openssl: update to 1.0.1f
authorFelix Fietkau <nbd@openwrt.org>
Sun, 9 Mar 2014 13:23:41 +0000 (13:23 +0000)
committerFelix Fietkau <nbd@openwrt.org>
Sun, 9 Mar 2014 13:23:41 +0000 (13:23 +0000)
This version includes these changes:

    Don't include gmt_unix_time in TLS server and client random values
    Fix for TLS record tampering bug CVE-2013-4353
    Fix for TLS version checking bug CVE-2013-6449
    Fix for DTLS retransmission bug CVE-2013-6450

Signed-off-by: Peter Wagner <tripolar@gmx.at>
SVN-Revision: 39853

package/libs/openssl/Makefile
package/libs/openssl/patches/110-optimize-for-size.patch
package/libs/openssl/patches/120-cisco-dtls-fix.patch [deleted file]
package/libs/openssl/patches/150-no_engines.patch
package/libs/openssl/patches/160-disable_doc_tests.patch
package/libs/openssl/patches/190-remove_timestamp_check.patch
package/libs/openssl/patches/200-parallel_build.patch

index 38679acb2be9a15337836e06e4a97cc74f39cb22..8a8e8520d4bc0d1656b38383e4466c57efd1b597 100644 (file)
@@ -8,8 +8,8 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
-PKG_VERSION:=1.0.1e
-PKG_RELEASE:=2
+PKG_VERSION:=1.0.1f
+PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 
 PKG_BUILD_PARALLEL:=1
@@ -18,7 +18,7 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://www.openssl.org/source/ \
        ftp://ftp.funet.fi/pub/crypt/mirrors/ftp.openssl.org/source \
        ftp://ftp.sunet.se/pub/security/tools/net/openssl/source/
-PKG_MD5SUM:=66bf6f10f060d561929de96f9dfe5b8c
+PKG_MD5SUM:=f26b09c028a0541cab33da697d522b25
 
 PKG_LICENSE:=SSLEAY OPENSSL
 PKG_LICENSE_FILES:=LICENSE
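Review bot: The updated `PKG_MD5SUM:=f26b09c028a0541cab33da697d522b25` is the only integrity check on a tarball that `PKG_SOURCE_URL` fetches over plain `http://` and `ftp://`, and MD5 is not collision-resistant, which makes it a weak anchor for a crypto library. If the build system at this revision accepts a stronger digest, record that instead; later OpenWrt trees use `PKG_HASH` with SHA-256, but whether this tree supports it cannot be seen from the hunk. Otherwise, add a comment above the line such as `# digest verified against the upstream-signed release, not only the mirror copy`, and say in the commit message how the value was checked. Listing an `https://` source first would also reduce reliance on the checksum alone.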
index 9869c97d4bfd3e65c1a1d5ea7f0fe4a034da11cf..d6cf2b5910f8dc53c6ceb3e8abb103e6a0f37a3f 100644 (file)
@@ -1,6 +1,6 @@
 --- a/Configure
 +++ b/Configure
-@@ -402,6 +402,10 @@ my %table=(
+@@ -403,6 +403,10 @@ my %table=(
  "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
  "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
  
diff --git a/package/libs/openssl/patches/120-cisco-dtls-fix.patch b/package/libs/openssl/patches/120-cisco-dtls-fix.patch
deleted file mode 100644 (file)
index 11e6bb5..0000000
+++ /dev/null
@@ -1,31 +0,0 @@
-From 9fe4603b8245425a4c46986ed000fca054231253 Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw2@infradead.org>
-Date: Tue, 12 Feb 2013 14:55:32 +0000
-Subject: [PATCH] Check DTLS_BAD_VER for version number.
-
-The version check for DTLS1_VERSION was redundant as
-DTLS1_VERSION > TLS1_1_VERSION, however we do need to
-check for DTLS1_BAD_VER for compatibility.
-
-PR:2984
-(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)
----
- ssl/s3_cbc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
-index 02edf3f..443a31e 100644
---- a/ssl/s3_cbc.c
-+++ b/ssl/s3_cbc.c
-@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
-       unsigned padding_length, good, to_check, i;
-       const unsigned overhead = 1 /* padding length byte */ + mac_size;
-       /* Check if version requires explicit IV */
--      if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
-+      if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
-               {
-               /* These lengths are all public so we can test them in
-                * non-constant time.
--- 
-1.8.1.2
-
index 8e93970fec556f508c40625cc9370f0d1597e55e..92a3a78389930425513f540167a0bcad29eb0e70 100644 (file)
@@ -1,6 +1,6 @@
 --- a/Configure
 +++ b/Configure
-@@ -2003,6 +2003,11 @@ EOF
+@@ -2004,6 +2004,11 @@ EOF
        close(OUT);
    }
    
index d0bf19a3ef9d76ad4bb4baa9c2ea6360ccace308..54f58fb5a4704d961c02bdc5f129321a847477fc 100644 (file)
@@ -36,7 +36,7 @@
  
  build_libs: build_crypto build_ssl build_engines
  
-@@ -539,7 +539,7 @@ dist:
+@@ -540,7 +540,7 @@ dist:
  dist_pem_h:
        (cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
  
@@ -47,7 +47,7 @@
        @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
 --- a/Makefile.org
 +++ b/Makefile.org
-@@ -537,7 +537,7 @@ dist:
+@@ -538,7 +538,7 @@ dist:
  dist_pem_h:
        (cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
  
index 2677b2d6f1f7dd2bf3cb581e6d509f62114b1b58..460068840e3668233ba71ff386b3f658397cbd42 100644 (file)
@@ -9,7 +9,7 @@
  
  # as we stick to -e, CLEARENV ensures that local variables in lower
  # Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn
-@@ -396,11 +396,6 @@ openssl.pc: Makefile
+@@ -397,11 +397,6 @@ openssl.pc: Makefile
            echo 'Libs.private: $(EX_LIBS)'; \
            echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
  
index b52768367624c725cc39c1f2013664937caea9be..c43ffa1186e9215d83c290a97d34d7303721e5ca 100644 (file)
@@ -29,7 +29,7 @@
  
  all_testapps: build_libs build_testapps
  build_testapps:
-@@ -454,7 +454,7 @@ report:
+@@ -455,7 +455,7 @@ report:
        @$(PERL) util/selftest.pl
  
  depend:
@@ -38,7 +38,7 @@
  
  lint:
        @set -e; target=lint; $(RECURSIVE_BUILD_CMD)
-@@ -532,9 +532,9 @@ dist:   
+@@ -533,9 +533,9 @@ dist:
  dist_pem_h:
        (cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
  
@@ -50,7 +50,7 @@
        @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
                $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
                $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
-@@ -543,12 +543,19 @@ install_sw:
+@@ -544,12 +544,19 @@ install_sw:
                $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
                $(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
                $(INSTALL_PREFIX)$(OPENSSLDIR)/private
@@ -71,7 +71,7 @@
        @set -e; liblist="$(LIBS)"; for i in $$liblist ;\
        do \
                if [ -f "$$i" ]; then \
-@@ -628,12 +635,7 @@ install_html_docs:
+@@ -629,12 +636,7 @@ install_html_docs:
                done; \
        done
  
@@ -97,7 +97,7 @@
                fi; \
 --- a/crypto/Makefile
 +++ b/crypto/Makefile
-@@ -86,11 +86,11 @@ testapps:
+@@ -88,11 +88,11 @@ testapps:
        @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
  
  subdirs:
  
  links:
        @$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
-@@ -101,7 +101,7 @@ links:
+@@ -103,7 +103,7 @@ links:
  # lib: $(LIB): are splitted to avoid end-less loop
  lib:  $(LIB)
        @touch lib
        $(AR) $(LIB) $(LIBOBJ)
        [ -z "$(FIPSLIBDIR)" ] || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
        $(RANLIB) $(LIB) || echo Never mind.
-@@ -112,7 +112,7 @@ shared: buildinf.h lib subdirs
+@@ -114,7 +114,7 @@ shared: buildinf.h lib subdirs
        fi
  
  libs:
  
  install:
        @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
-@@ -121,7 +121,7 @@ install:
+@@ -123,7 +123,7 @@ install:
        (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
        chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
        done;