--- openssl-0.9.8a.orig/config +++ openssl-0.9.8a/config @@ -162,8 +162,8 @@ echo "${MACHINE}-whatever-linux1"; exit 0 ;; - GNU*) - echo "hurd-x86"; exit 0; + GNU:*|GNU/*:*) + echo "${MACHINE}-gnuish"; exit 0; ;; LynxOS:*) --- openssl-0.9.8a.orig/crypto/ripemd/ripemd.h +++ openssl-0.9.8a/crypto/ripemd/ripemd.h @@ -59,6 +59,7 @@ #ifndef HEADER_RIPEMD_H #define HEADER_RIPEMD_H +#include #include #ifdef __cplusplus --- openssl-0.9.8a.orig/crypto/x86_64cpuid.pl +++ openssl-0.9.8a/crypto/x86_64cpuid.pl @@ -1,4 +1,4 @@ -#!/usr/bin/env perl +#!/usr/local/bin/perl $output=shift; $win64a=1 if ($output =~ /win64a\.[s|asm]/); --- openssl-0.9.8a.orig/crypto/opensslconf.h +++ openssl-0.9.8a/crypto/opensslconf.h @@ -7,6 +7,9 @@ #ifndef OPENSSL_NO_GMP # define OPENSSL_NO_GMP #endif +#ifndef OPENSSL_NO_IDEA +# define OPENSSL_NO_IDEA +#endif #ifndef OPENSSL_NO_KRB5 # define OPENSSL_NO_KRB5 #endif @@ -18,6 +21,9 @@ #endif #endif /* OPENSSL_DOING_MAKEDEPEND */ +#ifndef OPENSSL_THREADS +# define OPENSSL_THREADS +#endif #ifndef OPENSSL_NO_DYNAMIC_ENGINE # define OPENSSL_NO_DYNAMIC_ENGINE #endif @@ -30,6 +36,9 @@ # if defined(OPENSSL_NO_GMP) && !defined(NO_GMP) # define NO_GMP # endif +# if defined(OPENSSL_NO_IDEA) && !defined(NO_IDEA) +# define NO_IDEA +# endif # if defined(OPENSSL_NO_KRB5) && !defined(NO_KRB5) # define NO_KRB5 # endif @@ -41,6 +50,8 @@ # endif #endif +#define OPENSSL_CPUID_OBJ + /* crypto/opensslconf.h.in */ /* Generate 80386 code? */ @@ -48,8 +59,8 @@ #if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */ #if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR) -#define ENGINESDIR "/usr/local/ssl/lib/engines" -#define OPENSSLDIR "/usr/local/ssl" +#define ENGINESDIR "/usr/lib/ssl/engines" +#define OPENSSLDIR "/usr/lib/ssl" #endif #endif 
@@ -80,14 +91,14 @@ * - Intel P6 because partial register stalls are very expensive; * - elder Alpha because it lacks byte load/store instructions; */ -#define RC4_INT unsigned int +#define RC4_INT unsigned char #endif #if !defined(RC4_CHUNK) /* * This enables code handling data aligned at natural CPU word * boundary. See crypto/rc4/rc4_enc.c for further details. */ -#undef RC4_CHUNK +#define RC4_CHUNK unsigned long #endif #endif @@ -95,7 +106,7 @@ /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a * %20 speed up (longs are 8 bytes, int's are 4). */ #ifndef DES_LONG -#define DES_LONG unsigned long +#define DES_LONG unsigned int #endif #endif @@ -109,9 +120,9 @@ /* The prime number generation stuff may not work when * EIGHT_BIT but I don't care since I've only used this mode * for debuging the bignum libraries */ -#undef SIXTY_FOUR_BIT_LONG +#define SIXTY_FOUR_BIT_LONG #undef SIXTY_FOUR_BIT -#define THIRTY_TWO_BIT +#undef THIRTY_TWO_BIT #undef SIXTEEN_BIT #undef EIGHT_BIT #endif @@ -125,7 +136,7 @@ #if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H) #define CONFIG_HEADER_BF_LOCL_H -#undef BF_PTR +#define BF_PTR2 #endif /* HEADER_BF_LOCL_H */ #if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H) @@ -155,7 +166,7 @@ /* Unroll the inner loop, this sometimes helps, sometimes hinders. * Very mucy CPU dependant */ #ifndef DES_UNROLL -#undef DES_UNROLL +#define DES_UNROLL #endif /* These default values were supplied by --- openssl-0.9.8a.orig/crypto/aes/asm/aes-586.pl +++ openssl-0.9.8a/crypto/aes/asm/aes-586.pl @@ -1,4 +1,4 @@ -#!/usr/bin/env perl +#!/usr/local/bin/perl # # ==================================================================== # Written by Andy Polyakov for the OpenSSL --- openssl-0.9.8a.orig/crypto/asn1/tasn_dec.c +++ openssl-0.9.8a/crypto/asn1/tasn_dec.c 
@@ -826,6 +826,7 @@ } else if (ret == -1) return -1; + ret = 0; /* SEQUENCE, SET and "OTHER" are left in encoded form */ if ((utype == V_ASN1_SEQUENCE) || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER)) --- openssl-0.9.8a.orig/crypto/asn1/charmap.pl +++ openssl-0.9.8a/crypto/asn1/charmap.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl -w +#!/usr/local/bin/perl use strict; --- openssl-0.9.8a.orig/crypto/ec/ec.h +++ openssl-0.9.8a/crypto/ec/ec.h @@ -93,6 +93,9 @@ #endif +#define OPENSSL_ECC_MAX_FIELD_BITS 661 + + typedef enum { /* values as defined in X9.62 (ECDSA) and elsewhere */ POINT_CONVERSION_COMPRESSED = 2, @@ -482,6 +485,7 @@ #define EC_R_D2I_ECPKPARAMETERS_FAILURE 117 #define EC_R_DISCRIMINANT_IS_ZERO 118 #define EC_R_EC_GROUP_NEW_BY_NAME_FAILURE 119 +#define EC_R_FIELD_TOO_LARGE 138 #define EC_R_GROUP2PKPARAMETERS_FAILURE 120 #define EC_R_I2D_ECPKPARAMETERS_FAILURE 121 #define EC_R_INCOMPATIBLE_OBJECTS 101 @@ -492,7 +496,9 @@ #define EC_R_INVALID_FIELD 103 #define EC_R_INVALID_FORM 104 #define EC_R_INVALID_GROUP_ORDER 122 +#define EC_R_INVALID_PENTANOMIAL_BASIS 132 #define EC_R_INVALID_PRIVATE_KEY 123 +#define EC_R_INVALID_TRINOMIAL_BASIS 137 #define EC_R_MISSING_PARAMETERS 124 #define EC_R_MISSING_PRIVATE_KEY 125 #define EC_R_NOT_A_NIST_PRIME 135 --- openssl-0.9.8a.orig/crypto/ec/ec_asn1.c +++ openssl-0.9.8a/crypto/ec/ec_asn1.c @@ -741,6 +741,7 @@ EC_GROUP *ret = NULL; BIGNUM *p = NULL, *a = NULL, *b = NULL; EC_POINT *point=NULL; + long field_bits; if (!params->fieldID || !params->fieldID->fieldType || !params->fieldID->p.ptr) @@ -779,6 +780,13 @@ char_two = params->fieldID->p.char_two; + field_bits = char_two->m; + if (field_bits > OPENSSL_ECC_MAX_FIELD_BITS) + { + ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_FIELD_TOO_LARGE); + goto err; + } + if ((p = BN_new()) == NULL) { ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_MALLOC_FAILURE); 
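Review bot: The added `ret = 0;` in tasn_dec.c carries no comment, and the surrounding lines do not show why the value has to be reset at this point. It looks as if the intent is that any later `goto err` returns failure rather than whatever the preceding tag/length check left in `ret`. If so, say it next to the assignment, for example `/* default to failure: the error exits below return ret unchanged */`. The enclosing function starts and ends outside the hunk, so confirm that its success path sets `ret` explicitly before adding that wording.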
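Review bot: In ec_asn1.c only the upper bound of `char_two->m` is tested, so a zero or negative degree passes `field_bits > OPENSSL_ECC_MAX_FIELD_BITS`. As far as the visible hunks show, it is caught only indirectly by the trinomial and pentanomial ordering checks added further down. Because `field_bits` is reused later for the order check and `char_two->m` is cast to `int` for `BN_set_bit`, reject it where it is first read: `if (field_bits <= 0) { ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_FIELD); goto err; }`. `OPENSSL_ECC_MAX_FIELD_BITS 661` in ec.h would also benefit from a comment saying where the figure comes from. The function body continues outside this hunk.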
@@ -799,6 +807,13 @@ } tmp_long = ASN1_INTEGER_get(char_two->p.tpBasis); + + if (!(char_two->m > tmp_long && tmp_long > 0)) + { + ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_TRINOMIAL_BASIS); + goto err; + } + /* create the polynomial */ if (!BN_set_bit(p, (int)char_two->m)) goto err; @@ -817,6 +832,13 @@ ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR); goto err; } + + if (!(char_two->m > penta->k3 && penta->k3 > penta->k2 && penta->k2 > penta->k1 && penta->k1 > 0)) + { + ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_PENTANOMIAL_BASIS); + goto err; + } + /* create the polynomial */ if (!BN_set_bit(p, (int)char_two->m)) goto err; if (!BN_set_bit(p, (int)penta->k1)) goto err; @@ -858,6 +880,20 @@ ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_ASN1_LIB); goto err; } + + if (BN_is_negative(p) || BN_is_zero(p)) + { + ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_FIELD); + goto err; + } + + field_bits = BN_num_bits(p); + if (field_bits > OPENSSL_ECC_MAX_FIELD_BITS) + { + ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_FIELD_TOO_LARGE); + goto err; + } + /* create the EC_GROUP structure */ ret = EC_GROUP_new_curve_GFp(p, a, b, NULL); if (ret == NULL) @@ -909,6 +945,16 @@ ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_ASN1_LIB); goto err; } + if (BN_is_negative(a) || BN_is_zero(a)) + { + ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_GROUP_ORDER); + goto err; + } + if (BN_num_bits(a) > (int)field_bits + 1) /* Hasse bound */ + { + ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_GROUP_ORDER); + goto err; + } /* extract the cofactor (optional) */ if (params->cofactor == NULL) --- openssl-0.9.8a.orig/crypto/ec/ec_err.c +++ openssl-0.9.8a/crypto/ec/ec_err.c 
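Review bot: In the last ec_asn1.c hunk the group order is validated through `a`, a variable declared next to `p` and `b` at the top of the function, so nothing in these lines tells the reader that it now holds the order. Add a short comment such as `/* a is reused here for the group order */`. The terse `/* Hasse bound */` could spell out the rule it relies on: `/* Hasse: order <= q + 1 + 2*sqrt(q), so at most field_bits + 1 bits */`. The assignment to `a` lies outside the hunk, so confirm it before adding the first comment.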
@@ -188,6 +188,7 @@ {ERR_REASON(EC_R_D2I_ECPKPARAMETERS_FAILURE),"d2i ecpkparameters failure"}, {ERR_REASON(EC_R_DISCRIMINANT_IS_ZERO) ,"discriminant is zero"}, {ERR_REASON(EC_R_EC_GROUP_NEW_BY_NAME_FAILURE),"ec group new by name failure"}, +{ERR_REASON(EC_R_FIELD_TOO_LARGE) ,"field too large"}, {ERR_REASON(EC_R_GROUP2PKPARAMETERS_FAILURE),"group2pkparameters failure"}, {ERR_REASON(EC_R_I2D_ECPKPARAMETERS_FAILURE),"i2d ecpkparameters failure"}, {ERR_REASON(EC_R_INCOMPATIBLE_OBJECTS) ,"incompatible objects"}, @@ -198,7 +199,9 @@ {ERR_REASON(EC_R_INVALID_FIELD) ,"invalid field"}, {ERR_REASON(EC_R_INVALID_FORM) ,"invalid form"}, {ERR_REASON(EC_R_INVALID_GROUP_ORDER) ,"invalid group order"}, +{ERR_REASON(EC_R_INVALID_PENTANOMIAL_BASIS),"invalid pentanomial basis"}, {ERR_REASON(EC_R_INVALID_PRIVATE_KEY) ,"invalid private key"}, +{ERR_REASON(EC_R_INVALID_TRINOMIAL_BASIS),"invalid trinomial basis"}, {ERR_REASON(EC_R_MISSING_PARAMETERS) ,"missing parameters"}, {ERR_REASON(EC_R_MISSING_PRIVATE_KEY) ,"missing private key"}, {ERR_REASON(EC_R_NOT_A_NIST_PRIME) ,"not a NIST prime"}, --- openssl-0.9.8a.orig/crypto/dsa/dsa_err.c +++ openssl-0.9.8a/crypto/dsa/dsa_err.c @@ -89,8 +89,10 @@ static ERR_STRING_DATA DSA_str_reasons[]= { +{ERR_REASON(DSA_R_BAD_Q_VALUE) ,"bad q value"}, {ERR_REASON(DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"}, {ERR_REASON(DSA_R_MISSING_PARAMETERS) ,"missing parameters"}, +{ERR_REASON(DSA_R_MODULUS_TOO_LARGE) ,"modulus too large"}, {0,NULL} }; --- openssl-0.9.8a.orig/crypto/dsa/dsa.h +++ openssl-0.9.8a/crypto/dsa/dsa.h @@ -84,6 +84,8 @@ #endif #endif +#define OPENSSL_DSA_MAX_MODULUS_BITS 10000 + #define DSA_FLAG_CACHE_MONT_P 0x01 #define DSA_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DSA * implementation now uses constant time 
@@ -270,8 +272,10 @@ #define DSA_F_SIG_CB 114 /* Reason codes. */ +#define DSA_R_BAD_Q_VALUE 102 #define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100 #define DSA_R_MISSING_PARAMETERS 101 +#define DSA_R_MODULUS_TOO_LARGE 103 #ifdef __cplusplus } --- openssl-0.9.8a.orig/crypto/dsa/dsa_ossl.c +++ openssl-0.9.8a/crypto/dsa/dsa_ossl.c @@ -304,6 +304,18 @@ return -1; } + if (BN_num_bits(dsa->q) != 160) + { + DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_BAD_Q_VALUE); + return -1; + } + + if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) + { + DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE); + return -1; + } + BN_init(&u1); BN_init(&u2); BN_init(&t1); --- openssl-0.9.8a.orig/crypto/sha/sha.h +++ openssl-0.9.8a/crypto/sha/sha.h @@ -59,6 +59,7 @@ #ifndef HEADER_SHA_H #define HEADER_SHA_H +#include #include #ifdef __cplusplus --- openssl-0.9.8a.orig/crypto/sha/asm/sha1-ia64.pl +++ openssl-0.9.8a/crypto/sha/asm/sha1-ia64.pl @@ -1,4 +1,4 @@ -#!/usr/bin/env perl +#!/usr/local/bin/perl # # ==================================================================== # Written by Andy Polyakov for the OpenSSL --- openssl-0.9.8a.orig/crypto/sha/asm/sha512-sse2.pl +++ openssl-0.9.8a/crypto/sha/asm/sha512-sse2.pl @@ -1,4 +1,4 @@ -#!/usr/bin/env perl +#!/usr/local/bin/perl # # ==================================================================== # Written by Andy Polyakov for the OpenSSL --- openssl-0.9.8a.orig/crypto/sha/asm/sha512-ia64.pl +++ openssl-0.9.8a/crypto/sha/asm/sha512-ia64.pl @@ -1,4 +1,4 @@ -#!/usr/bin/env perl +#!/usr/local/bin/perl # # ==================================================================== # Written by Andy Polyakov for the OpenSSL --- openssl-0.9.8a.orig/crypto/x86cpuid.pl +++ openssl-0.9.8a/crypto/x86cpuid.pl @@ -1,4 +1,4 @@ -#!/usr/bin/env perl +#!/usr/local/bin/perl push(@INC,"perlasm"); require "x86asm.pl"; --- openssl-0.9.8a.orig/crypto/md5/asm/md5-sparcv9.S +++ openssl-0.9.8a/crypto/md5/asm/md5-sparcv9.S 
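Review bot: The literal `160` in `if (BN_num_bits(dsa->q) != 160)` is unexplained, while the modulus limit checked right after it gets a named constant in dsa.h. At minimum add a comment such as `/* only 160-bit q is accepted (FIPS 186-2 style parameters) */`, or give the value a name beside `OPENSSL_DSA_MAX_MODULUS_BITS`. Both new checks dereference `dsa->q` and `dsa->p`. The `return -1; }` context above suggests an earlier parameter check, but it is outside the hunk, so confirm that it rejects NULL `p` and `q` before these lines run.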
@@ -74,14 +74,14 @@ #define Dval R8 #if defined(MD5_BLOCK_DATA_ORDER) -# if defined(OPENSSL_SYSNAME_ULTRASPARC) +/*# if defined(OPENSSL_SYSNAME_ULTRASPARC)*/ # define LOAD lda # define X(i) [%i1+i*4]%asi # define md5_block md5_block_asm_data_order_aligned # define ASI_PRIMARY_LITTLE 0x88 -# else +/*# else # error "MD5_BLOCK_DATA_ORDER is supported only on UltraSPARC!" -# endif +# endif*/ #else # define LOAD ld # define X(i) [%i1+i*4] --- openssl-0.9.8a.orig/crypto/md5/asm/md5-x86_64.pl +++ openssl-0.9.8a/crypto/md5/asm/md5-x86_64.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl -w +#!/usr/local/bin/perl # # MD5 optimized for AMD64. # --- openssl-0.9.8a.orig/crypto/md5/md5.h +++ openssl-0.9.8a/crypto/md5/md5.h @@ -59,6 +59,7 @@ #ifndef HEADER_MD5_H #define HEADER_MD5_H +#include #include #ifdef __cplusplus --- openssl-0.9.8a.orig/crypto/bn/asm/ppc.pl +++ openssl-0.9.8a/crypto/bn/asm/ppc.pl @@ -1,4 +1,4 @@ -#!/usr/bin/env perl +#!/usr/local/bin/perl # # Implemented as a Perl wrapper as we want to support several different # architectures with single file. We pick up the target based on the --- openssl-0.9.8a.orig/crypto/bn/asm/sparcv8plus.S +++ openssl-0.9.8a/crypto/bn/asm/sparcv8plus.S @@ -162,10 +162,14 @@ * BN_ULONG w; */ bn_mul_add_words: + sra %o2,%g0,%o2 ! signx %o2 brgz,a %o2,.L_bn_mul_add_words_proceed lduw [%o1],%g2 retl clr %o0 + nop + nop + nop .L_bn_mul_add_words_proceed: srl %o3,%g0,%o3 ! clruw %o3 @@ -260,10 +264,14 @@ * BN_ULONG w; */ bn_mul_words: + sra %o2,%g0,%o2 ! signx %o2 brgz,a %o2,.L_bn_mul_words_proceeed lduw [%o1],%g2 retl clr %o0 + nop + nop + nop .L_bn_mul_words_proceeed: srl %o3,%g0,%o3 ! clruw %o3 @@ -344,10 +352,14 @@ * int n; */ bn_sqr_words: + sra %o2,%g0,%o2 ! signx %o2 brgz,a %o2,.L_bn_sqr_words_proceeed lduw [%o1],%g2 retl clr %o0 + nop + nop + nop .L_bn_sqr_words_proceeed: andcc %o2,-4,%g0 @@ -445,6 +457,7 @@ * int n; */ bn_add_words: + sra %o3,%g0,%o3 ! signx %o3 brgz,a %o3,.L_bn_add_words_proceed lduw [%o1],%o4 retl 
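Review bot: The UltraSPARC guard in md5-sparcv9.S is disabled by wrapping `# if defined(OPENSSL_SYSNAME_ULTRASPARC)` and the `# else` / `# error` / `# endif` lines in C comments, which leaves dead preprocessor text in the file and silently removes a build-time check. With the guard gone, any build that defines `MD5_BLOCK_DATA_ORDER` takes the `lda` / `%asi` path whether or not the target is UltraSPARC. If this file is only ever assembled for UltraSPARC, it is cleaner to define `OPENSSL_SYSNAME_ULTRASPARC` in the build configuration and keep the `#error`. Otherwise delete the lines outright and add a comment stating why the check was dropped.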
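Review bot: The three `nop`s added after `clr %o0` in `bn_mul_add_words`, `bn_mul_words` and `bn_sqr_words` have no comment, unlike the `sra ...,%g0,... ! signx` lines added beside them. They look like padding that keeps the following loop labels aligned after the extra `sra` instruction, since the later hunks remove a `nop` in front of loops marked `! wow! 32 aligned!`, but that is an inference from the diff. If it is the purpose, say so on the first of them, for example `nop ! pad: keep the loop below 32-byte aligned`, so a later edit does not drop them as dead code.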
@@ -454,7 +467,6 @@ andcc %o3,-4,%g0 bz,pn %icc,.L_bn_add_words_tail addcc %g0,0,%g0 ! clear carry flag - nop .L_bn_add_words_loop: ! wow! 32 aligned! dec 4,%o3 @@ -523,6 +535,7 @@ * int n; */ bn_sub_words: + sra %o3,%g0,%o3 ! signx %o3 brgz,a %o3,.L_bn_sub_words_proceed lduw [%o1],%o4 retl @@ -532,7 +545,6 @@ andcc %o3,-4,%g0 bz,pn %icc,.L_bn_sub_words_tail addcc %g0,0,%g0 ! clear carry flag - nop .L_bn_sub_words_loop: ! wow! 32 aligned! dec 4,%o3 --- openssl-0.9.8a.orig/crypto/bn/bn_mont.c +++ openssl-0.9.8a/crypto/bn/bn_mont.c @@ -123,7 +123,6 @@ max=(nl+al+1); /* allow for overflow (no?) XXX */ if (bn_wexpand(r,max) == NULL) goto err; - if (bn_wexpand(ret,max) == NULL) goto err; r->neg=a->neg^n->neg; np=n->d; 
@@ -175,19 +174,70 @@ } bn_correct_top(r); - /* mont->ri will be a multiple of the word size */ -#if 0 - BN_rshift(ret,r,mont->ri); -#else - ret->neg = r->neg; - x=ri; + /* mont->ri will be a multiple of the word size and below code + * is kind of BN_rshift(ret,r,mont->ri) equivalent */ + if (r->top <= ri) + { + ret->top=0; + retn=1; + goto err; + } + al=r->top-ri; + +# define BRANCH_FREE 1 +# if BRANCH_FREE + if (bn_wexpand(ret,ri) == NULL) goto err; + x=0-(((al-ri)>>(sizeof(al)*8-1))&1); + ret->top=x=(ri&~x)|(al&x); /* min(ri,al) */ + ret->neg=r->neg; + rp=ret->d; - ap= &(r->d[x]); - if (r->top < x) - al=0; - else - al=r->top-x; + ap=&(r->d[ri]); + + { + size_t m1,m2; + + v=bn_sub_words(rp,ap,np,ri); + /* this ----------------^^ works even in alri) nrp=rp; else nrp=ap; */ + /* in other words if subtraction result is real, then + * trick unconditional memcpy below to perform in-place + * "refresh" instead of actual copy. */ + m1=0-(size_t)(((al-ri)>>(sizeof(al)*8-1))&1); /* al>(sizeof(al)*8-1))&1); /* al>ri */ + m1|=m2; /* (al!=ri) */ + m1|=(0-(size_t)v); /* (al!=ri || v) */ + m1&=~m2; /* (al!=ri || v) && !al>ri */ + nrp=(BN_ULONG *)(((size_t)rp&~m1)|((size_t)ap&m1)); + } + + /* 'itop=al; + ret->neg=r->neg; + + rp=ret->d; + ap=&(r->d[ri]); al-=4; for (i=0; iri)) goto err; #endif /* MONT_WORD */ +#if !defined(BRANCH_FREE) || BRANCH_FREE==0 if (BN_ucmp(ret, &(mont->N)) >= 0) { if (!BN_usub(ret,ret,&(mont->N))) goto err; } +#endif retn=1; bn_check_top(ret); err: --- openssl-0.9.8a.orig/crypto/md2/md2.h +++ openssl-0.9.8a/crypto/md2/md2.h @@ -59,6 +59,7 @@ #ifndef HEADER_MD2_H #define HEADER_MD2_H +#include #include /* OPENSSL_NO_MD2, MD2_INT */ #ifdef OPENSSL_NO_MD2 #error MD2 is disabled. --- openssl-0.9.8a.orig/crypto/dh/dh.h +++ openssl-0.9.8a/crypto/dh/dh.h 
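Review bot: `# define BRANCH_FREE 1` is introduced in the middle of the function body with no statement of what it selects or why, yet the later `#if !defined(BRANCH_FREE) || BRANCH_FREE==0` around the `BN_ucmp` / `BN_usub` step depends on it. A block comment should say that the masked selection `nrp=(BN_ULONG *)(((size_t)rp&~m1)|((size_t)ap&m1));` replaces the compare-and-subtract so that the final reduction does not branch on the value, if that is the intent, and that it assumes `size_t` is wide enough to hold a pointer. The early `if (r->top <= ri)` exit still branches on the operand length, which is worth stating as accepted. Several lines of this hunk are damaged on the page (text following a `<` is missing), so this is based only on the lines that survived.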
@@ -73,6 +73,8 @@ #include #endif +#define OPENSSL_DH_MAX_MODULUS_BITS 10000 + #define DH_FLAG_CACHE_MONT_P 0x01 #define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH * implementation now uses constant time @@ -214,6 +216,7 @@ #define DH_F_DHPARAMS_PRINT 100 #define DH_F_DHPARAMS_PRINT_FP 101 #define DH_F_DH_BUILTIN_GENPARAMS 106 +#define DH_F_DH_COMPUTE_KEY 107 #define DH_F_DH_NEW_METHOD 105 #define DH_F_GENERATE_KEY 103 #define DH_F_GENERATE_PARAMETERS 104 @@ -222,6 +225,7 @@ #define DH_R_BAD_GENERATOR 101 #define DH_R_NO_PRIVATE_VALUE 100 #define DH_R_INVALID_PUBKEY 102 +#define DH_R_MODULUS_TOO_LARGE 103 #ifdef __cplusplus } --- openssl-0.9.8a.orig/crypto/dh/dh_err.c +++ openssl-0.9.8a/crypto/dh/dh_err.c @@ -74,6 +74,7 @@ {ERR_FUNC(DH_F_DHPARAMS_PRINT), "DHparams_print"}, {ERR_FUNC(DH_F_DHPARAMS_PRINT_FP), "DHparams_print_fp"}, {ERR_FUNC(DH_F_DH_BUILTIN_GENPARAMS), "DH_BUILTIN_GENPARAMS"}, +{ERR_FUNC(DH_F_DH_COMPUTE_KEY), "DH_compute_key"}, {ERR_FUNC(DH_F_DH_NEW_METHOD), "DH_new_method"}, {ERR_FUNC(DH_F_GENERATE_KEY), "GENERATE_KEY"}, {ERR_FUNC(DH_F_GENERATE_PARAMETERS), "GENERATE_PARAMETERS"}, @@ -85,6 +86,7 @@ {ERR_REASON(DH_R_BAD_GENERATOR) ,"bad generator"}, {ERR_REASON(DH_R_NO_PRIVATE_VALUE) ,"no private value"}, {ERR_REASON(DH_R_INVALID_PUBKEY) ,"invalid public key"}, +{ERR_REASON(DH_R_MODULUS_TOO_LARGE) ,"modulus too large"}, {0,NULL} }; --- openssl-0.9.8a.orig/crypto/dh/dh_key.c +++ openssl-0.9.8a/crypto/dh/dh_key.c @@ -173,12 +173,18 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) { - BN_CTX *ctx; + BN_CTX *ctx = NULL; BN_MONT_CTX *mont=NULL; BIGNUM *tmp; int ret= -1; int check_result; + if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) + { + DHerr(DH_F_COMPUTE_KEY,DH_R_MODULUS_TOO_LARGE); + goto err; + } + ctx = BN_CTX_new(); if (ctx == NULL) goto err; BN_CTX_start(ctx); --- openssl-0.9.8a.orig/crypto/pkcs7/pk7_mime.c +++ openssl-0.9.8a/crypto/pkcs7/pk7_mime.c 
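Review bot: The new size check in `compute_key` jumps to `err` while `ctx` is still NULL, which is why the declaration now initialises it, but the cleanup at `err` is outside the hunk and this patch contains no other dh_key.c hunk. If that cleanup calls `BN_CTX_end(ctx)` without a NULL test, the early exit dereferences a NULL context. Either guard the cleanup with `if (ctx != NULL)` or use `return -1;` here, as the RSA and DSA checks in this patch do. Separately, the error is raised as `DH_F_COMPUTE_KEY` although dh.h and dh_err.c in this same patch add `DH_F_DH_COMPUTE_KEY`, so one of the two names looks unintended.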
@@ -335,9 +335,9 @@ if(strcmp(hdr->value, "application/x-pkcs7-signature") && strcmp(hdr->value, "application/pkcs7-signature")) { - sk_MIME_HEADER_pop_free(headers, mime_hdr_free); PKCS7err(PKCS7_F_SMIME_READ_PKCS7,PKCS7_R_SIG_INVALID_MIME_TYPE); ERR_add_error_data(2, "type: ", hdr->value); + sk_MIME_HEADER_pop_free(headers, mime_hdr_free); sk_BIO_pop_free(parts, BIO_vfree); return NULL; } --- openssl-0.9.8a.orig/crypto/bio/bss_conn.c +++ openssl-0.9.8a/crypto/bio/bss_conn.c @@ -469,7 +469,7 @@ break; case BIO_C_DO_STATE_MACHINE: /* use this one to start the connection */ - if (!(data->state != BIO_CONN_S_OK)) + if (data->state != BIO_CONN_S_OK) ret=(long)conn_state(b,data); else ret=1; --- openssl-0.9.8a.orig/crypto/rc4/asm/rc4-x86_64.pl +++ openssl-0.9.8a/crypto/rc4/asm/rc4-x86_64.pl @@ -1,4 +1,4 @@ -#!/usr/bin/env perl +#!/usr/local/bin/perl # # ==================================================================== # Written by Andy Polyakov for the OpenSSL --- openssl-0.9.8a.orig/crypto/md4/md4.h +++ openssl-0.9.8a/crypto/md4/md4.h @@ -59,6 +59,7 @@ #ifndef HEADER_MD4_H #define HEADER_MD4_H +#include #include #ifdef __cplusplus --- openssl-0.9.8a.orig/crypto/rsa/rsa_err.c +++ openssl-0.9.8a/crypto/rsa/rsa_err.c @@ -137,6 +137,7 @@ {ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) ,"iqmp not inverse of q"}, {ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"}, {ERR_REASON(RSA_R_LAST_OCTET_INVALID) ,"last octet invalid"}, +{ERR_REASON(RSA_R_MODULUS_TOO_LARGE) ,"modulus too large"}, {ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT) ,"no public exponent"}, {ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"}, {ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"}, --- openssl-0.9.8a.orig/crypto/rsa/rsa_eay.c +++ openssl-0.9.8a/crypto/rsa/rsa_eay.c 
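Review bot: Nothing at the moved `sk_MIME_HEADER_pop_free(headers, mime_hdr_free);` call in pk7_mime.c says why it must come after `ERR_add_error_data(2, "type: ", hdr->value);`, so a later tidy-up could move the free back above the last use. `hdr` presumably points into `headers`; add `/* hdr belongs to headers: free only after the last use of hdr->value */` above the call. The function continues outside the hunk, so its other error exits are worth checking for the same free-before-use ordering.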
@@ -168,6 +168,28 @@ unsigned char *buf=NULL; BN_CTX *ctx=NULL; + if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) + { + RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); + return -1; + } + + if (BN_ucmp(rsa->n, rsa->e) <= 0) + { + RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); + return -1; + } + + /* for large moduli, enforce exponent limit */ + if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) + { + if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) + { + RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE); + return -1; + } + } + if ((ctx=BN_CTX_new()) == NULL) goto err; BN_CTX_start(ctx); f = BN_CTX_get(ctx); @@ -574,6 +596,28 @@ unsigned char *buf=NULL; BN_CTX *ctx=NULL; + if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) + { + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); + return -1; + } + + if (BN_ucmp(rsa->n, rsa->e) <= 0) + { + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); + return -1; + } + + /* for large moduli, enforce exponent limit */ + if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS) + { + if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS) + { + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE); + return -1; + } + } + if((ctx = BN_CTX_new()) == NULL) goto err; BN_CTX_start(ctx); f = BN_CTX_get(ctx); --- openssl-0.9.8a.orig/crypto/rsa/rsa_sign.c +++ openssl-0.9.8a/crypto/rsa/rsa_sign.c 
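Review bot: The same validation block is pasted into both public-key entry points in rsa_eay.c, differing only in the function code passed to `RSAerr`, so a later change to one limit can easily miss the other copy. Moving it into one static helper that takes the function code keeps the two paths identical. The test `BN_ucmp(rsa->n, rsa->e) <= 0` also deserves a comment saying that the exponent must be smaller than the modulus. Both checks read `rsa->n` and `rsa->e` before any NULL test visible in the hunks. Both functions start and end outside the hunks, so confirm the callers guarantee that.

```c
/* Bound the public modulus and exponent before any bignum work is done.
 * Returns 1 if the key is acceptable, 0 (with an error queued) otherwise. */
static int rsa_public_params_ok(const RSA *rsa, int func)
	{
	if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
		{
		RSAerr(func, RSA_R_MODULUS_TOO_LARGE);
		return 0;
		}

	/* the public exponent must be smaller than the modulus */
	if (BN_ucmp(rsa->n, rsa->e) <= 0)
		{
		RSAerr(func, RSA_R_BAD_E_VALUE);
		return 0;
		}

	/* for large moduli, enforce exponent limit */
	if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS
		&& BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
		{
		RSAerr(func, RSA_R_BAD_E_VALUE);
		return 0;
		}

	return 1;
	}

/* ... unchanged: declarations at the top of the public-encrypt function ... */
	if (!rsa_public_params_ok(rsa, RSA_F_RSA_EAY_PUBLIC_ENCRYPT))
		return -1;

/* ... unchanged: declarations at the top of the public-decrypt function ... */
	if (!rsa_public_params_ok(rsa, RSA_F_RSA_EAY_PUBLIC_DECRYPT))
		return -1;
```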
@@ -185,6 +185,23 @@ sig=d2i_X509_SIG(NULL,&p,(long)i); if (sig == NULL) goto err; + + /* Excess data can be used to create forgeries */ + if(p != s+i) + { + RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE); + goto err; + } + + /* Parameters to the signature algorithm can also be used to + create forgeries */ + if(sig->algor->parameter + && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL) + { + RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE); + goto err; + } + sigtype=OBJ_obj2nid(sig->algor->algorithm); --- openssl-0.9.8a.orig/crypto/rsa/rsa.h +++ openssl-0.9.8a/crypto/rsa/rsa.h @@ -159,6 +159,11 @@ BN_BLINDING *mt_blinding; }; +#define OPENSSL_RSA_MAX_MODULUS_BITS 16384 + +#define OPENSSL_RSA_SMALL_MODULUS_BITS 3072 +#define OPENSSL_RSA_MAX_PUBEXP_BITS 64 /* exponent limit enforced for "small" modulus only */ + #define RSA_3 0x3L #define RSA_F4 0x10001L @@ -413,6 +418,7 @@ #define RSA_R_OAEP_DECODING_ERROR 121 #define RSA_R_SLEN_RECOVERY_FAILED 135 #define RSA_R_PADDING_CHECK_FAILED 114 +#define RSA_R_MODULUS_TOO_LARGE 105 #define RSA_R_P_NOT_PRIME 128 #define RSA_R_Q_NOT_PRIME 129 #define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130 --- openssl-0.9.8a.orig/crypto/perlasm/x86_64-xlate.pl +++ openssl-0.9.8a/crypto/perlasm/x86_64-xlate.pl @@ -1,4 +1,4 @@ -#!/usr/bin/env perl +#!/usr/local/bin/perl # Ascetic x86_64 AT&T to MASM assembler translator by . # --- openssl-0.9.8a.orig/debian/control +++ openssl-0.9.8a/debian/control 
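Review bot: The comment on `OPENSSL_RSA_MAX_PUBEXP_BITS` in rsa.h says the exponent limit is enforced for "small" modulus only, but the rsa_eay.c hunks in this patch apply it when `BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS`, that is, for large moduli. Reword it to match the code: `/* exponent limit enforced for moduli larger than OPENSSL_RSA_SMALL_MODULUS_BITS */`. The three limits are also defined unconditionally. Wrapping each in `#ifndef` would let a builder tighten them from the command line without editing the header.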
@@ -0,0 +1,69 @@
+Source: openssl
+Build-Depends: debhelper (>= 4.2.0), binutils (>= 2.14.90.0.7), zlib1g-dev, m4, bc
+Section: utils
+Priority: optional
+Maintainer: Debian OpenSSL Team
+Uploaders: Christoph Martin , Kurt Roeckx
+Standards-Version: 3.6.1
+
+Package: openssl
+Priority: optional
+Architecture: any
+Depends: ${shlibs:Depends}, ${perl:Depends}
+Conflicts: ssleay (<< 0.9.2b)
+Suggests: ca-certificates
+Description: Secure Socket Layer (SSL) binary and related cryptographic tools
+ This package contains the openssl binary and related tools.
+ .
+ It is part of the OpenSSL implementation of SSL.
+ .
+ You need it to perform certain cryptographic actions like:
+ o Creation of RSA, DH and DSA Key Parameters
+ o Creation of X.509 Certificates, CSRs and CRLs
+ o Calculation of Message Digests
+ o Encryption and Decryption with Ciphers
+ o SSL/TLS Client and Server Tests
+ o Handling of S/MIME signed or encrypted Mail
+
+Package: libssl0.9.8
+Section: libs
+Priority: important
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Conflicts: ssleay (<< 0.9.2b), libssl, openssl (<< 0.9.6-2), libssl096-dev (<< 0.9.6-2)
+Description: SSL shared libraries
+ libssl and libcrypto shared libraries needed by programs like
+ apache-ssl, telnet-ssl and openssh.
+ .
+ It is part of the OpenSSL implementation of SSL.
+
+Package: libcrypto0.9.8-udeb
+XC-Package-Type: udeb
+Section: debian-installer
+Priority: optional
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Provides: libssl0.9.8
+Description: crypto shared library - udeb
+ libcrypto shared library.
+ .
+ Do not install it on a normal system.
+
+Package: libssl-dev
+Section: libdevel
+Priority: optional
+Architecture: any
+Depends: libssl0.9.8 (= ${Source-Version}), zlib1g-dev
+Conflicts: ssleay (<< 0.9.2b), libssl08-dev, libssl09-dev, libssl095a-dev, libssl096-dev
+Description: SSL development libraries, header files and documentation
+ libssl and libcrypt development libraries, header files and manpages
+ .
+ It is part of the OpenSSL implementation of SSL.
+
+Package: libssl0.9.8-dbg
+Section: libdevel
+Priority: extra
+Architecture: any
+Depends: libssl0.9.8 (= ${Source-Version})
+Description: Symbol tables for libssl and libcrypt
+ This package is part of the OpenSSL implementation of SSL.
--- openssl-0.9.8a.orig/debian/openssl.postinst
+++ openssl-0.9.8a/debian/openssl.postinst
@@ -0,0 +1,9 @@
+#!/bin/sh -e
+
+if [ ! -e /usr/lib/ssl ]
+then
+ echo Linking /usr/lib/ssl to /etc/ssl
+ ln -sf /etc/ssl /usr/lib/ssl
+fi
+
+#DEBHELPER#
--- openssl-0.9.8a.orig/debian/openssl.preinst
+++ openssl-0.9.8a/debian/openssl.preinst
@@ -0,0 +1,36 @@
+#!/bin/sh -e
+
+if [ -L /etc/ssl ]
+then
+ echo Removing obsolete link /etc/ssl
+ rm /etc/ssl
+fi
+if [ ! -d /etc/ssl ]
+then
+ echo Creating directory /etc/ssl
+ mkdir /etc/ssl
+fi
+if [ -d /usr/lib/ssl ]
+then
+ for file in lib certs private
+ do
+ if [ -e /usr/lib/ssl/$file -a ! -L /usr/lib/ssl/$file ]
+ then
+ echo Moving $file from /usr/lib/ssl to /etc/ssl
+ cp -av /usr/lib/ssl/$file /etc/ssl || true
+ rm -fr /usr/lib/ssl/$file
+ fi
+ done
+fi
+if [ -L /usr/lib/ssl ]
+then
+ echo Removeing obsolete link /usr/lib/ssl
+ rm /usr/lib/ssl
+fi
+if [ -e /etc/ssl/lib/openssl.cnf ]
+then
+ echo Moving openssl.cnf
+ mv /etc/ssl/lib/openssl.cnf /etc/ssl/
+fi
+
+#DEBHELPER#
--- openssl-0.9.8a.orig/debian/rules
+++ openssl-0.9.8a/debian/rules
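Review bot: In the `for file in lib certs private` loop of openssl.preinst a failed copy is ignored by `|| true`, and the next line still runs `rm -fr /usr/lib/ssl/$file`. An error while copying (full disk, permissions) therefore deletes the only copy of the certificates or private keys. Make the removal depend on the copy, `cp -av /usr/lib/ssl/$file /etc/ssl && rm -fr /usr/lib/ssl/$file`, or simply drop `|| true` so that `sh -e` aborts the script before the `rm`. Quoting `"$file"` and the paths is the safer habit too, even though the list is fixed here.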
@@ -0,0 +1,173 @@ +#!/usr/bin/make -f +# Sample debian.rules file - for GNU Hello (1.3). +# Copyright 1994,1995 by Ian Jackson. +# I hereby give you perpetual unlimited permission to copy, +# modify and relicense this file, provided that you do not remove +# my name from the file itself. (I assert my moral right of +# paternity under the Copyright, Designs and Patents Act 1988.) +# This file may have to be extensively modified +# +# Modified to be a prototype for debmake by Christoph Lameter +SHELL=/bin/bash +export DH_COMPAT=3 + +package=openssl + +# For generating the manpages +export VERSION=$(shell dpkg-parsechangelog | grep '^Version:' | sed -e 's/^.*://' -e 's/-.*//') + +# The binary architeture +DEB_HOST_ARCH = $(shell dpkg-architecture -qDEB_HOST_ARCH) + +CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl no-idea no-mdc2 no-rc5 zlib +OPT_alpha = ev4 ev5 +OPT_i386 = i486 i586 i686/cmov +OPT_sparc = v8 v9 +ARCHOPTS = OPT_$(DEB_HOST_ARCH) +OPTS = $($(ARCHOPTS)) +WANTED_LIBC_VERSION = 2.3.1-10 + +build: + dh_testdir + perl util/perlpath.pl /usr/bin +# perl util/ssldir.pl /usr/lib/ssl +# chmod +x debian/libtool + ./Configure no-shared $(CONFARGS) debian-$(DEB_HOST_ARCH) + make -f Makefile DIRS="crypto ssl" all + -make test + mv libcrypto.a libcrypto.static + mv libssl.a libssl.static + make -f Makefile DIRS="crypto ssl" clean + test -z "$(OPTS)" || for opt in $(OPTS); \ + do \ + set -xe; \ + ./Configure shared $(CONFARGS) debian-$(DEB_HOST_ARCH)-$$opt; \ + make -f Makefile DIRS="crypto ssl" all; \ + make test || /bin/true; \ + mkdir -p $$opt; \ + mv libcrypto.so* libssl.so* $$opt/; \ + make -f Makefile DIRS="crypto ssl" clean; \ + done + ./Configure shared $(CONFARGS) debian-$(DEB_HOST_ARCH) + #make -f Makefile depend + ln -sf apps/openssl.pod crypto/crypto.pod ssl/ssl.pod doc/ +# make -f Makefile linux-shared + make -f Makefile all + -make test +# strip apps/openssl +# make -f Makefile clean DIRS="crypto ssl" +# ./Configure --prefix=/usr 
--openssldir=/usr/lib/ssl no-idea no-mdc2 no-rc5 debian-$(DEB_HOST_ARCH) +# make -f Makefile all DIRS="crypto ssl" + touch build + +clean: + dh_testdir + dh_testroot + -rm -f build + -perl util/perlpath.pl /usr/bin + -./Configure $(CONFARGS) debian-$(DEB_HOST_ARCH) + -make -f Makefile clean clean-shared + #-make -f Makefile dclean + -perl util/perlpath.pl /usr/local/bin/perl +# perl util/ssldir.pl /usr/local/ssl + -rm -f test/.rnd test/testkey.pem test/testreq.pem test/certCA.srl + -rm -f util/mk1mf.bak Makefile.bak `find . -name Makefile.save` + -rm -f crypto/pem/ctx_size + -rm -f `find . -name "*~"` + -rm -f `find . -name "*.orig" -o -name "*.rej"` + -rm -f certs/*.0 certs/*.1 +# -rm -rf debian/tmp debian/files* core `find debian/* -type d` + -rm -rf core $(OPTS) + -rm doc/*.pod + -rm -f libcrypto.* libssl.* + -cd test && rm -f .rnd tmp.bntest tmp.bctest *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff bntest ectest ecdsatest ecdhtest ideatest md2test md4test md5test hmactest rc2test rc4test rc5test destest shatest sha1test sha256t sha512t mdc2test rmdtest randtest dhtest enginetest bftest casttest ssltest exptest dsatest rsa_test evp_test *.ss *.srl log dummytest newkey.pem + dh_clean + +binary-indep: build + dh_testdir + dh_testroot +# There are no architecture-independent files to be uploaded +# generated by this package. If there were any they would be +# made here. 
+ +binary-arch: build + dh_testdir + dh_testroot + dh_clean +# -rm -rf debian/tmp `find debian/* -type d` + install -d debian/tmp debian/libssl0.9.8 debian/libssl-dev +# cd debian/tmp && install -d `cat ../dirs` +# cd debian/libssl09 && install -d `cat ../libssl09.dirs` +# cd debian/libssl09-dev && install -d `cat ../libssl09-dev.dirs` + dh_installdirs +#openssl install + make -f Makefile install INSTALL_PREFIX=`pwd`/debian/tmp +# rm debian/tmp/usr/share/man/man1/openssl.1 +# rm debian/tmp/usr/share/man/man3/crypto.3 +# rm debian/tmp/usr/share/man/man3/ssl.3 +# rm debian/tmp/usr/lib/libcrypto.a +# rm debian/tmp/usr/lib/libssl.a + # pic static libraries, nobody should need them +# mv debian/tmp/usr/lib/libcrypto.a debian/tmp/usr/lib/libcrypto_pic.a +# mv debian/tmp/usr/lib/libssl.a debian/tmp/usr/lib/libssl_pic.a + cp -pf libcrypto.static debian/tmp/usr/lib/libcrypto.a + cp -pf libssl.static debian/tmp/usr/lib/libssl.a +# mv debian/tmp/usr/lib/ssl/bin debian/tmp/usr/bin/ssl +# (cd debian/tmp/usr/lib/ssl; ln -s /usr/bin/ssl bin) +# mv debian/tmp/usr/lib/ssl/include debian/tmp/usr/include/ssl +# (cd debian/tmp/usr/lib/ssl; ln -s /usr/include/ssl include) +# chmod -x debian/tmp/usr/lib/*.so.* +# mv debian/tmp/usr/lib/*.a debian/libssl09-dev/usr/lib/ +# mv debian/tmp/usr/lib/*.so debian/libssl09-dev/usr/lib/ +# mv debian/tmp/usr/lib/*.so.*.*.* debian/libssl09/usr/lib/ +# mv debian/tmp/usr/lib/*.la debian/libssl09-dev/usr/lib/ +# mv debian/tmp/usr/include debian/libssl09-dev/usr/ + mkdir -p debian/tmp/etc/ssl + mv debian/tmp/usr/lib/ssl/{certs,openssl.cnf,private} debian/tmp/etc/ssl/ + ln -s /etc/ssl/{certs,openssl.cnf,private} debian/tmp/usr/lib/ssl/ + cp -pf debian/tmp/usr/lib/libcrypto.so.* debian/libcrypto0.9.8-udeb/usr/lib/ + cp -auv lib*.so* debian/tmp/usr/lib/ +# cp -auv lib*.a debian/tmp/usr/lib/ + for opt in $(OPTS); do set -xe; mkdir -p debian/tmp/usr/lib/$$opt; cp -auv $$opt/lib*.so* debian/tmp/usr/lib/$$opt/; done + install debian/copyright 
debian/libssl0.9.8/usr/share/doc/libssl0.9.8/ + install debian/changelog debian/libssl0.9.8/usr/share/doc/libssl0.9.8/changelog.Debian + install debian/copyright debian/libssl-dev/usr/share/doc/libssl-dev/ + install debian/changelog debian/libssl-dev/usr/share/doc/libssl-dev/changelog.Debian +# (cd debian/tmp/usr/doc/openssl/doc; for f in *.doc*; do mv "$$f" "$$(echo $$f | sed -e 's/doc/txt/')";done) +# (cd doc; for f in *; do install "$$f" ../debian/tmp/usr/share/doc/openssl/doc/"$$(echo $$f | sed -e 's/doc/txt/')";done) +# debstd -u CHANGES* LICENSE README NEWS + dh_installdocs CHANGES.SSLeay LICENSE README NEWS debian/README.optimization + dh_installexamples + dh_installchangelogs CHANGES +# dh_installmenu +# dh_installcron + dh_installman -popenssl + dh_installdebconf +# dh_undocumented c_rehash.1 + dh_movefiles +# rmdir debian/tmp/usr/lib/ssl/lib +# rmdir debian/tmp/usr/include/openssl +# rmdir debian/tmp/usr/include +# for opt in $(OPTS); do set -xe; rm -fr debian/tmp/usr/lib/$$opt; done + dh_compress + chmod 700 debian/openssl/etc/ssl/private + dh_fixperms -X etc/ssl/private + dh_strip --dbg-package=libssl0.9.8 + dh_perl -d +# dh_suidregister + dh_makeshlibs -V "libssl0.9.8 (>= 0.9.8a-1)" + dh_shlibdeps -L libssl0.9.8 -l debian/libssl0.9.8/usr/lib + dh_gencontrol + dh_installdeb + dh_md5sums + dh_builddeb + echo -en "\a" + +# Below here is fairly generic really + +binary: binary-indep binary-arch + +source diff: + @echo >&2 'source and diff are obsolete - use dpkg-source -b'; false + +.PHONY: binary binary-arch binary-indep clean --- openssl-0.9.8a.orig/debian/po/da.po +++ openssl-0.9.8a/debian/po/da.po 
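Review bot: Test-suite failures never stop the `build` target in debian/rules, because the recipe runs `-make test` twice and `make test || /bin/true` inside the per-optimisation loop. A libcrypto that fails its own self-tests is therefore still packaged. For a cryptographic library the tests are the main guard against a miscompiled or mispatched build, and this diff patches bignum, ASN.1 and signature-verification code. Drop the leading `-` and the `|| /bin/true`. If some architecture is known to fail, limit the tolerance to that `DEB_HOST_ARCH` and say why in a comment.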
@@ -0,0 +1,70 @@
+# translation of openssl_0.9.7d-1_templates.po to Danish
+#
+# Translators, if you are not familiar with the PO format, gettext
+# documentation is worth reading, especially sections dedicated to
+# this format, e.g. by running:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+# Some information specific to po-debconf are available at
+# /usr/share/doc/po-debconf/README-trans
+# or http://www.debian.org/intl/l10n/po-debconf/README-trans#
+# Developers do not need to manually edit POT or PO files.
+# Claus Hindsgaul , 2004.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: openssl_0.9.7d-1_templates\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-03-22 18:34+0100\n"
+"PO-Revision-Date: 2004-04-02 16:08+0200\n"
+"Last-Translator: Claus Hindsgaul \n"
+"Language-Team: Danish \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=ISO-8859-1\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: KBabel 1.3.1\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid "Which services should be restarted to make them use the new libraries?"
+msgstr "Hvilke services skal genstartes, så de benytter de nye biblioteker?"
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"Security holes were fixed with this release. Services may not use these "
+"fixes until they are restarted. Note: restarting sshd should not affect any "
+"existing connections."
+msgstr ""
+"Der lukket nogle sikkerhedshuller i denne version af openssl. Disse huller "
+"bliver ikke lukket i dine services før de er blevet genstartet. Bemærk at "
+"det ikke vil påvirke eksisterende forbindelser at genstarte ssh."
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"Following is a list of detected services that need to be restarted. Please "
+"correct the list, if you think it is incorrect.
The services names must be "
+"identical to the script names in /etc/init.d and must be separated by "
+"spaces. If you clear the list, no services will be restarted."
+msgstr ""
+"Herunder ser du en liste over fundne services, som bør genstartes. Ret "
+"listen, hvis du mener at den ikke er korrekt. Servicenavnene skal være "
+"identiske med skriptnavnene i /etc/init.d, og skal adskilles med mellemrum. "
+"Hvis du sletter listen, vil ingen services blive genstartet."
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"If other services begin to fail mysteriously after this upgrade, it may be "
+"necessary to restart them too. We strongly recommend you to reboot your "
+"machine to avoid the SSL related trouble."
+msgstr ""
+"Hvis andre services begynder at fejle på mystisk vis efter denne "
+"opgradering, kan det være nødvendigt også at genstarte disse. Vi anbefaler "
+"dig kraftigt at genstarte din maskine for at undgå SSL-relaterede problemer."
--- openssl-0.9.8a.orig/debian/po/pt_BR.po
+++ openssl-0.9.8a/debian/po/pt_BR.po
@@ -0,0 +1,69 @@
+#
+# Translators, if you are not familiar with the PO format, gettext
+# documentation is worth reading, especially sections dedicated to
+# this format, e.g. by running:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+#
+# Some information specific to po-debconf are available at
+# /usr/share/doc/po-debconf/README-trans
+# or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+# Developers do not need to manually edit POT or PO files.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: openssl\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-03-22 18:34+0100\n"
+"PO-Revision-Date: 2004-04-04 15:21-0300\n"
+"Last-Translator: André Luís Lopes \n"
+"Language-Team: Debian-BR Project \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=ISO-8859-1\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid "Which services should be restarted to make them use the new libraries?"
+msgstr "Quais serviços devem ser reiniciados para utilizar novas bibliotecas ?"
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"Security holes were fixed with this release. Services may not use these "
+"fixes until they are restarted. Note: restarting sshd should not affect any "
+"existing connections."
+msgstr ""
+"Falhas de segurança foram corrigidas nesta versão. Alguns serviços podem não "
+"utilizar estas correções até que sejam reiniciados. Note : reiniciar o sshd "
+"não afetará nenhuma conexão já estabelecida."
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"Following is a list of detected services that need to be restarted. Please "
+"correct the list, if you think it is incorrect. The services names must be "
+"identical to the script names in /etc/init.d and must be separated by "
+"spaces. If you clear the list, no services will be restarted."
+msgstr ""
+"A seguir será exibida uma lista de serviços que foram detectados e que "
+"precisam ser reiniciados. Por favor, corrija a lista caso você tenha certeza "
+"que ela esteja incorreta. Os nomes dos serviços devem ser idênticos aos "
+"nomes dos scripts sob o diretório /etc/init.d e devem estar separados por "
+"espaços. Caso você esvazie a lista, nenhum serviço será reiniciado."
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"If other services begin to fail mysteriously after this upgrade, it may be "
+"necessary to restart them too. We strongly recommend you to reboot your "
+"machine to avoid the SSL related trouble."
+msgstr ""
+"Caso outros serviços comecem a falhar misteriosamente após esta atualização, "
+"pode ser necessário reiniciá-los também. Recomendados fortemente que você "
+"reinicie sua máquina para evitar problemas relacionados a SSL."
--- openssl-0.9.8a.orig/debian/po/POTFILES.in
+++ openssl-0.9.8a/debian/po/POTFILES.in
@@ -0,0 +1 @@
+[type: gettext/rfc822deb] libssl0.9.8.templates
--- openssl-0.9.8a.orig/debian/po/cs.po
+++ openssl-0.9.8a/debian/po/cs.po
@@ -0,0 +1,68 @@
+#
+# Translators, if you are not familiar with the PO format, gettext
+# documentation is worth reading, especially sections dedicated to
+# this format, e.g. by running:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+#
+# Some information specific to po-debconf are available at
+# /usr/share/doc/po-debconf/README-trans
+# or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+# Developers do not need to manually edit POT or PO files.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: openssl\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-03-22 18:34+0100\n"
+"PO-Revision-Date: 2004-09-26 17:40+0200\n"
+"Last-Translator: Miroslav Kure \n"
+"Language-Team: Czech \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=ISO-8859-2\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid "Which services should be restarted to make them use the new libraries?"
+msgstr "Které slu¾by se mají restartovat, aby zaèaly vyu¾ívat nové knihovny?"
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"Security holes were fixed with this release. Services may not use these "
+"fixes until they are restarted. Note: restarting sshd should not affect any "
+"existing connections."
+msgstr ""
+"V této verzi balíku byly opraveny bezbeènostní chyby. Tyto opravy se v "
+"programech projeví a¾ po jejich restartu. Poznámka: restart sshd by nemìl "
+"ovlivnit stávající spojení."
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"Following is a list of detected services that need to be restarted. Please "
+"correct the list, if you think it is incorrect. The services names must be "
+"identical to the script names in /etc/init.d and must be separated by "
+"spaces. If you clear the list, no services will be restarted."
+msgstr ""
+"Následuje seznam rozpoznaných slu¾eb, které je tøeba restartovat.
Pokud se "
+"vám zdá, ¾e je tento seznam chybný, mù¾ete jej opravit. Názvy slu¾eb musí "
+"být shodné s názvy skriptù v adresáøi /etc/init.d a musí být oddìleny "
+"mezerami. Pokud seznam vyma¾ete, nebude restartována ¾ádná slu¾ba."
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"If other services begin to fail mysteriously after this upgrade, it may be "
+"necessary to restart them too. We strongly recommend you to reboot your "
+"machine to avoid the SSL related trouble."
+msgstr ""
+"Jestli¾e po této aktualizaci zaènou selhávat nìkteré slu¾by, mo¾ná bude "
+"nutné je takté¾ restartovat. Abyste se vyhnuli problémùm spojených se SSL, "
+"doporuèujeme restartovat celý poèítaè."
--- openssl-0.9.8a.orig/debian/po/nl.po
+++ openssl-0.9.8a/debian/po/nl.po
@@ -0,0 +1,71 @@
+# Translators, if you are not familiar with the PO format, gettext
+# documentation is worth reading, especially sections dedicated to
+# this format, e.g. by running:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+#
+# Some information specific to po-debconf are available at
+# /usr/share/doc/po-debconf/README-trans
+# or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+# Developers do not need to manually edit POT or PO files.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: openssl 0.9.7d-5\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-03-22 18:34+0100\n"
+"PO-Revision-Date: 2004-08-01 18:31+0100\n"
+"Last-Translator: Luk Claes \n"
+"Language-Team: Debian l10n Dutch \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=iso-8859-1\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid "Which services should be restarted to make them use the new libraries?"
+msgstr ""
+"Welke diensten moeten herstart worden om ze de nieuwe bibliotheken te laten "
+"gebruiken?"
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"Security holes were fixed with this release. Services may not use these "
+"fixes until they are restarted. Note: restarting sshd should not affect any "
+"existing connections."
+msgstr ""
+"Er zijn veiligheidslekken gedicht in deze release. Diensten gebruiken deze "
+"versie misschien niet totdat ze herstart zijn. Merk op: sshd herstarten zou "
+"geen effect mogen hebben op bestaande verbindingen."
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"Following is a list of detected services that need to be restarted. Please "
+"correct the list, if you think it is incorrect. The services names must be "
+"identical to the script names in /etc/init.d and must be separated by "
+"spaces. If you clear the list, no services will be restarted."
+msgstr ""
+"Hierna volgt een lijst van gedetecteerde diensten die herstart moeten "
+"worden. Verbeter de lijst, als u denkt dat ze incorrect is. De namen moeten "
+"overeenkomen met de script-namen in /etc/init.d en moeten gescheiden worden "
+"door spaties. Als u de lijst ledigt, dan zullen er geen diensten worden "
+"herstart."
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"If other services begin to fail mysteriously after this upgrade, it may be "
+"necessary to restart them too. We strongly recommend you to reboot your "
+"machine to avoid the SSL related trouble."
+msgstr ""
+"Als er andere diensten mysterieus beginnen te falen na deze opwaardering, "
+"kan het nodig zijn om ze ook te herstarten. Er wordt u ten zeerste "
+"aanbevolen uw machine te herstarten om SSL-gerelateerde problemen te "
+"vermijden."
--- openssl-0.9.8a.orig/debian/po/vi.po
+++ openssl-0.9.8a/debian/po/vi.po
@@ -0,0 +1,61 @@ +# Vietnamese translation for openssl. +# Copyright © 2005 Free Software Foundation, Inc. +# Clytie Siddall , 2005. +# +msgid "" +msgstr "" +"Project-Id-Version: openssl 0.9.7g-1\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2004-03-22 18:34+0100\n" +"PO-Revision-Date: 2005-07-03 12:49+0930\n" +"Last-Translator: Clytie Siddall \n" +"Language-Team: Vietnamese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=utf-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=1; plural=0\n" +"X-Generator: LocFactoryEditor 1.2.2\n" + +#. Type: string +#. Description +#: ../libssl0.9.7.templates:3 +msgid "Which services should be restarted to make them use the new libraries?" +msgstr "Äể dùng những thÆ° viên má»›i, cần phải khởi chạy lại dịch vụ nào?" + +#. Type: string +#. Description +#: ../libssl0.9.7.templates:3 +msgid "" +"Security holes were fixed with this release. Services may not use these " +"fixes until they are restarted. Note: restarting sshd should not affect any " +"existing connections." +msgstr "" +"Phiên bản phát hành này đã sá»­a má»™t số lá»— hổng bảo mật rồi. Dịch vụ sẽ dùng " +"mã đã sá»­a chỉ sau khi khởi chạy lại thôi. Ghi chú: khởi chạy lại sshd nên " +"không làm ảnh hưởng đến sá»± kết nối hiện thá»i nào." + +#. Type: string +#. Description +#: ../libssl0.9.7.templates:3 +msgid "" +"Following is a list of detected services that need to be restarted. Please " +"correct the list, if you think it is incorrect. The services names must be " +"identical to the script names in /etc/init.d and must be separated by " +"spaces. If you clear the list, no services will be restarted." +msgstr "" +"Theo đây có má»™t danh sách dịch vụ đã phát hiện mà cần phải khởi chạy lại. " +"Bạn hãy sá»­a danh sách nếu chÆ°a đúng. Tên dịch vụ phải là cùng má»™t tên vá»›i " +"tên tập lệnh trong «/etc/init.d», những tên định giá»›i bằng dấu cách. Nếu bạn " +"xóa hết danh sách thì sẽ không khởi chạy lại dịch vụ nào." + +#. 
Type: string +#. Description +#: ../libssl0.9.7.templates:3 +msgid "" +"If other services begin to fail mysteriously after this upgrade, it may be " +"necessary to restart them too. We strongly recommend you to reboot your " +"machine to avoid the SSL related trouble." +msgstr "" +"Nếu dịch vụ khác má»›i bị lá»—i má»™t cách lạ sau việc nâng cấp này, có lẽ bạn " +"cÅ©ng cần phải khởi chạy lại chúng. Khuyến khích nặng bạn khởi Ä‘á»™ng máy này " +"để tránh lá»—i liên quan đến SSL." --- openssl-0.9.8a.orig/debian/po/es.po +++ openssl-0.9.8a/debian/po/es.po 
@@ -0,0 +1,85 @@
+# openssl translation to spanish
+# Copyright (C) 2004 Software in the Public Interest
+# This file is distributed under the same license as the openssl package.
+#
+# Changes:
+# - Initial translation
+# Lucas Wall , 2004
+#
+#
+# Traductores, si no conoce el formato PO, merece la pena leer la
+# documentación de gettext, especialmente las secciones dedicadas a este
+# formato, por ejemplo ejecutando:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+#
+# Equipo de traducción al español, por favor lean antes de traducir
+# los siguientes documentos:
+#
+# - El proyecto de traducción de Debian al español
+# http://www.debian.org/intl/spanish/coordinacion
+# especialmente las notas de traducción en
+# http://www.debian.org/intl/spanish/notas
+#
+# - La guía de traducción de po's de debconf:
+# /usr/share/doc/po-debconf/README-trans
+# o http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: openssl 0.9.7d-3\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-03-22 18:34+0100\n"
+"PO-Revision-Date: 2004-06-12 15:23-0300\n"
+"Last-Translator: Lucas Wall \n"
+"Language-Team: Debian Spanish \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=ISO-8859-15\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid "Which services should be restarted to make them use the new libraries?"
+msgstr ""
+"¿Qué servicios desea reiniciar para que utilicen las nuevas bibliotecas?"
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"Security holes were fixed with this release. Services may not use these "
+"fixes until they are restarted. Note: restarting sshd should not affect any "
+"existing connections."
+msgstr ""
+"En esta versión se han solucionado problemas de seguridad. Los servicios "
+"afectados no gozarán de los arreglos hasta que no se hayan reiniciado.
Nota: "
+"reiniciar el servicio «sshd» no afectará ninguna de las conexiones "
+"existentes."
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"Following is a list of detected services that need to be restarted. Please "
+"correct the list, if you think it is incorrect. The services names must be "
+"identical to the script names in /etc/init.d and must be separated by "
+"spaces. If you clear the list, no services will be restarted."
+msgstr ""
+"Una lista de los servicios que deben ser reiniciados se presenta a "
+"continuación. Si cree que no es correcta haga los ajustes necesarios. Los "
+"nombres de los servicios deben ser iguales a los nombres de los ficheros en "
+"«/etc/init.d» y debe estar separados por espacios. Ningún servicio será "
+"reiniciado si deja la lista en blanco."
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"If other services begin to fail mysteriously after this upgrade, it may be "
+"necessary to restart them too. We strongly recommend you to reboot your "
+"machine to avoid the SSL related trouble."
+msgstr ""
+"Si, tras esta actualización, otros servicios comienzan a fallar en forma "
+"misteriosa puede ser necesario reiniciarlos también. Para evitar problemas "
+"relacionados con «SSL» se le recomienda reiniciar su sistema."
--- openssl-0.9.8a.orig/debian/po/ca.po
+++ openssl-0.9.8a/debian/po/ca.po
@@ -0,0 +1,59 @@
+# openssl (debconf) translation to Catalan.
+# Copyright (C) 2004 Free Software Foundation, Inc.
+# Aleix Badia i Bosch , 2004
+msgid ""
+msgstr ""
+"Project-Id-Version: openssl_0.9.7d-1_templates\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-03-22 18:34+0100\n"
+"PO-Revision-Date: 2004-04-08 19:46GMT\n"
+"Last-Translator: Aleix Badia i Bosch \n"
+"Language-Team: Catalan \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid "Which services should be restarted to make them use the new libraries?"
+msgstr ""
+"Quina serveis s'han de reiniciar perquè utilitzin les noves biblioteques?"
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"Security holes were fixed with this release. Services may not use these "
+"fixes until they are restarted. Note: restarting sshd should not affect any "
+"existing connections."
+msgstr ""
+"Aquesta versió resol els errors de seguretat. Els serveis no utilitzaran les "
+"correccions fins que no s'hagin reiniciat. Nota: reiniciant l'sshd no "
+"s'afectarà cap connexió existent."
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"Following is a list of detected services that need to be restarted. Please "
+"correct the list, if you think it is incorrect. The services names must be "
+"identical to the script names in /etc/init.d and must be separated by "
+"spaces. If you clear the list, no services will be restarted."
+msgstr ""
+"És una llista de serveis que s'ha detectat que s'haurien de reiniciar, "
+"corregiu-la si és incorrecta. El nom dels serveis hauria de ser idèntic als "
+"noms de les seqüències del directori /etc/init.d i haurien d'estar separats "
+"per espais. Si suprimiu la llista no es reiniciarà cap servei."
+
+#. Type: string
+#.
Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"If other services begin to fail mysteriously after this upgrade, it may be "
+"necessary to restart them too. We strongly recommend you to reboot your "
+"machine to avoid the SSL related trouble."
+msgstr ""
+"Si després de l'actualització d'altres serveis fallen de forma inexplicable, "
+"probablement també sigui necessari reiniciar-los. Us recomanem que per "
+"evitar els problemes relacionats amb l'SSL reinicieu l'ordinador."
--- openssl-0.9.8a.orig/debian/po/ja.po
+++ openssl-0.9.8a/debian/po/ja.po
@@ -0,0 +1,69 @@ +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# +# Developers do not need to manually edit POT or PO files. +# +# +msgid "" +msgstr "" +"Project-Id-Version: openssl 0.9.7d-1\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2004-03-22 18:34+0100\n" +"PO-Revision-Date: 2004-03-24 23:41+0900\n" +"Last-Translator: Hideki Yamane \n" +"Language-Team: Japanese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=EUC-JP\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../libssl0.9.7.templates:3 +msgid "Which services should be restarted to make them use the new libraries?" +msgstr "¤É¤Î¥µ¡¼¥Ó¥¹¤ò¿·¤·¤¤¥é¥¤¥Ö¥é¥ê¤ò»È¤¦¤¿¤á¤ËºÆµ¯Æ°¤·¤Þ¤¹¤«?" + +#. Type: string +#. Description +#: ../libssl0.9.7.templates:3 +msgid "" +"Security holes were fixed with this release. Services may not use these " +"fixes until they are restarted. Note: restarting sshd should not affect any " +"existing connections." +msgstr "" +"º£²ó¤Î¥ê¥ê¡¼¥¹¤Ç¥»¥­¥å¥ê¥Æ¥£¥Û¡¼¥ë¤¬½¤Àµ¤µ¤ì¤Þ¤·¤¿¡£³Æ¥µ¡¼¥Ó¥¹¤ÏºÆµ¯Æ°¤ò¹Ô¤¦" +"¤Þ¤Ç¤³¤Î½¤Àµ¤µ¤ì¤¿¥é¥¤¥Ö¥é¥ê¤òÍøÍѤ·¤Þ¤»¤ó¡£Ãí°Õ: sshd ¤ÎºÆµ¯Æ°¤Ï¸½¾õ¤ÎÀܳ¤Ë" +"¤Ï²¿¤é±Æ¶Á¤·¤Þ¤»¤ó¡£" + +#. Type: string +#. Description +#: ../libssl0.9.7.templates:3 +msgid "" +"Following is a list of detected services that need to be restarted. Please " +"correct the list, if you think it is incorrect. The services names must be " +"identical to the script names in /etc/init.d and must be separated by " +"spaces. If you clear the list, no services will be restarted." 
+msgstr "" +"°Ê²¼¤¬ºÆµ¯Æ°¤¬É¬ÍפÀ¤ÈȽÃǤµ¤ì¤¿¥µ¡¼¥Ó¥¹¤Î¥ê¥¹¥È¤Ç¤¹¡£´Ö°ã¤Ã¤Æ¤¤¤ë¤È»×¤Ã¤¿¤é" +"½¤Àµ¤·¤Æ¤¯¤À¤µ¤¤¡£¥µ¡¼¥Ó¥¹Ì¾¤Ï /etc/init.d ¤Ë¤¢¤ë¥¹¥¯¥ê¥×¥È¤Î̾Á°¤ò»Ø¤·¡¢¶õÇò" +"¤Ç¶èÀÚ¤ëɬÍפ¬¤¢¤ê¤Þ¤¹¡£¥ê¥¹¥È¤¬¶õ¤Î¾ì¹ç¤Ï¡¢¥µ¡¼¥Ó¥¹¤ÎºÆµ¯Æ°¤ÏɬÍפ¢¤ê¤Þ¤»" +"¤ó¡£" + +#. Type: string +#. Description +#: ../libssl0.9.7.templates:3 +msgid "" +"If other services begin to fail mysteriously after this upgrade, it may be " +"necessary to restart them too. We strongly recommend you to reboot your " +"machine to avoid the SSL related trouble." +msgstr "" +"¾¤Î¥µ¡¼¥Ó¥¹¤¬¤³¤³¤Ç¤Î¥¢¥Ã¥×¥°¥ì¡¼¥É¤Î¸å¤Ë²¿¸Î¤«¥¨¥é¡¼¤òµ¯¤³¤·»Ï¤á¤¿¾ì¹ç¡¢¤½" +"¤ì¤é¤âºÆµ¯Æ°¤¹¤ëɬÍפ¬¤¢¤ê¤Þ¤¹¡£SSL ´ØÏ¢¤Î¥È¥é¥Ö¥ë¤òÈò¤±¤ë¤¿¤á¤Ë¥Þ¥·¥ó¤òºÆµ¯" +"Æ°¤¹¤ë¤Î¤ò¶¯¤¯¤ª´«¤á¤·¤Þ¤¹¡£" --- openssl-0.9.8a.orig/debian/po/it.po +++ openssl-0.9.8a/debian/po/it.po 
@@ -0,0 +1,62 @@
+# openssl po-debconf translation to Italian (it)
+# Copyright (C) 2006 Software in the Public Interest
+# This file is distributed under the same license as the openssl package.
+# Luca Monducci , 2006.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: openssl 0.9.8a italian debconf templates\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2005-12-15 05:03-0700\n"
+"PO-Revision-Date: 2006-01-26 20:57+0100\n"
+"Last-Translator: Luca Monducci \n"
+"Language-Team: Italian \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=ISO-8859-1\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: string
+#. Description
+#: ../libssl0.9.8.templates:3
+msgid "Which services should be restarted to make them use the new libraries?"
+msgstr ""
+"Servizi da riavviare per fare in modo che utilizzino le nuove librerie"
+
+#. Type: string
+#. Description
+#: ../libssl0.9.8.templates:3
+msgid ""
+"Security holes were fixed with this release. Services may not use these "
+"fixes until they are restarted. Note: restarting sshd should not affect any "
+"existing connections."
+msgstr ""
+"In questa release sono stati corretti dei problemi di sicureza. I servizi "
+"che non utilizzano queste correzioni se non sono riavviati. Nota: il "
+"riavvio di sshd non influenza nessuna delle connessioni esistenti."
+
+#. Type: string
+#. Description
+#: ../libssl0.9.8.templates:3
+msgid ""
+"Following is a list of detected services that need to be restarted. Please "
+"correct the list, if you think it is incorrect. The services names must be "
+"identical to the script names in /etc/init.d and must be separated by "
+"spaces. If you clear the list, no services will be restarted."
+msgstr ""
+"Segue un elenco dei servizi che devono essere riavviati, se nell'elenco si "
+"riscontrano degli errori si devono correggere. I nomi dei servizi devono "
+"essere identiti ai nomi degli script in /etc/init.d e devono essere "
+"separati con degli spazi.
Se l'elenco è vuoto non verrà riaviato nessun "
+"servizio."
+
+#. Type: string
+#. Description
+#: ../libssl0.9.8.templates:3
+msgid ""
+"If other services begin to fail mysteriously after this upgrade, it may be "
+"necessary to restart them too. We strongly recommend you to reboot your "
+"machine to avoid the SSL related trouble."
+msgstr ""
+"Se dopo questo aggiornamento si risconstrano dei problemi con altri "
+"servizi potrebbe essere necessario riavviarli. Si raccomanda di riavviare "
+"la macchina per evitare qualsiasi problema legato a SSL."
--- openssl-0.9.8a.orig/debian/po/fr.po
+++ openssl-0.9.8a/debian/po/fr.po
@@ -0,0 +1,69 @@
+#
+# Translators, if you are not familiar with the PO format, gettext
+# documentation is worth reading, especially sections dedicated to
+# this format, e.g. by running:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+# Some information specific to po-debconf are available at
+# /usr/share/doc/po-debconf/README-trans
+# or http://www.debian.org/intl/l10n/po-debconf/README-trans#
+# Developers do not need to manually edit POT or PO files.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: openssl_0.9.7c-5\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-03-22 18:34+0100\n"
+"PO-Revision-Date: 2003-10-22 21:37+0200\n"
+"Last-Translator: Michel Grentzinger \n"
+"Language-Team: French \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=ISO-8859-15\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid "Which services should be restarted to make them use the new libraries?"
+msgstr "Services à redémarrer afin d'utiliser les nouvelles bibliothèques"
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"Security holes were fixed with this release. Services may not use these "
+"fixes until they are restarted. Note: restarting sshd should not affect any "
+"existing connections."
+msgstr ""
+"Des failles de sécurité on été corrigées dans cette version. Les services ne "
+"devraient pas utiliser ces correctifs tant qu'ils n'auront pas été "
+"redémarrés. Note : le redémarrage de sshd n'affectera aucune connexion "
+"existante."
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"Following is a list of detected services that need to be restarted. Please "
+"correct the list, if you think it is incorrect. The services names must be "
+"identical to the script names in /etc/init.d and must be separated by "
+"spaces. If you clear the list, no services will be restarted."
+msgstr ""
+"La liste suivante recense tous les services devant être redémarrés. Veuillez "
+"corriger la liste si vous pensez qu'elle contient des erreurs. Les noms des "
+"services doivent être identiques aux noms des scripts présents dans /etc/"
+"init.d et doivent être séparés par des espaces. Si vous effacez la liste, "
+"aucun service ne sera redémarré."
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"If other services begin to fail mysteriously after this upgrade, it may be "
+"necessary to restart them too. We strongly recommend you to reboot your "
+"machine to avoid the SSL related trouble."
+msgstr ""
+"Si d'autres services ne fonctionnent plus correctement après cette mise à "
+"jour, il est sans doute nécessaire de les redémarrer de la même façon. Il "
+"est fortement recommandé de redémarrer votre machine pour éviter les "
+"problèmes liés à SSL."
--- openssl-0.9.8a.orig/debian/po/templates.pot
+++ openssl-0.9.8a/debian/po/templates.pot
@@ -0,0 +1,59 @@
+#
+# Translators, if you are not familiar with the PO format, gettext
+# documentation is worth reading, especially sections dedicated to
+# this format, e.g. by running:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+#
+# Some information specific to po-debconf are available at
+# /usr/share/doc/po-debconf/README-trans
+# or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+# Developers do not need to manually edit POT or PO files.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-03-22 18:34+0100\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME \n"
+"Language-Team: LANGUAGE \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid "Which services should be restarted to make them use the new libraries?"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"Security holes were fixed with this release. Services may not use these "
+"fixes until they are restarted. Note: restarting sshd should not affect any "
+"existing connections."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"Following is a list of detected services that need to be restarted. Please "
+"correct the list, if you think it is incorrect. The services names must be "
+"identical to the script names in /etc/init.d and must be separated by "
+"spaces. If you clear the list, no services will be restarted."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"If other services begin to fail mysteriously after this upgrade, it may be "
+"necessary to restart them too. We strongly recommend you to reboot your "
+"machine to avoid the SSL related trouble."
+msgstr ""
--- openssl-0.9.8a.orig/debian/po/sv.po
+++ openssl-0.9.8a/debian/po/sv.po
@@ -0,0 +1,61 @@
+# Translators, if you are not familiar with the PO format, gettext
+# documentation is worth reading, especially sections dedicated to
+# this format, e.g. by running:
+# info -n '(gettext)PO Files'
+# info -n '(gettext)Header Entry'
+# Some information specific to po-debconf are available at
+# /usr/share/doc/po-debconf/README-trans
+# or http://www.debian.org/intl/l10n/po-debconf/README-trans
+# Developers do not need to manually edit POT or PO files.
+# , fuzzy
+#
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: openssl 0.9.7g-2\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-03-22 18:34+0100\n"
+"PO-Revision-Date: 2005-09-28 19:22-0700\n"
+"Last-Translator: Daniel Nylander \n"
+"Language-Team: Swedish \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=iso-8859-1\n"
+"Content-Transfer-Encoding: 8bit"
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid "Which services should be restarted to make them use the new libraries?"
+msgstr "Vilka tjänster ska startas om för att få dom att använda de nya biblioteken?"
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"Security holes were fixed with this release. Services may not use these "
+"fixes until they are restarted. Note: restarting sshd should not affect any "
+"existing connections."
+msgstr ""
+"Säkerhetshålen fixades i denna versionen. Tjänster kommer inte att använda denna version förrän de har startats om. Notera: startar du om sshd kommer inte fixen aktiveras för redan etablerade anslutningar."
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"Following is a list of detected services that need to be restarted. Please "
+"correct the list, if you think it is incorrect. The services names must be "
+"identical to the script names in /etc/init.d and must be separated by "
+"spaces. If you clear the list, no services will be restarted."
+msgstr ""
+"Följande är en lista på upptäcka tjänster som behöver startas om. Vänligen undersök listan och du tror den är felaktig. Namnen på tjänsterna måste vara identiska som skriptnamnen i /etc/init.d och måste separeras med mellanslag. Om du rensar listan kommer inga tjänster att startas om."
+
+#. Type: string
+#. Description
+#: ../libssl0.9.7.templates:3
+msgid ""
+"If other services begin to fail mysteriously after this upgrade, it may be "
+"necessary to restart them too. We strongly recommend you to reboot your "
+"machine to avoid the SSL related trouble."
+msgstr ""
+"Om andra tjänster börjar att få underliga problem efter denna uppgradering kanske de måste startas om också. Vi rekommenderar att du startar om din maskin för att inte få SSL-relaterade problem."
+
--- openssl-0.9.8a.orig/debian/README.debian
+++ openssl-0.9.8a/debian/README.debian
@@ -0,0 +1,52 @@
+openssl for DEBIAN
+----------------------
+
+openssl replaces ssleay.
+
+The application links to openssl like req, ca, verify and s_client
+have been removed.
+
+Instead of `` please call now `openssl `
+
+eg:
+instead of `req` please call `openssl req`
+
+NOTE: The libssl library version for debian-i386 is optimized for
+486-processors and better. It will not run on 386-processors.
+
+----
+Self-signed certs and webservers:
+
+If you get with a selfsigned certificate and a webserver:
+ > "The certificate is not approved for the attempted operation."
+
+Bodo_Moeller@public.uni-hamburg.de (Bodo Moeller) writes:
+>Probably you are using a CA certificate for your server; if you use
+>"openssl req" to generate a new key and self-signed certificate with
+>the default openssl.cnf, the certificate you get includes certain
+>X.509v3 extensions that make it unfit for use as a server certificate.
+>This was not so with earlier versions of the software because back
+>then there was far less X.509v3 support.
+>
+>To look at the certificate some HTTPS server presents to its cliens,
+>use "openssl s_client -port 443 -host your.server", store the output
+>(at least the part from "-----BEGIN CERTIFICATE-----" up to "-----END
+>CERTIFICATE-----", including these separators) in a file and use
+>"openssl x509 -in the_file_you_just_stored -text" to look at it in
+>readable form. If it has in the "X509v3 extensions section" any of
+>the following entries, it is not usable as a server certificate:
+>
+> X509v3 Basic Constraints:
+> CA:TRUE
+>
+> X509v3 Key Usage:
+> Certificate Sign, CRL Sign
+>
+>To quickly create a new server key and certificate that works with
+>Netscape, you can just copy the original openssl.cnf file and comment
+>out the "x509_extensions" entry in the "[ req ]" section.
+>The, use "openssl req ..." as before to create a new certificate and
+>key.
+
+
+Christoph Martin , Wed, 31 Mar 1999 16:00:51 +0200
--- openssl-0.9.8a.orig/debian/openssl.files
+++ openssl-0.9.8a/debian/openssl.files
@@ -0,0 +1,9 @@
+usr/share/man/man1
+usr/share/man/man5
+usr/share/man/man7
+usr/bin
+usr/lib/ssl/misc
+usr/lib/ssl/certs
+usr/lib/ssl/openssl.cnf
+usr/lib/ssl/private
+etc/ssl
--- openssl-0.9.8a.orig/debian/libssl-dev.files
+++ openssl-0.9.8a/debian/libssl-dev.files
@@ -0,0 +1,7 @@
+usr/lib/libssl.so
+usr/lib/libcrypto.so
+usr/lib/libssl.a
+usr/lib/libcrypto.a
+usr/lib/pkgconfig
+usr/include
+usr/share/man/man3
--- openssl-0.9.8a.orig/debian/changelog
+++ openssl-0.9.8a/debian/changelog
@@ -0,0 +1,876 @@
+openssl (0.9.8a-7ubuntu0.6) dapper-security; urgency=low
+
+ * SECURITY UPDATE: clients treat malformed signatures as good when verifying
+ server DSA and ECDSA certificates
+ - update apps/speed.c, apps/spkac.c, apps/verify.c, apps/x509.c,
+ ssl/s2_clnt.c, ssl/s2_srvr.c, ssl/s3_clnt.c, s3_srvr.c, and
+ ssl/ssltest.c to properly check the return code of EVP_VerifyFinal()
+ - patch based on upstream patch for #2008-016
+ - CVE-2008-5077
+
+ -- Jamie Strandboge Tue, 06 Jan 2009 01:04:53 -0600
+
+openssl (0.9.8a-7ubuntu0.5) dapper-security; urgency=low
+
+ * SECURITY UPDATE: DTLS implementation can lead to remote code execution.
+ * ssl/{ssl_err,d1_both}.c, ssl/{dtls1,ssl}.h: patched inline with upstream
+ fixes backported thanks to Ludwig Nussel.
+ * References
+ http://www.openssl.org/news/secadv_20071012.txt
+ CVE-2007-4995
+
+ -- Kees Cook Fri, 19 Oct 2007 09:59:38 -0700
+
+openssl (0.9.8a-7ubuntu0.4) dapper-security; urgency=low
+
+ [ Jamie Strandboge ]
+ * SECURITY UPDATE: off-by-one error in SSL_get_shared_ciphers() results in
+ buffer overflow
+ * ssl/ssl_lib.c: applied upstream patch from openssl CVS thanks to
+ Stephan Hermann
+ * References:
+ CVE-2007-5135
+ http://www.securityfocus.com/archive/1/archive/1/480855/100/0/threaded
+ Fixes LP: #146269
+
+ [ Kees Cook ]
+ * SECURITY UPDATE: side-channel attacks via BN_from_montgomery function.
+ * crypto/bn/bn_mont.c: upstream patch from openssl CVS thanks to Debian.
+ * References
+ CVE-2007-3108
+
+ -- Kees Cook Fri, 28 Sep 2007 13:10:15 -0700
+
+openssl (0.9.8a-7ubuntu0.3) dapper-security; urgency=low
+
+ * crypto/dh/dh_key.c: Fix return value to prevent free'ing an uninit'ed
+ pointer.
+
+ -- Martin Pitt Wed, 4 Oct 2006 10:30:54 +0200
+
+openssl (0.9.8a-7ubuntu0.2) dapper-security; urgency=low
+
+ * SECURITY UPDATE: Remote arbitrary code execution, remote DoS.
+ * crypto/asn1/tasn_dec.c, asn1_d2i_ex_primitive(): Initialize 'ret' to avoid
+ an infinite loop in some circumstances. [CVE-2006-2937]
+ * ssl/ssl_lib.c, SSL_get_shared_ciphers(): Fix len comparison to correctly
+ handle invalid long cipher list strings. [CVE-2006-3738]
+ * ssl/s2_clnt.c, get_server_hello(): Check for NULL session certificate to
+ avoid client crash with malicious server responses. [CVE-2006-4343]
+ * Certain types of public key could take disproportionate amounts of time to
+ process. Apply patch from Bodo Moeller to impose limits to public key type
+ values (similar to Mozilla's libnss). Fixes CPU usage/memory DoS. [CVE-2006-2940]
+ * Updated patch in previous package version to fix a few corner-case
+ regressions. (This reverts the changes to rsa_eay.c/rsa.h/rsa_err.c, which
+ were determined to not be necessary).
+
+ -- Martin Pitt Wed, 27 Sep 2006 10:26:23 +0000
+
+openssl (0.9.8a-7ubuntu0.1) dapper-security; urgency=low
+
+ * SECURITY UPDATE: signature forgery in some cases.
+ * Apply http://www.openssl.org/news/patch-CVE-2006-4339.txt:
+ - Check excessive data in padding of PKCS #1 v1.5 signatures to prevent
+ applications from incorrectly verifying the certificate.
+ * References:
+ CVE-2006-4339
+ http://www.openssl.org/news/secadv_20060905.txt
+
+ -- Martin Pitt Tue, 5 Sep 2006 11:40:08 +0000
+
+openssl (0.9.8a-7build1) dapper; urgency=low
+
+ * Fake sync from Debian to resolve a problem with establishing TCP
+ connections over the BIO API, add a new debconf translation, and
+ resolve a build failure with libio-socket-ssl-perl.
+
+ -- Adam Conrad Wed, 29 Mar 2006 19:01:40 +1100
+
+openssl (0.9.8a-7) unstable; urgency=high
+
+ * Add italian debconf templates. Thanks to Luca Monducci.
+ (Closes: #350249)
+ * Change the debconf question to use version 0.9.8-3
+ instead of 0.9.8-1, since that's the last version
+ with a security fix.
+ * Call conn_state() if the BIO is not in the BIO_CONN_S_OK state
+ (Closes: #352047). RC bug affecting testing, so urgency high.
+
+ -- Kurt Roeckx Sat, 9 Feb 2006 19:07:56 +0100
+
+openssl (0.9.8a-6) unstable; urgency=low
+
+ * Remove empty postinst/preinst/prerm scripts. There is no need
+ to have empty ones, debhelper will add them when needed.
+ * Remove the static pic libraries. Nobody should be linking
+ it's shared libraries static to libssl or libcrypto.
+ This was added for opensc who now links to it shared.
+ * Do not assume that in case the sequence number is 0 and the
+ packet has an odd number of bytes that the other side has
+ the block padding bug, but try to check that it actually
+ has the bug. The wrong detection of this bug resulted
+ in an "decryption failed or bad record mac" error in case
+ both sides were using zlib compression. (Closes: #338006)
+
+ -- Kurt Roeckx Mon, 21 Jan 2006 16:25:41 +0100
+
+openssl (0.9.8a-5) unstable; urgency=low
+
+ * Stop ssh from crashing randomly on sparc (Closes: #335912)
+ Patch from upstream cvs.
+
+ -- Kurt Roeckx Tue, 13 Dec 2005 21:37:42 +0100
+
+openssl (0.9.8a-4) unstable; urgency=low
+
+ * Call dh_makeshlibs with the proper version instead of putting
+ it in shlibs.local, which doesn't seem to do anything. 0.9.8a-1
+ added symbol versioning, so it should have bumped the shlibs.
+ (Closes: #338284)
+ * The openssl package had a duplicate dependency on libssl0.9.8,
+ only require the version as required by the shlibs.
+ * Make libssl-dev depend on zlib1g-dev, since it's now required for
+ static linking. (Closes: #338313)
+ * Generate .pc files that make use of Libs.private, so things only
+ link to the libraries they should when linking shared.
+ * Use -m64 instead of -bpowerpc64-linux on ppc64. (Closes: #335486)
+ * Make powerpc and ppc64 use the assembler version for bn. ppc64
+ had the location in the string wrong, powerpc had it missing.
+ * Add includes for stddef to get size_t in md2.h, md4.h, md5.h,
+ ripemd.h and sha.h. (Closes: #333101)
+ * Run make test for each of the versions we build, make it
+ not fail the build process if an error is found.
+ * Add build dependency on bc for the regression tests.
+
+ -- Kurt Roeckx Wed, 13 Nov 2005 16:01:05 +0100
+
+openssl (0.9.8a-3) unstable; urgency=high
+
+ * Link to libz instead of dynamicly loading it. It gets loaded
+ at the moment the library is initialised, so there is no point
+ in not linking to it. It's now failing in some cases since
+ it's not opened by it's soname, but by the symlink to it.
+ This should hopefully solve most of the bugs people have reported
+ since the move to libssl0.9.8.
+ (Closes: #334180, #336140, #335271)
+ * Urgency set to high because it fixes a grave bug affecting testing.
+
+ -- Kurt Roeckx Tue, 1 Nov 2005 14:56:40 +0100
+
+openssl (0.9.8a-2) unstable; urgency=low
+
+ * Add Build-Dependency on m4, since sparc needs it to generate
+ it's assembler files. (Closes: #334542)
+ * Don't use rc4-x86_64.o on amd64 for now, it seems to be broken
+ and causes a segfault. (Closes: #334501, #334502)
+
+ -- Kurt Roeckx Tue, 18 Oct 2005 19:05:53 +0200
+
+openssl (0.9.8a-1) unstable; urgency=low
+
+ Christoph Martin:
+ * fix asm entries for some architectures, fixing #332758 properly.
+ * add noexecstack option to i386 subarch
+ * include symbol versioning in Configure (closes: #330867)
+ * include debian-armeb arch (closes: #333579)
+ * include new upstream patches; includes some minor fixes
+ * fix dh_shlibdeps line, removing the redundant dependency on
+ libssl0.9.8 (closes: #332755)
+ * add swedish debconf template (closes: #330554)
+
+ Kurt Roeckx:
+ * Also add noexecstack option for amd64, since it now has an
+ executable stack with the assembler fixes for amd64.
+
+ -- Christoph Martin Mon, 17 Oct 2005 17:01:06 +0200
+
+openssl (0.9.8-3) unstable; urgency=low
+
+ * Apply security fix for CAN-2005-2969. (Closes: #333500)
+ * Change priority of -dbg package to extra.
+
+ -- Kurt Roeckx Wed, 12 Oct 2005 22:38:58 +0200
+
+openssl (0.9.8-2) unstable; urgency=low
+
+ * Don't use arch specific assembler. Should fix build failure on
+ ia64, sparc and amd64. (Closes: #332758)
+ * Add myself to the uploaders.
+
+ -- Kurt Roeckx Mon, 10 Oct 2005 19:22:36 +0200
+
+openssl (0.9.8-1) unstable; urgency=low
+
+ * New upstream release (closes: #311826)
+
+ -- Christoph Martin Thu, 29 Sep 2005 14:20:04 +0200
+
+openssl (0.9.7g-3) unstable; urgency=low
+
+ * change Configure line for debian-freebsd-i386 to debian-kfreebsd-i386
+ (closes: #327692)
+ * include -dbg version. That implies compiling with -g and without
+ -fomit-frame-pointer (closes: #293823, #153811)
+
+ -- Christoph Martin Fri, 23 Sep 2005 13:51:57 +0200
+
+openssl (0.9.7g-2) unstable; urgency=low
+
+ * really include nl translation
+ * remove special ia64 code from rc4 code to make the abi compatible to
+ older 0.9.7 versions (closes: #310489, #309274)
+ * fix compile flag for debian-ppc64 (closes: #318750)
+ * small fix in libssl0.9.7.postinst (closes: #239956)
+ * fix pk7_mime.c to prevent garbled messages because of to early memory
+ free (closes: #310184)
+ * include vietnamese debconf translation (closes: #316689)
+ * make optimized i386 libraries have non executable stack (closes:
+ #321721)
+ * remove leftover files from ssleay
+ * move from dh_installmanpages to dh_installman
+ * change Maintainer to pkg-openssl-devel@lists.alioth.debian.org
+
+ -- Christoph Martin Wed, 7 Sep 2005 15:32:54 +0200
+
+openssl (0.9.7g-1) unstable; urgency=low
+
+ * New upstream release
+ * Added support for proxy certificates according to RFC 3820.
+ Because they may be a security thread to unaware applications,
+ they must be explicitely allowed in run-time. See
+ docs/HOWTO/proxy_certificates.txt for further information.
+ * Prompt for pass phrases when appropriate for PKCS12 input format.
+ * Back-port of selected performance improvements from development
+ branch, as well as improved support for PowerPC platforms.
+ * Add lots of checks for memory allocation failure, error codes to indicate
+ failure and freeing up memory if a failure occurs.
+ * Perform some character comparisons of different types in X509_NAME_cmp:
+ this is needed for some certificates that reencode DNs into UTF8Strings
+ (in violation of RFC3280) and can't or wont issue name rollover
+ certificates.
+ * corrected watchfile
+ * added upstream source url (closes: #292904)
+ * fix typo in CA.pl.1 (closes: #290271)
+ * change debian-powerpc64 to debian-ppc64 and adapt the configure
+ options to be the same like upstream (closes: #289841)
+ * include -signcert option in CA.pl usage
+ * compile with zlib-dynamic to use system zlib (closes: #289872)
+
+ -- Christoph Martin Mon, 9 May 2005 23:32:03 +0200
+
+openssl (0.9.7e-3) unstable; urgency=high
+
+ * really fix der_chop. The fix from -1 was not really included (closes:
+ #281212)
+ * still fixes security problem CAN-2004-0975 etc.
+ - tempfile raise condition in der_chop
+ - Avoid a race condition when CRLs are checked in a multi threaded
+ environment.
+
+ -- Christoph Martin Thu, 16 Dec 2004 18:41:29 +0100
+
+openssl (0.9.7e-2) unstable; urgency=high
+
+ * fix perl path in der_chop and c_rehash (closes: #281212)
+ * still fixes security problem CAN-2004-0975 etc.
+ - tempfile raise condition in der_chop
+ - Avoid a race condition when CRLs are checked in a multi threaded
+ environment.
+
+ -- Christoph Martin Sun, 14 Nov 2004 20:16:21 +0100
+
+openssl (0.9.7e-1) unstable; urgency=high
+
+ * SECURITY UPDATE: fix insecure temporary file handling
+ * apps/der_chop:
+ - replaced $$-style creation of temporary files with
+ File::Temp::tempfile()
+ - removed unused temporary file name in do_certificate()
+ * References:
+ CAN-2004-0975 (closes: #278260)
+ * fix ASN1_STRING_to_UTF8 with UTF8 (closes: #260357)
+ * New upstream release with security fixes
+ - Avoid a race condition when CRLs are checked in a multi threaded
+ environment.
+ - Various fixes to s3_pkt.c so alerts are sent properly.
+ - Reduce the chances of duplicate issuer name and serial numbers (in
+ violation of RFC3280) using the OpenSSL certificate creation
+ utilities.
+ * depends openssl on perl-base instead of perl (closes: #280225)
+ * support powerpc64 in Configure (closes: #275224)
+ * include cs translation (closes: #273517)
+ * include nl translation (closes: #272479)
+ * Fix default dir of c_rehash (closes: #253126)
+
+ -- Christoph Martin Fri, 12 Nov 2004 14:11:15 +0100
+
+openssl (0.9.7d-5) unstable; urgency=low
+
+ * Make S/MIME encrypt work again (backport from CVS) (closes: #241407,
+ #241386)
+
+ -- Christoph Martin Mon, 26 Jul 2004 17:22:42 +0200
+
+openssl (0.9.7d-4) unstable; urgency=low
+
+ * add Catalan translation (closes: #248749)
+ * add Spanish translation (closes: #254561)
+ * include NMU fixes: see below
+ * decrease optimisation level for debian-arm to work around gcc bug
+ (closes: #253848) (thanks to Steve Langasek and Thom May)
+ * Add libcrypto0.9.7-udeb. (closes: #250010) (thanks to Bastian Blank)
+ * Add watchfile
+
+ -- Christoph Martin Wed, 14 Jul 2004 14:31:02 +0200
+
+openssl (0.9.7d-3) unstable; urgency=low
+
+ * rename -pic.a libraries to _pic.a (closes: #250016)
+
+ -- Christoph Martin Mon, 24 May 2004 17:02:29 +0200
+
+openssl (0.9.7d-2) unstable; urgency=low
+
+ * include PIC libs (libcrypto-pic.a and libssl-pic.a) to libssl-dev
+ (closes: #246928, #243999)
+ * add racoon to restart list (closes: #242652)
+ * add Brazilian, Japanese and Danish translations (closes: #242087,
+ #241830, #241705)
+
+ -- Christoph Martin Tue, 11 May 2004 10:13:49 +0200
+
+openssl (0.9.7d-1) unstable; urgency=high
+
+ * new upstream
+ * fixes security holes (http://www.openssl.org/news/secadv_20040317.txt)
+ (closes: #238661)
+ * includes support for debian-amd64 (closes: #235551, #232310)
+ * fix typo in pem.pod (closes: #219873)
+ * fix typo in libssl0.9.7.templates (closes: #224690)
+ * openssl suggests ca-certificates (closes: #217180)
+ * change debconf template to gettext format (closes: #219013)
+ * include french debconf template (closes: #219014)
+
+ -- Christoph Martin Thu, 18 Mar 2004 16:18:43 +0100
+
+openssl (0.9.7c-5) unstable; urgency=low
+
+ * include openssl.pc into libssl-dev (closes: #212545)
+
+ -- Christoph Martin Thu, 16 Oct 2003 16:31:32 +0200
+
+openssl (0.9.7c-4) unstable; urgency=low
+
+ * change question to restart services to debconf (closes: #214840)
+ * stop using dh_undocumented (closes: #214831)
+
+ -- Christoph Martin Fri, 10 Oct 2003 15:40:48 +0200
+
+openssl (0.9.7c-3) unstable; urgency=low
+
+ * fix POSIX conformance for head in libssl0.9.7.postinst (closes:
+ #214700)
+
+ -- Christoph Martin Wed, 8 Oct 2003 14:02:38 +0200
+
+openssl (0.9.7c-2) unstable; urgency=low
+
+ * add filerc macro to libssl0.9.7.postinst (closes: #213906)
+ * restart spamassassins spamd on upgrade (closes: #214106)
+ * restart more services on upgrade
+ * fix EVP_BytesToKey manpage (closes: #213715)
+
+ -- Christoph Martin Tue, 7 Oct 2003 15:01:32 +0200
+
+openssl (0.9.7c-1) unstable; urgency=high
+
+ * upstream security fix (closes: #213451)
+ - Fix various bugs revealed by running the NISCC test suite:
+ Stop out of bounds reads in the ASN1 code when presented with
+ invalid tags (CAN-2003-0543 and CAN-2003-0544).
+ Free up ASN1_TYPE correctly if ANY type is invalid (CAN-2003-0545).
+ If verify callback ignores invalid public key errors don't try to check
+ certificate signature with the NULL public key.
+ - In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
+ if the server requested one: as stated in TLS 1.0 and SSL 3.0
+ specifications.
+ * more minor upstream bugfixes
+ * fix formatting in c_issuer (closes: #190026)
+ * fix Debian-FreeBSD support (closes: #200381)
+ * restart some services in postinst to make them use the new libraries
+ * remove duplicated openssl.1, crypto.3 and ssl.3 (closes: #198594)
+
+ -- Christoph Martin Wed, 1 Oct 2003 08:54:27 +0200
+
+openssl (0.9.7b-2) unstable; urgency=high
+
+ * fix permission of /etc/ssl/private to 700 again
+ * change section of libssl-dev to libdevel
+
+ -- Christoph Martin Wed, 23 Apr 2003 11:13:24 +0200
+
+openssl (0.9.7b-1) unstable; urgency=high
+
+ * upstream security fix
+ - Countermeasure against the Klima-Pokorny-Rosa extension of
+ Bleichbacher's attack on PKCS #1 v1.5 padding: treat
+ a protocol version number mismatch like a decryption error
+ in ssl3_get_client_key_exchange (ssl/s3_srvr.c). (CAN-2003-0131)
+ (closes: #189087)
+ - Turn on RSA blinding by default in the default implementation
+ to avoid a timing attack. Applications that don't want it can call
+ RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
+ They would be ill-advised to do so in most cases. (CAN-2003-0147)
+ - Change RSA blinding code so that it works when the PRNG is not
+ seeded (in this case, the secret RSA exponent is abused as
+ an unpredictable seed -- if it is not unpredictable, there
+ is no point in blinding anyway). Make RSA blinding thread-safe
+ by remembering the creator's thread ID in rsa->blinding and
+ having all other threads use local one-time blinding factors
+ (this requires more computation than sharing rsa->blinding, but
+ avoids excessive locking; and if an RSA object is not shared
+ between threads, blinding will still be very fast).
+ for more details see the CHANGES file
+
+ -- Christoph Martin Wed, 16 Apr 2003 10:32:57 +0200
+
+openssl (0.9.7a-1) unstable; urgency=high
+
+ * upstream Security fix
+ - In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
+ via timing by performing a MAC computation even if incorrrect
+ block cipher padding has been found. This is a countermeasure
+ against active attacks where the attacker has to distinguish
+ between bad padding and a MAC verification error. (CAN-2003-0078)
+ for more details see the CHANGES file
+
+ -- Christoph Martin Fri, 21 Feb 2003 22:39:40 +0100
+
+openssl (0.9.7-4) unstable; urgency=low
+
+ * use DH_COMPAT=3 to build
+ * move i686 to i686/cmov to fix problems on Via C3. For that to work we
+ have to depend on the newest libc6 on i386 (closes: #177891)
+ * fix bug in ui_util.c (closes: #177615)
+ * fix typo in md5.h (closes: #178112)
+
+ -- Christoph Martin Fri, 24 Jan 2003 10:22:56 +0100
+
+openssl (0.9.7-3) unstable; urgency=low
+
+ * enable build of ultrasparc code on non ultrasparc machines (closes:
+ #177024)
+
+ -- Christoph Martin Fri, 17 Jan 2003 08:22:13 +0100
+
+openssl (0.9.7-2) unstable; urgency=low
+
+ * include changes between 0.9.6g-9 and -10
+ * fix problem in build-process on i386 with libc6 version number
+
+ -- Christoph Martin Mon, 13 Jan 2003 14:26:56 +0100
+
+openssl (0.9.7-1) unstable; urgency=low
+
+ * new upstream
+ * includes engine support
+ * a lot of bugfixes and enhancements, see the CHANGES file
+ * include AES encryption
+ * makes preview of certificate configurable (closes: #176059)
+ * fix x509 manpage (closes: #168070)
+ * fix declaration of ERR_load_PEM_string in pem.h (closes: #141360)
+
+ -- Christoph Martin Sat, 11 Jan 2003 09:12:16 +0100
+
+openssl (0.9.6g-10) unstable; urgency=low
+
+ * fix problem in build-process on i386 with libc6 version number
+ (closes: #167096)
+
+ -- Christoph Martin Mon, 4 Nov 2002 12:27:21 +0100
+
+openssl (0.9.6g-9) unstable; urgency=low
+
+ * fix typo in i386 libc6 depend (sigh) (closes: #163848)
+
+ -- Christoph Martin Tue, 8 Oct 2002 23:29:20 +0200
+
+openssl (0.9.6g-8) unstable; urgency=low
+
+ * fix libc6 depends. Only needed for i386 (closes: #163701)
+ * remove SHLIB section for bsds from Configure (closes: #163585)
+
+ -- Christoph Martin Tue, 8 Oct 2002 10:57:35 +0200
+
+openssl (0.9.6g-7) unstable; urgency=low
+
+ * enable i686 optimisation and depend on fixed glibc (closes: #163500)
+ * remove transition package ssleay
+ * include optimisation vor sparcv8 (closes: #139996)
+ * improve optimisation vor sparcv9
+
+ -- Christoph Martin Sun, 6 Oct 2002 14:07:12 +0200
+
+openssl (0.9.6g-6) unstable; urgency=low
+
+ * temporarily disable i686 optimisation (See bug in glibc #161788)
+
+ -- Christoph Martin Sat, 21 Sep 2002 18:56:49 +0200
+
+openssl (0.9.6g-5) unstable; urgency=low
+
+ * i486 can use i586 assembler
+ * include set -xe in the for loops in the rules files to make it abort
+ on error (closes: #161768)
+
+ -- Christoph Martin Sat, 21 Sep 2002 16:23:11 +0200
+
+openssl (0.9.6g-4) unstable; urgency=low
+
+ * fix optimization for alpha and sparc
+ * add optimization for i486
+
+ -- Christoph Martin Fri, 20 Sep 2002 22:36:19 +0200
+
+openssl (0.9.6g-3) unstable; urgency=low
+
+ * add optimized libraries for i586, i686, ev4, ev5 and v9 (closes: #139783)
+
+ -- Christoph Martin Thu, 19 Sep 2002 18:33:04 +0200
+
+openssl (0.9.6g-2) unstable; urgency=low
+
+ * fix manpage names (closes: #156717, #156718, #156719, #156721)
+
+ -- Christoph Martin Thu, 15 Aug 2002 11:26:37 +0200
+
+openssl (0.9.6g-1) unstable; urgency=low
+
+ * new upstream version
+ * Use proper error handling instead of 'assertions' in buffer
+ overflow checks added in 0.9.6e. This prevents DoS (the
+ assertions could call abort()). (closes: #155985, #156495)
+ * Fix ASN1 checks. Check for overflow by comparing with LONG_MAX
+ and get fix the header length calculation.
+ * include support for new sh* architectures (closes: #155117)
+
+ -- Christoph Martin Wed, 14 Aug 2002 13:59:22 +0200
+
+openssl (0.9.6e-1) unstable; urgency=high
+
+ * fixes remote exploits (see DSA-136-1)
+
+ -- Christoph Martin Tue, 30 Jul 2002 18:32:28 +0200
+
+openssl (0.9.6d-1) unstable; urgency=low
+
+ * new upstream (minor) version
+ * includes Configure lines for debian-*bsd-* (closes: #130413)
+ * fix wrong prototype for BN_pseudo_rand_range in BN_rand(3ssl) (closes:
+ #144586)
+ * fix typos in package description (closes: #141469)
+ * fix typo in SSL_CTX_set_cert_store manpage (closes: #135297)
+
+ -- Christoph Martin Mon, 3 Jun 2002 19:42:10 +0200
+
+openssl (0.9.6c-2) unstable; urgency=low
+
+ * moved from non-US to main
+
+ -- Christoph Martin Tue, 19 Mar 2002 14:48:39 +0100
+
+openssl (0.9.6c-1) unstable; urgency=low
+
+ * new upstream version with a lot of bugfixes
+ * remove directory /usr/include/openssl from openssl package (closes:
+ bug #121226)
+ * remove selfdepends from libssl0.9.6
+ * link openssl binary shared again
+
+ -- Christoph Martin Sat, 5 Jan 2002 19:04:31 +0100
+
+openssl (0.9.6b-4) unstable; urgency=low
+
+ * build with -D_REENTRANT for threads support on all architectures
+ (closes: #112329, #119239)
+
+ -- Christoph Martin Sat, 24 Nov 2001 12:17:51 +0100
+
+openssl (0.9.6b-3) unstable; urgency=low
+
+ * disable idea, mdc2 and rc5 because they are not free (closes: #65368)
+ * ready to be moved from nonus to main
+
+ -- Christoph Martin Wed, 21 Nov 2001 17:51:41 +0100
+
+openssl (0.9.6b-2) unstable; urgency=high
+
+ * fix definition of crypt in des.h (closes: #107533)
+ * fix descriptions (closes: #109503)
+
+ -- Christoph Martin Mon, 17 Sep 2001 15:38:27 +0200
+
+openssl (0.9.6b-1) unstable; urgency=medium
+
+ * new upstream fixes some security issues (closes: #105835, #100146)
+ * added support for s390 (closes: #105681)
+ * added support for sh (closes: #100003)
+ * change priority of libssl096 to standard as ssh depends on it (closes:
+ #105440)
+ * don't optimize for i486 to support i386. (closes: #104127, #82194)
+
+ -- Christoph Martin Fri, 20 Jul 2001 15:52:42 +0200
+
+openssl (0.9.6a-3) unstable; urgency=medium
+
+ * add perl-base to builddeps
+ * include static libraries in libssl-dev (closes: #93688)
+
+ -- Christoph Martin Mon, 14 May 2001 20:16:06 +0200
+
+openssl (0.9.6a-2) unstable; urgency=medium
+
+ * change Architecture of ssleay from any to all (closes: #92913)
+ * depend libssl-dev on the exact same version of libssl0.9.6 (closes:
+ #88939)
+ * remove lib{crypto,ssl}.a from openssl (closes: #93666)
+ * rebuild with newer gcc to fix atexit problem (closes: #94036)
+
+ -- Christoph Martin Wed, 2 May 2001 12:28:39 +0200
+
+openssl (0.9.6a-1) unstable; urgency=medium
+
+ * new upstream, fixes some security bugs (closes: #90584)
+ * fix typo in s_server manpage (closes: #89756)
+
+ -- Christoph Martin Tue, 10 Apr 2001 12:13:11 +0200
+
+openssl (0.9.6-2) unstable; urgency=low
+
+ * policy: reorganisation of package names: libssl096 -> libssl0.9.6,
+ libssl096-dev -> libssl-dev (closes: #83426)
+ * libssl0.9.6 drops replaces libssl09 (Closes: #83425)
+ * install upstream CHANGES files (Closes: #83430)
+ * added support for hppa and ia64 (Closes: #88790)
+ * move man3 manpages to libssl-dev (Closes: #87546)
+ * fix formating problem in rand_add(1) (Closes: #87547)
+ * remove manpage duplicates (Closes: #87545, #74986)
+ * make package descriptions clearer (Closes: #83518, #83444)
+ * increase default emailAddress_max from 40 to 60 (Closes: #67238)
+ * removed RSAREF warning (Closes: #84122)
+
+ -- Christoph Martin Thu, 8 Mar 2001 14:24:00 +0100
+
+openssl (0.9.6-1) unstable; urgency=low
+
+ * New upstream version (Thanks to Enrique Zanardi )
+ (closes: #72388)
+ * Add support for debian-hurd (closes: #76032)
+
+ -- Christoph Martin Mon, 13 Nov 2000 22:30:46 +0100
+
+openssl (0.9.5a-5) unstable; urgency=low
+
+ * move manpages in standard directories with section ssl (closes:
+ #72152, #69809)
+
+ -- Christoph Martin Thu, 5 Oct 2000 19:56:20 +0200
+
+openssl (0.9.5a-4) unstable; urgency=low
+
+ * include edg_rand_bytes patch from and for apache-ssl
+
+ -- Christoph Martin Sat, 23 Sep 2000 16:48:06 +0200
+
+openssl (0.9.5a-3) unstable; urgency=low
+
+ * fix call to dh_makeshlibs to create correct shlibs file and make
+ dependend programs link correctly (closes: Bug#61658)
+ * include a note in README.debian concerning the location of the
+ subcommand manpages (closes: Bug#69809)
+
+ -- Christoph Martin Sat, 16 Sep 2000 19:10:50 +0200
+
+openssl (0.9.5a-2) unstable; urgency=low
+
+ * try to fix the sharedlib problem. change soname of library
+ (closes: Bug#4622, #66102, #66538, #66123)
+
+ -- Christoph Martin Wed, 12 Jul 2000 03:26:30 +0200
+
+openssl (0.9.5a-1) unstable; urgency=low
+
+ * new upstream version (major changes see file NEWS) (closes: Bug#63976,
+ #65239, #65358)
+ * new library package libssl095a because of probably changed library
+ interface (closes: Bug#46222)
+ * added architecture mips and mipsel (closes: Bug#62437, #60366)
+ * provide shlibs.local file in build to help build if libraries are not
+ yet installed (closes: Bug#63984)
+
+ -- Christoph Martin Sun, 11 Jun 2000 15:17:35 +0200
+
+openssl (0.9.4-5) frozen unstable; urgency=medium
+
+ * cleanup of move of doc directories to /usr/share/doc (closes:
+ Bug#56430)
+ * lintian issues (closes: Bug#49358)
+ * move demos from openssl to libssl09-dev (closes: Bug#59201)
+ * move to debhelpers
+
+ -- Christoph Martin Sat, 11 Mar 2000 10:38:04 +0100
+
+openssl (0.9.4-4) unstable; urgency=medium
+
+ * Added 'debian-arm' in 'Configure'. (closes: Bug#54251, #54766)
+ * Fixed Configure for 'debian-m68k' (closes: Bug#53636)
+
+ -- Christoph Martin Sat, 15 Jan 2000 13:16:18 +0100
+
+openssl (0.9.4-3) unstable; urgency=low
+
+ * define symbol SSLeay_add_ssl_algorithms for backward compatibility
+ (closes: Bug#46882)
+ * remove manpages from /usr/doc/openssl (closes: Bug#46791)
+
+ -- Christoph Martin Thu, 14 Oct 1999 16:51:08 +0200
+
+openssl (0.9.4-2) unstable; urgency=low
+
+ * include some more docu in pod format (Bug #43933)
+ * removed -mv8 from sparc flags (Bug #44769)
+
+ -- Christoph Martin Tue, 14 Sep 1999 22:04:06 +0200
+
+openssl (0.9.4-1) unstable; urgency=low
+
+ * new upstream version (Closes: #42926)
+
+ -- Christoph Martin Sat, 28 Aug 1999 17:04:23 +0200
+
+openssl (0.9.3a-1) unstable; urgency=low
+
+ * new upstream version (Bug #38345, #38627)
+ * sparc is big-endian (Bug #39973)
+
+ -- Christoph Martin Wed, 7 Jul 1999 16:03:37 +0200
+
+openssl (0.9.2b-3) unstable; urgency=low
+
+ * correct move conffiles to /etc/ssl (Bug #38570)
+
+ -- Christoph Martin Mon, 31 May 1999 21:08:07 +0200
+
+openssl (0.9.2b-2) unstable; urgency=low
+
+ * added convenience package ssleay to help upgrade to openssl (Bug
+ #37185, #37623, #36326)
+ * added some missing dependencies from libssl09 (Bug #36681, #35867,
+ #36326)
+ * move lib*.so to libssl09-dev (Bug #36761)
+ * corrected version numbers of library files
+ * introduce link from /usr/lib/ssl to /etc/ssl (Bug #36710)
+
+ -- Christoph Martin Sun, 23 May 1999 14:57:48 +0200
+
+openssl (0.9.2b-1) unstable; urgency=medium
+
+ * First openssl version
+
+ -- Christoph Martin Wed, 31 Mar 1999 15:54:26 +0200
+
+ssleay (0.9.0b-2) unstable; urgency=low
+
+ * Include message about the (not)usage of RSAREF (#24409)
+ * Move configfiles from /usr/lib/ssl to /etc/ssl (#26406)
+ * Change definitions for sparc (#26487)
+ * Added missing dependency (#28591)
+ * Make debian/libtool executable (#29708)
+ * /etc/ssl/lib/ssleay.cnf is now a confile (#32624)
+
+ -- Christoph Martin Sun, 21 Mar 1999 19:41:04 +0100
+
+ssleay (0.9.0b-1) unstable; urgency=low
+
+ * new upstream version (Bug #21227, #25971)
+ * build shared libraries with -fPIC (Bug #20027)
+ * support sparc architecture (Bug #28467)
+
+ -- Christoph Martin Tue, 13 Oct 1998 10:20:13 +0200
+
+ssleay (0.8.1-7) frozen unstable; urgency=high
+
+ * security fix patch to 0.8.1b (bug #24022)
+
+ -- Christoph Martin Mon, 6 Jul 1998 15:42:15 +0200
+
+ssleay (0.8.1-6) frozen unstable; urgency=low
+
+ * second try to fix bug #15235 (copyright was still missing)
+
+ -- Christoph Martin Mon, 22 Jun 1998 08:56:27 +0200
+
+ssleay (0.8.1-5) frozen unstable; urgency=high
+
+ * changed /dev/random to /dev/urandom (Bug #23169, #17817)
+ * copyright contains now the full licence (Bug #15235)
+ * fixed bug #19410 (md5sums-lists-nonexisting-file)
+ * added demos to /usr/doc (Bug #17372)
+ * fixed type in package description (Bug #18969)
+ * fixed bug in adding documentation (Bug #21463)
+ * added patch for support of debian-powerpc (Bug #21579)
+
+ -- Christoph Martin Thu, 18 Jun 1998 23:09:13 +0200
+
+ssleay (0.8.1-4) unstable; urgency=low
+
+ * purged dependency from libc5
+
+ -- Christoph Martin Tue, 11 Nov 1997 15:31:50 +0100
+
+ssleay (0.8.1-3) unstable; urgency=low
+
+ * changed packagename libssl to libssl08 to get better dependancies
+
+ -- Christoph Martin Fri, 7 Nov 1997 14:23:17 +0100
+
+ssleay (0.8.1-2) unstable; urgency=low
+
+ * linked shared libraries against libc6
+ * use /dev/random for randomseed
+
+ -- Christoph Martin Wed, 5 Nov 1997 11:21:40 +0100
+
+ssleay (0.8.1-1) unstable; urgency=low
+
+ * new upstream version
+
+ -- Christoph Martin Thu, 16 Oct 1997 16:15:43 +0200
+
+ssleay (0.6.6-2) unstable; urgency=low
+
+ * cleanup in diffs
+ * removed INSTALL from docs (bug #13205)
+ * split libssl and libssl-dev (but #13735)
+
+ -- Christoph Martin Wed, 15 Oct 1997 17:38:38 +0200
+
+ssleay (0.6.6-1) unstable; urgency=low
+
+ * New upstream version
+ * added shared
libraries for libcrypto and libssl + + -- Christoph Martin Thu, 26 Jun 1997 19:26:14 +0200 + +ssleay (0.6.4-2) unstable; urgency=low + + * changed doc filenames from .doc to .txt to be able to read them + over with webbrowser + + -- Christoph Martin Tue, 25 Feb 1997 14:02:53 +0100 + +ssleay (0.6.4-1) unstable; urgency=low + + * Initial Release. + + -- Christoph Martin Fri, 22 Nov 1996 21:29:51 +0100 --- openssl-0.9.8a.orig/debian/openssl.dirs +++ openssl-0.9.8a/debian/openssl.dirs @@ -0,0 +1,5 @@ +usr/share/doc/openssl/doc +usr/bin +usr/lib +etc/ssl/certs +etc/ssl/private --- openssl-0.9.8a.orig/debian/libssl-dev.dirs +++ openssl-0.9.8a/debian/libssl-dev.dirs @@ -0,0 +1,3 @@ +usr/lib +usr/share/doc/libssl-dev +usr/share/man --- openssl-0.9.8a.orig/debian/openssl.docs +++ openssl-0.9.8a/debian/openssl.docs @@ -0,0 +1 @@ +doc --- openssl-0.9.8a.orig/debian/libssl0.9.8.files +++ openssl-0.9.8a/debian/libssl0.9.8.files @@ -0,0 +1,4 @@ +usr/lib/*.so.*.*.* +usr/lib/*/*.so.*.*.* +usr/lib/i686/cmov/*.so.*.*.* +usr/lib/ssl/engines --- openssl-0.9.8a.orig/debian/libssl-dev.docs +++ openssl-0.9.8a/debian/libssl-dev.docs @@ -0,0 +1 @@ +demos --- openssl-0.9.8a.orig/debian/libssl0.9.8.postinst +++ openssl-0.9.8a/debian/libssl0.9.8.postinst 
@@ -0,0 +1,139 @@
+#!/bin/sh -e
+
+. /usr/share/debconf/confmodule
+
+package_name()
+{
+ echo $(basename $0 .postinst)
+}
+
+# element() is a helper function for file-rc:
+element() {
+ local element list IFS
+
+ element="$1"
+
+ [ "$2" = "in" ] && shift
+ list="$2"
+ [ "$list" = "-" ] && return 1
+ [ "$list" = "*" ] && return 0
+
+ IFS=","
+ set -- $list
+ case $element in
+ "$1"|"$2"|"$3"|"$4"|"$5"|"$6"|"$7"|"$8"|"$9")
+ return 0
+ esac
+ return 1
+}
+
+# filerc (runlevel, service) returns /etc/init.d/service, if service is
+# running in $runlevel:
+filerc() {
+ local runlevel basename
+ runlevel=$1
+ basename=$2
+ while read LINE
+ do
+ case $LINE in
+ \#*|"") continue
+ esac
+
+ set -- $LINE
+ SORT_NO="$1"; STOP="$2"; START="$3"; CMD="$4"
+ [ "$CMD" = "/etc/init.d/$basename" ] || continue
+
+ if element "$runlevel" in "$START" || element "S" in "$START"
+ then
+ echo "/etc/init.d/$basename"
+ return 0
+ fi
+ done < /etc/runlevel.conf
+ echo ""
+}
+
+if [ "$1" = "configure" ]
+then
+ if [ ! -z "$2" ]; then
+ if dpkg --compare-versions "$2" lt 0.9.8-3; then
+ echo -n "Checking for services that may need to be restarted..."
+
+ check="sendmail ssh"
+ check="$check apache2-common ssh-nonfree exim4"
+ check="$check apache-ssl libapache-mod-ssl openvpn spamassassin"
+ check="$check courier-imap-ssl courier-mta-ssl courier-pop-ssl"
+ check="$check postfix-tls cyrus21-imapd cyrus21-pop3d"
+ check="$check postgresql racoon"
+ # Only get the ones that are installed, and configured
+ check=$(dpkg -s $check 2> /dev/null | sed '/^$/{N;/^\n$/D;}' | awk 'BEGIN{RS="\n\n";FS="\n"}{if ( $2 ~ /Status: .* installed$/ ) { print $1 } }' | cut -f 2 -d ' ')
+ # apache2 ships its init script in apache2-common, but the
+ # script is apache2
+ check=$(echo $check | sed 's/apache2-common/apache2/g')
+ # For mod-ssl apache has to be restarted
+ check=$(echo $check | sed 's/libapache-mod-ssl/apache/g')
+ rl=$(runlevel | awk '{print $2}')
+ for service in $check; do
+ if [ -f /usr/share/file-rc/rc -o -f /usr/lib/file-rc/rc ] && [ -f /etc/runlevel.conf ]; then
+ idl=$(filerc $rl $service)
+ else
+ idl=$(ls /etc/rc${rl}.d/S??${service} 2> /dev/null | head -n 1)
+ fi
+ if [ -n "$idl" ] && [ -x $idl ]; then
+ services="$service $services"
+ fi
+ done
+ echo "done."
+ if [ -n "$services" ]; then
+ db_version 2.0
+
+ db_reset libssl0.9.8/restart-services
+ db_set libssl0.9.8/restart-services "$services"
+ db_input critical libssl0.9.8/restart-services || true
+ db_go || true
+ db_get libssl0.9.8/restart-services
+ # Arghhh, close all the stupid debconf pipes
+ db_stop
+
+ if [ "x$RET" != "x" ]
+ then
+ services=$RET
+ answer=yes
+ else
+ answer=no
+ fi
+ echo
+ if [ "$answer" = yes ] && [ "$services" != "" ]; then
+ echo "Restarting services possibly affected by the upgrade:"
+ failed=""
+ for service in $services; do
+ idl=$(ls /etc/rc${rl}.d/S??${service} 2> /dev/null | head -n 1)
+ echo -n " $service: stopping..."
+ $idl stop > /dev/null 2>&1 || true
+ sleep 1
+ echo -n "starting..."
+ if $idl start > /dev/null 2>&1; then
+ echo "done."
+ else
+ echo "FAILED! ($?)"
+ failed="$service $failed"
+ fi
+ done
+ echo
+ if [ -n "$failed" ]; then
+ # Ruh roh, George
+ echo "The following services failed to start: $failed"
+ echo
+ echo "You will need to start these manually by running \`/etc/init.d/ start'"
+ echo "If the service still fails to start, you may need to file a bug on"
+ echo "$(package_name) or the service involved."
+ else
+ echo "Services restarted successfully."
+ fi
+ echo
+ fi
+ fi
+ fi # end upgrading and $2 lt 0.9.8-3
+ fi # Upgrading
+fi
+
+#DEBHELPER#
--- openssl-0.9.8a.orig/debian/README.optimization
+++ openssl-0.9.8a/debian/README.optimization
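Review bot: In the restart loop of debian/libssl0.9.8.postinst, `idl` is looked up only with `ls /etc/rc${rl}.d/S??${service}` and is then executed unquoted without checking that it is non-empty, unlike the detection loop above it, which also covers file-rc through `filerc` and tests `[ -n "$idl" ] && [ -x $idl ]`. On a file-rc system, or for a name typed into the debconf list that has no start link, `$idl stop` expands to the bare word `stop`, and whatever command of that name is on root's PATH gets run. Resolve the script the same way in both loops and skip the service when nothing is found, e.g. `[ -n "$idl" ] && [ -x "$idl" ] || { failed="$service $failed"; continue; }`. The names coming back in `$RET` are free-form input, so it is also worth rejecting any that contain `/` before they are spliced into the glob.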
@@ -0,0 +1,32 @@ +openssl ships optimized libraries for some cpus. The loading of these +libraries depends on the ability of the dynamic linker to automaticly +search additional directories depending on the cpu. If you want to +find out which are these directories for your computer, run the +following command: + +LD_LIBRARY_PATH=/usr/lib strace true 2>&1 | fgrep "open(\"/usr/lib" + +On a Pentium III this gives: + +open("/usr/lib/i686/mmx/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) +open("/usr/lib/i686/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) +open("/usr/lib/mmx/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) +open("/usr/lib/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) + +Following is a list of cpus, library paths and possible optimizations: + +486 /usr/lib/i486 -march=i486 -mcpu=i486 +asm +Pentium /usr/lib/i586 -march=i586 -mcpu=i586 +asm +Pentium MMX /usr/lib/i586 -march=i586 -mcpu=i586 +asm +Pentium II /usr/lib/i686 -march=i686 -mcpu=i686 +asm +Pentium III /usr/lib/i686 -march=i686 -mcpu=i686 +asm +AMD-K6 /usr/lib/i586 -march=i586 -mcpu=i586 +asm +AMD-K7 /usr/lib/i686 -march=i686 -mcpu=i686 +asm + +Sparc v8 /usr/lib/v8 -mcpu=v8 +asm +Sparc v9 /usr/lib/v9 -mcpu=v9 -Wa,-Av8plus +asm + +Alpha EV4 /usr/lib/ev4 -mcpu=ev4 +Alpha EV5 /usr/lib/ev5 -mcpu=ev5 + ++asm means that the handcrafted 586 assembler routines can be used. --- openssl-0.9.8a.orig/debian/libssl0.9.8.dirs +++ openssl-0.9.8a/debian/libssl0.9.8.dirs @@ -0,0 +1,2 @@ +usr/lib +usr/share/doc/libssl0.9.8 --- openssl-0.9.8a.orig/debian/watch +++ openssl-0.9.8a/debian/watch @@ -0,0 +1,2 @@ +version=2 +ftp://ftp.openssl.org/source/openssl-(\d+\.\d+\.\d+[a-z]?)\.tar\.gz --- openssl-0.9.8a.orig/debian/libcrypto0.9.8-udeb.dirs +++ openssl-0.9.8a/debian/libcrypto0.9.8-udeb.dirs @@ -0,0 +1 @@ +usr/lib --- openssl-0.9.8a.orig/debian/copyright +++ openssl-0.9.8a/debian/copyright 
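Review bot: debian/watch tracks the upstream tarball at an `ftp://` URL, and nothing in this packaging checks the download against a signature, so a tampered mirror or network path would go unnoticed when a new upstream release is imported. For a crypto library that is a supply-chain gap worth closing: fetch over an authenticated channel where upstream offers one and verify the detached signature before unpacking. Later uscan watch formats can automate the check with `pgpsigurlmangle`; as far as I know `version=2`, as used here, cannot, so until the format is raised the verification step belongs in the maintainer's documented update procedure.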
@@ -0,0 +1,135 @@ +This package was debianized by Christoph Martin martin@uni-mainz.de on +Fri, 22 Nov 1996 21:29:51 +0100. + +Copyright (c) 1998-2004 The OpenSSL Project +Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson + +The upstream sources were obtained from http://www.openssl.org/ + + + LICENSE ISSUES + ============== + + The OpenSSL toolkit stays under a dual license, i.e. both the conditions of + the OpenSSL License and the original SSLeay license apply to the toolkit. + See below for the actual license texts. Actually both licenses are BSD-style + Open Source licenses. In case of any license issues related to OpenSSL + please contact openssl-core@openssl.org. + + OpenSSL License + --------------- + +/* ==================================================================== + * Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. 
Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + + Original SSLeay License + ----------------------- + +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. 
The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. 
If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ + --- openssl-0.9.8a.orig/debian/libssl0.9.8.templates +++ openssl-0.9.8a/debian/libssl0.9.8.templates 
@@ -0,0 +1,15 @@ +Template: libssl0.9.8/restart-services +Type: string +_Description: Which services should be restarted to make them use the new libraries? + Security holes were fixed with this release. Services may not use these + fixes until they are restarted. Note: restarting sshd should not affect any + existing connections. + . + Following is a list of detected services that need to be restarted. Please + correct the list, if you think it is incorrect. The services names must be + identical to the script names in /etc/init.d and must be separated by + spaces. If you clear the list, no services will be restarted. + . + If other services begin to fail mysteriously after this upgrade, it may be + necessary to restart them too. We strongly recommend you to reboot your + machine to avoid the SSL related trouble. --- openssl-0.9.8a.orig/tools/c_rehash +++ openssl-0.9.8a/tools/c_rehash @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/perl # Perl c_rehash script, scan all files in a directory @@ -6,7 +6,7 @@ my $openssl; -my $dir = "/usr/local/ssl"; +my $dir = "/usr/lib/ssl"; if(defined $ENV{OPENSSL}) { $openssl = $ENV{OPENSSL}; --- openssl-0.9.8a.orig/doc/Makefile +++ openssl-0.9.8a/doc/Makefile 
@@ -0,0 +1,40 @@ +VERSION = + +#PODS = $(wildcard *.pod) +#MANS = $(addsuffix .man, $(basename $(PODS))) + +MANS = openssl.1 ssl.3 crypto.3 + +P2M = pod2man --center='OpenSSL Documentation' --release="OpenSSL $(VERSION)" + +all: manpages + +.PHONY: manpages + +manpages: openssl.1 crypto.3 ssl.3 + +openssl.1: + $(P2M) --section=1 openssl.pod > openssl.1 + +crypto.3: + $(P2M) --section=3 crypto.pod > crypto.3 + +ssl.3: + $(P2M) --section=3 ssl.pod > ssl.3 + +.PHONY: install +install: + mkdir -p $(INSTALL_PREFIX)$(INSTALLTOP)/share/man/man1 + mkdir -p $(INSTALL_PREFIX)$(INSTALLTOP)/share/man/man3 + install -m 644 -p openssl.1 $(INSTALL_PREFIX)$(INSTALLTOP)/share/man/man1 + install -m 644 -p crypto.3 $(INSTALL_PREFIX)$(INSTALLTOP)/share/man/man3 + install -m 644 -p ssl.3 $(INSTALL_PREFIX)$(INSTALLTOP)/share/man/man3 + rm -f $(MANS) + +.PHONY: clean +clean: + rm -f $(MANS) + +.PHONY: realclean +realclean: + -$(MAKE) clean --- openssl-0.9.8a.orig/ssl/ssl_err.c +++ openssl-0.9.8a/ssl/ssl_err.c @@ -87,6 +87,7 @@ {ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT), "DTLS1_GET_MESSAGE_FRAGMENT"}, {ERR_FUNC(SSL_F_DTLS1_GET_RECORD), "DTLS1_GET_RECORD"}, {ERR_FUNC(SSL_F_DTLS1_OUTPUT_CERT_CHAIN), "DTLS1_OUTPUT_CERT_CHAIN"}, +{ERR_FUNC(SSL_F_DTLS1_PREPROCESS_FRAGMENT), "DTLS1_PREPROCESS_FRAGMENT"}, {ERR_FUNC(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE), "DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE"}, {ERR_FUNC(SSL_F_DTLS1_PROCESS_RECORD), "DTLS1_PROCESS_RECORD"}, {ERR_FUNC(SSL_F_DTLS1_READ_BYTES), "DTLS1_READ_BYTES"}, --- openssl-0.9.8a.orig/ssl/s3_clnt.c +++ openssl-0.9.8a/ssl/s3_clnt.c @@ -883,7 +883,7 @@ } i=ssl_verify_cert_chain(s,sk); - if ((s->verify_mode != SSL_VERIFY_NONE) && (!i) + if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0) #ifndef OPENSSL_NO_KRB5 && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK)) != (SSL_aKRB5|SSL_kKRB5) 
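Review bot: The `(i <= 0)` test in the ssl/s3_clnt.c hunk carries no comment saying why `!i` was not enough, and the same goes for the two `EVP_VerifyFinal(...) <= 0` hunks further down in this file and the `if (i <= 0)` hunk in ssl/s3_srvr.c. These calls can evidently return a negative value for an internal error as well as 0 for a failed check, and the old boolean test let the negative case fall through as success. I would add one line at each site, e.g. `/* <0 = internal error, 0 = verification failed; only >0 is success */`, so the comparison is not simplified back to a truth test later. The enclosing function starts and ends outside the hunk.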
@@ -1368,7 +1368,7 @@ EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); EVP_VerifyUpdate(&md_ctx,param,param_len); - if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey)) + if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) { /* bad signature */ al=SSL_AD_DECRYPT_ERROR; @@ -1386,7 +1386,7 @@ EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); EVP_VerifyUpdate(&md_ctx,param,param_len); - if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey)) + if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) { /* bad signature */ al=SSL_AD_DECRYPT_ERROR; --- openssl-0.9.8a.orig/ssl/ssltest.c +++ openssl-0.9.8a/ssl/ssltest.c @@ -2072,7 +2072,7 @@ if (cb_arg->proxy_auth) { - if (ok) + if (ok > 0) { const char *cond_end = NULL; --- openssl-0.9.8a.orig/ssl/s3_srvr.c +++ openssl-0.9.8a/ssl/s3_srvr.c @@ -2017,7 +2017,7 @@ if (kssl_ctx->client_princ) { - int len = strlen(kssl_ctx->client_princ); + size_t len = strlen(kssl_ctx->client_princ); if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) { s->session->krb5_client_princ_len = len; @@ -2476,7 +2476,7 @@ else { i=ssl_verify_cert_chain(s,sk); - if (!i) + if (i <= 0) { al=ssl_verify_alarm_type(s->verify_result); SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED); --- openssl-0.9.8a.orig/ssl/ssl_lib.c +++ openssl-0.9.8a/ssl/ssl_lib.c @@ -1201,7 +1201,6 @@ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len) { char *p; - const char *cp; STACK_OF(SSL_CIPHER) *sk; SSL_CIPHER *c; int i; 
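Review bot: In the second ssl/s3_srvr.c hunk, the error branch under `if (i <= 0)` now also runs when `ssl_verify_cert_chain` returns a negative value, but it still derives the alert from `s->verify_result` and records `SSL_R_NO_CERTIFICATE_RETURNED`. Whether `verify_result` holds a meaningful code after an internal error cannot be seen from this hunk; if it does not, the peer gets an alert and the error queue gets a reason that both misdescribe the failure, which makes these events harder to triage. Consider separating the cases, e.g. `if (i < 0) al=SSL_AD_INTERNAL_ERROR; else al=ssl_verify_alarm_type(s->verify_result);`, and a reason code that names a verification failure such as `SSL_R_CERTIFICATE_VERIFY_FAILED`. The function body continues outside the hunk.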
@@ -1214,20 +1213,21 @@ sk=s->session->ciphers; for (i=0; iname; *cp; ) + n=strlen(c->name); + if (n+1 > len) { - if (len-- == 0) - { - *p='\0'; - return(buf); - } - else - *(p++)= *(cp++); + if (p != buf) + --p; + *p='\0'; + return buf; } + strcpy(p,c->name); + p+=n; *(p++)=':'; + len-=n+1; } p[-1]='\0'; return(buf); --- openssl-0.9.8a.orig/ssl/t1_enc.c +++ openssl-0.9.8a/ssl/t1_enc.c @@ -632,7 +632,9 @@ { /* First packet is even in size, so check */ if ((memcmp(s->s3->read_sequence, - "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1)) + "\0\0\0\0\0\0\0\0",8) == 0) && + !(ii & 1) && + rec->data[l-i] != ii) s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG; if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) i--; --- openssl-0.9.8a.orig/ssl/d1_both.c +++ openssl-0.9.8a/ssl/d1_both.c 
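Review bot: In the ssl/ssl_lib.c hunk the closing `p[-1]='\0';` is kept as is, and if the loop body never runs (an empty shared-cipher stack) `p` still equals `buf`, so that store lands one byte before the caller's buffer. Any guard for that case would sit in the part of `SSL_get_shared_ciphers` above the hunk, which is not visible here (the `for` line itself is garbled on this page), so this needs confirming against the file. The truncation branch added by this commit already handles the same situation safely, and the tail could mirror it: `if (p != buf) --p;` followed by `*p='\0';`.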
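Review bot: The operand added in the ssl/t1_enc.c hunk, `rec->data[l-i] != ii`, reads the record at an offset computed from `i`, which appears to be derived from the peer-supplied padding length, and nothing in the hunk shows that `i` has been checked against `l` at this point. If the length check sits after this block, a padding value larger than the record makes `l-i` wrap or go negative and the comparison reads outside `rec->data`. Put the bound first in the condition (something like `i <= l &&`, with whatever casts the declared types need, since the declarations are outside the hunk) or move this test below the existing length check. The enclosing function starts and ends outside the hunk.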
@@ -138,38 +138,40 @@ unsigned long frag_len); static int dtls1_retransmit_buffered_messages(SSL *s); static long dtls1_get_message_fragment(SSL *s, int st1, int stn, - long max, int *ok); -static void dtls1_process_handshake_fragment(SSL *s, int frag_len); + long max, int *ok); static hm_fragment * dtls1_hm_fragment_new(unsigned long frag_len) - { - hm_fragment *frag = NULL; - unsigned char *buf = NULL; - - frag = (hm_fragment *)OPENSSL_malloc(sizeof(hm_fragment)); - if ( frag == NULL) - return NULL; - - buf = (unsigned char *)OPENSSL_malloc(frag_len - + DTLS1_HM_HEADER_LENGTH); - if ( buf == NULL) - { - OPENSSL_free(frag); - return NULL; - } - - frag->fragment = buf; + { + hm_fragment *frag = NULL; + unsigned char *buf = NULL; + + frag = (hm_fragment *)OPENSSL_malloc(sizeof(hm_fragment)); + if ( frag == NULL) + return NULL; + + if (frag_len) + { + buf = (unsigned char *)OPENSSL_malloc(frag_len); + if ( buf == NULL) + { + OPENSSL_free(frag); + return NULL; + } + } - return frag; - } + /* zero length fragment gets zero frag->fragment */ + frag->fragment = buf; + + return frag; + } static void dtls1_hm_fragment_free(hm_fragment *frag) - { - OPENSSL_free(frag->fragment); - OPENSSL_free(frag); - } + { + if (frag->fragment) OPENSSL_free(frag->fragment); + OPENSSL_free(frag); + } /* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */ int dtls1_do_write(SSL *s, int type) @@ -180,7 +182,7 @@ /* AHA! Figure out the MTU, and stick to the right size */ if ( ! (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) - { + { s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL); @@ -207,7 +209,7 @@ mtu = curr_mtu; else if ( ( ret = BIO_flush(SSL_get_wbio(s))) <= 0) return ret; - + if ( BIO_wpending(SSL_get_wbio(s)) + s->init_num >= mtu) { ret = BIO_flush(SSL_get_wbio(s)); 
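Review bot: In the first ssl/d1_both.c hunk, `dtls1_hm_fragment_new` now hands back a fragment whose `fragment` pointer is NULL when `frag_len` is 0, and it leaves `frag->msg_header` uninitialised, but neither fact is stated where a caller would look. Only `dtls1_hm_fragment_free` is adjusted in this hunk, so any other consumer that copies from `frag->fragment` has to know about the NULL case. A header comment would cover it, e.g. `/* Allocates frag_len bytes of storage; fragment is NULL when frag_len is 0. msg_header is left for the caller to fill. */`. `frag_len` is also allocated as given, with no cap here, so the comment should say that callers are expected to have bounded it against the negotiated maximum first.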
@@ -254,11 +256,11 @@ s->init_off -= DTLS1_HM_HEADER_LENGTH; s->init_num += DTLS1_HM_HEADER_LENGTH; - /* write atleast DTLS1_HM_HEADER_LENGTH bytes */ + /* write atleast DTLS1_HM_HEADER_LENGTH bytes */ if ( len <= DTLS1_HM_HEADER_LENGTH) len += DTLS1_HM_HEADER_LENGTH; } - + dtls1_fix_message_header(s, frag_off, len - DTLS1_HM_HEADER_LENGTH); @@ -286,18 +288,40 @@ } else { - + /* bad if this assert fails, only part of the handshake * message got sent. but why would this happen? */ - OPENSSL_assert(len == (unsigned int)ret); - + OPENSSL_assert(len == (unsigned int)ret); + if (type == SSL3_RT_HANDSHAKE && ! s->d1->retransmitting) + { /* should not be done for 'Hello Request's, but in that case * we'll ignore the result anyway */ - ssl3_finish_mac(s, - (unsigned char *)&s->init_buf->data[s->init_off + - DTLS1_HM_HEADER_LENGTH], ret - DTLS1_HM_HEADER_LENGTH); - + unsigned char *p = &s->init_buf->data[s->init_off]; + const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; + int len; + + if (frag_off == 0 && s->client_version != DTLS1_BAD_VER) + { + /* reconstruct message header is if it + * is being sent in single fragment */ + *p++ = msg_hdr->type; + l2n3(msg_hdr->msg_len,p); + s2n (msg_hdr->seq,p); + l2n3(0,p); + l2n3(msg_hdr->msg_len,p); + p -= DTLS1_HM_HEADER_LENGTH; + len = ret; + } + else + { + p += DTLS1_HM_HEADER_LENGTH; + len = ret - DTLS1_HM_HEADER_LENGTH; + } + + ssl3_finish_mac(s, p, len); + } + if (ret == s->init_num) { if (s->msg_callback) @@ -307,7 +331,7 @@ s->init_off = 0; /* done writing this message */ s->init_num = 0; - + return(1); } s->init_off+=ret; @@ -327,6 +351,7 @@ long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) { int i, al; + struct hm_header_st *msg_hdr; /* s3->tmp is used to store messages that are unexpected, caused * by the absence of an optional handshake message */ 
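Review bot: The block added under `if (type == SSL3_RT_HANDSHAKE && ! s->d1->retransmitting)` in the `@@ -286,18 +288,40 @@` hunk declares `int len;`, which shadows the outer `len` that `OPENSSL_assert(len == (unsigned int)ret)` compares just above. The two now mean different things a few lines apart (bytes written versus bytes fed to the MAC), and in the `else` arm the inner one is `ret - DTLS1_HM_HEADER_LENGTH` with no check in the hunk that `ret` is at least a header long. Rename the inner variable, e.g. `int mac_len;` and `ssl3_finish_mac(s, p, mac_len);`, and say in the comment that the header is rebuilt in place inside `s->init_buf` (the existing comment also reads "is if it" where "as if it" is meant). The body of `dtls1_do_write` starts and ends outside the hunk.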
@@ -344,25 +369,56 @@ s->init_num = (int)s->s3->tmp.message_size; return s->init_num; } - + + msg_hdr = &s->d1->r_msg_hdr; do { - if ( s->d1->r_msg_hdr.frag_off == 0) + if ( msg_hdr->frag_off == 0) { /* s->d1->r_message_header.msg_len = 0; */ - memset(&(s->d1->r_msg_hdr), 0x00, sizeof(struct hm_header_st)); + memset(msg_hdr, 0x00, sizeof(struct hm_header_st)); } i = dtls1_get_message_fragment(s, st1, stn, max, ok); if ( i == DTLS1_HM_BAD_FRAGMENT || - i == DTLS1_HM_FRAGMENT_RETRY) /* bad fragment received */ + i == DTLS1_HM_FRAGMENT_RETRY) /* bad fragment received */ continue; else if ( i <= 0 && !*ok) return i; - if (s->d1->r_msg_hdr.msg_len == (unsigned int)s->init_num - DTLS1_HM_HEADER_LENGTH) + /* Note that s->init_sum is used as a counter summing + * up fragments' lengths: as soon as they sum up to + * handshake packet length, we assume we have got all + * the fragments. Overlapping fragments would cause + * premature termination, so we don't expect overlaps. + * Well, handling overlaps would require something more + * drastic. Indeed, as it is now there is no way to + * tell if out-of-order fragment from the middle was + * the last. '>=' is the best/least we can do to control + * the potential damage caused by malformed overlaps. 
*/ + if ((unsigned int)s->init_num >= msg_hdr->msg_len) { - memset(&(s->d1->r_msg_hdr), 0x00, sizeof(struct hm_header_st)); + unsigned char *p = s->init_buf->data; + unsigned long msg_len = msg_hdr->msg_len; + + /* reconstruct message header as if it was + * sent in single fragment */ + *(p++) = msg_hdr->type; + l2n3(msg_len,p); + s2n (msg_hdr->seq,p); + l2n3(0,p); + l2n3(msg_len,p); + if (s->client_version != DTLS1_BAD_VER) + p -= DTLS1_HM_HEADER_LENGTH, + msg_len += DTLS1_HM_HEADER_LENGTH; + + ssl3_finish_mac(s, p, msg_len); + if (s->msg_callback) + s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, + p, msg_len, + s, s->msg_callback_arg); + + memset(msg_hdr, 0x00, sizeof(struct hm_header_st)); s->d1->handshake_read_seq++; /* we just read a handshake message from the other side: @@ -379,11 +435,11 @@ * first data segment, but is there a better way? */ dtls1_clear_record_buffer(s); - s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH; - return s->init_num - DTLS1_HM_HEADER_LENGTH; + s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH; + return s->init_num; } else - s->d1->r_msg_hdr.frag_off = i; + msg_hdr->frag_off = i; } while(1) ; f_err: 
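Review bot: In the `@@ -344,25 +369,56 @@` hunk, completion is decided by `(unsigned int)s->init_num >= msg_hdr->msg_len`, that is by a running byte count, and the new comment itself concedes that overlapping or out-of-order fragments are not accounted for. As written, fragments that overlap or repeat can push the count past `msg_len` while part of `s->init_buf->data` was never filled, and `ssl3_finish_mac(s, p, msg_len)` then hashes, and `msg_callback` receives, whatever those bytes happen to contain. The fragment reader is outside this hunk, so I cannot tell whether it already insists that `frag_off` match the bytes received so far; if it does not, it should enforce that or track which ranges have arrived before the message is treated as complete. Two smaller things in the same hunk: the comment says `s->init_sum` where `s->init_num` is meant, and the comma-joined `p -= ..., msg_len += ...;` under an unbraced `if` would read more safely as a braced block with two statements.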
@@ -393,161 +449,183 @@ } -static int -dtls1_retrieve_buffered_fragment(SSL *s, unsigned long *copied) - { - /* (0) check whether the desired fragment is available - * if so: - * (1) copy over the fragment to s->init_buf->data[] - * (2) update s->init_num - */ - pitem *item; - hm_fragment *frag; - unsigned long overlap; - unsigned char *p; - - item = pqueue_peek(s->d1->buffered_messages); - if ( item == NULL) - return 0; - - frag = (hm_fragment *)item->data; - - if ( s->d1->handshake_read_seq == frag->msg_header.seq && - frag->msg_header.frag_off <= (unsigned int)s->init_num - DTLS1_HM_HEADER_LENGTH) - { - pqueue_pop(s->d1->buffered_messages); - overlap = s->init_num - DTLS1_HM_HEADER_LENGTH - - frag->msg_header.frag_off; - - p = frag->fragment; - - memcpy(&s->init_buf->data[s->init_num], - p + DTLS1_HM_HEADER_LENGTH + overlap, - frag->msg_header.frag_len - overlap); - - OPENSSL_free(frag->fragment); - OPENSSL_free(frag); - pitem_free(item); - - *copied = frag->msg_header.frag_len - overlap; - return *copied; - } - else - return 0; - } +static int dtls1_preprocess_fragment(SSL *s,struct hm_header_st *msg_hdr,int max) + { + size_t frag_off,frag_len,msg_len; + msg_len = msg_hdr->msg_len; + frag_off = msg_hdr->frag_off; + frag_len = msg_hdr->frag_len; -static int -dtls1_buffer_handshake_fragment(SSL *s, struct hm_header_st* msg_hdr) -{ - hm_fragment *frag = NULL; - pitem *item = NULL; - PQ_64BIT seq64; + /* sanity checking */ + if ( (frag_off+frag_len) > msg_len) + { + SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE); + return SSL_AD_ILLEGAL_PARAMETER; + } - frag = dtls1_hm_fragment_new(msg_hdr->frag_len); - if ( frag == NULL) - goto err; + if ( (frag_off+frag_len) > (unsigned long)max) + { + SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE); + return SSL_AD_ILLEGAL_PARAMETER; + } - memcpy(frag->fragment, &(s->init_buf->data[s->init_num]), - msg_hdr->frag_len + DTLS1_HM_HEADER_LENGTH); + if ( s->d1->r_msg_hdr.frag_off == 0) /* 
first fragment */ + { + /* msg_len is limited to 2^24, but is effectively checked + * against max above */ + if (!BUF_MEM_grow_clean(s->init_buf,(int)msg_len+DTLS1_HM_HEADER_LENGTH)) + { + SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,ERR_R_BUF_LIB); + return SSL_AD_INTERNAL_ERROR; + } - memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); + s->s3->tmp.message_size = msg_len; + s->d1->r_msg_hdr.msg_len = msg_len; + s->s3->tmp.message_type = msg_hdr->type; + s->d1->r_msg_hdr.type = msg_hdr->type; + s->d1->r_msg_hdr.seq = msg_hdr->seq; + } + else if (msg_len != s->d1->r_msg_hdr.msg_len) + { + /* They must be playing with us! BTW, failure to enforce + * upper limit would open possibility for buffer overrun. */ + SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE); + return SSL_AD_ILLEGAL_PARAMETER; + } - pq_64bit_init(&seq64); - pq_64bit_assign_word(&seq64, msg_hdr->seq); + return 0; /* no error */ + } - item = pitem_new(seq64, frag); - if ( item == NULL) - goto err; - pq_64bit_free(&seq64); +static int +dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) + { + /* (0) check whether the desired fragment is available + * if so: + * (1) copy over the fragment to s->init_buf->data[] + * (2) update s->init_num + */ + pitem *item; + hm_fragment *frag; + int al; - pqueue_insert(s->d1->buffered_messages, item); - return 1; + *ok = 0; + item = pqueue_peek(s->d1->buffered_messages); + if ( item == NULL) + return 0; -err: - if ( frag != NULL) dtls1_hm_fragment_free(frag); - if ( item != NULL) OPENSSL_free(item); - return 0; -} + frag = (hm_fragment *)item->data; + if ( s->d1->handshake_read_seq == frag->msg_header.seq) + { + pqueue_pop(s->d1->buffered_messages); -static void -dtls1_process_handshake_fragment(SSL *s, int frag_len) - { - unsigned char *p; + al=dtls1_preprocess_fragment(s,&frag->msg_header,max); - p = (unsigned char *)s->init_buf->data; + if (al==0) /* no alert */ + { + unsigned char *p = s->init_buf->data+DTLS1_HM_HEADER_LENGTH; + 
memcpy(&p[frag->msg_header.frag_off], + frag->fragment,frag->msg_header.frag_len); + } - ssl3_finish_mac(s, &p[s->init_num - frag_len], frag_len); - } + dtls1_hm_fragment_free(frag); + pitem_free(item); + + if (al==0) + { + *ok = 1; + return frag->msg_header.frag_len; + } + + ssl3_send_alert(s,SSL3_AL_FATAL,al); + s->init_num = 0; + *ok = 0; + return -1; + } + else + return 0; + } static int -dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st *msg_hdr, int *ok) - { - int i; - unsigned char *p; - - /* make sure there's enough room to read this fragment */ - if ( (int)msg_hdr->frag_len && !BUF_MEM_grow_clean(s->init_buf, - (int)msg_hdr->frag_len + DTLS1_HM_HEADER_LENGTH + s->init_num)) - { - SSLerr(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE,ERR_R_BUF_LIB); - goto err; - } +dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) +{ + int i=-1; + hm_fragment *frag = NULL; + pitem *item = NULL; + PQ_64BIT seq64; + unsigned long frag_len = msg_hdr->frag_len; - p = (unsigned char *)s->init_buf->data; + if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len) + goto err; - /* read the body of the fragment (header has already been read */ - if ( msg_hdr->frag_len > 0) + if (msg_hdr->seq <= s->d1->handshake_read_seq) { - i=s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, - &p[s->init_num], - msg_hdr->frag_len,0); - if (i <= 0) + unsigned char devnull [256]; + + while (frag_len) { - *ok = 0; - return i; + i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, + devnull, + frag_len>sizeof(devnull)?sizeof(devnull):frag_len,0); + if (i<=0) goto err; + frag_len -= i; } } - if ( msg_hdr->seq > s->d1->handshake_read_seq) - dtls1_buffer_handshake_fragment(s, msg_hdr); - else - OPENSSL_assert(msg_hdr->seq < s->d1->handshake_read_seq); + frag = dtls1_hm_fragment_new(frag_len); + if ( frag == NULL) + goto err; + + memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); + + if (frag_len) + { + /* read the body of the fragment (header has already been read */ + i = 
s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, + frag->fragment,frag_len,0); + if (i<=0 || i!=frag_len) + goto err; + } + + pq_64bit_init(&seq64); + pq_64bit_assign_word(&seq64, msg_hdr->seq); + + item = pitem_new(seq64, frag); + pq_64bit_free(&seq64); + if ( item == NULL) + goto err; + + pqueue_insert(s->d1->buffered_messages, item); + return DTLS1_HM_FRAGMENT_RETRY; - return DTLS1_HM_FRAGMENT_RETRY; err: - *ok = 0; - return -1; - } + if ( frag != NULL) dtls1_hm_fragment_free(frag); + if ( item != NULL) OPENSSL_free(item); + *ok = 0; + return i; + } static long dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) { - unsigned char *p; + unsigned char wire[DTLS1_HM_HEADER_LENGTH]; unsigned long l, frag_off, frag_len; int i,al; struct hm_header_st msg_hdr; - unsigned long overlap; - - /* see if we have the required fragment already */ - if (dtls1_retrieve_buffered_fragment(s, &l)) - { - /* compute MAC, remove fragment headers */ - dtls1_process_handshake_fragment(s, l); - s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH; - s->state = stn; - return 1; - } - /* get a handshake fragment from the record layer */ - p = (unsigned char *)s->init_buf->data; + /* see if we have the required fragment already */ + if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok) + { + if (*ok) s->init_num += frag_len; + return frag_len; + } - /* read handshake message header */ - i=s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num], + /* read handshake message header */ + i=s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,wire, DTLS1_HM_HEADER_LENGTH, 0); if (i <= 0) /* nbio, or an error */ { 
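Review bot: dtls1_retrieve_buffered_fragment evaluates `return frag->msg_header.frag_len;` after `dtls1_hm_fragment_free(frag)` has already released frag, so the returned length is read from freed memory. Save it first, e.g. `unsigned long frag_len = frag->msg_header.frag_len;` before the free and `return frag_len;` afterwards. In dtls1_process_out_of_seq_message, the `msg_hdr->seq <= s->d1->handshake_read_seq` branch drains the stale body but then falls through and queues a zero-length fragment under the stale sequence number; a `return DTLS1_HM_FRAGMENT_RETRY;` after the drain loop looks intended. Nothing visible in this hunk limits how far ahead `msg_hdr->seq` may be or how many fragments are queued, so `buffered_messages` can grow with peer-supplied data before the handshake is authenticated; a cap on the accepted sequence window would be worth adding.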
@@ -555,130 +633,61 @@ *ok = 0; return i; } - OPENSSL_assert(i == DTLS1_HM_HEADER_LENGTH); - p += s->init_num; - /* parse the message fragment header */ - - dtls1_get_message_header(p, &msg_hdr); - - /* - * if this is a future (or stale) message it gets buffered - * (or dropped)--no further processing at this time - */ - if ( msg_hdr.seq != s->d1->handshake_read_seq) - return dtls1_process_out_of_seq_message(s, &msg_hdr, ok); + /* parse the message fragment header */ + dtls1_get_message_header(wire, &msg_hdr); - l = msg_hdr.msg_len; - frag_off = msg_hdr.frag_off; - frag_len = msg_hdr.frag_len; + /* + * if this is a future (or stale) message it gets buffered + * (or dropped)--no further processing at this time + */ + if ( msg_hdr.seq != s->d1->handshake_read_seq) + return dtls1_process_out_of_seq_message(s, &msg_hdr, ok); - /* sanity checking */ - if ( frag_off + frag_len > l) - { - al=SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE); - goto f_err; - } + l = msg_hdr.msg_len; + frag_off = msg_hdr.frag_off; + frag_len = msg_hdr.frag_len; if (!s->server && s->d1->r_msg_hdr.frag_off == 0 && - p[0] == SSL3_MT_HELLO_REQUEST) - { - /* The server may always send 'Hello Request' messages -- - * we are doing a handshake anyway now, so ignore them - * if their format is correct. Does not count for - * 'Finished' MAC. 
*/ - if (p[1] == 0 && p[2] == 0 &&p[3] == 0) - { - if (s->msg_callback) - s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, - p, DTLS1_HM_HEADER_LENGTH, s, - s->msg_callback_arg); - - s->init_num = 0; - return dtls1_get_message_fragment(s, st1, stn, - max, ok); - } - else /* Incorrectly formated Hello request */ - { - al=SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_UNEXPECTED_MESSAGE); - goto f_err; - } - } - - /* XDTLS: do a sanity check on the fragment */ - - s->init_num += i; - - if ( s->d1->r_msg_hdr.frag_off == 0) /* first fragment */ + wire[0] == SSL3_MT_HELLO_REQUEST) { - /* BUF_MEM_grow takes an 'int' parameter */ - if (l > (INT_MAX-DTLS1_HM_HEADER_LENGTH)) + /* The server may always send 'Hello Request' messages -- + * we are doing a handshake anyway now, so ignore them + * if their format is correct. Does not count for + * 'Finished' MAC. */ + if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) { - al=SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE); - goto f_err; - } - if (l && !BUF_MEM_grow_clean(s->init_buf,(int)l - + DTLS1_HM_HEADER_LENGTH)) - { - SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,ERR_R_BUF_LIB); - goto err; + if (s->msg_callback) + s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, + wire, DTLS1_HM_HEADER_LENGTH, s, + s->msg_callback_arg); + + s->init_num = 0; + return dtls1_get_message_fragment(s, st1, stn, + max, ok); } - /* Only do this test when we're reading the expected message. 
- * Stale messages will be dropped and future messages will be buffered */ - if ( l > (unsigned long)max) + else /* Incorrectly formated Hello request */ { - al=SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE); + al=SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_UNEXPECTED_MESSAGE); goto f_err; } - - s->s3->tmp.message_size=l; } - if ( frag_len > (unsigned long)max) - { - al=SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE); - goto f_err; - } - if ( frag_len + s->init_num > (INT_MAX - DTLS1_HM_HEADER_LENGTH)) - { - al=SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE); - goto f_err; - } - - if ( frag_len & !BUF_MEM_grow_clean(s->init_buf, (int)frag_len - + DTLS1_HM_HEADER_LENGTH + s->init_num)) - { - SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,ERR_R_BUF_LIB); - goto err; - } - - if ( s->d1->r_msg_hdr.frag_off == 0) - { - s->s3->tmp.message_type = msg_hdr.type; - s->d1->r_msg_hdr.type = msg_hdr.type; - s->d1->r_msg_hdr.msg_len = l; - /* s->d1->r_msg_hdr.seq = seq_num; */ - } + if ((al=dtls1_preprocess_fragment(s,&msg_hdr,max))) + goto f_err; /* XDTLS: ressurect this when restart is in place */ s->state=stn; - - /* next state (stn) */ - p = (unsigned char *)s->init_buf->data; if ( frag_len > 0) { + unsigned char *p=s->init_buf->data+DTLS1_HM_HEADER_LENGTH; + i=s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, - &p[s->init_num], - frag_len,0); - /* XDTLS: fix this--message fragments cannot span multiple packets */ + &p[frag_off],frag_len,0); + /* XDTLS: fix this--message fragments cannot span multiple packets */ if (i <= 0) { s->rwstate=SSL_READING; 
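Review bot: The HelloRequest branch still skips each ignored message by calling `dtls1_get_message_fragment` recursively, so a run of well-formed HelloRequest messages from the server adds one stack frame, including the new `wire` and `msg_hdr` locals, per message. Now that the header is read into a local buffer this can be a loop: place a `redo:` label at the top of the function body and replace the recursive call with `goto redo;` after `s->init_num = 0;`. `l` also appears to be assigned from `msg_hdr.msg_len` but no longer read once the checks moved into dtls1_preprocess_fragment. The function starts in the previous hunk and continues in the next, so both points are based on the visible part only.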
@@ -689,70 +698,23 @@ else i = 0; - /* XDTLS: an incorrectly formatted fragment should cause the - * handshake to fail */ + /* XDTLS: an incorrectly formatted fragment should cause the + * handshake to fail */ OPENSSL_assert(i == (int)frag_len); -#if 0 - /* Successfully read a fragment. - * It may be (1) out of order, or - * (2) it's a repeat, in which case we dump it - * (3) the one we are expecting next (maybe with overlap) - * If it is next one, it may overlap with previously read bytes - */ - - /* case (1): buffer the future fragment - * (we can treat fragments from a future message the same - * as future fragments from the message being currently read, since - * they are sematically simply out of order. - */ - if ( msg_hdr.seq > s->d1->handshake_read_seq || - frag_off > s->init_num - DTLS1_HM_HEADER_LENGTH) - { - dtls1_buffer_handshake_fragment(s, &msg_hdr); - return DTLS1_HM_FRAGMENT_RETRY; - } - - /* case (2): drop the entire fragment, and try again */ - if ( msg_hdr.seq < s->d1->handshake_read_seq || - frag_off + frag_len < s->init_num - DTLS1_HM_HEADER_LENGTH) - { - s->init_num -= DTLS1_HM_HEADER_LENGTH; - return DTLS1_HM_FRAGMENT_RETRY; - } -#endif - - /* case (3): received a immediately useful fragment. Determine the - * possible overlap and copy the fragment. 
- */ - overlap = (s->init_num - DTLS1_HM_HEADER_LENGTH) - frag_off; - - /* retain the header for the first fragment */ - if ( s->init_num > DTLS1_HM_HEADER_LENGTH) - { - memmove(&(s->init_buf->data[s->init_num]), - &(s->init_buf->data[s->init_num + DTLS1_HM_HEADER_LENGTH + overlap]), - frag_len - overlap); - - s->init_num += frag_len - overlap; - } - else - s->init_num += frag_len; - - dtls1_process_handshake_fragment(s, frag_len - overlap); - - if (s->msg_callback) - s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, - (size_t)s->init_num, s, - s->msg_callback_arg); - *ok=1; + *ok = 1; - return s->init_num; + /* Note that s->init_num is *not* used as current offset in + * s->init_buf->data, but as a counter summing up fragments' + * lengths: as soon as they sum up to handshake packet + * length, we assume we have got all the fragments. */ + s->init_num += frag_len; + return frag_len; f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); - s->init_num = 0; -err: + s->init_num = 0; + *ok=0; return(-1); } @@ -790,7 +752,7 @@ /* buffer the message to handle re-xmits */ dtls1_buffer_message(s, 0); - + s->state=b; } @@ -816,9 +778,14 @@ *p++=SSL3_MT_CCS; s->d1->handshake_write_seq = s->d1->next_handshake_write_seq; s->d1->next_handshake_write_seq++; - s2n(s->d1->handshake_write_seq,p); - s->init_num=DTLS1_CCS_HEADER_LENGTH; + + if (s->client_version == DTLS1_BAD_VER) + { + s2n(s->d1->handshake_write_seq,p); + s->init_num+=2; + } + s->init_off=0; dtls1_set_message_header_int(s, SSL3_MT_CCS, 0, 
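Review bot: `OPENSSL_assert(i == (int)frag_len);` remains the only check that the body read matches the length taken from the peer's fragment header, so if `ssl_read_bytes` returns fewer bytes than frag_len the whole process aborts instead of this handshake failing, which is what the XDTLS comment directly above it asks for. Prefer an error path such as `if (i != (int)frag_len) { al=SSL_AD_ILLEGAL_PARAMETER; goto f_err; }`, with an `SSLerr` call carrying a suitable reason code before the `goto`. The `f_err` label in this hunk already sends the alert, resets `s->init_num` and clears `*ok`. The function begins two hunks earlier.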
@@ -915,316 +882,315 @@ } int dtls1_read_failed(SSL *s, int code) - { - DTLS1_STATE *state; - BIO *bio; - int send_alert = 0; - - if ( code > 0) - { - fprintf( stderr, "invalid state reached %s:%d", __FILE__, __LINE__); - return 1; - } - - bio = SSL_get_rbio(s); - if ( ! BIO_dgram_recv_timedout(bio)) - { - /* not a timeout, none of our business, - let higher layers handle this. in fact it's probably an error */ - return code; - } - - if ( ! SSL_in_init(s)) /* done, no need to send a retransmit */ - { - BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ); - return code; - } - - state = s->d1; - state->timeout.num_alerts++; - if ( state->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) - { - /* fail the connection, enough alerts have been sent */ - SSLerr(SSL_F_DTLS1_READ_FAILED,SSL_R_READ_TIMEOUT_EXPIRED); - return 0; - } - - state->timeout.read_timeouts++; - if ( state->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) - { - send_alert = 1; - state->timeout.read_timeouts = 1; - } + { + DTLS1_STATE *state; + BIO *bio; + int send_alert = 0; + + if ( code > 0) + { + fprintf( stderr, "invalid state reached %s:%d", __FILE__, __LINE__); + return 1; + } + + bio = SSL_get_rbio(s); + if ( ! BIO_dgram_recv_timedout(bio)) + { + /* not a timeout, none of our business, + let higher layers handle this. in fact it's probably an error */ + return code; + } + + if ( ! 
SSL_in_init(s)) /* done, no need to send a retransmit */ + { + BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ); + return code; + } + + state = s->d1; + state->timeout.num_alerts++; + if ( state->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) + { + /* fail the connection, enough alerts have been sent */ + SSLerr(SSL_F_DTLS1_READ_FAILED,SSL_R_READ_TIMEOUT_EXPIRED); + return 0; + } + + state->timeout.read_timeouts++; + if ( state->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) + { + send_alert = 1; + state->timeout.read_timeouts = 1; + } + - #if 0 /* for now, each alert contains only one record number */ - item = pqueue_peek(state->rcvd_records); - if ( item ) - { - /* send an alert immediately for all the missing records */ - } - else + item = pqueue_peek(state->rcvd_records); + if ( item ) + { + /* send an alert immediately for all the missing records */ + } + else #endif #if 0 /* no more alert sending, just retransmit the last set of messages */ - if ( send_alert) - ssl3_send_alert(s,SSL3_AL_WARNING, - DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); + if ( send_alert) + ssl3_send_alert(s,SSL3_AL_WARNING, + DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); #endif - return dtls1_retransmit_buffered_messages(s) ; - } + return dtls1_retransmit_buffered_messages(s) ; + } static int dtls1_retransmit_buffered_messages(SSL *s) - { - pqueue sent = s->d1->sent_messages; - piterator iter; - pitem *item; - hm_fragment *frag; - int found = 0; - - iter = pqueue_iterator(sent); - - for ( item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter)) - { - frag = (hm_fragment *)item->data; - if ( dtls1_retransmit_message(s, frag->msg_header.seq, 0, &found) <= 0 && - found) - { - fprintf(stderr, "dtls1_retransmit_message() failed\n"); - return -1; - } - } + { + pqueue sent = s->d1->sent_messages; + piterator iter; + pitem *item; + hm_fragment *frag; + int found = 0; - return 1; - } + iter = pqueue_iterator(sent); + + for ( item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter)) + { + frag = 
(hm_fragment *)item->data; + if ( dtls1_retransmit_message(s, frag->msg_header.seq, 0, &found) <= 0 && + found) + { + fprintf(stderr, "dtls1_retransmit_message() failed\n"); + return -1; + } + } + + return 1; + } #if 0 static dtls1_message_buffer * dtls1_message_buffer_new(unsigned int len) - { - dtls1_message_buffer *msg_buf; + { + dtls1_message_buffer *msg_buf; - msg_buf = (dtls1_message_buffer *) - OPENSSL_malloc(sizeof(dtls1_message_buffer)); - if ( msg_buf == NULL) - return NULL; - - memset(msg_buf, 0x00, sizeof(dtls1_message_buffer)); - - msg_buf->data = (unsigned char *) OPENSSL_malloc(len); - if ( msg_buf->data == NULL) - { - OPENSSL_free(msg_buf); - return NULL; - } - - memset(msg_buf->data, 0x00, len); - return msg_buf; - } + msg_buf = (dtls1_message_buffer *) + OPENSSL_malloc(sizeof(dtls1_message_buffer)); + if ( msg_buf == NULL) + return NULL; + + memset(msg_buf, 0x00, sizeof(dtls1_message_buffer)); + + msg_buf->data = (unsigned char *) OPENSSL_malloc(len); + if ( msg_buf->data == NULL) + { + OPENSSL_free(msg_buf); + return NULL; + } + + memset(msg_buf->data, 0x00, len); + return msg_buf; + } #endif #if 0 static void dtls1_message_buffer_free(dtls1_message_buffer *msg_buf) - { - if (msg_buf != NULL) - { - OPENSSL_free(msg_buf->data); - OPENSSL_free(msg_buf); - } - } + { + if (msg_buf != NULL) + { + OPENSSL_free(msg_buf->data); + OPENSSL_free(msg_buf); + } + } #endif int dtls1_buffer_message(SSL *s, int is_ccs) - { - pitem *item; - hm_fragment *frag; + { + pitem *item; + hm_fragment *frag; PQ_64BIT seq64; - /* this function is called immediately after a message has - * been serialized */ - OPENSSL_assert(s->init_off == 0); - - frag = dtls1_hm_fragment_new(s->init_num); - - memcpy(frag->fragment, s->init_buf->data, s->init_num); - - if ( is_ccs) - { - OPENSSL_assert(s->d1->w_msg_hdr.msg_len + - DTLS1_CCS_HEADER_LENGTH == (unsigned int)s->init_num); - } - else - { - OPENSSL_assert(s->d1->w_msg_hdr.msg_len + - DTLS1_HM_HEADER_LENGTH == (unsigned 
int)s->init_num); - } - - frag->msg_header.msg_len = s->d1->w_msg_hdr.msg_len; - frag->msg_header.seq = s->d1->w_msg_hdr.seq; - frag->msg_header.type = s->d1->w_msg_hdr.type; - frag->msg_header.frag_off = 0; - frag->msg_header.frag_len = s->d1->w_msg_hdr.msg_len; - frag->msg_header.is_ccs = is_ccs; - - pq_64bit_init(&seq64); - pq_64bit_assign_word(&seq64, frag->msg_header.seq); - - item = pitem_new(seq64, frag); - pq_64bit_free(&seq64); - if ( item == NULL) - { - dtls1_hm_fragment_free(frag); - return 0; - } + /* this function is called immediately after a message has + * been serialized */ + OPENSSL_assert(s->init_off == 0); + + frag = dtls1_hm_fragment_new(s->init_num); + + memcpy(frag->fragment, s->init_buf->data, s->init_num); + + if ( is_ccs) + { + OPENSSL_assert(s->d1->w_msg_hdr.msg_len + + DTLS1_CCS_HEADER_LENGTH <= (unsigned int)s->init_num); + } + else + { + OPENSSL_assert(s->d1->w_msg_hdr.msg_len + + DTLS1_HM_HEADER_LENGTH == (unsigned int)s->init_num); + } + + frag->msg_header.msg_len = s->d1->w_msg_hdr.msg_len; + frag->msg_header.seq = s->d1->w_msg_hdr.seq; + frag->msg_header.type = s->d1->w_msg_hdr.type; + frag->msg_header.frag_off = 0; + frag->msg_header.frag_len = s->d1->w_msg_hdr.msg_len; + frag->msg_header.is_ccs = is_ccs; + + pq_64bit_init(&seq64); + pq_64bit_assign_word(&seq64, frag->msg_header.seq); + + item = pitem_new(seq64, frag); + pq_64bit_free(&seq64); + if ( item == NULL) + { + dtls1_hm_fragment_free(frag); + return 0; + } #if 0 - fprintf( stderr, "buffered messge: \ttype = %xx\n", msg_buf->type); - fprintf( stderr, "\t\t\t\t\tlen = %d\n", msg_buf->len); - fprintf( stderr, "\t\t\t\t\tseq_num = %d\n", msg_buf->seq_num); + fprintf( stderr, "buffered messge: \ttype = %xx\n", msg_buf->type); + fprintf( stderr, "\t\t\t\t\tlen = %d\n", msg_buf->len); + fprintf( stderr, "\t\t\t\t\tseq_num = %d\n", msg_buf->seq_num); #endif - pqueue_insert(s->d1->sent_messages, item); - return 1; - } + pqueue_insert(s->d1->sent_messages, item); + return 1; + } 
int dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off, - int *found) - { - int ret; - /* XDTLS: for now assuming that read/writes are blocking */ - pitem *item; - hm_fragment *frag ; - unsigned long header_length; + int *found) + { + int ret; + /* XDTLS: for now assuming that read/writes are blocking */ + pitem *item; + hm_fragment *frag ; + unsigned long header_length; PQ_64BIT seq64; - /* - OPENSSL_assert(s->init_num == 0); - OPENSSL_assert(s->init_off == 0); - */ - - /* XDTLS: the requested message ought to be found, otherwise error */ - pq_64bit_init(&seq64); - pq_64bit_assign_word(&seq64, seq); - - item = pqueue_find(s->d1->sent_messages, seq64); - pq_64bit_free(&seq64); - if ( item == NULL) - { - fprintf(stderr, "retransmit: message %d non-existant\n", seq); - *found = 0; - return 0; - } - - *found = 1; - frag = (hm_fragment *)item->data; - - if ( frag->msg_header.is_ccs) - header_length = DTLS1_CCS_HEADER_LENGTH; - else - header_length = DTLS1_HM_HEADER_LENGTH; - - memcpy(s->init_buf->data, frag->fragment, - frag->msg_header.msg_len + header_length); - s->init_num = frag->msg_header.msg_len + header_length; - - dtls1_set_message_header_int(s, frag->msg_header.type, - frag->msg_header.msg_len, frag->msg_header.seq, 0, - frag->msg_header.frag_len); - - s->d1->retransmitting = 1; - ret = dtls1_do_write(s, frag->msg_header.is_ccs ? 
- SSL3_RT_CHANGE_CIPHER_SPEC : SSL3_RT_HANDSHAKE); - s->d1->retransmitting = 0; - - BIO_flush(SSL_get_wbio(s)); - return ret; - } + /* + OPENSSL_assert(s->init_num == 0); + OPENSSL_assert(s->init_off == 0); + */ + + /* XDTLS: the requested message ought to be found, otherwise error */ + pq_64bit_init(&seq64); + pq_64bit_assign_word(&seq64, seq); + + item = pqueue_find(s->d1->sent_messages, seq64); + pq_64bit_free(&seq64); + if ( item == NULL) + { + fprintf(stderr, "retransmit: message %d non-existant\n", seq); + *found = 0; + return 0; + } + + *found = 1; + frag = (hm_fragment *)item->data; + + if ( frag->msg_header.is_ccs) + header_length = DTLS1_CCS_HEADER_LENGTH; + else + header_length = DTLS1_HM_HEADER_LENGTH; + + memcpy(s->init_buf->data, frag->fragment, + frag->msg_header.msg_len + header_length); + s->init_num = frag->msg_header.msg_len + header_length; + + dtls1_set_message_header_int(s, frag->msg_header.type, + frag->msg_header.msg_len, frag->msg_header.seq, 0, + frag->msg_header.frag_len); + + s->d1->retransmitting = 1; + ret = dtls1_do_write(s, frag->msg_header.is_ccs ? 
+ SSL3_RT_CHANGE_CIPHER_SPEC : SSL3_RT_HANDSHAKE); + s->d1->retransmitting = 0; + + (void)BIO_flush(SSL_get_wbio(s)); + return ret; + } /* call this function when the buffered messages are no longer needed */ void dtls1_clear_record_buffer(SSL *s) - { - pitem *item; - - for(item = pqueue_pop(s->d1->sent_messages); - item != NULL; item = pqueue_pop(s->d1->sent_messages)) - { - dtls1_hm_fragment_free((hm_fragment *)item->data); - pitem_free(item); - } - } + { + pitem *item; + + for(item = pqueue_pop(s->d1->sent_messages); + item != NULL; item = pqueue_pop(s->d1->sent_messages)) + { + dtls1_hm_fragment_free((hm_fragment *)item->data); + pitem_free(item); + } + } unsigned char * dtls1_set_message_header(SSL *s, unsigned char *p, unsigned char mt, - unsigned long len, unsigned long frag_off, unsigned long frag_len) - { - if ( frag_off == 0) - { - s->d1->handshake_write_seq = s->d1->next_handshake_write_seq; - s->d1->next_handshake_write_seq++; - } - - dtls1_set_message_header_int(s, mt, len, s->d1->handshake_write_seq, - frag_off, frag_len); - - return p += DTLS1_HM_HEADER_LENGTH; - } + unsigned long len, unsigned long frag_off, unsigned long frag_len) + { + if ( frag_off == 0) + { + s->d1->handshake_write_seq = s->d1->next_handshake_write_seq; + s->d1->next_handshake_write_seq++; + } + + dtls1_set_message_header_int(s, mt, len, s->d1->handshake_write_seq, + frag_off, frag_len); + + return p += DTLS1_HM_HEADER_LENGTH; + } /* don't actually do the writing, wait till the MTU has been retrieved */ static void dtls1_set_message_header_int(SSL *s, unsigned char mt, - unsigned long len, unsigned short seq_num, unsigned long frag_off, - unsigned long frag_len) - { - struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; - - msg_hdr->type = mt; - msg_hdr->msg_len = len; - msg_hdr->seq = seq_num; - msg_hdr->frag_off = frag_off; - msg_hdr->frag_len = frag_len; -} + unsigned long len, unsigned short seq_num, unsigned long frag_off, + unsigned long frag_len) + { + struct hm_header_st 
*msg_hdr = &s->d1->w_msg_hdr; + + msg_hdr->type = mt; + msg_hdr->msg_len = len; + msg_hdr->seq = seq_num; + msg_hdr->frag_off = frag_off; + msg_hdr->frag_len = frag_len; + } static void dtls1_fix_message_header(SSL *s, unsigned long frag_off, - unsigned long frag_len) - { - struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; - - msg_hdr->frag_off = frag_off; - msg_hdr->frag_len = frag_len; - } + unsigned long frag_len) + { + struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; + + msg_hdr->frag_off = frag_off; + msg_hdr->frag_len = frag_len; + } static unsigned char * dtls1_write_message_header(SSL *s, unsigned char *p) - { - struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; - - *p++ = msg_hdr->type; - l2n3(msg_hdr->msg_len, p); - - s2n(msg_hdr->seq, p); - l2n3(msg_hdr->frag_off, p); - l2n3(msg_hdr->frag_len, p); - - return p; - } + { + struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; + + *p++ = msg_hdr->type; + l2n3(msg_hdr->msg_len, p); + + s2n(msg_hdr->seq, p); + l2n3(msg_hdr->frag_off, p); + l2n3(msg_hdr->frag_len, p); + + return p; + } static unsigned int dtls1_min_mtu(void) - { - return - g_probable_mtu[(sizeof(g_probable_mtu) / - sizeof(g_probable_mtu[0])) - 1]; - } + { + return (g_probable_mtu[(sizeof(g_probable_mtu) / + sizeof(g_probable_mtu[0])) - 1]); + } static unsigned int dtls1_guess_mtu(unsigned int curr_mtu) 
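Review bot: In dtls1_buffer_message the result of `dtls1_hm_fragment_new(s->init_num)` goes straight into `memcpy(frag->fragment, ...)` with no NULL check, so an allocation failure becomes a NULL dereference; the re-indented code keeps this. Add `if (frag == NULL) return 0;` right after the allocation, matching the `return 0` already used when `pitem_new` fails. Separately, the CCS assertion is relaxed to `<=`, but dtls1_retransmit_message still copies `frag->msg_header.msg_len + header_length` bytes, so when `s->init_num` was larger than that at buffering time the retransmitted CCS appears to be shorter than the original; this should be confirmed against the DTLS1_BAD_VER path.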
@@ -1237,27 +1203,26 @@ for ( i = 0; i < sizeof(g_probable_mtu)/sizeof(g_probable_mtu[0]); i++) if ( curr_mtu > g_probable_mtu[i]) return g_probable_mtu[i]; - + return curr_mtu; } void dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr) - { - memset(msg_hdr, 0x00, sizeof(struct hm_header_st)); - msg_hdr->type = *(data++); - n2l3(data, msg_hdr->msg_len); - - n2s(data, msg_hdr->seq); - n2l3(data, msg_hdr->frag_off); - n2l3(data, msg_hdr->frag_len); - } + { + memset(msg_hdr, 0x00, sizeof(struct hm_header_st)); + msg_hdr->type = *(data++); + n2l3(data, msg_hdr->msg_len); + + n2s(data, msg_hdr->seq); + n2l3(data, msg_hdr->frag_off); + n2l3(data, msg_hdr->frag_len); + } void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr) - { - memset(ccs_hdr, 0x00, sizeof(struct ccs_header_st)); - - ccs_hdr->type = *(data++); - n2s(data, ccs_hdr->seq); -} + { + memset(ccs_hdr, 0x00, sizeof(struct ccs_header_st)); + + ccs_hdr->type = *(data++); + } --- openssl-0.9.8a.orig/ssl/ssl.h +++ openssl-0.9.8a/ssl/ssl.h @@ -1572,6 +1572,7 @@ #define SSL_F_DTLS1_SEND_SERVER_HELLO 1022 #define SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE 1023 #define SSL_F_DTLS1_WRITE_APP_DATA_BYTES 1024 +#define SSL_F_DTLS1_PREPROCESS_FRAGMENT 1028 #define SSL_F_GET_CLIENT_FINISHED 105 #define SSL_F_GET_CLIENT_HELLO 106 #define SSL_F_GET_CLIENT_MASTER_KEY 107 --- openssl-0.9.8a.orig/ssl/s2_clnt.c +++ openssl-0.9.8a/ssl/s2_clnt.c @@ -520,7 +520,8 @@ CRYPTO_add(&s->session->peer->references, 1, CRYPTO_LOCK_X509); } - if (s->session->peer != s->session->sess_cert->peer_key->x509) + if (s->session->sess_cert == NULL + || s->session->peer != s->session->sess_cert->peer_key->x509) /* can't happen */ { ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); 
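Review bot: In the s2_clnt.c hunk the condition now treats `s->session->sess_cert == NULL` as reachable, yet the trailing `/* can't happen */` comment is unchanged and contradicts the new guard. Reword it to say when the branch is taken, e.g. `/* no session certificate data, or it does not match the session peer */`. `sess_cert->peer_key` is still dereferenced without a check; whether it can be NULL once sess_cert is set is not visible here and should be confirmed. The enclosing function starts and ends outside the hunk.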
@@ -1043,7 +1044,7 @@ i=ssl_verify_cert_chain(s,sk); - if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)) + if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)) { SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); goto err; --- openssl-0.9.8a.orig/ssl/s2_srvr.c +++ openssl-0.9.8a/ssl/s2_srvr.c @@ -1054,7 +1054,7 @@ i=ssl_verify_cert_chain(s,sk); - if (i) /* we like the packet, now check the chksum */ + if (i > 0) /* we like the packet, now check the chksum */ { EVP_MD_CTX ctx; EVP_PKEY *pkey=NULL; @@ -1083,7 +1083,7 @@ EVP_PKEY_free(pkey); EVP_MD_CTX_cleanup(&ctx); - if (i) + if (i > 0) { if (s->session->peer != NULL) X509_free(s->session->peer); --- openssl-0.9.8a.orig/ssl/dtls1.h +++ openssl-0.9.8a/ssl/dtls1.h @@ -67,9 +67,8 @@ extern "C" { #endif -#define DTLS1_VERSION 0x0100 -#define DTLS1_VERSION_MAJOR 0x01 -#define DTLS1_VERSION_MINOR 0x00 +#define DTLS1_VERSION 0xFEFF +#define DTLS1_BAD_VER 0x0100 #define DTLS1_AD_MISSING_HANDSHAKE_MESSAGE 110 @@ -83,7 +82,7 @@ #define DTLS1_HM_BAD_FRAGMENT -2 #define DTLS1_HM_FRAGMENT_RETRY -3 -#define DTLS1_CCS_HEADER_LENGTH 3 +#define DTLS1_CCS_HEADER_LENGTH 1 #define DTLS1_AL_HEADER_LENGTH 7 --- openssl-0.9.8a.orig/VMS/VMSify-conf.pl +++ openssl-0.9.8a/VMS/VMSify-conf.pl @@ -1,4 +1,4 @@ -#! /usr/bin/perl +#!/usr/local/bin/perl use strict; use warnings; --- openssl-0.9.8a.orig/Makefile +++ openssl-0.9.8a/Makefile 
@@ -11,11 +11,11 @@ SHLIB_VERSION_HISTORY= SHLIB_MAJOR=0 SHLIB_MINOR=9.8 -SHLIB_EXT= -PLATFORM=dist -OPTIONS= no-gmp no-krb5 no-mdc2 no-rc5 no-shared no-zlib no-zlib-dynamic -CONFIGURE_ARGS=dist -SHLIB_TARGET= +SHLIB_EXT=.so.$(SHLIB_MAJOR).$(SHLIB_MINOR) +PLATFORM=debian-amd64 +OPTIONS=--prefix=/usr --openssldir=/usr/lib/ssl enable-zlib no-gmp no-idea no-krb5 no-mdc2 no-rc5 no-shared no-zlib-dynamic +CONFIGURE_ARGS=--prefix=/usr --openssldir=/usr/lib/ssl no-idea no-mdc2 no-rc5 zlib debian-amd64 +SHLIB_TARGET=linux-shared # HERE indicates where this Makefile lives. This can be used to indicate # where sub-Makefiles are expected to be. Currently has very limited usage, @@ -26,10 +26,10 @@ # for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/. # Normally it is left empty. INSTALL_PREFIX= -INSTALLTOP=/usr/local/ssl +INSTALLTOP=/usr # Do not edit this manually. Use Configure --openssldir=DIR do change this! -OPENSSLDIR=/usr/local/ssl +OPENSSLDIR=/usr/lib/ssl # NO_IDEA - Define to build without the IDEA algorithm # NO_RC4 - Define to build without the RC4 algorithm @@ -59,19 +59,19 @@ # equal 4. # PKCS1_CHECK - pkcs1 tests. -CC= cc -CFLAG= -O -DEPFLAG= -DOPENSSL_NO_GMP -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 +CC= gcc +CFLAG= -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DMD32_REG_T=int -DMD5_ASM +DEPFLAG= -DOPENSSL_NO_GMP -DOPENSSL_NO_IDEA -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 PEX_LIBS= -EX_LIBS= +EX_LIBS= -ldl -lz EXE_EXT= ARFLAGS= AR=ar $(ARFLAGS) r RANLIB= /usr/bin/ranlib -PERL= /usr/local/bin/perl +PERL= /usr/bin/perl TAR= tar TARFLAGS= --no-recursion -MAKEDEPPROG=makedepend +MAKEDEPPROG= gcc # We let the C compiler driver to take care of .s files. This is done in # order to be excused from maintaining a separate set of architecture 
@@ -86,15 +86,15 @@ PROCESSOR= # CPUID module collects small commonly used assembler snippets -CPUID_OBJ= -BN_ASM= bn_asm.o +CPUID_OBJ= x86_64cpuid.o +BN_ASM= x86_64-gcc.o DES_ENC= des_enc.o fcrypt_b.o AES_ASM_OBJ= aes_core.o aes_cbc.o BF_ENC= bf_enc.o CAST_ENC= c_enc.o RC4_ENC= rc4_enc.o RC5_ENC= rc5_enc.o -MD5_ASM_OBJ= +MD5_ASM_OBJ= md5-x86_64.o SHA1_ASM_OBJ= RMD160_ASM_OBJ= @@ -102,14 +102,14 @@ KRB5_INCLUDES= LIBKRB5= -DIRS= crypto ssl engines apps test tools +DIRS= crypto ssl engines apps tools SHLIBDIRS= crypto ssl # dirs in crypto to build SDIRS= \ objects \ md2 md4 md5 sha hmac ripemd \ - des aes rc2 rc4 idea bf cast \ + des aes rc2 rc4 bf cast \ bn ec rsa dsa ecdsa dh ecdh dso engine \ buffer bio stack lhash rand err \ evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \ @@ -123,10 +123,10 @@ MAKEFILE= Makefile -MANDIR=$(OPENSSLDIR)/man +MANDIR=/usr/share/man MAN1=1 MAN3=3 -MANSUFFIX= +MANSUFFIX=ssl SHELL=/bin/sh TOP= . @@ -137,8 +137,8 @@ SHARED_CRYPTO=libcrypto$(SHLIB_EXT) SHARED_SSL=libssl$(SHLIB_EXT) SHARED_LIBS= -SHARED_LIBS_LINK_EXTS= -SHARED_LDFLAGS= +SHARED_LIBS_LINK_EXTS=.so +SHARED_LDFLAGS=-m64 -Wl,--version-script=openssl.ld GENERAL= Makefile BASENAME= openssl @@ -289,7 +289,8 @@ echo 'Description: OpenSSL cryptography library'; \ echo 'Version: '$(VERSION); \ echo 'Requires: '; \ - echo 'Libs: -L$${libdir} -lcrypto $(EX_LIBS)'; \ + echo 'Libs: -L$${libdir} -lcrypto'; \ + echo 'Libs.private: $(EX_LIBS)'; \ echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc libssl.pc: Makefile @@ -302,7 +303,8 @@ echo 'Description: Secure Sockets Layer and cryptography libraries'; \ echo 'Version: '$(VERSION); \ echo 'Requires: '; \ - echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \ + echo 'Libs: -L$${libdir} -lssl'; \ + echo 'Libs.private: -lcrypto $(EX_LIBS)'; \ echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc openssl.pc: Makefile 
@@ -315,7 +317,8 @@ echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \ echo 'Version: '$(VERSION); \ echo 'Requires: '; \ - echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \ + echo 'Libs: -L$${libdir} -lssl -lcrypto'; \ + echo 'Libs.private: $(EX_LIBS)'; \ echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc Makefile: Makefile.org Configure config @@ -459,7 +462,7 @@ install_sw: @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \ $(INSTALL_PREFIX)$(INSTALLTOP)/lib \ - $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines \ + $(INSTALL_PREFIX)$(INSTALLTOP)/lib/ssl/engines \ $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig \ $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \ $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \ --- openssl-0.9.8a.orig/os2/backwardify.pl +++ openssl-0.9.8a/os2/backwardify.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl -w +#!/usr/local/bin/perl use strict; # Use as $0 --- openssl-0.9.8a.orig/openssl.ld +++ openssl-0.9.8a/openssl.ld @@ -0,0 +1,5 @@ +OPENSSL_0.9.8 { + global: + *; +}; + --- openssl-0.9.8a.orig/Netware/do_tests.pl +++ openssl-0.9.8a/Netware/do_tests.pl @@ -1,4 +1,4 @@ -# perl script to run OpenSSL tests +#!/usr/local/bin/perl my $base_path = "\\openssl"; --- openssl-0.9.8a.orig/demos/tunala/configure.in +++ openssl-0.9.8a/demos/tunala/configure.in @@ -1,4 +1,4 @@ -dnl Process this file with autoconf to produce a configure script. +#!/usr/local/bin/perl AC_INIT(tunala.c) AM_CONFIG_HEADER(config.h) AM_INIT_AUTOMAKE(tunala, 0.0.1-dev) --- openssl-0.9.8a.orig/ms/uplink.pl +++ openssl-0.9.8a/ms/uplink.pl @@ -1,4 +1,4 @@ -#!/usr/bin/env perl +#!/usr/local/bin/perl # # For Microsoft CL this is implemented as inline assembler. So that # even though this script can generate even Win32 code, we'll be --- openssl-0.9.8a.orig/util/extract-names.pl +++ openssl-0.9.8a/util/extract-names.pl 
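Review bot: In the demos/tunala/configure.in hunk the added first line `#!/usr/local/bin/perl` replaces the `dnl` comment of an autoconf input file, which is m4 input and not a Perl script. The line should stay `dnl Process this file with autoconf to produce a configure script.`. The same rewrite replaces descriptive header comments in the Netware/do_tests.pl and util/pl/netware.pl hunks, and it drops `-w` from the shebang in os2/backwardify.pl, util/mkstack.pl, util/selftest.pl, util/clean-depend.pl, util/mkdef.pl and util/mkerr.pl, which turns off Perl warnings for those scripts. These look like the by-product of an in-tree path-rewriting step rather than intended edits, so they are better excluded from the patch.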
@@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/local/bin/perl $/ = ""; # Eat a paragraph at once. while() { --- openssl-0.9.8a.orig/util/mkstack.pl +++ openssl-0.9.8a/util/mkstack.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl -w +#!/usr/local/bin/perl # This is a utility that searches out "DECLARE_STACK_OF()" # declarations in .h and .c files, and updates/creates/replaces --- openssl-0.9.8a.orig/util/pl/netware.pl +++ openssl-0.9.8a/util/pl/netware.pl @@ -1,4 +1,4 @@ -# Metrowerks Codewarrior for NetWare +#!/usr/local/bin/perl # # The import files and other misc imports needed to link --- openssl-0.9.8a.orig/util/extract-section.pl +++ openssl-0.9.8a/util/extract-section.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/local/bin/perl while() { if (/=for\s+comment\s+openssl_manual_section:(\S+)/) --- openssl-0.9.8a.orig/util/selftest.pl +++ openssl-0.9.8a/util/selftest.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl -w +#!/usr/local/bin/perl # # Run the test suite and generate a report # --- openssl-0.9.8a.orig/util/clean-depend.pl +++ openssl-0.9.8a/util/clean-depend.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl -w +#!/usr/local/bin/perl # Clean the dependency list in a makefile of standard includes... # Written by Ben Laurie 19 Jan 1999 --- openssl-0.9.8a.orig/util/pod2man.pl +++ openssl-0.9.8a/util/pod2man.pl @@ -1,4 +1,4 @@ -: #!/usr/bin/perl-5.005 +#!/usr/local/bin/perl eval 'exec /usr/bin/perl -S $0 ${1+"$@"}' if $running_under_some_shell; --- openssl-0.9.8a.orig/util/mkdef.pl +++ openssl-0.9.8a/util/mkdef.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl -w +#!/usr/local/bin/perl # # generate a .def file # --- openssl-0.9.8a.orig/util/mkerr.pl +++ openssl-0.9.8a/util/mkerr.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl -w +#!/usr/local/bin/perl my $config = "crypto/err/openssl.ec"; my $debug = 0; --- openssl-0.9.8a.orig/engines/Makefile +++ openssl-0.9.8a/engines/Makefile 
@@ -91,12 +91,12 @@ for l in $(LIBNAMES); do \ ( echo installing $$l; \ if [ "$(PLATFORM)" != "Cygwin" ]; then \ - cp lib$$l.so $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.so.new; \ + cp lib$$l.so $(INSTALL_PREFIX)$(INSTALLTOP)/lib/ssl/engines/lib$$l.so.new; \ else \ cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.so.new; \ fi; \ - chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.so.new; \ - mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.so.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.so ); \ + chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/ssl/engines/lib$$l.so.new; \ + mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/ssl/engines/lib$$l.so.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/ssl/engines/lib$$l.so ); \ done; \ fi --- openssl-0.9.8a.orig/engines/openssl.ld +++ openssl-0.9.8a/engines/openssl.ld @@ -0,0 +1,5 @@ +OPENSSL_0.9.8 { + global: + *; +}; + --- openssl-0.9.8a.orig/Makefile.org +++ openssl-0.9.8a/Makefile.org @@ -100,7 +100,7 @@ KRB5_INCLUDES= LIBKRB5= -DIRS= crypto ssl engines apps test tools +DIRS= crypto ssl engines apps tools SHLIBDIRS= crypto ssl # dirs in crypto to build @@ -121,10 +121,10 @@ MAKEFILE= Makefile -MANDIR=$(OPENSSLDIR)/man +MANDIR=/usr/share/man MAN1=1 MAN3=3 -MANSUFFIX= +MANSUFFIX=ssl SHELL=/bin/sh TOP= . @@ -287,7 +287,8 @@ echo 'Description: OpenSSL cryptography library'; \ echo 'Version: '$(VERSION); \ echo 'Requires: '; \ - echo 'Libs: -L$${libdir} -lcrypto $(EX_LIBS)'; \ + echo 'Libs: -L$${libdir} -lcrypto'; \ + echo 'Libs.private: $(EX_LIBS)'; \ echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc libssl.pc: Makefile @@ -300,7 +301,8 @@ echo 'Description: Secure Sockets Layer and cryptography libraries'; \ echo 'Version: '$(VERSION); \ echo 'Requires: '; \ - echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \ + echo 'Libs: -L$${libdir} -lssl'; \ + echo 'Libs.private: -lcrypto $(EX_LIBS)'; \ echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc openssl.pc: Makefile 
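Review bot: In the engines/Makefile hunk the Cygwin branch still copies to `$(INSTALLTOP)/lib/engines/lib$$l.so.new`, while the `chmod` and `mv` that follow now operate on `lib/ssl/engines`, so on that platform the install would chmod and rename a file that was never written. The `cp cyg$$l.dll` line needs the same path change: `cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/lib/ssl/engines/lib$$l.so.new; \`. The install path has to stay in step with the `ENGINESDIR` value that Configure writes, because that is the directory engine modules are loaded from. The enclosing rule begins above the hunk.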
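Review bot: Dropping `test` from `DIRS` in the first Makefile.org hunk removes the test programs from the default build in the same patch that changes the assembler selection and the DTLS constants. Those changes then get no self-test coverage unless the packaging runs the suite separately, which is not visible here. Keep `DIRS= crypto ssl engines apps test tools`, or add a comment on the line naming where the suite is run instead. The generated Makefile hunk carries the same change.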
@@ -313,7 +315,8 @@ echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \ echo 'Version: '$(VERSION); \ echo 'Requires: '; \ - echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \ + echo 'Libs: -L$${libdir} -lssl -lcrypto'; \ + echo 'Libs.private: $(EX_LIBS)'; \ echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc Makefile: Makefile.org Configure config @@ -457,7 +460,7 @@ install_sw: @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \ $(INSTALL_PREFIX)$(INSTALLTOP)/lib \ - $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines \ + $(INSTALL_PREFIX)$(INSTALLTOP)/lib/ssl/engines \ $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig \ $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \ $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \ --- openssl-0.9.8a.orig/Configure +++ openssl-0.9.8a/Configure @@ -1,4 +1,4 @@ -: +#!/usr/local/bin/perl eval 'exec perl -S $0 ${1+"$@"}' if $running_under_some_shell; ## @@ -118,7 +118,8 @@ my $x86_coff_asm="x86cpuid-cof.o:bn86-cof.o co86-cof.o:dx86-cof.o yx86-cof.o:ax86-cof.o:bx86-cof.o:mx86-cof.o:sx86-cof.o s512sse2-cof.o:cx86-cof.o:rx86-cof.o:rm86-cof.o:r586-cof.o"; my $x86_out_asm="x86cpuid-out.o:bn86-out.o co86-out.o:dx86-out.o yx86-out.o:ax86-out.o:bx86-out.o:mx86-out.o:sx86-out.o s512sse2-out.o:cx86-out.o:rx86-out.o:rm86-out.o:r586-out.o"; -my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o::::md5-x86_64.o:::rc4-x86_64.o::"; +#my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o::::md5-x86_64.o:::rc4-x86_64.o::"; +my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o::::md5-x86_64.o:::::"; my $ia64_asm=":bn-ia64.o::aes_core.o aes_cbc.o aes-ia64.o:::sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o::"; my $no_asm="::::::::::"; 
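Review bot: In the Configure hunk at `$x86_64_asm` the previous value is left behind as a commented-out line, with no reason given for dropping `rc4-x86_64.o`. Replace it with a why-comment so that the next merge from upstream does not silently re-enable the module, e.g. `# rc4-x86_64.o left out: <reason>; RC4 then uses the C implementation`. The same applies to the commented-out `s/^SHARED_LIBS_LINK_EXTS=.../` line in a later hunk of this file.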
@@ -308,6 +309,44 @@ "osf1-alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${no_asm}:dlfcn:alpha-osf1-shared:::.so", "tru64-alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${no_asm}:dlfcn:alpha-osf1-shared::-msym:.so", +# Debian GNU/* (various architectures) +"debian-alpha","gcc:-DTERMIO -O3 -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-alpha-ev4","gcc:-DTERMIO -O3 -mcpu=ev4 -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-alpha-ev5","gcc:-DTERMIO -O3 -mcpu=ev5 -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-arm","gcc:-DL_ENDIAN -DTERMIO -O2 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-armeb","gcc:-DB_ENDIAN -DTERMIO -O2 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +#"debian-amd64","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-amd64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +#"debian-freebsd-alpha","gcc:-DTERMIOS -O -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 
+"debian-kfreebsd-i386","gcc:-DL_ENDIAN -DTERMIOS -O3 -g -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-hppa","gcc:-DB_ENDIAN -DTERMIO -O2 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG MD2_CHAR RC4_INDEX::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-hurd-i386","gcc:-DL_ENDIAN -DTERMIOS -O3 -g -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-ia64","gcc:-DTERMIO -O3 -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +#"debian-i386","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC", +"debian-i386","gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-i386-i486","gcc:-DL_ENDIAN -DTERMIO -O3 -march=i486 -mcpu=i486 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-i386-i586","gcc:-DL_ENDIAN -DTERMIO -O3 -march=i586 -mcpu=i586 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-i386-i686/cmov","gcc:-DL_ENDIAN -DTERMIO -O3 -march=i686 -mcpu=i686 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-m68k","gcc:-DB_ENDIAN -DTERMIO -O2 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG MD2_CHAR 
RC4_INDEX::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-mips", "gcc:-DB_ENDIAN -DTERMIO -O3 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-mipsel", "gcc:-DL_ENDIAN -DTERMIO -O3 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-netbsd-i386", "gcc:-DL_ENDIAN -DTERMIOS -O3 -g -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-netbsd-m68k", "gcc:-DB_ENDIAN -DTERMIOS -O3 -g -Wall::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-netbsd-sparc", "gcc:-DB_ENDIAN -DTERMIOS -O3 -g -mv8 -Wall::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-openbsd-alpha","gcc:-DTERMIOS -O3 -g::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2::::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-openbsd-i386", "gcc:-DL_ENDIAN -DTERMIOS -O3 -g -m486::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-openbsd-mips","gcc:-O2 -g -DL_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR:::::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-powerpc","gcc:-DB_ENDIAN -DTERMIO -O3 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_UNROLL DES_RISC2 DES_PTR MD2_CHAR RC4_INDEX::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG 
RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-sh4eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + #### #### Variety of LINUX:-) #### 
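Review bot: `-Wa,--noexecstack` is passed only for debian-amd64 and the debian-i386* entries, yet several other entries in this hunk also link hand-written assembler: debian-kfreebsd-i386 and debian-hurd-i386 (`${x86_elf_asm}`), debian-ia64 (`${ia64_asm}`), debian-powerpc, debian-ppc64 and the debian-sparc-v8/v9 entries. If those assembler sources carry no stack note of their own, the resulting libraries may be marked as needing an executable stack, which weakens a basic memory-protection setting; whether that happens depends on sources and toolchain that are not shown. Add the flag to every entry that names an assembler object, or state in a comment why it is limited to x86. The `-m486` option in the kfreebsd, hurd, netbsd and openbsd i386 entries is also an obsolete GCC spelling; the debian-i386-i486 entry in the same table already uses `-march=i486`.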
@@ -476,7 +515,7 @@ # Cygwin "Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32", "Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_coff_asm}:dlfcn:cygwin-shared:-D_WINDLL:-shared:.dll.a", -"debug-Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror:::CYGWIN32:::${no_asm}:dlfcn:cygwin-shared:-D_WINDLL:-shared:.dll.a", +-"debug-Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror:::CYGWIN32:::${no_asm}:dlfcn:cygwin-shared:-D_WINDLL:-shared:.dll.a", # NetWare from David Ward (dsward@novell.com) - requires MetroWerks NLM development tools # netware-clib => legacy CLib c-runtime support @@ -1243,6 +1282,8 @@ $shlib_minor=$2; } +$shared_ldflag .= " -Wl,--version-script=openssl.ld"; + open(IN,'$Makefile.new") || die "unable to create $Makefile.new:$!\n"; @@ -1311,7 +1352,8 @@ elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/) { my $sotmp = $1; - s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/; +# s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/; + s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp/; } elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/) { 
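Review bot: In the Cygwin hunk the added line begins with a literal `-` in front of `"debug-Cygwin"`, which looks like a leftover diff marker rather than an intended edit. Perl would parse it as unary minus applied to the string, so the table key would most likely become `-debug-Cygwin` and the `debug-Cygwin` target would no longer be found. The entry should be left as it was, starting `"debug-Cygwin", "gcc:-DTERMIOS` with no leading dash.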
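Review bot: `--version-script=openssl.ld` is appended to `$shared_ldflag` for every target, not only the debian-* entries added earlier, and it is a GNU ld option given as a path relative to the link directory. Non-GNU targets in the same table (the `cc`-based OSF/Tru64 entries are visible in an earlier hunk) would receive a flag their linker may not accept. Each directory that links a shared object also needs its own copy of `openssl.ld`, which is presumably why the patch adds a second one under engines/. Guard the line, for example `$shared_ldflag .= " -Wl,--version-script=openssl.ld" if $target =~ /^debian-/;`, assuming `$target` holds the selected entry name at this point (confirm).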
@@ -1430,7 +1472,7 @@ if (/^#define\s+OPENSSLDIR/) { print OUT "#define OPENSSLDIR \"$openssldir\"\n"; } elsif (/^#define\s+ENGINESDIR/) - { print OUT "#define ENGINESDIR \"$prefix/lib/engines\"\n"; } + { print OUT "#define ENGINESDIR \"$prefix/lib/ssl/engines\"\n"; } elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/) { printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n" if $export_var_as_fn; --- openssl-0.9.8a.orig/apps/verify.c +++ openssl-0.9.8a/apps/verify.c @@ -266,7 +266,7 @@ ret=0; end: - if (i) + if (i > 0) { fprintf(stdout,"OK\n"); ret=1; @@ -367,4 +367,3 @@ ERR_clear_error(); return(ok); } - --- openssl-0.9.8a.orig/apps/spkac.c +++ openssl-0.9.8a/apps/spkac.c @@ -285,7 +285,7 @@ pkey = NETSCAPE_SPKI_get_pubkey(spki); if(verify) { i = NETSCAPE_SPKI_verify(spki, pkey); - if(i) BIO_printf(bio_err, "Signature OK\n"); + if (i > 0) BIO_printf(bio_err, "Signature OK\n"); else { BIO_printf(bio_err, "Signature Failure\n"); ERR_print_errors(bio_err); --- openssl-0.9.8a.orig/apps/CA.pl.in +++ openssl-0.9.8a/apps/CA.pl.in @@ -65,6 +65,7 @@ foreach (@ARGV) { if ( /^(-\?|-h|-help)$/ ) { print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; + print STDERR "usage: CA -signcert certfile keyfile|-newcert|-newreq|-newca|-sign|-verify\n"; exit 0; } elsif (/^-newcert$/) { # create a certificate @@ -161,6 +162,7 @@ } else { print STDERR "Unknown arg $_\n"; print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; + print STDERR "usage: CA -signcert certfile keyfile|-newcert|-newreq|-newca|-sign|-verify\n"; exit 1; } } --- openssl-0.9.8a.orig/apps/x509.c +++ openssl-0.9.8a/apps/x509.c 
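Review bot: In the apps/CA.pl.in hunks the help and error branches now print two `usage:` lines that disagree: the added one advertises `-signcert certfile keyfile` but omits `-newreq-nodes`, which the line above it still lists. Nothing in these hunks shows a `-signcert` branch in the option loop, so if the option is not handled elsewhere the help text advertises something the script rejects as `Unknown arg`. Fold both into one line, `print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-signcert certfile keyfile|-verify\n";`, in both hunks of this file and in the two apps/CA.pl hunks.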
@@ -1144,7 +1144,7 @@ /* NOTE: this certificate can/should be self signed, unless it was * a certificate request in which case it is not. */ X509_STORE_CTX_set_cert(&xsc,x); - if (!reqfile && !X509_verify_cert(&xsc)) + if (!reqfile && X509_verify_cert(&xsc) <= 0) goto end; if (!X509_check_private_key(xca,pkey)) --- openssl-0.9.8a.orig/apps/CA.pl +++ openssl-0.9.8a/apps/CA.pl @@ -65,6 +65,7 @@ foreach (@ARGV) { if ( /^(-\?|-h|-help)$/ ) { print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; + print STDERR "usage: CA -signcert certfile keyfile|-newcert|-newreq|-newca|-sign|-verify\n"; exit 0; } elsif (/^-newcert$/) { # create a certificate @@ -161,6 +162,7 @@ } else { print STDERR "Unknown arg $_\n"; print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; + print STDERR "usage: CA -signcert certfile keyfile|-newcert|-newreq|-newca|-sign|-verify\n"; exit 1; } } --- openssl-0.9.8a.orig/apps/speed.c +++ openssl-0.9.8a/apps/speed.c @@ -1937,7 +1937,7 @@ { ret=RSA_verify(NID_md5_sha1, buf,36, buf2, rsa_num, rsa_key[j]); - if (ret == 0) + if (ret <= 0) { BIO_printf(bio_err, "RSA verify failure\n");