SF.net SVN: gar:[23382] csw/mgar/pkg/openssl1/trunk
wahwah at users.sourceforge.net
wahwah at users.sourceforge.net
Tue Apr 8 17:58:39 CEST 2014
Revision: 23382
http://sourceforge.net/p/gar/code/23382
Author: wahwah
Date: 2014-04-08 15:58:37 +0000 (Tue, 08 Apr 2014)
Log Message:
-----------
openssl1/trunk: I'm almost sure this won't work.
Modified Paths:
--------------
csw/mgar/pkg/openssl1/trunk/Makefile
csw/mgar/pkg/openssl1/trunk/checksums
csw/mgar/pkg/openssl1/trunk/files/changelog.CSW
Added Paths:
-----------
csw/mgar/pkg/openssl1/trunk/files/CVE-2014-0076.patch
csw/mgar/pkg/openssl1/trunk/files/CVE-2014-0160.patch
Modified: csw/mgar/pkg/openssl1/trunk/Makefile
===================================================================
--- csw/mgar/pkg/openssl1/trunk/Makefile 2014-04-08 13:45:24 UTC (rev 23381)
+++ csw/mgar/pkg/openssl1/trunk/Makefile 2014-04-08 15:58:37 UTC (rev 23382)
@@ -10,10 +10,12 @@
# software causes damage.
#####################################################################
+# Note: This build recipe does not work with parallel gmake (-j N) invocation.
+
###### Package information #######
NAME = openssl
-VERSION = 1.0.1g
+VERSION = 1.0.1f
GARTYPE = v2
SONAME=$(shell echo $(VERSION) | tr -d '[a-z]')
@@ -39,19 +41,19 @@
SPKG_DESC_CSWlibssl1-0-0 = Openssl 1.0 runtime libraries
PKGFILES_CSWlibssl1-0-0 = $(PKGFILES_RT)
PKGFILES_CSWlibssl1-0-0 += $(libdir)(/[^/]*)?/openssl-1.0.0/engines/.*
-PKGFILES_CSWlibssl1-0-0 += $(prefix)/etc/ssl/private $(prefix)/etc/ssl/certs
-PKGFILES_CSWlibssl1-0-0 += $(docdir)/libssl1_0_0/.*
+PKGFILES_CSWlibssl1-0-0 += $(prefix)/etc/ssl/private $(prefix)/etc/ssl/certs
+PKGFILES_CSWlibssl1-0-0 += $(docdir)/libssl1_0_0/.*
RUNTIME_DEP_PKGS_CSWlibssl-dev = CSWlibssl1-0-0
SPKG_DESC_CSWlibssl-dev = Openssl 1.0 development support files
-PKGFILES_CSWlibssl-dev = $(PKGFILES_DEVEL)
+PKGFILES_CSWlibssl-dev = $(PKGFILES_DEVEL)
PKGFILES_CSWlibssl-dev += $(docdir)/libssl_dev/.*
RUNTIME_DEP_PKGS_CSWopenssl-utils = CSWlibssl1-0-0
SPKG_DESC_CSWopenssl-utils = Openssl 1.0 binaries and related tools
-PKGFILES_CSWopenssl-utils = $(bindir)/[^/]* $(bindir)/.*/openssl
-PKGFILES_CSWopenssl-utils += $(mandir)/man1/.* $(mandir)/man5/.* $(mandir)/man7/.*
-PKGFILES_CSWopenssl-utils += $(prefix)/ssl/misc/.*
+PKGFILES_CSWopenssl-utils = $(bindir)/[^/]* $(bindir)/.*/openssl
+PKGFILES_CSWopenssl-utils += $(mandir)/man1/.* $(mandir)/man5/.* $(mandir)/man7/.*
+PKGFILES_CSWopenssl-utils += $(prefix)/ssl/misc/.*
PKGFILES_CSWopenssl-utils += $(prefix)/ssl/openssl\.cnf.*
PKGFILES_CSWopenssl-utils += $(sysconfdir)/ssl/openssl\.cnf.*
PKGFILES_CSWopenssl-utils += $(docdir)/openssl_utils/.*
@@ -79,7 +81,7 @@
MASTER_SITES = http://www.openssl.org/source/
-DISTFILES = $(NAME)-$(VERSION).tar.gz
+DISTFILES = $(NAME)-$(VERSION).tar.gz
DISTFILES += changelog.CSW README.CSW
DISTFILES += map.openssl.libcrypto map.openssl.libssl map.openssl.engines
@@ -89,12 +91,12 @@
ENGINES = 4758cca aep atalla cswift gmp chil nuron sureware ubsec padlock capi
# configure targets patchs needs to be different for Solaris 9 as some map files
-# are not available
+# are not available
ifeq ($(shell /usr/bin/uname -r),5.9)
PATCH_SUFFIX = .SunOS5.9
endif
-# This patch is taken from https://hg.openindiana.org/upstream/oracle/userland-gate/
+# This patch is taken from https://hg.openindiana.org/upstream/oracle/userland-gate/
# original file: components/openssl/openssl-1.0.1/patches/18-compiler_opts.patch
# I think they are smarter than me to figure what are the best compiler options
PATCHFILES = optimized_configure_targets.patch$(PATCH_SUFFIX)
@@ -104,6 +106,11 @@
# (wonder if they are really worth it)
PATCHFILES += more_configure_targets.patch$(PATCH_SUFFIX)
+
+PATCHFILES += CVE-2014-0076.patch
+PATCHFILES += CVE-2014-0160.patch
+
+
#PATCHFILES += fix-test-failure.patch
# We install engines libraries in /opt/csw/lib/engines/1.0.0/
@@ -123,7 +130,7 @@
PATCHFILES += block_bad_certificates.patch
# Add old-style certificates hash generation to maintain compatibilies
-# with gnutls and programs linked with openssl 0.9.8
+# with gnutls and programs linked with openssl 0.9.8
# Patch taken from Debian
PATCHFILES += c_rehash-compat.patch
@@ -131,7 +138,7 @@
# crazy during library migration
PATCHFILES += 0007-enables-symbols-versioning.patch
-# openssl currently only uses issetugid on freebsd and openbsd
+# openssl currently only uses issetugid on freebsd and openbsd
# althought it is also available on Solaris 10
# We make issetugid support configurable via preprocessor flag
# to be able to enable it for Solaris
@@ -144,7 +151,7 @@
ENGINES += pk11
endif
-# support for sparc t4 crypto engine
+# support for sparc t4 crypto engine
# see http://bubbva.blogspot.fr/2011/11/exciting-crypto-advances-with-t4.html
# https://blogs.oracle.com/DanX/entry/sparc_t4_openssl_engine
# patch taken from https://hg.openindiana.org/upstream/oracle/userland-gate/
@@ -167,7 +174,7 @@
BUILD64 = 1
ISAEXEC = 1
-# The list of instructions set for which we will
+# The list of instructions set for which we will
# provide optimized libraries and binaries
EXTRA_BUILD_ISAS_i386 = pentium_pro amd64
EXTRA_BUILD_ISAS_sparc = sparcv8plus+vis sparcv9
@@ -175,7 +182,7 @@
# the openssl build system doesn't honor bindir
# as it doesn't install 64 bits binaries in bin/{amd64,sparcv9}
-# we fix this at the merge step
+# we fix this at the merge step
EXTRA_MERGE_DIRS_isa-amd64 = $(bindir_install)
EXTRA_MERGE_DIRS_isa-sparcv9 = $(bindir_install)
@@ -215,10 +222,10 @@
# but openssl doesn't use it by default so we manually enable it
CONFIGURE_FLAGS = -DHAVE_ISSETUGID
-# PKCS11 Patch also works on sparc64 athena processors thanks for the FJAES
+# PKCS11 Patch also works on sparc64 athena processors thanks for the FJAES
# instruction set. The presence of this instruction set is checked at runtime
# by looking for the AV_SPARC_JFAES instruction set bit, unfortunately the
-# corresponding macro in not present in Solaris 9-11 headers, so we manually
+# corresponding macro in not present in Solaris 9-11 headers, so we manually
# define it.
CONFIGURE_FLAGS += -DAV_SPARC_FJAES=0
@@ -235,8 +242,8 @@
# PKCS11 is only for Solaris 10 so we must create solaris 10 specific packages
ifneq ($(shell /usr/bin/uname -r),5.9)
- CONFIGURE_ARGS += --pk11-libname=$(abspath /usr/lib/$(MM_LIBDIR)/libpkcs11.so)
-endif
+ CONFIGURE_ARGS += --pk11-libname=$(abspath /usr/lib/$(MM_LIBDIR)/libpkcs11.so)
+endif
# For now we want the sun perl to be used
EXTRA_CONFIGURE_ENV += PERL="/usr/bin/perl"
@@ -245,7 +252,7 @@
# with the shell command added by the t4 patch
EXTRA_CONFIGURE_ENV += MAKE="/opt/csw/bin/gmake"
-# The new compiler options taken from https://hg.openindiana.org/upstream/oracle/userland-gate/
+# The new compiler options taken from https://hg.openindiana.org/upstream/oracle/userland-gate/
# added "-z defs" to the linker options. That causes object compilation to fail because
# they are not linked against libc and libdl (for Sol9). This is workaround until I find a better fix.
EXTRA_LD_OPTIONS = -lc -ldl
@@ -257,7 +264,7 @@
# library files are not automatically stripped
STRIP_DIRS = $(DESTDIR)/$(libdir) $(DESTDIR)/$(libdir)/openssl-$(SONAME)/engines/
-TEST_SCRIPTS =
+TEST_SCRIPTS =
include gar/category.mk
@@ -277,20 +284,20 @@
pre-configure-modulated:
echo " ==> Creating configure script"
cd $(WORKSRC) && ln -nf Configure configure
- ln -nf $(WORKDIR)/map.openssl.libcrypto $(WORKSRC)/map.openssl.libcrypto
- ln -nf $(WORKDIR)/map.openssl.libssl $(WORKSRC)/map.openssl.libssl
+ ln -nf $(WORKDIR)/map.openssl.libcrypto $(WORKSRC)/map.openssl.libcrypto
+ ln -nf $(WORKDIR)/map.openssl.libssl $(WORKSRC)/map.openssl.libssl
for ENGINE in $(ENGINES); do \
ln -nf $(WORKDIR)/map.openssl.engines $(WORKSRC)/engines/map.openssl.lib$$ENGINE; \
- done
+ done
ln -nf $(WORKDIR)/map.openssl.engines $(WORKSRC)/engines/ccgost/map.openssl.libgost
@$(MAKECOOKIE)
-install-conf-misc:
+install-conf-misc:
if [ -f "$(PKGROOT)$(prefix)/ssl/openssl.cnf" ] && [ ! -h "$(PKGROOT)$(prefix)/ssl/openssl.cnf" ]; then \
ginstall -d "$(PKGROOT)$(sysconfdir)/ssl"; \
mv "$(PKGROOT)$(prefix)/ssl/openssl.cnf" $(PKGROOT)$(sysconfdir)/ssl/openssl.cnf.CSW; \
ln -sf ../../..$(sysconfdir)/ssl/openssl.cnf $(PKGROOT)$(prefix)/ssl/openssl.cnf; \
- fi
+ fi
[ ! -d "$(PKGROOT)$(sysconfdir)/ssl/misc" ] || \
mv "$(PKGROOT)$(sysconfdir)/ssl/misc" "$(PKGROOT)/$(prefix)/ssl/"
@@ -302,5 +309,6 @@
done
@$(MAKECOOKIE)
-post-merge-all: merge-doc install-conf-misc
+post-merge-all: merge-doc install-conf-misc
+SPKG_REVSTAMP := $(SPKG_REVSTAMP)_rev=heartbleed
Modified: csw/mgar/pkg/openssl1/trunk/checksums
===================================================================
--- csw/mgar/pkg/openssl1/trunk/checksums 2014-04-08 13:45:24 UTC (rev 23381)
+++ csw/mgar/pkg/openssl1/trunk/checksums 2014-04-08 15:58:37 UTC (rev 23382)
@@ -1 +1 @@
-de62b43dfcd858e66a74bee1c834e959 openssl-1.0.1g.tar.gz
+f26b09c028a0541cab33da697d522b25 openssl-1.0.1f.tar.gz
Added: csw/mgar/pkg/openssl1/trunk/files/CVE-2014-0076.patch
===================================================================
--- csw/mgar/pkg/openssl1/trunk/files/CVE-2014-0076.patch (rev 0)
+++ csw/mgar/pkg/openssl1/trunk/files/CVE-2014-0076.patch 2014-04-08 15:58:37 UTC (rev 23382)
@@ -0,0 +1,167 @@
+Description: fix side-channel attack on Montgomery ladder implementation
+Origin: upstream, http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4b7a4ba29cafa432fc4266fe6e59e60bc1c96332
+Origin: upstream, http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=40acdb192e035f463d3c39c23fd8a68cf54df378
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742923
+
+Index: openssl-1.0.1f/crypto/bn/bn.h
+===================================================================
+--- openssl-1.0.1f.orig/crypto/bn/bn.h 2014-01-06 08:47:42.000000000 -0500
++++ openssl-1.0.1f/crypto/bn/bn.h 2014-04-07 15:37:00.924343048 -0400
+@@ -538,6 +538,8 @@
+ BIGNUM *BN_mod_sqrt(BIGNUM *ret,
+ const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);
+
++void BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords);
++
+ /* Deprecated versions */
+ #ifndef OPENSSL_NO_DEPRECATED
+ BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,
+@@ -774,11 +776,20 @@
+
+ #define bn_fix_top(a) bn_check_top(a)
+
++#define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2)
++#define bn_wcheck_size(bn, words) \
++ do { \
++ const BIGNUM *_bnum2 = (bn); \
++ assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \
++ } while(0)
++
+ #else /* !BN_DEBUG */
+
+ #define bn_pollute(a)
+ #define bn_check_top(a)
+ #define bn_fix_top(a) bn_correct_top(a)
++#define bn_check_size(bn, bits)
++#define bn_wcheck_size(bn, words)
+
+ #endif
+
+Index: openssl-1.0.1f/crypto/bn/bn_lib.c
+===================================================================
+--- openssl-1.0.1f.orig/crypto/bn/bn_lib.c 2014-01-06 08:47:42.000000000 -0500
++++ openssl-1.0.1f/crypto/bn/bn_lib.c 2014-04-07 15:37:00.924343048 -0400
+@@ -824,3 +824,55 @@
+ }
+ return bn_cmp_words(a,b,cl);
+ }
++
++/*
++ * Constant-time conditional swap of a and b.
++ * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
++ * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
++ * and that no more than nwords are used by either a or b.
++ * a and b cannot be the same number
++ */
++void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
++ {
++ BN_ULONG t;
++ int i;
++
++ bn_wcheck_size(a, nwords);
++ bn_wcheck_size(b, nwords);
++
++ assert(a != b);
++ assert((condition & (condition - 1)) == 0);
++ assert(sizeof(BN_ULONG) >= sizeof(int));
++
++ condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
++
++ t = (a->top^b->top) & condition;
++ a->top ^= t;
++ b->top ^= t;
++
++#define BN_CONSTTIME_SWAP(ind) \
++ do { \
++ t = (a->d[ind] ^ b->d[ind]) & condition; \
++ a->d[ind] ^= t; \
++ b->d[ind] ^= t; \
++ } while (0)
++
++
++ switch (nwords) {
++ default:
++ for (i = 10; i < nwords; i++)
++ BN_CONSTTIME_SWAP(i);
++ /* Fallthrough */
++ case 10: BN_CONSTTIME_SWAP(9); /* Fallthrough */
++ case 9: BN_CONSTTIME_SWAP(8); /* Fallthrough */
++ case 8: BN_CONSTTIME_SWAP(7); /* Fallthrough */
++ case 7: BN_CONSTTIME_SWAP(6); /* Fallthrough */
++ case 6: BN_CONSTTIME_SWAP(5); /* Fallthrough */
++ case 5: BN_CONSTTIME_SWAP(4); /* Fallthrough */
++ case 4: BN_CONSTTIME_SWAP(3); /* Fallthrough */
++ case 3: BN_CONSTTIME_SWAP(2); /* Fallthrough */
++ case 2: BN_CONSTTIME_SWAP(1); /* Fallthrough */
++ case 1: BN_CONSTTIME_SWAP(0);
++ }
++#undef BN_CONSTTIME_SWAP
++}
+Index: openssl-1.0.1f/crypto/ec/ec2_mult.c
+===================================================================
+--- openssl-1.0.1f.orig/crypto/ec/ec2_mult.c 2014-01-06 08:47:42.000000000 -0500
++++ openssl-1.0.1f/crypto/ec/ec2_mult.c 2014-04-07 15:37:00.924343048 -0400
+@@ -208,11 +208,15 @@
+ return ret;
+ }
+
++
+ /* Computes scalar*point and stores the result in r.
+ * point can not equal r.
+- * Uses algorithm 2P of
++ * Uses a modified algorithm 2P of
+ * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over
+ * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
++ *
++ * To protect against side-channel attack the function uses constant time swap,
++ * avoiding conditional branches.
+ */
+ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
+ const EC_POINT *point, BN_CTX *ctx)
+@@ -246,6 +250,11 @@
+ x2 = &r->X;
+ z2 = &r->Y;
+
++ bn_wexpand(x1, group->field.top);
++ bn_wexpand(z1, group->field.top);
++ bn_wexpand(x2, group->field.top);
++ bn_wexpand(z2, group->field.top);
++
+ if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */
+ if (!BN_one(z1)) goto err; /* z1 = 1 */
+ if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */
+@@ -270,16 +279,12 @@
+ word = scalar->d[i];
+ while (mask)
+ {
+- if (word & mask)
+- {
+- if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err;
+- if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err;
+- }
+- else
+- {
+- if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
+- if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
+- }
++ BN_consttime_swap(word & mask, x1, x2, group->field.top);
++ BN_consttime_swap(word & mask, z1, z2, group->field.top);
++ if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
++ if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
++ BN_consttime_swap(word & mask, x1, x2, group->field.top);
++ BN_consttime_swap(word & mask, z1, z2, group->field.top);
+ mask >>= 1;
+ }
+ mask = BN_TBIT;
+Index: openssl-1.0.1f/util/libeay.num
+===================================================================
+--- openssl-1.0.1f.orig/util/libeay.num 2014-01-06 09:35:55.000000000 -0500
++++ openssl-1.0.1f/util/libeay.num 2014-04-07 15:37:03.976343033 -0400
+@@ -3511,6 +3511,7 @@
+ d2i_ASIdOrRange 3904 EXIST::FUNCTION:RFC3779
+ i2d_ASIdentifiers 3905 EXIST::FUNCTION:RFC3779
+ CRYPTO_memcmp 3906 EXIST::FUNCTION:
++BN_consttime_swap 3907 EXIST::FUNCTION:
+ SEED_decrypt 3908 EXIST::FUNCTION:SEED
+ SEED_encrypt 3909 EXIST::FUNCTION:SEED
+ SEED_cbc_encrypt 3910 EXIST::FUNCTION:SEED
Added: csw/mgar/pkg/openssl1/trunk/files/CVE-2014-0160.patch
===================================================================
--- csw/mgar/pkg/openssl1/trunk/files/CVE-2014-0160.patch (rev 0)
+++ csw/mgar/pkg/openssl1/trunk/files/CVE-2014-0160.patch 2014-04-08 15:58:37 UTC (rev 23382)
@@ -0,0 +1,94 @@
+Description: fix memory disclosure in TLS heartbeat extension
+Origin: upstream, http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3
+
+Index: openssl-1.0.1c/ssl/d1_both.c
+===================================================================
+--- openssl-1.0.1c.orig/ssl/d1_both.c 2014-04-07 15:44:25.208340860 -0400
++++ openssl-1.0.1c/ssl/d1_both.c 2014-04-07 15:44:25.204340860 -0400
+@@ -1458,26 +1458,36 @@
+ unsigned int payload;
+ unsigned int padding = 16; /* Use minimum padding */
+
+- /* Read type and payload length first */
+- hbtype = *p++;
+- n2s(p, payload);
+- pl = p;
+-
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
+ &s->s3->rrec.data[0], s->s3->rrec.length,
+ s, s->msg_callback_arg);
+
++ /* Read type and payload length first */
++ if (1 + 2 + 16 > s->s3->rrec.length)
++ return 0; /* silently discard */
++ hbtype = *p++;
++ n2s(p, payload);
++ if (1 + 2 + payload + 16 > s->s3->rrec.length)
++ return 0; /* silently discard per RFC 6520 sec. 4 */
++ pl = p;
++
+ if (hbtype == TLS1_HB_REQUEST)
+ {
+ unsigned char *buffer, *bp;
++ unsigned int write_length = 1 /* heartbeat type */ +
++ 2 /* heartbeat length */ +
++ payload + padding;
+ int r;
+
++ if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
++ return 0;
++
+ /* Allocate memory for the response, size is 1 byte
+ * message type, plus 2 bytes payload length, plus
+ * payload, plus padding
+ */
+- buffer = OPENSSL_malloc(1 + 2 + payload + padding);
++ buffer = OPENSSL_malloc(write_length);
+ bp = buffer;
+
+ /* Enter response type, length and copy payload */
+@@ -1488,11 +1498,11 @@
+ /* Random padding */
+ RAND_pseudo_bytes(bp, padding);
+
+- r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
++ r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length);
+
+ if (r >= 0 && s->msg_callback)
+ s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
+- buffer, 3 + payload + padding,
++ buffer, write_length,
+ s, s->msg_callback_arg);
+
+ OPENSSL_free(buffer);
+Index: openssl-1.0.1c/ssl/t1_lib.c
+===================================================================
+--- openssl-1.0.1c.orig/ssl/t1_lib.c 2014-04-07 15:44:25.208340860 -0400
++++ openssl-1.0.1c/ssl/t1_lib.c 2014-04-07 15:44:25.204340860 -0400
+@@ -2441,16 +2441,20 @@
+ unsigned int payload;
+ unsigned int padding = 16; /* Use minimum padding */
+
+- /* Read type and payload length first */
+- hbtype = *p++;
+- n2s(p, payload);
+- pl = p;
+-
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
+ &s->s3->rrec.data[0], s->s3->rrec.length,
+ s, s->msg_callback_arg);
+
++ /* Read type and payload length first */
++ if (1 + 2 + 16 > s->s3->rrec.length)
++ return 0; /* silently discard */
++ hbtype = *p++;
++ n2s(p, payload);
++ if (1 + 2 + payload + 16 > s->s3->rrec.length)
++ return 0; /* silently discard per RFC 6520 sec. 4 */
++ pl = p;
++
+ if (hbtype == TLS1_HB_REQUEST)
+ {
+ unsigned char *buffer, *bp;
Modified: csw/mgar/pkg/openssl1/trunk/files/changelog.CSW
===================================================================
--- csw/mgar/pkg/openssl1/trunk/files/changelog.CSW 2014-04-08 13:45:24 UTC (rev 23381)
+++ csw/mgar/pkg/openssl1/trunk/files/changelog.CSW 2014-04-08 15:58:37 UTC (rev 23382)
@@ -1,3 +1,9 @@
+openssl (1.0.1g,rev=2014.04.08) unstable
+
+ * 1.0.1g does not build. Revert to 1.0.1f and add backported changes.
+
+ -- Maciej Blizinski <maciej at opencsw.org> Tue, 08 Apr 2014 16:07:48 +0100
+
openssl (1.0.1g,rev=2014.04.07) unstable
* New upstream release.
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
More information about the devel
mailing list