From 84745a0c3ecccc028225ed6345956c6f4a3c777c Mon Sep 17 00:00:00 2001 From: =?utf8?q?Arkadiusz=20Mi=C5=9Bkiewicz?= Date: Fri, 17 May 2013 09:10:45 +0200 Subject: [PATCH] - rel 2; add debian fixes --- aesni-mac.patch | 26 +++++++ cpuid.patch | 27 +++++++ default_bits.patch | 11 +++ dtls_version.patch | 25 ++++++ get_certificate.patch | 27 +++++++ openssl.spec | 20 ++++- pic.patch | 175 ++++++++++++++++++++++++++++++++++++++++++ stddef.patch | 12 +++ 8 files changed, 322 insertions(+), 1 deletion(-) create mode 100644 aesni-mac.patch create mode 100644 cpuid.patch create mode 100644 default_bits.patch create mode 100644 dtls_version.patch create mode 100644 get_certificate.patch create mode 100644 pic.patch create mode 100644 stddef.patch diff --git a/aesni-mac.patch b/aesni-mac.patch new file mode 100644 index 0000000..7bb5345 --- /dev/null +++ b/aesni-mac.patch @@ -0,0 +1,26 @@ +From: Andy Polyakov +Date: Mon, 18 Mar 2013 19:29:41 +0100 +Subject: e_aes_cbc_hmac_sha1.c: fix rare bad record mac on AES-NI plaforms. +Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=9ab3ce124616cb12bd39c6aa1e1bde0f46969b29 +Bug-Debian: http://bugs.debian.org/701868 +Bug: http://rt.openssl.org/Ticket/Display.html?id=3002&user=guest&pass=guest + +diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c +index 483e04b..fb2c884 100644 +--- a/crypto/evp/e_aes_cbc_hmac_sha1.c ++++ b/crypto/evp/e_aes_cbc_hmac_sha1.c +@@ -328,10 +328,11 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + + if (res!=SHA_CBLOCK) continue; + +- mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1)); ++ /* j is not incremented yet */ ++ mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1)); + data->u[SHA_LBLOCK-1] |= bitlen&mask; + sha1_block_data_order(&key->md,data,1); +- mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1)); ++ mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1)); + pmac->u[0] |= key->md.h0 & mask; + pmac->u[1] |= key->md.h1 & mask; + pmac->u[2] |= key->md.h2 & mask; + diff --git a/cpuid.patch b/cpuid.patch new file mode 100644 index 0000000..4e37491 --- /dev/null +++ b/cpuid.patch @@ -0,0 +1,27 @@ +From: Andy Polyakov +Date: Mon, 4 Mar 2013 19:05:04 +0000 (+0100) +Subject: x86cpuid.pl: make it work with older CPUs. +Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=5702e965d759dde8a098d8108660721ba2b93a7d +Bug-Debian: http://bugs.debian.org/699692 +Bug: http://rt.openssl.org/Ticket/Display.html?id=3005&user=guest&pass=guest + +diff --git a/crypto/x86cpuid.pl b/crypto/x86cpuid.pl +index 3b6c469..e8a7518 100644 +--- a/crypto/x86cpuid.pl ++++ b/crypto/x86cpuid.pl +@@ -69,6 +69,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); } + &inc ("esi"); # number of cores + + &mov ("eax",1); ++ &xor ("ecx","ecx"); + &cpuid (); + &bt ("edx",28); + &jnc (&label("generic")); +@@ -102,6 +103,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); } + + &set_label("nocacheinfo"); + &mov ("eax",1); ++ &xor ("ecx","ecx"); + &cpuid (); + &and ("edx",0xbfefffff); # force reserved bits #20, #30 to 0 + &cmp ("ebp",0); diff --git a/default_bits.patch b/default_bits.patch new file mode 100644 index 0000000..8e7e416 --- /dev/null +++ b/default_bits.patch @@ -0,0 +1,11 @@ +--- openssl/apps/openssl.cnf 2012-06-06 00:51:47.000000000 +0200 ++++ openssl/apps/openssl.cnf 2012-06-06 00:53:48.000000000 +0200 +@@ -105,7 +105,7 @@ + + #################################################################### + [ req ] +-default_bits = 1024 ++default_bits = 2048 + default_keyfile = privkey.pem + distinguished_name = req_distinguished_name + attributes = req_attributes diff --git a/dtls_version.patch b/dtls_version.patch new file mode 100644 index 0000000..1537868 --- /dev/null +++ b/dtls_version.patch @@ -0,0 +1,25 @@ +From: David Woodhouse +Date: Tue, 12 Feb 2013 14:55:32 +0000 +Subject: Check DTLS_BAD_VER for version number. +Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=9fe4603b8245425a4c46986ed000fca054231253 +Bug-Debian: http://bugs.debian.org/701826 +Bug: http://rt.openssl.org/Ticket/Display.html?id=2984&user=guest&pass=guest + +The version check for DTLS1_VERSION was redundant as +DTLS1_VERSION > TLS1_1_VERSION, however we do need to +check for DTLS1_BAD_VER for compatibility. + +diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c +index 02edf3f..443a31e 100644 +--- a/ssl/s3_cbc.c ++++ b/ssl/s3_cbc.c +@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s, + unsigned padding_length, good, to_check, i; + const unsigned overhead = 1 /* padding length byte */ + mac_size; + /* Check if version requires explicit IV */ +- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION) ++ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER) + { + /* These lengths are all public so we can test them in + * non-constant time. + diff --git a/get_certificate.patch b/get_certificate.patch new file mode 100644 index 0000000..69ca7d9 --- /dev/null +++ b/get_certificate.patch @@ -0,0 +1,27 @@ +From: "Dr. Stephen Henson" +Date: Mon, 11 Feb 2013 18:24:03 +0000 +Subject: Fix for SSL_get_certificate +Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=147dbb2fe3bead7a10e2f280261b661ce7af7adc +Bug-Debian: http://bugs.debian.org/703031 + + +Now we set the current certificate to the one used by a server +there is no need to call ssl_get_server_send_cert which will +fail if we haven't sent a certificate yet. + +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index 14d143d..ff5a85a 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s) + /* Fix this function so that it takes an optional type parameter */ + X509 *SSL_get_certificate(const SSL *s) + { +- if (s->server) +- return(ssl_get_server_send_cert(s)); +- else if (s->cert != NULL) ++ if (s->cert != NULL) + return(s->cert->key->x509); + else + return(NULL); + diff --git a/openssl.spec b/openssl.spec index 932f8ff..40a65e9 100644 --- a/openssl.spec +++ b/openssl.spec @@ -17,7 +17,7 @@ Summary(ru.UTF-8): Библиотеки и утилиты для соедине Summary(uk.UTF-8): Бібліотеки та утиліти для з'єднань через Secure Sockets Layer Name: openssl Version: 1.0.1e -Release: 1 +Release: 2 License: Apache-like Group: Libraries Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz @@ -33,6 +33,16 @@ Patch4: %{name}-man-namespace.patch Patch5: %{name}-asflag.patch Patch6: %{name}-ca-certificates.patch Patch7: %{name}-ldflags.patch + +# from debian +Patch10: aesni-mac.patch +Patch11: cpuid.patch +Patch12: default_bits.patch +Patch13: dtls_version.patch +Patch14: get_certificate.patch +Patch15: pic.patch +Patch16: stddef.patch + URL: http://www.openssl.org/ BuildRequires: bc BuildRequires: perl-devel >= 1:5.6.1 @@ -245,6 +255,14 @@ RC4, RSA и SSL. Включает статические библиотеки д %patch6 -p1 %patch7 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 + sed -i -e 's|\$prefix/\$libdir/engines|/%{_lib}/engines|g' Configure %build diff --git a/pic.patch b/pic.patch new file mode 100644 index 0000000..2f13e57 --- /dev/null +++ b/pic.patch @@ -0,0 +1,175 @@ +Index: openssl-1.0.1c/crypto/des/asm/desboth.pl +=================================================================== +--- openssl-1.0.1c.orig/crypto/des/asm/desboth.pl 2001-10-24 23:20:56.000000000 +0200 ++++ openssl-1.0.1c/crypto/des/asm/desboth.pl 2012-07-29 14:15:26.000000000 +0200 +@@ -16,6 +16,11 @@ + + &push("edi"); + ++ &call (&label("pic_point0")); ++ &set_label("pic_point0"); ++ &blindpop("ebp"); ++ &add ("ebp", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]"); ++ + &comment(""); + &comment("Load the data words"); + &mov($L,&DWP(0,"ebx","",0)); +@@ -47,15 +52,21 @@ + &mov(&swtmp(2), (DWC(($enc)?"1":"0"))); + &mov(&swtmp(1), "eax"); + &mov(&swtmp(0), "ebx"); +- &call("DES_encrypt2"); ++ &exch("ebx", "ebp"); ++ &call("DES_encrypt2\@PLT"); ++ &exch("ebx", "ebp"); + &mov(&swtmp(2), (DWC(($enc)?"0":"1"))); + &mov(&swtmp(1), "edi"); + &mov(&swtmp(0), "ebx"); +- &call("DES_encrypt2"); ++ &exch("ebx", "ebp"); ++ &call("DES_encrypt2\@PLT"); ++ &exch("ebx", "ebp"); + &mov(&swtmp(2), (DWC(($enc)?"1":"0"))); + &mov(&swtmp(1), "esi"); + &mov(&swtmp(0), "ebx"); +- &call("DES_encrypt2"); ++ &exch("ebx", "ebp"); ++ &call("DES_encrypt2\@PLT"); ++ &exch("ebx", "ebp"); + + &stack_pop(3); + &mov($L,&DWP(0,"ebx","",0)); +Index: openssl-1.0.1c/crypto/perlasm/cbc.pl +=================================================================== +--- openssl-1.0.1c.orig/crypto/perlasm/cbc.pl 2011-07-13 08:22:46.000000000 +0200 ++++ openssl-1.0.1c/crypto/perlasm/cbc.pl 2012-07-29 14:15:26.000000000 +0200 +@@ -122,7 +122,11 @@ + &mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call + &mov(&DWP($data_off+4,"esp","",0), "ebx"); # + +- &call($enc_func); ++ &call (&label("pic_point0")); ++ &set_label("pic_point0"); ++ &blindpop("ebx"); ++ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]"); ++ &call("$enc_func\@PLT"); + + &mov("eax", &DWP($data_off,"esp","",0)); + &mov("ebx", &DWP($data_off+4,"esp","",0)); +@@ -185,7 +189,11 @@ + &mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call + &mov(&DWP($data_off+4,"esp","",0), "ebx"); # + +- &call($enc_func); ++ &call (&label("pic_point1")); ++ &set_label("pic_point1"); ++ &blindpop("ebx"); ++ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point1") . "]"); ++ &call("$enc_func\@PLT"); + + &mov("eax", &DWP($data_off,"esp","",0)); + &mov("ebx", &DWP($data_off+4,"esp","",0)); +@@ -218,7 +226,11 @@ + &mov(&DWP($data_off,"esp","",0), "eax"); # put back + &mov(&DWP($data_off+4,"esp","",0), "ebx"); # + +- &call($dec_func); ++ &call (&label("pic_point2")); ++ &set_label("pic_point2"); ++ &blindpop("ebx"); ++ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point2") . "]"); ++ &call("$dec_func\@PLT"); + + &mov("eax", &DWP($data_off,"esp","",0)); # get return + &mov("ebx", &DWP($data_off+4,"esp","",0)); # +@@ -261,7 +273,11 @@ + &mov(&DWP($data_off,"esp","",0), "eax"); # put back + &mov(&DWP($data_off+4,"esp","",0), "ebx"); # + +- &call($dec_func); ++ &call (&label("pic_point3")); ++ &set_label("pic_point3"); ++ &blindpop("ebx"); ++ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point3") . "]"); ++ &call("$dec_func\@PLT"); + + &mov("eax", &DWP($data_off,"esp","",0)); # get return + &mov("ebx", &DWP($data_off+4,"esp","",0)); # +Index: openssl-1.0.1c/crypto/perlasm/x86gas.pl +=================================================================== +--- openssl-1.0.1c.orig/crypto/perlasm/x86gas.pl 2011-12-09 20:16:35.000000000 +0100 ++++ openssl-1.0.1c/crypto/perlasm/x86gas.pl 2012-07-29 14:15:26.000000000 +0200 +@@ -161,6 +161,7 @@ + if ($::macosx) { push (@out,"$tmp,2\n"); } + elsif ($::elf) { push (@out,"$tmp,4\n"); } + else { push (@out,"$tmp\n"); } ++ if ($::elf) { push (@out,".hidden\tOPENSSL_ia32cap_P\n"); } + } + push(@out,$initseg) if ($initseg); + } +@@ -218,8 +219,23 @@ + elsif ($::elf) + { $initseg.=<<___; + .section .init ++___ ++ if ($::pic) ++ { $initseg.=<<___; ++ pushl %ebx ++ call .pic_point0 ++.pic_point0: ++ popl %ebx ++ addl \$_GLOBAL_OFFSET_TABLE_+[.-.pic_point0],%ebx ++ call $f\@PLT ++ popl %ebx ++___ ++ } ++ else ++ { $initseg.=<<___; + call $f + ___ ++ } + } + elsif ($::coff) + { $initseg.=<<___; # applies to both Cygwin and Mingw +Index: openssl-1.0.1c/crypto/x86cpuid.pl +=================================================================== +--- openssl-1.0.1c.orig/crypto/x86cpuid.pl 2012-02-28 15:20:34.000000000 +0100 ++++ openssl-1.0.1c/crypto/x86cpuid.pl 2012-07-29 14:15:26.000000000 +0200 +@@ -8,6 +8,8 @@ + + for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); } + ++push(@out, ".hidden OPENSSL_ia32cap_P\n"); ++ + &function_begin("OPENSSL_ia32_cpuid"); + &xor ("edx","edx"); + &pushf (); +@@ -139,9 +141,7 @@ + &set_label("nocpuid"); + &function_end("OPENSSL_ia32_cpuid"); + +-&external_label("OPENSSL_ia32cap_P"); +- +-&function_begin_B("OPENSSL_rdtsc","EXTRN\t_OPENSSL_ia32cap_P:DWORD"); ++&function_begin_B("OPENSSL_rdtsc"); + &xor ("eax","eax"); + &xor ("edx","edx"); + &picmeup("ecx","OPENSSL_ia32cap_P"); +@@ -155,7 +155,7 @@ + # This works in Ring 0 only [read DJGPP+MS-DOS+privileged DPMI host], + # but it's safe to call it on any [supported] 32-bit platform... + # Just check for [non-]zero return value... +-&function_begin_B("OPENSSL_instrument_halt","EXTRN\t_OPENSSL_ia32cap_P:DWORD"); ++&function_begin_B("OPENSSL_instrument_halt"); + &picmeup("ecx","OPENSSL_ia32cap_P"); + &bt (&DWP(0,"ecx"),4); + &jnc (&label("nohalt")); # no TSC +@@ -222,7 +222,7 @@ + &ret (); + &function_end_B("OPENSSL_far_spin"); + +-&function_begin_B("OPENSSL_wipe_cpu","EXTRN\t_OPENSSL_ia32cap_P:DWORD"); ++&function_begin_B("OPENSSL_wipe_cpu"); + &xor ("eax","eax"); + &xor ("edx","edx"); + &picmeup("ecx","OPENSSL_ia32cap_P"); diff --git a/stddef.patch b/stddef.patch new file mode 100644 index 0000000..bb65b23 --- /dev/null +++ b/stddef.patch @@ -0,0 +1,12 @@ +Index: openssl-0.9.8k/crypto/sha/sha.h +=================================================================== +--- openssl-0.9.8k.orig/crypto/sha/sha.h 2008-09-16 12:47:28.000000000 +0200 ++++ openssl-0.9.8k/crypto/sha/sha.h 2009-07-19 11:36:28.000000000 +0200 +@@ -59,6 +59,7 @@ + #ifndef HEADER_SHA_H + #define HEADER_SHA_H + ++#include + #include + #include + -- 2.43.0