Package: release.debian.org Severity: normal User: [email protected] Usertags: unblock
Please unblock openssl/1.0.1e-2, it fixes a bunch of issues fixed in upstream git since the 1.0.1e release. debdiff attached. Kurt
diff -Nru openssl-1.0.1e/debian/changelog openssl-1.0.1e/debian/changelog --- openssl-1.0.1e/debian/changelog 2013-02-11 19:40:07.000000000 +0100 +++ openssl-1.0.1e/debian/changelog 2013-03-18 20:37:14.000000000 +0100 @@ -1,3 +1,13 @@ +openssl (1.0.1e-2) unstable; urgency=high + + * Bump shlibs. It's needed for the udeb. + * Make cpuid work on cpu's that don't set ecx (Closes: #699692) + * Fix problem with AES-NI causing bad record mac (Closes: #701868, #702635, #678353) + * Fix problem with DTLS version check (Closes: #701826) + * Fix segfault in SSL_get_certificate (Closes: #703031) + + -- Kurt Roeckx <[email protected]> Mon, 18 Mar 2013 20:37:11 +0100 + openssl (1.0.1e-1) unstable; urgency=high * New upstream version (Closes: #699889) diff -Nru openssl-1.0.1e/debian/patches/aesni-mac.patch openssl-1.0.1e/debian/patches/aesni-mac.patch --- openssl-1.0.1e/debian/patches/aesni-mac.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssl-1.0.1e/debian/patches/aesni-mac.patch 2013-03-18 20:19:47.000000000 +0100 @@ -0,0 +1,26 @@ +From: Andy Polyakov <[email protected]> +Date: Mon, 18 Mar 2013 19:29:41 +0100 +Subject: e_aes_cbc_hmac_sha1.c: fix rare bad record mac on AES-NI plaforms. +Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=9ab3ce124616cb12bd39c6aa1e1bde0f46969b29 +Bug-Debian: http://bugs.debian.org/701868 +Bug: http://rt.openssl.org/Ticket/Display.html?id=3002&user=guest&pass=guest + +diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c +index 483e04b..fb2c884 100644 +--- a/crypto/evp/e_aes_cbc_hmac_sha1.c ++++ b/crypto/evp/e_aes_cbc_hmac_sha1.c +@@ -328,10 +328,11 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + + if (res!=SHA_CBLOCK) continue; + +- mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1)); ++ /* j is not incremented yet */ ++ mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1)); + data->u[SHA_LBLOCK-1] |= bitlen&mask; + sha1_block_data_order(&key->md,data,1); +- mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1)); ++ mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1)); + pmac->u[0] |= key->md.h0 & mask; + pmac->u[1] |= key->md.h1 & mask; + pmac->u[2] |= key->md.h2 & mask; + diff -Nru openssl-1.0.1e/debian/patches/cpuid.patch openssl-1.0.1e/debian/patches/cpuid.patch --- openssl-1.0.1e/debian/patches/cpuid.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssl-1.0.1e/debian/patches/cpuid.patch 2013-03-10 21:54:05.000000000 +0100 @@ -0,0 +1,27 @@ +From: Andy Polyakov <[email protected]> +Date: Mon, 4 Mar 2013 19:05:04 +0000 (+0100) +Subject: x86cpuid.pl: make it work with older CPUs. +Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=5702e965d759dde8a098d8108660721ba2b93a7d +Bug-Debian: http://bugs.debian.org/699692 +Bug: http://rt.openssl.org/Ticket/Display.html?id=3005&user=guest&pass=guest + +diff --git a/crypto/x86cpuid.pl b/crypto/x86cpuid.pl +index 3b6c469..e8a7518 100644 +--- a/crypto/x86cpuid.pl ++++ b/crypto/x86cpuid.pl +@@ -69,6 +69,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); } + &inc ("esi"); # number of cores + + &mov ("eax",1); ++ &xor ("ecx","ecx"); + &cpuid (); + &bt ("edx",28); + &jnc (&label("generic")); +@@ -102,6 +103,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); } + + &set_label("nocacheinfo"); + &mov ("eax",1); ++ &xor ("ecx","ecx"); + &cpuid (); + &and ("edx",0xbfefffff); # force reserved bits #20, #30 to 0 + &cmp ("ebp",0); diff -Nru openssl-1.0.1e/debian/patches/dtls_version.patch openssl-1.0.1e/debian/patches/dtls_version.patch --- openssl-1.0.1e/debian/patches/dtls_version.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssl-1.0.1e/debian/patches/dtls_version.patch 2013-03-18 20:28:32.000000000 +0100 @@ -0,0 +1,25 @@ +From: David Woodhouse <[email protected]> +Date: Tue, 12 Feb 2013 14:55:32 +0000 +Subject: Check DTLS_BAD_VER for version number. +Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=9fe4603b8245425a4c46986ed000fca054231253 +Bug-Debian: http://bugs.debian.org/701826 +Bug: http://rt.openssl.org/Ticket/Display.html?id=2984&user=guest&pass=guest + +The version check for DTLS1_VERSION was redundant as +DTLS1_VERSION > TLS1_1_VERSION, however we do need to +check for DTLS1_BAD_VER for compatibility. + +diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c +index 02edf3f..443a31e 100644 +--- a/ssl/s3_cbc.c ++++ b/ssl/s3_cbc.c +@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s, + unsigned padding_length, good, to_check, i; + const unsigned overhead = 1 /* padding length byte */ + mac_size; + /* Check if version requires explicit IV */ +- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION) ++ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER) + { + /* These lengths are all public so we can test them in + * non-constant time. + diff -Nru openssl-1.0.1e/debian/patches/get_certificate.patch openssl-1.0.1e/debian/patches/get_certificate.patch --- openssl-1.0.1e/debian/patches/get_certificate.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssl-1.0.1e/debian/patches/get_certificate.patch 2013-03-18 20:36:30.000000000 +0100 @@ -0,0 +1,27 @@ +From: "Dr. Stephen Henson" <[email protected]> +Date: Mon, 11 Feb 2013 18:24:03 +0000 +Subject: Fix for SSL_get_certificate +Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=147dbb2fe3bead7a10e2f280261b661ce7af7adc +Bug-Debian: http://bugs.debian.org/703031 + + +Now we set the current certificate to the one used by a server +there is no need to call ssl_get_server_send_cert which will +fail if we haven't sent a certificate yet. + +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index 14d143d..ff5a85a 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s) + /* Fix this function so that it takes an optional type parameter */ + X509 *SSL_get_certificate(const SSL *s) + { +- if (s->server) +- return(ssl_get_server_send_cert(s)); +- else if (s->cert != NULL) ++ if (s->cert != NULL) + return(s->cert->key->x509); + else + return(NULL); + diff -Nru openssl-1.0.1e/debian/patches/series openssl-1.0.1e/debian/patches/series --- openssl-1.0.1e/debian/patches/series 2013-02-11 19:39:36.000000000 +0100 +++ openssl-1.0.1e/debian/patches/series 2013-03-18 20:36:46.000000000 +0100 @@ -32,3 +32,7 @@ #padlock_conf.patch default_bits.patch ssltest_no_sslv2.patch +cpuid.patch +aesni-mac.patch +dtls_version.patch +get_certificate.patch diff -Nru openssl-1.0.1e/debian/rules openssl-1.0.1e/debian/rules --- openssl-1.0.1e/debian/rules 2012-07-17 11:49:15.000000000 +0200 +++ openssl-1.0.1e/debian/rules 2013-03-10 21:54:40.000000000 +0100 @@ -137,7 +137,7 @@ dh_strip -a --dbg-package=libssl1.0.0 dh_perl -a -d dpkg-gensymbols -Pdebian/libssl1.0.0/ -plibssl1.0.0 -c4 - dh_makeshlibs -a -V "libssl1.0.0 (>= 1.0.0)" --add-udeb="libcrypto1.0.0-udeb" + dh_makeshlibs -a -V "libssl1.0.0 (>= 1.0.1d)" --add-udeb="libcrypto1.0.0-udeb" dh_shlibdeps -a -L libssl1.0.0 -l debian/libssl1.0.0/usr/lib/$(DEB_HOST_MULTIARCH) dh_gencontrol -a dh_installdeb -a
