Bug#703362: unblock: openssl/1.0.1e-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock openssl/1.0.1e-2, it fixes a bunch of issues fixed
in upstream git since the 1.0.1e release.
debdiff attached.
Kurt
diff -Nru openssl-1.0.1e/debian/changelog openssl-1.0.1e/debian/changelog
--- openssl-1.0.1e/debian/changelog 2013-02-11 19:40:07.000000000 +0100
+++ openssl-1.0.1e/debian/changelog 2013-03-18 20:37:14.000000000 +0100
@@ -1,3 +1,13 @@
+openssl (1.0.1e-2) unstable; urgency=high
+
+ * Bump shlibs. It's needed for the udeb.
+ * Make cpuid work on cpu's that don't set ecx (Closes: #699692)
+ * Fix problem with AES-NI causing bad record mac (Closes: #701868, #702635, #678353)
+ * Fix problem with DTLS version check (Closes: #701826)
+ * Fix segfault in SSL_get_certificate (Closes: #703031)
+
+ -- Kurt Roeckx <kurt@roeckx.be> Mon, 18 Mar 2013 20:37:11 +0100
+
openssl (1.0.1e-1) unstable; urgency=high
* New upstream version (Closes: #699889)
diff -Nru openssl-1.0.1e/debian/patches/aesni-mac.patch openssl-1.0.1e/debian/patches/aesni-mac.patch
--- openssl-1.0.1e/debian/patches/aesni-mac.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssl-1.0.1e/debian/patches/aesni-mac.patch 2013-03-18 20:19:47.000000000 +0100
@@ -0,0 +1,26 @@
+From: Andy Polyakov <appro@openssl.org>
+Date: Mon, 18 Mar 2013 19:29:41 +0100
+Subject: e_aes_cbc_hmac_sha1.c: fix rare bad record mac on AES-NI plaforms.
+Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=9ab3ce124616cb12bd39c6aa1e1bde0f46969b29
+Bug-Debian: http://bugs.debian.org/701868
+Bug: http://rt.openssl.org/Ticket/Display.html?id=3002&user=guest&pass=guest
+
+diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c
+index 483e04b..fb2c884 100644
+--- a/crypto/evp/e_aes_cbc_hmac_sha1.c
++++ b/crypto/evp/e_aes_cbc_hmac_sha1.c
+@@ -328,10 +328,11 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+
+ if (res!=SHA_CBLOCK) continue;
+
+- mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
++ /* j is not incremented yet */
++ mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1));
+ data->u[SHA_LBLOCK-1] |= bitlen&mask;
+ sha1_block_data_order(&key->md,data,1);
+- mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
++ mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1));
+ pmac->u[0] |= key->md.h0 & mask;
+ pmac->u[1] |= key->md.h1 & mask;
+ pmac->u[2] |= key->md.h2 & mask;
+
diff -Nru openssl-1.0.1e/debian/patches/cpuid.patch openssl-1.0.1e/debian/patches/cpuid.patch
--- openssl-1.0.1e/debian/patches/cpuid.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssl-1.0.1e/debian/patches/cpuid.patch 2013-03-10 21:54:05.000000000 +0100
@@ -0,0 +1,27 @@
+From: Andy Polyakov <appro@openssl.org>
+Date: Mon, 4 Mar 2013 19:05:04 +0000 (+0100)
+Subject: x86cpuid.pl: make it work with older CPUs.
+Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=5702e965d759dde8a098d8108660721ba2b93a7d
+Bug-Debian: http://bugs.debian.org/699692
+Bug: http://rt.openssl.org/Ticket/Display.html?id=3005&user=guest&pass=guest
+
+diff --git a/crypto/x86cpuid.pl b/crypto/x86cpuid.pl
+index 3b6c469..e8a7518 100644
+--- a/crypto/x86cpuid.pl
++++ b/crypto/x86cpuid.pl
+@@ -69,6 +69,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+ &inc ("esi"); # number of cores
+
+ &mov ("eax",1);
++ &xor ("ecx","ecx");
+ &cpuid ();
+ &bt ("edx",28);
+ &jnc (&label("generic"));
+@@ -102,6 +103,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+
+ &set_label("nocacheinfo");
+ &mov ("eax",1);
++ &xor ("ecx","ecx");
+ &cpuid ();
+ &and ("edx",0xbfefffff); # force reserved bits #20, #30 to 0
+ &cmp ("ebp",0);
diff -Nru openssl-1.0.1e/debian/patches/dtls_version.patch openssl-1.0.1e/debian/patches/dtls_version.patch
--- openssl-1.0.1e/debian/patches/dtls_version.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssl-1.0.1e/debian/patches/dtls_version.patch 2013-03-18 20:28:32.000000000 +0100
@@ -0,0 +1,25 @@
+From: David Woodhouse <dwmw2@infradead.org>
+Date: Tue, 12 Feb 2013 14:55:32 +0000
+Subject: Check DTLS_BAD_VER for version number.
+Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=9fe4603b8245425a4c46986ed000fca054231253
+Bug-Debian: http://bugs.debian.org/701826
+Bug: http://rt.openssl.org/Ticket/Display.html?id=2984&user=guest&pass=guest
+
+The version check for DTLS1_VERSION was redundant as
+DTLS1_VERSION > TLS1_1_VERSION, however we do need to
+check for DTLS1_BAD_VER for compatibility.
+
+diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
+index 02edf3f..443a31e 100644
+--- a/ssl/s3_cbc.c
++++ b/ssl/s3_cbc.c
+@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
+ unsigned padding_length, good, to_check, i;
+ const unsigned overhead = 1 /* padding length byte */ + mac_size;
+ /* Check if version requires explicit IV */
+- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
++ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
+ {
+ /* These lengths are all public so we can test them in
+ * non-constant time.
+
diff -Nru openssl-1.0.1e/debian/patches/get_certificate.patch openssl-1.0.1e/debian/patches/get_certificate.patch
--- openssl-1.0.1e/debian/patches/get_certificate.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssl-1.0.1e/debian/patches/get_certificate.patch 2013-03-18 20:36:30.000000000 +0100
@@ -0,0 +1,27 @@
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Mon, 11 Feb 2013 18:24:03 +0000
+Subject: Fix for SSL_get_certificate
+Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=147dbb2fe3bead7a10e2f280261b661ce7af7adc
+Bug-Debian: http://bugs.debian.org/703031
+
+
+Now we set the current certificate to the one used by a server
+there is no need to call ssl_get_server_send_cert which will
+fail if we haven't sent a certificate yet.
+
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 14d143d..ff5a85a 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s)
+ /* Fix this function so that it takes an optional type parameter */
+ X509 *SSL_get_certificate(const SSL *s)
+ {
+- if (s->server)
+- return(ssl_get_server_send_cert(s));
+- else if (s->cert != NULL)
++ if (s->cert != NULL)
+ return(s->cert->key->x509);
+ else
+ return(NULL);
+
diff -Nru openssl-1.0.1e/debian/patches/series openssl-1.0.1e/debian/patches/series
--- openssl-1.0.1e/debian/patches/series 2013-02-11 19:39:36.000000000 +0100
+++ openssl-1.0.1e/debian/patches/series 2013-03-18 20:36:46.000000000 +0100
@@ -32,3 +32,7 @@
#padlock_conf.patch
default_bits.patch
ssltest_no_sslv2.patch
+cpuid.patch
+aesni-mac.patch
+dtls_version.patch
+get_certificate.patch
diff -Nru openssl-1.0.1e/debian/rules openssl-1.0.1e/debian/rules
--- openssl-1.0.1e/debian/rules 2012-07-17 11:49:15.000000000 +0200
+++ openssl-1.0.1e/debian/rules 2013-03-10 21:54:40.000000000 +0100
@@ -137,7 +137,7 @@
dh_strip -a --dbg-package=libssl1.0.0
dh_perl -a -d
dpkg-gensymbols -Pdebian/libssl1.0.0/ -plibssl1.0.0 -c4
- dh_makeshlibs -a -V "libssl1.0.0 (>= 1.0.0)" --add-udeb="libcrypto1.0.0-udeb"
+ dh_makeshlibs -a -V "libssl1.0.0 (>= 1.0.1d)" --add-udeb="libcrypto1.0.0-udeb"
dh_shlibdeps -a -L libssl1.0.0 -l debian/libssl1.0.0/usr/lib/$(DEB_HOST_MULTIARCH)
dh_gencontrol -a
dh_installdeb -a
Reply to: