From 947d7e2a9802db6f911dab55b2d275be131414d1 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Elan=20Ruusam=C3=A4e?= Date: Wed, 15 Oct 2014 22:42:51 +0300 Subject: [PATCH] up to OpenSSL 1.0.1j [15 Oct 2014]: - Fix for CVE-2014-3513 - Fix for CVE-2014-3567 - Mitigation for CVE-2014-3566 (SSL protocol vulnerability) - Fix for CVE-2014-3568 --- openssl-CVE-2014-3566.patch | 488 ------------------------------------ openssl.spec | 8 +- 2 files changed, 3 insertions(+), 493 deletions(-) delete mode 100644 openssl-CVE-2014-3566.patch diff --git a/openssl-CVE-2014-3566.patch b/openssl-CVE-2014-3566.patch deleted file mode 100644 index 6215742..0000000 --- a/openssl-CVE-2014-3566.patch +++ /dev/null @@ -1,488 +0,0 @@ -From 6bfe55380abbf7528e04e59f18921bd6c896af1c Mon Sep 17 00:00:00 2001 -From: Bodo Moeller -Date: Wed, 15 Oct 2014 04:05:42 +0200 -Subject: [PATCH] Support TLS_FALLBACK_SCSV. - -Reviewed-by: Rich Salz ---- - CHANGES | 6 +++++ - apps/s_client.c | 10 +++++++++ - crypto/err/openssl.ec | 1 + - ssl/d1_lib.c | 10 +++++++++ - ssl/dtls1.h | 3 ++- - ssl/s23_clnt.c | 3 +++ - ssl/s23_srvr.c | 3 +++ - ssl/s2_lib.c | 4 +++- - ssl/s3_enc.c | 2 +- - ssl/s3_lib.c | 29 +++++++++++++++++++++++- - ssl/ssl.h | 9 ++++++++ - ssl/ssl3.h | 7 +++++- - ssl/ssl_err.c | 2 ++ - ssl/ssl_lib.c | 60 +++++++++++++++++++++++++++++++++++++------------ - ssl/t1_enc.c | 1 + - ssl/tls1.h | 15 ++++++++----- - 16 files changed, 140 insertions(+), 25 deletions(-) - -; *) Add support for TLS_FALLBACK_SCSV. -; Client applications doing fallback retries should call -; SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV). -; (CVE-2014-3566) -; [Adam Langley, Bodo Moeller] -; -diff --git a/apps/s_client.c b/apps/s_client.c -index 4625467..c2e160c 100644 ---- a/apps/s_client.c -+++ b/apps/s_client.c -@@ -337,6 +337,7 @@ static void sc_usage(void) - BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n"); - BIO_printf(bio_err," -tls1 - just use TLSv1\n"); - BIO_printf(bio_err," -dtls1 - just use DTLSv1\n"); -+ BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n"); - BIO_printf(bio_err," -mtu - set the link layer MTU\n"); - BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n"); - BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n"); -@@ -617,6 +618,7 @@ int MAIN(int argc, char **argv) - char *sess_out = NULL; - struct sockaddr peer; - int peerlen = sizeof(peer); -+ int fallback_scsv = 0; - int enable_timeouts = 0 ; - long socket_mtu = 0; - #ifndef OPENSSL_NO_JPAKE -@@ -823,6 +825,10 @@ int MAIN(int argc, char **argv) - meth=DTLSv1_client_method(); - socket_type=SOCK_DGRAM; - } -+ else if (strcmp(*argv,"-fallback_scsv") == 0) -+ { -+ fallback_scsv = 1; -+ } - else if (strcmp(*argv,"-timeout") == 0) - enable_timeouts=1; - else if (strcmp(*argv,"-mtu") == 0) -@@ -1235,6 +1241,10 @@ bad: - SSL_set_session(con, sess); - SSL_SESSION_free(sess); - } -+ -+ if (fallback_scsv) -+ SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV); -+ - #ifndef OPENSSL_NO_TLSEXT - if (servername != NULL) - { -diff --git a/crypto/err/openssl.ec b/crypto/err/openssl.ec -index e0554b4..34754e5 100644 ---- a/crypto/err/openssl.ec -+++ b/crypto/err/openssl.ec -@@ -71,6 +71,7 @@ R SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060 - R SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070 - R SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071 - R SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080 -+R SSL_R_SSLV3_ALERT_INAPPROPRIATE_FALLBACK 1086 - R SSL_R_TLSV1_ALERT_USER_CANCELLED 1090 - R SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100 - R SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110 -diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c -index 6bde16f..82ca653 100644 ---- a/ssl/d1_lib.c -+++ b/ssl/d1_lib.c -@@ -266,6 +266,16 @@ long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg) - case DTLS_CTRL_LISTEN: - ret = dtls1_listen(s, parg); - break; -+ case SSL_CTRL_CHECK_PROTO_VERSION: -+ /* For library-internal use; checks that the current protocol -+ * is the highest enabled version (according to s->ctx->method, -+ * as version negotiation may have changed s->method). */ -+#if DTLS_MAX_VERSION != DTLS1_VERSION -+# error Code needs update for DTLS_method() support beyond DTLS1_VERSION. -+#endif -+ /* Just one protocol version is supported so far; -+ * fail closed if the version is not as expected. */ -+ return s->version == DTLS_MAX_VERSION; - - default: - ret = ssl3_ctrl(s, cmd, larg, parg); -diff --git a/ssl/dtls1.h b/ssl/dtls1.h -index e65d501..192c5de 100644 ---- a/ssl/dtls1.h -+++ b/ssl/dtls1.h -@@ -84,6 +84,8 @@ extern "C" { - #endif - - #define DTLS1_VERSION 0xFEFF -+#define DTLS_MAX_VERSION DTLS1_VERSION -+ - #define DTLS1_BAD_VER 0x0100 - - #if 0 -@@ -284,4 +286,3 @@ typedef struct dtls1_record_data_st - } - #endif - #endif -- -diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c -index 2b93c63..d4e43c3 100644 ---- a/ssl/s23_clnt.c -+++ b/ssl/s23_clnt.c -@@ -736,6 +736,9 @@ static int ssl23_get_server_hello(SSL *s) - goto err; - } - -+ /* ensure that TLS_MAX_VERSION is up-to-date */ -+ OPENSSL_assert(s->version <= TLS_MAX_VERSION); -+ - if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING) - { - /* fatal alert */ -diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c -index 2901a6b..567a6b1 100644 ---- a/ssl/s23_srvr.c -+++ b/ssl/s23_srvr.c -@@ -421,6 +421,9 @@ int ssl23_get_client_hello(SSL *s) - } - } - -+ /* ensure that TLS_MAX_VERSION is up-to-date */ -+ OPENSSL_assert(s->version <= TLS_MAX_VERSION); -+ - #ifdef OPENSSL_FIPS - if (FIPS_mode() && (s->version < TLS1_VERSION)) - { -diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c -index c0bdae5..c63be30 100644 ---- a/ssl/s2_lib.c -+++ b/ssl/s2_lib.c -@@ -391,6 +391,8 @@ long ssl2_ctrl(SSL *s, int cmd, long larg, void *parg) - case SSL_CTRL_GET_SESSION_REUSED: - ret=s->hit; - break; -+ case SSL_CTRL_CHECK_PROTO_VERSION: -+ return ssl3_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, larg, parg); - default: - break; - } -@@ -437,7 +439,7 @@ int ssl2_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) - if (p != NULL) - { - l=c->id; -- if ((l & 0xff000000) != 0x02000000) return(0); -+ if ((l & 0xff000000) != 0x02000000 && l != SSL3_CK_FALLBACK_SCSV) return(0); - p[0]=((unsigned char)(l>>16L))&0xFF; - p[1]=((unsigned char)(l>> 8L))&0xFF; - p[2]=((unsigned char)(l ))&0xFF; -diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c -index 9962677..9db45af 100644 ---- a/ssl/s3_enc.c -+++ b/ssl/s3_enc.c -@@ -900,7 +900,7 @@ int ssl3_alert_code(int code) - case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(SSL3_AD_HANDSHAKE_FAILURE); - case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(SSL3_AD_HANDSHAKE_FAILURE); - case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY); -+ case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK); - default: return(-1); - } - } -- -diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c -index e17f126..3f17453 100644 ---- a/ssl/s3_lib.c -+++ b/ssl/s3_lib.c -@@ -3355,6 +3355,33 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) - #endif - - #endif /* !OPENSSL_NO_TLSEXT */ -+ -+ case SSL_CTRL_CHECK_PROTO_VERSION: -+ /* For library-internal use; checks that the current protocol -+ * is the highest enabled version (according to s->ctx->method, -+ * as version negotiation may have changed s->method). */ -+ if (s->version == s->ctx->method->version) -+ return 1; -+ /* Apparently we're using a version-flexible SSL_METHOD -+ * (not at its highest protocol version). */ -+ if (s->ctx->method->version == SSLv23_method()->version) -+ { -+#if TLS_MAX_VERSION != TLS1_2_VERSION -+# error Code needs update for SSLv23_method() support beyond TLS1_2_VERSION. -+#endif -+ if (!(s->options & SSL_OP_NO_TLSv1_2)) -+ return s->version == TLS1_2_VERSION; -+ if (!(s->options & SSL_OP_NO_TLSv1_1)) -+ return s->version == TLS1_1_VERSION; -+ if (!(s->options & SSL_OP_NO_TLSv1)) -+ return s->version == TLS1_VERSION; -+ if (!(s->options & SSL_OP_NO_SSLv3)) -+ return s->version == SSL3_VERSION; -+ if (!(s->options & SSL_OP_NO_SSLv2)) -+ return s->version == SSL2_VERSION; -+ } -+ return 0; /* Unexpected state; fail closed. */ -+ - default: - break; - } -@@ -3714,6 +3741,7 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) - break; - #endif - #endif -+ - default: - return(0); - } -@@ -4296,4 +4324,3 @@ long ssl_get_algorithm2(SSL *s) - return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; - return alg2; - } -- -diff --git a/ssl/ssl.h b/ssl/ssl.h -index b73da5e..b78a1cc 100644 ---- a/ssl/ssl.h -+++ b/ssl/ssl.h -@@ -653,6 +653,10 @@ struct ssl_session_st - */ - #define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020L - #define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040L -+/* Send TLS_FALLBACK_SCSV in the ClientHello. -+ * To be set by applications that reconnect with a downgraded protocol -+ * version; see draft-ietf-tls-downgrade-scsv-00 for details. */ -+#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L - - /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, - * they cannot be used to clear bits. */ -@@ -1511,6 +1515,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) - #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE - #define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE - #define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */ -+#define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */ - - #define SSL_ERROR_NONE 0 - #define SSL_ERROR_SSL 1 -@@ -1621,6 +1626,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) - #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82 - #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83 - -+#define SSL_CTRL_CHECK_PROTO_VERSION 119 -+ - #define DTLSv1_get_timeout(ssl, arg) \ - SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) - #define DTLSv1_handle_timeout(ssl) \ -@@ -2379,6 +2386,7 @@ void ERR_load_SSL_strings(void); - #define SSL_R_HTTPS_PROXY_REQUEST 155 - #define SSL_R_HTTP_REQUEST 156 - #define SSL_R_ILLEGAL_PADDING 283 -+#define SSL_R_INAPPROPRIATE_FALLBACK 373 - #define SSL_R_INCONSISTENT_COMPRESSION 340 - #define SSL_R_INVALID_CHALLENGE_LENGTH 158 - #define SSL_R_INVALID_COMMAND 280 -@@ -2525,6 +2533,7 @@ void ERR_load_SSL_strings(void); - #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021 - #define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051 - #define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060 -+#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086 - #define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071 - #define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080 - #define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100 -diff --git a/ssl/ssl3.h b/ssl/ssl3.h -index 37f19e3..85f1504 100644 ---- a/ssl/ssl3.h -+++ b/ssl/ssl3.h -@@ -128,9 +128,14 @@ - extern "C" { - #endif - --/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */ -+/* Signalling cipher suite value from RFC 5746 -+ * (TLS_EMPTY_RENEGOTIATION_INFO_SCSV) */ - #define SSL3_CK_SCSV 0x030000FF - -+/* Signalling cipher suite value from draft-ietf-tls-downgrade-scsv-00 -+ * (TLS_FALLBACK_SCSV) */ -+#define SSL3_CK_FALLBACK_SCSV 0x03005600 -+ - #define SSL3_CK_RSA_NULL_MD5 0x03000001 - #define SSL3_CK_RSA_NULL_SHA 0x03000002 - #define SSL3_CK_RSA_RC4_40_MD5 0x03000003 -diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c -index d2f0dec..1b7eb47 100644 ---- a/ssl/ssl_err.c -+++ b/ssl/ssl_err.c -@@ -383,6 +383,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= - {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"}, - {ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"}, - {ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"}, -+{ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK),"inappropriate fallback"}, - {ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION),"inconsistent compression"}, - {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"}, - {ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"}, -@@ -529,6 +530,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= - {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),"tlsv1 alert decrypt error"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),"tlsv1 alert export restriction"}, -+{ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),"tlsv1 alert inappropriate fallback"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),"tlsv1 alert insufficient security"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR),"tlsv1 alert internal error"}, - {ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),"tlsv1 alert no renegotiation"}, -diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index cc094e4..3f66fc0 100644 ---- a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -1387,6 +1387,8 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p, - - if (sk == NULL) return(0); - q=p; -+ if (put_cb == NULL) -+ put_cb = s->method->put_cipher_by_char; - - for (i=0; isrp_ctx.srp_Mask & SSL_kSRP)) - continue; - #endif /* OPENSSL_NO_SRP */ -- j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p); -+ j = put_cb(c,p); - p+=j; - } -- /* If p == q, no ciphers and caller indicates an error. Otherwise -- * add SCSV if not renegotiating. -- */ -- if (p != q && !s->renegotiate) -+ /* If p == q, no ciphers; caller indicates an error. -+ * Otherwise, add applicable SCSVs. */ -+ if (p != q) - { -- static SSL_CIPHER scsv = -+ if (!s->renegotiate) - { -- 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 -- }; -- j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p); -- p+=j; -+ static SSL_CIPHER scsv = -+ { -+ 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 -+ }; -+ j = put_cb(&scsv,p); -+ p+=j; - #ifdef OPENSSL_RI_DEBUG -- fprintf(stderr, "SCSV sent by client\n"); -+ fprintf(stderr, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n"); - #endif -- } -+ } -+ -+ if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) -+ { -+ static SSL_CIPHER scsv = -+ { -+ 0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 -+ }; -+ j = put_cb(&scsv,p); -+ p+=j; -+ } -+ } - - return(p-q); - } -@@ -1439,11 +1453,12 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, - const SSL_CIPHER *c; - STACK_OF(SSL_CIPHER) *sk; - int i,n; -+ - if (s->s3) - s->s3->send_connection_binding = 0; - - n=ssl_put_cipher_by_char(s,NULL,NULL); -- if ((num%n) != 0) -+ if (n == 0 || (num%n) != 0) - { - SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); - return(NULL); -@@ -1458,7 +1473,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, - - for (i=0; is3 && (n != 3 || !p[0]) && - (p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) && - (p[n-1] == (SSL3_CK_SCSV & 0xff))) -@@ -1478,6 +1493,23 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, - continue; - } - -+ /* Check for TLS_FALLBACK_SCSV */ -+ if ((n != 3 || !p[0]) && -+ (p[n-2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) && -+ (p[n-1] == (SSL3_CK_FALLBACK_SCSV & 0xff))) -+ { -+ /* The SCSV indicates that the client previously tried a higher version. -+ * Fail if the current version is an unexpected downgrade. */ -+ if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL)) -+ { -+ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_INAPPROPRIATE_FALLBACK); -+ if (s->s3) -+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK); -+ goto err; -+ } -+ continue; -+ } -+ - c=ssl_get_cipher_by_char(s,p); - p+=n; - if (c != NULL) -diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c -index 1427484..1923cf3 100644 ---- a/ssl/t1_enc.c -+++ b/ssl/t1_enc.c -@@ -1241,6 +1241,7 @@ int tls1_alert_code(int code) - case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE); - case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_HASH_VALUE); - case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY); -+ case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK); - #if 0 /* not appropriate for TLS, not used for DTLS */ - case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return - (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); -diff --git a/ssl/tls1.h b/ssl/tls1.h -index c992091..6ae8876 100644 ---- a/ssl/tls1.h -+++ b/ssl/tls1.h -@@ -159,17 +159,19 @@ extern "C" { - - #define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0 - -+#define TLS1_VERSION 0x0301 -+#define TLS1_1_VERSION 0x0302 - #define TLS1_2_VERSION 0x0303 --#define TLS1_2_VERSION_MAJOR 0x03 --#define TLS1_2_VERSION_MINOR 0x03 -+#define TLS_MAX_VERSION TLS1_2_VERSION -+ -+#define TLS1_VERSION_MAJOR 0x03 -+#define TLS1_VERSION_MINOR 0x01 - --#define TLS1_1_VERSION 0x0302 - #define TLS1_1_VERSION_MAJOR 0x03 - #define TLS1_1_VERSION_MINOR 0x02 - --#define TLS1_VERSION 0x0301 --#define TLS1_VERSION_MAJOR 0x03 --#define TLS1_VERSION_MINOR 0x01 -+#define TLS1_2_VERSION_MAJOR 0x03 -+#define TLS1_2_VERSION_MINOR 0x03 - - #define TLS1_get_version(s) \ - ((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0) -@@ -187,6 +189,7 @@ extern "C" { - #define TLS1_AD_PROTOCOL_VERSION 70 /* fatal */ - #define TLS1_AD_INSUFFICIENT_SECURITY 71 /* fatal */ - #define TLS1_AD_INTERNAL_ERROR 80 /* fatal */ -+#define TLS1_AD_INAPPROPRIATE_FALLBACK 86 /* fatal */ - #define TLS1_AD_USER_CANCELLED 90 - #define TLS1_AD_NO_RENEGOTIATION 100 - /* codes 110-114 are from RFC3546 */ --- -1.7.9.5 - diff --git a/openssl.spec b/openssl.spec index 9f038e2..f059a77 100644 --- a/openssl.spec +++ b/openssl.spec @@ -16,12 +16,12 @@ Summary(pt_BR.UTF-8): Uma biblioteca C que fornece vários algoritmos e protocol Summary(ru.UTF-8): Библиотеки и утилиты для соединений через Secure Sockets Layer Summary(uk.UTF-8): Бібліотеки та утиліти для з'єднань через Secure Sockets Layer Name: openssl -Version: 1.0.1i -Release: 2 +Version: 1.0.1j +Release: 1 License: Apache-like Group: Libraries Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz -# Source0-md5: c8dc151a671b9b92ff3e4c118b174972 +# Source0-md5: f7175c9cd3c39bb1907ac8bba9df8ed3 Source2: %{name}.1.pl Source3: %{name}-ssl-certificate.sh Source4: %{name}-c_rehash.sh @@ -34,7 +34,6 @@ Patch5: %{name}-asflag.patch Patch6: %{name}-ca-certificates.patch Patch7: %{name}-ldflags.patch Patch8: %{name}-find.patch -Patch9: %{name}-CVE-2014-3566.patch # from debian Patch10: default_bits.patch Patch11: pic.patch @@ -254,7 +253,6 @@ RC4, RSA и SSL. Включает статические библиотеки д %patch6 -p1 %patch7 -p1 %patch8 -p1 -%patch9 -p1 %patch10 -p1 %patch11 -p1 %patch12 -p1 -- 2.43.0