rpms/openssl/devel openssl-1.0.0-beta4-backports.patch, NONE, 1.1 openssl-1.0.0-beta4-client-reneg.patch, NONE, 1.1 openssl.spec, 1.148, 1.149

Tomáš Mráz tmraz at fedoraproject.org
Wed Nov 18 13:14:14 UTC 2009 

Author: tmraz

Update of /cvs/pkgs/rpms/openssl/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv21233

Modified Files:
	openssl.spec 
Added Files:
	openssl-1.0.0-beta4-backports.patch 
	openssl-1.0.0-beta4-client-reneg.patch 
Log Message:
* Wed Nov 18 2009 Tomas Mraz <tmraz at redhat.com> 1.0.0-0.13.beta4
- disable enforcement of the renegotiation extension on the client (#537962)
- add fixes from the current upstream snapshot


openssl-1.0.0-beta4-backports.patch:
 asn1/d2i_pu.c   |   10 +++++++---
 evp/p_lib.c     |    3 +++
 x509/x509_vfy.c |    1 +
 3 files changed, 11 insertions(+), 3 deletions(-)

--- NEW FILE openssl-1.0.0-beta4-backports.patch ---
diff -up openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c.backports openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c
--- openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c.backports	2008-11-12 04:57:49.000000000 +0100
+++ openssl-1.0.0-beta4/crypto/asn1/d2i_pu.c	2009-11-18 14:11:14.000000000 +0100
@@ -87,9 +87,13 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PK
 		}
 	else	ret= *a;
 
-	ret->save_type=type;
-	ret->type=EVP_PKEY_type(type);
-	switch (ret->type)
+	if (!EVP_PKEY_set_type(ret, type))
+		{
+		ASN1err(ASN1_F_D2I_PUBLICKEY,ERR_R_EVP_LIB);
+		goto err;
+		}
+
+	switch (EVP_PKEY_id(ret))
 		{
 #ifndef OPENSSL_NO_RSA
 	case EVP_PKEY_RSA:
diff -up openssl-1.0.0-beta4/crypto/evp/p_lib.c.backports openssl-1.0.0-beta4/crypto/evp/p_lib.c
--- openssl-1.0.0-beta4/crypto/evp/p_lib.c.backports	2006-07-04 22:27:44.000000000 +0200
+++ openssl-1.0.0-beta4/crypto/evp/p_lib.c	2009-11-18 14:11:26.000000000 +0100
@@ -220,7 +220,10 @@ static int pkey_set_type(EVP_PKEY *pkey,
 #ifndef OPENSSL_NO_ENGINE
 		/* If we have an ENGINE release it */
 		if (pkey->engine)
+			{
 			ENGINE_finish(pkey->engine);
+			pkey->engine = NULL;
+			}
 #endif
 		}
 	if (str)
diff -up openssl-1.0.0-beta4/crypto/x509/x509_vfy.c.backports openssl-1.0.0-beta4/crypto/x509/x509_vfy.c
--- openssl-1.0.0-beta4/crypto/x509/x509_vfy.c.backports	2009-10-31 20:21:47.000000000 +0100
+++ openssl-1.0.0-beta4/crypto/x509/x509_vfy.c	2009-11-18 14:11:31.000000000 +0100
@@ -1727,6 +1727,7 @@ int X509_cmp_time(const ASN1_TIME *ctm, 
 			offset= -offset;
 		}
 	atm.type=ctm->type;
+	atm.flags = 0;
 	atm.length=sizeof(buff2);
 	atm.data=(unsigned char *)buff2;
 

openssl-1.0.0-beta4-client-reneg.patch:
 t1_lib.c |    4 ++++
 1 file changed, 4 insertions(+)

--- NEW FILE openssl-1.0.0-beta4-client-reneg.patch ---
Do not enforce the renegotiation extension on the client - too many broken servers remain.
diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.client-reneg openssl-1.0.0-beta4/ssl/t1_lib.c
--- openssl-1.0.0-beta4/ssl/t1_lib.c.client-reneg	2009-11-12 15:17:29.000000000 +0100
+++ openssl-1.0.0-beta4/ssl/t1_lib.c	2009-11-18 14:04:19.000000000 +0100
@@ -985,6 +985,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
 
 	if (data >= (d+n-2))
 		{
+#if 0
 		/* Because the client does not see any renegotiation during an
 		   attack, we must enforce this on all server hellos, even the
 		   first */
@@ -994,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
 			*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
 			return 0;
 			}
+#endif
 		return 1;
 		}
 
@@ -1126,12 +1128,14 @@ int ssl_parse_serverhello_tlsext(SSL *s,
 		return 0;
 		}
 
+#if 0
 	if (!renegotiate_seen
 		&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
 		{
 		*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
 		return 0;
 		}
+#endif
 
 	if (!s->hit && tlsext_servername == 1)
 		{


Index: openssl.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openssl/devel/openssl.spec,v
retrieving revision 1.148
retrieving revision 1.149
diff -u -p -r1.148 -r1.149
--- openssl.spec	13 Nov 2009 12:11:41 -0000	1.148
+++ openssl.spec	18 Nov 2009 13:14:13 -0000	1.149
@@ -23,7 +23,7 @@
 Summary: A general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.0
-Release: 0.12.%{beta}%{?dist}
+Release: 0.13.%{beta}%{?dist}
 # We remove certain patented algorithms from the openssl source tarball
 # with the hobble-openssl script which is included below.
 Source: openssl-%{version}-%{beta}-usa.tar.bz2
@@ -63,6 +63,9 @@ Patch50: openssl-1.0.0-beta4-dtls1-abi.p
 Patch51: openssl-1.0.0-beta4-version.patch
 # Backported fixes including security fixes
 Patch60: openssl-1.0.0-beta4-reneg.patch
+# This one is not backported but has to be applied after reneg patch
+Patch61: openssl-1.0.0-beta4-client-reneg.patch
+Patch62: openssl-1.0.0-beta4-backports.patch
 
 License: OpenSSL
 Group: System Environment/Libraries
@@ -143,6 +146,8 @@ from other formats to the formats used b
 %patch51 -p1 -b .version
 
 %patch60 -p1 -b .reneg
+%patch61 -p1 -b .client-reneg
+%patch62 -p1 -b .backports
 
 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`
@@ -391,6 +396,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipsca
 %postun -p /sbin/ldconfig
 
 %changelog
+* Wed Nov 18 2009 Tomas Mraz <tmraz at redhat.com> 1.0.0-0.13.beta4
+- disable enforcement of the renegotiation extension on the client (#537962)
+- add fixes from the current upstream snapshot
+
 * Fri Nov 13 2009 Tomas Mraz <tmraz at redhat.com> 1.0.0-0.12.beta4
 - keep the beta status in version number at 3 so we do not have to rebuild
   openssh and possibly other dependencies with too strict version check

More information about the scm-commits mailing list