rpms/openssl/F-12 openssl-1.0.0-beta4-dtls-ipv6.patch, NONE, 1.1 openssl-1.0.0-beta4-reneg-err.patch, NONE, 1.1 openssl.spec, 1.147, 1.148
Tomáš Mráz
tmraz at fedoraproject.org
Tue Dec 15 18:12:29 UTC 2009
Author: tmraz
Update of /cvs/pkgs/rpms/openssl/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv6987
Modified Files:
openssl.spec
Added Files:
openssl-1.0.0-beta4-dtls-ipv6.patch
openssl-1.0.0-beta4-reneg-err.patch
Log Message:
* Mon Nov 23 2009 Tomas Mraz <tmraz at redhat.com> 1.0.0-0.16.beta4
- fix non-fips mingw build (patch by Kalev Lember)
- add IPV6 fix for DTLS
openssl-1.0.0-beta4-dtls-ipv6.patch:
b_sock.c | 3 -
bss_dgram.c | 139 +++++++++++++++++++++++++++++++++++-------------------------
2 files changed, 84 insertions(+), 58 deletions(-)
--- NEW FILE openssl-1.0.0-beta4-dtls-ipv6.patch ---
diff -up openssl-1.0.0-beta4/crypto/bio/b_sock.c.dtls-ipv6 openssl-1.0.0-beta4/crypto/bio/b_sock.c
--- openssl-1.0.0-beta4/crypto/bio/b_sock.c.dtls-ipv6 2009-11-09 15:09:53.000000000 +0100
+++ openssl-1.0.0-beta4/crypto/bio/b_sock.c 2009-11-23 08:50:45.000000000 +0100
@@ -822,7 +822,8 @@ int BIO_accept(int sock, char **addr)
if (sizeof(sa.len.i)!=sizeof(sa.len.s) && sa.len.i==0)
{
OPENSSL_assert(sa.len.s<=sizeof(sa.from));
- sa.len.i = (unsigned int)sa.len.s;
+ sa.len.i = (int)sa.len.s;
+ /* use sa.len.i from this point */
}
if (ret == INVALID_SOCKET)
{
diff -up openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.dtls-ipv6 openssl-1.0.0-beta4/crypto/bio/bss_dgram.c
--- openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.dtls-ipv6 2009-10-15 19:41:44.000000000 +0200
+++ openssl-1.0.0-beta4/crypto/bio/bss_dgram.c 2009-11-23 08:50:45.000000000 +0100
@@ -108,11 +108,13 @@ static BIO_METHOD methods_dgramp=
typedef struct bio_dgram_data_st
{
+ union {
+ struct sockaddr sa;
+ struct sockaddr_in sa_in;
#if OPENSSL_USE_IPV6
- struct sockaddr_storage peer;
-#else
- struct sockaddr_in peer;
+ struct sockaddr_in6 sa_in6;
#endif
+ } peer;
unsigned int connected;
unsigned int _errno;
unsigned int mtu;
@@ -278,28 +280,38 @@ static int dgram_read(BIO *b, char *out,
int ret=0;
bio_dgram_data *data = (bio_dgram_data *)b->ptr;
+ struct {
+ /*
+ * See commentary in b_sock.c. <appro>
+ */
+ union { size_t s; int i; } len;
+ union {
+ struct sockaddr sa;
+ struct sockaddr_in sa_in;
#if OPENSSL_USE_IPV6
- struct sockaddr_storage peer;
-#else
- struct sockaddr_in peer;
+ struct sockaddr_in6 sa_in6;
#endif
- int peerlen = sizeof(peer);
+ } peer;
+ } sa;
+
+ sa.len.s=0;
+ sa.len.i=sizeof(sa.peer);
if (out != NULL)
{
clear_socket_error();
- memset(&peer, 0x00, peerlen);
- /* Last arg in recvfrom is signed on some platforms and
- * unsigned on others. It is of type socklen_t on some
- * but this is not universal. Cast to (void *) to avoid
- * compiler warnings.
- */
+ memset(&sa.peer, 0x00, sizeof(sa.peer));
dgram_adjust_rcv_timeout(b);
- ret=recvfrom(b->num,out,outl,0,(struct sockaddr *)&peer,(void *)&peerlen);
+ ret=recvfrom(b->num,out,outl,0,&sa.peer.sa,(void *)&sa.len);
+ if (sizeof(sa.len.i)!=sizeof(sa.len.s) && sa.len.i==0)
+ {
+ OPENSSL_assert(sa.len.s<=sizeof(sa.peer));
+ sa.len.i = (int)sa.len.s;
+ }
dgram_reset_rcv_timeout(b);
if ( ! data->connected && ret >= 0)
- BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &peer);
+ BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &sa.peer);
BIO_clear_retry_flags(b);
if (ret < 0)
@@ -323,25 +335,10 @@ static int dgram_write(BIO *b, const cha
if ( data->connected )
ret=writesocket(b->num,in,inl);
else
-#if OPENSSL_USE_IPV6
- if (data->peer.ss_family == AF_INET)
#if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK)
- ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in));
+ ret=sendto(b->num, (char *)in, inl, 0, &data->peer.sa, sizeof(data->peer));
#else
- ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in));
-#endif
- else
-#if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK)
- ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in6));
-#else
- ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in6));
-#endif
-#else
-#if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK)
- ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in));
-#else
- ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in));
-#endif
+ ret=sendto(b->num, in, inl, 0, &data->peer.sa, sizeof(data->peer));
#endif
BIO_clear_retry_flags(b);
@@ -428,11 +425,20 @@ static long dgram_ctrl(BIO *b, int cmd,
else
{
#endif
+ switch (to->sa_family)
+ {
+ case AF_INET:
+ memcpy(&data->peer,to,sizeof(data->peer.sa_in));
+ break;
#if OPENSSL_USE_IPV6
- memcpy(&(data->peer),to, sizeof(struct sockaddr_storage));
-#else
- memcpy(&(data->peer),to, sizeof(struct sockaddr_in));
-#endif
+ case AF_INET6:
+ memcpy(&data->peer,to,sizeof(data->peer.sa_in6));
+ break;
+#endif
+ default:
+ memcpy(&data->peer,to,sizeof(data->peer.sa));
+ break;
+ }
#if 0
}
#endif
@@ -537,41 +543,60 @@ static long dgram_ctrl(BIO *b, int cmd,
if ( to != NULL)
{
data->connected = 1;
+ switch (to->sa_family)
+ {
+ case AF_INET:
+ memcpy(&data->peer,to,sizeof(data->peer.sa_in));
+ break;
#if OPENSSL_USE_IPV6
- memcpy(&(data->peer),to, sizeof(struct sockaddr_storage));
-#else
- memcpy(&(data->peer),to, sizeof(struct sockaddr_in));
-#endif
+ case AF_INET6:
+ memcpy(&data->peer,to,sizeof(data->peer.sa_in6));
+ break;
+#endif
+ default:
+ memcpy(&data->peer,to,sizeof(data->peer.sa));
+ break;
+ }
}
else
{
data->connected = 0;
-#if OPENSSL_USE_IPV6
- memset(&(data->peer), 0x00, sizeof(struct sockaddr_storage));
-#else
- memset(&(data->peer), 0x00, sizeof(struct sockaddr_in));
-#endif
+ memset(&(data->peer), 0x00, sizeof(data->peer));
}
break;
case BIO_CTRL_DGRAM_GET_PEER:
to = (struct sockaddr *) ptr;
-
+ switch (to->sa_family)
+ {
+ case AF_INET:
+ memcpy(to,&data->peer,(ret=sizeof(data->peer.sa_in)));
+ break;
#if OPENSSL_USE_IPV6
- memcpy(to, &(data->peer), sizeof(struct sockaddr_storage));
- ret = sizeof(struct sockaddr_storage);
-#else
- memcpy(to, &(data->peer), sizeof(struct sockaddr_in));
- ret = sizeof(struct sockaddr_in);
-#endif
+ case AF_INET6:
+ memcpy(to,&data->peer,(ret=sizeof(data->peer.sa_in6)));
+ break;
+#endif
+ default:
+ memcpy(to,&data->peer,(ret=sizeof(data->peer.sa)));
+ break;
+ }
break;
case BIO_CTRL_DGRAM_SET_PEER:
to = (struct sockaddr *) ptr;
-
+ switch (to->sa_family)
+ {
+ case AF_INET:
+ memcpy(&data->peer,to,sizeof(data->peer.sa_in));
+ break;
#if OPENSSL_USE_IPV6
- memcpy(&(data->peer), to, sizeof(struct sockaddr_storage));
-#else
- memcpy(&(data->peer), to, sizeof(struct sockaddr_in));
-#endif
+ case AF_INET6:
+ memcpy(&data->peer,to,sizeof(data->peer.sa_in6));
+ break;
+#endif
+ default:
+ memcpy(&data->peer,to,sizeof(data->peer.sa));
+ break;
+ }
break;
case BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT:
memcpy(&(data->next_timeout), ptr, sizeof(struct timeval));
openssl-1.0.0-beta4-reneg-err.patch:
s23_srvr.c | 5 +++++
ssl.h | 3 +++
ssl_err.c | 3 +++
t1_lib.c | 4 ++++
4 files changed, 15 insertions(+)
--- NEW FILE openssl-1.0.0-beta4-reneg-err.patch ---
Better error reporting for unsafe renegotiation.
diff -up openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err openssl-1.0.0-beta4/ssl/ssl_err.c
--- openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err 2009-11-09 19:45:42.000000000 +0100
+++ openssl-1.0.0-beta4/ssl/ssl_err.c 2009-11-20 17:56:57.000000000 +0100
@@ -226,7 +226,9 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"},
{ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"},
{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"},
+{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT), "SSL_PARSE_CLIENTHELLO_TLSEXT"},
{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"},
+{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT), "SSL_PARSE_SERVERHELLO_TLSEXT"},
{ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"},
{ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT), "SSL_PREPARE_CLIENTHELLO_TLSEXT"},
{ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT), "SSL_PREPARE_SERVERHELLO_TLSEXT"},
@@ -526,6 +528,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
{ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
{ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION) ,"unknown ssl version"},
{ERR_REASON(SSL_R_UNKNOWN_STATE) ,"unknown state"},
+{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"},
{ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"},
{ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
{ERR_REASON(SSL_R_UNSUPPORTED_DIGEST_TYPE),"unsupported digest type"},
diff -up openssl-1.0.0-beta4/ssl/ssl.h.reneg-err openssl-1.0.0-beta4/ssl/ssl.h
--- openssl-1.0.0-beta4/ssl/ssl.h.reneg-err 2009-11-12 15:17:29.000000000 +0100
+++ openssl-1.0.0-beta4/ssl/ssl.h 2009-11-20 17:56:57.000000000 +0100
@@ -1934,7 +1934,9 @@ void ERR_load_SSL_strings(void);
#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
#define SSL_F_SSL_NEW 186
#define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 300
+#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 302
#define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 301
+#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 303
#define SSL_F_SSL_PEEK 270
#define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT 281
#define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT 282
@@ -2231,6 +2233,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253
#define SSL_R_UNKNOWN_SSL_VERSION 254
#define SSL_R_UNKNOWN_STATE 255
+#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 338
#define SSL_R_UNSUPPORTED_CIPHER 256
#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257
#define SSL_R_UNSUPPORTED_DIGEST_TYPE 326
diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err openssl-1.0.0-beta4/ssl/s23_srvr.c
--- openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err 2009-11-12 15:17:29.000000000 +0100
+++ openssl-1.0.0-beta4/ssl/s23_srvr.c 2009-11-20 17:57:23.000000000 +0100
@@ -497,6 +497,11 @@ int ssl23_get_client_hello(SSL *s)
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
goto err;
#else
+ if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+ {
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+ goto err;
+ }
/* we are talking sslv2 */
/* we need to clean up the SSLv3/TLSv1 setup and put in the
* sslv2 stuff. */
diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err openssl-1.0.0-beta4/ssl/t1_lib.c
--- openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err 2009-11-18 14:04:19.000000000 +0100
+++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-20 17:56:57.000000000 +0100
@@ -636,6 +636,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
{
/* We should always see one extension: the renegotiate extension */
*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
return 0;
}
return 1;
@@ -965,6 +966,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
if (s->new_session && !renegotiate_seen
&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
{
+ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
return 0;
}
@@ -993,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
{
/* We should always see one extension: the renegotiate extension */
*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
return 0;
}
#endif
@@ -1133,6 +1136,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
&& !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
{
*al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */
+ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
return 0;
}
#endif
Index: openssl.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openssl/F-12/openssl.spec,v
retrieving revision 1.147
retrieving revision 1.148
diff -u -p -r1.147 -r1.148
--- openssl.spec 18 Nov 2009 14:03:10 -0000 1.147
+++ openssl.spec 15 Dec 2009 18:12:29 -0000 1.148
@@ -23,7 +23,7 @@
Summary: A general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.0.0
-Release: 0.13.%{beta}%{?dist}
+Release: 0.16.%{beta}%{?dist}
# We remove certain patented algorithms from the openssl source tarball
# with the hobble-openssl script which is included below.
Source: openssl-%{version}-%{beta}-usa.tar.bz2
@@ -66,6 +66,8 @@ Patch60: openssl-1.0.0-beta4-reneg.patch
# This one is not backported but has to be applied after reneg patch
Patch61: openssl-1.0.0-beta4-client-reneg.patch
Patch62: openssl-1.0.0-beta4-backports.patch
+Patch63: openssl-1.0.0-beta4-reneg-err.patch
+Patch64: openssl-1.0.0-beta4-dtls-ipv6.patch
License: OpenSSL
Group: System Environment/Libraries
@@ -148,6 +150,8 @@ from other formats to the formats used b
%patch60 -p1 -b .reneg
%patch61 -p1 -b .client-reneg
%patch62 -p1 -b .backports
+%patch63 -p1 -b .reneg-err
+%patch64 -p1 -b .dtls-ipv6
# Modify the various perl scripts to reference perl in the right location.
perl util/perlpath.pl `dirname %{__perl}`
@@ -181,7 +185,7 @@ sslarch=linux-alpha-gcc
sslarch="linux-generic32 -DB_ENDIAN"
%endif
%ifarch s390x
-sslarch="linux-generic64 -DB_ENDIAN"
+sslarch="linux-s390x"
%endif
%ifarch %{arm} sh3 sh4
sslarch=linux-generic32
@@ -396,6 +400,16 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipsca
%postun -p /sbin/ldconfig
%changelog
+* Mon Nov 23 2009 Tomas Mraz <tmraz at redhat.com> 1.0.0-0.16.beta4
+- fix non-fips mingw build (patch by Kalev Lember)
+- add IPV6 fix for DTLS
+
+* Fri Nov 20 2009 Tomas Mraz <tmraz at redhat.com> 1.0.0-0.15.beta4
+- add better error reporting for the unsafe renegotiation
+
+* Fri Nov 20 2009 Tomas Mraz <tmraz at redhat.com> 1.0.0-0.14.beta4
+- fix build on s390x
+
* Wed Nov 18 2009 Tomas Mraz <tmraz at redhat.com> 1.0.0-0.13.beta4
- disable enforcement of the renegotiation extension on the client (#537962)
- add fixes from the current upstream snapshot
More information about the fedora-extras-commits
mailing list