Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2014-05-14 10:26:07 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl" Changes: -------- --- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2014-05-09 06:57:36.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2014-05-14 10:26:09.000000000 +0200 @@ -1,0 +2,25 @@ +Fri May 9 04:42:46 UTC 2014 - [email protected] + +- Add upstream patches fixing coverity scan issues: +* 0018-fix-coverity-issues-966593-966596.patch +* 0020-Initialize-num-properly.patch +* 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch +* 0023-evp-prevent-underflow-in-base64-decoding.patch +* 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch +* 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch + +- Update 0001-libcrypto-Hide-library-private-symbols.patch + to cover more private symbols, now 98% complete and probably + not much more can be done to fix the rest of the ill-defined API. + +- openssl-fips-hidden.patch new, hides private symbols added by the + FIPS patches. + +- openssl-no-egd.patch disable the EGD (entropy gathering daemon) + interface, we have no EGD in the distro and obtaining entropy from + a place other than /dev/*random, the hardware rng or the openSSL + internal PRNG is an extremely bad & dangerous idea. + +- use secure_getenv instead of getenv everywhere. + +------------------------------------------------------------------- New: ---- 0018-fix-coverity-issues-966593-966596.patch 0020-Initialize-num-properly.patch 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch 0023-evp-prevent-underflow-in-base64-decoding.patch 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch openssl-fips-hidden.patch openssl-no-egd.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssl.spec ++++++ --- /var/tmp/diff_new_pack.9ImmWn/_old 2014-05-14 10:26:11.000000000 +0200 +++ /var/tmp/diff_new_pack.9ImmWn/_new 2014-05-14 10:26:11.000000000 +0200 @@ -72,6 +72,14 @@ Patch24: 0012-Fix-eckey_priv_encode.patch Patch25: 0017-Double-free-in-i2o_ECPublicKey.patch Patch26: 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch +Patch27: 0018-fix-coverity-issues-966593-966596.patch +Patch28: 0020-Initialize-num-properly.patch +Patch29: 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch +Patch30: 0023-evp-prevent-underflow-in-base64-decoding.patch +Patch31: 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch +Patch32: 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch +Patch33: openssl-no-egd.patch +Patch34: openssl-fips-hidden.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -185,6 +193,14 @@ %patch24 -p1 %patch25 -p1 %patch26 -p1 +%patch27 -p1 +%patch28 -p1 +%patch29 -p1 +%patch30 -p1 +%patch31 -p1 +%patch32 -p1 +%patch33 -p1 +%patch34 -p1 cp -p %{S:10} . cp -p %{S:11} . echo "adding/overwriting some entries in the 'table' hash in Configure" @@ -222,6 +238,11 @@ sed -i -e "s|#define DATE \(.*\).LC_ALL.*date.|#define DATE \1$CHANGES|" crypto/Makefile %build + +%if 0%{suse_version} >= 1230 +find -type f -name "*.c" -exec sed -i -e "s@getenv@secure_getenv@g" {} + +%endif + %ifarch armv5el armv5tel export MACHINE=armv5el %endif @@ -236,7 +257,7 @@ no-ssl2 \ enable-rfc3779 \ %endif -%ifarch x86_64 +%ifarch x86_64 aarch64 ppc64le enable-ec_nistp_64_gcc_128 \ %endif enable-camellia \ ++++++ 0001-libcrypto-Hide-library-private-symbols.patch ++++++ --- /var/tmp/diff_new_pack.9ImmWn/_old 2014-05-14 10:26:11.000000000 +0200 +++ /var/tmp/diff_new_pack.9ImmWn/_new 2014-05-14 10:26:11.000000000 +0200 @@ -37,8 +37,6 @@ crypto/x509v3/pcy_int.h | 3 +++ 31 files changed, 85 insertions(+), 17 deletions(-) -Index: openssl-1.0.1g/apps/Makefile -=================================================================== --- openssl-1.0.1g.orig/apps/Makefile +++ openssl-1.0.1g/apps/Makefile @@ -20,7 +20,7 @@ EXE_EXT= @@ -50,8 +48,6 @@ GENERAL=Makefile makeapps.com install.com -Index: openssl-1.0.1g/crypto/asn1/asn1_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/asn1/asn1_locl.h +++ openssl-1.0.1g/crypto/asn1/asn1_locl.h @@ -58,6 +58,8 @@ @@ -69,8 +65,6 @@ }; + +#pragma GCC visibility pop -Index: openssl-1.0.1g/crypto/bn/bn_lcl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/bn/bn_lcl.h +++ openssl-1.0.1g/crypto/bn/bn_lcl.h @@ -483,6 +483,8 @@ extern "C" { @@ -91,8 +85,6 @@ #ifdef __cplusplus } #endif -Index: openssl-1.0.1g/crypto/camellia/cmll_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/camellia/cmll_locl.h +++ openssl-1.0.1g/crypto/camellia/cmll_locl.h @@ -68,6 +68,8 @@ @@ -110,8 +102,6 @@ CAMELLIA_KEY *key); +#pragma GCC visibility pop #endif /* #ifndef HEADER_CAMELLIA_LOCL_H */ -Index: openssl-1.0.1g/crypto/cast/cast_lcl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/cast/cast_lcl.h +++ openssl-1.0.1g/crypto/cast/cast_lcl.h @@ -217,6 +217,7 @@ @@ -127,8 +117,6 @@ extern const CAST_LONG CAST_S_table6[256]; extern const CAST_LONG CAST_S_table7[256]; +#pragma GCC visibility pop -Index: openssl-1.0.1g/crypto/cms/cms_lcl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/cms/cms_lcl.h +++ openssl-1.0.1g/crypto/cms/cms_lcl.h @@ -426,6 +426,8 @@ DECLARE_ASN1_ALLOC_FUNCTIONS(CMS_IssuerA @@ -150,8 +138,6 @@ #ifdef __cplusplus } #endif -Index: openssl-1.0.1g/crypto/des/des_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/des/des_locl.h +++ openssl-1.0.1g/crypto/des/des_locl.h @@ -421,10 +421,12 @@ @@ -167,8 +153,6 @@ #ifdef OPENSSL_SMALL_FOOTPRINT #undef DES_UNROLL -Index: openssl-1.0.1g/crypto/dsa/dsa_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/dsa/dsa_locl.h +++ openssl-1.0.1g/crypto/dsa/dsa_locl.h @@ -57,4 +57,4 @@ @@ -177,8 +161,6 @@ unsigned char *seed_out, - int *counter_ret, unsigned long *h_ret, BN_GENCB *cb); + int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) __attribute__ ((visibility ("hidden"))); -Index: openssl-1.0.1g/crypto/ec/ec_lcl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/ec/ec_lcl.h +++ openssl-1.0.1g/crypto/ec/ec_lcl.h @@ -88,6 +88,8 @@ @@ -196,8 +178,6 @@ #endif + +#pragma GCC visibility pop -Index: openssl-1.0.1g/crypto/ecdh/ech_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/ecdh/ech_locl.h +++ openssl-1.0.1g/crypto/ecdh/ech_locl.h @@ -58,6 +58,8 @@ @@ -216,8 +196,6 @@ - +#pragma GCC visibility pop #endif /* HEADER_ECH_LOCL_H */ -Index: openssl-1.0.1g/crypto/ecdsa/ecs_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/ecdsa/ecs_locl.h +++ openssl-1.0.1g/crypto/ecdsa/ecs_locl.h @@ -61,6 +61,8 @@ @@ -236,8 +214,6 @@ +#pragma GCC visibility pop + #endif /* HEADER_ECS_LOCL_H */ -Index: openssl-1.0.1g/crypto/engine/eng_int.h -=================================================================== --- openssl-1.0.1g.orig/crypto/engine/eng_int.h +++ openssl-1.0.1g/crypto/engine/eng_int.h @@ -68,6 +68,8 @@ @@ -256,8 +232,6 @@ - +#pragma GCC visibility pop #endif /* HEADER_ENGINE_INT_H */ -Index: openssl-1.0.1g/crypto/engine/eng_rsax.c -=================================================================== --- openssl-1.0.1g.orig/crypto/engine/eng_rsax.c +++ openssl-1.0.1g/crypto/engine/eng_rsax.c @@ -262,7 +262,7 @@ static int mod_exp_pre_compute_data_512( @@ -269,8 +243,6 @@ typedef struct st_e_rsax_mod_ctx { -Index: openssl-1.0.1g/crypto/evp/e_aes.c -=================================================================== --- openssl-1.0.1g.orig/crypto/evp/e_aes.c +++ openssl-1.0.1g/crypto/evp/e_aes.c @@ -108,6 +108,8 @@ typedef struct @@ -318,8 +290,6 @@ static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { -Index: openssl-1.0.1g/crypto/evp/e_aes_cbc_hmac_sha1.c -=================================================================== --- openssl-1.0.1g.orig/crypto/evp/e_aes_cbc_hmac_sha1.c +++ openssl-1.0.1g/crypto/evp/e_aes_cbc_hmac_sha1.c @@ -97,6 +97,8 @@ typedef struct @@ -340,8 +310,6 @@ #define data(ctx) ((EVP_AES_HMAC_SHA1 *)(ctx)->cipher_data) static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, -Index: openssl-1.0.1g/crypto/evp/evp_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/evp/evp_locl.h +++ openssl-1.0.1g/crypto/evp/evp_locl.h @@ -263,6 +263,8 @@ const EVP_CIPHER *EVP_##cname##_ecb(void @@ -362,8 +330,6 @@ #ifdef OPENSSL_FIPS #ifdef OPENSSL_DOING_MAKEDEPEND -Index: openssl-1.0.1g/crypto/md4/md4_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/md4/md4_locl.h +++ openssl-1.0.1g/crypto/md4/md4_locl.h @@ -65,7 +65,7 @@ @@ -375,8 +341,6 @@ #define DATA_ORDER_IS_LITTLE_ENDIAN -Index: openssl-1.0.1g/crypto/md5/md5_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/md5/md5_locl.h +++ openssl-1.0.1g/crypto/md5/md5_locl.h @@ -74,7 +74,7 @@ @@ -388,8 +352,6 @@ #define DATA_ORDER_IS_LITTLE_ENDIAN -Index: openssl-1.0.1g/crypto/modes/modes_lcl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/modes/modes_lcl.h +++ openssl-1.0.1g/crypto/modes/modes_lcl.h @@ -83,6 +83,8 @@ typedef unsigned char u8; @@ -407,8 +369,6 @@ }; - +#pragma GCC visibility pop -Index: openssl-1.0.1g/crypto/o_str.h -=================================================================== --- openssl-1.0.1g.orig/crypto/o_str.h +++ openssl-1.0.1g/crypto/o_str.h @@ -61,8 +61,12 @@ @@ -424,8 +384,6 @@ +#pragma GCC visibility pop + #endif -Index: openssl-1.0.1g/crypto/o_time.h -=================================================================== --- openssl-1.0.1g.orig/crypto/o_time.h +++ openssl-1.0.1g/crypto/o_time.h @@ -61,7 +61,11 @@ @@ -440,8 +398,6 @@ +#pragma GCC visibility pop + #endif -Index: openssl-1.0.1g/crypto/ripemd/rmd_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/ripemd/rmd_locl.h +++ openssl-1.0.1g/crypto/ripemd/rmd_locl.h @@ -76,7 +76,7 @@ @@ -453,8 +409,6 @@ #define DATA_ORDER_IS_LITTLE_ENDIAN -Index: openssl-1.0.1g/crypto/rsa/rsa_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/rsa/rsa_locl.h +++ openssl-1.0.1g/crypto/rsa/rsa_locl.h @@ -1,4 +1,4 @@ @@ -463,8 +417,6 @@ const unsigned char *sigbuf, size_t siglen, - RSA *rsa); + RSA *rsa) __attribute__ ((visibility ("hidden"))); -Index: openssl-1.0.1g/crypto/sha/sha256.c -=================================================================== --- openssl-1.0.1g.orig/crypto/sha/sha256.c +++ openssl-1.0.1g/crypto/sha/sha256.c @@ -110,7 +110,7 @@ int SHA224_Final (unsigned char *md, SHA @@ -476,8 +428,6 @@ #include "md32_common.h" -Index: openssl-1.0.1g/crypto/sha/sha512.c -=================================================================== --- openssl-1.0.1g.orig/crypto/sha/sha512.c +++ openssl-1.0.1g/crypto/sha/sha512.c @@ -94,7 +94,7 @@ fips_md_init(SHA512) @@ -489,8 +439,6 @@ int SHA512_Final (unsigned char *md, SHA512_CTX *c) { -Index: openssl-1.0.1g/crypto/sha/sha_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/sha/sha_locl.h +++ openssl-1.0.1g/crypto/sha/sha_locl.h @@ -108,7 +108,7 @@ static void sha_block_data_order (SHA_CT @@ -502,8 +450,6 @@ #else # error "Either SHA_0 or SHA_1 must be defined." -Index: openssl-1.0.1g/crypto/store/str_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/store/str_locl.h +++ openssl-1.0.1g/crypto/store/str_locl.h @@ -62,6 +62,8 @@ @@ -522,8 +468,6 @@ - +#pragma GCC visibility pop #endif -Index: openssl-1.0.1g/crypto/ui/ui_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/ui/ui_locl.h +++ openssl-1.0.1g/crypto/ui/ui_locl.h @@ -66,6 +66,8 @@ @@ -542,8 +486,6 @@ - +#pragma GCC visibility pop #endif -Index: openssl-1.0.1g/crypto/whrlpool/wp_locl.h -=================================================================== --- openssl-1.0.1g.orig/crypto/whrlpool/wp_locl.h +++ openssl-1.0.1g/crypto/whrlpool/wp_locl.h @@ -1,3 +1,3 @@ @@ -551,8 +493,6 @@ -void whirlpool_block(WHIRLPOOL_CTX *,const void *,size_t); +void whirlpool_block(WHIRLPOOL_CTX *,const void *,size_t) __attribute__ ((visibility ("hidden"))); -Index: openssl-1.0.1g/crypto/x509v3/ext_dat.h -=================================================================== --- openssl-1.0.1g.orig/crypto/x509v3/ext_dat.h +++ openssl-1.0.1g/crypto/x509v3/ext_dat.h @@ -57,6 +57,8 @@ @@ -572,8 +512,6 @@ /* Number of standard extensions */ #define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *)) -Index: openssl-1.0.1g/crypto/x509v3/pcy_int.h -=================================================================== --- openssl-1.0.1g.orig/crypto/x509v3/pcy_int.h +++ openssl-1.0.1g/crypto/x509v3/pcy_int.h @@ -56,6 +56,7 @@ @@ -590,10 +528,19 @@ const X509_POLICY_CACHE *policy_cache_set(X509 *x); + +#pragma GCC visibility pop -Index: openssl-1.0.1g/crypto/modes/gcm128.c -=================================================================== --- openssl-1.0.1g.orig/crypto/modes/gcm128.c +++ openssl-1.0.1g/crypto/modes/gcm128.c +@@ -567,8 +567,8 @@ static void gcm_ghash_4bit(u64 Xi[2],con + } + #endif + #else +-void gcm_gmult_4bit(u64 Xi[2],const u128 Htable[16]); +-void gcm_ghash_4bit(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len); ++void gcm_gmult_4bit(u64 Xi[2],const u128 Htable[16]) __attribute__ ((visibility ("hidden"))); ++void gcm_ghash_4bit(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len) __attribute__ ((visibility ("hidden"))); + #endif + + #define GCM_MUL(ctx,Xi) gcm_gmult_4bit(ctx->Xi.u,ctx->Htable) @@ -651,9 +651,9 @@ static void gcm_gmult_1bit(u64 Xi[2],con # define GCM_FUNCREF_4BIT extern unsigned int OPENSSL_ia32cap_P[2]; @@ -607,8 +554,6 @@ # if defined(__i386) || defined(__i386__) || defined(_M_IX86) # define GHASH_ASM_X86 -Index: openssl-1.0.1g/crypto/evp/e_rc4_hmac_md5.c -=================================================================== --- openssl-1.0.1g.orig/crypto/evp/e_rc4_hmac_md5.c +++ openssl-1.0.1g/crypto/evp/e_rc4_hmac_md5.c @@ -78,7 +78,7 @@ typedef struct @@ -620,3 +565,207 @@ #define data(ctx) ((EVP_RC4_HMAC_MD5 *)(ctx)->cipher_data) +--- openssl-1.0.1g.orig/crypto/cmac/cm_ameth.c ++++ openssl-1.0.1g/crypto/cmac/cm_ameth.c +@@ -73,6 +73,7 @@ static void cmac_key_free(EVP_PKEY *pkey + CMAC_CTX_free(cmctx); + } + ++__attribute__ ((visibility ("hidden"))) + const EVP_PKEY_ASN1_METHOD cmac_asn1_meth = + { + EVP_PKEY_CMAC, +--- openssl-1.0.1g.orig/crypto/evp/pmeth_lib.c ++++ openssl-1.0.1g/crypto/evp/pmeth_lib.c +@@ -70,7 +70,7 @@ + typedef int sk_cmp_fn_type(const char * const *a, const char * const *b); + + DECLARE_STACK_OF(EVP_PKEY_METHOD) +-STACK_OF(EVP_PKEY_METHOD) *app_pkey_methods = NULL; ++static STACK_OF(EVP_PKEY_METHOD) *app_pkey_methods = NULL; + + extern const EVP_PKEY_METHOD rsa_pkey_meth, dh_pkey_meth, dsa_pkey_meth; + extern const EVP_PKEY_METHOD ec_pkey_meth, hmac_pkey_meth, cmac_pkey_meth; +--- openssl-1.0.1g.orig/crypto/cmac/cm_pmeth.c ++++ openssl-1.0.1g/crypto/cmac/cm_pmeth.c +@@ -188,6 +188,7 @@ static int pkey_cmac_ctrl_str(EVP_PKEY_C + return -2; + } + ++__attribute__ ((visibility ("hidden"))) + const EVP_PKEY_METHOD cmac_pkey_meth = + { + EVP_PKEY_CMAC, +--- openssl-1.0.1g.orig/crypto/rand/md_rand.c ++++ openssl-1.0.1g/crypto/rand/md_rand.c +@@ -164,7 +164,7 @@ static int ssleay_rand_nopseudo_bytes(un + static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num); + static int ssleay_rand_status(void); + +-RAND_METHOD rand_ssleay_meth={ ++static RAND_METHOD rand_ssleay_meth={ + ssleay_rand_seed, + ssleay_rand_nopseudo_bytes, + ssleay_rand_cleanup, +--- openssl-1.0.1g.orig/crypto/dh/dh_ameth.c ++++ openssl-1.0.1g/crypto/dh/dh_ameth.c +@@ -466,6 +466,7 @@ int DHparams_print(BIO *bp, const DH *x) + return do_dh_print(bp, x, 4, NULL, 0); + } + ++__attribute__ ((visibility ("hidden"))) + const EVP_PKEY_ASN1_METHOD dh_asn1_meth = + { + EVP_PKEY_DH, +--- openssl-1.0.1g.orig/crypto/dh/dh_pmeth.c ++++ openssl-1.0.1g/crypto/dh/dh_pmeth.c +@@ -217,6 +217,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX * + return 1; + } + ++__attribute__ ((visibility ("hidden"))) + const EVP_PKEY_METHOD dh_pkey_meth = + { + EVP_PKEY_DH, +--- openssl-1.0.1g.orig/crypto/dsa/dsa_ameth.c ++++ openssl-1.0.1g/crypto/dsa/dsa_ameth.c +@@ -639,7 +639,7 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey, + } + + /* NB these are sorted in pkey_id order, lowest first */ +- ++__attribute__ ((visibility ("hidden"))) + const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[] = + { + +--- openssl-1.0.1g.orig/crypto/dsa/dsa_pmeth.c ++++ openssl-1.0.1g/crypto/dsa/dsa_pmeth.c +@@ -281,6 +281,7 @@ static int pkey_dsa_keygen(EVP_PKEY_CTX + return DSA_generate_key(pkey->pkey.dsa); + } + ++__attribute__ ((visibility ("hidden"))) + const EVP_PKEY_METHOD dsa_pkey_meth = + { + EVP_PKEY_DSA, +--- openssl-1.0.1g.orig/crypto/ec/ec_ameth.c ++++ openssl-1.0.1g/crypto/ec/ec_ameth.c +@@ -625,6 +625,7 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey, + + } + ++__attribute__ ((visibility ("hidden"))) + const EVP_PKEY_ASN1_METHOD eckey_asn1_meth = + { + EVP_PKEY_EC, +--- openssl-1.0.1g.orig/crypto/ec/ec_pmeth.c ++++ openssl-1.0.1g/crypto/ec/ec_pmeth.c +@@ -304,6 +304,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX * + return EC_KEY_generate_key(pkey->pkey.ec); + } + ++__attribute__ ((visibility ("hidden"))) + const EVP_PKEY_METHOD ec_pkey_meth = + { + EVP_PKEY_EC, +--- openssl-1.0.1g.orig/crypto/hmac/hm_ameth.c ++++ openssl-1.0.1g/crypto/hmac/hm_ameth.c +@@ -138,6 +138,7 @@ static int old_hmac_encode(const EVP_PKE + + #endif + ++__attribute__ ((visibility ("hidden"))) + const EVP_PKEY_ASN1_METHOD hmac_asn1_meth = + { + EVP_PKEY_HMAC, +--- openssl-1.0.1g.orig/crypto/hmac/hm_pmeth.c ++++ openssl-1.0.1g/crypto/hmac/hm_pmeth.c +@@ -235,6 +235,7 @@ static int pkey_hmac_ctrl_str(EVP_PKEY_C + return -2; + } + ++__attribute__ ((visibility ("hidden"))) + const EVP_PKEY_METHOD hmac_pkey_meth = + { + EVP_PKEY_HMAC, +--- openssl-1.0.1g.orig/crypto/rsa/rsa_ameth.c ++++ openssl-1.0.1g/crypto/rsa/rsa_ameth.c +@@ -657,6 +657,7 @@ static int rsa_item_sign(EVP_MD_CTX *ctx + return 2; + } + ++__attribute__ ((visibility ("hidden"))) + const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = + { + { +--- openssl-1.0.1g.orig/crypto/rsa/rsa_pmeth.c ++++ openssl-1.0.1g/crypto/rsa/rsa_pmeth.c +@@ -685,6 +685,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX + return ret; + } + ++__attribute__ ((visibility ("hidden"))) + const EVP_PKEY_METHOD rsa_pkey_meth = + { + EVP_PKEY_RSA, +--- openssl-1.0.1g.orig/crypto/objects/obj_xref.c ++++ openssl-1.0.1g/crypto/objects/obj_xref.c +@@ -60,7 +60,7 @@ + #include "obj_xref.h" + + DECLARE_STACK_OF(nid_triple) +-STACK_OF(nid_triple) *sig_app, *sigx_app; ++static STACK_OF(nid_triple) *sig_app, *sigx_app; + + static int sig_cmp(const nid_triple *a, const nid_triple *b) + { +--- openssl-1.0.1g.orig/crypto/pem/pem_lib.c ++++ openssl-1.0.1g/crypto/pem/pem_lib.c +@@ -80,7 +80,7 @@ const char PEM_version[]="PEM" OPENSSL_V + + static int load_iv(char **fromp,unsigned char *to, int num); + static int check_pem(const char *nm, const char *name); +-int pem_check_suffix(const char *pem_str, const char *suffix); ++int pem_check_suffix(const char *pem_str, const char *suffix) __attribute__ ((visibility ("hidden"))); + + int PEM_def_callback(char *buf, int num, int w, void *key) + { +--- openssl-1.0.1g.orig/crypto/asn1/tasn_prn.c ++++ openssl-1.0.1g/crypto/asn1/tasn_prn.c +@@ -72,7 +72,7 @@ + + /* ASN1_PCTX routines */ + +-ASN1_PCTX default_pctx = ++static ASN1_PCTX default_pctx = + { + ASN1_PCTX_FLAGS_SHOW_ABSENT, /* flags */ + 0, /* nm_flags */ +--- openssl-1.0.1g.orig/crypto/bn/bn_exp.c ++++ openssl-1.0.1g/crypto/bn/bn_exp.c +@@ -684,11 +684,11 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr + { + void bn_mul_mont_gather5(BN_ULONG *rp,const BN_ULONG *ap, + const void *table,const BN_ULONG *np, +- const BN_ULONG *n0,int num,int power); ++ const BN_ULONG *n0,int num,int power) __attribute__ ((visibility ("hidden"))); + void bn_scatter5(const BN_ULONG *inp,size_t num, +- void *table,size_t power); ++ void *table,size_t power) __attribute__ ((visibility ("hidden"))); + void bn_gather5(BN_ULONG *out,size_t num, +- void *table,size_t power); ++ void *table,size_t power) __attribute__ ((visibility ("hidden"))); + + BN_ULONG *np=mont->N.d, *n0=mont->n0; + +--- openssl-1.0.1g.orig/crypto/bn/bn_gf2m.c ++++ openssl-1.0.1g/crypto/bn/bn_gf2m.c +@@ -220,7 +220,7 @@ static void bn_GF2m_mul_2x2(BN_ULONG *r, + r[1] = r[3] ^ r[2] ^ r[0] ^ m1 ^ m0; /* l1 ^= l0 ^ h0 ^ m0; */ + } + #else +-void bn_GF2m_mul_2x2(BN_ULONG *r, BN_ULONG a1, BN_ULONG a0, BN_ULONG b1, BN_ULONG b0); ++void bn_GF2m_mul_2x2(BN_ULONG *r, BN_ULONG a1, BN_ULONG a0, BN_ULONG b1, BN_ULONG b0) __attribute__ ((visibility ("hidden"))); + #endif + + /* Add polynomials a and b and store result in r; r could be a or b, a and b ++++++ 0018-fix-coverity-issues-966593-966596.patch ++++++ >From 7b7b18c57e899201338d91083bc49cc8c5a915fc Mon Sep 17 00:00:00 2001 From: Tim Hudson <[email protected]> Date: Mon, 5 May 2014 06:41:22 +1000 Subject: [PATCH 18/23] - fix coverity issues 966593-966596 --- crypto/srp/srp_vfy.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 4a3d13e..fdca19f 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -93,6 +93,9 @@ static int t_fromb64(unsigned char *a, const char *src) else a[i] = loc - b64table; ++i; } + /* if nothing valid to process we have a zero length response */ + if (i == 0) + return 0; size = i; i = size - 1; j = size; -- 1.8.4.5 ++++++ 0020-Initialize-num-properly.patch ++++++ >From a41d5174e27c99d1caefd76a8e927c814ede509e Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" <[email protected]> Date: Tue, 6 May 2014 14:07:37 +0100 Subject: [PATCH 20/23] Initialize num properly. PR#3289 PR#3345 (cherry picked from commit 3ba1e406c2309adb427ced9815ebf05f5b58d155) --- crypto/evp/bio_b64.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/evp/bio_b64.c b/crypto/evp/bio_b64.c index ac6d441..16863fe 100644 --- a/crypto/evp/bio_b64.c +++ b/crypto/evp/bio_b64.c @@ -226,6 +226,7 @@ static int b64_read(BIO *b, char *out, int outl) else if (ctx->start) { q=p=(unsigned char *)ctx->tmp; + num = 0; for (j=0; j<i; j++) { if (*(q++) != '\n') continue; -- 1.8.4.5 ++++++ 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch ++++++ >From d8afda60a991791f27cfac79186b1f8a4f4e30a0 Mon Sep 17 00:00:00 2001 From: Geoff Thorpe <[email protected]> Date: Sun, 4 May 2014 16:19:22 -0400 Subject: [PATCH 22/23] bignum: allow concurrent BN_MONT_CTX_set_locked() The lazy-initialisation of BN_MONT_CTX was serialising all threads, as noted by Daniel Sands and co at Sandia. This was to handle the case that 2 or more threads race to lazy-init the same context, but stunted all scalability in the case where 2 or more threads are doing unrelated things! We favour the latter case by punishing the former. The init work gets done by each thread that finds the context to be uninitialised, and we then lock the "set" logic after that work is done - the winning thread's work gets used, the losing threads throw away what they've done. Signed-off-by: Geoff Thorpe <[email protected]> --- crypto/bn/bn_mont.c | 46 ++++++++++++++++++++++++++-------------------- 1 file changed, 26 insertions(+), 20 deletions(-) diff --git a/crypto/bn/bn_mont.c b/crypto/bn/bn_mont.c index 427b5cf..ee8532c 100644 --- a/crypto/bn/bn_mont.c +++ b/crypto/bn/bn_mont.c @@ -478,32 +478,38 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from) BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock, const BIGNUM *mod, BN_CTX *ctx) { - int got_write_lock = 0; BN_MONT_CTX *ret; CRYPTO_r_lock(lock); - if (!*pmont) + ret = *pmont; + CRYPTO_r_unlock(lock); + if (ret) + return ret; + + /* We don't want to serialise globally while doing our lazy-init math in + * BN_MONT_CTX_set. That punishes threads that are doing independent + * things. Instead, punish the case where more than one thread tries to + * lazy-init the same 'pmont', by having each do the lazy-init math work + * independently and only use the one from the thread that wins the race + * (the losers throw away the work they've done). */ + ret = BN_MONT_CTX_new(); + if (!ret) + return NULL; + if (!BN_MONT_CTX_set(ret, mod, ctx)) { - CRYPTO_r_unlock(lock); - CRYPTO_w_lock(lock); - got_write_lock = 1; + BN_MONT_CTX_free(ret); + return NULL; + } - if (!*pmont) - { - ret = BN_MONT_CTX_new(); - if (ret && !BN_MONT_CTX_set(ret, mod, ctx)) - BN_MONT_CTX_free(ret); - else - *pmont = ret; - } + /* The locked compare-and-set, after the local work is done. */ + CRYPTO_w_lock(lock); + if (*pmont) + { + BN_MONT_CTX_free(ret); + ret = *pmont; } - - ret = *pmont; - - if (got_write_lock) - CRYPTO_w_unlock(lock); else - CRYPTO_r_unlock(lock); - + *pmont = ret; + CRYPTO_w_unlock(lock); return ret; } -- 1.8.4.5 ++++++ 0023-evp-prevent-underflow-in-base64-decoding.patch ++++++ >From d0666f289ac013094bbbf547bfbcd616199b7d2d Mon Sep 17 00:00:00 2001 From: Geoff Thorpe <[email protected]> Date: Sun, 4 May 2014 18:44:14 -0400 Subject: [PATCH 23/23] evp: prevent underflow in base64 decoding This patch resolves RT ticket #2608. Thanks to Robert Dugal for originally spotting this, and to David Ramos for noticing that the ball had been dropped. Signed-off-by: Geoff Thorpe <[email protected]> --- crypto/evp/encode.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/evp/encode.c b/crypto/evp/encode.c index 28546a8..4654bdc 100644 --- a/crypto/evp/encode.c +++ b/crypto/evp/encode.c @@ -324,6 +324,7 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, v=EVP_DecodeBlock(out,d,n); n=0; if (v < 0) { rv=0; goto end; } + if (eof > v) { rv=-1; goto end; } ret+=(v-eof); } else -- 1.8.4.5 ++++++ 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch ++++++ >From c6a47f988c19093e4716d58dbed92938c18e1640 Mon Sep 17 00:00:00 2001 From: Matt Caswell <[email protected]> Date: Wed, 7 May 2014 23:21:02 +0100 Subject: [PATCH 24/25] Fixed NULL pointer dereference in PKCS7_dataDecode reported by David Ramos in PR#3339 --- crypto/pkcs7/pk7_doit.c | 5 +++++ crypto/pkcs7/pkcs7.h | 1 + crypto/pkcs7/pkcs7err.c | 3 ++- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index 4c12a9d..d91aa11 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -440,6 +440,11 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) { case NID_pkcs7_signed: data_body=PKCS7_get_octet_string(p7->d.sign->contents); + if (!PKCS7_is_detached(p7) && data_body == NULL) + { + PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_INVALID_SIGNED_DATA_TYPE); + goto err; + } md_sk=p7->d.sign->md_algs; break; case NID_pkcs7_signedAndEnveloped: diff --git a/crypto/pkcs7/pkcs7.h b/crypto/pkcs7/pkcs7.h index e4d4431..04f6037 100644 --- a/crypto/pkcs7/pkcs7.h +++ b/crypto/pkcs7/pkcs7.h @@ -453,6 +453,7 @@ void ERR_load_PKCS7_strings(void); #define PKCS7_R_ERROR_SETTING_CIPHER 121 #define PKCS7_R_INVALID_MIME_TYPE 131 #define PKCS7_R_INVALID_NULL_POINTER 143 +#define PKCS7_R_INVALID_SIGNED_DATA_TYPE 155 #define PKCS7_R_MIME_NO_CONTENT_TYPE 132 #define PKCS7_R_MIME_PARSE_ERROR 133 #define PKCS7_R_MIME_SIG_PARSE_ERROR 134 diff --git a/crypto/pkcs7/pkcs7err.c b/crypto/pkcs7/pkcs7err.c index d0af32a..f3db08e 100644 --- a/crypto/pkcs7/pkcs7err.c +++ b/crypto/pkcs7/pkcs7err.c @@ -1,6 +1,6 @@ /* crypto/pkcs7/pkcs7err.c */ /* ==================================================================== - * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2014 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -130,6 +130,7 @@ static ERR_STRING_DATA PKCS7_str_reasons[]= {ERR_REASON(PKCS7_R_ERROR_SETTING_CIPHER),"error setting cipher"}, {ERR_REASON(PKCS7_R_INVALID_MIME_TYPE) ,"invalid mime type"}, {ERR_REASON(PKCS7_R_INVALID_NULL_POINTER),"invalid null pointer"}, +{ERR_REASON(PKCS7_R_INVALID_SIGNED_DATA_TYPE),"invalid signed data type"}, {ERR_REASON(PKCS7_R_MIME_NO_CONTENT_TYPE),"mime no content type"}, {ERR_REASON(PKCS7_R_MIME_PARSE_ERROR) ,"mime parse error"}, {ERR_REASON(PKCS7_R_MIME_SIG_PARSE_ERROR),"mime sig parse error"}, -- 1.8.4.5 ++++++ 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch ++++++ >From 6a60b414318ec4315ee016c3e15777c448603115 Mon Sep 17 00:00:00 2001 From: Tim Hudson <[email protected]> Date: Mon, 5 May 2014 08:22:42 +1000 Subject: [PATCH 25/25] fix coverity issue 966597 - error line is not always initialised --- ssl/ssl_asn1.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c index 38540be..4775003 100644 --- a/ssl/ssl_asn1.c +++ b/ssl/ssl_asn1.c @@ -408,6 +408,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, if (os.length != 3) { c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH; + c.line=__LINE__; goto err; } id=0x02000000L| @@ -420,6 +421,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, if (os.length != 2) { c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH; + c.line=__LINE__; goto err; } id=0x03000000L| @@ -429,6 +431,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, else { c.error=SSL_R_UNKNOWN_SSL_VERSION; + c.line=__LINE__; goto err; } @@ -521,6 +524,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, if (os.length > SSL_MAX_SID_CTX_LENGTH) { c.error=SSL_R_BAD_LENGTH; + c.line=__LINE__; goto err; } else -- 1.8.4.5 ++++++ openssl-fips-hidden.patch ++++++ --- openssl-1.0.1g.orig/crypto/fips/fips_rand_lcl.h +++ openssl-1.0.1g/crypto/fips/fips_rand_lcl.h @@ -51,6 +51,8 @@ * ==================================================================== */ +#pragma GCC visibility push(hidden) + typedef struct drbg_hash_ctx_st DRBG_HASH_CTX; typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX; typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX; @@ -217,3 +219,5 @@ const struct evp_cipher_st *FIPS_get_cip #define FIPS_digestupdate EVP_DigestUpdate #define FIPS_digestfinal EVP_DigestFinal #define M_EVP_MD_size EVP_MD_size + +#pragma GCC visibility pop --- openssl-1.0.1g.orig/crypto/fips/fips_rsa_x931g.c +++ openssl-1.0.1g/crypto/fips/fips_rsa_x931g.c @@ -65,7 +65,7 @@ #ifdef OPENSSL_FIPS #include <openssl/fips.h> -extern int fips_check_rsa(RSA *rsa); +extern int fips_check_rsa(RSA *rsa) __attribute__ ((visibility ("hidden"))); #endif /* X9.31 RSA key derivation and generation */ ++++++ openssl-no-egd.patch ++++++ --- openssl-1.0.1g.orig/crypto/rand/rand_egd.c +++ openssl-1.0.1g/crypto/rand/rand_egd.c @@ -95,7 +95,7 @@ * RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255. */ -#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) || defined(OPENSSL_SYS_BEOS) +#if defined(__linux__) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) || defined(OPENSSL_SYS_BEOS) int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes) { return(-1); -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
