summaryrefslogtreecommitdiff
path: root/core/openssl
diff options
context:
space:
mode:
authorNicolás Reynolds <fauno@endefensadelsl.org>2013-12-27 23:55:53 +0000
committerNicolás Reynolds <fauno@endefensadelsl.org>2013-12-27 23:55:53 +0000
commit65eeff79fff8a1bfdf67ca51d147384f46f4d5c0 (patch)
treefbfdff322b28d9a3c37e6e31c94caf1d8e48dac1 /core/openssl
parentd53c44f055929b18d7d1b25f8367ee5836c435fc (diff)
Fri Dec 27 23:54:04 UTC 2013
Diffstat (limited to 'core/openssl')
-rw-r--r--core/openssl/PKGBUILD18
-rw-r--r--core/openssl/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch31
-rw-r--r--core/openssl/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch32
3 files changed, 77 insertions, 4 deletions
diff --git a/core/openssl/PKGBUILD b/core/openssl/PKGBUILD
index 35d52bef9..f3d13b221 100644
--- a/core/openssl/PKGBUILD
+++ b/core/openssl/PKGBUILD
@@ -1,4 +1,4 @@
-# $Id: PKGBUILD 197168 2013-10-23 13:51:53Z pierre $
+# $Id: PKGBUILD 199034 2013-11-07 14:18:31Z pierre $
# Maintainer: Pierre Schmitz <pierre@archlinux.de>
pkgname=openssl
@@ -6,7 +6,7 @@ _ver=1.0.1e
# use a pacman compatible version scheme
pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}}
#pkgver=$_ver
-pkgrel=4
+pkgrel=5
pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer Security'
arch=('i686' 'x86_64')
url='https://www.openssl.org'
@@ -19,12 +19,16 @@ source=("https://www.openssl.org/source/${pkgname}-${_ver}.tar.gz"
"https://www.openssl.org/source/${pkgname}-${_ver}.tar.gz.asc"
'no-rpath.patch'
'ca-dir.patch'
- 'openssl-1.0.1e-fix_pod_syntax-1.patch')
+ 'openssl-1.0.1e-fix_pod_syntax-1.patch'
+ 'openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch'
+ 'openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch')
md5sums=('66bf6f10f060d561929de96f9dfe5b8c'
'SKIP'
'dc78d3d06baffc16217519242ce92478'
'3bf51be3a1bbd262be46dc619f92aa90'
- '88d3bef4bbdc640b0412315d8d347bdf')
+ '88d3bef4bbdc640b0412315d8d347bdf'
+ 'ae7848bb152b8834ceff30c8c480d422'
+ 'c5cc62a47cef72f4e5ad119a88e97ae4')
prepare() {
cd $srcdir/$pkgname-$_ver
@@ -35,6 +39,12 @@ prepare() {
patch -p0 -i $srcdir/ca-dir.patch
patch -p1 -i $srcdir/openssl-1.0.1e-fix_pod_syntax-1.patch
+ # OpenSSL 1.0.0k, 1.0.1.d, 1.0.1e fail handshake with DTLS1_BAD_VER
+ # http://rt.openssl.org/Ticket/Display.html?id=2984
+ patch -p1 -i $srcdir/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch
+ # Communication problems with 1.0.1e
+ # http://rt.openssl.org/Ticket/Display.html?id=3002
+ patch -p1 -i $srcdir/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch
}
build() {
diff --git a/core/openssl/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch b/core/openssl/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch
new file mode 100644
index 000000000..5a88220c3
--- /dev/null
+++ b/core/openssl/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch
@@ -0,0 +1,31 @@
+From 9fe4603b8245425a4c46986ed000fca054231253 Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dwmw2@infradead.org>
+Date: Tue, 12 Feb 2013 14:55:32 +0000
+Subject: Check DTLS_BAD_VER for version number.
+
+The version check for DTLS1_VERSION was redundant as
+DTLS1_VERSION > TLS1_1_VERSION, however we do need to
+check for DTLS1_BAD_VER for compatibility.
+
+PR:2984
+(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)
+---
+ ssl/s3_cbc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
+index 02edf3f..443a31e 100644
+--- a/ssl/s3_cbc.c
++++ b/ssl/s3_cbc.c
+@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
+ unsigned padding_length, good, to_check, i;
+ const unsigned overhead = 1 /* padding length byte */ + mac_size;
+ /* Check if version requires explicit IV */
+- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
++ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
+ {
+ /* These lengths are all public so we can test them in
+ * non-constant time.
+--
+1.8.4.2
+
diff --git a/core/openssl/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch b/core/openssl/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch
new file mode 100644
index 000000000..f1a251227
--- /dev/null
+++ b/core/openssl/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch
@@ -0,0 +1,32 @@
+From 9ab3ce124616cb12bd39c6aa1e1bde0f46969b29 Mon Sep 17 00:00:00 2001
+From: Andy Polyakov <appro@openssl.org>
+Date: Mon, 18 Mar 2013 19:29:41 +0100
+Subject: e_aes_cbc_hmac_sha1.c: fix rare bad record mac on AES-NI plaforms.
+
+PR: 3002
+(cherry picked from commit 5c60046553716fcf160718f59160493194f212dc)
+---
+ crypto/evp/e_aes_cbc_hmac_sha1.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c
+index 483e04b..fb2c884 100644
+--- a/crypto/evp/e_aes_cbc_hmac_sha1.c
++++ b/crypto/evp/e_aes_cbc_hmac_sha1.c
+@@ -328,10 +328,11 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+
+ if (res!=SHA_CBLOCK) continue;
+
+- mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
++ /* j is not incremented yet */
++ mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1));
+ data->u[SHA_LBLOCK-1] |= bitlen&mask;
+ sha1_block_data_order(&key->md,data,1);
+- mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
++ mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1));
+ pmac->u[0] |= key->md.h0 & mask;
+ pmac->u[1] |= key->md.h1 & mask;
+ pmac->u[2] |= key->md.h2 & mask;
+--
+1.8.4.2
+