipher_data *cdata, \
+ void *out, const void *inp) \
+{ void *iv; \
+ asm volatile ( "leaq 16(%0),%%rdx\n" \
+ " leaq 32(%0),%%rbx\n" \
+ rep_xcrypt "\n" \
+ : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
+ : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \
+ : "rbx", "rdx", "cc", "memory"); \
+ return iv; \
+}
+#endif
+
+#endif /* cpu */
+
+#ifndef OPENSSL_NO_AES
+
+
/* Generate all functions with appropriate opcodes */
PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, ".byte 0xf3,0x0f,0xa7,0xc8") /* rep xcryptecb */
PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc, ".byte 0xf3,0x0f,0xa7,0xd0") /* rep xcryptcbc */
PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0") /* rep xcryptcfb */
PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8") /* rep xcryptofb */
+
+/* Our own htonl()/ntohl() */
+static inline void
+padlock_bswapl(AES_KEY *ks)
+{
+ size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
+ unsigned int *key = ks->rd_key;
+
+ while (i--) {
+ asm volatile ("bswapl %0" : "+r"(*key));
+ key++;
+ }
+}
#endif
/* The RNG call itself */
@@ -491,8 +599,8 @@ padlock_xstore(void *addr, unsigned int
static inline unsigned char *
padlock_memcpy(void *dst,const void *src,size_t n)
{
- long *d=dst;
- const long *s=src;
+ size_t *d=dst;
+ const size_t *s=src;
n /= sizeof(*d);
do { *d++ = *s++; } while (--n);
Index: openssl-1.0.1c/engines/e_padlock.c
===================================================================
--- openssl-1.0.1c.orig/engines/e_padlock.c
+++ openssl-1.0.1c/engines/e_padlock.c
@@ -457,30 +457,33 @@ padlock_available(void)
{
char vendor_string[16];
unsigned int eax, edx;
+ size_t scratch;
/* Are we running on the Centaur (VIA) CPU? */
eax = 0x00000000;
vendor_string[12] = 0;
asm volatile (
+ "movq %%rbx,%1\n"
"cpuid\n"
- "movl %%ebx,(%1)\n"
- "movl %%edx,4(%1)\n"
- "movl %%ecx,8(%1)\n"
- : "+a"(eax) : "r"(vendor_string) : "rbx", "rcx", "rdx");
+ "movl %%ebx,(%2)\n"
+ "movl %%edx,4(%2)\n"
+ "movl %%ecx,8(%2)\n"
+ "movq %1,%%rbx"
+ : "+a"(eax), "=&r"(scratch) : "r"(vendor_string) : "rcx", "rdx");
if (strcmp(vendor_string, "CentaurHauls") != 0)
return 0;
/* Check for Centaur Extended Feature Flags presence */
eax = 0xC0000000;
- asm volatile ("cpuid"
- : "+a"(eax) : : "rbx", "rcx", "rdx");
+ asm volatile ("movq %%rbx,%1; cpuid; movq %1,%%rbx"
+ : "+a"(eax), "=&r"(scratch) : : "rcx", "rdx");
if (eax < 0xC0000001)
return 0;
/* Read the Centaur Extended Feature Flags */
eax = 0xC0000001;
- asm volatile ("cpuid"
- : "+a"(eax), "=d"(edx) : : "rbx", "rcx");
+ asm volatile ("movq %%rbx,%2; cpuid; movq %2,%%rbx"
+ : "+a"(eax), "=d"(edx), "=&r"(scratch) : : "rcx");
/* Fill up some flags */
padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6));
@@ -536,12 +539,15 @@ padlock_verify_context(struct padlock_ci
struct padlock_cipher_data *cdata, \
void *out, const void *inp) \
{ void *iv; \
- asm volatile ( "leaq 16(%0),%%rdx\n" \
+ size_t scratch; \
+ asm volatile ( "movq %%rbx,%4\n" \
+ " leaq 16(%0),%%rdx\n" \
" leaq 32(%0),%%rbx\n" \
rep_xcrypt "\n" \
- : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
+ " movq %4,%%rbx" \
+ : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp), "=&r"(scratch) \
: "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \
- : "rbx", "rdx", "cc", "memory"); \
+ : "rdx", "cc", "memory"); \
return iv; \
}
#endif
++++++ baselibs.conf ++++++
libopenssl1_0_0
obsoletes "openssl-<targettype> <= <version>"
libopenssl-devel
requires -libopenssl-<targettype>
requires "libopenssl1_0_0-<targettype> = <version>"
++++++ bug610223.patch ++++++
Index: openssl-1.0.0/Configure
===================================================================
--- openssl-1.0.0.orig/Configure
+++ openssl-1.0.0/Configure
@@ -1673,7 +1673,8 @@ while (<IN>)
}
elsif (/^#define\s+ENGINESDIR/)
{
- my $foo = "$prefix/$libdir/engines";
+ #my $foo = "$prefix/$libdir/engines";
+ my $foo = "/$libdir/engines";
$foo =~ s/\\/\\\\/g;
print OUT "#define ENGINESDIR \"$foo\"\n";
}
++++++ compression_methods_switch.patch ++++++
Index: openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod
===================================================================
--- openssl-1.0.1e.orig/doc/ssl/SSL_COMP_add_compression_method.pod
+++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod
@@ -41,6 +41,24 @@ of compression methods supported on a pe
The OpenSSL library has the compression methods B and (when
especially enabled during compilation) B available.
+And, there is an environment variable to switch the compression
+methods off and on. In default the compression is off to mitigate
+the so called CRIME attack ( CVE-2012-4929). If you want to enable
+compression again set OPENSSL_NO_DEFAULT_ZLIB to "no".
+
+The variable can be switched on and off at runtime; when this variable
+is set "no" compression is enabled, otherwise no, for example:
+
+in shell 'export OPENSSL_NO_DEFAULT_ZLIB=no'
+or in C to call
+int setenv(const char *name, const char *value, int overwrite); and
+int unsetenv(const char *name);
+
+Note: This reverts the behavior of the variable as it was before!
+
+And pay attention that this freaure is temporary, it maybe changed by
+the following updates.
+
=head1 WARNINGS
Once the identities of the compression methods for the TLS protocol have
Index: openssl-1.0.1e/ssl/ssl_ciph.c
===================================================================
--- openssl-1.0.1e.orig/ssl/ssl_ciph.c
+++ openssl-1.0.1e/ssl/ssl_ciph.c
@@ -452,10 +452,16 @@ static void load_builtin_compressions(vo
if (ssl_comp_methods == NULL)
{
SSL_COMP *comp = NULL;
+ const char *nodefaultzlib;
MemCheck_off();
ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
- if (ssl_comp_methods != NULL)
+
+ /* The default is "no" compression to avoid CRIME/BEAST */
+ nodefaultzlib = getenv("OPENSSL_NO_DEFAULT_ZLIB");
+ if ( ssl_comp_methods != NULL &&
+ nodefaultzlib &&
+ strncmp( nodefaultzlib, "no", 2) == 0)
{
comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
if (comp != NULL)
++++++ merge_from_0.9.8k.patch ++++++
--- openssl-1.0.1c.orig/Configure
+++ openssl-1.0.1c/Configure
@@ -931,7 +931,7 @@ PROCESS_ARGS:
}
else
{
- die "target already defined - $target (offending arg: $_)\n" if ($target ne "");
+ warn "target already defined - $target (offending arg: $_)\n" if ($target ne "");
$target=$_;
}
@@ -1204,7 +1204,7 @@ if ($target =~ /^mingw/ && `$cc --target
my $no_shared_warn=0;
my $no_user_cflags=0;
-if ($flags ne "") { $cflags="$flags$cflags"; }
+if ($flags ne "") { $cflags="$cflags $flags"; }
else { $no_user_cflags=1; }
# Kerberos settings. The flavor must be provided from outside, either through
--- openssl-1.0.1c.orig/config
+++ openssl-1.0.1c/config
@@ -573,7 +573,8 @@ case "$GUESSOS" in
options="$options -arch%20${MACHINE}"
OUT="iphoneos-cross" ;;
alpha-*-linux2)
- ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo`
+ #ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo`
+ ISA=EV56
case ${ISA:-generic} in
*[678]) OUT="linux-alpha+bwx-$CC" ;;
*) OUT="linux-alpha-$CC" ;;
@@ -593,7 +594,8 @@ case "$GUESSOS" in
echo " You have about 5 seconds to press Ctrl-C to abort."
(trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
fi
- OUT="linux-ppc"
+ # we have the target and force it here
+ OUT="linux-ppc64"
;;
ppc-*-linux2) OUT="linux-ppc" ;;
ppc60x-*-vxworks*) OUT="vxworks-ppc60x" ;;
@@ -614,10 +616,10 @@ case "$GUESSOS" in
sparc-*-linux2)
KARCH=`awk '/^type/{print$3;exit(0);}' /proc/cpuinfo`
case ${KARCH:-sun4} in
- sun4u*) OUT="linux-sparcv9" ;;
- sun4m) OUT="linux-sparcv8" ;;
- sun4d) OUT="linux-sparcv8" ;;
- *) OUT="linux-generic32"; options="$options -DB_ENDIAN" ;;
+# sun4u*) OUT="linux-sparcv9" ;;
+# sun4m) OUT="linux-sparcv8" ;;
+# sun4d) OUT="linux-sparcv8" ;;
+ *) OUT="linux-sparcv8" ;;
esac ;;
parisc*-*-linux2)
# 64-bit builds under parisc64 linux are not supported and
@@ -636,7 +638,11 @@ case "$GUESSOS" in
# PA8500 -> 8000 (2.0)
# PA8600 -> 8000 (2.0)
- CPUSCHEDULE=`echo $CPUSCHEDULE|sed -e 's/7300LC/7100LC/' -e 's/8.00/8000/'`
+ # CPUSCHEDULE=`echo $CPUSCHEDULE|sed -e 's/7300LC/7100LC/' -e 's/8?00/8000/'`
+ # lets have CPUSCHEDULE for 1.1:
+ CPUSCHEDULE=7100LC
+ # we want to support 1.1 CPUs as well:
+ CPUARCH=1.1
# Finish Model transformations
options="$options -DB_ENDIAN -mschedule=$CPUSCHEDULE -march=$CPUARCH"
++++++ openssl-1.0.0-c_rehash-compat.diff ++++++
From 83f318d68bbdab1ca898c94576a838cc97df4700 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel
Date: Wed, 21 Apr 2010 15:52:10 +0200
Subject: [PATCH] also create old hash for compatibility
---
tools/c_rehash.in | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/tools/c_rehash.in b/tools/c_rehash.in
index bfc4a69..f8d0ce1 100644
--- a/tools/c_rehash.in
+++ b/tools/c_rehash.in
@@ -83,6 +83,7 @@ sub hash_dir {
next;
}
link_hash_cert($fname) if($cert);
+ link_hash_cert_old($fname) if($cert);
link_hash_crl($fname) if($crl);
}
}
@@ -116,8 +117,9 @@ sub check_file {
sub link_hash_cert {
my $fname = $_[0];
+ my $hashopt = $_[1] || '-subject_hash';
$fname =~ s/'/'\\''/g;
- my ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in "$fname"`;
+ my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$fname"`;
chomp $hash;
chomp $fprint;
$fprint =~ s/^.*=//;
@@ -147,6 +149,10 @@ sub link_hash_cert {
$hashlist{$hash} = $fprint;
}
+sub link_hash_cert_old {
+ link_hash_cert($_[0], '-subject_hash_old');
+}
+
# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
sub link_hash_crl {
--
1.6.4.2
++++++ openssl-ocloexec.patch ++++++
--- crypto/bio/b_sock.c.orig
+++ crypto/bio/b_sock.c
@@ -735,7 +735,7 @@ int BIO_get_accept_socket(char *host, in
}
again:
- s=socket(server.sa.sa_family,SOCK_STREAM,SOCKET_PROTOCOL);
+ s=socket(server.sa.sa_family,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL);
if (s == INVALID_SOCKET)
{
SYSerr(SYS_F_SOCKET,get_last_socket_error());
@@ -784,7 +784,7 @@ again:
}
else goto err;
}
- cs=socket(client.sa.sa_family,SOCK_STREAM,SOCKET_PROTOCOL);
+ cs=socket(client.sa.sa_family,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL);
if (cs != INVALID_SOCKET)
{
int ii;
--- crypto/bio/bss_conn.c.orig
+++ crypto/bio/bss_conn.c
@@ -209,7 +209,7 @@ static int conn_state(BIO *b, BIO_CONNEC
c->them.sin_addr.s_addr=htonl(l);
c->state=BIO_CONN_S_CREATE_SOCKET;
- ret=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
+ ret=socket(AF_INET,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL);
if (ret == INVALID_SOCKET)
{
SYSerr(SYS_F_SOCKET,get_last_socket_error());
--- crypto/bio/bss_dgram.c.orig
+++ crypto/bio/bss_dgram.c
@@ -999,7 +999,7 @@ static int dgram_sctp_read(BIO *b, char
msg.msg_control = cmsgbuf;
msg.msg_controllen = 512;
msg.msg_flags = 0;
- n = recvmsg(b->num, &msg, 0);
+ n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
if (msg.msg_controllen > 0)
{
@@ -1560,7 +1560,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
msg.msg_controllen = 0;
msg.msg_flags = 0;
- n = recvmsg(b->num, &msg, MSG_PEEK);
+ n = recvmsg(b->num, &msg, MSG_PEEK| MSG_CMSG_CLOEXEC);
if (n <= 0)
{
if ((n < 0) && (get_last_socket_error() != EAGAIN) && (get_last_socket_error() != EWOULDBLOCK))
@@ -1583,7 +1583,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
msg.msg_controllen = 0;
msg.msg_flags = 0;
- n = recvmsg(b->num, &msg, 0);
+ n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
if (n <= 0)
{
if ((n < 0) && (get_last_socket_error() != EAGAIN) && (get_last_socket_error() != EWOULDBLOCK))
@@ -1644,7 +1644,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
fcntl(b->num, F_SETFL, O_NONBLOCK);
}
- n = recvmsg(b->num, &msg, MSG_PEEK);
+ n = recvmsg(b->num, &msg, MSG_PEEK | MSG_CMSG_CLOEXEC);
if (is_dry)
{
@@ -1688,7 +1688,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b)
sockflags = fcntl(b->num, F_GETFL, 0);
fcntl(b->num, F_SETFL, O_NONBLOCK);
- n = recvmsg(b->num, &msg, MSG_PEEK);
+ n = recvmsg(b->num, &msg, MSG_PEEK | MSG_CMSG_CLOEXEC);
fcntl(b->num, F_SETFL, sockflags);
/* if notification, process and try again */
@@ -1709,7 +1709,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b)
msg.msg_control = NULL;
msg.msg_controllen = 0;
msg.msg_flags = 0;
- n = recvmsg(b->num, &msg, 0);
+ n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
if (data->handle_notifications != NULL)
data->handle_notifications(b, data->notification_context, (void*) &snp);
--- crypto/bio/bss_file.c.orig
+++ crypto/bio/bss_file.c
@@ -120,6 +120,10 @@ BIO *BIO_new_file(const char *filename,
{
BIO *ret;
FILE *file=NULL;
+ size_t modelen = strlen (mode);
+ char newmode[modelen + 2];
+
+ memcpy (mempcpy (newmode, mode, modelen), "e", 2);
#if defined(_WIN32) && defined(CP_UTF8)
int sz, len_0 = (int)strlen(filename)+1;
@@ -162,7 +166,7 @@ BIO *BIO_new_file(const char *filename,
file = fopen(filename,mode);
}
#else
- file=fopen(filename,mode);
+ file=fopen(filename,newmode);
#endif
if (file == NULL)
{
@@ -275,7 +279,7 @@ static long MS_CALLBACK file_ctrl(BIO *b
long ret=1;
FILE *fp=(FILE *)b->ptr;
FILE **fpp;
- char p[4];
+ char p[5];
switch (cmd)
{
@@ -392,6 +396,8 @@ static long MS_CALLBACK file_ctrl(BIO *b
else
strcat(p,"t");
#endif
+ strcat(p, "e");
+
fp=fopen(ptr,p);
if (fp == NULL)
{
--- crypto/rand/rand_unix.c.orig
+++ crypto/rand/rand_unix.c
@@ -262,7 +262,7 @@ int RAND_poll(void)
for (i = 0; (i < sizeof(randomfiles)/sizeof(randomfiles[0])) &&
(n < ENTROPY_NEEDED); i++)
{
- if ((fd = open(randomfiles[i], O_RDONLY
+ if ((fd = open(randomfiles[i], O_RDONLY | O_CLOEXEC
#ifdef O_NONBLOCK
|O_NONBLOCK
#endif
--- crypto/rand/randfile.c.orig
+++ crypto/rand/randfile.c
@@ -134,7 +134,7 @@ int RAND_load_file(const char *file, lon
#ifdef OPENSSL_SYS_VMS
in=vms_fopen(file,"rb",VMS_OPEN_ATTRS);
#else
- in=fopen(file,"rb");
+ in=fopen(file,"rbe");
#endif
if (in == NULL) goto err;
#if defined(S_IFBLK) && defined(S_IFCHR) && !defined(OPENSSL_NO_POSIX_IO)
@@ -207,7 +207,7 @@ int RAND_write_file(const char *file)
#endif
/* chmod(..., 0600) is too late to protect the file,
* permissions should be restrictive from the start */
- int fd = open(file, O_WRONLY|O_CREAT|O_BINARY, 0600);
+ int fd = open(file, O_WRONLY|O_CREAT|O_BINARY|O_CLOEXEC, 0600);
if (fd != -1)
out = fdopen(fd, "wb");
}
@@ -238,7 +238,7 @@ int RAND_write_file(const char *file)
out = vms_fopen(file,"wb",VMS_OPEN_ATTRS);
#else
if (out == NULL)
- out = fopen(file,"wb");
+ out = fopen(file,"wbe");
#endif
if (out == NULL) goto err;
++++++ openssl.test ++++++
openssl autmatically tests iteslf, no further testing needed
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org