From 111acbad43ca83e803833897ca3ee65424ed8942 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= Date: Tue, 17 Dec 2013 13:33:03 +0200 Subject: main/openssl: don't use rdrand engine as default (fixes #2512) As security measure, do not rely solely on hardware random source. (cherry picked from commit 1fd915b81678c58d35bf63761c260efd5362a93d) --- main/openssl/APKBUILD | 6 +++++- main/openssl/openssl-disable-rdrand-default.patch | 23 +++++++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 main/openssl/openssl-disable-rdrand-default.patch (limited to 'main') diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD index c66c6c8344..598fab488b 100644 --- a/main/openssl/APKBUILD +++ b/main/openssl/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Timo Teras pkgname=openssl pkgver=1.0.1e -pkgrel=4 +pkgrel=5 pkgdesc="Toolkit for SSL v2/v3 and TLS v1" url="http://openssl.org" depends= @@ -24,6 +24,7 @@ source="http://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz 0005-s_client-ircv3-starttls.patch openssl-1.0.1-version-eglibc.patch openssl-use-termios.patch + openssl-disable-rdrand-default.patch fix-default-apps-capath.patch c_rehash.sh " @@ -127,6 +128,7 @@ c32f42451a07267ee5dfb3781fa40c00 0004-crypto-engine-autoload-padlock-dynamic-en c5b1042a3acaf3591f3f5620b7086e12 0005-s_client-ircv3-starttls.patch d1f3aaad7c36590f21355682983cd14e openssl-1.0.1-version-eglibc.patch 2681796363085d01db8a81c249cd2d7b openssl-use-termios.patch +8a251d30c977ffe8bfbf9d9b7eae1a8e openssl-disable-rdrand-default.patch efec1bce615256961b1756e575ee1d0a fix-default-apps-capath.patch b1068a6dd30ec8adf63b4fd0057491a0 c_rehash.sh" sha256sums="f74f15e8c8ff11aa3d5bb5f276d202ec18d7246e95f961db76054199c69c1ae3 openssl-1.0.1e.tar.gz @@ -139,6 +141,7 @@ cbb2493ec9157e78035e9cc02be17655996ee9cd0a71b79507fc19f3862f452b 0003-engines-e 44b553d92e33c48f854a8e15b23830375bc400e987505c74956ac196266f0d46 0005-s_client-ircv3-starttls.patch 51146851d8454dcb73138f794ced8bd629658b4a0524c466f61b653fff536c93 openssl-1.0.1-version-eglibc.patch 05266a671143cf17367dee8d409ad6d0857201392c99731d7ebb8f8cdcdc32f7 openssl-use-termios.patch +c215b03f9328b8dfb81e3fa90bdf0332d6b649688944ff79fe60be62131ccb60 openssl-disable-rdrand-default.patch 1e11d6b8cdcdd6957c69d33ab670c5918fc96c12fdb9b76b4287cb8f69c3545d fix-default-apps-capath.patch 4999ee79892f52bd6a4a7baba9fac62262454d573bbffd72685d3aae9e48cee0 c_rehash.sh" sha512sums="c76857e439431b2ef6f2aa123997e53f82b9c3c964d4d765d7cc6c0c20b37a21adf578f9b759b2b65ae3925454c432a01b7de0cd320ece7181dc292e00d3244e openssl-1.0.1e.tar.gz @@ -151,5 +154,6 @@ b019320869d215014ad46e0b29aa239e31243571c4d45256b3ce6449a67fdc106a381c1cf3abd55d 70cd257bbd5a86685dc2508399e67746b60ed5d581eb84fe4d4fc6af214f31b71e2a58ad758d572976a61f67bf64c37a935a9788db160f75bced75397b9bcce3 0005-s_client-ircv3-starttls.patch 6db9d9ee62048d27f80e392eda99a46712ee85f1c8fd49f4931be73c880da8b84844a72657f7bceddb7db0026daddd31870d9c5065494f8d359ee8560284fd4a openssl-1.0.1-version-eglibc.patch 22261ad902ad4826db889fa0e6196b57d6cb389c1707f5827ba48a4630097e590979257f16f4a36fe611199fa33ba32d5f412c8b93beb84001865c2501b288da openssl-use-termios.patch +2af7a40d023e4a09c14712661056a45c572416d5bbee8d90caf5d9d44854ffa86b1d3a0bebf78156ec5da2e71ae91724c007c3d0a8de5f025b3947fd0add287d openssl-disable-rdrand-default.patch f2e737146a473d55b99f27457718ca299a02a0c74009026a30c3d1347c575bc264962b5708995e02ef7d68521b8366ccea7320523efb87b1ab2632d73fec5658 fix-default-apps-capath.patch 55e8c2e827750a4f375cb83c86bfe2d166c01ffa5d7e9b16657b72b38b747c8985dd2c98f854c911dfbbee2ff3e92aff39fdf089d979b2e3534b7685ee8b80da c_rehash.sh" diff --git a/main/openssl/openssl-disable-rdrand-default.patch b/main/openssl/openssl-disable-rdrand-default.patch new file mode 100644 index 0000000000..d9a40d294d --- /dev/null +++ b/main/openssl/openssl-disable-rdrand-default.patch @@ -0,0 +1,23 @@ +http://seclists.org/fulldisclosure/2013/Dec/99 + +From: Dr. Stephen Henson +Date: Wed, 11 Dec 2013 14:45:12 +0000 (+0000) +Subject: Don't use rdrand engine as default unless explicitly requested. +X-Git-Url: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=8a1956f3eac8b164f8c741ff1a259008bab3bac1 + +Don't use rdrand engine as default unless explicitly requested. +(cherry picked from commit 16898401bd47a153fbf799127ff57fdcfcbd324f) +--- + +diff --git a/crypto/engine/eng_rdrand.c b/crypto/engine/eng_rdrand.c +index a9ba5ae..4e9e91d 100644 +--- a/crypto/engine/eng_rdrand.c ++++ b/crypto/engine/eng_rdrand.c +@@ -104,6 +104,7 @@ static int bind_helper(ENGINE *e) + { + if (!ENGINE_set_id(e, engine_e_rdrand_id) || + !ENGINE_set_name(e, engine_e_rdrand_name) || ++ !ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL) || + !ENGINE_set_init_function(e, rdrand_init) || + !ENGINE_set_RAND(e, &rdrand_meth) ) + return 0; -- cgit v1.2.3