Hello community,
here is the log from the commit of package openssl for openSUSE:Factory checked
in at 2014-08-25 11:03:07
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl (Old)
and /work/SRC/openSUSE:Factory/.openssl.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl"
Changes:
--------
--- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2014-07-27
08:25:53.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2014-08-25
11:03:36.000000000 +0200
@@ -1,0 +2,63 @@
+Thu Aug 21 15:05:43 UTC 2014 - meiss...@suse.com
+
+- openssl.keyring: the 1.0.1i release was done by
+ Matt Caswell <m...@openssl.org> UK 0E604491
+
+-------------------------------------------------------------------
+Thu Aug 14 10:27:07 UTC 2014 - vci...@suse.com
+
+- rename README.SuSE (old spelling) to README.SUSE (bnc#889013)
+
+-------------------------------------------------------------------
+Wed Aug 13 17:43:21 UTC 2014 - vci...@suse.com
+
+- update to 1.0.1i
+ * Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
+ SRP code can be overrun an internal buffer. Add sanity check that
+ g, A, B < N to SRP code.
+ (CVE-2014-3512)
+ * A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
+ TLS 1.0 instead of higher protocol versions when the ClientHello message
+ is badly fragmented. This allows a man-in-the-middle attacker to force a
+ downgrade to TLS 1.0 even if both the server and the client support a
+ higher protocol version, by modifying the client's TLS records.
+ (CVE-2014-3511)
+ * OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
+ to a denial of service attack. A malicious server can crash the client
+ with a null pointer dereference (read) by specifying an anonymous (EC)DH
+ ciphersuite and sending carefully crafted handshake messages.
+ (CVE-2014-3510)
+ * By sending carefully crafted DTLS packets an attacker could cause openssl
+ to leak memory. This can be exploited through a Denial of Service attack.
+ (CVE-2014-3507)
+ * An attacker can force openssl to consume large amounts of memory whilst
+ processing DTLS handshake messages. This can be exploited through a
+ Denial of Service attack.
+ (CVE-2014-3506)
+ * An attacker can force an error condition which causes openssl to crash
+ whilst processing DTLS packets due to memory being freed twice. This
+ can be exploited through a Denial of Service attack.
+ (CVE-2014-3505)
+ * If a multithreaded client connects to a malicious server using a resumed
+ session and the server sends an ec point format extension it could write
+ up to 255 bytes to freed memory.
+ (CVE-2014-3509)
+ * A malicious server can crash an OpenSSL client with a null pointer
+ dereference (read) by specifying an SRP ciphersuite even though it was not
+ properly negotiated with the client. This can be exploited through a
+ Denial of Service attack.
+ (CVE-2014-5139)
+ * A flaw in OBJ_obj2txt may cause pretty printing functions such as
+ X509_name_oneline, X509_name_print_ex et al. to leak some information
+ from the stack. Applications may be affected if they echo pretty printing
+ output to the attacker.
+ (CVE-2014-3508)
+ * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
+ for corner cases. (Certain input points at infinity could lead to
+ bogus results, with non-infinity inputs mapped to infinity too.)
+- refreshed patches:
+ * openssl-1.0.1e-new-fips-reqs.patch
+ * 0005-libssl-Hide-library-private-symbols.patch
+ (thanks to Marcus Meissner)
+
+-------------------------------------------------------------------
Old:
----
README.SuSE
openssl-1.0.1h.tar.gz
openssl-1.0.1h.tar.gz.asc
New:
----
README.SUSE
openssl-1.0.1i.tar.gz
openssl-1.0.1i.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssl.spec ++++++
--- /var/tmp/diff_new_pack.enj1Ob/_old 2014-08-25 11:03:37.000000000 +0200
+++ /var/tmp/diff_new_pack.enj1Ob/_new 2014-08-25 11:03:37.000000000 +0200
@@ -29,7 +29,7 @@
%ifarch ppc64
Obsoletes: openssl-64bit
%endif
-Version: 1.0.1h
+Version: 1.0.1i
Release: 0
Summary: Secure Sockets and Transport Layer Security
License: OpenSSL
@@ -42,7 +42,7 @@
# to get mtime of file:
Source1: openssl.changes
Source2: baselibs.conf
-Source10: README.SuSE
+Source10: README.SUSE
Source11: README-FIPS.txt
Patch0: merge_from_0.9.8k.patch
Patch1: openssl-1.0.0-c_rehash-compat.diff
@@ -467,7 +467,7 @@
%files -f filelist
%defattr(-, root, root)
%doc CHANGE* INSTAL* AVAILABLE_CIPHERS
-%doc LICENSE NEWS README README.SuSE README-FIPS.txt
+%doc LICENSE NEWS README README.SUSE README-FIPS.txt
%dir %{ssletcdir}
%config (noreplace) %{ssletcdir}/openssl.cnf
%attr(700,root,root) %{ssletcdir}/private
++++++ 0005-libssl-Hide-library-private-symbols.patch ++++++
--- /var/tmp/diff_new_pack.enj1Ob/_old 2014-08-25 11:03:37.000000000 +0200
+++ /var/tmp/diff_new_pack.enj1Ob/_new 2014-08-25 11:03:37.000000000 +0200
@@ -16,8 +16,10 @@
ssl/t1_lib.c | 6 ++----
8 files changed, 23 insertions(+), 12 deletions(-)
---- openssl-1.0.1g.orig/ssl/d1_lib.c
-+++ openssl-1.0.1g/ssl/d1_lib.c
+Index: openssl-1.0.1i/ssl/d1_lib.c
+===================================================================
+--- openssl-1.0.1i.orig/ssl/d1_lib.c
++++ openssl-1.0.1i/ssl/d1_lib.c
@@ -67,8 +67,7 @@
#endif
@@ -28,7 +30,7 @@
SSL3_ENC_METHOD DTLSv1_enc_data={
dtls1_enc,
-@@ -468,7 +467,7 @@ static void get_current_time(struct time
+@@ -471,7 +470,7 @@ static void get_current_time(struct time
#endif
}
@@ -37,8 +39,10 @@
{
int ret;
---- openssl-1.0.1g.orig/ssl/kssl_lcl.h
-+++ openssl-1.0.1g/ssl/kssl_lcl.h
+Index: openssl-1.0.1i/ssl/kssl_lcl.h
+===================================================================
+--- openssl-1.0.1i.orig/ssl/kssl_lcl.h
++++ openssl-1.0.1i/ssl/kssl_lcl.h
@@ -61,6 +61,10 @@
#include <openssl/kssl.h>
@@ -60,8 +64,10 @@
+#endif
+
#endif /* KSSL_LCL_H */
---- openssl-1.0.1g.orig/ssl/s23_srvr.c
-+++ openssl-1.0.1g/ssl/s23_srvr.c
+Index: openssl-1.0.1i/ssl/s23_srvr.c
+===================================================================
+--- openssl-1.0.1i.orig/ssl/s23_srvr.c
++++ openssl-1.0.1i/ssl/s23_srvr.c
@@ -120,7 +120,7 @@
#endif
@@ -80,8 +86,10 @@
{
char buf_space[11]; /* Request this many bytes in initial read.
* We can detect SSL 3.0/TLS 1.0 Client Hellos
---- openssl-1.0.1g.orig/ssl/s2_lib.c
-+++ openssl-1.0.1g/ssl/s2_lib.c
+Index: openssl-1.0.1i/ssl/s2_lib.c
+===================================================================
+--- openssl-1.0.1i.orig/ssl/s2_lib.c
++++ openssl-1.0.1i/ssl/s2_lib.c
@@ -116,7 +116,6 @@
#include <openssl/evp.h>
#include <openssl/md5.h>
@@ -90,8 +98,10 @@
#define SSL2_NUM_CIPHERS (sizeof(ssl2_ciphers)/sizeof(SSL_CIPHER))
---- openssl-1.0.1g.orig/ssl/s3_lib.c
-+++ openssl-1.0.1g/ssl/s3_lib.c
+Index: openssl-1.0.1i/ssl/s3_lib.c
+===================================================================
+--- openssl-1.0.1i.orig/ssl/s3_lib.c
++++ openssl-1.0.1i/ssl/s3_lib.c
@@ -162,7 +162,6 @@
#include <openssl/dh.h>
#endif
@@ -100,8 +110,10 @@
#define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER))
---- openssl-1.0.1g.orig/ssl/ssl_lib.c
-+++ openssl-1.0.1g/ssl/ssl_lib.c
+Index: openssl-1.0.1i/ssl/ssl_lib.c
+===================================================================
+--- openssl-1.0.1i.orig/ssl/ssl_lib.c
++++ openssl-1.0.1i/ssl/ssl_lib.c
@@ -160,7 +160,6 @@
#include <openssl/engine.h>
#endif
@@ -110,8 +122,10 @@
SSL3_ENC_METHOD ssl3_undef_enc_method={
/* evil casts, but these functions are only called if there's a library
bug */
---- openssl-1.0.1g.orig/ssl/ssl_locl.h
-+++ openssl-1.0.1g/ssl/ssl_locl.h
+Index: openssl-1.0.1i/ssl/ssl_locl.h
+===================================================================
+--- openssl-1.0.1i.orig/ssl/ssl_locl.h
++++ openssl-1.0.1i/ssl/ssl_locl.h
@@ -165,6 +165,10 @@
#include <openssl/ssl.h>
#include <openssl/symhacks.h>
@@ -123,21 +137,25 @@
#ifdef OPENSSL_BUILD_SHLIBSSL
# undef OPENSSL_EXTERN
# define OPENSSL_EXTERN OPENSSL_EXPORT
-@@ -1174,4 +1178,12 @@ void tls_fips_digest_extra(
- const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx,
- const unsigned char *data, size_t data_len, size_t orig_len);
+@@ -1194,5 +1198,14 @@ int srp_verify_server_param(SSL *s, int
+ #define tls1_process_heartbeat SSL_test_functions()->p_tls1_process_heartbeat
+ #define dtls1_process_heartbeat
SSL_test_functions()->p_dtls1_process_heartbeat
+int private_tls1_PRF(long digest_mask, const void *seed1, int seed1_len,
const void *seed2, int seed2_len,
+ const void *seed3, int seed3_len, const void *seed4, int
seed4_len, const void *seed5, int seed5_len,
+ const unsigned char *sec, int slen, unsigned char *out1,
unsigned char *out2, int olen);
+
+ #endif
++
+#if defined(__GNUC__) && __GNUC__ >= 4
+#pragma GCC visibility pop
+#endif
+
#endif
---- openssl-1.0.1g.orig/ssl/t1_lib.c
-+++ openssl-1.0.1g/ssl/t1_lib.c
+Index: openssl-1.0.1i/ssl/t1_lib.c
+===================================================================
+--- openssl-1.0.1i.orig/ssl/t1_lib.c
++++ openssl-1.0.1i/ssl/t1_lib.c
@@ -117,7 +117,6 @@
#include <openssl/rand.h>
#include "ssl_locl.h"
++++++ README.SUSE ++++++
Please note that the man pages for the openssl libraries and tools
have been placed in a package on its own right: openssl-doc Please
install the openssl-doc package if you need the man pages, HTML
documentation or sample C programs.
The C header files and static libraries have also been extracted, they
can now be found in the openssl-devel package.
Your SuSE Team.
++++++ openssl-1.0.1e-new-fips-reqs.patch ++++++
--- /var/tmp/diff_new_pack.enj1Ob/_old 2014-08-25 11:03:37.000000000 +0200
+++ /var/tmp/diff_new_pack.enj1Ob/_new 2014-08-25 11:03:37.000000000 +0200
@@ -1,7 +1,7 @@
-Index: openssl-1.0.1g/crypto/bn/bn_rand.c
+Index: openssl-1.0.1i/crypto/bn/bn_rand.c
===================================================================
---- openssl-1.0.1g.orig/crypto/bn/bn_rand.c
-+++ openssl-1.0.1g/crypto/bn/bn_rand.c
+--- openssl-1.0.1i.orig/crypto/bn/bn_rand.c 2014-08-07 16:22:48.583087630
+0200
++++ openssl-1.0.1i/crypto/bn/bn_rand.c 2014-08-07 16:22:49.458098281 +0200
@@ -138,9 +138,12 @@ static int bnrand(int pseudorand, BIGNUM
goto err;
}
@@ -18,10 +18,10 @@
if (pseudorand)
{
-Index: openssl-1.0.1g/crypto/dh/dh_gen.c
+Index: openssl-1.0.1i/crypto/dh/dh_gen.c
===================================================================
---- openssl-1.0.1g.orig/crypto/dh/dh_gen.c
-+++ openssl-1.0.1g/crypto/dh/dh_gen.c
+--- openssl-1.0.1i.orig/crypto/dh/dh_gen.c 2014-08-07 16:22:48.583087630
+0200
++++ openssl-1.0.1i/crypto/dh/dh_gen.c 2014-08-07 16:22:49.458098281 +0200
@@ -125,7 +125,7 @@ static int dh_builtin_genparams(DH *ret,
return 0;
}
@@ -31,10 +31,10 @@
{
DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
goto err;
-Index: openssl-1.0.1g/crypto/dh/dh.h
+Index: openssl-1.0.1i/crypto/dh/dh.h
===================================================================
---- openssl-1.0.1g.orig/crypto/dh/dh.h
-+++ openssl-1.0.1g/crypto/dh/dh.h
+--- openssl-1.0.1i.orig/crypto/dh/dh.h 2014-08-07 16:22:48.583087630 +0200
++++ openssl-1.0.1i/crypto/dh/dh.h 2014-08-07 16:22:49.458098281 +0200
@@ -78,6 +78,7 @@
#endif
@@ -43,10 +43,10 @@
#define DH_FLAG_CACHE_MONT_P 0x01
#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
-Index: openssl-1.0.1g/crypto/dh/dh_check.c
+Index: openssl-1.0.1i/crypto/dh/dh_check.c
===================================================================
---- openssl-1.0.1g.orig/crypto/dh/dh_check.c
-+++ openssl-1.0.1g/crypto/dh/dh_check.c
+--- openssl-1.0.1i.orig/crypto/dh/dh_check.c 2014-08-07 16:22:48.584087643
+0200
++++ openssl-1.0.1i/crypto/dh/dh_check.c 2014-08-07 16:22:49.458098281
+0200
@@ -134,7 +134,33 @@ int DH_check_pub_key(const DH *dh, const
BN_sub_word(q,1);
if (BN_cmp(pub_key,q)>=0)
@@ -67,24 +67,24 @@
+ }
+ if (!BN_is_one(q))
+ {
-+ /* it would be more correct to add new return flag
++ /* it would be more correct to add new return flag
+ * for this test, but we do not want to do it
+ * so just error out
+ */
+ BN_CTX_free(ctx);
+ goto err;
+ }
-+
++
+ BN_CTX_free(ctx);
+ }
+#endif
ok = 1;
err:
if (q != NULL) BN_free(q);
-Index: openssl-1.0.1g/crypto/dsa/dsa_gen.c
+Index: openssl-1.0.1i/crypto/dsa/dsa_gen.c
===================================================================
---- openssl-1.0.1g.orig/crypto/dsa/dsa_gen.c
-+++ openssl-1.0.1g/crypto/dsa/dsa_gen.c
+--- openssl-1.0.1i.orig/crypto/dsa/dsa_gen.c 2014-08-07 16:22:48.584087643
+0200
++++ openssl-1.0.1i/crypto/dsa/dsa_gen.c 2014-08-07 16:22:49.458098281
+0200
@@ -159,7 +159,6 @@ int dsa_builtin_paramgen(DSA *ret, size_
}
@@ -93,10 +93,10 @@
(bits != 2048 || qbits != 224) &&
(bits != 2048 || qbits != 256) &&
(bits != 3072 || qbits != 256))
-Index: openssl-1.0.1g/crypto/dsa/dsa.h
+Index: openssl-1.0.1i/crypto/dsa/dsa.h
===================================================================
---- openssl-1.0.1g.orig/crypto/dsa/dsa.h
-+++ openssl-1.0.1g/crypto/dsa/dsa.h
+--- openssl-1.0.1i.orig/crypto/dsa/dsa.h 2014-08-07 16:22:48.584087643
+0200
++++ openssl-1.0.1i/crypto/dsa/dsa.h 2014-08-07 16:22:49.458098281 +0200
@@ -89,6 +89,7 @@
#endif
@@ -118,10 +118,10 @@
#define DSA_is_prime(n, callback, cb_arg) \
BN_is_prime(n, DSS_prime_checks, callback, NULL, cb_arg)
-Index: openssl-1.0.1g/crypto/dsa/dsa_key.c
+Index: openssl-1.0.1i/crypto/dsa/dsa_key.c
===================================================================
---- openssl-1.0.1g.orig/crypto/dsa/dsa_key.c
-+++ openssl-1.0.1g/crypto/dsa/dsa_key.c
+--- openssl-1.0.1i.orig/crypto/dsa/dsa_key.c 2014-08-07 16:22:48.584087643
+0200
++++ openssl-1.0.1i/crypto/dsa/dsa_key.c 2014-08-07 16:22:49.458098281
+0200
@@ -122,7 +122,7 @@ static int dsa_builtin_keygen(DSA *dsa)
#ifdef OPENSSL_FIPS
@@ -131,10 +131,10 @@
{
DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
goto err;
-Index: openssl-1.0.1g/crypto/fips/fips_dh_selftest.c
+Index: openssl-1.0.1i/crypto/fips/fips_dh_selftest.c
===================================================================
---- /dev/null
-+++ openssl-1.0.1g/crypto/fips/fips_dh_selftest.c
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ openssl-1.0.1i/crypto/fips/fips_dh_selftest.c 2014-08-07
16:22:49.458098281 +0200
@@ -0,0 +1,162 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
@@ -145,7 +145,7 @@
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
++ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
@@ -298,10 +298,10 @@
+ return ret;
+ }
+#endif
-Index: openssl-1.0.1g/crypto/fips/fips_drbg_rand.c
+Index: openssl-1.0.1i/crypto/fips/fips_drbg_rand.c
===================================================================
---- openssl-1.0.1g.orig/crypto/fips/fips_drbg_rand.c
-+++ openssl-1.0.1g/crypto/fips/fips_drbg_rand.c
+--- openssl-1.0.1i.orig/crypto/fips/fips_drbg_rand.c 2014-08-07
16:22:48.584087643 +0200
++++ openssl-1.0.1i/crypto/fips/fips_drbg_rand.c 2014-08-07
16:22:49.458098281 +0200
@@ -77,7 +77,8 @@ static int fips_drbg_bytes(unsigned char
int rv = 0;
unsigned char *adin = NULL;
@@ -382,10 +382,10 @@
}
static const RAND_METHOD rand_drbg_meth =
-Index: openssl-1.0.1g/crypto/fips/fips.h
+Index: openssl-1.0.1i/crypto/fips/fips.h
===================================================================
---- openssl-1.0.1g.orig/crypto/fips/fips.h
-+++ openssl-1.0.1g/crypto/fips/fips.h
+--- openssl-1.0.1i.orig/crypto/fips/fips.h 2014-08-07 16:22:48.584087643
+0200
++++ openssl-1.0.1i/crypto/fips/fips.h 2014-08-07 16:22:49.459098294 +0200
@@ -96,6 +96,7 @@ void FIPS_corrupt_dsa_keygen(void);
int FIPS_selftest_dsa(void);
int FIPS_selftest_ecdsa(void);
@@ -394,10 +394,10 @@
void FIPS_corrupt_rng(void);
void FIPS_rng_stick(void);
void FIPS_x931_stick(int onoff);
-Index: openssl-1.0.1g/crypto/fips/fips_post.c
+Index: openssl-1.0.1i/crypto/fips/fips_post.c
===================================================================
---- openssl-1.0.1g.orig/crypto/fips/fips_post.c
-+++ openssl-1.0.1g/crypto/fips/fips_post.c
+--- openssl-1.0.1i.orig/crypto/fips/fips_post.c 2014-08-07
16:22:48.584087643 +0200
++++ openssl-1.0.1i/crypto/fips/fips_post.c 2014-08-07 16:22:49.459098294
+0200
@@ -99,6 +99,8 @@ int FIPS_selftest(void)
rv = 0;
if (!FIPS_selftest_dsa())
@@ -407,10 +407,10 @@
if (!FIPS_selftest_ecdh())
rv = 0;
return rv;
-Index: openssl-1.0.1g/crypto/fips/fips_rsa_selftest.c
+Index: openssl-1.0.1i/crypto/fips/fips_rsa_selftest.c
===================================================================
---- openssl-1.0.1g.orig/crypto/fips/fips_rsa_selftest.c
-+++ openssl-1.0.1g/crypto/fips/fips_rsa_selftest.c
+--- openssl-1.0.1i.orig/crypto/fips/fips_rsa_selftest.c 2014-08-07
16:22:48.585087655 +0200
++++ openssl-1.0.1i/crypto/fips/fips_rsa_selftest.c 2014-08-07
16:22:49.459098294 +0200
@@ -340,6 +340,42 @@ static const unsigned char kat_RSA_X931_
0x60, 0x83, 0x18, 0x88, 0xA3, 0xF5, 0x59, 0xC3
};
@@ -480,10 +480,10 @@
RSA_free(key);
return ret;
}
-Index: openssl-1.0.1g/crypto/fips/Makefile
+Index: openssl-1.0.1i/crypto/fips/Makefile
===================================================================
---- openssl-1.0.1g.orig/crypto/fips/Makefile
-+++ openssl-1.0.1g/crypto/fips/Makefile
+--- openssl-1.0.1i.orig/crypto/fips/Makefile 2014-08-07 16:22:48.585087655
+0200
++++ openssl-1.0.1i/crypto/fips/Makefile 2014-08-07 16:22:49.459098294
+0200
@@ -24,13 +24,15 @@ LIBSRC=fips_aes_selftest.c fips_des_self
fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c
fips_rand.c \
fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c
fips_drbg_hmac.c \
@@ -502,10 +502,10 @@
LIBCRYPTO=-L.. -lcrypto
-Index: openssl-1.0.1g/crypto/modes/gcm128.c
+Index: openssl-1.0.1i/crypto/modes/gcm128.c
===================================================================
---- openssl-1.0.1g.orig/crypto/modes/gcm128.c
-+++ openssl-1.0.1g/crypto/modes/gcm128.c
+--- openssl-1.0.1i.orig/crypto/modes/gcm128.c 2014-08-07 16:22:48.585087655
+0200
++++ openssl-1.0.1i/crypto/modes/gcm128.c 2014-08-07 16:22:49.459098294
+0200
@@ -906,6 +906,10 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT
# endif
#endif
@@ -528,10 +528,10 @@
mlen += len;
if (mlen>((U64(1)<<36)-32) || (sizeof(len)==8 && mlen<len))
return -1;
-Index: openssl-1.0.1g/crypto/modes/modes_lcl.h
+Index: openssl-1.0.1i/crypto/modes/modes_lcl.h
===================================================================
---- openssl-1.0.1g.orig/crypto/modes/modes_lcl.h
-+++ openssl-1.0.1g/crypto/modes/modes_lcl.h
+--- openssl-1.0.1i.orig/crypto/modes/modes_lcl.h 2014-08-07
16:22:48.585087655 +0200
++++ openssl-1.0.1i/crypto/modes/modes_lcl.h 2014-08-07 16:22:49.459098294
+0200
@@ -114,6 +114,8 @@ struct gcm128_context {
unsigned int mres, ares;
block128_f block;
@@ -541,10 +541,10 @@
};
struct xts128_context {
-Index: openssl-1.0.1g/crypto/rand/md_rand.c
+Index: openssl-1.0.1i/crypto/rand/md_rand.c
===================================================================
---- openssl-1.0.1g.orig/crypto/rand/md_rand.c
-+++ openssl-1.0.1g/crypto/rand/md_rand.c
+--- openssl-1.0.1i.orig/crypto/rand/md_rand.c 2014-08-07 16:22:44.906042872
+0200
++++ openssl-1.0.1i/crypto/rand/md_rand.c 2014-08-07 16:25:51.798310523
+0200
@@ -143,12 +143,6 @@ static long md_count[2]={0,0};
static double entropy=0;
static int initialized=0;
@@ -558,7 +558,7 @@
#ifdef PREDICT
int rand_predictable=0;
-@@ -196,7 +190,7 @@ static void ssleay_rand_add(const void *
+@@ -195,7 +189,7 @@ static void ssleay_rand_add(const void *
long md_c[2];
unsigned char local_md[MD_DIGEST_LENGTH];
EVP_MD_CTX m;
@@ -567,7 +567,7 @@
if (!num)
return;
-@@ -216,19 +210,8 @@ static void ssleay_rand_add(const void *
+@@ -215,19 +209,8 @@ static void ssleay_rand_add(const void *
* hash function.
*/
@@ -588,7 +588,7 @@
st_idx=state_index;
/* use our own copies of the counters so that even
-@@ -260,7 +243,8 @@ static void ssleay_rand_add(const void *
+@@ -259,7 +242,8 @@ static void ssleay_rand_add(const void *
md_count[1] += (num / MD_DIGEST_LENGTH) + (num % MD_DIGEST_LENGTH > 0);
@@ -598,7 +598,7 @@
EVP_MD_CTX_init(&m);
for (i=0; i<num; i+=MD_DIGEST_LENGTH)
-@@ -311,7 +295,7 @@ static void ssleay_rand_add(const void *
+@@ -310,7 +294,7 @@ static void ssleay_rand_add(const void *
}
EVP_MD_CTX_cleanup(&m);
@@ -607,7 +607,7 @@
/* Don't just copy back local_md into md -- this could mean that
* other thread's seeding remains without effect (except for
* the incremented counter). By XORing it we keep at least as
-@@ -322,7 +306,8 @@ static void ssleay_rand_add(const void *
+@@ -321,7 +305,8 @@ static void ssleay_rand_add(const void *
}
if (entropy < ENTROPY_NEEDED) /* stop counting when we have enough */
entropy += add;
@@ -617,7 +617,7 @@
#if !defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32)
assert(md_c[1] == md_count[1]);
-@@ -347,6 +332,7 @@ static int ssleay_rand_bytes(unsigned ch
+@@ -346,6 +331,7 @@ int ssleay_rand_bytes(unsigned char *buf
pid_t curr_pid = getpid();
#endif
int do_stir_pool = 0;
@@ -625,55 +625,52 @@
#ifdef PREDICT
if (rand_predictable)
-@@ -387,13 +373,8 @@ static int ssleay_rand_bytes(unsigned ch
- /* NB: in FIPS mode we are already under a lock */
- if (!FIPS_mode())
- #endif
+@@ -382,14 +368,7 @@ int ssleay_rand_bytes(unsigned char *buf
+ * are fed into the hash function and the results are kept in the
+ * global 'md'.
+ */
+- if (lock)
- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-
+-
- /* prevent ssleay_rand_bytes() from trying to obtain the lock again */
- CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
- CRYPTO_THREADID_current(&locking_threadid);
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
- crypto_lock_rand = 1;
-+ locked = private_RAND_lock(1);
++ locked = private_RAND_lock(1);
/* always poll for external entropy in FIPS mode, drbg provides the
* expansion
-@@ -467,12 +448,11 @@ static int ssleay_rand_bytes(unsigned ch
+@@ -463,10 +442,8 @@ int ssleay_rand_bytes(unsigned char *buf
md_count[0] += 1;
- /* before unlocking, we must clear 'crypto_lock_rand' */
- crypto_lock_rand = 0;
- #ifdef OPENSSL_FIPS
- if (!FIPS_mode())
- #endif
+- if (lock)
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+ if (locked)
-+ private_RAND_lock(0);
++ if (locked)
++ private_RAND_lock(0);
while (num > 0)
{
-@@ -527,13 +507,15 @@ static int ssleay_rand_bytes(unsigned ch
- #ifdef OPENSSL_FIPS
- if (!FIPS_mode())
- #endif
+@@ -518,12 +495,11 @@ int ssleay_rand_bytes(unsigned char *buf
+ MD_Init(&m);
+ MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
+ MD_Update(&m,local_md,MD_DIGEST_LENGTH);
+- if (lock)
- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-+ locked = private_RAND_lock(1);
++ locked = private_RAND_lock(1);
MD_Update(&m,md,MD_DIGEST_LENGTH);
MD_Final(&m,md);
- #ifdef OPENSSL_FIPS
- if (!FIPS_mode())
- #endif
+- if (lock)
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-+
-+ if (locked)
-+ private_RAND_lock(0);
++ if (locked)
++ private_RAND_lock(0);
EVP_MD_CTX_cleanup(&m);
if (ok)
-@@ -563,32 +545,10 @@ static int ssleay_rand_pseudo_bytes(unsi
+@@ -553,32 +529,10 @@ static int ssleay_rand_pseudo_bytes(unsi
static int ssleay_rand_status(void)
{
@@ -708,7 +705,7 @@
if (!initialized)
{
-@@ -598,13 +558,8 @@ static int ssleay_rand_status(void)
+@@ -588,13 +542,8 @@ static int ssleay_rand_status(void)
ret = entropy >= ENTROPY_NEEDED;
@@ -724,10 +721,10 @@
return ret;
}
-Index: openssl-1.0.1g/crypto/rand/rand.h
+Index: openssl-1.0.1i/crypto/rand/rand.h
===================================================================
---- openssl-1.0.1g.orig/crypto/rand/rand.h
-+++ openssl-1.0.1g/crypto/rand/rand.h
+--- openssl-1.0.1i.orig/crypto/rand/rand.h 2014-08-07 16:22:48.586087667
+0200
++++ openssl-1.0.1i/crypto/rand/rand.h 2014-08-07 16:22:49.459098294 +0200
@@ -124,6 +124,8 @@ void RAND_set_fips_drbg_type(int type, i
int RAND_init_fips(void);
#endif
@@ -737,10 +734,10 @@
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
-Index: openssl-1.0.1g/crypto/rand/rand_lcl.h
+Index: openssl-1.0.1i/crypto/rand/rand_lcl.h
===================================================================
---- openssl-1.0.1g.orig/crypto/rand/rand_lcl.h
-+++ openssl-1.0.1g/crypto/rand/rand_lcl.h
+--- openssl-1.0.1i.orig/crypto/rand/rand_lcl.h 2014-08-07 16:22:48.586087667
+0200
++++ openssl-1.0.1i/crypto/rand/rand_lcl.h 2014-08-07 16:22:49.459098294
+0200
@@ -112,7 +112,7 @@
#ifndef HEADER_RAND_LCL_H
#define HEADER_RAND_LCL_H
@@ -750,11 +747,11 @@
#if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) &&
!defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
-Index: openssl-1.0.1g/crypto/rand/rand_lib.c
+Index: openssl-1.0.1i/crypto/rand/rand_lib.c
===================================================================
---- openssl-1.0.1g.orig/crypto/rand/rand_lib.c
-+++ openssl-1.0.1g/crypto/rand/rand_lib.c
-@@ -181,6 +181,41 @@ int RAND_status(void)
+--- openssl-1.0.1i.orig/crypto/rand/rand_lib.c 2014-08-07 16:22:48.586087667
+0200
++++ openssl-1.0.1i/crypto/rand/rand_lib.c 2014-08-07 16:22:49.460098306
+0200
+@@ -182,6 +182,41 @@ int RAND_status(void)
return 0;
}
@@ -796,7 +793,7 @@
#ifdef OPENSSL_FIPS
/* FIPS DRBG initialisation code. This sets up the DRBG for use by the
-@@ -239,12 +274,16 @@ static int drbg_rand_add(DRBG_CTX *ctx,
+@@ -240,12 +275,16 @@ static int drbg_rand_add(DRBG_CTX *ctx,
double entropy)
{
RAND_SSLeay()->add(in, inlen, entropy);
@@ -813,10 +810,10 @@
return 1;
}
-Index: openssl-1.0.1g/crypto/rsa/rsa_gen.c
+Index: openssl-1.0.1i/crypto/rsa/rsa_gen.c
===================================================================
---- openssl-1.0.1g.orig/crypto/rsa/rsa_gen.c
-+++ openssl-1.0.1g/crypto/rsa/rsa_gen.c
+--- openssl-1.0.1i.orig/crypto/rsa/rsa_gen.c 2014-08-07 16:22:44.906042872
+0200
++++ openssl-1.0.1i/crypto/rsa/rsa_gen.c 2014-08-07 16:22:49.460098306
+0200
@@ -1,5 +1,6 @@
/* crypto/rsa/rsa_gen.c */
/* Copyright (C) 1995-1998 Eric Young (e...@cryptsoft.com)
@@ -914,7 +911,7 @@
+ r = BN_is_prime_fasttest_ex(rsa->p, pbits>1024?4:5,
ctx, 0, cb);
+ if (r == -1 || (test && r <= 0)) goto err;
+ if (r > 0) break;
-+ }
++ }
+
+ if(!BN_GENCB_call(cb, 2, n++))
+ goto err;
@@ -952,7 +949,7 @@
+ r = BN_is_prime_fasttest_ex(rsa->q, pbits>1024?4:5,
ctx, 0, cb);
+ if (r == -1 || (test && r <= 0)) goto err;
+ if (r > 0) break;
-+ }
++ }
+
+ if(!BN_GENCB_call(cb, 2, n++))
+ goto err;
@@ -1084,10 +1081,10 @@
ok=1;
err:
if (ok == -1)
-Index: openssl-1.0.1g/ssl/t1_enc.c
+Index: openssl-1.0.1i/ssl/t1_enc.c
===================================================================
---- openssl-1.0.1g.orig/ssl/t1_enc.c
-+++ openssl-1.0.1g/ssl/t1_enc.c
+--- openssl-1.0.1i.orig/ssl/t1_enc.c 2014-08-07 16:22:48.587087679 +0200
++++ openssl-1.0.1i/ssl/t1_enc.c 2014-08-07 16:22:49.460098306 +0200
@@ -291,6 +291,27 @@ static int tls1_PRF(long digest_mask,
err:
return ret;
++++++ openssl.keyring ++++++
--- /var/tmp/diff_new_pack.enj1Ob/_old 2014-08-25 11:03:37.000000000 +0200
+++ /var/tmp/diff_new_pack.enj1Ob/_new 2014-08-25 11:03:37.000000000 +0200
@@ -147,3 +147,40 @@
TInCFx1evwVXM3s6
=eP1B
-----END PGP PUBLIC KEY BLOCK-----
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.19 (GNU/Linux)
+
+mQENBFGALsIBCADBkh6zfxbewW2KJjaMaishSrpxuiVaUyvWgpe6Moae7JNCW8ay
+hJbwAtsQ69SGA4gUkyrR6PBvDMVYEiYqZwXB/3IErStESjcu+gkbmsa0XcwHpkE3
+iN7I8aU66yMt710nGEmcrR5E4u4NuNoHtnOBKEh+RCLGp5mo6hwbUYUzG3eUI/zi
+2hLApPpaATXnD3ZkhgtHV3ln3Z16nUWQAdIVToxYhvVno2EQsqe8Q3ifl2Uf0Ypa
+N19BDBrxM3WPOAKbJk0Ab1bjgEadavrFBCOl9CrbThewRGmkOdxJWaVkERXMShlz
+UzjJvKOUEUGOxJCmnfQimPQoCdQyVFLgHfRFABEBAAG0IE1hdHQgQ2Fzd2VsbCA8
+ZnJvZG9AYmFnZ2lucy5vcmc+iQE4BBMBAgAiBQJRgC7CAhsDBgsJCAcDAgYVCAIJ
+CgsEFgIDAQIeAQIXgAAKCRDZxNJtDmBEkWP+B/0SsWSeLGo+viob8935Uirei4Fv
+nzGOUV1w/dgDLSzavmysVxb4q9psp1vj1KEtm18vzZO79AeARGwWTQYGmFmrNRWZ
+2DgbjGyJ4LS5kLBqQ9FaF7vUFtml6R04yx+RTgQTg601XsAjeU8uSarmeZgGVMAI
+nsdMrUc74lJeWKSnovr4IFOdgiU/env19tK355bsfTvb0ksE5Q7wnnoRXdLyNet0
+AWf4ednWDEnRb6cIVDF28URjxH6yIfqAVe7VnuDB4Sfuck4R4gYFS/xGfTgocPUD
+Z4rUz8wleGLwDIiU7GpilmtZTl1FTPkFa/mqbcJgdVTJqLZO5vISJkZvqE5UtB9N
+YXR0IENhc3dlbGwgPG1hdHRAb3BlbnNzbC5vcmc+iQE4BBMBAgAiBQJT3r68AhsD
+BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDZxNJtDmBEkaA9B/9ZRCV36+uq
+3b7JMjotM1NAEb1Fx425pmJGexE5HV4e1Wv045/NU96cJq9xeCHCxjSw8+BIOu8W
+6v0/K67BDzseZ1f5kZ1E/e1JrELi50dsCxm0QbtuBSjO6F9ykL4CHSVncRxybI6R
+glYhNZiBQEQM5Tfuqd7T250MwDY0cu4vz2FP54hnalXDIXJ2Ql+Re2B+sOrdGZmB
+95tUHkRJ1qn8bu3sh7CL3mzICkyP2zBvGeypS2YWvR8KxV0ADyEk+rH3NW5SifSD
+VAzPYiug0f7pZMO3tIZhy6o1qmLOT88l3qDZ7D1ybevcIgA2Ko+CjQyHTadUaBfa
+n29ZxPgzOq4GuQENBFGALsIBCADPZ1CQBKbFQWMCvdjz/TJaNf3rV6eiYASOvLDg
+icU8Mwa208yJXr1UF6lvc3Tgw+jmynIBjbhvhujcJ+eD+jHEaXdncaK/WAPsmiNM
+k+glZ4cbF48HP77kOLQQC+rX7jAF0VSHhFZNtnCpOByQevCJlwgkXckYvRyBOYk6
+2R7BwuLIwLIq4ZXNKPIVN4KpCodhIcGuvlPJczcdOoaBRGcSFUbXqM9Y8whyJhex
+F87RHAyGpjvLnJFSgLimyYBRpFN25LzYFpXPD4MeLUVDSRgtSxOJ2KmkhMHntUqQ
+P1XsIgzm4/ez6Mwkxc0QlAQp0r2gJU56QPdE5zgx+2q/i+WhABEBAAGJAR8EGAEC
+AAkFAlGALsICGwwACgkQ2cTSbQ5gRJELNgf/elwfYchaV/24buNWDa+50gOuXQ4v
+Xfj5DKry6aYnJBt1UeMV1ssMxCU8OltgzTMhTupjrXV1oDXYAxexymWLxwa+qcrb
+SwDD+wX1gb1O2GOfbiplEnOb5dDc7Gkm8eTw0kBJEiAiyPv4SMLhFzm+me4Dq1+x
+dbsvN05hxTjow9pi5eYrFMxYWi1ZNH2UmPpgoIN/4p28G/IN9fdWG5Ni315p3WhL
+HRMzC609IOsCIJsm8+lHVblT30jxpctFVlQBtbDTzgqQLiaTVevlca3VYgMd70D2
+8d186gxUtSEpZ3dKkv+0V8DLhQ6VR/wQ780HKIpFp6UWP5aDxpEoOEwe2g==
+=Q8X3
+-----END PGP PUBLIC KEY BLOCK-----
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
