From 0f93859bd281df1954f054a5923c985892278c0e Mon Sep 17 00:00:00 2001
From: nbd
Date: Sun, 9 Mar 2014 13:23:41 +0000
Subject: [PATCH] openssl: update to 1.0.1f

This version includes this changes:
Don't include gmt_unix_time in TLS server and client random values
Fix for TLS record tampering bug CVE-2013-4353
Fix for TLS version checking bug CVE-2013-6449
Fix for DTLS retransmission bug CVE-2013-6450

Signed-off-by: Peter Wagner

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@39853 3c298f89-4303-0410-b956-a3cf2f4a3e73
---
 package/libs/openssl/Makefile | 6 ++---
 .../openssl/patches/110-optimize-for-size.patch | 2 +-
 .../libs/openssl/patches/120-cisco-dtls-fix.patch | 31 ----------------------
 package/libs/openssl/patches/150-no_engines.patch | 2 +-
 .../openssl/patches/160-disable_doc_tests.patch | 4 +--
 .../patches/190-remove_timestamp_check.patch | 2 +-
 .../libs/openssl/patches/200-parallel_build.patch | 16 +++++------
 7 files changed, 16 insertions(+), 47 deletions(-)
 delete mode 100644 package/libs/openssl/patches/120-cisco-dtls-fix.patch

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 38679acb2b..8a8e8520d4 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -8,8 +8,8 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
-PKG_VERSION:=1.0.1e
-PKG_RELEASE:=2
+PKG_VERSION:=1.0.1f
+PKG_RELEASE:=1
 
 PKG_USE_MIPS16:=0
 PKG_BUILD_PARALLEL:=1
 
@@ -18,7 +18,7 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://www.openssl.org/source/ \
 ftp://ftp.funet.fi/pub/crypt/mirrors/ftp.openssl.org/source \
 ftp://ftp.sunet.se/pub/security/tools/net/openssl/source/
-PKG_MD5SUM:=66bf6f10f060d561929de96f9dfe5b8c
+PKG_MD5SUM:=f26b09c028a0541cab33da697d522b25
 
 PKG_LICENSE:=SSLEAY OPENSSL
 PKG_LICENSE_FILES:=LICENSE
diff --git a/package/libs/openssl/patches/110-optimize-for-size.patch b/package/libs/openssl/patches/110-optimize-for-size.patch
index 9869c97d4b..d6cf2b5910 100644
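Review bot: The new PKG_MD5SUM is the only integrity check on the 1.0.1f tarball, and every PKG_SOURCE_URL entry is plain http or ftp, so the pinned digest is all that stands between a mirror and the build; MD5 is collision-weak, and nothing in the commit says where the value f26b09c028a0541cab33da697d522b25 was taken from. I would record in the description that the digest was matched against OpenSSL's published checksum and signature for 1.0.1f, and, if the build system offers a SHA-256 pin alongside or instead of PKG_MD5SUM, switch to it. The removal of 120-cisco-dtls-fix.patch (the DTLS1_BAD_VER check in tls1_cbc_remove_padding) presumably relies on that fix being part of 1.0.1f upstream; a sentence saying so in the description would let reviewers confirm it rather than infer it.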
--- a/package/libs/openssl/patches/110-optimize-for-size.patch
+++ b/package/libs/openssl/patches/110-optimize-for-size.patch
@@ -1,6 +1,6 @@
 --- a/Configure
 +++ b/Configure
-@@ -402,6 +402,10 @@ my %table=(
+@@ -403,6 +403,10 @@ my %table=(
  "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
  "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
diff --git a/package/libs/openssl/patches/120-cisco-dtls-fix.patch b/package/libs/openssl/patches/120-cisco-dtls-fix.patch
deleted file mode 100644
index 11e6bb5f2f..0000000000
--- a/package/libs/openssl/patches/120-cisco-dtls-fix.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 9fe4603b8245425a4c46986ed000fca054231253 Mon Sep 17 00:00:00 2001
-From: David Woodhouse
-Date: Tue, 12 Feb 2013 14:55:32 +0000
-Subject: [PATCH] Check DTLS_BAD_VER for version number.
-
-The version check for DTLS1_VERSION was redundant as
-DTLS1_VERSION > TLS1_1_VERSION, however we do need to
-check for DTLS1_BAD_VER for compatibility.
-
-PR:2984
-(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)
---
- ssl/s3_cbc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
-index 02edf3f..443a31e 100644
---- a/ssl/s3_cbc.c
-+++ b/ssl/s3_cbc.c
-@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
- unsigned padding_length, good, to_check, i;
- const unsigned overhead = 1 /* padding length byte */ + mac_size;
- /* Check if version requires explicit IV */
-- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
-+ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
- {
- /* These lengths are all public so we can test them in
- * non-constant time.
---
-1.8.1.2
-
diff --git a/package/libs/openssl/patches/150-no_engines.patch b/package/libs/openssl/patches/150-no_engines.patch index 8e93970fec..92a3a78389 100644 --- a/package/libs/openssl/patches/150-no_engines.patch +++ b/package/libs/openssl/patches/150-no_engines.patch @@ -1,6 +1,6 @@ --- a/Configure +++ b/Configure -@@ -2003,6 +2003,11 @@ EOF +@@ -2004,6 +2004,11 @@ EOF close(OUT); } diff --git a/package/libs/openssl/patches/160-disable_doc_tests.patch b/package/libs/openssl/patches/160-disable_doc_tests.patch index d0bf19a3ef..54f58fb5a4 100644 --- a/package/libs/openssl/patches/160-disable_doc_tests.patch +++ b/package/libs/openssl/patches/160-disable_doc_tests.patch @@ -36,7 +36,7 @@ build_libs: build_crypto build_ssl build_engines -@@ -539,7 +539,7 @@ dist: +@@ -540,7 +540,7 @@ dist: dist_pem_h: (cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean) @@ -47,7 +47,7 @@ @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \ --- a/Makefile.org +++ b/Makefile.org -@@ -537,7 +537,7 @@ dist: +@@ -538,7 +538,7 @@ dist: dist_pem_h: (cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean) diff --git a/package/libs/openssl/patches/190-remove_timestamp_check.patch b/package/libs/openssl/patches/190-remove_timestamp_check.patch index 2677b2d6f1..460068840e 100644 --- a/package/libs/openssl/patches/190-remove_timestamp_check.patch +++ b/package/libs/openssl/patches/190-remove_timestamp_check.patch @@ -9,7 +9,7 @@ # as we stick to -e, CLEARENV ensures that local variables in lower # Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn -@@ -396,11 +396,6 @@ openssl.pc: Makefile +@@ -397,11 +397,6 @@ openssl.pc: Makefile echo 'Libs.private: $(EX_LIBS)'; \ echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc diff --git a/package/libs/openssl/patches/200-parallel_build.patch b/package/libs/openssl/patches/200-parallel_build.patch index b527683676..c43ffa1186 100644 --- a/package/libs/openssl/patches/200-parallel_build.patch 
+++ b/package/libs/openssl/patches/200-parallel_build.patch @@ -29,7 +29,7 @@ all_testapps: build_libs build_testapps build_testapps: -@@ -454,7 +454,7 @@ report: +@@ -455,7 +455,7 @@ report: @$(PERL) util/selftest.pl depend: @@ -38,7 +38,7 @@ lint: @set -e; target=lint; $(RECURSIVE_BUILD_CMD) -@@ -532,9 +532,9 @@ dist: +@@ -533,9 +533,9 @@ dist: dist_pem_h: (cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean) @@ -50,7 +50,7 @@ @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \ $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \ $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \ -@@ -543,12 +543,19 @@ install_sw: +@@ -544,12 +544,19 @@ install_sw: $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \ $(INSTALL_PREFIX)$(OPENSSLDIR)/certs \ $(INSTALL_PREFIX)$(OPENSSLDIR)/private @@ -71,7 +71,7 @@ @set -e; liblist="$(LIBS)"; for i in $$liblist ;\ do \ if [ -f "$$i" ]; then \ -@@ -628,12 +635,7 @@ install_html_docs: +@@ -629,12 +636,7 @@ install_html_docs: done; \ done @@ -97,7 +97,7 @@ fi; \ --- a/crypto/Makefile +++ b/crypto/Makefile -@@ -86,11 +86,11 @@ testapps: +@@ -88,11 +88,11 @@ testapps: @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi subdirs: @@ -111,7 +111,7 @@ links: @$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER) -@@ -101,7 +101,7 @@ links: +@@ -103,7 +103,7 @@ links: # lib: $(LIB): are splitted to avoid end-less loop lib: $(LIB) @touch lib @@ -120,7 +120,7 @@ $(AR) $(LIB) $(LIBOBJ) [ -z "$(FIPSLIBDIR)" ] || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o $(RANLIB) $(LIB) || echo Never mind. -@@ -112,7 +112,7 @@ shared: buildinf.h lib subdirs +@@ -114,7 +114,7 @@ shared: buildinf.h lib subdirs fi libs: @@ -129,7 +129,7 @@ install: @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile... -@@ -121,7 +121,7 @@ install: +@@ -123,7 +123,7 @@ install: (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; -- 2.11.0