[Pkg-openssl-changes] r680 - in openssl/branches/wheezy/debian: . patches

Kurt Roeckx kroeckx at moszumanska.debian.org
Sun Jun 15 11:30:46 UTC 2014


Author: kroeckx
Date: 2014-06-15 11:30:45 +0000 (Sun, 15 Jun 2014)
New Revision: 680

Modified:
   openssl/branches/wheezy/debian/changelog
   openssl/branches/wheezy/debian/patches/ECDHE-ECDSA_Safari.patch
Log:
define SSL_OP_MSIE_SSLV2_RSA_PADDING to 0


Modified: openssl/branches/wheezy/debian/changelog
===================================================================
--- openssl/branches/wheezy/debian/changelog	2014-06-15 11:30:22 UTC (rev 679)
+++ openssl/branches/wheezy/debian/changelog	2014-06-15 11:30:45 UTC (rev 680)
@@ -5,6 +5,8 @@
   * Fix CVE-2012-4929 (CRiME) by disabling zlib compression by default.
     It can be enabled again by setting the environment variable
     OPENSSL_NO_DEFAULT_ZLIB.  (Closes: #728055)
+  * Update ECDHE-ECDSA_Safari.patch to define SSL_OP_MSIE_SSLV2_RSA_PADDING
+    again but to 0 so things keep building.  (Closes: #751457)
 
  -- Kurt Roeckx <kurt at roeckx.be>  Sun, 15 Jun 2014 12:31:21 +0200
 

Modified: openssl/branches/wheezy/debian/patches/ECDHE-ECDSA_Safari.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/ECDHE-ECDSA_Safari.patch	2014-06-15 11:30:22 UTC (rev 679)
+++ openssl/branches/wheezy/debian/patches/ECDHE-ECDSA_Safari.patch	2014-06-15 11:30:45 UTC (rev 680)
@@ -6,11 +6,11 @@
 Origin: upstream, commit:4b61f6d2a675fdb57dc93991e7b332a745b44d1f, commit:937f125efc80d7a4e80a5a02ec0eae02ea0b55ac, commit:f4a51970d245a61e991a0c2e196853e81a1a6c53
 
 
-diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
-index cc588f3..fded060 100644
---- a/doc/ssl/SSL_CTX_set_options.pod
-+++ b/doc/ssl/SSL_CTX_set_options.pod
-@@ -88,9 +88,10 @@ As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect.
+Index: openssl-1.0.1e/doc/ssl/SSL_CTX_set_options.pod
+===================================================================
+--- openssl-1.0.1e.orig/doc/ssl/SSL_CTX_set_options.pod
++++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_options.pod
+@@ -88,9 +88,10 @@ As of OpenSSL 0.9.8q and 1.0.0c, this op
  
  ...
  
@@ -23,10 +23,10 @@
  
  =item SSL_OP_SSLEAY_080_CLIENT_DH_BUG
  
-diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
-index e7c5dcb..c2428f4 100644
---- a/ssl/s3_lib.c
-+++ b/ssl/s3_lib.c
+Index: openssl-1.0.1e/ssl/s3_lib.c
+===================================================================
+--- openssl-1.0.1e.orig/ssl/s3_lib.c
++++ openssl-1.0.1e/ssl/s3_lib.c
 @@ -3037,6 +3037,11 @@ void ssl3_clear(SSL *s)
  		s->s3->tmp.ecdh = NULL;
  		}
@@ -39,7 +39,7 @@
  
  	rp = s->s3->rbuf.buf;
  	wp = s->s3->wbuf.buf;
-@@ -4016,6 +4021,13 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
+@@ -4016,6 +4021,13 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, S
  		ii=sk_SSL_CIPHER_find(allow,c);
  		if (ii >= 0)
  			{
@@ -53,11 +53,11 @@
  			ret=sk_SSL_CIPHER_value(allow,ii);
  			break;
  			}
-diff --git a/ssl/ssl.h b/ssl/ssl.h
-index 593579e..c48990e 100644
---- a/ssl/ssl.h
-+++ b/ssl/ssl.h
-@@ -555,7 +555,7 @@ struct ssl_session_st
+Index: openssl-1.0.1e/ssl/ssl.h
+===================================================================
+--- openssl-1.0.1e.orig/ssl/ssl.h
++++ openssl-1.0.1e/ssl/ssl.h
+@@ -555,11 +555,14 @@ struct ssl_session_st
  #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG		0x00000008L
  #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x00000010L
  #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER		0x00000020L
@@ -66,10 +66,17 @@
  #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG			0x00000080L
  #define SSL_OP_TLS_D5_BUG				0x00000100L
  #define SSL_OP_TLS_BLOCK_PADDING_BUG			0x00000200L
-diff --git a/ssl/ssl3.h b/ssl/ssl3.h
-index 247e88c..208b392 100644
---- a/ssl/ssl3.h
-+++ b/ssl/ssl3.h
+ 
++/* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */
++#define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x0
++
+ /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
+  * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
+  * the workaround is not needed.  Unfortunately some broken SSL/TLS
+Index: openssl-1.0.1e/ssl/ssl3.h
+===================================================================
+--- openssl-1.0.1e.orig/ssl/ssl3.h
++++ openssl-1.0.1e/ssl/ssl3.h
 @@ -539,6 +539,15 @@ typedef struct ssl3_state_st
  	/* Set if we saw the Next Protocol Negotiation extension from our peer. */
  	int next_proto_neg_seen;
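Review bot: The new `#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0` keeps callers compiling, but it also silently changes semantics for any program that reads the flag back: `SSL_CTX_get_options(ctx) & SSL_OP_MSIE_SSLV2_RSA_PADDING` is now always 0 and `SSL_CTX_clear_options()` with it is a no-op, so a caller that used the bit as a sentinel would misbehave at runtime rather than fail to build. The comment should state that explicitly, e.g. `/* Hasn't done anything since OpenSSL 0.9.7h. Kept (as 0) so callers still build; setting, clearing or testing it is now a no-op. */`. The option's former bit value is not visible in this hunk; if it has been reassigned to SSL_OP_SAFARI_ECDHE_ECDSA_BUG elsewhere in this patch, that is worth recording in the changelog as well, since applications passing SSL_OP_ALL (which presumably still covers that bit) would then get the Safari workaround without asking for it. The enclosing ssl.h option list continues outside the hunk.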
@@ -86,11 +93,11 @@
  	} SSL3_STATE;
  
  #endif
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index e08088c..f671d1d 100644
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -866,6 +866,89 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
+Index: openssl-1.0.1e/ssl/t1_lib.c
+===================================================================
+--- openssl-1.0.1e.orig/ssl/t1_lib.c
++++ openssl-1.0.1e/ssl/t1_lib.c
+@@ -866,6 +866,89 @@ unsigned char *ssl_add_serverhello_tlsex
  	return ret;
  	}
  
@@ -180,7 +187,7 @@
  int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
  	{
  	unsigned short type;
-@@ -886,6 +969,11 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
+@@ -886,6 +969,11 @@ int ssl_parse_clienthello_tlsext(SSL *s,
  	                       SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
  #endif
  



