[rpms/openssl] rebase_40beta: add missing initialization of str in aes_ccm_init_key (#853963)

[Tomas Mraz <tmraz@fedoraproject.org>]

            A new commit has been pushed.

            Repo   : rpms/openssl
            Branch : rebase_40beta
            Commit : c015bd1b1e91ba0c86e94dd39377fb42aea2af30
            Author : Tomas Mraz <tmraz@fedoraproject.org>
            Date   : 2012-09-07T10:48:56+02:00
            Stats  : +123/-1 in 3 file(s)
            URL    : https://src.fedoraproject.org/rpms/openssl/c/c015bd1b1e91ba0c86e94dd39377fb42aea2af30?branch=rebase_40beta

            Log:
            add missing initialization of str in aes_ccm_init_key (#853963)

- add important patches from upstream CVS

---
diff --git a/openssl-1.0.1c-backports2.patch b/openssl-1.0.1c-backports2.patch
new file mode 100644
index 0000000..a6477e7
--- /dev/null
+++ b/openssl-1.0.1c-backports2.patch
@@ -0,0 +1,103 @@
+diff -up openssl-1.0.1c/apps/cms.c.backports2 openssl-1.0.1c/apps/cms.c
+--- openssl-1.0.1c/apps/cms.c.backports2	2012-01-05 14:46:27.000000000 +0100
++++ openssl-1.0.1c/apps/cms.c	2012-09-07 10:34:42.000000000 +0200
+@@ -233,6 +233,8 @@ int MAIN(int argc, char **argv)
+ 		else if (!strcmp(*args,"-camellia256"))
+ 				cipher = EVP_camellia_256_cbc();
+ #endif
++		else if (!strcmp (*args, "-debug_decrypt")) 
++				flags |= CMS_DEBUG_DECRYPT;
+ 		else if (!strcmp (*args, "-text")) 
+ 				flags |= CMS_TEXT;
+ 		else if (!strcmp (*args, "-nointern")) 
+@@ -1039,6 +1041,8 @@ int MAIN(int argc, char **argv)
+ 	ret = 4;
+ 	if (operation == SMIME_DECRYPT)
+ 		{
++		if (flags & CMS_DEBUG_DECRYPT)
++			CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags);
+ 
+ 		if (secret_key)
+ 			{
+diff -up openssl-1.0.1c/crypto/bn/bn_lcl.h.backports2 openssl-1.0.1c/crypto/bn/bn_lcl.h
+--- openssl-1.0.1c/crypto/bn/bn_lcl.h.backports2	2012-09-06 17:25:22.000000000 +0200
++++ openssl-1.0.1c/crypto/bn/bn_lcl.h	2012-09-07 10:22:43.000000000 +0200
+@@ -282,16 +282,23 @@ extern "C" {
+ #  endif
+ # elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG))
+ #  if defined(__GNUC__) && __GNUC__>=2
+-#   define BN_UMULT_HIGH(a,b)	({	\
++#   if __GNUC__>=4 && __GNUC_MINOR__>=4 /* "h" constraint is no more since 4.4 */
++#     define BN_UMULT_HIGH(a,b)		 (((__uint128_t)(a)*(b))>>64)
++#     define BN_UMULT_LOHI(low,high,a,b) ({	\
++	__uint128_t ret=(__uint128_t)(a)*(b);	\
++	(high)=ret>>64; (low)=ret;	 })
++#   else
++#     define BN_UMULT_HIGH(a,b)	({	\
+ 	register BN_ULONG ret;		\
+ 	asm ("dmultu	%1,%2"		\
+ 	     : "=h"(ret)		\
+ 	     : "r"(a), "r"(b) : "l");	\
+ 	ret;			})
+-#   define BN_UMULT_LOHI(low,high,a,b)	\
++#     define BN_UMULT_LOHI(low,high,a,b)\
+ 	asm ("dmultu	%2,%3"		\
+ 	     : "=l"(low),"=h"(high)	\
+ 	     : "r"(a), "r"(b));
++#    endif
+ #  endif
+ # endif		/* cpu */
+ #endif		/* OPENSSL_NO_ASM */
+diff -up openssl-1.0.1c/crypto/modes/gcm128.c.backports2 openssl-1.0.1c/crypto/modes/gcm128.c
+--- openssl-1.0.1c/crypto/modes/gcm128.c.backports2	2012-01-25 18:56:24.000000000 +0100
++++ openssl-1.0.1c/crypto/modes/gcm128.c	2012-09-07 10:24:56.000000000 +0200
+@@ -1398,7 +1398,7 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT
+ 	void (*gcm_gmult_p)(u64 Xi[2],const u128 Htable[16])	= ctx->gmult;
+ #endif
+ 
+-	if (ctx->mres)
++	if (ctx->mres || ctx->ares)
+ 		GCM_MUL(ctx,Xi);
+ 
+ 	if (is_endian.little) {
+diff -up openssl-1.0.1c/ssl/ssl_cert.c.backports2 openssl-1.0.1c/ssl/ssl_cert.c
+--- openssl-1.0.1c/ssl/ssl_cert.c.backports2	2011-05-11 15:37:52.000000000 +0200
++++ openssl-1.0.1c/ssl/ssl_cert.c	2012-09-07 10:33:54.000000000 +0200
+@@ -164,14 +164,14 @@ static void ssl_cert_set_default_md(CERT
+ 	{
+ 	/* Set digest values to defaults */
+ #ifndef OPENSSL_NO_DSA
+-	cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
++	cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
+ #endif
+ #ifndef OPENSSL_NO_RSA
+ 	cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
+ 	cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
+ #endif
+ #ifndef OPENSSL_NO_ECDSA
+-	cert->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
++	cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
+ #endif
+ 	}
+ 
+diff -up openssl-1.0.1c/ssl/t1_lib.c.backports2 openssl-1.0.1c/ssl/t1_lib.c
+--- openssl-1.0.1c/ssl/t1_lib.c.backports2	2012-03-21 22:32:57.000000000 +0100
++++ openssl-1.0.1c/ssl/t1_lib.c	2012-09-07 10:33:54.000000000 +0200
+@@ -2414,7 +2414,7 @@ int tls1_process_sigalgs(SSL *s, const u
+ 	 */
+ #ifndef OPENSSL_NO_DSA
+ 	if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
+-		c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
++		c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
+ #endif
+ #ifndef OPENSSL_NO_RSA
+ 	if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
+@@ -2425,7 +2425,7 @@ int tls1_process_sigalgs(SSL *s, const u
+ #endif
+ #ifndef OPENSSL_NO_ECDSA
+ 	if (!c->pkeys[SSL_PKEY_ECC].digest)
+-		c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
++		c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
+ #endif
+ 	return 1;
+ 	}

diff --git a/openssl-1.0.1c-ccm-init-str.patch b/openssl-1.0.1c-ccm-init-str.patch
new file mode 100644
index 0000000..bc89723
--- /dev/null
+++ b/openssl-1.0.1c-ccm-init-str.patch
@@ -0,0 +1,11 @@
+diff -up openssl-1.0.1c/crypto/evp/e_aes.c.init-str openssl-1.0.1c/crypto/evp/e_aes.c
+--- openssl-1.0.1c/crypto/evp/e_aes.c.init-str	2012-09-06 17:20:45.000000000 +0200
++++ openssl-1.0.1c/crypto/evp/e_aes.c	2012-09-06 17:18:30.000000000 +0200
+@@ -1216,6 +1216,7 @@ static int aes_ccm_init_key(EVP_CIPHER_C
+ 			vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks);
+ 			CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
+ 					&cctx->ks, (block128_f)vpaes_encrypt);
++			cctx->str = NULL;
+ 			cctx->key_set = 1;
+ 			break;
+ 			}

diff --git a/openssl.spec b/openssl.spec
index 02f9e66..8307ed4 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implem
 Name: openssl
 Version: 1.0.1c
 # Do not forget to bump SHLIB_VERSION on version upgrades
-Release: 6%{?dist}
+Release: 7%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -70,6 +70,8 @@ Patch68: openssl-1.0.1c-secure-getenv.patch
 # Backported fixes including security fixes
 Patch81: openssl-1.0.1-beta2-padlock64.patch
 Patch82: openssl-1.0.1c-backports.patch
+Patch83: openssl-1.0.1c-ccm-init-str.patch
+Patch84: openssl-1.0.1c-backports2.patch
 
 License: OpenSSL
 Group: System Environment/Libraries
@@ -172,6 +174,8 @@ from other formats to the formats used by the OpenSSL toolkit.
 
 %patch81 -p1 -b .padlock64
 %patch82 -p1 -b .backports
+%patch83 -p1 -b .init-str
+%patch84 -p1 -b .backports2
 
 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`
@@ -425,6 +429,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Fri Sep  7 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-7
+- add missing initialization of str in aes_ccm_init_key (#853963)
+- add important patches from upstream CVS
+
 * Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.0.1c-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild