main/openssl: security upgrade to 1.0.2b

CVE-2015-1788 Malformed ECParameters causes infinite loop CVE-2015-1789 Exploitable out-of-bounds read in X509_cmp_time CVE-2015-1790 PKCS7 crash with missing EnvelopedContent CVE-2015-1792 CMS verify infinite loop with unknown hash function CVE-2015-1791 Race condition handling NewSessionTicket
author: Timo Teräs <timo.teras@iki.fi> 2015-06-12 12:22:46 +0300
committer: Timo Teräs <timo.teras@iki.fi> 2015-06-12 16:59:39 +0300
commit: 85a7f61d0de63bbcf3f91f4c809320ddf2b21a22 (patch)
tree: b5d00235d306c3dc81f07774a281e9e00c2d1251 /main/openssl
parent: 90c464e2cdf3d06f9a45c84711906633e493dc1d (diff)
download: aports-85a7f61d0de63bbcf3f91f4c809320ddf2b21a22.tar.bz2
aports-85a7f61d0de63bbcf3f91f4c809320ddf2b21a22.tar.xz
3 files changed, 134 insertions, 33 deletions
diff --git a/main/openssl/0004-fix-default-ca-path-for-apps.patch b/main/openssl/0004-fix-default-ca-path-for-apps.patch
index 6e17a71f3a..c2c53184a6 100644
--- a/main/openssl/0004-fix-default-ca-path-for-apps.patch
+++ b/main/openssl/0004-fix-default-ca-path-for-apps.patch
@@ -4,35 +4,10 @@ Date: Thu, 5 Feb 2015 08:52:05 +0200
 Subject: [PATCH] fix default ca path for apps
 
 ---
- apps/s_client.c | 13 ++++++-------
  apps/s_server.c | 22 ++++++++++++++--------
  apps/s_time.c   | 13 ++++++-------
  3 files changed, 26 insertions(+), 22 deletions(-)
 
-diff --git a/apps/s_client.c b/apps/s_client.c
-index b1152aa..8aee02a 100644
---- a/apps/s_client.c
-+++ b/apps/s_client.c
-@@ -1337,13 +1337,12 @@ int MAIN(int argc, char **argv)
- 
-     SSL_CTX_set_verify(ctx, verify, verify_callback);
- 
--    if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
--        (!SSL_CTX_set_default_verify_paths(ctx))) {
--        /*
--         * BIO_printf(bio_err,"error setting default verify locations\n");
--         */
--        ERR_print_errors(bio_err);
--        /* goto end; */
-+    if (CAfile == NULL && CApath == NULL) {
-+        if (!SSL_CTX_set_default_verify_paths(ctx))
-+            ERR_print_errors(bio_err);
-+    } else {
-+        if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath))
-+            ERR_print_errors(bio_err);
-     }
- 
-     ssl_ctx_add_crls(ctx, crls, crl_download);
 diff --git a/apps/s_server.c b/apps/s_server.c
 index baa2455..2d5dc97 100644
 --- a/apps/s_server.c
diff --git a/main/openssl/0100-fix-hmac-abi.patch b/main/openssl/0100-fix-hmac-abi.patch
new file mode 100644
index 0000000000..6f3d187d3a
--- /dev/null
+++ b/main/openssl/0100-fix-hmac-abi.patch
@@ -0,0 +1,122 @@
+From 1030f89f5ea238820645e3d34049eb1bd30e81c4 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 12 Jun 2015 13:08:04 +0100
+Subject: [PATCH] Fix ABI break with HMAC
+
+Recent HMAC changes broke ABI compatibility due to a new field in HMAC_CTX.
+This backs that change out, and does it a different way.
+
+Thanks to Timo Teras for the concept.
+
+Conflicts:
+	crypto/hmac/hmac.c
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+---
+ crypto/hmac/hmac.c     | 19 +++++++------------
+ crypto/hmac/hmac.h     |  1 -
+ crypto/hmac/hmactest.c |  7 ++++++-
+ 3 files changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/crypto/hmac/hmac.c b/crypto/hmac/hmac.c
+index 15a9a21..51a0a3e 100644
+--- a/crypto/hmac/hmac.c
++++ b/crypto/hmac/hmac.c
+@@ -97,6 +97,9 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
+             return FIPS_hmac_init_ex(ctx, key, len, md, NULL);
+     }
+ #endif
++    /* If we are changing MD then we must have a key */
++    if (md != NULL && md != ctx->md && (key == NULL || len < 0))
++        return 0;
+ 
+     if (md != NULL) {
+         reset = 1;
+@@ -107,9 +110,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
+         return 0;
+     }
+ 
+-    if (!ctx->key_init && key == NULL)
+-        return 0;
+-
+     if (key != NULL) {
+         reset = 1;
+         j = EVP_MD_block_size(md);
+@@ -131,7 +131,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
+         if (ctx->key_length != HMAC_MAX_MD_CBLOCK)
+             memset(&ctx->key[ctx->key_length], 0,
+                    HMAC_MAX_MD_CBLOCK - ctx->key_length);
+-        ctx->key_init = 1;
+     }
+ 
+     if (reset) {
+@@ -169,7 +168,7 @@ int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
+     if (FIPS_mode() && !ctx->i_ctx.engine)
+         return FIPS_hmac_update(ctx, data, len);
+ #endif
+-    if (!ctx->key_init)
++    if (!ctx->md)
+         return 0;
+ 
+     return EVP_DigestUpdate(&ctx->md_ctx, data, len);
+@@ -184,7 +183,7 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len)
+         return FIPS_hmac_final(ctx, md, len);
+ #endif
+ 
+-    if (!ctx->key_init)
++    if (!ctx->md)
+         goto err;
+ 
+     if (!EVP_DigestFinal_ex(&ctx->md_ctx, buf, &i))
+@@ -205,7 +204,6 @@ void HMAC_CTX_init(HMAC_CTX *ctx)
+     EVP_MD_CTX_init(&ctx->i_ctx);
+     EVP_MD_CTX_init(&ctx->o_ctx);
+     EVP_MD_CTX_init(&ctx->md_ctx);
+-    ctx->key_init = 0;
+     ctx->md = NULL;
+ }
+ 
+@@ -217,11 +215,8 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx)
+         goto err;
+     if (!EVP_MD_CTX_copy(&dctx->md_ctx, &sctx->md_ctx))
+         goto err;
+-    dctx->key_init = sctx->key_init;
+-    if (sctx->key_init) {
+-        memcpy(dctx->key, sctx->key, HMAC_MAX_MD_CBLOCK);
+-        dctx->key_length = sctx->key_length;
+-    }
++    memcpy(dctx->key, sctx->key, HMAC_MAX_MD_CBLOCK);
++    dctx->key_length = sctx->key_length;
+     dctx->md = sctx->md;
+     return 1;
+  err:
+diff --git a/crypto/hmac/hmac.h b/crypto/hmac/hmac.h
+index f8e9f5e..b8b55cd 100644
+--- a/crypto/hmac/hmac.h
++++ b/crypto/hmac/hmac.h
+@@ -79,7 +79,6 @@ typedef struct hmac_ctx_st {
+     EVP_MD_CTX o_ctx;
+     unsigned int key_length;
+     unsigned char key[HMAC_MAX_MD_CBLOCK];
+-    int key_init;
+ } HMAC_CTX;
+ 
+ # define HMAC_size(e)    (EVP_MD_size((e)->md))
+diff --git a/crypto/hmac/hmactest.c b/crypto/hmac/hmactest.c
+index 86b6c25..271d0eb 100644
+--- a/crypto/hmac/hmactest.c
++++ b/crypto/hmac/hmactest.c
+@@ -233,7 +233,12 @@ int main(int argc, char *argv[])
+         err++;
+         goto test6;
+     }
+-    if (!HMAC_Init_ex(&ctx, NULL, 0, EVP_sha256(), NULL)) {
++    if (HMAC_Init_ex(&ctx, NULL, 0, EVP_sha256(), NULL)) {
++        printf("Should disallow changing MD without a new key (test 5)\n");
++        err++;
++        goto test6;
++    }
++    if (!HMAC_Init_ex(&ctx, test[4].key, test[4].key_len, EVP_sha256(), NULL)) {
+         printf("Failed to reinitialise HMAC (test 5)\n");
+         err++;
+         goto test6;
diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD
index e71a1aead2..1d3e3dce03 100644
--- a/main/openssl/APKBUILD
+++ b/main/openssl/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Timo Teras <timo.teras@iki.fi>
 pkgname=openssl
-pkgver=1.0.2a
-pkgrel=1
+pkgver=1.0.2b
+pkgrel=0
 pkgdesc="Toolkit for SSL v2/v3 and TLS v1"
 url="http://openssl.org"
 depends=
@@ -25,6 +25,7 @@ source="http://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz
 	0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch
 	0009-no-rpath.patch
 	0010-ssl-env-zlib.patch
+	0100-fix-hmac-abi.patch
 	1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
 	1002-backport-changes-from-upstream-padlock-module.patch
 	1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
@@ -117,47 +118,50 @@ libssl() {
 	done
 }
 
-md5sums="a06c547dac9044161a477211049f60ef  openssl-1.0.2a.tar.gz
+md5sums="7729b259e2dea7d60b32fc3934d6984b  openssl-1.0.2b.tar.gz
 0df9ba76033b23ab881216d4f469c81e  0001-fix-manpages.patch
 67bdfe450143a41042d2c318003e963a  0002-busybox-basename.patch
 84c03f201f55ca7fbfde364cfdfc9cf4  0003-use-termios.patch
-451efb6471e55a57064b73bfe6edddee  0004-fix-default-ca-path-for-apps.patch
+9bb9dffdd871eeccc945494771302cc3  0004-fix-default-ca-path-for-apps.patch
 9efaeff0a5246f6ec38189ae249dabbb  0005-fix-parallel-build.patch
 5a5753f52b9f54f769f1ad915d0119bd  0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch
 106b2c7590d49a28c782cf3f5d623543  0007-reimplement-c_rehash-in-C.patch
 7a2f9c883ecdfca3087062df4a68150a  0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch
 28e89dd715fc4ed85e747bd7306f2970  0009-no-rpath.patch
 742ee13d88b13414248f329a09f9a92d  0010-ssl-env-zlib.patch
+fac937e81323b5739d46c46626d102a7  0100-fix-hmac-abi.patch
 25091afb907de2b504f8bad6bf70002c  1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
 aa16c89b283faf0fe546e3f897279c44  1002-backport-changes-from-upstream-padlock-module.patch
 57cca845e22c178c3b317010be56edf0  1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
 2ac874d1249f5f68d8c7cd58d157d29a  1004-crypto-engine-autoload-padlock-dynamic-engine.patch"
-sha256sums="15b6393c20030aab02c8e2fe0243cb1d1d18062f6c095d67bca91871dc7f324a  openssl-1.0.2a.tar.gz
+sha256sums="d5d488cc9f0a07974195a7427094ea3cab9800a4e90178b989aa621fbc238e3f  openssl-1.0.2b.tar.gz
 4383de0433cb11696346660ae736f120511a7cd0d6ff14543080e0bb93e45ebb  0001-fix-manpages.patch
 b449fb998b5f60a3a1779ac2f432b2c7f08ae52fc6dfa98bca37d735f863d400  0002-busybox-basename.patch
 c3e6a9710726dac72e3eeffd78961d3bae67a480f6bde7890e066547da25cdfd  0003-use-termios.patch
-d438a36b2b0adf342ebef4b5e9793bcdae3b3027061100f660749c322acbe93d  0004-fix-default-ca-path-for-apps.patch
+1f022ccab9b2e5850f32d2ac75cb617c8ce7b803a4548ce71e82776fe5b15b67  0004-fix-default-ca-path-for-apps.patch
 3ee86d6e2d3e4d21cd6b8b996f8ec033c0c792a32c908a440f39f20f2c026aff  0005-fix-parallel-build.patch
 9baecc8024bd5004ef045c6c53537f7453029c1e273874ce639834145564ca6d  0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch
 c934b5d1a2cb58b5235da2dfee423f0f66bb83e1d479f511b444751899637c37  0007-reimplement-c_rehash-in-C.patch
 1030f885dc76f352854a7a95d73e68cfd1479c5f9ee198d6afef6b0755ee1c81  0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch
 6b7ac5c9db430d9d3e8aaf87e0e95aa8a0ef460517d6563cca24014d4d890fbc  0009-no-rpath.patch
 fa2e3101ca7c6daed7ea063860d586424be7590b1cec4302bc2beee1a3c6039f  0010-ssl-env-zlib.patch
+4674ac44b550971cadc566329acad7e11ee0a2581a1f25d4865a412ad0b4340f  0100-fix-hmac-abi.patch
 2eddcb7ab342285cb637ce6b6be143cca835f449f35dd9bb8c7b9167ba2117a7  1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
 aee88a24622ce9d71e38deeb874e58435dcf8ff5690f56194f0e4a00fb09b260  1002-backport-changes-from-upstream-padlock-module.patch
 c10b8aaf56a4f4f79ca195fc587e0bb533f643e777d7a3e6fb0350399a6060ea  1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
 2f7c850af078a3ae71b2dd38d5d0b3964ea4262e52673e36ff33498cc6223e6c  1004-crypto-engine-autoload-padlock-dynamic-engine.patch"
-sha512sums="02d228578824add52b73433d64697706e6503c2334933fe8dd6b477f59c430977012c3c34da207096229a425e1dcb6f3ae806043894b5ac98c27bbcddb794dd4  openssl-1.0.2a.tar.gz
+sha512sums="563eb662113668bb9ccf17a6e36697ad6392321ac1a32aa2cada9d8f4047651c2fa4da61f508ee3e1834fea343dbba189e09c1d6cabe5d1de5e3e6d022c31f4f  openssl-1.0.2b.tar.gz
 b7142256c25f208a42078e2cbdd5165aac833f0453fea0915c63d34d8177e4bb01aeb6676d8cadb988539c181a0d21991bb05a5443580053e75bc8c047b7db17  0001-fix-manpages.patch
 2244f46cb18e6b98f075051dd2446c47f7590abccd108fbab707f168a20cad8d32220d704635973f09e3b2879f523be5160f1ffbc12ab3900f8a8891dc855c5c  0002-busybox-basename.patch
 58e42058a0c8086c49d681b1e226da39a8cf8cb88c51cf739dec2ff12e1bb5d7208ac5033264b186d58e9bdfe992fe9ddb95701d01caf1824396b2cefe30c0a4  0003-use-termios.patch
-82340da695de51a8df9e76289ea1cbb9b3ad2f10d3b793b0d2155ddfce573d497ed1e35e68fdfea8e3b6c1007908698e1a5354041f9567175f2d480920d86f63  0004-fix-default-ca-path-for-apps.patch
+c67472879a31b5dbdd313892df6d37e7c93e8c0237d406c30d50b1016c2618ead3c13277f5dc723ef1ceed092d36e3c15a9777daa844f59b9fa2b0a4f04fd9ae  0004-fix-default-ca-path-for-apps.patch
 93978a0f0cc89403d1dd4a4820e17dce87e6233d376bb1a98db35a77766c4d9dfeef4238c32387f0e1292140dd58d02d31c590f8bf297ae32c13a867efead101  0005-fix-parallel-build.patch
 820d4ce1c222696fe3f1dd0d11815c06262ec230fdb174532fd507286667a0aefbf858ea5edac4245a54b950cd0556545ecd0c5cf494692a2ba131c667e7bcd5  0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch
 fc4e383ec85c6543e4e82520904122a5a5601c68042ece1e95a0cae95e02d89174f06f78ba2f8aacae8df16052df6ec628b568519a41706428a3fa07984cc8e3  0007-reimplement-c_rehash-in-C.patch
 17ad683bb91a3a3c5bcc456c8aed7f0b42414c6de06ebafa4753af93c42d9827c9978a43d4d53d741a45df7f7895c6f6163172af57cc7b391cfd15f45ce6c351  0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch
 5dbbc01985190ae1254350fb12565beb6abb916b6a7bb1f0f22d9762b1e575d124aaf9aa4cfe5f908e420978f691072d48c61a72660f09dfd6d9a2f83f862bc1  0009-no-rpath.patch
 5febe20948e3f12d981e378e1f4ea538711657aacb6865a1aa91339d4a04277e250f490a1f2abc2c6f290bdc2b1bffdba1d00983b4c09f7ea983eef8163f9420  0010-ssl-env-zlib.patch
+688a686d4993118d3be95c2cb8e22964af81e58a79ba22ff54d47c925a920996a0d1f8fd02d8f96a034db2351d5b1bc4e61d1e74a733bb254c9fbfdeed1d8d38  0100-fix-hmac-abi.patch
 8c181760d7a149aa18d246d50f1c0438ffb63c98677b05306dfc00400ad0429b47d31e7c8d85126005c67f743d23e7a8a81174ffe98556f4caf9cf6b04d9ff17  1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
 a3555440b5f544bfd6b9ad97557d8f4c1d673f6a35219f65056a72035d186be5f354717ddf9784899b602464d48657b090ade24379552d43af97609c0f48c389  1002-backport-changes-from-upstream-padlock-module.patch
 6353c7a94016c20db5d683dde37775f6780952ecdb1a5f39f878d04ba37f6ad79ae10fb6d65d181d912505a5d1e22463004cd855d548b364c00b120da2b0fdbc  1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
author	Timo Teräs <timo.teras@iki.fi>	2015-06-12 12:22:46 +0300
committer	Timo Teräs <timo.teras@iki.fi>	2015-06-12 16:59:39 +0300
commit	85a7f61d0de63bbcf3f91f4c809320ddf2b21a22 (patch)
tree	b5d00235d306c3dc81f07774a281e9e00c2d1251 /main/openssl
parent	90c464e2cdf3d06f9a45c84711906633e493dc1d (diff)
download	aports-85a7f61d0de63bbcf3f91f4c809320ddf2b21a22.tar.bz2 aports-85a7f61d0de63bbcf3f91f4c809320ddf2b21a22.tar.xz