diff --git a/openssl-1.0.0-beta4-dtls-ipv6.patch b/openssl-1.0.0-beta4-dtls-ipv6.patch new file mode 100644 index 0000000..1173f1a --- /dev/null +++ b/openssl-1.0.0-beta4-dtls-ipv6.patch @@ -0,0 +1,219 @@ +diff -up openssl-1.0.0-beta4/crypto/bio/b_sock.c.dtls-ipv6 openssl-1.0.0-beta4/crypto/bio/b_sock.c +--- openssl-1.0.0-beta4/crypto/bio/b_sock.c.dtls-ipv6 2009-11-09 15:09:53.000000000 +0100 ++++ openssl-1.0.0-beta4/crypto/bio/b_sock.c 2009-11-23 08:50:45.000000000 +0100 +@@ -822,7 +822,8 @@ int BIO_accept(int sock, char **addr) + if (sizeof(sa.len.i)!=sizeof(sa.len.s) && sa.len.i==0) + { + OPENSSL_assert(sa.len.s<=sizeof(sa.from)); +- sa.len.i = (unsigned int)sa.len.s; ++ sa.len.i = (int)sa.len.s; ++ /* use sa.len.i from this point */ + } + if (ret == INVALID_SOCKET) + { +diff -up openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.dtls-ipv6 openssl-1.0.0-beta4/crypto/bio/bss_dgram.c +--- openssl-1.0.0-beta4/crypto/bio/bss_dgram.c.dtls-ipv6 2009-10-15 19:41:44.000000000 +0200 ++++ openssl-1.0.0-beta4/crypto/bio/bss_dgram.c 2009-11-23 08:50:45.000000000 +0100 +@@ -108,11 +108,13 @@ static BIO_METHOD methods_dgramp= + + typedef struct bio_dgram_data_st + { ++ union { ++ struct sockaddr sa; ++ struct sockaddr_in sa_in; + #if OPENSSL_USE_IPV6 +- struct sockaddr_storage peer; +-#else +- struct sockaddr_in peer; ++ struct sockaddr_in6 sa_in6; + #endif ++ } peer; + unsigned int connected; + unsigned int _errno; + unsigned int mtu; +@@ -278,28 +280,38 @@ static int dgram_read(BIO *b, char *out, + int ret=0; + bio_dgram_data *data = (bio_dgram_data *)b->ptr; + ++ struct { ++ /* ++ * See commentary in b_sock.c. ++ */ ++ union { size_t s; int i; } len; ++ union { ++ struct sockaddr sa; ++ struct sockaddr_in sa_in; + #if OPENSSL_USE_IPV6 +- struct sockaddr_storage peer; +-#else +- struct sockaddr_in peer; ++ struct sockaddr_in6 sa_in6; + #endif +- int peerlen = sizeof(peer); ++ } peer; ++ } sa; ++ ++ sa.len.s=0; ++ sa.len.i=sizeof(sa.peer); + + if (out != NULL) + { + clear_socket_error(); +- memset(&peer, 0x00, peerlen); +- /* Last arg in recvfrom is signed on some platforms and +- * unsigned on others. It is of type socklen_t on some +- * but this is not universal. Cast to (void *) to avoid +- * compiler warnings. +- */ ++ memset(&sa.peer, 0x00, sizeof(sa.peer)); + dgram_adjust_rcv_timeout(b); +- ret=recvfrom(b->num,out,outl,0,(struct sockaddr *)&peer,(void *)&peerlen); ++ ret=recvfrom(b->num,out,outl,0,&sa.peer.sa,(void *)&sa.len); ++ if (sizeof(sa.len.i)!=sizeof(sa.len.s) && sa.len.i==0) ++ { ++ OPENSSL_assert(sa.len.s<=sizeof(sa.peer)); ++ sa.len.i = (int)sa.len.s; ++ } + dgram_reset_rcv_timeout(b); + + if ( ! data->connected && ret >= 0) +- BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &peer); ++ BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &sa.peer); + + BIO_clear_retry_flags(b); + if (ret < 0) +@@ -323,25 +335,10 @@ static int dgram_write(BIO *b, const cha + if ( data->connected ) + ret=writesocket(b->num,in,inl); + else +-#if OPENSSL_USE_IPV6 +- if (data->peer.ss_family == AF_INET) + #if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK) +- ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in)); ++ ret=sendto(b->num, (char *)in, inl, 0, &data->peer.sa, sizeof(data->peer)); + #else +- ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in)); +-#endif +- else +-#if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK) +- ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in6)); +-#else +- ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in6)); +-#endif +-#else +-#if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK) +- ret=sendto(b->num, (char *)in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in)); +-#else +- ret=sendto(b->num, in, inl, 0, (const struct sockaddr *)&data->peer, sizeof(struct sockaddr_in)); +-#endif ++ ret=sendto(b->num, in, inl, 0, &data->peer.sa, sizeof(data->peer)); + #endif + + BIO_clear_retry_flags(b); +@@ -428,11 +425,20 @@ static long dgram_ctrl(BIO *b, int cmd, + else + { + #endif ++ switch (to->sa_family) ++ { ++ case AF_INET: ++ memcpy(&data->peer,to,sizeof(data->peer.sa_in)); ++ break; + #if OPENSSL_USE_IPV6 +- memcpy(&(data->peer),to, sizeof(struct sockaddr_storage)); +-#else +- memcpy(&(data->peer),to, sizeof(struct sockaddr_in)); +-#endif ++ case AF_INET6: ++ memcpy(&data->peer,to,sizeof(data->peer.sa_in6)); ++ break; ++#endif ++ default: ++ memcpy(&data->peer,to,sizeof(data->peer.sa)); ++ break; ++ } + #if 0 + } + #endif +@@ -537,41 +543,60 @@ static long dgram_ctrl(BIO *b, int cmd, + if ( to != NULL) + { + data->connected = 1; ++ switch (to->sa_family) ++ { ++ case AF_INET: ++ memcpy(&data->peer,to,sizeof(data->peer.sa_in)); ++ break; + #if OPENSSL_USE_IPV6 +- memcpy(&(data->peer),to, sizeof(struct sockaddr_storage)); +-#else +- memcpy(&(data->peer),to, sizeof(struct sockaddr_in)); +-#endif ++ case AF_INET6: ++ memcpy(&data->peer,to,sizeof(data->peer.sa_in6)); ++ break; ++#endif ++ default: ++ memcpy(&data->peer,to,sizeof(data->peer.sa)); ++ break; ++ } + } + else + { + data->connected = 0; +-#if OPENSSL_USE_IPV6 +- memset(&(data->peer), 0x00, sizeof(struct sockaddr_storage)); +-#else +- memset(&(data->peer), 0x00, sizeof(struct sockaddr_in)); +-#endif ++ memset(&(data->peer), 0x00, sizeof(data->peer)); + } + break; + case BIO_CTRL_DGRAM_GET_PEER: + to = (struct sockaddr *) ptr; +- ++ switch (to->sa_family) ++ { ++ case AF_INET: ++ memcpy(to,&data->peer,(ret=sizeof(data->peer.sa_in))); ++ break; + #if OPENSSL_USE_IPV6 +- memcpy(to, &(data->peer), sizeof(struct sockaddr_storage)); +- ret = sizeof(struct sockaddr_storage); +-#else +- memcpy(to, &(data->peer), sizeof(struct sockaddr_in)); +- ret = sizeof(struct sockaddr_in); +-#endif ++ case AF_INET6: ++ memcpy(to,&data->peer,(ret=sizeof(data->peer.sa_in6))); ++ break; ++#endif ++ default: ++ memcpy(to,&data->peer,(ret=sizeof(data->peer.sa))); ++ break; ++ } + break; + case BIO_CTRL_DGRAM_SET_PEER: + to = (struct sockaddr *) ptr; +- ++ switch (to->sa_family) ++ { ++ case AF_INET: ++ memcpy(&data->peer,to,sizeof(data->peer.sa_in)); ++ break; + #if OPENSSL_USE_IPV6 +- memcpy(&(data->peer), to, sizeof(struct sockaddr_storage)); +-#else +- memcpy(&(data->peer), to, sizeof(struct sockaddr_in)); +-#endif ++ case AF_INET6: ++ memcpy(&data->peer,to,sizeof(data->peer.sa_in6)); ++ break; ++#endif ++ default: ++ memcpy(&data->peer,to,sizeof(data->peer.sa)); ++ break; ++ } + break; + case BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT: + memcpy(&(data->next_timeout), ptr, sizeof(struct timeval)); diff --git a/openssl-1.0.0-beta4-reneg-err.patch b/openssl-1.0.0-beta4-reneg-err.patch new file mode 100644 index 0000000..271dbe7 --- /dev/null +++ b/openssl-1.0.0-beta4-reneg-err.patch @@ -0,0 +1,93 @@ +Better error reporting for unsafe renegotiation. +diff -up openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err openssl-1.0.0-beta4/ssl/ssl_err.c +--- openssl-1.0.0-beta4/ssl/ssl_err.c.reneg-err 2009-11-09 19:45:42.000000000 +0100 ++++ openssl-1.0.0-beta4/ssl/ssl_err.c 2009-11-20 17:56:57.000000000 +0100 +@@ -226,7 +226,9 @@ static ERR_STRING_DATA SSL_str_functs[]= + {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"}, + {ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"}, + {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"}, ++{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT), "SSL_PARSE_CLIENTHELLO_TLSEXT"}, + {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"}, ++{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT), "SSL_PARSE_SERVERHELLO_TLSEXT"}, + {ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"}, + {ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT), "SSL_PREPARE_CLIENTHELLO_TLSEXT"}, + {ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT), "SSL_PREPARE_SERVERHELLO_TLSEXT"}, +@@ -526,6 +528,7 @@ static ERR_STRING_DATA SSL_str_reasons[] + {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"}, + {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION) ,"unknown ssl version"}, + {ERR_REASON(SSL_R_UNKNOWN_STATE) ,"unknown state"}, ++{ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"}, + {ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"}, + {ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"}, + {ERR_REASON(SSL_R_UNSUPPORTED_DIGEST_TYPE),"unsupported digest type"}, +diff -up openssl-1.0.0-beta4/ssl/ssl.h.reneg-err openssl-1.0.0-beta4/ssl/ssl.h +--- openssl-1.0.0-beta4/ssl/ssl.h.reneg-err 2009-11-12 15:17:29.000000000 +0100 ++++ openssl-1.0.0-beta4/ssl/ssl.h 2009-11-20 17:56:57.000000000 +0100 +@@ -1934,7 +1934,9 @@ void ERR_load_SSL_strings(void); + #define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185 + #define SSL_F_SSL_NEW 186 + #define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 300 ++#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 302 + #define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 301 ++#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 303 + #define SSL_F_SSL_PEEK 270 + #define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT 281 + #define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT 282 +@@ -2231,6 +2233,7 @@ void ERR_load_SSL_strings(void); + #define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253 + #define SSL_R_UNKNOWN_SSL_VERSION 254 + #define SSL_R_UNKNOWN_STATE 255 ++#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 338 + #define SSL_R_UNSUPPORTED_CIPHER 256 + #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257 + #define SSL_R_UNSUPPORTED_DIGEST_TYPE 326 +diff -up openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err openssl-1.0.0-beta4/ssl/s23_srvr.c +--- openssl-1.0.0-beta4/ssl/s23_srvr.c.reneg-err 2009-11-12 15:17:29.000000000 +0100 ++++ openssl-1.0.0-beta4/ssl/s23_srvr.c 2009-11-20 17:57:23.000000000 +0100 +@@ -497,6 +497,11 @@ int ssl23_get_client_hello(SSL *s) + SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL); + goto err; + #else ++ if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) ++ { ++ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); ++ goto err; ++ } + /* we are talking sslv2 */ + /* we need to clean up the SSLv3/TLSv1 setup and put in the + * sslv2 stuff. */ +diff -up openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err openssl-1.0.0-beta4/ssl/t1_lib.c +--- openssl-1.0.0-beta4/ssl/t1_lib.c.reneg-err 2009-11-18 14:04:19.000000000 +0100 ++++ openssl-1.0.0-beta4/ssl/t1_lib.c 2009-11-20 17:56:57.000000000 +0100 +@@ -636,6 +636,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, + { + /* We should always see one extension: the renegotiate extension */ + *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ ++ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); + return 0; + } + return 1; +@@ -965,6 +966,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, + if (s->new_session && !renegotiate_seen + && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) + { ++ SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); + *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ + return 0; + } +@@ -993,6 +995,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, + { + /* We should always see one extension: the renegotiate extension */ + *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ ++ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); + return 0; + } + #endif +@@ -1133,6 +1136,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, + && !(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) + { + *al = SSL_AD_ILLEGAL_PARAMETER; /* is this the right alert? */ ++ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); + return 0; + } + #endif diff --git a/openssl.spec b/openssl.spec index 8f1d2ba..2729e7e 100644 --- a/openssl.spec +++ b/openssl.spec @@ -23,7 +23,7 @@ Summary: A general purpose cryptography library with TLS implementation Name: openssl Version: 1.0.0 -Release: 0.13.%{beta}%{?dist} +Release: 0.16.%{beta}%{?dist} # We remove certain patented algorithms from the openssl source tarball # with the hobble-openssl script which is included below. Source: openssl-%{version}-%{beta}-usa.tar.bz2 @@ -66,6 +66,8 @@ Patch60: openssl-1.0.0-beta4-reneg.patch # This one is not backported but has to be applied after reneg patch Patch61: openssl-1.0.0-beta4-client-reneg.patch Patch62: openssl-1.0.0-beta4-backports.patch +Patch63: openssl-1.0.0-beta4-reneg-err.patch +Patch64: openssl-1.0.0-beta4-dtls-ipv6.patch License: OpenSSL Group: System Environment/Libraries @@ -148,6 +150,8 @@ from other formats to the formats used by the OpenSSL toolkit. %patch60 -p1 -b .reneg %patch61 -p1 -b .client-reneg %patch62 -p1 -b .backports +%patch63 -p1 -b .reneg-err +%patch64 -p1 -b .dtls-ipv6 # Modify the various perl scripts to reference perl in the right location. perl util/perlpath.pl `dirname %{__perl}` @@ -181,7 +185,7 @@ sslarch=linux-alpha-gcc sslarch="linux-generic32 -DB_ENDIAN" %endif %ifarch s390x -sslarch="linux-generic64 -DB_ENDIAN" +sslarch="linux-s390x" %endif %ifarch %{arm} sh3 sh4 sslarch=linux-generic32 @@ -396,6 +400,16 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun -p /sbin/ldconfig %changelog +* Mon Nov 23 2009 Tomas Mraz 1.0.0-0.16.beta4 +- fix non-fips mingw build (patch by Kalev Lember) +- add IPV6 fix for DTLS + +* Fri Nov 20 2009 Tomas Mraz 1.0.0-0.15.beta4 +- add better error reporting for the unsafe renegotiation + +* Fri Nov 20 2009 Tomas Mraz 1.0.0-0.14.beta4 +- fix build on s390x + * Wed Nov 18 2009 Tomas Mraz 1.0.0-0.13.beta4 - disable enforcement of the renegotiation extension on the client (#537962) - add fixes from the current upstream snapshot