update openssl to 0.9.8l -- thanks puchu
authorImre Kaloz <kaloz@openwrt.org>
Thu, 12 Nov 2009 10:39:10 +0000 (10:39 +0000)
committerImre Kaloz <kaloz@openwrt.org>
Thu, 12 Nov 2009 10:39:10 +0000 (10:39 +0000)
SVN-Revision: 18398

package/openssl/Makefile
package/openssl/patches/900-CVE-2009-1377.patch [new file with mode: 0644]
package/openssl/patches/900-CVE-2009-1378.patch [new file with mode: 0644]
package/openssl/patches/900-CVE-2009-1379.patch [new file with mode: 0644]
package/openssl/patches/901-remove_rej.patch [new file with mode: 0644]

index e6788172d19158d5084d83fe71cf9d6a36056179..23695fcc2f853add28d8db3ea976a86e29905a70 100644 (file)
@@ -8,15 +8,15 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
-PKG_VERSION:=0.9.8k
-PKG_RELEASE:=2
+PKG_VERSION:=0.9.8l
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://www.openssl.org/source/ \
        ftp://ftp.funet.fi/pub/crypt/cryptography/libs/openssl/source/ \
        ftp://ftp.webmonster.de/pub/openssl/source/ \
        ftp://ftp.sunet.se/pub/security/tools/net/openssl/source/
-PKG_MD5SUM:=e555c6d58d276aec7fdc53363e338ab3
+PKG_MD5SUM:=05a0ece1372392a2cf310ebb96333025
 
 PKG_BUILD_DEPENDS:=ocf-crypto-headers
 
diff --git a/package/openssl/patches/900-CVE-2009-1377.patch b/package/openssl/patches/900-CVE-2009-1377.patch
new file mode 100644 (file)
index 0000000..cc5a19f
--- /dev/null
@@ -0,0 +1,53 @@
+http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest
+
+Index: openssl/crypto/pqueue/pqueue.c
+RCS File: /v/openssl/cvs/openssl/crypto/pqueue/pqueue.c,v
+rcsdiff -q -kk '-r1.2.2.4' '-r1.2.2.5' -u '/v/openssl/cvs/openssl/crypto/pqueue/pqueue.c,v' 2>/dev/null
+--- pqueue.c   2005/06/28 12:53:33     1.2.2.4
++++ pqueue.c   2009/05/16 16:18:44     1.2.2.5
+@@ -234,3 +234,17 @@
+       return ret;
+       }
++
++int
++pqueue_size(pqueue_s *pq)
++{
++      pitem *item = pq->items;
++      int count = 0;
++      
++      while(item != NULL)
++      {
++              count++;
++              item = item->next;
++      }
++      return count;
++}
+Index: openssl/crypto/pqueue/pqueue.h
+RCS File: /v/openssl/cvs/openssl/crypto/pqueue/pqueue.h,v
+rcsdiff -q -kk '-r1.2.2.1' '-r1.2.2.2' -u '/v/openssl/cvs/openssl/crypto/pqueue/pqueue.h,v' 2>/dev/null
+--- pqueue.h   2005/05/30 22:34:27     1.2.2.1
++++ pqueue.h   2009/05/16 16:18:44     1.2.2.2
+@@ -91,5 +91,6 @@
+ pitem *pqueue_next(piterator *iter);
+ void   pqueue_print(pqueue pq);
++int    pqueue_size(pqueue pq);
+ #endif /* ! HEADER_PQUEUE_H */
+Index: openssl/ssl/d1_pkt.c
+RCS File: /v/openssl/cvs/openssl/ssl/d1_pkt.c,v
+rcsdiff -q -kk '-r1.4.2.17' '-r1.4.2.18' -u '/v/openssl/cvs/openssl/ssl/d1_pkt.c,v' 2>/dev/null
+--- d1_pkt.c   2009/05/16 15:51:59     1.4.2.17
++++ d1_pkt.c   2009/05/16 16:18:45     1.4.2.18
+@@ -167,6 +167,10 @@
+     DTLS1_RECORD_DATA *rdata;
+       pitem *item;
++      /* Limit the size of the queue to prevent DOS attacks */
++      if (pqueue_size(queue->q) >= 100)
++              return 0;
++              
+       rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
+       item = pitem_new(priority, rdata);
+       if (rdata == NULL || item == NULL)
diff --git a/package/openssl/patches/900-CVE-2009-1378.patch b/package/openssl/patches/900-CVE-2009-1378.patch
new file mode 100644 (file)
index 0000000..50f51cd
--- /dev/null
@@ -0,0 +1,24 @@
+http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest
+
+Index: openssl/ssl/d1_both.c
+===================================================================
+--- d1_both.c.orig
++++ d1_both.c
+@@ -561,7 +561,16 @@ dtls1_process_out_of_seq_message(SSL *s,
+       if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
+               goto err;
+-      if (msg_hdr->seq <= s->d1->handshake_read_seq)
++      /* Try to find item in queue, to prevent duplicate entries */
++      pq_64bit_init(&seq64);
++      pq_64bit_assign_word(&seq64, msg_hdr->seq);
++      item = pqueue_find(s->d1->buffered_messages, seq64);
++      pq_64bit_free(&seq64);
++      
++      /* Discard the message if sequence number was already there, is
++       * too far in the future or the fragment is already in the queue */
++      if (msg_hdr->seq <= s->d1->handshake_read_seq ||
++              msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
+               {
+               unsigned char devnull [256];
diff --git a/package/openssl/patches/900-CVE-2009-1379.patch b/package/openssl/patches/900-CVE-2009-1379.patch
new file mode 100644 (file)
index 0000000..7067324
--- /dev/null
@@ -0,0 +1,22 @@
+Index: openssl/ssl/d1_both.c
+RCS File: /v/openssl/cvs/openssl/ssl/d1_both.c,v
+rcsdiff -q -kk '-r1.14.2.6' '-r1.14.2.7' -u '/v/openssl/cvs/openssl/ssl/d1_both.c,v' 2>/dev/null
+--- d1_both.c  2009/04/22 12:17:02     1.14.2.6
++++ d1_both.c  2009/05/13 11:51:30     1.14.2.7
+@@ -519,6 +519,7 @@
+       if ( s->d1->handshake_read_seq == frag->msg_header.seq)
+               {
++              unsigned long frag_len = frag->msg_header.frag_len;
+               pqueue_pop(s->d1->buffered_messages);
+               al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
+@@ -536,7 +537,7 @@
+               if (al==0)
+                       {
+                       *ok = 1;
+-                      return frag->msg_header.frag_len;
++                      return frag_len;
+                       }
+               ssl3_send_alert(s,SSL3_AL_FATAL,al);
diff --git a/package/openssl/patches/901-remove_rej.patch b/package/openssl/patches/901-remove_rej.patch
new file mode 100644 (file)
index 0000000..a452c27
--- /dev/null
@@ -0,0 +1,20 @@
+diff -burN openssl-0.9.8l/Configure.rej openssl-0.9.8l.patched/Configure.rej
+--- openssl-0.9.8l/Configure.rej       2009-11-05 13:07:06.000000000 +0100
++++ openssl-0.9.8l.patched/Configure.rej       1970-01-01 01:00:00.000000000 +0100
+@@ -1,16 +0,0 @@
+-***************
+-*** 162,167 ****
+-  "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
+-  "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
+-  "debug-ben-debug",  "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG  -DDEBUG_SAFESTACK -g3 -O2 -pipe::(unknown)::::::",
+-  "debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
+-  "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+-  "debug-bodo",       "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -march=i486 -pedantic -Wshadow -Wall -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+---- 162,168 ----
+-  "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
+-  "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
+-  "debug-ben-debug",  "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG  -DDEBUG_SAFESTACK -g3 -O2 -pipe::(unknown)::::::",
+-+ "debug-ben-no-renegotiation",       "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG  -DDEBUG_SAFESTACK -DNO_RENEGOTIATION -g3 -O2 -pipe::(unknown)::::::",
+-  "debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
+-  "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+-  "debug-bodo",       "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -march=i486 -pedantic -Wshadow -Wall -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",