From 65eeff79fff8a1bfdf67ca51d147384f46f4d5c0 Mon Sep 17 00:00:00 2001 From: Nicolás Reynolds Date: Fri, 27 Dec 2013 23:55:53 +0000 Subject: Fri Dec 27 23:54:04 UTC 2013 --- core/openssl/PKGBUILD | 18 +++++++++--- ...0.1-Check-DTLS_BAD_VER-for-version-number.patch | 31 +++++++++++++++++++++ ...mac_sha1.c-fix-rare-bad-record-mac-on-AES.patch | 32 ++++++++++++++++++++++ 3 files changed, 77 insertions(+), 4 deletions(-) create mode 100644 core/openssl/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch create mode 100644 core/openssl/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch (limited to 'core/openssl') diff --git a/core/openssl/PKGBUILD b/core/openssl/PKGBUILD index 35d52bef9..f3d13b221 100644 --- a/core/openssl/PKGBUILD +++ b/core/openssl/PKGBUILD @@ -1,4 +1,4 @@ -# $Id: PKGBUILD 197168 2013-10-23 13:51:53Z pierre $ +# $Id: PKGBUILD 199034 2013-11-07 14:18:31Z pierre $ # Maintainer: Pierre Schmitz pkgname=openssl @@ -6,7 +6,7 @@ _ver=1.0.1e # use a pacman compatible version scheme pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}} #pkgver=$_ver -pkgrel=4 +pkgrel=5 pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer Security' arch=('i686' 'x86_64') url='https://www.openssl.org' @@ -19,12 +19,16 @@ source=("https://www.openssl.org/source/${pkgname}-${_ver}.tar.gz" "https://www.openssl.org/source/${pkgname}-${_ver}.tar.gz.asc" 'no-rpath.patch' 'ca-dir.patch' - 'openssl-1.0.1e-fix_pod_syntax-1.patch') + 'openssl-1.0.1e-fix_pod_syntax-1.patch' + 'openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch' + 'openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch') md5sums=('66bf6f10f060d561929de96f9dfe5b8c' 'SKIP' 'dc78d3d06baffc16217519242ce92478' '3bf51be3a1bbd262be46dc619f92aa90' - '88d3bef4bbdc640b0412315d8d347bdf') + '88d3bef4bbdc640b0412315d8d347bdf' + 'ae7848bb152b8834ceff30c8c480d422' + 'c5cc62a47cef72f4e5ad119a88e97ae4') prepare() { cd $srcdir/$pkgname-$_ver @@ -35,6 +39,12 @@ prepare() { patch -p0 -i $srcdir/ca-dir.patch patch -p1 -i $srcdir/openssl-1.0.1e-fix_pod_syntax-1.patch + # OpenSSL 1.0.0k, 1.0.1.d, 1.0.1e fail handshake with DTLS1_BAD_VER + # http://rt.openssl.org/Ticket/Display.html?id=2984 + patch -p1 -i $srcdir/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch + # Communication problems with 1.0.1e + # http://rt.openssl.org/Ticket/Display.html?id=3002 + patch -p1 -i $srcdir/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch } build() { diff --git a/core/openssl/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch b/core/openssl/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch new file mode 100644 index 000000000..5a88220c3 --- /dev/null +++ b/core/openssl/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch @@ -0,0 +1,31 @@ +From 9fe4603b8245425a4c46986ed000fca054231253 Mon Sep 17 00:00:00 2001 +From: David Woodhouse +Date: Tue, 12 Feb 2013 14:55:32 +0000 +Subject: Check DTLS_BAD_VER for version number. + +The version check for DTLS1_VERSION was redundant as +DTLS1_VERSION > TLS1_1_VERSION, however we do need to +check for DTLS1_BAD_VER for compatibility. + +PR:2984 +(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc) +--- + ssl/s3_cbc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c +index 02edf3f..443a31e 100644 +--- a/ssl/s3_cbc.c ++++ b/ssl/s3_cbc.c +@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s, + unsigned padding_length, good, to_check, i; + const unsigned overhead = 1 /* padding length byte */ + mac_size; + /* Check if version requires explicit IV */ +- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION) ++ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER) + { + /* These lengths are all public so we can test them in + * non-constant time. +-- +1.8.4.2 + diff --git a/core/openssl/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch b/core/openssl/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch new file mode 100644 index 000000000..f1a251227 --- /dev/null +++ b/core/openssl/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch @@ -0,0 +1,32 @@ +From 9ab3ce124616cb12bd39c6aa1e1bde0f46969b29 Mon Sep 17 00:00:00 2001 +From: Andy Polyakov +Date: Mon, 18 Mar 2013 19:29:41 +0100 +Subject: e_aes_cbc_hmac_sha1.c: fix rare bad record mac on AES-NI plaforms. + +PR: 3002 +(cherry picked from commit 5c60046553716fcf160718f59160493194f212dc) +--- + crypto/evp/e_aes_cbc_hmac_sha1.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c +index 483e04b..fb2c884 100644 +--- a/crypto/evp/e_aes_cbc_hmac_sha1.c ++++ b/crypto/evp/e_aes_cbc_hmac_sha1.c +@@ -328,10 +328,11 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + + if (res!=SHA_CBLOCK) continue; + +- mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1)); ++ /* j is not incremented yet */ ++ mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1)); + data->u[SHA_LBLOCK-1] |= bitlen&mask; + sha1_block_data_order(&key->md,data,1); +- mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1)); ++ mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1)); + pmac->u[0] |= key->md.h0 & mask; + pmac->u[1] |= key->md.h1 & mask; + pmac->u[2] |= key->md.h2 & mask; +-- +1.8.4.2 + -- cgit v1.2.3-54-g00ecf