Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/crypto/external/bsd/openssl/dist Changes between 1.0.1d and ...
details: https://anonhg.NetBSD.org/src/rev/0a092f669a11
branches: trunk
changeset: 784869:0a092f669a11
user: christos <christos%NetBSD.org@localhost>
date: Tue Feb 12 19:10:49 2013 +0000
description:
Changes between 1.0.1d and 1.0.1e [11 Feb 2013]
*) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
supporting platforms or when small records were transferred.
[Andy Polyakov, Steve Henson]
diffstat:
crypto/external/bsd/openssl/dist/CHANGES | 4 +
crypto/external/bsd/openssl/dist/FAQ | 4 +-
crypto/external/bsd/openssl/dist/INSTALL.W32 | 4 +-
crypto/external/bsd/openssl/dist/Makefile | 4 +-
crypto/external/bsd/openssl/dist/Makefile.org | 2 +-
crypto/external/bsd/openssl/dist/NEWS | 4 +
crypto/external/bsd/openssl/dist/README | 4 +-
crypto/external/bsd/openssl/dist/crypto/evp/e_aes_cbc_hmac_sha1.c | 79 +++--
crypto/external/bsd/openssl/dist/openssl.spec | 2 +-
crypto/external/bsd/openssl/dist/ssl/d1_srtp.c | 5 +-
crypto/external/bsd/openssl/dist/ssl/s3_cbc.c | 124 +++++----
crypto/external/bsd/openssl/dist/ssl/ssl_lib.c | 4 +
crypto/external/bsd/openssl/dist/test/testssl | 17 +
13 files changed, 157 insertions(+), 100 deletions(-)
diffs (truncated from 593 to 300 lines):
diff -r 4090e405bede -r 0a092f669a11 crypto/external/bsd/openssl/dist/CHANGES
--- a/crypto/external/bsd/openssl/dist/CHANGES Tue Feb 12 15:06:40 2013 +0000
+++ b/crypto/external/bsd/openssl/dist/CHANGES Tue Feb 12 19:10:49 2013 +0000
@@ -2,6 +2,10 @@
OpenSSL CHANGES
_______________
+ Changes between 1.0.1d and 1.0.1e [11 Feb 2013]
+
+ *)
+
Changes between 1.0.1c and 1.0.1d [5 Feb 2013]
*) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
diff -r 4090e405bede -r 0a092f669a11 crypto/external/bsd/openssl/dist/FAQ
--- a/crypto/external/bsd/openssl/dist/FAQ Tue Feb 12 15:06:40 2013 +0000
+++ b/crypto/external/bsd/openssl/dist/FAQ Tue Feb 12 19:10:49 2013 +0000
@@ -83,11 +83,11 @@
* Which is the current version of OpenSSL?
The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 1.0.1d was released on Feb 5th, 2013.
+OpenSSL 1.0.1e was released on Feb 11th, 2013.
In addition to the current stable release, you can also access daily
snapshots of the OpenSSL development version at <URL:
-ftp://ftp.openssl.org/snapshot/>, or get it by anonymous CVS access.
+ftp://ftp.openssl.org/snapshot/>, or get it by anonymous Git access.
* Where is the documentation?
diff -r 4090e405bede -r 0a092f669a11 crypto/external/bsd/openssl/dist/INSTALL.W32
--- a/crypto/external/bsd/openssl/dist/INSTALL.W32 Tue Feb 12 15:06:40 2013 +0000
+++ b/crypto/external/bsd/openssl/dist/INSTALL.W32 Tue Feb 12 19:10:49 2013 +0000
@@ -29,7 +29,7 @@
is required if you intend to utilize assembler modules. Note that NASM
is now the only supported assembler.
- If you are compiling from a tarball or a CVS snapshot then the Win32 files
+ If you are compiling from a tarball or a Git snapshot then the Win32 files
may well be not up to date. This may mean that some "tweaking" is required to
get it all to work. See the trouble shooting section later on for if (when?)
it goes wrong.
@@ -257,7 +257,7 @@
then ms\do_XXX should not give a warning any more. However the numbers that
get assigned by this technique may not match those that eventually get
- assigned in the CVS tree: so anything linked against this version of the
+ assigned in the Git tree: so anything linked against this version of the
library may need to be recompiled.
If you get errors about unresolved symbols there are several possible
diff -r 4090e405bede -r 0a092f669a11 crypto/external/bsd/openssl/dist/Makefile
--- a/crypto/external/bsd/openssl/dist/Makefile Tue Feb 12 15:06:40 2013 +0000
+++ b/crypto/external/bsd/openssl/dist/Makefile Tue Feb 12 19:10:49 2013 +0000
@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##
-VERSION=1.0.1d
+VERSION=1.0.1e
MAJOR=1
MINOR=0.1
SHLIB_VERSION_NUMBER=1.0.0
@@ -71,7 +71,7 @@
NM= nm
PERL= /usr/bin/perl
TAR= tar
-TARFLAGS= --no-recursion
+TARFLAGS= --no-recursion --record-size=10240
MAKEDEPPROG=makedepend
LIBDIR=lib
diff -r 4090e405bede -r 0a092f669a11 crypto/external/bsd/openssl/dist/Makefile.org
--- a/crypto/external/bsd/openssl/dist/Makefile.org Tue Feb 12 15:06:40 2013 +0000
+++ b/crypto/external/bsd/openssl/dist/Makefile.org Tue Feb 12 19:10:49 2013 +0000
@@ -69,7 +69,7 @@
NM= nm
PERL= perl
TAR= tar
-TARFLAGS= --no-recursion
+TARFLAGS= --no-recursion --record-size=10240
MAKEDEPPROG=makedepend
LIBDIR=lib
diff -r 4090e405bede -r 0a092f669a11 crypto/external/bsd/openssl/dist/NEWS
--- a/crypto/external/bsd/openssl/dist/NEWS Tue Feb 12 15:06:40 2013 +0000
+++ b/crypto/external/bsd/openssl/dist/NEWS Tue Feb 12 19:10:49 2013 +0000
@@ -5,6 +5,10 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.0.1d and OpenSSL 1.0.1e:
+
+ o Corrected fix for CVE-2013-0169
+
Major changes between OpenSSL 1.0.1c and OpenSSL 1.0.1d:
o Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version.
diff -r 4090e405bede -r 0a092f669a11 crypto/external/bsd/openssl/dist/README
--- a/crypto/external/bsd/openssl/dist/README Tue Feb 12 15:06:40 2013 +0000
+++ b/crypto/external/bsd/openssl/dist/README Tue Feb 12 19:10:49 2013 +0000
@@ -1,5 +1,5 @@
- OpenSSL 1.0.1d 5 Feb 2013
+ OpenSSL 1.0.1e 11 Feb 2013
Copyright (c) 1998-2011 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
@@ -190,7 +190,7 @@
reason as to why that feature isn't implemented.
Patches should be as up to date as possible, preferably relative to the
- current CVS or the last snapshot. They should follow the coding style of
+ current Git or the last snapshot. They should follow the coding style of
OpenSSL and compile without warnings. Some of the core team developer targets
can be used for testing purposes, (debug-steve64, debug-geoff etc). OpenSSL
compiles on many varied platforms: try to ensure you only use portable
diff -r 4090e405bede -r 0a092f669a11 crypto/external/bsd/openssl/dist/crypto/evp/e_aes_cbc_hmac_sha1.c
--- a/crypto/external/bsd/openssl/dist/crypto/evp/e_aes_cbc_hmac_sha1.c Tue Feb 12 15:06:40 2013 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/evp/e_aes_cbc_hmac_sha1.c Tue Feb 12 19:10:49 2013 +0000
@@ -244,7 +244,10 @@
}
} else {
union { unsigned int u[SHA_DIGEST_LENGTH/sizeof(unsigned int)];
- unsigned char c[SHA_DIGEST_LENGTH]; } mac;
+ unsigned char c[32+SHA_DIGEST_LENGTH]; } mac, *pmac;
+
+ /* arrange cache line alignment */
+ pmac = (void *)(((size_t)mac.c+31)&((size_t)0-32));
/* decrypt HMAC|padding at once */
aesni_cbc_encrypt(in,out,len,
@@ -300,17 +303,21 @@
/* but pretend as if we hashed padded payload */
bitlen = key->md.Nl+(inp_len<<3); /* at most 18 bits */
+#ifdef BSWAP
+ bitlen = BSWAP(bitlen);
+#else
mac.c[0] = 0;
mac.c[1] = (unsigned char)(bitlen>>16);
mac.c[2] = (unsigned char)(bitlen>>8);
mac.c[3] = (unsigned char)bitlen;
bitlen = mac.u[0];
+#endif
- mac.u[0]=0;
- mac.u[1]=0;
- mac.u[2]=0;
- mac.u[3]=0;
- mac.u[4]=0;
+ pmac->u[0]=0;
+ pmac->u[1]=0;
+ pmac->u[2]=0;
+ pmac->u[3]=0;
+ pmac->u[4]=0;
for (res=key->md.num, j=0;j<len;j++) {
size_t c = out[j];
@@ -325,11 +332,11 @@
data->u[SHA_LBLOCK-1] |= bitlen&mask;
sha1_block_data_order(&key->md,data,1);
mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
- mac.u[0] |= key->md.h0 & mask;
- mac.u[1] |= key->md.h1 & mask;
- mac.u[2] |= key->md.h2 & mask;
- mac.u[3] |= key->md.h3 & mask;
- mac.u[4] |= key->md.h4 & mask;
+ pmac->u[0] |= key->md.h0 & mask;
+ pmac->u[1] |= key->md.h1 & mask;
+ pmac->u[2] |= key->md.h2 & mask;
+ pmac->u[3] |= key->md.h3 & mask;
+ pmac->u[4] |= key->md.h4 & mask;
res=0;
}
@@ -340,11 +347,11 @@
data->u[SHA_LBLOCK-1] |= bitlen&mask;
sha1_block_data_order(&key->md,data,1);
mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
- mac.u[0] |= key->md.h0 & mask;
- mac.u[1] |= key->md.h1 & mask;
- mac.u[2] |= key->md.h2 & mask;
- mac.u[3] |= key->md.h3 & mask;
- mac.u[4] |= key->md.h4 & mask;
+ pmac->u[0] |= key->md.h0 & mask;
+ pmac->u[1] |= key->md.h1 & mask;
+ pmac->u[2] |= key->md.h2 & mask;
+ pmac->u[3] |= key->md.h3 & mask;
+ pmac->u[4] |= key->md.h4 & mask;
memset(data,0,SHA_CBLOCK);
j+=64;
@@ -352,32 +359,32 @@
data->u[SHA_LBLOCK-1] = bitlen;
sha1_block_data_order(&key->md,data,1);
mask = 0-((j-inp_len-73)>>(sizeof(j)*8-1));
- mac.u[0] |= key->md.h0 & mask;
- mac.u[1] |= key->md.h1 & mask;
- mac.u[2] |= key->md.h2 & mask;
- mac.u[3] |= key->md.h3 & mask;
- mac.u[4] |= key->md.h4 & mask;
+ pmac->u[0] |= key->md.h0 & mask;
+ pmac->u[1] |= key->md.h1 & mask;
+ pmac->u[2] |= key->md.h2 & mask;
+ pmac->u[3] |= key->md.h3 & mask;
+ pmac->u[4] |= key->md.h4 & mask;
#ifdef BSWAP
- mac.u[0] = BSWAP(mac.u[0]);
- mac.u[1] = BSWAP(mac.u[1]);
- mac.u[2] = BSWAP(mac.u[2]);
- mac.u[3] = BSWAP(mac.u[3]);
- mac.u[4] = BSWAP(mac.u[4]);
+ pmac->u[0] = BSWAP(pmac->u[0]);
+ pmac->u[1] = BSWAP(pmac->u[1]);
+ pmac->u[2] = BSWAP(pmac->u[2]);
+ pmac->u[3] = BSWAP(pmac->u[3]);
+ pmac->u[4] = BSWAP(pmac->u[4]);
#else
for (i=0;i<5;i++) {
- res = mac.u[i];
- mac.c[4*i+0]=(unsigned char)(res>>24);
- mac.c[4*i+1]=(unsigned char)(res>>16);
- mac.c[4*i+2]=(unsigned char)(res>>8);
- mac.c[4*i+3]=(unsigned char)res;
+ res = pmac->u[i];
+ pmac->c[4*i+0]=(unsigned char)(res>>24);
+ pmac->c[4*i+1]=(unsigned char)(res>>16);
+ pmac->c[4*i+2]=(unsigned char)(res>>8);
+ pmac->c[4*i+3]=(unsigned char)res;
}
#endif
len += SHA_DIGEST_LENGTH;
#else
SHA1_Update(&key->md,out,inp_len);
res = key->md.num;
- SHA1_Final(mac.c,&key->md);
+ SHA1_Final(pmac->c,&key->md);
{
unsigned int inp_blocks, pad_blocks;
@@ -393,8 +400,8 @@
}
#endif
key->md = key->tail;
- SHA1_Update(&key->md,mac.c,SHA_DIGEST_LENGTH);
- SHA1_Final(mac.c,&key->md);
+ SHA1_Update(&key->md,pmac->c,SHA_DIGEST_LENGTH);
+ SHA1_Final(pmac->c,&key->md);
/* verify HMAC */
out += inp_len;
@@ -411,7 +418,7 @@
cmask = ((int)(j-off-SHA_DIGEST_LENGTH))>>(sizeof(int)*8-1);
res |= (c^pad)&~cmask; /* ... and padding */
cmask &= ((int)(off-1-j))>>(sizeof(int)*8-1);
- res |= (c^mac.c[i])&cmask;
+ res |= (c^pmac->c[i])&cmask;
i += 1&cmask;
}
maxpad -= SHA_DIGEST_LENGTH;
@@ -421,7 +428,7 @@
}
#else
for (res=0,i=0;i<SHA_DIGEST_LENGTH;i++)
- res |= out[i]^mac.c[i];
+ res |= out[i]^pmac->c[i];
res = 0-((0-res)>>(sizeof(res)*8-1));
ret &= (int)~res;
diff -r 4090e405bede -r 0a092f669a11 crypto/external/bsd/openssl/dist/openssl.spec
--- a/crypto/external/bsd/openssl/dist/openssl.spec Tue Feb 12 15:06:40 2013 +0000
+++ b/crypto/external/bsd/openssl/dist/openssl.spec Tue Feb 12 19:10:49 2013 +0000
@@ -2,7 +2,7 @@
%define libmaj 1
%define libmin 0
%define librel 1
-%define librev d
+%define librev e
Release: 1
%define openssldir /var/ssl
diff -r 4090e405bede -r 0a092f669a11 crypto/external/bsd/openssl/dist/ssl/d1_srtp.c
--- a/crypto/external/bsd/openssl/dist/ssl/d1_srtp.c Tue Feb 12 15:06:40 2013 +0000
+++ b/crypto/external/bsd/openssl/dist/ssl/d1_srtp.c Tue Feb 12 19:10:49 2013 +0000
@@ -115,11 +115,12 @@
Copyright (C) 2011, RTFM, Inc.
*/
-#ifndef OPENSSL_NO_SRTP
-
#include <stdio.h>
#include <openssl/objects.h>
#include "ssl_locl.h"
+
+#ifndef OPENSSL_NO_SRTP
+
#include "srtp.h"
Home |
Main Index |
Thread Index |
Old Index