mirror of
git://projects.qi-hardware.com/openwrt-xburst.git
synced 2024-11-27 19:25:21 +02:00
openssl: upgrade to 0.9.8m (patch by Peter Wagner)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@19939 3c298f89-4303-0410-b956-a3cf2f4a3e73
This commit is contained in:
parent
5c26b81aaa
commit
cca15d6bb8
@ -8,15 +8,15 @@
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=openssl
|
||||
PKG_VERSION:=0.9.8l
|
||||
PKG_RELEASE:=2
|
||||
PKG_VERSION:=0.9.8m
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=http://www.openssl.org/source/ \
|
||||
ftp://ftp.funet.fi/pub/crypt/cryptography/libs/openssl/source/ \
|
||||
ftp://ftp.webmonster.de/pub/openssl/source/ \
|
||||
ftp://ftp.sunet.se/pub/security/tools/net/openssl/source/
|
||||
PKG_MD5SUM:=05a0ece1372392a2cf310ebb96333025
|
||||
PKG_MD5SUM:=898bf125370926d5f692a2201124f8ec
|
||||
|
||||
PKG_BUILD_DEPENDS := ocf-crypto-headers
|
||||
PKG_CONFIG_DEPENDS := CONFIG_OPENSSL_ENGINE
|
||||
|
@ -1,139 +0,0 @@
|
||||
--- a/ssl/d1_clnt.c
|
||||
+++ b/ssl/d1_clnt.c
|
||||
@@ -130,7 +130,7 @@ static int dtls1_get_hello_verify(SSL *s
|
||||
|
||||
static SSL_METHOD *dtls1_get_client_method(int ver)
|
||||
{
|
||||
- if (ver == DTLS1_VERSION)
|
||||
+ if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
|
||||
return(DTLSv1_client_method());
|
||||
else
|
||||
return(NULL);
|
||||
@@ -181,7 +181,8 @@ int dtls1_connect(SSL *s)
|
||||
s->server=0;
|
||||
if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
|
||||
|
||||
- if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00))
|
||||
+ if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00) &&
|
||||
+ (s->version & 0xff00 ) != (DTLS1_BAD_VER & 0xff00))
|
||||
{
|
||||
SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
|
||||
ret = -1;
|
||||
--- a/ssl/d1_lib.c
|
||||
+++ b/ssl/d1_lib.c
|
||||
@@ -187,7 +187,10 @@ void dtls1_free(SSL *s)
|
||||
void dtls1_clear(SSL *s)
|
||||
{
|
||||
ssl3_clear(s);
|
||||
- s->version=DTLS1_VERSION;
|
||||
+ if (s->options & SSL_OP_CISCO_ANYCONNECT)
|
||||
+ s->version=DTLS1_BAD_VER;
|
||||
+ else
|
||||
+ s->version=DTLS1_VERSION;
|
||||
}
|
||||
|
||||
/*
|
||||
--- a/ssl/d1_pkt.c
|
||||
+++ b/ssl/d1_pkt.c
|
||||
@@ -987,15 +987,17 @@ start:
|
||||
if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
|
||||
{
|
||||
struct ccs_header_st ccs_hdr;
|
||||
+ int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH;
|
||||
|
||||
dtls1_get_ccs_header(rr->data, &ccs_hdr);
|
||||
|
||||
/* 'Change Cipher Spec' is just a single byte, so we know
|
||||
* exactly what the record payload has to look like */
|
||||
/* XDTLS: check that epoch is consistent */
|
||||
- if ( (s->client_version == DTLS1_BAD_VER && rr->length != 3) ||
|
||||
- (s->client_version != DTLS1_BAD_VER && rr->length != DTLS1_CCS_HEADER_LENGTH) ||
|
||||
- (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
|
||||
+ if (s->client_version == DTLS1_BAD_VER || s->version == DTLS1_BAD_VER)
|
||||
+ ccs_hdr_len = 3;
|
||||
+
|
||||
+ if ((rr->length != ccs_hdr_len) || (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
|
||||
{
|
||||
i=SSL_AD_ILLEGAL_PARAMETER;
|
||||
SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
|
||||
@@ -1311,7 +1313,7 @@ int do_dtls1_write(SSL *s, int type, con
|
||||
#if 0
|
||||
/* 'create_empty_fragment' is true only when this function calls itself */
|
||||
if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done
|
||||
- && SSL_version(s) != DTLS1_VERSION)
|
||||
+ && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
|
||||
{
|
||||
/* countermeasure against known-IV weakness in CBC ciphersuites
|
||||
* (see http://www.openssl.org/~bodo/tls-cbc.txt)
|
||||
--- a/ssl/s3_clnt.c
|
||||
+++ b/ssl/s3_clnt.c
|
||||
@@ -708,7 +708,7 @@ int ssl3_get_server_hello(SSL *s)
|
||||
|
||||
if (!ok) return((int)n);
|
||||
|
||||
- if ( SSL_version(s) == DTLS1_VERSION)
|
||||
+ if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
|
||||
{
|
||||
if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
|
||||
{
|
||||
--- a/ssl/ssl.h
|
||||
+++ b/ssl/ssl.h
|
||||
@@ -510,6 +510,8 @@ typedef struct ssl_session_st
|
||||
#define SSL_OP_COOKIE_EXCHANGE 0x00002000L
|
||||
/* Don't use RFC4507 ticket extension */
|
||||
#define SSL_OP_NO_TICKET 0x00004000L
|
||||
+/* Use Cisco's "speshul" version of DTLS_BAD_VER (as client) */
|
||||
+#define SSL_OP_CISCO_ANYCONNECT 0x00008000L
|
||||
|
||||
/* As server, disallow session resumption on renegotiation */
|
||||
#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
|
||||
--- a/ssl/ssl_lib.c
|
||||
+++ b/ssl/ssl_lib.c
|
||||
@@ -995,7 +995,8 @@ long SSL_ctrl(SSL *s,int cmd,long larg,v
|
||||
s->max_cert_list=larg;
|
||||
return(l);
|
||||
case SSL_CTRL_SET_MTU:
|
||||
- if (SSL_version(s) == DTLS1_VERSION)
|
||||
+ if (SSL_version(s) == DTLS1_VERSION ||
|
||||
+ SSL_version(s) == DTLS1_BAD_VER)
|
||||
{
|
||||
s->d1->mtu = larg;
|
||||
return larg;
|
||||
--- a/ssl/ssl_sess.c
|
||||
+++ b/ssl/ssl_sess.c
|
||||
@@ -211,6 +211,11 @@ int ssl_get_new_session(SSL *s, int sess
|
||||
ss->ssl_version=TLS1_VERSION;
|
||||
ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
|
||||
}
|
||||
+ else if (s->version == DTLS1_BAD_VER)
|
||||
+ {
|
||||
+ ss->ssl_version=DTLS1_BAD_VER;
|
||||
+ ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
|
||||
+ }
|
||||
else if (s->version == DTLS1_VERSION)
|
||||
{
|
||||
ss->ssl_version=DTLS1_VERSION;
|
||||
--- a/ssl/t1_enc.c
|
||||
+++ b/ssl/t1_enc.c
|
||||
@@ -765,10 +765,10 @@ int tls1_mac(SSL *ssl, unsigned char *md
|
||||
HMAC_CTX_init(&hmac);
|
||||
HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL);
|
||||
|
||||
- if (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER)
|
||||
+ if (ssl->version == DTLS1_BAD_VER ||
|
||||
+ (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER))
|
||||
{
|
||||
unsigned char dtlsseq[8],*p=dtlsseq;
|
||||
-
|
||||
s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
|
||||
memcpy (p,&seq[2],6);
|
||||
|
||||
@@ -793,7 +793,7 @@ printf("rec=");
|
||||
{unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
|
||||
#endif
|
||||
|
||||
- if ( SSL_version(ssl) != DTLS1_VERSION)
|
||||
+ if ( SSL_version(ssl) != DTLS1_VERSION && SSL_version(ssl) != DTLS1_BAD_VER)
|
||||
{
|
||||
for (i=7; i>=0; i--)
|
||||
{
|
@ -1,23 +0,0 @@
|
||||
--- a/Makefile.org
|
||||
+++ b/Makefile.org
|
||||
@@ -333,15 +333,15 @@ build_crypto:
|
||||
dir=crypto; target=all; $(BUILD_ONE_CMD)
|
||||
build_fips:
|
||||
@dir=fips; target=all; [ -z "$(FIPSCANLIB)" ] || $(BUILD_ONE_CMD)
|
||||
-build_ssl:
|
||||
+build_ssl: build_crypto
|
||||
@dir=ssl; target=all; $(BUILD_ONE_CMD)
|
||||
-build_engines:
|
||||
+build_engines: build_crypto
|
||||
@dir=engines; target=all; $(BUILD_ONE_CMD)
|
||||
-build_apps:
|
||||
+build_apps: build_libs
|
||||
@dir=apps; target=all; $(BUILD_ONE_CMD)
|
||||
-build_tests:
|
||||
+build_tests: build_libs
|
||||
@dir=test; target=all; $(BUILD_ONE_CMD)
|
||||
-build_tools:
|
||||
+build_tools: build_libs
|
||||
@dir=tools; target=all; $(BUILD_ONE_CMD)
|
||||
|
||||
all_testapps: build_libs build_testapps
|
@ -1,6 +1,8 @@
|
||||
diff --git a/Configure b/Configure
|
||||
index 32e154b..eec5066 100755
|
||||
--- a/Configure
|
||||
+++ b/Configure
|
||||
@@ -364,6 +364,8 @@ my %table=(
|
||||
@@ -370,6 +370,8 @@ my %table=(
|
||||
"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}",
|
||||
"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}",
|
||||
|
@ -1,15 +1,5 @@
|
||||
--- a/util/domd
|
||||
+++ b/util/domd
|
||||
@@ -14,7 +14,8 @@ if [ "$MAKEDEPEND" = "" ]; then MAKEDEPE
|
||||
cp Makefile Makefile.save
|
||||
# fake the presence of Kerberos
|
||||
touch $TOP/krb5.h
|
||||
-if [ "$MAKEDEPEND" = "gcc" ]; then
|
||||
+D=${MAKEDEPEND/%*gcc/gcc}
|
||||
+if [ "$D" = "gcc" ]; then
|
||||
args=""
|
||||
while [ $# -gt 0 ]; do
|
||||
if [ "$1" != "--" ]; then args="$args $1"; fi
|
||||
@@ -22,7 +23,7 @@ if [ "$MAKEDEPEND" = "gcc" ]; then
|
||||
done
|
||||
sed -e '/^# DO NOT DELETE.*/,$d' < Makefile > Makefile.tmp
|
||||
|
@ -1,23 +0,0 @@
|
||||
--- a/config
|
||||
+++ b/config
|
||||
@@ -399,8 +399,11 @@ exit 0
|
||||
# this is where the translation occurs into SSLeay terms
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
+# figure out if gcc is available and if so we use it otherwise
|
||||
+# we fallback to whatever cc does on the system
|
||||
GCCVER=`(gcc -dumpversion) 2>/dev/null`
|
||||
if [ "$GCCVER" != "" ]; then
|
||||
+ CC=gcc
|
||||
# then strip off whatever prefix egcs prepends the number with...
|
||||
# Hopefully, this will work for any future prefixes as well.
|
||||
GCCVER=`echo $GCCVER | LC_ALL=C sed 's/^[a-zA-Z]*\-//'`
|
||||
@@ -409,6 +412,8 @@ if [ "$GCCVER" != "" ]; then
|
||||
# major and minor version numbers.
|
||||
# peak single digit before and after first dot, e.g. 2.95.1 gives 29
|
||||
GCCVER=`echo $GCCVER | sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/'`
|
||||
+else
|
||||
+ CC=cc
|
||||
fi
|
||||
|
||||
# Only set CC if not supplied already
|
@ -1,37 +0,0 @@
|
||||
--- a/Makefile.org
|
||||
+++ b/Makefile.org
|
||||
@@ -357,7 +357,7 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA
|
||||
$(AR) libcrypto.a fips/fipscanister.o ; \
|
||||
else \
|
||||
if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
|
||||
- FIPSLD_CC=$(CC); CC=fips/fipsld; \
|
||||
+ FIPSLD_CC="$(CC)"; CC=fips/fipsld; \
|
||||
export CC FIPSLD_CC; \
|
||||
fi; \
|
||||
$(MAKE) -e SHLIBDIRS='crypto' build-shared; \
|
||||
@@ -380,7 +380,7 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT
|
||||
fips/fipscanister.o: build_fips
|
||||
libfips$(SHLIB_EXT): fips/fipscanister.o
|
||||
@if [ "$(SHLIB_TARGET)" != "" ]; then \
|
||||
- FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \
|
||||
+ FIPSLD_CC="$(CC)"; CC=fips/fipsld; export CC FIPSLD_CC; \
|
||||
$(MAKE) -f Makefile.shared -e $(BUILDENV) \
|
||||
CC=$${CC} LIBNAME=fips THIS=$@ \
|
||||
LIBEXTRAS=fips/fipscanister.o \
|
||||
--- a/apps/Makefile
|
||||
+++ b/apps/Makefile
|
||||
@@ -153,12 +153,12 @@ $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(
|
||||
shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
|
||||
shlib_target="$(SHLIB_TARGET)"; \
|
||||
elif [ -n "$(FIPSCANLIB)" ]; then \
|
||||
- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
|
||||
+ FIPSLD_CC="$(CC)"; CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
|
||||
fi; \
|
||||
LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \
|
||||
[ "x$(FIPSCANLIB)" = "xlibfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \
|
||||
$(MAKE) -f $(TOP)/Makefile.shared -e \
|
||||
- CC=$${CC} APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \
|
||||
+ CC="$${CC}" APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \
|
||||
LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
|
||||
link_app.$${shlib_target}
|
||||
-(cd ..; \
|
@ -116,22 +116,7 @@
|
||||
# on Unix, "cyg" for certain forms under Cygwin...) or suffix (.a, .so,
|
||||
--- a/config
|
||||
+++ b/config
|
||||
@@ -48,10 +48,10 @@ done
|
||||
|
||||
# First get uname entries that we use below
|
||||
|
||||
-MACHINE=`(uname -m) 2>/dev/null` || MACHINE="unknown"
|
||||
-RELEASE=`(uname -r) 2>/dev/null` || RELEASE="unknown"
|
||||
-SYSTEM=`(uname -s) 2>/dev/null` || SYSTEM="unknown"
|
||||
-VERSION=`(uname -v) 2>/dev/null` || VERSION="unknown"
|
||||
+[ "$MACHINE" ] || MACHINE=`(uname -m) 2>/dev/null` || MACHINE="unknown"
|
||||
+[ "$RELEASE" ] || RELEASE=`(uname -r) 2>/dev/null` || RELEASE="unknown"
|
||||
+[ "$SYSTEM" ] || SYSTEM=`(uname -s) 2>/dev/null` || SYSTEM="unknown"
|
||||
+[ "$VERSION" ] || VERSION=`(uname -v) 2>/dev/null` || VERSION="unknown"
|
||||
|
||||
|
||||
# Now test for ISC and SCO, since it is has a braindamaged uname.
|
||||
@@ -270,7 +270,7 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${
|
||||
@@ -270,7 +270,7 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
|
||||
echo "ppc-apple-darwin${VERSION}"
|
||||
;;
|
||||
*)
|
||||
@ -140,23 +125,21 @@
|
||||
;;
|
||||
esac
|
||||
exit 0
|
||||
@@ -401,9 +401,9 @@ exit 0
|
||||
@@ -399,7 +399,8 @@ exit 0
|
||||
# this is where the translation occurs into SSLeay terms
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
# figure out if gcc is available and if so we use it otherwise
|
||||
# we fallback to whatever cc does on the system
|
||||
-GCCVER=`(gcc -dumpversion) 2>/dev/null`
|
||||
+CC="${CC:-gcc}"
|
||||
+GCCVER=`(${CC} -dumpversion) 2>/dev/null`
|
||||
if [ "$GCCVER" != "" ]; then
|
||||
- CC=gcc
|
||||
# then strip off whatever prefix egcs prepends the number with...
|
||||
# Hopefully, this will work for any future prefixes as well.
|
||||
GCCVER=`echo $GCCVER | LC_ALL=C sed 's/^[a-zA-Z]*\-//'`
|
||||
@@ -413,7 +413,7 @@ if [ "$GCCVER" != "" ]; then
|
||||
@@ -409,6 +410,8 @@ if [ "$GCCVER" != "" ]; then
|
||||
# major and minor version numbers.
|
||||
# peak single digit before and after first dot, e.g. 2.95.1 gives 29
|
||||
GCCVER=`echo $GCCVER | sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/'`
|
||||
else
|
||||
- CC=cc
|
||||
+else
|
||||
+ CC="${CC:-cc}"
|
||||
fi
|
||||
|
||||
@ -343,9 +326,9 @@
|
||||
static double results[ALGOR_NUM][SIZE_NUM];
|
||||
-static int lengths[SIZE_NUM]={16,64,256,1024,8*1024};
|
||||
+static int lengths[SIZE_NUM]={16,64,256,1024,2*1024,4*1024};
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
static double rsa_results[RSA_NUM][2];
|
||||
static double dsa_results[DSA_NUM][2];
|
||||
#ifndef OPENSSL_NO_ECDSA
|
||||
#endif
|
||||
@@ -328,6 +328,79 @@ static SIGRETTYPE sig_done(int sig)
|
||||
#define START 0
|
||||
#define STOP 1
|
||||
@ -467,7 +450,7 @@
|
||||
j++;
|
||||
}
|
||||
|
||||
-#ifdef HAVE_FORK
|
||||
-#ifndef NO_FORK
|
||||
- if(multi && do_multi(multi))
|
||||
- goto show_res;
|
||||
-#endif
|
||||
@ -772,15 +755,6 @@
|
||||
static int get_cryptodev_ciphers(const int **cnids);
|
||||
static int get_cryptodev_digests(const int **cnids);
|
||||
static int cryptodev_usable_ciphers(const int **nids);
|
||||
@@ -100,7 +112,7 @@ static int cryptodev_asym(struct crypt_k
|
||||
static int cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a,
|
||||
const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
|
||||
static int cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I,
|
||||
- RSA *rsa);
|
||||
+ RSA *rsa, BN_CTX *ctx);
|
||||
static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
|
||||
static int cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a,
|
||||
const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
|
||||
@@ -130,9 +142,12 @@ static struct {
|
||||
int ivmax;
|
||||
int keylen;
|
||||
@ -1251,15 +1225,6 @@
|
||||
*digest = NULL;
|
||||
break;
|
||||
}
|
||||
@@ -625,7 +942,7 @@ static int
|
||||
bn2crparam(const BIGNUM *a, struct crparam *crp)
|
||||
{
|
||||
int i, j, k;
|
||||
- ssize_t words, bytes, bits;
|
||||
+ ssize_t bytes, bits;
|
||||
u_char *b;
|
||||
|
||||
crp->crp_p = NULL;
|
||||
@@ -637,6 +954,7 @@ bn2crparam(const BIGNUM *a, struct crpar
|
||||
b = malloc(bytes);
|
||||
if (b == NULL)
|
||||
@ -1277,21 +1242,6 @@
|
||||
if (kop->crk_param[i].crp_p)
|
||||
free(kop->crk_param[i].crp_p);
|
||||
kop->crk_param[i].crp_p = NULL;
|
||||
@@ -756,12 +1074,10 @@ err:
|
||||
}
|
||||
|
||||
static int
|
||||
-cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
|
||||
+cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
|
||||
{
|
||||
int r;
|
||||
- BN_CTX *ctx;
|
||||
-
|
||||
- ctx = BN_CTX_new();
|
||||
+ ctx = BN_CTX_new(); /* not sure why we reallocate this. DM */
|
||||
r = cryptodev_bn_mod_exp(r0, I, rsa->d, rsa->n, ctx, NULL);
|
||||
BN_CTX_free(ctx);
|
||||
return (r);
|
||||
--- a/crypto/engine/engine.h
|
||||
+++ b/crypto/engine/engine.h
|
||||
@@ -703,7 +703,7 @@ typedef int (*dynamic_bind_engine)(ENGIN
|
||||
|
@ -1,44 +0,0 @@
|
||||
http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest
|
||||
|
||||
--- a/crypto/pqueue/pqueue.c
|
||||
+++ b/crypto/pqueue/pqueue.c
|
||||
@@ -234,3 +234,17 @@ pqueue_next(pitem **item)
|
||||
|
||||
return ret;
|
||||
}
|
||||
+
|
||||
+int
|
||||
+pqueue_size(pqueue_s *pq)
|
||||
+{
|
||||
+ pitem *item = pq->items;
|
||||
+ int count = 0;
|
||||
+
|
||||
+ while(item != NULL)
|
||||
+ {
|
||||
+ count++;
|
||||
+ item = item->next;
|
||||
+ }
|
||||
+ return count;
|
||||
+}
|
||||
--- a/crypto/pqueue/pqueue.h
|
||||
+++ b/crypto/pqueue/pqueue.h
|
||||
@@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq);
|
||||
pitem *pqueue_next(piterator *iter);
|
||||
|
||||
void pqueue_print(pqueue pq);
|
||||
+int pqueue_size(pqueue pq);
|
||||
|
||||
#endif /* ! HEADER_PQUEUE_H */
|
||||
--- a/ssl/d1_pkt.c
|
||||
+++ b/ssl/d1_pkt.c
|
||||
@@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueu
|
||||
DTLS1_RECORD_DATA *rdata;
|
||||
pitem *item;
|
||||
|
||||
+ /* Limit the size of the queue to prevent DOS attacks */
|
||||
+ if (pqueue_size(queue->q) >= 100)
|
||||
+ return 0;
|
||||
+
|
||||
rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
|
||||
item = pitem_new(priority, rdata);
|
||||
if (rdata == NULL || item == NULL)
|
@ -1,22 +0,0 @@
|
||||
http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest
|
||||
|
||||
--- a/ssl/d1_both.c
|
||||
+++ b/ssl/d1_both.c
|
||||
@@ -561,7 +561,16 @@ dtls1_process_out_of_seq_message(SSL *s,
|
||||
if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
|
||||
goto err;
|
||||
|
||||
- if (msg_hdr->seq <= s->d1->handshake_read_seq)
|
||||
+ /* Try to find item in queue, to prevent duplicate entries */
|
||||
+ pq_64bit_init(&seq64);
|
||||
+ pq_64bit_assign_word(&seq64, msg_hdr->seq);
|
||||
+ item = pqueue_find(s->d1->buffered_messages, seq64);
|
||||
+ pq_64bit_free(&seq64);
|
||||
+
|
||||
+ /* Discard the message if sequence number was already there, is
|
||||
+ * too far in the future or the fragment is already in the queue */
|
||||
+ if (msg_hdr->seq <= s->d1->handshake_read_seq ||
|
||||
+ msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
|
||||
{
|
||||
unsigned char devnull [256];
|
||||
|
@ -1,19 +0,0 @@
|
||||
--- a/ssl/d1_both.c
|
||||
+++ b/ssl/d1_both.c
|
||||
@@ -519,6 +519,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
|
||||
|
||||
if ( s->d1->handshake_read_seq == frag->msg_header.seq)
|
||||
{
|
||||
+ unsigned long frag_len = frag->msg_header.frag_len;
|
||||
pqueue_pop(s->d1->buffered_messages);
|
||||
|
||||
al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
|
||||
@@ -536,7 +537,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
|
||||
if (al==0)
|
||||
{
|
||||
*ok = 1;
|
||||
- return frag->msg_header.frag_len;
|
||||
+ return frag_len;
|
||||
}
|
||||
|
||||
ssl3_send_alert(s,SSL3_AL_FATAL,al);
|
@ -1,53 +0,0 @@
|
||||
http://bugs.gentoo.org/270305
|
||||
|
||||
fix from upstream
|
||||
|
||||
--- a/ssl/d1_both.c
|
||||
+++ b/ssl/d1_both.c
|
||||
@@ -585,30 +585,31 @@ dtls1_process_out_of_seq_message(SSL *s,
|
||||
}
|
||||
}
|
||||
|
||||
- frag = dtls1_hm_fragment_new(frag_len);
|
||||
- if ( frag == NULL)
|
||||
- goto err;
|
||||
+ if (frag_len)
|
||||
+ {
|
||||
+ frag = dtls1_hm_fragment_new(frag_len);
|
||||
+ if ( frag == NULL)
|
||||
+ goto err;
|
||||
|
||||
- memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
|
||||
+ memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
|
||||
|
||||
- if (frag_len)
|
||||
- {
|
||||
- /* read the body of the fragment (header has already been read */
|
||||
+ /* read the body of the fragment (header has already been read) */
|
||||
i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
|
||||
frag->fragment,frag_len,0);
|
||||
if (i<=0 || (unsigned long)i!=frag_len)
|
||||
goto err;
|
||||
- }
|
||||
|
||||
- pq_64bit_init(&seq64);
|
||||
- pq_64bit_assign_word(&seq64, msg_hdr->seq);
|
||||
+ pq_64bit_init(&seq64);
|
||||
+ pq_64bit_assign_word(&seq64, msg_hdr->seq);
|
||||
|
||||
- item = pitem_new(seq64, frag);
|
||||
- pq_64bit_free(&seq64);
|
||||
- if ( item == NULL)
|
||||
- goto err;
|
||||
+ item = pitem_new(seq64, frag);
|
||||
+ pq_64bit_free(&seq64);
|
||||
+ if ( item == NULL)
|
||||
+ goto err;
|
||||
+
|
||||
+ pqueue_insert(s->d1->buffered_messages, item);
|
||||
+ }
|
||||
|
||||
- pqueue_insert(s->d1->buffered_messages, item);
|
||||
return DTLS1_HM_FRAGMENT_RETRY;
|
||||
|
||||
err:
|
@ -1,59 +0,0 @@
|
||||
http://bugs.gentoo.org/280591
|
||||
|
||||
fix from upstream
|
||||
|
||||
http://cvs.openssl.org/chngview?cn=18260
|
||||
|
||||
--- a/crypto/evp/c_alld.c
|
||||
+++ b/crypto/evp/c_alld.c
|
||||
@@ -64,9 +64,6 @@
|
||||
|
||||
void OpenSSL_add_all_digests(void)
|
||||
{
|
||||
-#ifndef OPENSSL_NO_MD2
|
||||
- EVP_add_digest(EVP_md2());
|
||||
-#endif
|
||||
#ifndef OPENSSL_NO_MD4
|
||||
EVP_add_digest(EVP_md4());
|
||||
#endif
|
||||
--- a/crypto/x509/x509_vfy.c
|
||||
+++ b/crypto/x509/x509_vfy.c
|
||||
@@ -986,7 +986,11 @@ static int internal_verify(X509_STORE_CT
|
||||
while (n >= 0)
|
||||
{
|
||||
ctx->error_depth=n;
|
||||
- if (!xs->valid)
|
||||
+
|
||||
+ /* Skip signature check for self signed certificates. It
|
||||
+ * doesn't add any security and just wastes time.
|
||||
+ */
|
||||
+ if (!xs->valid && xs != xi)
|
||||
{
|
||||
if ((pkey=X509_get_pubkey(xi)) == NULL)
|
||||
{
|
||||
@@ -996,13 +1000,6 @@ static int internal_verify(X509_STORE_CT
|
||||
if (!ok) goto end;
|
||||
}
|
||||
else if (X509_verify(xs,pkey) <= 0)
|
||||
- /* XXX For the final trusted self-signed cert,
|
||||
- * this is a waste of time. That check should
|
||||
- * optional so that e.g. 'openssl x509' can be
|
||||
- * used to detect invalid self-signatures, but
|
||||
- * we don't verify again and again in SSL
|
||||
- * handshakes and the like once the cert has
|
||||
- * been declared trusted. */
|
||||
{
|
||||
ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
|
||||
ctx->current_cert=xs;
|
||||
--- a/ssl/ssl_algs.c
|
||||
+++ b/ssl/ssl_algs.c
|
||||
@@ -92,9 +92,6 @@ int SSL_library_init(void)
|
||||
EVP_add_cipher(EVP_seed_cbc());
|
||||
#endif
|
||||
|
||||
-#ifndef OPENSSL_NO_MD2
|
||||
- EVP_add_digest(EVP_md2());
|
||||
-#endif
|
||||
#ifndef OPENSSL_NO_MD5
|
||||
EVP_add_digest(EVP_md5());
|
||||
EVP_add_digest_alias(SN_md5,"ssl2-md5");
|
@ -1,19 +0,0 @@
|
||||
--- a/Configure.rej
|
||||
+++ /dev/null
|
||||
@@ -1,16 +0,0 @@
|
||||
-***************
|
||||
-*** 162,167 ****
|
||||
- "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
|
||||
- "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
|
||||
- "debug-ben-debug", "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -g3 -O2 -pipe::(unknown)::::::",
|
||||
- "debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
|
||||
- "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
|
||||
- "debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -march=i486 -pedantic -Wshadow -Wall -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
|
||||
---- 162,168 ----
|
||||
- "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
|
||||
- "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
|
||||
- "debug-ben-debug", "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -g3 -O2 -pipe::(unknown)::::::",
|
||||
-+ "debug-ben-no-renegotiation", "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DNO_RENEGOTIATION -g3 -O2 -pipe::(unknown)::::::",
|
||||
- "debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
|
||||
- "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
|
||||
- "debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -march=i486 -pedantic -Wshadow -Wall -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
|
Loading…
Reference in New Issue
Block a user