[Pkg-openssl-changes] r893 - in openssl/branches/1.1.0/debian: . patches

Sebastian Andrzej Siewior bigeasy at moszumanska.debian.org
Sun Jan 29 20:03:37 UTC 2017


Author: bigeasy
Date: 2017-01-29 20:03:37 +0000 (Sun, 29 Jan 2017)
New Revision: 893

Added:
   openssl/branches/1.1.0/debian/patches/Add-a-couple-of-test-to-check-CRL-fingerprint.patch
   openssl/branches/1.1.0/debian/patches/Document-what-EXFLAG_SET-is-for-in-x509v3.h.patch
   openssl/branches/1.1.0/debian/patches/X509_CRL_digest-ensure-precomputed-sha1-hash-before-.patch
Modified:
   openssl/branches/1.1.0/debian/changelog
   openssl/branches/1.1.0/debian/patches/series
Log:
A fix for the perl / X509 sha1 bug



Modified: openssl/branches/1.1.0/debian/changelog
===================================================================
--- openssl/branches/1.1.0/debian/changelog	2017-01-29 19:47:00 UTC (rev 892)
+++ openssl/branches/1.1.0/debian/changelog	2017-01-29 20:03:37 UTC (rev 893)
@@ -1,7 +1,12 @@
 openssl (1.1.0d-2) UNRELEASED; urgency=medium
 
   * Fix building of arch and all packages in a minimal environment
-    (Closes: #852900)
+    (Closes: #852900).
+  * Fix precomputing SHA1 by adding the following patches from upstream:
+    - Add-a-couple-of-test-to-check-CRL-fingerprint.patch
+    - Document-what-EXFLAG_SET-is-for-in-x509v3.h.patch
+    - X509_CRL_digest-ensure-precomputed-sha1-hash-before-.patch
+    (Closes: #852920).
 
  -- Sebastian Andrzej Siewior <sebastian at breakpoint.cc>  Sun, 29 Jan 2017 20:32:07 +0100
 

Added: openssl/branches/1.1.0/debian/patches/Add-a-couple-of-test-to-check-CRL-fingerprint.patch
===================================================================
--- openssl/branches/1.1.0/debian/patches/Add-a-couple-of-test-to-check-CRL-fingerprint.patch	                        (rev 0)
+++ openssl/branches/1.1.0/debian/patches/Add-a-couple-of-test-to-check-CRL-fingerprint.patch	2017-01-29 20:03:37 UTC (rev 893)
@@ -0,0 +1,45 @@
+From: Richard Levitte <levitte at openssl.org>
+Date: Sat, 28 Jan 2017 18:24:40 +0100
+Subject: [PATCH 3/3] Add a couple of test to check CRL fingerprint
+
+BTS: #852920
+
+Reviewed-by: Kurt Roeckx <kurt at openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/2314)
+(cherry picked from commit 929860d0e6112f5c7766d9ea036c3f8bd8d3d719)
+---
+ test/recipes/25-test_crl.t |   19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+--- a/test/recipes/25-test_crl.t
++++ b/test/recipes/25-test_crl.t
+@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_fil
+ 
+ setup("test_crl");
+ 
+-plan tests => 3;
++plan tests => 5;
+ 
+ require_ok(srctop_file('test','recipes','tconversion.pl'));
+ 
+@@ -24,3 +24,20 @@ subtest 'crl conversions' => sub {
+ };
+ 
+ ok(run(test(['crltest'])));
++
++ok(compare1stline([qw{openssl crl -noout -fingerprint -in},
++                   srctop_file('test', 'testcrl.pem')],
++                  'SHA1 Fingerprint=BA:F4:1B:AD:7A:9B:2F:09:16:BC:60:A7:0E:CE:79:2E:36:00:E7:B2'));
++ok(compare1stline([qw{openssl crl -noout -fingerprint -sha256 -in},
++                   srctop_file('test', 'testcrl.pem')],
++                  'SHA256 Fingerprint=B3:A9:FD:A7:2E:8C:3D:DF:D0:F1:C3:1A:96:60:B5:FD:B0:99:7C:7F:0E:E4:34:F5:DB:87:62:36:BC:F1:BC:1B'));
++
++sub compare1stline {
++    my ($cmdarray, $str) = @_;
++    my @lines = run(app($cmdarray), capture => 1);
++
++    return 1 if $lines[0] =~ m|^\Q${str}\E\R$|;
++    note "Got      ", $lines[0];
++    note "Expected ", $str;
++    return 0;
++}
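Review bot: compare1stline() reads $lines[0] without checking that the command produced any output, so if openssl crl fails or prints nothing, the match and both note calls operate on undef and the failure surfaces as "uninitialized value" warnings instead of a clear message. Return 0 early with a note such as "no output" when @lines is empty. The two expected fingerprints are also tied to the current contents of test/testcrl.pem; a comment next to them saying so would keep a later edit of that file from being read as a digest regression.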

Added: openssl/branches/1.1.0/debian/patches/Document-what-EXFLAG_SET-is-for-in-x509v3.h.patch
===================================================================
--- openssl/branches/1.1.0/debian/patches/Document-what-EXFLAG_SET-is-for-in-x509v3.h.patch	                        (rev 0)
+++ openssl/branches/1.1.0/debian/patches/Document-what-EXFLAG_SET-is-for-in-x509v3.h.patch	2017-01-29 20:03:37 UTC (rev 893)
@@ -0,0 +1,23 @@
+From: Richard Levitte <levitte at openssl.org>
+Date: Sat, 28 Jan 2017 18:02:12 +0100
+Subject: [PATCH 2/3] Document what EXFLAG_SET is for in x509v3.h
+
+BTS: #852920
+
+Reviewed-by: Kurt Roeckx <kurt at openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/2314)
+(cherry picked from commit 2d60c923141e7853c268364f26195343a5e995bf)
+---
+ include/openssl/x509v3.h |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/openssl/x509v3.h
++++ b/include/openssl/x509v3.h
+@@ -355,6 +355,7 @@ struct ISSUING_DIST_POINT_st {
+ # define EXFLAG_SI               0x20
+ # define EXFLAG_V1               0x40
+ # define EXFLAG_INVALID          0x80
++/* EXFLAG_SET is set to indicate that some values have been precomputed */
+ # define EXFLAG_SET              0x100
+ # define EXFLAG_CRITICAL         0x200
+ # define EXFLAG_PROXY            0x400
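Review bot: the new comment on EXFLAG_SET says only that "some values have been precomputed", which does not tell a reader which values or on which objects. Patch 1/3 of this series makes X509_CRL_digest() return sha1_hash from a CRL only when this flag is set, so the comment should name at least that case, for example that the cached sha1_hash is valid once the flag is set.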

Added: openssl/branches/1.1.0/debian/patches/X509_CRL_digest-ensure-precomputed-sha1-hash-before-.patch
===================================================================
--- openssl/branches/1.1.0/debian/patches/X509_CRL_digest-ensure-precomputed-sha1-hash-before-.patch	                        (rev 0)
+++ openssl/branches/1.1.0/debian/patches/X509_CRL_digest-ensure-precomputed-sha1-hash-before-.patch	2017-01-29 20:03:37 UTC (rev 893)
@@ -0,0 +1,40 @@
+From: Richard Levitte <levitte at openssl.org>
+Date: Sat, 28 Jan 2017 17:43:17 +0100
+Subject: [PATCH 1/3] X509_CRL_digest() - ensure precomputed sha1 hash before
+ returning it
+
+X509_CRL_digest() didn't check if the precomputed sha1 hash was actually
+present.  This also makes sure there's an appropriate flag to check.
+
+BTS: #852920
+
+Reviewed-by: Kurt Roeckx <kurt at openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/2314)
+(cherry picked from commit 6195848b2eea627c47f74b63eb2ba3dc3d5b6436)
+---
+ crypto/x509/x_all.c |    2 +-
+ crypto/x509/x_crl.c |    2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/crypto/x509/x_all.c
++++ b/crypto/x509/x_all.c
+@@ -377,7 +377,7 @@ int X509_digest(const X509 *data, const
+ int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type,
+                     unsigned char *md, unsigned int *len)
+ {
+-    if (type == EVP_sha1()) {
++    if (type == EVP_sha1() && (data->flags & EXFLAG_SET) != 0) {
+         /* Asking for SHA1; always computed in CRL d2i. */
+         if (len != NULL)
+             *len = sizeof(data->sha1_hash);
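Review bot: the context comment "Asking for SHA1; always computed in CRL d2i." no longer matches the condition above it, which now also requires EXFLAG_SET and so admits that the hash may not be present. Reword it to say that the precomputed sha1_hash is returned only when the flag is set and that the shortcut is skipped otherwise. A test that calls X509_CRL_digest() with SHA1 on a CRL that does not have the flag set would cover the new branch.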
+--- a/crypto/x509/x_crl.c
++++ b/crypto/x509/x_crl.c
+@@ -226,6 +226,8 @@ static int crl_cb(int operation, ASN1_VA
+             if (crl->meth->crl_init(crl) == 0)
+                 return 0;
+         }
++
++        crl->flags |= EXFLAG_SET;
+         break;
+ 
+     case ASN1_OP_FREE_POST:
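Review bot: crl->flags |= EXFLAG_SET is added without a comment, and nothing at this site says that X509_CRL_digest() in x_all.c now relies on it to decide whether sha1_hash is valid. Add a one-line comment stating that dependency, and confirm that every step in this case that can fail returns before reaching this line, as the crl_init() check in the context does, so the flag is never set over an uncomputed hash.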

Modified: openssl/branches/1.1.0/debian/patches/series
===================================================================
--- openssl/branches/1.1.0/debian/patches/series	2017-01-29 19:47:00 UTC (rev 892)
+++ openssl/branches/1.1.0/debian/patches/series	2017-01-29 20:03:37 UTC (rev 893)
@@ -4,3 +4,6 @@
 pic.patch
 c_rehash-compat.patch
 #padlock_conf.patch
+X509_CRL_digest-ensure-precomputed-sha1-hash-before-.patch
+Document-what-EXFLAG_SET-is-for-in-x509v3.h.patch
+Add-a-couple-of-test-to-check-CRL-fingerprint.patch



