From db96272455e46f5400361d6b03ea581e2ae04a78 Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Mon, 1 Mar 2010 18:46:43 +0000 Subject: openssl: upgrade to 0.9.8m (patch by Peter Wagner) git-svn-id: svn://svn.openwrt.org/openwrt/trunk@19939 3c298f89-4303-0410-b956-a3cf2f4a3e73 --- .../openssl/patches/001-upstream_dtls_cisco.patch | 139 --------------------- package/openssl/patches/100-parallel-build.patch | 23 ---- .../openssl/patches/110-optimize-for-size.patch | 4 +- package/openssl/patches/120-makedepend.patch | 10 -- package/openssl/patches/121-ocf-config.patch | 23 ---- .../patches/169-makefile-ccache_needs_quotes.patch | 37 ------ package/openssl/patches/200-ocf-20080917.patch | 70 ++--------- package/openssl/patches/900-CVE-2009-1377.patch | 44 ------- package/openssl/patches/900-CVE-2009-1378.patch | 22 ---- package/openssl/patches/900-CVE-2009-1379.patch | 19 --- package/openssl/patches/900-CVE-2009-1387.patch | 53 -------- package/openssl/patches/900-CVE-2009-2409.patch | 59 --------- package/openssl/patches/901-remove_rej.patch | 19 --- 13 files changed, 13 insertions(+), 509 deletions(-) delete mode 100644 package/openssl/patches/001-upstream_dtls_cisco.patch delete mode 100644 package/openssl/patches/100-parallel-build.patch delete mode 100644 package/openssl/patches/121-ocf-config.patch delete mode 100644 package/openssl/patches/169-makefile-ccache_needs_quotes.patch delete mode 100644 package/openssl/patches/900-CVE-2009-1377.patch delete mode 100644 package/openssl/patches/900-CVE-2009-1378.patch delete mode 100644 package/openssl/patches/900-CVE-2009-1379.patch delete mode 100644 package/openssl/patches/900-CVE-2009-1387.patch delete mode 100644 package/openssl/patches/900-CVE-2009-2409.patch delete mode 100644 package/openssl/patches/901-remove_rej.patch (limited to 'package/openssl/patches') diff --git a/package/openssl/patches/001-upstream_dtls_cisco.patch b/package/openssl/patches/001-upstream_dtls_cisco.patch deleted file mode 100644 index 46f4bb2233..0000000000 --- a/package/openssl/patches/001-upstream_dtls_cisco.patch +++ /dev/null @@ -1,139 +0,0 @@ ---- a/ssl/d1_clnt.c -+++ b/ssl/d1_clnt.c -@@ -130,7 +130,7 @@ static int dtls1_get_hello_verify(SSL *s - - static SSL_METHOD *dtls1_get_client_method(int ver) - { -- if (ver == DTLS1_VERSION) -+ if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER) - return(DTLSv1_client_method()); - else - return(NULL); -@@ -181,7 +181,8 @@ int dtls1_connect(SSL *s) - s->server=0; - if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); - -- if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00)) -+ if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00) && -+ (s->version & 0xff00 ) != (DTLS1_BAD_VER & 0xff00)) - { - SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR); - ret = -1; ---- a/ssl/d1_lib.c -+++ b/ssl/d1_lib.c -@@ -187,7 +187,10 @@ void dtls1_free(SSL *s) - void dtls1_clear(SSL *s) - { - ssl3_clear(s); -- s->version=DTLS1_VERSION; -+ if (s->options & SSL_OP_CISCO_ANYCONNECT) -+ s->version=DTLS1_BAD_VER; -+ else -+ s->version=DTLS1_VERSION; - } - - /* ---- a/ssl/d1_pkt.c -+++ b/ssl/d1_pkt.c -@@ -987,15 +987,17 @@ start: - if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) - { - struct ccs_header_st ccs_hdr; -+ int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH; - - dtls1_get_ccs_header(rr->data, &ccs_hdr); - - /* 'Change Cipher Spec' is just a single byte, so we know - * exactly what the record payload has to look like */ - /* XDTLS: check that epoch is consistent */ -- if ( (s->client_version == DTLS1_BAD_VER && rr->length != 3) || -- (s->client_version != DTLS1_BAD_VER && rr->length != DTLS1_CCS_HEADER_LENGTH) || -- (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) -+ if (s->client_version == DTLS1_BAD_VER || s->version == DTLS1_BAD_VER) -+ ccs_hdr_len = 3; -+ -+ if ((rr->length != ccs_hdr_len) || (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) - { - i=SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC); -@@ -1311,7 +1313,7 @@ int do_dtls1_write(SSL *s, int type, con - #if 0 - /* 'create_empty_fragment' is true only when this function calls itself */ - if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done -- && SSL_version(s) != DTLS1_VERSION) -+ && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER) - { - /* countermeasure against known-IV weakness in CBC ciphersuites - * (see http://www.openssl.org/~bodo/tls-cbc.txt) ---- a/ssl/s3_clnt.c -+++ b/ssl/s3_clnt.c -@@ -708,7 +708,7 @@ int ssl3_get_server_hello(SSL *s) - - if (!ok) return((int)n); - -- if ( SSL_version(s) == DTLS1_VERSION) -+ if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) - { - if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) - { ---- a/ssl/ssl.h -+++ b/ssl/ssl.h -@@ -510,6 +510,8 @@ typedef struct ssl_session_st - #define SSL_OP_COOKIE_EXCHANGE 0x00002000L - /* Don't use RFC4507 ticket extension */ - #define SSL_OP_NO_TICKET 0x00004000L -+/* Use Cisco's "speshul" version of DTLS_BAD_VER (as client) */ -+#define SSL_OP_CISCO_ANYCONNECT 0x00008000L - - /* As server, disallow session resumption on renegotiation */ - #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L ---- a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -995,7 +995,8 @@ long SSL_ctrl(SSL *s,int cmd,long larg,v - s->max_cert_list=larg; - return(l); - case SSL_CTRL_SET_MTU: -- if (SSL_version(s) == DTLS1_VERSION) -+ if (SSL_version(s) == DTLS1_VERSION || -+ SSL_version(s) == DTLS1_BAD_VER) - { - s->d1->mtu = larg; - return larg; ---- a/ssl/ssl_sess.c -+++ b/ssl/ssl_sess.c -@@ -211,6 +211,11 @@ int ssl_get_new_session(SSL *s, int sess - ss->ssl_version=TLS1_VERSION; - ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH; - } -+ else if (s->version == DTLS1_BAD_VER) -+ { -+ ss->ssl_version=DTLS1_BAD_VER; -+ ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH; -+ } - else if (s->version == DTLS1_VERSION) - { - ss->ssl_version=DTLS1_VERSION; ---- a/ssl/t1_enc.c -+++ b/ssl/t1_enc.c -@@ -765,10 +765,10 @@ int tls1_mac(SSL *ssl, unsigned char *md - HMAC_CTX_init(&hmac); - HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL); - -- if (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER) -+ if (ssl->version == DTLS1_BAD_VER || -+ (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER)) - { - unsigned char dtlsseq[8],*p=dtlsseq; -- - s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p); - memcpy (p,&seq[2],6); - -@@ -793,7 +793,7 @@ printf("rec="); - {unsigned int z; for (z=0; zlength; z++) printf("%02X ",buf[z]); printf("\n"); } - #endif - -- if ( SSL_version(ssl) != DTLS1_VERSION) -+ if ( SSL_version(ssl) != DTLS1_VERSION && SSL_version(ssl) != DTLS1_BAD_VER) - { - for (i=7; i>=0; i--) - { diff --git a/package/openssl/patches/100-parallel-build.patch b/package/openssl/patches/100-parallel-build.patch deleted file mode 100644 index 0e07ba4fd0..0000000000 --- a/package/openssl/patches/100-parallel-build.patch +++ /dev/null @@ -1,23 +0,0 @@ ---- a/Makefile.org -+++ b/Makefile.org -@@ -333,15 +333,15 @@ build_crypto: - dir=crypto; target=all; $(BUILD_ONE_CMD) - build_fips: - @dir=fips; target=all; [ -z "$(FIPSCANLIB)" ] || $(BUILD_ONE_CMD) --build_ssl: -+build_ssl: build_crypto - @dir=ssl; target=all; $(BUILD_ONE_CMD) --build_engines: -+build_engines: build_crypto - @dir=engines; target=all; $(BUILD_ONE_CMD) --build_apps: -+build_apps: build_libs - @dir=apps; target=all; $(BUILD_ONE_CMD) --build_tests: -+build_tests: build_libs - @dir=test; target=all; $(BUILD_ONE_CMD) --build_tools: -+build_tools: build_libs - @dir=tools; target=all; $(BUILD_ONE_CMD) - - all_testapps: build_libs build_testapps diff --git a/package/openssl/patches/110-optimize-for-size.patch b/package/openssl/patches/110-optimize-for-size.patch index 7661a8d1e3..769a3d9366 100644 --- a/package/openssl/patches/110-optimize-for-size.patch +++ b/package/openssl/patches/110-optimize-for-size.patch @@ -1,6 +1,8 @@ +diff --git a/Configure b/Configure +index 32e154b..eec5066 100755 --- a/Configure +++ b/Configure -@@ -364,6 +364,8 @@ my %table=( +@@ -370,6 +370,8 @@ my %table=( "linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}", "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}", diff --git a/package/openssl/patches/120-makedepend.patch b/package/openssl/patches/120-makedepend.patch index 228e112908..95600ff8e8 100644 --- a/package/openssl/patches/120-makedepend.patch +++ b/package/openssl/patches/120-makedepend.patch @@ -1,15 +1,5 @@ --- a/util/domd +++ b/util/domd -@@ -14,7 +14,8 @@ if [ "$MAKEDEPEND" = "" ]; then MAKEDEPE - cp Makefile Makefile.save - # fake the presence of Kerberos - touch $TOP/krb5.h --if [ "$MAKEDEPEND" = "gcc" ]; then -+D=${MAKEDEPEND/%*gcc/gcc} -+if [ "$D" = "gcc" ]; then - args="" - while [ $# -gt 0 ]; do - if [ "$1" != "--" ]; then args="$args $1"; fi @@ -22,7 +23,7 @@ if [ "$MAKEDEPEND" = "gcc" ]; then done sed -e '/^# DO NOT DELETE.*/,$d' < Makefile > Makefile.tmp diff --git a/package/openssl/patches/121-ocf-config.patch b/package/openssl/patches/121-ocf-config.patch deleted file mode 100644 index d40f1eec68..0000000000 --- a/package/openssl/patches/121-ocf-config.patch +++ /dev/null @@ -1,23 +0,0 @@ ---- a/config -+++ b/config -@@ -399,8 +399,11 @@ exit 0 - # this is where the translation occurs into SSLeay terms - # --------------------------------------------------------------------------- - -+# figure out if gcc is available and if so we use it otherwise -+# we fallback to whatever cc does on the system - GCCVER=`(gcc -dumpversion) 2>/dev/null` - if [ "$GCCVER" != "" ]; then -+ CC=gcc - # then strip off whatever prefix egcs prepends the number with... - # Hopefully, this will work for any future prefixes as well. - GCCVER=`echo $GCCVER | LC_ALL=C sed 's/^[a-zA-Z]*\-//'` -@@ -409,6 +412,8 @@ if [ "$GCCVER" != "" ]; then - # major and minor version numbers. - # peak single digit before and after first dot, e.g. 2.95.1 gives 29 - GCCVER=`echo $GCCVER | sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/'` -+else -+ CC=cc - fi - - # Only set CC if not supplied already diff --git a/package/openssl/patches/169-makefile-ccache_needs_quotes.patch b/package/openssl/patches/169-makefile-ccache_needs_quotes.patch deleted file mode 100644 index 94b3b783ed..0000000000 --- a/package/openssl/patches/169-makefile-ccache_needs_quotes.patch +++ /dev/null @@ -1,37 +0,0 @@ ---- a/Makefile.org -+++ b/Makefile.org -@@ -357,7 +357,7 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA - $(AR) libcrypto.a fips/fipscanister.o ; \ - else \ - if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \ -- FIPSLD_CC=$(CC); CC=fips/fipsld; \ -+ FIPSLD_CC="$(CC)"; CC=fips/fipsld; \ - export CC FIPSLD_CC; \ - fi; \ - $(MAKE) -e SHLIBDIRS='crypto' build-shared; \ -@@ -380,7 +380,7 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT - fips/fipscanister.o: build_fips - libfips$(SHLIB_EXT): fips/fipscanister.o - @if [ "$(SHLIB_TARGET)" != "" ]; then \ -- FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \ -+ FIPSLD_CC="$(CC)"; CC=fips/fipsld; export CC FIPSLD_CC; \ - $(MAKE) -f Makefile.shared -e $(BUILDENV) \ - CC=$${CC} LIBNAME=fips THIS=$@ \ - LIBEXTRAS=fips/fipscanister.o \ ---- a/apps/Makefile -+++ b/apps/Makefile -@@ -153,12 +153,12 @@ $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $( - shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ - shlib_target="$(SHLIB_TARGET)"; \ - elif [ -n "$(FIPSCANLIB)" ]; then \ -- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ -+ FIPSLD_CC="$(CC)"; CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ - fi; \ - LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \ - [ "x$(FIPSCANLIB)" = "xlibfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \ - $(MAKE) -f $(TOP)/Makefile.shared -e \ -- CC=$${CC} APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \ -+ CC="$${CC}" APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \ - LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ - link_app.$${shlib_target} - -(cd ..; \ diff --git a/package/openssl/patches/200-ocf-20080917.patch b/package/openssl/patches/200-ocf-20080917.patch index 6da5644ed9..92520ea4eb 100644 --- a/package/openssl/patches/200-ocf-20080917.patch +++ b/package/openssl/patches/200-ocf-20080917.patch @@ -116,22 +116,7 @@ # on Unix, "cyg" for certain forms under Cygwin...) or suffix (.a, .so, --- a/config +++ b/config -@@ -48,10 +48,10 @@ done - - # First get uname entries that we use below - --MACHINE=`(uname -m) 2>/dev/null` || MACHINE="unknown" --RELEASE=`(uname -r) 2>/dev/null` || RELEASE="unknown" --SYSTEM=`(uname -s) 2>/dev/null` || SYSTEM="unknown" --VERSION=`(uname -v) 2>/dev/null` || VERSION="unknown" -+[ "$MACHINE" ] || MACHINE=`(uname -m) 2>/dev/null` || MACHINE="unknown" -+[ "$RELEASE" ] || RELEASE=`(uname -r) 2>/dev/null` || RELEASE="unknown" -+[ "$SYSTEM" ] || SYSTEM=`(uname -s) 2>/dev/null` || SYSTEM="unknown" -+[ "$VERSION" ] || VERSION=`(uname -v) 2>/dev/null` || VERSION="unknown" - - - # Now test for ISC and SCO, since it is has a braindamaged uname. -@@ -270,7 +270,7 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${ +@@ -270,7 +270,7 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in echo "ppc-apple-darwin${VERSION}" ;; *) @@ -140,23 +125,21 @@ ;; esac exit 0 -@@ -401,9 +401,9 @@ exit 0 +@@ -399,7 +399,8 @@ exit 0 + # this is where the translation occurs into SSLeay terms + # --------------------------------------------------------------------------- - # figure out if gcc is available and if so we use it otherwise - # we fallback to whatever cc does on the system -GCCVER=`(gcc -dumpversion) 2>/dev/null` +CC="${CC:-gcc}" +GCCVER=`(${CC} -dumpversion) 2>/dev/null` if [ "$GCCVER" != "" ]; then -- CC=gcc # then strip off whatever prefix egcs prepends the number with... # Hopefully, this will work for any future prefixes as well. - GCCVER=`echo $GCCVER | LC_ALL=C sed 's/^[a-zA-Z]*\-//'` -@@ -413,7 +413,7 @@ if [ "$GCCVER" != "" ]; then +@@ -409,6 +410,8 @@ if [ "$GCCVER" != "" ]; then + # major and minor version numbers. # peak single digit before and after first dot, e.g. 2.95.1 gives 29 GCCVER=`echo $GCCVER | sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/'` - else -- CC=cc ++else + CC="${CC:-cc}" fi @@ -343,9 +326,9 @@ static double results[ALGOR_NUM][SIZE_NUM]; -static int lengths[SIZE_NUM]={16,64,256,1024,8*1024}; +static int lengths[SIZE_NUM]={16,64,256,1024,2*1024,4*1024}; + #ifndef OPENSSL_NO_RSA static double rsa_results[RSA_NUM][2]; - static double dsa_results[DSA_NUM][2]; - #ifndef OPENSSL_NO_ECDSA + #endif @@ -328,6 +328,79 @@ static SIGRETTYPE sig_done(int sig) #define START 0 #define STOP 1 @@ -467,7 +450,7 @@ j++; } --#ifdef HAVE_FORK +-#ifndef NO_FORK - if(multi && do_multi(multi)) - goto show_res; -#endif @@ -772,15 +755,6 @@ static int get_cryptodev_ciphers(const int **cnids); static int get_cryptodev_digests(const int **cnids); static int cryptodev_usable_ciphers(const int **nids); -@@ -100,7 +112,7 @@ static int cryptodev_asym(struct crypt_k - static int cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a, - const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); - static int cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, -- RSA *rsa); -+ RSA *rsa, BN_CTX *ctx); - static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx); - static int cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, - const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); @@ -130,9 +142,12 @@ static struct { int ivmax; int keylen; @@ -1251,15 +1225,6 @@ *digest = NULL; break; } -@@ -625,7 +942,7 @@ static int - bn2crparam(const BIGNUM *a, struct crparam *crp) - { - int i, j, k; -- ssize_t words, bytes, bits; -+ ssize_t bytes, bits; - u_char *b; - - crp->crp_p = NULL; @@ -637,6 +954,7 @@ bn2crparam(const BIGNUM *a, struct crpar b = malloc(bytes); if (b == NULL) @@ -1277,21 +1242,6 @@ if (kop->crk_param[i].crp_p) free(kop->crk_param[i].crp_p); kop->crk_param[i].crp_p = NULL; -@@ -756,12 +1074,10 @@ err: - } - - static int --cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) -+cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) - { - int r; -- BN_CTX *ctx; -- -- ctx = BN_CTX_new(); -+ ctx = BN_CTX_new(); /* not sure why we reallocate this. DM */ - r = cryptodev_bn_mod_exp(r0, I, rsa->d, rsa->n, ctx, NULL); - BN_CTX_free(ctx); - return (r); --- a/crypto/engine/engine.h +++ b/crypto/engine/engine.h @@ -703,7 +703,7 @@ typedef int (*dynamic_bind_engine)(ENGIN diff --git a/package/openssl/patches/900-CVE-2009-1377.patch b/package/openssl/patches/900-CVE-2009-1377.patch deleted file mode 100644 index 8b8faf4f0c..0000000000 --- a/package/openssl/patches/900-CVE-2009-1377.patch +++ /dev/null @@ -1,44 +0,0 @@ -http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest - ---- a/crypto/pqueue/pqueue.c -+++ b/crypto/pqueue/pqueue.c -@@ -234,3 +234,17 @@ pqueue_next(pitem **item) - - return ret; - } -+ -+int -+pqueue_size(pqueue_s *pq) -+{ -+ pitem *item = pq->items; -+ int count = 0; -+ -+ while(item != NULL) -+ { -+ count++; -+ item = item->next; -+ } -+ return count; -+} ---- a/crypto/pqueue/pqueue.h -+++ b/crypto/pqueue/pqueue.h -@@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq); - pitem *pqueue_next(piterator *iter); - - void pqueue_print(pqueue pq); -+int pqueue_size(pqueue pq); - - #endif /* ! HEADER_PQUEUE_H */ ---- a/ssl/d1_pkt.c -+++ b/ssl/d1_pkt.c -@@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueu - DTLS1_RECORD_DATA *rdata; - pitem *item; - -+ /* Limit the size of the queue to prevent DOS attacks */ -+ if (pqueue_size(queue->q) >= 100) -+ return 0; -+ - rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); - item = pitem_new(priority, rdata); - if (rdata == NULL || item == NULL) diff --git a/package/openssl/patches/900-CVE-2009-1378.patch b/package/openssl/patches/900-CVE-2009-1378.patch deleted file mode 100644 index 514d444807..0000000000 --- a/package/openssl/patches/900-CVE-2009-1378.patch +++ /dev/null @@ -1,22 +0,0 @@ -http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest - ---- a/ssl/d1_both.c -+++ b/ssl/d1_both.c -@@ -561,7 +561,16 @@ dtls1_process_out_of_seq_message(SSL *s, - if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len) - goto err; - -- if (msg_hdr->seq <= s->d1->handshake_read_seq) -+ /* Try to find item in queue, to prevent duplicate entries */ -+ pq_64bit_init(&seq64); -+ pq_64bit_assign_word(&seq64, msg_hdr->seq); -+ item = pqueue_find(s->d1->buffered_messages, seq64); -+ pq_64bit_free(&seq64); -+ -+ /* Discard the message if sequence number was already there, is -+ * too far in the future or the fragment is already in the queue */ -+ if (msg_hdr->seq <= s->d1->handshake_read_seq || -+ msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL) - { - unsigned char devnull [256]; - diff --git a/package/openssl/patches/900-CVE-2009-1379.patch b/package/openssl/patches/900-CVE-2009-1379.patch deleted file mode 100644 index b72f116897..0000000000 --- a/package/openssl/patches/900-CVE-2009-1379.patch +++ /dev/null @@ -1,19 +0,0 @@ ---- a/ssl/d1_both.c -+++ b/ssl/d1_both.c -@@ -519,6 +519,7 @@ dtls1_retrieve_buffered_fragment(SSL *s, - - if ( s->d1->handshake_read_seq == frag->msg_header.seq) - { -+ unsigned long frag_len = frag->msg_header.frag_len; - pqueue_pop(s->d1->buffered_messages); - - al=dtls1_preprocess_fragment(s,&frag->msg_header,max); -@@ -536,7 +537,7 @@ dtls1_retrieve_buffered_fragment(SSL *s, - if (al==0) - { - *ok = 1; -- return frag->msg_header.frag_len; -+ return frag_len; - } - - ssl3_send_alert(s,SSL3_AL_FATAL,al); diff --git a/package/openssl/patches/900-CVE-2009-1387.patch b/package/openssl/patches/900-CVE-2009-1387.patch deleted file mode 100644 index 7a2a47e9b5..0000000000 --- a/package/openssl/patches/900-CVE-2009-1387.patch +++ /dev/null @@ -1,53 +0,0 @@ -http://bugs.gentoo.org/270305 - -fix from upstream - ---- a/ssl/d1_both.c -+++ b/ssl/d1_both.c -@@ -585,30 +585,31 @@ dtls1_process_out_of_seq_message(SSL *s, - } - } - -- frag = dtls1_hm_fragment_new(frag_len); -- if ( frag == NULL) -- goto err; -+ if (frag_len) -+ { -+ frag = dtls1_hm_fragment_new(frag_len); -+ if ( frag == NULL) -+ goto err; - -- memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); -+ memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); - -- if (frag_len) -- { -- /* read the body of the fragment (header has already been read */ -+ /* read the body of the fragment (header has already been read) */ - i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, - frag->fragment,frag_len,0); - if (i<=0 || (unsigned long)i!=frag_len) - goto err; -- } - -- pq_64bit_init(&seq64); -- pq_64bit_assign_word(&seq64, msg_hdr->seq); -+ pq_64bit_init(&seq64); -+ pq_64bit_assign_word(&seq64, msg_hdr->seq); - -- item = pitem_new(seq64, frag); -- pq_64bit_free(&seq64); -- if ( item == NULL) -- goto err; -+ item = pitem_new(seq64, frag); -+ pq_64bit_free(&seq64); -+ if ( item == NULL) -+ goto err; -+ -+ pqueue_insert(s->d1->buffered_messages, item); -+ } - -- pqueue_insert(s->d1->buffered_messages, item); - return DTLS1_HM_FRAGMENT_RETRY; - - err: diff --git a/package/openssl/patches/900-CVE-2009-2409.patch b/package/openssl/patches/900-CVE-2009-2409.patch deleted file mode 100644 index 4800968aa5..0000000000 --- a/package/openssl/patches/900-CVE-2009-2409.patch +++ /dev/null @@ -1,59 +0,0 @@ -http://bugs.gentoo.org/280591 - -fix from upstream - -http://cvs.openssl.org/chngview?cn=18260 - ---- a/crypto/evp/c_alld.c -+++ b/crypto/evp/c_alld.c -@@ -64,9 +64,6 @@ - - void OpenSSL_add_all_digests(void) - { --#ifndef OPENSSL_NO_MD2 -- EVP_add_digest(EVP_md2()); --#endif - #ifndef OPENSSL_NO_MD4 - EVP_add_digest(EVP_md4()); - #endif ---- a/crypto/x509/x509_vfy.c -+++ b/crypto/x509/x509_vfy.c -@@ -986,7 +986,11 @@ static int internal_verify(X509_STORE_CT - while (n >= 0) - { - ctx->error_depth=n; -- if (!xs->valid) -+ -+ /* Skip signature check for self signed certificates. It -+ * doesn't add any security and just wastes time. -+ */ -+ if (!xs->valid && xs != xi) - { - if ((pkey=X509_get_pubkey(xi)) == NULL) - { -@@ -996,13 +1000,6 @@ static int internal_verify(X509_STORE_CT - if (!ok) goto end; - } - else if (X509_verify(xs,pkey) <= 0) -- /* XXX For the final trusted self-signed cert, -- * this is a waste of time. That check should -- * optional so that e.g. 'openssl x509' can be -- * used to detect invalid self-signatures, but -- * we don't verify again and again in SSL -- * handshakes and the like once the cert has -- * been declared trusted. */ - { - ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE; - ctx->current_cert=xs; ---- a/ssl/ssl_algs.c -+++ b/ssl/ssl_algs.c -@@ -92,9 +92,6 @@ int SSL_library_init(void) - EVP_add_cipher(EVP_seed_cbc()); - #endif - --#ifndef OPENSSL_NO_MD2 -- EVP_add_digest(EVP_md2()); --#endif - #ifndef OPENSSL_NO_MD5 - EVP_add_digest(EVP_md5()); - EVP_add_digest_alias(SN_md5,"ssl2-md5"); diff --git a/package/openssl/patches/901-remove_rej.patch b/package/openssl/patches/901-remove_rej.patch deleted file mode 100644 index b73ed4fd93..0000000000 --- a/package/openssl/patches/901-remove_rej.patch +++ /dev/null @@ -1,19 +0,0 @@ ---- a/Configure.rej -+++ /dev/null -@@ -1,16 +0,0 @@ --*************** --*** 162,167 **** -- "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::", -- "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::", -- "debug-ben-debug", "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -g3 -O2 -pipe::(unknown)::::::", -- "debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::", -- "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", -- "debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -march=i486 -pedantic -Wshadow -Wall -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", ----- 162,168 ---- -- "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::", -- "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::", -- "debug-ben-debug", "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -g3 -O2 -pipe::(unknown)::::::", --+ "debug-ben-no-renegotiation", "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DNO_RENEGOTIATION -g3 -O2 -pipe::(unknown)::::::", -- "debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::", -- "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", -- "debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -march=i486 -pedantic -Wshadow -Wall -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", -- cgit v1.2.3