Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at Fri Apr 15 09:20:25 CEST 2011.
-------- --- openssl/openssl.changes 2011-02-10 08:45:42.000000000 +0100 +++ /mounts/work_src_done/STABLE/openssl/openssl.changes 2011-04-13 05:21:06.000000000 +0200 @@ -1,0 +2,19 @@ +Wed Apr 13 02:03:02 UTC 2011 - [email protected] + +- Fix engine loading issues [bnc#660452] +- Update AES-NI patch to upstream version 4 +- Drop CVE-2011-0014.patch and replace it with pristine tarball + of 1.0.0d which only fixes this vulnerability. + +------------------------------------------------------------------- +Sat Apr 9 18:18:42 UTC 2011 - [email protected] + +- Correct last change + +------------------------------------------------------------------- +Sat Apr 9 15:00:33 UTC 2011 - [email protected] + +- Disable SSLv2 support permanently,it must not be used. +- No longer requires -fno-strict-aliasing + +------------------------------------------------------------------- calling whatdependson for head-i586 Old: ---- CVE-2011-0014.patch openssl-1.0.0b-aesni.patch openssl-1.0.0c.tar.bz2 New: ---- _service _service:download_url:openssl-1.0.0d.tar.gz openssl-1.0.0-aesni-v4.patch openssl-padlock-x86_64-head.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssl.spec ++++++ --- /var/tmp/diff_new_pack.zKHfJF/_old 2011-04-15 09:13:22.000000000 +0200 +++ /var/tmp/diff_new_pack.zKHfJF/_new 2011-04-15 09:13:22.000000000 +0200 @@ -32,11 +32,11 @@ %endif # #Version: 1.0.0 -Version: 1.0.0c -Release: 20 +Version: 1.0.0d +Release: 1 Summary: Secure Sockets and Transport Layer Security Url: http://www.openssl.org/ -Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2 +Source: http://www.%{name}.org/source/%{name}-%{version}.tar.gz # to get mtime of file: Source1: openssl.changes Source2: baselibs.conf @@ -48,8 +48,9 @@ #Patch4: patchset-19727.diff #Patch5: CVE-2010-2939.patch #Patch6: CVE-2010-3864.patch -Patch7: openssl-1.0.0b-aesni.patch -Patch8: CVE-2011-0014.patch +Patch7: openssl-1.0.0-aesni-v4.patch +#PATCH_FIX-UPSTREAM Fix padlock engine in x86_64 hosts +Patch8: openssl-padlock-x86_64-head.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -178,12 +179,12 @@ %setup -q %patch0 -p1 %patch1 -p1 -%patch2 -p1 +%patch2 #%patch3 -p1 #%patch4 -p1 #%patch5 -p1 #%patch6 -p1 -%patch7 -p1 +%patch7 %patch8 -p1 cp -p %{S:10} . echo "adding/overwriting some entries in the 'table' hash in Configure" @@ -224,6 +225,9 @@ ./config --test-sanity # config_flags="threads shared no-rc5 no-idea \ +%if 0%{suse_version} > 1140 +no-ssl2 \ +%endif enable-camellia \ zlib \ --prefix=%{_prefix} \ @@ -232,7 +236,6 @@ $RPM_OPT_FLAGS \ -Wa,--noexecstack \ -fomit-frame-pointer \ --fno-strict-aliasing \ -DTERMIO \ -DPURIFY \ %ifnarch hppa @@ -337,7 +340,7 @@ SSL_CTX *ctx; SSL *ssl; SSL_METHOD *meth; - meth = SSLv2_client_method(); + meth = SSLv23_client_method(); SSLeay_add_ssl_algorithms(); ctx = SSL_CTX_new(meth); if (ctx == NULL) return 0; @@ -370,14 +373,36 @@ ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so +#ugly artifact to delete engines that are disabled/unusable in LINUX +#that for some reason the build system insist on creating. + +# CAPI, Windows specific +rm %{buildroot}/%_lib/engines/libcapi.so +# GMP, has been always non-functional +rm %{buildroot}/%_lib/engines/libgmp.so +# Requires propietary Broadcom library, not available +rm %{buildroot}/%_lib/engines/libubsec.so +#Requires library called libnfhwcrhk.so which is not available +rm %{buildroot}/%_lib/engines/libchil.so +#requires library named "SureWareHook" which is not available +rm %{buildroot}/%_lib/engines/libsureware.so +#requires DSO "libswift.so",propietary and not available +rm %{buildroot}/%_lib/engines/libcswift.so +#requires DSO "nuronssl.so", propietary and not available +rm %{buildroot}/%_lib/engines/libnuron.so +#only supported in AIX and Windows... +rm %{buildroot}/%_lib/engines/lib4758cca.so +# deprecated in favor of http://sourceforge.net/projects/opencryptoki/files/ (??) +rm %{buildroot}/%_lib/engines/libaep.so +# HP Atalla AXL600L SSL Accelerator Card, EOL, linux 2.4/SLE8, useless nowdays +rm %{buildroot}/%_lib/engines/libatalla.so + %clean if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi -%post -n libopenssl1_0_0 -/sbin/ldconfig +%post -n libopenssl1_0_0 -p /sbin/ldconfig -%postun -n libopenssl1_0_0 -/sbin/ldconfig +%postun -n libopenssl1_0_0 -p /sbin/ldconfig %files -n libopenssl1_0_0 %defattr(-, root, root) ++++++ _service ++++++ <services> <service name="download_url"> <param name="protocol">http</param> <param name="host">www.openssl.org</param> <param name="path">/source/openssl-1.0.0d.tar.gz</param> </service> <service name="verify_file"> <param name="file">_service:download_url:openssl-1.0.0d.tar.gz</param> <param name="verifier">sha256</param> <param name="checksum">92511d1f0caaa298dba250426f8e7d5d00b271847886d1adc62422778d6320db</param> </service> </services>++++++ bug610223.patch ++++++ --- /var/tmp/diff_new_pack.zKHfJF/_old 2011-04-15 09:13:22.000000000 +0200 +++ /var/tmp/diff_new_pack.zKHfJF/_new 2011-04-15 09:13:22.000000000 +0200 @@ -1,8 +1,6 @@ -Index: openssl-1.0.0/Configure -=================================================================== ---- openssl-1.0.0.orig/Configure -+++ openssl-1.0.0/Configure -@@ -1673,7 +1673,8 @@ while (<IN>) +--- Configure.orig ++++ Configure +@@ -1688,7 +1688,8 @@ while (<IN>) } elsif (/^#define\s+ENGINESDIR/) { ++++++ openssl-1.0.0-aesni-v4.patch ++++++ ++++ 2367 lines (skipped) ++++++ openssl-padlock-x86_64-head.patch ++++++ diff --git a/engines/e_padlock.c b/engines/e_padlock.c index 7d09419..ce7e086 100644 --- a/engines/e_padlock.c +++ b/engines/e_padlock.c @@ -101,10 +101,15 @@ compiler choice is limited to GCC and Microsoft C. */ #undef COMPILE_HW_PADLOCK #if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM) -# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \ +# if (defined(__GNUC__) && __GNUC__>=2 && \ + (defined(__i386__) || defined(__i386) || \ + defined(__x86_64__) || defined(__x86_64)) \ + ) || \ (defined(_MSC_VER) && defined(_M_IX86)) # define COMPILE_HW_PADLOCK +# ifdef OPENSSL_NO_DYNAMIC_ENGINE static ENGINE *ENGINE_padlock (void); +# endif # endif #endif @@ -135,7 +140,7 @@ void ENGINE_load_padlock (void) # endif #elif defined(__GNUC__) # ifndef alloca -# define alloca(s) __builtin_alloca(s) +# define alloca(s) __builtin_alloca((s)) # endif #endif @@ -197,6 +202,7 @@ padlock_bind_helper(ENGINE *e) return 1; } +#ifdef OPENSSL_NO_DYNAMIC_ENGINE /* Constructor */ static ENGINE * ENGINE_padlock(void) @@ -214,6 +220,7 @@ ENGINE_padlock(void) return eng; } +#endif /* Check availability of the engine */ static int @@ -298,6 +305,7 @@ static volatile struct padlock_cipher_data *padlock_saved_context; * ======================================================= */ #if defined(__GNUC__) && __GNUC__>=2 +#if defined(__i386__) || defined(__i386) /* * As for excessive "push %ebx"/"pop %ebx" found all over. * When generating position-independent code GCC won't let @@ -377,21 +385,6 @@ padlock_available(void) return padlock_use_ace + padlock_use_rng; } -#ifndef OPENSSL_NO_AES -/* Our own htonl()/ntohl() */ -static inline void -padlock_bswapl(AES_KEY *ks) -{ - size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]); - unsigned int *key = ks->rd_key; - - while (i--) { - asm volatile ("bswapl %0" : "+r"(*key)); - key++; - } -} -#endif - /* Force key reload from memory to the CPU microcode. Loading EFLAGS from the stack clears EFLAGS[30] which does the trick. */ @@ -449,12 +442,127 @@ static inline void *name(size_t cnt, \ : "edx", "cc", "memory"); \ return iv; \ } +#endif + +#elif defined(__x86_64__) || defined(__x86_64) + +/* Load supported features of the CPU to see if + the PadLock is available. */ +static int +padlock_available(void) +{ + char vendor_string[16]; + unsigned int eax, edx; + + /* Are we running on the Centaur (VIA) CPU? */ + eax = 0x00000000; + vendor_string[12] = 0; + asm volatile ( + "cpuid\n" + "movl %%ebx,(%1)\n" + "movl %%edx,4(%1)\n" + "movl %%ecx,8(%1)\n" + : "+a"(eax) : "r"(vendor_string) : "rbx", "rcx", "rdx"); + if (strcmp(vendor_string, "CentaurHauls") != 0) + return 0; + + /* Check for Centaur Extended Feature Flags presence */ + eax = 0xC0000000; + asm volatile ("cpuid" + : "+a"(eax) : : "rbx", "rcx", "rdx"); + if (eax < 0xC0000001) + return 0; + + /* Read the Centaur Extended Feature Flags */ + eax = 0xC0000001; + asm volatile ("cpuid" + : "+a"(eax), "=d"(edx) : : "rbx", "rcx"); + + /* Fill up some flags */ + padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6)); + padlock_use_rng = ((edx & (0x3<<2)) == (0x3<<2)); + + return padlock_use_ace + padlock_use_rng; +} + +/* Force key reload from memory to the CPU microcode. + Loading EFLAGS from the stack clears EFLAGS[30] + which does the trick. */ +static inline void +padlock_reload_key(void) +{ + asm volatile ("pushfq; popfq"); +} + +#ifndef OPENSSL_NO_AES +/* + * This is heuristic key context tracing. At first one + * believes that one should use atomic swap instructions, + * but it's not actually necessary. Point is that if + * padlock_saved_context was changed by another thread + * after we've read it and before we compare it with cdata, + * our key *shall* be reloaded upon thread context switch + * and we are therefore set in either case... + */ +static inline void +padlock_verify_context(struct padlock_cipher_data *cdata) +{ + asm volatile ( + "pushfq\n" +" btl $30,(%%rsp)\n" +" jnc 1f\n" +" cmpq %2,%1\n" +" je 1f\n" +" popfq\n" +" subq $8,%%rsp\n" +"1: addq $8,%%rsp\n" +" movq %2,%0" + :"+m"(padlock_saved_context) + : "r"(padlock_saved_context), "r"(cdata) : "cc"); +} + +/* Template for padlock_xcrypt_* modes */ +/* BIG FAT WARNING: + * The offsets used with 'leal' instructions + * describe items of the 'padlock_cipher_data' + * structure. + */ +#define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \ +static inline void *name(size_t cnt, \ + struct padlock_cipher_data *cdata, \ + void *out, const void *inp) \ +{ void *iv; \ + asm volatile ( "leaq 16(%0),%%rdx\n" \ + " leaq 32(%0),%%rbx\n" \ + rep_xcrypt "\n" \ + : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \ + : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \ + : "rbx", "rdx", "cc", "memory"); \ + return iv; \ +} +#endif + +#endif /* cpu */ +#ifndef OPENSSL_NO_AES /* Generate all functions with appropriate opcodes */ PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, ".byte 0xf3,0x0f,0xa7,0xc8") /* rep xcryptecb */ PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc, ".byte 0xf3,0x0f,0xa7,0xd0") /* rep xcryptcbc */ PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0") /* rep xcryptcfb */ PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8") /* rep xcryptofb */ + +/* Our own htonl()/ntohl() */ +static inline void +padlock_bswapl(AES_KEY *ks) +{ + size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]); + unsigned int *key = ks->rd_key; + + while (i--) { + asm volatile ("bswapl %0" : "+r"(*key)); + key++; + } +} #endif /* The RNG call itself */ @@ -485,8 +593,8 @@ padlock_xstore(void *addr, unsigned int edx_in) static inline unsigned char * padlock_memcpy(void *dst,const void *src,size_t n) { - long *d=dst; - const long *s=src; + size_t *d=dst; + const size_t *s=src; n /= sizeof(*d); do { *d++ = *s++; } while (--n); ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
