From 3b0168a635a29adc92556e2f25a442ebf20ff4b4 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Arkadiusz=20Mi=C5=9Bkiewicz?= Date: Sun, 19 Jan 2014 01:20:56 +0100 Subject: [PATCH] - up to 1.0.1f; fixes CVE-2013-4353, CVE-2013-6449, CVE-2013-6450 --- aesni-mac.patch | 26 --- dtls_version.patch | 25 --- get_certificate.patch | 27 --- openssl-find.patch | 61 ++++++ openssl-pod.patch | 460 ++++++++++++++++++++++++++++++++++++++++++ openssl.spec | 24 +-- 6 files changed, 531 insertions(+), 92 deletions(-) delete mode 100644 aesni-mac.patch delete mode 100644 dtls_version.patch delete mode 100644 get_certificate.patch create mode 100644 openssl-find.patch create mode 100644 openssl-pod.patch diff --git a/aesni-mac.patch b/aesni-mac.patch deleted file mode 100644 index 7bb5345..0000000 --- a/aesni-mac.patch +++ /dev/null @@ -1,26 +0,0 @@ -From: Andy Polyakov -Date: Mon, 18 Mar 2013 19:29:41 +0100 -Subject: e_aes_cbc_hmac_sha1.c: fix rare bad record mac on AES-NI plaforms. -Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=9ab3ce124616cb12bd39c6aa1e1bde0f46969b29 -Bug-Debian: http://bugs.debian.org/701868 -Bug: http://rt.openssl.org/Ticket/Display.html?id=3002&user=guest&pass=guest - -diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c -index 483e04b..fb2c884 100644 ---- a/crypto/evp/e_aes_cbc_hmac_sha1.c -+++ b/crypto/evp/e_aes_cbc_hmac_sha1.c -@@ -328,10 +328,11 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - - if (res!=SHA_CBLOCK) continue; - -- mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1)); -+ /* j is not incremented yet */ -+ mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1)); - data->u[SHA_LBLOCK-1] |= bitlen&mask; - sha1_block_data_order(&key->md,data,1); -- mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1)); -+ mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1)); - pmac->u[0] |= key->md.h0 & mask; - pmac->u[1] |= key->md.h1 & mask; - pmac->u[2] |= key->md.h2 & mask; - 
diff --git a/dtls_version.patch b/dtls_version.patch deleted file mode 100644 index 1537868..0000000 --- a/dtls_version.patch +++ /dev/null @@ -1,25 +0,0 @@ -From: David Woodhouse -Date: Tue, 12 Feb 2013 14:55:32 +0000 -Subject: Check DTLS_BAD_VER for version number. -Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=9fe4603b8245425a4c46986ed000fca054231253 -Bug-Debian: http://bugs.debian.org/701826 -Bug: http://rt.openssl.org/Ticket/Display.html?id=2984&user=guest&pass=guest - -The version check for DTLS1_VERSION was redundant as -DTLS1_VERSION > TLS1_1_VERSION, however we do need to -check for DTLS1_BAD_VER for compatibility. - -diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c -index 02edf3f..443a31e 100644 ---- a/ssl/s3_cbc.c -+++ b/ssl/s3_cbc.c -@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s, - unsigned padding_length, good, to_check, i; - const unsigned overhead = 1 /* padding length byte */ + mac_size; - /* Check if version requires explicit IV */ -- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION) -+ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER) - { - /* These lengths are all public so we can test them in - * non-constant time. - diff --git a/get_certificate.patch b/get_certificate.patch deleted file mode 100644 index 69ca7d9..0000000 --- a/get_certificate.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From: "Dr. Stephen Henson" -Date: Mon, 11 Feb 2013 18:24:03 +0000 -Subject: Fix for SSL_get_certificate -Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=147dbb2fe3bead7a10e2f280261b661ce7af7adc -Bug-Debian: http://bugs.debian.org/703031 - - -Now we set the current certificate to the one used by a server -there is no need to call ssl_get_server_send_cert which will -fail if we haven't sent a certificate yet. - -diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index 14d143d..ff5a85a 100644 ---- a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s) - /* Fix this function so that it takes an optional type parameter */ - X509 *SSL_get_certificate(const SSL *s) - { -- if (s->server) -- return(ssl_get_server_send_cert(s)); -- else if (s->cert != NULL) -+ if (s->cert != NULL) - return(s->cert->key->x509); - else - return(NULL); - diff --git a/openssl-find.patch b/openssl-find.patch new file mode 100644 index 0000000..8ca7a55 --- /dev/null +++ b/openssl-find.patch 
@@ -0,0 +1,61 @@ +diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.0i/find.pl b/meta/recipes-connectivity/openssl/openssl-1.0.0i/find.pl +new file mode 100644 +index 0000000..8e1b42c +--- /dev/null ++++ openssl-1.0.0i/find.pl +@@ -0,0 +1,54 @@ ++warn "Legacy library @{[(caller(0))[6]]} will be removed from the Perl core distribution in the next major release. Please install it from the CPAN distribution Perl4::CoreLibs. It is being used at @{[(caller)[1]]}, line @{[(caller)[2]]}.\n"; ++ ++# This library is deprecated and unmaintained. It is included for ++# compatibility with Perl 4 scripts which may use it, but it will be ++# removed in a future version of Perl. Please use the File::Find module ++# instead. ++ ++# Usage: ++# require "find.pl"; ++# ++# &find('/foo','/bar'); ++# ++# sub wanted { ... } ++# where wanted does whatever you want. $dir contains the ++# current directory name, and $_ the current filename within ++# that directory. $name contains "$dir/$_". You are cd'ed ++# to $dir when the function is called. The function may ++# set $prune to prune the tree. ++# ++# For example, ++# ++# find / -name .nfs\* -mtime +7 -exec rm -f {} \; -o -fstype nfs -prune ++# ++# corresponds to this ++# ++# sub wanted { ++# /^\.nfs.*$/ && ++# (($dev,$ino,$mode,$nlink,$uid,$gid) = lstat($_)) && ++# int(-M _) > 7 && ++# unlink($_) ++# || ++# ($nlink || (($dev,$ino,$mode,$nlink,$uid,$gid) = lstat($_))) && ++# $dev < 0 && ++# ($prune = 1); ++# } ++# ++# Set the variable $dont_use_nlink if you're using AFS, since AFS cheats. ++ ++use File::Find (); ++ ++*name = *File::Find::name; ++*prune = *File::Find::prune; ++*dir = *File::Find::dir; ++*topdir = *File::Find::topdir; ++*topdev = *File::Find::topdev; ++*topino = *File::Find::topino; ++*topmode = *File::Find::topmode; ++*topnlink = *File::Find::topnlink; ++ ++sub find { ++ &File::Find::find(\&wanted, @_); ++} ++ ++1; + diff --git a/openssl-pod.patch b/openssl-pod.patch new file mode 100644 index 0000000..b5fe11e 
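Review bot: openssl-find.patch is added without any provenance header, and its `diff --git` line still names `meta/recipes-connectivity/openssl/openssl-1.0.0i/find.pl`, which looks like it was taken from another distribution's recipe for an older release. The Debian patches removed by this commit each carried `Subject:` and `Origin:` lines. The same two lines at the top of this file, e.g. `Subject: add find.pl shim (wrapper around File::Find)` and `Origin: <URL of the recipe this was taken from>` (placeholder), would let a later maintainer audit the file and know when it can be dropped. With `-p1` the target path `openssl-1.0.0i/find.pl` presumably resolves to `find.pl` at the top of the source tree, so the stale version in the path is likely cosmetic, but it is worth confirming that the file lands where the build scripts look for it.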
--- /dev/null +++ b/openssl-pod.patch 
@@ -0,0 +1,460 @@ +diff -urN openssl-1.0.1f.org/doc/apps/cms.pod openssl-1.0.1f/doc/apps/cms.pod +--- openssl-1.0.1f.org/doc/apps/cms.pod 2014-01-06 14:47:42.000000000 +0100 ++++ openssl-1.0.1f/doc/apps/cms.pod 2014-01-19 01:10:11.205967419 +0100 +@@ -450,28 +450,28 @@ + + =over 4 + +-=item 0 ++=item C<0> + + the operation was completely successfully. + +-=item 1 ++=item C<1> + + an error occurred parsing the command options. + +-=item 2 ++=item C<2> + + one of the input files could not be read. + +-=item 3 ++=item C<3> + + an error occurred creating the CMS file or when reading the MIME + message. + +-=item 4 ++=item C<4> + + an error occurred decrypting or verifying the message. + +-=item 5 ++=item C<5> + + the message was verified correctly but an error occurred writing out + the signers certificates. +diff -urN openssl-1.0.1f.org/doc/apps/smime.pod openssl-1.0.1f/doc/apps/smime.pod +--- openssl-1.0.1f.org/doc/apps/smime.pod 2014-01-06 14:47:42.000000000 +0100 ++++ openssl-1.0.1f/doc/apps/smime.pod 2014-01-19 01:10:11.229301529 +0100 +@@ -308,28 +308,28 @@ + + =over 4 + +-=item 0 ++=item C<0> + + the operation was completely successfully. + +-=item 1 ++=item C<1> + + an error occurred parsing the command options. + +-=item 2 ++=item C<2> + + one of the input files could not be read. + +-=item 3 ++=item C<3> + + an error occurred creating the PKCS#7 file or when reading the MIME + message. + +-=item 4 ++=item C<4> + + an error occurred decrypting or verifying the message. + +-=item 5 ++=item C<5> + + the message was verified correctly but an error occurred writing out + the signers certificates. +diff -urN openssl-1.0.1f.org/doc/apps/ts.pod openssl-1.0.1f/doc/apps/ts.pod +--- openssl-1.0.1f.org/doc/apps/ts.pod 2014-01-06 14:47:42.000000000 +0100 ++++ openssl-1.0.1f/doc/apps/ts.pod 2014-01-19 01:10:11.239301862 +0100 +@@ -58,19 +58,19 @@ + + =over 4 + +-=item 1. ++=item C<1>. 
+ + The TSA client computes a one-way hash value for a data file and sends + the hash to the TSA. + +-=item 2. ++=item C<2>. + + The TSA attaches the current date and time to the received hash value, + signs them and sends the time stamp token back to the client. By + creating this token the TSA certifies the existence of the original + data file at the time of response generation. + +-=item 3. ++=item C<3>. + + The TSA client receives the time stamp token and verifies the + signature on it. It also checks if the token contains the same hash +diff -urN openssl-1.0.1f.org/doc/crypto/rand.pod openssl-1.0.1f/doc/crypto/rand.pod +--- openssl-1.0.1f.org/doc/crypto/rand.pod 2014-01-06 14:47:42.000000000 +0100 ++++ openssl-1.0.1f/doc/crypto/rand.pod 2014-01-19 01:10:11.382639970 +0100 +@@ -74,16 +74,16 @@ + + =over 4 + +-=item 1 ++=item C<1> + + A good hashing algorithm to mix things up and to convert the RNG 'state' + to random numbers. + +-=item 2 ++=item C<2> + + An initial source of random 'state'. + +-=item 3 ++=item C<3> + + The state should be very large. If the RNG is being used to generate + 4096 bit RSA keys, 2 2048 bit random strings are required (at a minimum). +@@ -93,13 +93,13 @@ + a bad idea to keep quite a lot of RNG state. It should be easier to + break a cipher than guess the RNG seed data. + +-=item 4 ++=item C<4> + + Any RNG seed data should influence all subsequent random numbers + generated. This implies that any random seed data entered will have + an influence on all subsequent random numbers generated. + +-=item 5 ++=item C<5> + + When using data to seed the RNG state, the data used should not be + extractable from the RNG state. I believe this should be a +@@ -108,12 +108,12 @@ + not be disclosed by either subsequent random numbers or a + 'core' dump left by a program crash. 
+ +-=item 6 ++=item C<6> + + Given the same initial 'state', 2 systems should deviate in their RNG state + (and hence the random numbers generated) over time if at all possible. + +-=item 7 ++=item C<7> + + Given the random number output stream, it should not be possible to determine + the RNG state or the next random number. +diff -urN openssl-1.0.1f.org/doc/ssl/SSL_accept.pod openssl-1.0.1f/doc/ssl/SSL_accept.pod +--- openssl-1.0.1f.org/doc/ssl/SSL_accept.pod 2014-01-06 14:47:42.000000000 +0100 ++++ openssl-1.0.1f/doc/ssl/SSL_accept.pod 2014-01-19 01:10:11.409307524 +0100 +@@ -44,13 +44,13 @@ + + =over 4 + +-=item 0 ++=item C<0> + + The TLS/SSL handshake was not successful but was shut down controlled and + by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the + return value B to find out the reason. + +-=item 1 ++=item C<1> + + The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been + established. +diff -urN openssl-1.0.1f.org/doc/ssl/SSL_clear.pod openssl-1.0.1f/doc/ssl/SSL_clear.pod +--- openssl-1.0.1f.org/doc/ssl/SSL_clear.pod 2014-01-06 14:47:42.000000000 +0100 ++++ openssl-1.0.1f/doc/ssl/SSL_clear.pod 2014-01-19 01:10:11.415974413 +0100 +@@ -56,12 +56,12 @@ + + =over 4 + +-=item 0 ++=item C<0> + + The SSL_clear() operation could not be performed. Check the error stack to + find out the reason. + +-=item 1 ++=item C<1> + + The SSL_clear() operation was successful. + +diff -urN openssl-1.0.1f.org/doc/ssl/SSL_COMP_add_compression_method.pod openssl-1.0.1f/doc/ssl/SSL_COMP_add_compression_method.pod +--- openssl-1.0.1f.org/doc/ssl/SSL_COMP_add_compression_method.pod 2014-01-06 14:47:42.000000000 +0100 ++++ openssl-1.0.1f/doc/ssl/SSL_COMP_add_compression_method.pod 2014-01-19 01:10:11.415974413 +0100 +@@ -53,11 +53,11 @@ + + =over 4 + +-=item 0 ++=item C<0> + + The operation succeeded. + +-=item 1 ++=item C<1> + + The operation failed. Check the error queue to find out the reason. 
+ +diff -urN openssl-1.0.1f.org/doc/ssl/SSL_connect.pod openssl-1.0.1f/doc/ssl/SSL_connect.pod +--- openssl-1.0.1f.org/doc/ssl/SSL_connect.pod 2014-01-06 14:47:42.000000000 +0100 ++++ openssl-1.0.1f/doc/ssl/SSL_connect.pod 2014-01-19 01:10:11.415974413 +0100 +@@ -41,13 +41,13 @@ + + =over 4 + +-=item 0 ++=item C<0> + + The TLS/SSL handshake was not successful but was shut down controlled and + by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the + return value B to find out the reason. + +-=item 1 ++=item C<1> + + The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been + established. +diff -urN openssl-1.0.1f.org/doc/ssl/SSL_CTX_add_session.pod openssl-1.0.1f/doc/ssl/SSL_CTX_add_session.pod +--- openssl-1.0.1f.org/doc/ssl/SSL_CTX_add_session.pod 2014-01-06 14:47:42.000000000 +0100 ++++ openssl-1.0.1f/doc/ssl/SSL_CTX_add_session.pod 2014-01-19 01:10:11.419307858 +0100 +@@ -52,13 +52,13 @@ + + =over 4 + +-=item 0 ++=item C<0> + + The operation failed. In case of the add operation, it was tried to add + the same (identical) session twice. In case of the remove operation, the + session was not found in the cache. + +-=item 1 ++=item C<1> + + The operation succeeded. + +diff -urN openssl-1.0.1f.org/doc/ssl/SSL_CTX_load_verify_locations.pod openssl-1.0.1f/doc/ssl/SSL_CTX_load_verify_locations.pod +--- openssl-1.0.1f.org/doc/ssl/SSL_CTX_load_verify_locations.pod 2014-01-06 14:47:42.000000000 +0100 ++++ openssl-1.0.1f/doc/ssl/SSL_CTX_load_verify_locations.pod 2014-01-19 01:10:11.422641302 +0100 +@@ -100,13 +100,13 @@ + + =over 4 + +-=item 0 ++=item C<0> + + The operation failed because B and B are NULL or the + processing at one of the locations specified failed. Check the error + stack to find out the reason. + +-=item 1 ++=item C<1> + + The operation succeeded. 
+ +diff -urN openssl-1.0.1f.org/doc/ssl/SSL_CTX_set_client_CA_list.pod openssl-1.0.1f/doc/ssl/SSL_CTX_set_client_CA_list.pod +--- openssl-1.0.1f.org/doc/ssl/SSL_CTX_set_client_CA_list.pod 2014-01-06 14:47:42.000000000 +0100 ++++ openssl-1.0.1f/doc/ssl/SSL_CTX_set_client_CA_list.pod 2014-01-19 01:10:11.429308190 +0100 +@@ -66,13 +66,13 @@ + + =over 4 + +-=item 0 ++=item C<0> + + A failure while manipulating the STACK_OF(X509_NAME) object occurred or + the X509_NAME could not be extracted from B. Check the error stack + to find out the reason. + +-=item 1 ++=item C<1> + + The operation succeeded. + +diff -urN openssl-1.0.1f.org/doc/ssl/SSL_CTX_set_session_id_context.pod openssl-1.0.1f/doc/ssl/SSL_CTX_set_session_id_context.pod +--- openssl-1.0.1f.org/doc/ssl/SSL_CTX_set_session_id_context.pod 2014-01-06 14:47:42.000000000 +0100 ++++ openssl-1.0.1f/doc/ssl/SSL_CTX_set_session_id_context.pod 2014-01-19 01:10:11.439308524 +0100 +@@ -64,13 +64,13 @@ + + =over 4 + +-=item 0 ++=item C<0> + + The length B of the session id context B exceeded + the maximum allowed length of B. The error + is logged to the error stack. + +-=item 1 ++=item C<1> + + The operation succeeded. + +diff -urN openssl-1.0.1f.org/doc/ssl/SSL_CTX_set_ssl_version.pod openssl-1.0.1f/doc/ssl/SSL_CTX_set_ssl_version.pod +--- openssl-1.0.1f.org/doc/ssl/SSL_CTX_set_ssl_version.pod 2014-01-06 14:47:42.000000000 +0100 ++++ openssl-1.0.1f/doc/ssl/SSL_CTX_set_ssl_version.pod 2014-01-19 01:10:11.439308524 +0100 +@@ -42,11 +42,11 @@ + + =over 4 + +-=item 0 ++=item C<0> + + The new choice failed, check the error stack to find out the reason. + +-=item 1 ++=item C<1> + + The operation succeeded. 
+ +diff -urN openssl-1.0.1f.org/doc/ssl/SSL_CTX_use_psk_identity_hint.pod openssl-1.0.1f/doc/ssl/SSL_CTX_use_psk_identity_hint.pod +--- openssl-1.0.1f.org/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2014-01-06 14:47:42.000000000 +0100 ++++ openssl-1.0.1f/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2014-01-19 01:10:11.445975412 +0100 +@@ -96,7 +96,7 @@ + connection will fail with decryption_error before it will be finished + completely. + +-=item 0 ++=item C<0> + + PSK identity was not found. An "unknown_psk_identity" alert message + will be sent and the connection setup fails. +diff -urN openssl-1.0.1f.org/doc/ssl/SSL_do_handshake.pod openssl-1.0.1f/doc/ssl/SSL_do_handshake.pod +--- openssl-1.0.1f.org/doc/ssl/SSL_do_handshake.pod 2014-01-06 14:47:42.000000000 +0100 ++++ openssl-1.0.1f/doc/ssl/SSL_do_handshake.pod 2014-01-19 01:10:11.445975412 +0100 +@@ -45,13 +45,13 @@ + + =over 4 + +-=item 0 ++=item C<0> + + The TLS/SSL handshake was not successful but was shut down controlled and + by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the + return value B to find out the reason. + +-=item 1 ++=item C<1> + + The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been + established. +diff -urN openssl-1.0.1f.org/doc/ssl/SSL_read.pod openssl-1.0.1f/doc/ssl/SSL_read.pod +--- openssl-1.0.1f.org/doc/ssl/SSL_read.pod 2014-01-06 14:47:42.000000000 +0100 ++++ openssl-1.0.1f/doc/ssl/SSL_read.pod 2014-01-19 01:10:11.459309190 +0100 +@@ -86,7 +86,7 @@ + The read operation was successful; the return value is the number of + bytes actually read from the TLS/SSL connection. + +-=item 0 ++=item C<0> + + The read operation was not successful. 
The reason may either be a clean + shutdown due to a "close notify" alert sent by the peer (in which case +diff -urN openssl-1.0.1f.org/doc/ssl/SSL_session_reused.pod openssl-1.0.1f/doc/ssl/SSL_session_reused.pod +--- openssl-1.0.1f.org/doc/ssl/SSL_session_reused.pod 2014-01-06 14:47:42.000000000 +0100 ++++ openssl-1.0.1f/doc/ssl/SSL_session_reused.pod 2014-01-19 01:10:11.465976078 +0100 +@@ -27,11 +27,11 @@ + + =over 4 + +-=item 0 ++=item C<0> + + A new session was negotiated. + +-=item 1 ++=item C<1> + + A session was reused. + +diff -urN openssl-1.0.1f.org/doc/ssl/SSL_set_fd.pod openssl-1.0.1f/doc/ssl/SSL_set_fd.pod +--- openssl-1.0.1f.org/doc/ssl/SSL_set_fd.pod 2014-01-06 14:47:42.000000000 +0100 ++++ openssl-1.0.1f/doc/ssl/SSL_set_fd.pod 2014-01-19 01:10:11.469309522 +0100 +@@ -35,11 +35,11 @@ + + =over 4 + +-=item 0 ++=item C<0> + + The operation failed. Check the error stack to find out why. + +-=item 1 ++=item C<1> + + The operation succeeded. + +diff -urN openssl-1.0.1f.org/doc/ssl/SSL_set_session.pod openssl-1.0.1f/doc/ssl/SSL_set_session.pod +--- openssl-1.0.1f.org/doc/ssl/SSL_set_session.pod 2014-01-06 14:47:42.000000000 +0100 ++++ openssl-1.0.1f/doc/ssl/SSL_set_session.pod 2014-01-19 01:10:11.469309522 +0100 +@@ -37,11 +37,11 @@ + + =over 4 + +-=item 0 ++=item C<0> + + The operation failed; check the error stack to find out the reason. + +-=item 1 ++=item C<1> + + The operation succeeded. + +diff -urN openssl-1.0.1f.org/doc/ssl/SSL_set_shutdown.pod openssl-1.0.1f/doc/ssl/SSL_set_shutdown.pod +--- openssl-1.0.1f.org/doc/ssl/SSL_set_shutdown.pod 2014-01-06 14:47:42.000000000 +0100 ++++ openssl-1.0.1f/doc/ssl/SSL_set_shutdown.pod 2014-01-19 01:10:11.469309522 +0100 +@@ -24,7 +24,7 @@ + + =over 4 + +-=item 0 ++=item C<0> + + No shutdown setting, yet. 
+ +diff -urN openssl-1.0.1f.org/doc/ssl/SSL_shutdown.pod openssl-1.0.1f/doc/ssl/SSL_shutdown.pod +--- openssl-1.0.1f.org/doc/ssl/SSL_shutdown.pod 2014-01-06 14:47:42.000000000 +0100 ++++ openssl-1.0.1f/doc/ssl/SSL_shutdown.pod 2014-01-19 01:10:11.469309522 +0100 +@@ -92,14 +92,14 @@ + + =over 4 + +-=item 0 ++=item C<0> + + The shutdown is not yet finished. Call SSL_shutdown() for a second time, + if a bidirectional shutdown shall be performed. + The output of L may be misleading, as an + erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred. + +-=item 1 ++=item C<1> + + The shutdown was successfully completed. The "close notify" alert was sent + and the peer's "close notify" alert was received. +diff -urN openssl-1.0.1f.org/doc/ssl/SSL_write.pod openssl-1.0.1f/doc/ssl/SSL_write.pod +--- openssl-1.0.1f.org/doc/ssl/SSL_write.pod 2014-01-06 14:47:42.000000000 +0100 ++++ openssl-1.0.1f/doc/ssl/SSL_write.pod 2014-01-19 01:10:11.475976412 +0100 +@@ -79,7 +79,7 @@ + The write operation was successful, the return value is the number of + bytes actually written to the TLS/SSL connection. + +-=item 0 ++=item C<0> + + The write operation was not successful. Probably the underlying connection + was closed. Call SSL_get_error() with the return value B to find out, diff --git a/openssl.spec b/openssl.spec index 1fe6dd4..8ddbc34 100644 --- a/openssl.spec +++ b/openssl.spec 
@@ -16,12 +16,12 @@ Summary(pt_BR.UTF-8): Uma biblioteca C que fornece vários algoritmos e protocol Summary(ru.UTF-8): Библиотеки и утилиты для соединений через Secure Sockets Layer Summary(uk.UTF-8): Бібліотеки та утиліти для з'єднань через Secure Sockets Layer Name: openssl -Version: 1.0.1e -Release: 3 +Version: 1.0.1f +Release: 1 License: Apache-like Group: Libraries Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz -# Source0-md5: 66bf6f10f060d561929de96f9dfe5b8c +# Source0-md5: f26b09c028a0541cab33da697d522b25 Source2: %{name}.1.pl Source3: %{name}-ssl-certificate.sh Source4: %{name}-c_rehash.sh @@ -33,15 +33,13 @@ Patch4: %{name}-man-namespace.patch Patch5: %{name}-asflag.patch Patch6: %{name}-ca-certificates.patch Patch7: %{name}-ldflags.patch +Patch8: %{name}-find.patch +Patch9: %{name}-pod.patch # from debian -Patch10: aesni-mac.patch -Patch11: cpuid.patch -Patch12: default_bits.patch -Patch13: dtls_version.patch -Patch14: get_certificate.patch -Patch15: pic.patch -Patch16: stddef.patch +Patch10: default_bits.patch +Patch11: pic.patch +Patch12: stddef.patch URL: http://www.openssl.org/ BuildRequires: bc @@ -257,14 +255,12 @@ RC4, RSA и SSL. Включает статические библиотеки д %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 +%patch9 -p1 %patch10 -p1 %patch11 -p1 %patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 -%patch16 -p1 sed -i -e 's|\$prefix/\$libdir/engines|/%{_lib}/engines|g' Configure -- 2.43.0
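Review bot: The only integrity check recorded for the new tarball is `# Source0-md5: f26b09c028a0541cab33da697d522b25`, while `Source0` is still fetched over plain `ftp://`. MD5 is not collision-resistant and FTP gives no transport authentication. For a release pulled in specifically for CVE fixes, the tarball should be checked against upstream's detached signature, or at least a SHA-256 digest obtained over an authenticated channel, before the md5 is updated. If the build tooling only understands the md5 tag, a comment next to it such as `# tarball verified against upstream .asc signature before recording md5` would document that the check was done.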
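Review bot: In the `@@ -33,15 +33,13 @@` hunk `cpuid.patch` (old `Patch11`) is dropped from the patch list together with aesni-mac, dtls_version and get_certificate, but the diffstat deletes only those three files, so cpuid.patch is presumably left orphaned in the repository. Either remove the file in the same commit or say why it is kept. The commit message also does not state that the dropped fixes are contained in 1.0.1f. Their `Origin:` lines point at upstream commits, so that is likely, and once confirmed a line under `# from debian` such as `# aesni-mac, dtls_version, get_certificate: dropped, merged upstream in 1.0.1f` would record it.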