rpms/openssl/devel openssl-0.9.7a-can-2005-2969.patch, NONE, 1.1 openssl-0.9.7f-defaults.patch, 1.1, 1.2 openssl.spec, 1.59, 1.60

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed Oct 12 12:01:34 UTC 2005 

Author: tmraz

Update of /cvs/dist/rpms/openssl/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv19937

Modified Files:
	openssl-0.9.7f-defaults.patch openssl.spec 
Added Files:
	openssl-0.9.7a-can-2005-2969.patch 
Log Message:
* Wed Oct 12 2005 Tomas Mraz <tmraz at redhat.com> 0.9.7f-10
- fix CAN-2005-2969 - remove SSL_OP_MSIE_SSLV2_RSA_PADDING which
  disables the countermeasure against man in the middle attack in SSLv2
  (#169863)
- use sha1 as default for CA and cert requests - CAN-2005-2946 (#169803)


openssl-0.9.7a-can-2005-2969.patch:
 doc/ssl/SSL_CTX_set_options.pod |    2 +-
 ssl/s23_srvr.c                  |    7 +------
 ssl/ssl.h                       |    2 +-
 3 files changed, 3 insertions(+), 8 deletions(-)

--- NEW FILE openssl-0.9.7a-can-2005-2969.patch ---
Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
(part of SSL_OP_ALL).  This option used to disable the
countermeasure against man-in-the-middle protocol-version
rollback in the SSL 2.0 server implementation, which is a bad
idea.
Index: doc/ssl/SSL_CTX_set_options.pod
===================================================================
RCS file: /e/openssl/cvs/openssl/doc/ssl/SSL_CTX_set_options.pod,v
retrieving revision 1.9.2.4
diff -u -r1.9.2.4 SSL_CTX_set_options.pod
--- doc/ssl/SSL_CTX_set_options.pod	22 Mar 2005 17:54:13 -0000	1.9.2.4
+++ doc/ssl/SSL_CTX_set_options.pod	23 Sep 2005 03:38:43 -0000
@@ -86,7 +86,7 @@
 
 =item SSL_OP_MSIE_SSLV2_RSA_PADDING
 
-...
+This option has no effect now.
 
 =item SSL_OP_SSLEAY_080_CLIENT_DH_BUG
 
Index: ssl/s23_srvr.c
===================================================================
RCS file: /e/openssl/cvs/openssl/ssl/s23_srvr.c,v
retrieving revision 1.41.2.6
diff -u -r1.41.2.6 s23_srvr.c
--- ssl/s23_srvr.c	31 Jan 2005 01:33:35 -0000	1.41.2.6
+++ ssl/s23_srvr.c	23 Sep 2005 03:38:44 -0000
@@ -268,9 +268,6 @@
 	int n=0,j;
 	int type=0;
 	int v[2];
-#ifndef OPENSSL_NO_RSA
-	int use_sslv2_strong=0;
-#endif
 
 	if (s->state ==	SSL23_ST_SR_CLNT_HELLO_A)
 		{
@@ -528,9 +525,7 @@
 			}
 
 		s->state=SSL2_ST_GET_CLIENT_HELLO_A;
-		if ((s->options & SSL_OP_MSIE_SSLV2_RSA_PADDING) ||
-			use_sslv2_strong ||
-			(s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3))
+		if (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3)
 			s->s2->ssl2_rollback=0;
 		else
 			/* reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0
Index: ssl/ssl.h
===================================================================
RCS file: /e/openssl/cvs/openssl/ssl/ssl.h,v
retrieving revision 1.126.2.23
diff -u -r1.126.2.23 ssl.h
--- ssl/ssl.h	10 Jun 2005 20:00:39 -0000	1.126.2.23
+++ ssl/ssl.h	23 Sep 2005 03:38:47 -0000
@@ -467,7 +467,7 @@
 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG		0x00000008L
 #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x00000010L
 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER		0x00000020L
-#define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x00000040L
+#define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x00000040L /* no effect due to CAN-2005-2969 */
 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG			0x00000080L
 #define SSL_OP_TLS_D5_BUG				0x00000100L
 #define SSL_OP_TLS_BLOCK_PADDING_BUG			0x00000200L

openssl-0.9.7f-defaults.patch:
 openssl.cnf |   16 ++++++++++------
 1 files changed, 10 insertions(+), 6 deletions(-)

Index: openssl-0.9.7f-defaults.patch
===================================================================
RCS file: /cvs/dist/rpms/openssl/devel/openssl-0.9.7f-defaults.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- openssl-0.9.7f-defaults.patch	27 Apr 2005 10:48:43 -0000	1.1
+++ openssl-0.9.7f-defaults.patch	12 Oct 2005 12:01:15 -0000	1.2
@@ -1,6 +1,23 @@
---- openssl-0.9.7f/apps/openssl.cnf.defaults	2004-05-13 23:38:37.000000000 +0200
-+++ openssl-0.9.7f/apps/openssl.cnf	2005-04-27 11:40:02.651321967 +0200
-@@ -116,23 +116,26 @@
+--- openssl-0.9.7f/apps/openssl.cnf.defaults	2005-10-12 11:43:43.000000000 +0200
++++ openssl-0.9.7f/apps/openssl.cnf	2005-10-12 13:39:11.000000000 +0200
+@@ -67,7 +67,7 @@
+ 
+ default_days	= 365			# how long to certify for
+ default_crl_days= 30			# how long before next CRL
+-default_md	= md5			# which md to use.
++default_md	= sha1			# which md to use.
+ preserve	= no			# keep passed DN ordering
+ 
+ # A few difference way of specifying how similar the request should look
+@@ -99,6 +99,7 @@
+ ####################################################################
+ [ req ]
+ default_bits		= 1024
++default_md		= sha1
+ default_keyfile 	= privkey.pem
+ distinguished_name	= req_distinguished_name
+ attributes		= req_attributes
+@@ -116,23 +117,26 @@
  # MASK:XXXX a literal mask value.
  # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
  # so use this option with caution!
@@ -31,7 +48,7 @@
  
  # we can do this but it is not needed normally :-)
  #1.organizationName		= Second Organization Name (eg, company)
-@@ -141,7 +144,7 @@
+@@ -141,7 +145,7 @@
  organizationalUnitName		= Organizational Unit Name (eg, section)
  #organizationalUnitName_default	=
  


Index: openssl.spec
===================================================================
RCS file: /cvs/dist/rpms/openssl/devel/openssl.spec,v
retrieving revision 1.59
retrieving revision 1.60
diff -u -r1.59 -r1.60
--- openssl.spec	23 Aug 2005 15:28:52 -0000	1.59
+++ openssl.spec	12 Oct 2005 12:01:16 -0000	1.60
@@ -8,7 +8,7 @@
 %define soversion 5
 
 # Number of threads to spawn when testing some threading fixes.
-#%define thread_test_threads %{?threads:%{threads}}%{!?threads:100}
+#%define thread_test_threads %{?threads:%{threads}}%{!?threads:1}
 
 # Arches on which we need to prevent arch conflicts on opensslconf.h, must
 # also be handled in opensslconf-new.h.
@@ -22,7 +22,7 @@
 Summary: The OpenSSL toolkit.
 Name: openssl
 Version: 0.9.7f
-Release: 9
+Release: 10
 Source: openssl-%{version}-usa.tar.bz2
 Source1: hobble-openssl
 Source2: Makefile.certificate
@@ -55,6 +55,7 @@
 Patch48: openssl-0.9.7f-dsa-consttime.patch
 Patch49: openssl-0.9.7f-bn-ppc-div.patch
 Patch50: openssl-0.9.7f-apps-initialize.patch
+Patch51: openssl-0.9.7a-can-2005-2969.patch
 
 License: BSDish
 Group: System Environment/Libraries
@@ -140,6 +141,8 @@
 %patch48 -p1 -b .dsa-consttime
 %patch49 -p1 -b .ppc-div
 %patch50 -p1 -b .apps-initialize
+# CAN-2005-2969
+%patch51 -p0 -b .ssl2-rollback
 
 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`
@@ -407,6 +410,12 @@
 %postun -p /sbin/ldconfig
 
 %changelog
+* Wed Oct 12 2005 Tomas Mraz <tmraz at redhat.com> 0.9.7f-10
+- fix CAN-2005-2969 - remove SSL_OP_MSIE_SSLV2_RSA_PADDING which
+  disables the countermeasure against man in the middle attack in SSLv2
+  (#169863)
+- use sha1 as default for CA and cert requests - CAN-2005-2946 (#169803)
+
 * Tue Aug 23 2005 Tomas Mraz <tmraz at redhat.com> 0.9.7f-9
 - add *.so.soversion as symlinks in /lib (#165264)
 - remove unpackaged symlinks (#159595)

More information about the fedora-cvs-commits mailing list