openssl: upgrade to 0.9.8m (patch by Peter Wagner)
authorFelix Fietkau <nbd@openwrt.org>
Mon, 1 Mar 2010 18:46:43 +0000 (18:46 +0000)
committerFelix Fietkau <nbd@openwrt.org>
Mon, 1 Mar 2010 18:46:43 +0000 (18:46 +0000)
SVN-Revision: 19939

14 files changed:
package/openssl/Makefile
package/openssl/patches/001-upstream_dtls_cisco.patch [deleted file]
package/openssl/patches/100-parallel-build.patch [deleted file]
package/openssl/patches/110-optimize-for-size.patch
package/openssl/patches/120-makedepend.patch
package/openssl/patches/121-ocf-config.patch [deleted file]
package/openssl/patches/169-makefile-ccache_needs_quotes.patch [deleted file]
package/openssl/patches/200-ocf-20080917.patch
package/openssl/patches/900-CVE-2009-1377.patch [deleted file]
package/openssl/patches/900-CVE-2009-1378.patch [deleted file]
package/openssl/patches/900-CVE-2009-1379.patch [deleted file]
package/openssl/patches/900-CVE-2009-1387.patch [deleted file]
package/openssl/patches/900-CVE-2009-2409.patch [deleted file]
package/openssl/patches/901-remove_rej.patch [deleted file]

index 2d2a9404996e4b42c74198d27e36eed05c99b760..3b99c08684992479e58809b62844ccf90da12680 100644 (file)
@@ -8,15 +8,15 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
-PKG_VERSION:=0.9.8l
-PKG_RELEASE:=2
+PKG_VERSION:=0.9.8m
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://www.openssl.org/source/ \
        ftp://ftp.funet.fi/pub/crypt/cryptography/libs/openssl/source/ \
        ftp://ftp.webmonster.de/pub/openssl/source/ \
        ftp://ftp.sunet.se/pub/security/tools/net/openssl/source/
-PKG_MD5SUM:=05a0ece1372392a2cf310ebb96333025
+PKG_MD5SUM:=898bf125370926d5f692a2201124f8ec
 
 PKG_BUILD_DEPENDS := ocf-crypto-headers
 PKG_CONFIG_DEPENDS := CONFIG_OPENSSL_ENGINE
diff --git a/package/openssl/patches/001-upstream_dtls_cisco.patch b/package/openssl/patches/001-upstream_dtls_cisco.patch
deleted file mode 100644 (file)
index 46f4bb2..0000000
+++ /dev/null
@@ -1,139 +0,0 @@
---- a/ssl/d1_clnt.c
-+++ b/ssl/d1_clnt.c
-@@ -130,7 +130,7 @@ static int dtls1_get_hello_verify(SSL *s
- static SSL_METHOD *dtls1_get_client_method(int ver)
-       {
--      if (ver == DTLS1_VERSION)
-+      if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
-               return(DTLSv1_client_method());
-       else
-               return(NULL);
-@@ -181,7 +181,8 @@ int dtls1_connect(SSL *s)
-                       s->server=0;
-                       if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
--                      if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00))
-+                      if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00) &&
-+                          (s->version & 0xff00 ) != (DTLS1_BAD_VER & 0xff00))
-                               {
-                               SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
-                               ret = -1;
---- a/ssl/d1_lib.c
-+++ b/ssl/d1_lib.c
-@@ -187,7 +187,10 @@ void dtls1_free(SSL *s)
- void dtls1_clear(SSL *s)
-       {
-       ssl3_clear(s);
--      s->version=DTLS1_VERSION;
-+      if (s->options & SSL_OP_CISCO_ANYCONNECT)
-+              s->version=DTLS1_BAD_VER;
-+      else
-+              s->version=DTLS1_VERSION;
-       }
- /*
---- a/ssl/d1_pkt.c
-+++ b/ssl/d1_pkt.c
-@@ -987,15 +987,17 @@ start:
-       if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
-               {
-               struct ccs_header_st ccs_hdr;
-+              int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH;
-               dtls1_get_ccs_header(rr->data, &ccs_hdr);
-               /* 'Change Cipher Spec' is just a single byte, so we know
-                * exactly what the record payload has to look like */
-               /* XDTLS: check that epoch is consistent */
--              if (    (s->client_version == DTLS1_BAD_VER && rr->length != 3) ||
--                      (s->client_version != DTLS1_BAD_VER && rr->length != DTLS1_CCS_HEADER_LENGTH) || 
--                      (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
-+              if (s->client_version == DTLS1_BAD_VER || s->version == DTLS1_BAD_VER)
-+                      ccs_hdr_len = 3;
-+
-+              if ((rr->length != ccs_hdr_len) || (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
-                       {
-                       i=SSL_AD_ILLEGAL_PARAMETER;
-                       SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
-@@ -1311,7 +1313,7 @@ int do_dtls1_write(SSL *s, int type, con
- #if 0
-       /* 'create_empty_fragment' is true only when this function calls itself */
-       if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done
--              && SSL_version(s) != DTLS1_VERSION)
-+          && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
-               {
-               /* countermeasure against known-IV weakness in CBC ciphersuites
-                * (see http://www.openssl.org/~bodo/tls-cbc.txt) 
---- a/ssl/s3_clnt.c
-+++ b/ssl/s3_clnt.c
-@@ -708,7 +708,7 @@ int ssl3_get_server_hello(SSL *s)
-       if (!ok) return((int)n);
--      if ( SSL_version(s) == DTLS1_VERSION)
-+      if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
-               {
-               if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
-                       {
---- a/ssl/ssl.h
-+++ b/ssl/ssl.h
-@@ -510,6 +510,8 @@ typedef struct ssl_session_st
- #define SSL_OP_COOKIE_EXCHANGE              0x00002000L
- /* Don't use RFC4507 ticket extension */
- #define SSL_OP_NO_TICKET                  0x00004000L
-+/* Use Cisco's "speshul" version of DTLS_BAD_VER (as client)  */
-+#define SSL_OP_CISCO_ANYCONNECT                   0x00008000L
- /* As server, disallow session resumption on renegotiation */
- #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -995,7 +995,8 @@ long SSL_ctrl(SSL *s,int cmd,long larg,v
-               s->max_cert_list=larg;
-               return(l);
-       case SSL_CTRL_SET_MTU:
--              if (SSL_version(s) == DTLS1_VERSION)
-+              if (SSL_version(s) == DTLS1_VERSION ||
-+                  SSL_version(s) == DTLS1_BAD_VER)
-                       {
-                       s->d1->mtu = larg;
-                       return larg;
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
-@@ -211,6 +211,11 @@ int ssl_get_new_session(SSL *s, int sess
-                       ss->ssl_version=TLS1_VERSION;
-                       ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
-                       }
-+              else if (s->version == DTLS1_BAD_VER)
-+                      {
-+                      ss->ssl_version=DTLS1_BAD_VER;
-+                      ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
-+                      }
-               else if (s->version == DTLS1_VERSION)
-                       {
-                       ss->ssl_version=DTLS1_VERSION;
---- a/ssl/t1_enc.c
-+++ b/ssl/t1_enc.c
-@@ -765,10 +765,10 @@ int tls1_mac(SSL *ssl, unsigned char *md
-       HMAC_CTX_init(&hmac);
-       HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL);
--      if (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER)
-+      if (ssl->version == DTLS1_BAD_VER ||
-+          (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER))
-               {
-               unsigned char dtlsseq[8],*p=dtlsseq;
--
-               s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
-               memcpy (p,&seq[2],6);
-@@ -793,7 +793,7 @@ printf("rec=");
- {unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
- #endif
--      if ( SSL_version(ssl) != DTLS1_VERSION)
-+      if ( SSL_version(ssl) != DTLS1_VERSION && SSL_version(ssl) != DTLS1_BAD_VER)
-               {
-               for (i=7; i>=0; i--)
-                       {
diff --git a/package/openssl/patches/100-parallel-build.patch b/package/openssl/patches/100-parallel-build.patch
deleted file mode 100644 (file)
index 0e07ba4..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
---- a/Makefile.org
-+++ b/Makefile.org
-@@ -333,15 +333,15 @@ build_crypto:
-               dir=crypto; target=all; $(BUILD_ONE_CMD)
- build_fips:
-       @dir=fips; target=all; [ -z "$(FIPSCANLIB)" ] || $(BUILD_ONE_CMD)
--build_ssl:
-+build_ssl: build_crypto
-       @dir=ssl; target=all; $(BUILD_ONE_CMD)
--build_engines:
-+build_engines: build_crypto
-       @dir=engines; target=all; $(BUILD_ONE_CMD)
--build_apps:
-+build_apps: build_libs
-       @dir=apps; target=all; $(BUILD_ONE_CMD)
--build_tests:
-+build_tests: build_libs
-       @dir=test; target=all; $(BUILD_ONE_CMD)
--build_tools:
-+build_tools: build_libs
-       @dir=tools; target=all; $(BUILD_ONE_CMD)
- all_testapps: build_libs build_testapps
index 7661a8d1e32efe9d35ed2badd275a5cf7426129f..769a3d9366a781d6cc50a953722e4e32b15b21f0 100644 (file)
@@ -1,6 +1,8 @@
+diff --git a/Configure b/Configure
+index 32e154b..eec5066 100755
 --- a/Configure
 +++ b/Configure
-@@ -364,6 +364,8 @@ my %table=(
+@@ -370,6 +370,8 @@ my %table=(
  "linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
  "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}",
  "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}",
index 228e1129085936687c80dbd645adaaf238f6cb5f..95600ff8e828369b415f4e69b31cb096ad56e5e8 100644 (file)
@@ -1,15 +1,5 @@
 --- a/util/domd
 +++ b/util/domd
-@@ -14,7 +14,8 @@ if [ "$MAKEDEPEND" = "" ]; then MAKEDEPE
- cp Makefile Makefile.save
- # fake the presence of Kerberos
- touch $TOP/krb5.h
--if [ "$MAKEDEPEND" = "gcc" ]; then
-+D=${MAKEDEPEND/%*gcc/gcc}
-+if [ "$D" = "gcc" ]; then
-     args=""
-     while [ $# -gt 0 ]; do
-       if [ "$1" != "--" ]; then args="$args $1"; fi
 @@ -22,7 +23,7 @@ if [ "$MAKEDEPEND" = "gcc" ]; then
      done
      sed -e '/^# DO NOT DELETE.*/,$d' < Makefile > Makefile.tmp
diff --git a/package/openssl/patches/121-ocf-config.patch b/package/openssl/patches/121-ocf-config.patch
deleted file mode 100644 (file)
index d40f1ee..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
---- a/config
-+++ b/config
-@@ -399,8 +399,11 @@ exit 0
- # this is where the translation occurs into SSLeay terms
- # ---------------------------------------------------------------------------
-+# figure out if gcc is available and if so we use it otherwise
-+# we fallback to whatever cc does on the system
- GCCVER=`(gcc -dumpversion) 2>/dev/null`
- if [ "$GCCVER" != "" ]; then
-+  CC=gcc
-   # then strip off whatever prefix egcs prepends the number with...
-   # Hopefully, this will work for any future prefixes as well.
-   GCCVER=`echo $GCCVER | LC_ALL=C sed 's/^[a-zA-Z]*\-//'`
-@@ -409,6 +412,8 @@ if [ "$GCCVER" != "" ]; then
-   # major and minor version numbers.
-   # peak single digit before and after first dot, e.g. 2.95.1 gives 29
-   GCCVER=`echo $GCCVER | sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/'`
-+else
-+  CC=cc
- fi
- # Only set CC if not supplied already
diff --git a/package/openssl/patches/169-makefile-ccache_needs_quotes.patch b/package/openssl/patches/169-makefile-ccache_needs_quotes.patch
deleted file mode 100644 (file)
index 94b3b78..0000000
+++ /dev/null
@@ -1,37 +0,0 @@
---- a/Makefile.org
-+++ b/Makefile.org
-@@ -357,7 +357,7 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA
-                       $(AR) libcrypto.a fips/fipscanister.o ; \
-               else \
-                       if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
--                              FIPSLD_CC=$(CC); CC=fips/fipsld; \
-+                              FIPSLD_CC="$(CC)"; CC=fips/fipsld; \
-                               export CC FIPSLD_CC; \
-                       fi; \
-                       $(MAKE) -e SHLIBDIRS='crypto' build-shared; \
-@@ -380,7 +380,7 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT
- fips/fipscanister.o:  build_fips
- libfips$(SHLIB_EXT):          fips/fipscanister.o
-       @if [ "$(SHLIB_TARGET)" != "" ]; then \
--              FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \
-+              FIPSLD_CC="$(CC)"; CC=fips/fipsld; export CC FIPSLD_CC; \
-               $(MAKE) -f Makefile.shared -e $(BUILDENV) \
-                       CC=$${CC} LIBNAME=fips THIS=$@ \
-                       LIBEXTRAS=fips/fipscanister.o \
---- a/apps/Makefile
-+++ b/apps/Makefile
-@@ -153,12 +153,12 @@ $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(
-       shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
-               shlib_target="$(SHLIB_TARGET)"; \
-       elif [ -n "$(FIPSCANLIB)" ]; then \
--        FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
-+        FIPSLD_CC="$(CC)"; CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
-       fi; \
-       LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \
-       [ "x$(FIPSCANLIB)" = "xlibfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \
-       $(MAKE) -f $(TOP)/Makefile.shared -e \
--              CC=$${CC} APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \
-+              CC="$${CC}" APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \
-               LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
-               link_app.$${shlib_target}
-       -(cd ..; \
index 6da5644ed995f7f7d46d141ac7a29133f9b08519..92520ea4eb4feb969fb798dc5ec6d03c59f53172 100644 (file)
  # on Unix, "cyg" for certain forms under Cygwin...) or suffix (.a, .so,
 --- a/config
 +++ b/config
-@@ -48,10 +48,10 @@ done
- # First get uname entries that we use below
--MACHINE=`(uname -m) 2>/dev/null` || MACHINE="unknown"
--RELEASE=`(uname -r) 2>/dev/null` || RELEASE="unknown"
--SYSTEM=`(uname -s) 2>/dev/null`  || SYSTEM="unknown"
--VERSION=`(uname -v) 2>/dev/null` || VERSION="unknown"
-+[ "$MACHINE" ] || MACHINE=`(uname -m) 2>/dev/null` || MACHINE="unknown"
-+[ "$RELEASE" ] || RELEASE=`(uname -r) 2>/dev/null` || RELEASE="unknown"
-+[ "$SYSTEM" ]  || SYSTEM=`(uname -s) 2>/dev/null`  || SYSTEM="unknown"
-+[ "$VERSION" ] || VERSION=`(uname -v) 2>/dev/null` || VERSION="unknown"
- # Now test for ISC and SCO, since it is has a braindamaged uname.
-@@ -270,7 +270,7 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${
+@@ -270,7 +270,7 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
                echo "ppc-apple-darwin${VERSION}"
                ;;
            *)
                ;;
        esac
        exit 0
-@@ -401,9 +401,9 @@ exit 0
+@@ -399,7 +399,8 @@ exit 0
+ # this is where the translation occurs into SSLeay terms
+ # ---------------------------------------------------------------------------
  
- # figure out if gcc is available and if so we use it otherwise
- # we fallback to whatever cc does on the system
 -GCCVER=`(gcc -dumpversion) 2>/dev/null`
 +CC="${CC:-gcc}"
 +GCCVER=`(${CC} -dumpversion) 2>/dev/null`
  if [ "$GCCVER" != "" ]; then
--  CC=gcc
    # then strip off whatever prefix egcs prepends the number with...
    # Hopefully, this will work for any future prefixes as well.
-   GCCVER=`echo $GCCVER | LC_ALL=C sed 's/^[a-zA-Z]*\-//'`
-@@ -413,7 +413,7 @@ if [ "$GCCVER" != "" ]; then
+@@ -409,6 +410,8 @@ if [ "$GCCVER" != "" ]; then
+   # major and minor version numbers.
    # peak single digit before and after first dot, e.g. 2.95.1 gives 29
    GCCVER=`echo $GCCVER | sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/'`
- else
--  CC=cc
++else
 +  CC="${CC:-cc}"
  fi
  
  static double results[ALGOR_NUM][SIZE_NUM];
 -static int lengths[SIZE_NUM]={16,64,256,1024,8*1024};
 +static int lengths[SIZE_NUM]={16,64,256,1024,2*1024,4*1024};
+ #ifndef OPENSSL_NO_RSA
  static double rsa_results[RSA_NUM][2];
- static double dsa_results[DSA_NUM][2];
- #ifndef OPENSSL_NO_ECDSA
+ #endif
 @@ -328,6 +328,79 @@ static SIGRETTYPE sig_done(int sig)
  #define START 0
  #define STOP  1
                j++;
                }
  
--#ifdef HAVE_FORK
+-#ifndef NO_FORK
 -      if(multi && do_multi(multi))
 -              goto show_res;
 -#endif
  static int get_cryptodev_ciphers(const int **cnids);
  static int get_cryptodev_digests(const int **cnids);
  static int cryptodev_usable_ciphers(const int **nids);
-@@ -100,7 +112,7 @@ static int cryptodev_asym(struct crypt_k
- static int cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a,
-     const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
- static int cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I,
--    RSA *rsa);
-+    RSA *rsa, BN_CTX *ctx);
- static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
- static int cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a,
-     const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
 @@ -130,9 +142,12 @@ static struct {
        int     ivmax;
        int     keylen;
                *digest = NULL;
                break;
        }
-@@ -625,7 +942,7 @@ static int
- bn2crparam(const BIGNUM *a, struct crparam *crp)
- {
-       int i, j, k;
--      ssize_t words, bytes, bits;
-+      ssize_t bytes, bits;
-       u_char *b;
-       crp->crp_p = NULL;
 @@ -637,6 +954,7 @@ bn2crparam(const BIGNUM *a, struct crpar
        b = malloc(bytes);
        if (b == NULL)
                if (kop->crk_param[i].crp_p)
                        free(kop->crk_param[i].crp_p);
                kop->crk_param[i].crp_p = NULL;
-@@ -756,12 +1074,10 @@ err:
- }
- static int
--cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
-+cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
- {
-       int r;
--      BN_CTX *ctx;
--
--      ctx = BN_CTX_new();
-+      ctx = BN_CTX_new(); /* not sure why we reallocate this. DM */
-       r = cryptodev_bn_mod_exp(r0, I, rsa->d, rsa->n, ctx, NULL);
-       BN_CTX_free(ctx);
-       return (r);
 --- a/crypto/engine/engine.h
 +++ b/crypto/engine/engine.h
 @@ -703,7 +703,7 @@ typedef int (*dynamic_bind_engine)(ENGIN
diff --git a/package/openssl/patches/900-CVE-2009-1377.patch b/package/openssl/patches/900-CVE-2009-1377.patch
deleted file mode 100644 (file)
index 8b8faf4..0000000
+++ /dev/null
@@ -1,44 +0,0 @@
-http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest
-
---- a/crypto/pqueue/pqueue.c
-+++ b/crypto/pqueue/pqueue.c
-@@ -234,3 +234,17 @@ pqueue_next(pitem **item)
-       return ret;
-       }
-+
-+int
-+pqueue_size(pqueue_s *pq)
-+{
-+      pitem *item = pq->items;
-+      int count = 0;
-+      
-+      while(item != NULL)
-+      {
-+              count++;
-+              item = item->next;
-+      }
-+      return count;
-+}
---- a/crypto/pqueue/pqueue.h
-+++ b/crypto/pqueue/pqueue.h
-@@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq);
- pitem *pqueue_next(piterator *iter);
- void   pqueue_print(pqueue pq);
-+int    pqueue_size(pqueue pq);
- #endif /* ! HEADER_PQUEUE_H */
---- a/ssl/d1_pkt.c
-+++ b/ssl/d1_pkt.c
-@@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueu
-     DTLS1_RECORD_DATA *rdata;
-       pitem *item;
-+      /* Limit the size of the queue to prevent DOS attacks */
-+      if (pqueue_size(queue->q) >= 100)
-+              return 0;
-+              
-       rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
-       item = pitem_new(priority, rdata);
-       if (rdata == NULL || item == NULL)
diff --git a/package/openssl/patches/900-CVE-2009-1378.patch b/package/openssl/patches/900-CVE-2009-1378.patch
deleted file mode 100644 (file)
index 514d444..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
-http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest
-
---- a/ssl/d1_both.c
-+++ b/ssl/d1_both.c
-@@ -561,7 +561,16 @@ dtls1_process_out_of_seq_message(SSL *s,
-       if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
-               goto err;
--      if (msg_hdr->seq <= s->d1->handshake_read_seq)
-+      /* Try to find item in queue, to prevent duplicate entries */
-+      pq_64bit_init(&seq64);
-+      pq_64bit_assign_word(&seq64, msg_hdr->seq);
-+      item = pqueue_find(s->d1->buffered_messages, seq64);
-+      pq_64bit_free(&seq64);
-+      
-+      /* Discard the message if sequence number was already there, is
-+       * too far in the future or the fragment is already in the queue */
-+      if (msg_hdr->seq <= s->d1->handshake_read_seq ||
-+              msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
-               {
-               unsigned char devnull [256];
diff --git a/package/openssl/patches/900-CVE-2009-1379.patch b/package/openssl/patches/900-CVE-2009-1379.patch
deleted file mode 100644 (file)
index b72f116..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
---- a/ssl/d1_both.c
-+++ b/ssl/d1_both.c
-@@ -519,6 +519,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
-       if ( s->d1->handshake_read_seq == frag->msg_header.seq)
-               {
-+              unsigned long frag_len = frag->msg_header.frag_len;
-               pqueue_pop(s->d1->buffered_messages);
-               al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
-@@ -536,7 +537,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
-               if (al==0)
-                       {
-                       *ok = 1;
--                      return frag->msg_header.frag_len;
-+                      return frag_len;
-                       }
-               ssl3_send_alert(s,SSL3_AL_FATAL,al);
diff --git a/package/openssl/patches/900-CVE-2009-1387.patch b/package/openssl/patches/900-CVE-2009-1387.patch
deleted file mode 100644 (file)
index 7a2a47e..0000000
+++ /dev/null
@@ -1,53 +0,0 @@
-http://bugs.gentoo.org/270305
-
-fix from upstream
-
---- a/ssl/d1_both.c
-+++ b/ssl/d1_both.c
-@@ -585,30 +585,31 @@ dtls1_process_out_of_seq_message(SSL *s,
-                       }
-               }
--      frag = dtls1_hm_fragment_new(frag_len);
--      if ( frag == NULL)
--              goto err;
-+      if (frag_len)
-+      {
-+              frag = dtls1_hm_fragment_new(frag_len);
-+              if ( frag == NULL)
-+                      goto err;
--      memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
-+              memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
--      if (frag_len)
--              {
--              /* read the body of the fragment (header has already been read */
-+              /* read the body of the fragment (header has already been read) */
-               i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
-                       frag->fragment,frag_len,0);
-               if (i<=0 || (unsigned long)i!=frag_len)
-                       goto err;
--              }
--      pq_64bit_init(&seq64);
--      pq_64bit_assign_word(&seq64, msg_hdr->seq);
-+              pq_64bit_init(&seq64);
-+              pq_64bit_assign_word(&seq64, msg_hdr->seq);
--      item = pitem_new(seq64, frag);
--      pq_64bit_free(&seq64);
--      if ( item == NULL)
--              goto err;
-+              item = pitem_new(seq64, frag);
-+              pq_64bit_free(&seq64);
-+              if ( item == NULL)
-+                      goto err;
-+
-+              pqueue_insert(s->d1->buffered_messages, item);
-+      }
--      pqueue_insert(s->d1->buffered_messages, item);
-       return DTLS1_HM_FRAGMENT_RETRY;
- err:
diff --git a/package/openssl/patches/900-CVE-2009-2409.patch b/package/openssl/patches/900-CVE-2009-2409.patch
deleted file mode 100644 (file)
index 4800968..0000000
+++ /dev/null
@@ -1,59 +0,0 @@
-http://bugs.gentoo.org/280591
-
-fix from upstream
-
-http://cvs.openssl.org/chngview?cn=18260
-
---- a/crypto/evp/c_alld.c
-+++ b/crypto/evp/c_alld.c
-@@ -64,9 +64,6 @@
- void OpenSSL_add_all_digests(void)
-       {
--#ifndef OPENSSL_NO_MD2
--      EVP_add_digest(EVP_md2());
--#endif
- #ifndef OPENSSL_NO_MD4
-       EVP_add_digest(EVP_md4());
- #endif
---- a/crypto/x509/x509_vfy.c
-+++ b/crypto/x509/x509_vfy.c
-@@ -986,7 +986,11 @@ static int internal_verify(X509_STORE_CT
-       while (n >= 0)
-               {
-               ctx->error_depth=n;
--              if (!xs->valid)
-+
-+              /* Skip signature check for self signed certificates. It
-+               * doesn't add any security and just wastes time.
-+               */
-+              if (!xs->valid && xs != xi)
-                       {
-                       if ((pkey=X509_get_pubkey(xi)) == NULL)
-                               {
-@@ -996,13 +1000,6 @@ static int internal_verify(X509_STORE_CT
-                               if (!ok) goto end;
-                               }
-                       else if (X509_verify(xs,pkey) <= 0)
--                              /* XXX  For the final trusted self-signed cert,
--                               * this is a waste of time.  That check should
--                               * optional so that e.g. 'openssl x509' can be
--                               * used to detect invalid self-signatures, but
--                               * we don't verify again and again in SSL
--                               * handshakes and the like once the cert has
--                               * been declared trusted. */
-                               {
-                               ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
-                               ctx->current_cert=xs;
---- a/ssl/ssl_algs.c
-+++ b/ssl/ssl_algs.c
-@@ -92,9 +92,6 @@ int SSL_library_init(void)
-       EVP_add_cipher(EVP_seed_cbc());
- #endif
--#ifndef OPENSSL_NO_MD2
--      EVP_add_digest(EVP_md2());
--#endif
- #ifndef OPENSSL_NO_MD5
-       EVP_add_digest(EVP_md5());
-       EVP_add_digest_alias(SN_md5,"ssl2-md5");
diff --git a/package/openssl/patches/901-remove_rej.patch b/package/openssl/patches/901-remove_rej.patch
deleted file mode 100644 (file)
index b73ed4f..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
---- a/Configure.rej
-+++ /dev/null
-@@ -1,16 +0,0 @@
--***************
--*** 162,167 ****
--  "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
--  "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
--  "debug-ben-debug",  "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG  -DDEBUG_SAFESTACK -g3 -O2 -pipe::(unknown)::::::",
--  "debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
--  "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
--  "debug-bodo",       "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -march=i486 -pedantic -Wshadow -Wall -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
----- 162,168 ----
--  "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
--  "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
--  "debug-ben-debug",  "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG  -DDEBUG_SAFESTACK -g3 -O2 -pipe::(unknown)::::::",
--+ "debug-ben-no-renegotiation",       "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG  -DDEBUG_SAFESTACK -DNO_RENEGOTIATION -g3 -O2 -pipe::(unknown)::::::",
--  "debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
--  "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
--  "debug-bodo",       "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -march=i486 -pedantic -Wshadow -Wall -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",