author | Timo Teräs <timo.teras@iki.fi> | 2015-01-09 08:16:24 +0200 |
---|---|---|
committer | Timo Teräs <timo.teras@iki.fi> | 2015-01-09 08:16:24 +0200 |
commit | 26dd384585d2182a35bd9450091726b6472b3b24 (patch) | |
tree | bee89d1cc4e7ebe21c27b3f91f22a26e757c3fcc /main/openssl | |
parent | 200f97e8c8068760beb4ae8b7b7a6bcceb13def7 (diff) | |
main/openssl: security upgrade to 1.0.1k
CVE-2014-3571 DTLS segmentation fault in dtls1_get_record
CVE-2015-0206 DTLS memory leak in dtls1_buffer_record
CVE-2014-3569 no-ssl3 configuration sets method to NULL
CVE-2014-3572 ECDHE silently downgrades to ECDH [Client]
CVE-2015-0204 RSA silently downgrades to EXPORT_RSA [Client]
CVE-2015-0205 DH client certificates accepted without verification [Server]
CVE-2014-8275 Certificate fingerprints can be modified
CVE-2014-3570 Bignum squaring may produce incorrect results
Diffstat (limited to 'main/openssl')
-rw-r--r-- | main/openssl/0002-engines-e_padlock-backport-cvs-head-changes.patch | 34 | ||||
-rw-r--r-- | main/openssl/APKBUILD | 14 |
2 files changed, 19 insertions, 29 deletions
diff --git a/main/openssl/0002-engines-e_padlock-backport-cvs-head-changes.patch b/main/openssl/0002-engines-e_padlock-backport-cvs-head-changes.patch index c508c9c5a..74fc3d8e7 100644 --- a/main/openssl/0002-engines-e_padlock-backport-cvs-head-changes.patch +++ b/main/openssl/0002-engines-e_padlock-backport-cvs-head-changes.patch @@ -1,22 +1,11 @@ -From 6e182155643a6aeb07cbba1e7f79ac1adfcddad2 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi> -Date: Wed, 28 Jul 2010 08:29:09 +0300 -Subject: [PATCH 2/4] engines/e_padlock: backport cvs head changes -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - +Backport changes from upstream padlock module. Includes support for VIA Nano 64-bit mode. Signed-off-by: Timo Teräs <timo.teras@iki.fi> ---- - engines/e_padlock.c | 140 +++++++++++++++++++++++++++++++++++++++++++++------- - 1 file changed, 122 insertions(+), 18 deletions(-) -diff --git a/engines/e_padlock.c b/engines/e_padlock.c -index 9f7a85a..6ab42d2 100644 ---- a/engines/e_padlock.c -+++ b/engines/e_padlock.c +diff -ru openssl-1.0.1k.orig/engines/e_padlock.c openssl-1.0.1k/engines/e_padlock.c +--- openssl-1.0.1k.orig/engines/e_padlock.c 2015-01-08 16:00:56.000000000 -0200 ++++ openssl-1.0.1k/engines/e_padlock.c 2015-01-09 08:08:35.421516799 -0200 @@ -101,7 +101,10 @@ compiler choice is limited to GCC and Microsoft C. */ #undef COMPILE_HW_PADLOCK @@ -29,7 +18,7 @@ index 9f7a85a..6ab42d2 100644 (defined(_MSC_VER) && defined(_M_IX86)) # define COMPILE_HW_PADLOCK # endif -@@ -304,6 +307,7 @@ static volatile struct padlock_cipher_data *padlock_saved_context; +@@ -304,6 +307,7 @@ * ======================================================= */ #if defined(__GNUC__) && __GNUC__>=2 
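Review bot: The rewritten patch header in the first hunk no longer records where the backport came from: the git `From <sha>`, `Date` and `index` lines are dropped and only "Backport changes from upstream padlock module." remains. For a patch applied to a crypto engine as part of a security upgrade, a provenance line would let a later auditor diff it against upstream, for example `Upstream-ref: <upstream commit or revision>` (placeholder; the page does not give the value). The checksums in APKBUILD pin the patch bytes but say nothing about their origin.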
@@ -37,11 +26,12 @@ index 9f7a85a..6ab42d2 100644 /* * As for excessive "push %ebx"/"pop %ebx" found all over. * When generating position-independent code GCC won't let -@@ -383,21 +387,6 @@ padlock_available(void) +@@ -383,23 +387,6 @@ return padlock_use_ace + padlock_use_rng; } -#ifndef OPENSSL_NO_AES +-#ifndef AES_ASM -/* Our own htonl()/ntohl() */ -static inline void -padlock_bswapl(AES_KEY *ks) @@ -55,11 +45,12 @@ index 9f7a85a..6ab42d2 100644 - } -} -#endif +-#endif - /* Force key reload from memory to the CPU microcode. Loading EFLAGS from the stack clears EFLAGS[30] which does the trick. */ -@@ -455,12 +444,127 @@ static inline void *name(size_t cnt, \ +@@ -457,12 +444,129 @@ : "edx", "cc", "memory"); \ return iv; \ } @@ -172,6 +163,7 @@ index 9f7a85a..6ab42d2 100644 PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0") /* rep xcryptcfb */ PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8") /* rep xcryptofb */ + ++#ifndef AES_ASM +/* Our own htonl()/ntohl() */ +static inline void +padlock_bswapl(AES_KEY *ks) @@ -184,10 +176,11 @@ index 9f7a85a..6ab42d2 100644 + key++; + } +} ++#endif #endif /* The RNG call itself */ -@@ -491,8 +595,8 @@ padlock_xstore(void *addr, unsigned int edx_in) +@@ -493,8 +597,8 @@ static inline unsigned char * padlock_memcpy(void *dst,const void *src,size_t n) { @@ -198,6 +191,3 @@ index 9f7a85a..6ab42d2 100644 n /= sizeof(*d); do { *d++ = *s++; } while (--n); --- -1.7.11.3 - diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD index 9b78fc45a..46ab448c4 100644 --- a/main/openssl/APKBUILD +++ b/main/openssl/APKBUILD @@ -1,6 +1,6 @@ # Maintainer: Timo Teras <timo.teras@iki.fi> pkgname=openssl -pkgver=1.0.1j +pkgver=1.0.1k pkgrel=0 pkgdesc="Toolkit for SSL v2/v3 and TLS v1" url="http://openssl.org" 
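Review bot: The relocated `padlock_bswapl` (the `+#ifndef AES_ASM` … `++#endif` lines near the end of the patch) is now guarded by `AES_ASM` alone, whereas the copy the same patch removes further up sat under both `OPENSSL_NO_AES` and `AES_ASM`. The trailing context `#endif` suggests an enclosing conditional region, but its opening line is outside the hunk. It is worth confirming that this region is the `OPENSSL_NO_AES` one and that every caller of the helper is compiled under the same conditions. Labelling the new close as `#endif /* !AES_ASM */` would make the nesting readable in a file that mixes inline assembly with several feature guards.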
@@ -129,11 +129,11 @@ libssl() { done } -md5sums="f7175c9cd3c39bb1907ac8bba9df8ed3 openssl-1.0.1j.tar.gz +md5sums="d4f002bd22a56881340105028842ae1f openssl-1.0.1k.tar.gz f75151bfdd0e1f5191e0d0e7147e1638 fix-manpages.patch c6a9857a5dbd30cead0404aa7dd73977 openssl-bb-basename.patch ddb5fc155145d5b852425adaec32234d 0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch -4a7b9e20beb33a5e262ab64c2b8e5b48 0002-engines-e_padlock-backport-cvs-head-changes.patch +a7717dd564ef876d4923a80751714d63 0002-engines-e_padlock-backport-cvs-head-changes.patch cef4633142031b59960200e87ce3bb18 0003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch c32f42451a07267ee5dfb3781fa40c00 0004-crypto-engine-autoload-padlock-dynamic-engine.patch c5b1042a3acaf3591f3f5620b7086e12 0005-s_client-ircv3-starttls.patch 
@@ -143,11 +143,11 @@ efec1bce615256961b1756e575ee1d0a fix-default-apps-capath.patch
 05ad806219cef6fa5692ac727af7fab6 c_rehash.c
 60ca340e32944e4825747e3681ccd553 openssl-1.0.1-parallel-build.patch
 b7f2421187ae2b4c7e424cda2022d41d abi-compat-no-freelists.patch"
-sha256sums="1b60ca8789ba6f03e8ef20da2293b8dc131c39d83814e775069f02d26354edf3 openssl-1.0.1j.tar.gz
+sha256sums="8f9faeaebad088e772f4ef5e38252d472be4d878c6b3a2718c10a4fcebe7a41c openssl-1.0.1k.tar.gz
 92296c9e121af10ecc1e302695bf2ceacaa9b00702e580504fc0ed04a9fba86e fix-manpages.patch
 82863c2fed659a7186c7f3905a1853b8bd8060350ad101ce159fa7e7d2ba27e8 openssl-bb-basename.patch
 18dd81fefb39b3328a444774ed10871ed50348ca171d2da9f826f916127b2dae 0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
-39c31c2e33cded09543a2d1fd2e3238e9d11c672ba71a14d13095baad3ec9696 0002-engines-e_padlock-backport-cvs-head-changes.patch
+30fbadf31dc13d9bcc758741f5560f6e13dd66c067f62d1b9066fb656f6aaaf2 0002-engines-e_padlock-backport-cvs-head-changes.patch
 cbb2493ec9157e78035e9cc02be17655996ee9cd0a71b79507fc19f3862f452b 0003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
 157ec6d17add25b96956abc7c44259c91eebe8a6c1026cdb976b895bf42ec56f 0004-crypto-engine-autoload-padlock-dynamic-engine.patch
 44b553d92e33c48f854a8e15b23830375bc400e987505c74956ac196266f0d46 0005-s_client-ircv3-starttls.patch
@@ -157,11 +157,11 @@ cbb2493ec9157e78035e9cc02be17655996ee9cd0a71b79507fc19f3862f452b 0003-engines-e
 7b0947fd09ad1e8d9cea360b883090025b40193d0fc8a631f2e3bb42db28d76b c_rehash.c
 bd56e5fe1b6fe594ab93f34d25fef0b7372633bad8532f81da998f3e6655d221 openssl-1.0.1-parallel-build.patch
 41c7c1e5bea7f7e0ccc59203a48f097948627d72fcf87f943fcfe8c14b4069a2 abi-compat-no-freelists.patch"
-sha512sums="a786bb99b68d88c1de79d3c5372767f091ebeefb5abc1d4883253fd3ab5a86af53389f5ff36fdd8faa27c5fb78be8bbff406392c373358697da80d250eadebb8 openssl-1.0.1j.tar.gz
+sha512sums="8b000fbd1bf919d9913a314f99aedd48a69f6caa4ccf43237889e73e08cbe0d82bfc27e9c7c4cade09fc459f91d6c4a831a9b3fc8bca0344fb864eadd7d1e8e8 openssl-1.0.1k.tar.gz
 b0eda7e9b53195b0855da68617201c3c7026eb7464ab58f0bc9923013663ec6b826d1868fe88b87118d3134114cbd9ac15d2c8389c85ef9c1bb4d18575b68a5b fix-manpages.patch
 6c4f4b0c1b606b3e5a8175618c4398923392f9c25ad8d3f5b65b0424fe51e104c4f456d2da590d9f572382225ab320278e88db1585790092450cad60a02819a5 openssl-bb-basename.patch
 ea282b09d4692a29e5a554e19b0798fa921717d4892decc68cba92cad11e85e4064d8ac78d98f6fa8bb45c65fdd1a5d1a6f6755e53102d520e9d8b807c3a7822 0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
-96cdd28d1ad5efd3f5836b4c57c9c6ea8e790fbf919e32a8c4acd3883a3531b8d295053a4aa20e6165600153b141ce7b0a3d1d736fdfc325d59862b845aa4d98 0002-engines-e_padlock-backport-cvs-head-changes.patch
+c86694b1931ef16eb467f5228a7ea2c36c90570daedb405bb24e7915b2e29f9ba20386cdef0ebea6af23ca04839d713bd05f0c8f3b7f6377331a6ab96c505f44 0002-engines-e_padlock-backport-cvs-head-changes.patch
 b019320869d215014ad46e0b29aa239e31243571c4d45256b3ce6449a67fdc106a381c1cf3abd55ddbfd6a0e9ffa3e3167377317cbc72b254b1f9bcc0e22b8b6 0003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
 3bedc326ca3e5945bc4ec4dccfe596042ee87aaeaf90b5063110a99cc8e38584838d68289907e4a3fcdb8e04635052ad0759c94e1d7070bb317c2066e2506bbe 0004-crypto-engine-autoload-padlock-dynamic-engine.patch
70cd257bbd5a86685dc2508399e67746b60ed5d581eb84fe4d4fc6af214f31b71e2a58ad758d572976a61f67bf64c37a935a9788db160f75bced75397b9bcce3 0005-s_client-ircv3-starttls.patch |