- rel 2; add debian fixes auto/th/openssl-1.0.1e-2
authorArkadiusz Miśkiewicz <arekm@maven.pl>
Fri, 17 May 2013 07:10:45 +0000 (09:10 +0200)
committerArkadiusz Miśkiewicz <arekm@maven.pl>
Fri, 17 May 2013 07:10:45 +0000 (09:10 +0200)
aesni-mac.patch [new file with mode: 0644]
cpuid.patch [new file with mode: 0644]
default_bits.patch [new file with mode: 0644]
dtls_version.patch [new file with mode: 0644]
get_certificate.patch [new file with mode: 0644]
openssl.spec
pic.patch [new file with mode: 0644]
stddef.patch [new file with mode: 0644]

diff --git a/aesni-mac.patch b/aesni-mac.patch
new file mode 100644 (file)
index 0000000..7bb5345
--- /dev/null
@@ -0,0 +1,26 @@
+From: Andy Polyakov <appro@openssl.org>
+Date: Mon, 18 Mar 2013 19:29:41 +0100
+Subject: e_aes_cbc_hmac_sha1.c: fix rare bad record mac on AES-NI plaforms.
+Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=9ab3ce124616cb12bd39c6aa1e1bde0f46969b29
+Bug-Debian: http://bugs.debian.org/701868
+Bug: http://rt.openssl.org/Ticket/Display.html?id=3002&user=guest&pass=guest
+
+diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c
+index 483e04b..fb2c884 100644
+--- a/crypto/evp/e_aes_cbc_hmac_sha1.c
++++ b/crypto/evp/e_aes_cbc_hmac_sha1.c
+@@ -328,10 +328,11 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                               if (res!=SHA_CBLOCK) continue;
+-                              mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
++                              /* j is not incremented yet */
++                              mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1));
+                               data->u[SHA_LBLOCK-1] |= bitlen&mask;
+                               sha1_block_data_order(&key->md,data,1);
+-                              mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
++                              mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1));
+                               pmac->u[0] |= key->md.h0 & mask;
+                               pmac->u[1] |= key->md.h1 & mask;
+                               pmac->u[2] |= key->md.h2 & mask;
+
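Review bot: The added comment `/* j is not incremented yet */` sits above only the first corrected constant (`inp_len+7-j`), while the second correction, `j-inp_len-72`, is two statements further down and reads as an unrelated magic number. Presumably both constants shift by one for the same reason, so the comment could be widened to cover them, e.g. `/* j is not incremented yet: hence +7 here and -72 below */`. These masks are derived by shifting rather than by comparison, and the surrounding code looks deliberately branch-free, so a short comment saying that must be preserved would protect it from a later "simplification". The loop body starts and ends outside this hunk.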
diff --git a/cpuid.patch b/cpuid.patch
new file mode 100644 (file)
index 0000000..4e37491
--- /dev/null
@@ -0,0 +1,27 @@
+From: Andy Polyakov <appro@openssl.org>
+Date: Mon, 4 Mar 2013 19:05:04 +0000 (+0100)
+Subject: x86cpuid.pl: make it work with older CPUs.
+Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=5702e965d759dde8a098d8108660721ba2b93a7d
+Bug-Debian: http://bugs.debian.org/699692
+Bug: http://rt.openssl.org/Ticket/Display.html?id=3005&user=guest&pass=guest
+
+diff --git a/crypto/x86cpuid.pl b/crypto/x86cpuid.pl
+index 3b6c469..e8a7518 100644
+--- a/crypto/x86cpuid.pl
++++ b/crypto/x86cpuid.pl
+@@ -69,6 +69,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+       &inc    ("esi");                # number of cores
+       &mov    ("eax",1);
++      &xor    ("ecx","ecx");
+       &cpuid  ();
+       &bt     ("edx",28);
+       &jnc    (&label("generic"));
+@@ -102,6 +103,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+ &set_label("nocacheinfo");
+       &mov    ("eax",1);
++      &xor    ("ecx","ecx");
+       &cpuid  ();
+       &and    ("edx",0xbfefffff);     # force reserved bits #20, #30 to 0
+       &cmp    ("ebp",0);
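Review bot: The two added `&xor ("ecx","ecx");` lines, one before each `&cpuid ();` that follows `&mov ("eax",1);`, carry no comment, although neighbouring lines do. The only rationale is the patch subject ("make it work with older CPUs"). Presumably the register is cleared because some older CPUs leave ecx unwritten for this leaf, so stale contents would be read as capability bits; if that is the reason, a trailing comment such as `# older CPUs may leave ecx untouched` would keep the instruction from being dropped as redundant. Both inner hunks cut through routines whose beginning and end are not shown.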
diff --git a/default_bits.patch b/default_bits.patch
new file mode 100644 (file)
index 0000000..8e7e416
--- /dev/null
@@ -0,0 +1,11 @@
+--- openssl/apps/openssl.cnf   2012-06-06 00:51:47.000000000 +0200
++++ openssl/apps/openssl.cnf   2012-06-06 00:53:48.000000000 +0200
+@@ -105,7 +105,7 @@
+ ####################################################################
+ [ req ]
+-default_bits          = 1024
++default_bits          = 2048
+ default_keyfile       = privkey.pem
+ distinguished_name    = req_distinguished_name
+ attributes            = req_attributes
diff --git a/dtls_version.patch b/dtls_version.patch
new file mode 100644 (file)
index 0000000..1537868
--- /dev/null
@@ -0,0 +1,25 @@
+From: David Woodhouse <dwmw2@infradead.org>
+Date: Tue, 12 Feb 2013 14:55:32 +0000
+Subject: Check DTLS_BAD_VER for version number.
+Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=9fe4603b8245425a4c46986ed000fca054231253
+Bug-Debian: http://bugs.debian.org/701826
+Bug: http://rt.openssl.org/Ticket/Display.html?id=2984&user=guest&pass=guest
+
+The version check for DTLS1_VERSION was redundant as
+DTLS1_VERSION > TLS1_1_VERSION, however we do need to
+check for DTLS1_BAD_VER for compatibility.
+
+diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
+index 02edf3f..443a31e 100644
+--- a/ssl/s3_cbc.c
++++ b/ssl/s3_cbc.c
+@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
+       unsigned padding_length, good, to_check, i;
+       const unsigned overhead = 1 /* padding length byte */ + mac_size;
+       /* Check if version requires explicit IV */
+-      if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
++      if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
+               {
+               /* These lengths are all public so we can test them in
+                * non-constant time.
+
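Review bot: The new test `s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER` depends on DTLS1_VERSION comparing greater than TLS1_1_VERSION, and only the patch description says so; the code comment still reads just "Check if version requires explicit IV". A comment at the condition, for example `/* DTLS1_VERSION is covered by the >= test; DTLS1_BAD_VER is not and must be named */`, would stop a later reader from deleting the second clause or re-adding the old one. Because this branch decides how much of the record is treated as IV before padding is checked, the ordering assumption is worth stating where the code relies on it. The body of tls1_cbc_remove_padding continues past the end of the hunk.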
diff --git a/get_certificate.patch b/get_certificate.patch
new file mode 100644 (file)
index 0000000..69ca7d9
--- /dev/null
@@ -0,0 +1,27 @@
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Mon, 11 Feb 2013 18:24:03 +0000
+Subject: Fix for SSL_get_certificate
+Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=147dbb2fe3bead7a10e2f280261b661ce7af7adc
+Bug-Debian: http://bugs.debian.org/703031
+
+
+Now we set the current certificate to the one used by a server
+there is no need to call ssl_get_server_send_cert which will
+fail if we haven't sent a certificate yet.
+
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 14d143d..ff5a85a 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s)
+ /* Fix this function so that it takes an optional type parameter */
+ X509 *SSL_get_certificate(const SSL *s)
+       {
+-      if (s->server)
+-              return(ssl_get_server_send_cert(s));
+-      else if (s->cert != NULL)
++      if (s->cert != NULL)
+               return(s->cert->key->x509);
+       else
+               return(NULL);
+
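Review bot: With the server branch removed, every caller now reaches `return(s->cert->key->x509);`, which checks `s->cert` but dereferences `s->cert->key` unguarded. Whether `key` can be NULL is not visible in this hunk; if the CERT set-up code guarantees it, a one-line comment saying so would help, otherwise the condition should read `if (s->cert != NULL && s->cert->key != NULL)`. The description's premise, that the current certificate is already set to the one a server uses, lives in code outside this patch, so it should be confirmed against the 1.0.1e tree this package builds.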
index 932f8ff9820b5934dd74d5ab1077bf1344407677..40a65e9ccc384f7e6ac7cfd9e048f698fdf95de1 100644 (file)
@@ -17,7 +17,7 @@ Summary(ru.UTF-8):    Библиотеки и утилиты для соедине
 Summary(uk.UTF-8):     Бібліотеки та утиліти для з'єднань через Secure Sockets Layer
 Name:          openssl
 Version:       1.0.1e
-Release:       1
+Release:       2
 License:       Apache-like
 Group:         Libraries
 Source0:       ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
@@ -33,6 +33,16 @@ Patch4:              %{name}-man-namespace.patch
 Patch5:                %{name}-asflag.patch
 Patch6:                %{name}-ca-certificates.patch
 Patch7:                %{name}-ldflags.patch
+
+# from debian
+Patch10:       aesni-mac.patch
+Patch11:       cpuid.patch
+Patch12:       default_bits.patch
+Patch13:       dtls_version.patch
+Patch14:       get_certificate.patch
+Patch15:       pic.patch
+Patch16:       stddef.patch
+
 URL:           http://www.openssl.org/
 BuildRequires: bc
 BuildRequires: perl-devel >= 1:5.6.1
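Review bot: The single `# from debian` comment is the only provenance recorded for seven patches, two of which (Patch10 and Patch13) change TLS record MAC and CBC padding handling. Someone auditing which upstream fixes a build contains has to open each patch file to find out. A per-patch comment carrying the origin already present in the patch headers would make that visible in the spec, e.g. `# upstream 9ab3ce12, Debian #701868` above Patch10 and `# upstream 9fe4603b, Debian #701826` above Patch13. pic.patch and stddef.patch have no origin header at all, and their `Index:` lines name openssl-1.0.1c and openssl-0.9.8k, so they deserve a note saying they were checked against 1.0.1e.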
@@ -245,6 +255,14 @@ RC4, RSA и SSL. Включает статические библиотеки д
 %patch6 -p1
 %patch7 -p1
 
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+
 sed -i -e 's|\$prefix/\$libdir/engines|/%{_lib}/engines|g' Configure
 
 %build
diff --git a/pic.patch b/pic.patch
new file mode 100644 (file)
index 0000000..2f13e57
--- /dev/null
+++ b/pic.patch
@@ -0,0 +1,175 @@
+Index: openssl-1.0.1c/crypto/des/asm/desboth.pl
+===================================================================
+--- openssl-1.0.1c.orig/crypto/des/asm/desboth.pl      2001-10-24 23:20:56.000000000 +0200
++++ openssl-1.0.1c/crypto/des/asm/desboth.pl   2012-07-29 14:15:26.000000000 +0200
+@@ -16,6 +16,11 @@
+       &push("edi");
++      &call   (&label("pic_point0"));
++      &set_label("pic_point0");
++      &blindpop("ebp");
++      &add    ("ebp", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]");
++
+       &comment("");
+       &comment("Load the data words");
+       &mov($L,&DWP(0,"ebx","",0));
+@@ -47,15 +52,21 @@
+       &mov(&swtmp(2), (DWC(($enc)?"1":"0")));
+       &mov(&swtmp(1), "eax");
+       &mov(&swtmp(0), "ebx");
+-      &call("DES_encrypt2");
++      &exch("ebx", "ebp");
++      &call("DES_encrypt2\@PLT");
++      &exch("ebx", "ebp");
+       &mov(&swtmp(2), (DWC(($enc)?"0":"1")));
+       &mov(&swtmp(1), "edi");
+       &mov(&swtmp(0), "ebx");
+-      &call("DES_encrypt2");
++      &exch("ebx", "ebp");
++      &call("DES_encrypt2\@PLT");
++      &exch("ebx", "ebp");
+       &mov(&swtmp(2), (DWC(($enc)?"1":"0")));
+       &mov(&swtmp(1), "esi");
+       &mov(&swtmp(0), "ebx");
+-      &call("DES_encrypt2");
++      &exch("ebx", "ebp");
++      &call("DES_encrypt2\@PLT");
++      &exch("ebx", "ebp");
+       &stack_pop(3);
+       &mov($L,&DWP(0,"ebx","",0));
+Index: openssl-1.0.1c/crypto/perlasm/cbc.pl
+===================================================================
+--- openssl-1.0.1c.orig/crypto/perlasm/cbc.pl  2011-07-13 08:22:46.000000000 +0200
++++ openssl-1.0.1c/crypto/perlasm/cbc.pl       2012-07-29 14:15:26.000000000 +0200
+@@ -122,7 +122,11 @@
+       &mov(&DWP($data_off,"esp","",0),        "eax"); # put in array for call
+       &mov(&DWP($data_off+4,"esp","",0),      "ebx"); #
+-      &call($enc_func);
++      &call   (&label("pic_point0"));
++      &set_label("pic_point0");
++      &blindpop("ebx");
++      &add    ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]");
++      &call("$enc_func\@PLT");
+       &mov("eax",     &DWP($data_off,"esp","",0));
+       &mov("ebx",     &DWP($data_off+4,"esp","",0));
+@@ -185,7 +189,11 @@
+       &mov(&DWP($data_off,"esp","",0),        "eax"); # put in array for call
+       &mov(&DWP($data_off+4,"esp","",0),      "ebx"); #
+-      &call($enc_func);
++      &call   (&label("pic_point1"));
++      &set_label("pic_point1");
++      &blindpop("ebx");
++      &add    ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point1") . "]");
++      &call("$enc_func\@PLT");
+       &mov("eax",     &DWP($data_off,"esp","",0));
+       &mov("ebx",     &DWP($data_off+4,"esp","",0));
+@@ -218,7 +226,11 @@
+       &mov(&DWP($data_off,"esp","",0),        "eax"); # put back
+       &mov(&DWP($data_off+4,"esp","",0),      "ebx"); #
+-      &call($dec_func);
++      &call   (&label("pic_point2"));
++      &set_label("pic_point2");
++      &blindpop("ebx");
++      &add    ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point2") . "]");
++      &call("$dec_func\@PLT");
+       &mov("eax",     &DWP($data_off,"esp","",0));    # get return
+       &mov("ebx",     &DWP($data_off+4,"esp","",0));  #
+@@ -261,7 +273,11 @@
+       &mov(&DWP($data_off,"esp","",0),        "eax"); # put back
+       &mov(&DWP($data_off+4,"esp","",0),      "ebx"); #
+-      &call($dec_func);
++      &call   (&label("pic_point3"));
++      &set_label("pic_point3");
++      &blindpop("ebx");
++      &add    ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point3") . "]");
++      &call("$dec_func\@PLT");
+       &mov("eax",     &DWP($data_off,"esp","",0));    # get return
+       &mov("ebx",     &DWP($data_off+4,"esp","",0));  #
+Index: openssl-1.0.1c/crypto/perlasm/x86gas.pl
+===================================================================
+--- openssl-1.0.1c.orig/crypto/perlasm/x86gas.pl       2011-12-09 20:16:35.000000000 +0100
++++ openssl-1.0.1c/crypto/perlasm/x86gas.pl    2012-07-29 14:15:26.000000000 +0200
+@@ -161,6 +161,7 @@
+       if ($::macosx)  { push (@out,"$tmp,2\n"); }
+       elsif ($::elf)  { push (@out,"$tmp,4\n"); }
+       else            { push (@out,"$tmp\n"); }
++      if ($::elf)     { push (@out,".hidden\tOPENSSL_ia32cap_P\n"); }
+     }
+     push(@out,$initseg) if ($initseg);
+ }
+@@ -218,8 +219,23 @@
+     elsif ($::elf)
+     { $initseg.=<<___;
+ .section      .init
++___
++        if ($::pic)
++      {   $initseg.=<<___;
++      pushl   %ebx
++      call    .pic_point0
++.pic_point0:
++      popl    %ebx
++      addl    \$_GLOBAL_OFFSET_TABLE_+[.-.pic_point0],%ebx
++      call    $f\@PLT
++      popl    %ebx
++___
++      }
++      else
++      {   $initseg.=<<___;
+       call    $f
+ ___
++      }
+     }
+     elsif ($::coff)
+     {   $initseg.=<<___;      # applies to both Cygwin and Mingw
+Index: openssl-1.0.1c/crypto/x86cpuid.pl
+===================================================================
+--- openssl-1.0.1c.orig/crypto/x86cpuid.pl     2012-02-28 15:20:34.000000000 +0100
++++ openssl-1.0.1c/crypto/x86cpuid.pl  2012-07-29 14:15:26.000000000 +0200
+@@ -8,6 +8,8 @@
+ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
++push(@out, ".hidden OPENSSL_ia32cap_P\n");
++
+ &function_begin("OPENSSL_ia32_cpuid");
+       &xor    ("edx","edx");
+       &pushf  ();
+@@ -139,9 +141,7 @@
+ &set_label("nocpuid");
+ &function_end("OPENSSL_ia32_cpuid");
+-&external_label("OPENSSL_ia32cap_P");
+-
+-&function_begin_B("OPENSSL_rdtsc","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
++&function_begin_B("OPENSSL_rdtsc");
+       &xor    ("eax","eax");
+       &xor    ("edx","edx");
+       &picmeup("ecx","OPENSSL_ia32cap_P");
+@@ -155,7 +155,7 @@
+ # This works in Ring 0 only [read DJGPP+MS-DOS+privileged DPMI host],
+ # but it's safe to call it on any [supported] 32-bit platform...
+ # Just check for [non-]zero return value...
+-&function_begin_B("OPENSSL_instrument_halt","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
++&function_begin_B("OPENSSL_instrument_halt");
+       &picmeup("ecx","OPENSSL_ia32cap_P");
+       &bt     (&DWP(0,"ecx"),4);
+       &jnc    (&label("nohalt"));     # no TSC
+@@ -222,7 +222,7 @@
+       &ret    ();
+ &function_end_B("OPENSSL_far_spin");
+-&function_begin_B("OPENSSL_wipe_cpu","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
++&function_begin_B("OPENSSL_wipe_cpu");
+       &xor    ("eax","eax");
+       &xor    ("edx","edx");
+       &picmeup("ecx","OPENSSL_ia32cap_P");
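Review bot: In the x86cpuid.pl part, `push(@out, ".hidden OPENSSL_ia32cap_P\n");` is emitted unconditionally, whereas the same directive in the x86gas.pl part is guarded with `if ($::elf)`. Likewise the `DES_encrypt2\@PLT` and `$enc_func\@PLT` calls in desboth.pl and cbc.pl are not conditional on `$::pic`, although the `.init` stub in x86gas.pl is. For an ELF-only PIC build this is probably harmless, but the patch then silently breaks other assembler flavours, and it also drops the `EXTRN` declarations they used. If `$::elf` is already set at that point in x86cpuid.pl (the lines before it are not shown), `push(@out, ".hidden OPENSSL_ia32cap_P\n") if ($::elf);` would match the x86gas.pl hunk. Otherwise a comment should state that the patch assumes ELF/PIC output.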
diff --git a/stddef.patch b/stddef.patch
new file mode 100644 (file)
index 0000000..bb65b23
--- /dev/null
@@ -0,0 +1,12 @@
+Index: openssl-0.9.8k/crypto/sha/sha.h
+===================================================================
+--- openssl-0.9.8k.orig/crypto/sha/sha.h       2008-09-16 12:47:28.000000000 +0200
++++ openssl-0.9.8k/crypto/sha/sha.h    2009-07-19 11:36:28.000000000 +0200
+@@ -59,6 +59,7 @@
+ #ifndef HEADER_SHA_H
+ #define HEADER_SHA_H
++#include <stddef.h>
+ #include <openssl/e_os2.h>
+ #include <stddef.h>
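Review bot: The added `#include <stddef.h>` lands two lines above a context line that is already `#include <stddef.h>`, directly after `<openssl/e_os2.h>`, so on the tree this patch's context matches the header ends up including it twice. That is harmless, but it suggests the patch is redundant; its `Index:` line names openssl-0.9.8k, not the 1.0.1e being packaged. It is worth checking whether Patch16 can be dropped, or else adding a comment in the spec saying why the earlier include position is needed.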