public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
* [rpms/openssl] rebase_40beta: applied upstream fixes (fix regression in X509_CRL_digest)
@ 2026-06-09 12:43 Tomas Mraz
0 siblings, 0 replies; only message in thread
From: Tomas Mraz @ 2026-06-09 12:43 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : d00e0a59041fd36d425768f9a7515515d395ab66
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date : 2017-02-01T15:56:59+01:00
Stats : +153/-1 in 2 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/d00e0a59041fd36d425768f9a7515515d395ab66?branch=rebase_40beta
Log:
applied upstream fixes (fix regression in X509_CRL_digest)
---
diff --git a/openssl-1.1.0-backports.patch b/openssl-1.1.0-backports.patch
new file mode 100644
index 0000000..1db6e65
--- /dev/null
+++ b/openssl-1.1.0-backports.patch
@@ -0,0 +1,147 @@
+From 3f60b8fbdc9b17572a86457fe5b11437c0d3fbc2 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Thu, 26 Jan 2017 17:11:14 +0000
+Subject: [PATCH] Use correct signature algorithm list when sending or
+ checking.
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/2297)
+---
+ ssl/ssl_locl.h | 2 +-
+ ssl/statem/statem_srvr.c | 2 +-
+ ssl/t1_lib.c | 12 ++++++------
+ 3 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
+index 4079b31..9a997cf 100644
+--- a/ssl/ssl_locl.h
++++ b/ssl/ssl_locl.h
+@@ -2062,7 +2062,7 @@ __owur size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
+ const unsigned char *psig, size_t psiglen);
+ __owur int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize);
+ __owur int tls1_process_sigalgs(SSL *s);
+-__owur size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs);
++__owur size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs);
+ __owur int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
+ const unsigned char *sig, EVP_PKEY *pkey);
+ void ssl_set_client_disabled(SSL *s);
+diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
+index d36d194..ad89e93 100644
+--- a/ssl/statem/statem_srvr.c
++++ b/ssl/statem/statem_srvr.c
+@@ -2002,7 +2002,7 @@ int tls_construct_certificate_request(SSL *s)
+ if (SSL_USE_SIGALGS(s)) {
+ const unsigned char *psigs;
+ unsigned char *etmp = p;
+- nl = tls12_get_psigalgs(s, &psigs);
++ nl = tls12_get_psigalgs(s, 1, &psigs);
+ /* Skip over length for now */
+ p += 2;
+ nl = tls12_copy_sigalgs(s, p, psigs, nl);
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index 1205f99..b75e568 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -711,7 +711,7 @@ static const unsigned char suiteb_sigalgs[] = {
+ tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
+ };
+ #endif
+-size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
++size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs)
+ {
+ /*
+ * If Suite B mode use Suite B sigalgs only, ignore any other
+@@ -733,7 +733,7 @@ size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
+ }
+ #endif
+ /* If server use client authentication sigalgs if not NULL */
+- if (s->server && s->cert->client_sigalgs) {
++ if (s->server == sent && s->cert->client_sigalgs) {
+ *psigs = s->cert->client_sigalgs;
+ return s->cert->client_sigalgslen;
+ } else if (s->cert->conf_sigalgs) {
+@@ -797,7 +797,7 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
+ #endif
+
+ /* Check signature matches a type we sent */
+- sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
++ sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
+ for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
+ if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
+ break;
+@@ -1189,7 +1189,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
+ size_t salglen;
+ const unsigned char *salg;
+ unsigned char *etmp;
+- salglen = tls12_get_psigalgs(s, &salg);
++ salglen = tls12_get_psigalgs(s, 1, &salg);
+
+ /*-
+ * check for enough space.
+@@ -3396,7 +3396,7 @@ void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
+ * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
+ * down calls to security callback only check if we have to.
+ */
+- sigalgslen = tls12_get_psigalgs(s, &sigalgs);
++ sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
+ for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
+ switch (sigalgs[1]) {
+ #ifndef OPENSSL_NO_RSA
+@@ -3491,7 +3491,7 @@ static int tls1_set_shared_sigalgs(SSL *s)
+ conf = c->conf_sigalgs;
+ conflen = c->conf_sigalgslen;
+ } else
+- conflen = tls12_get_psigalgs(s, &conf);
++ conflen = tls12_get_psigalgs(s, 0, &conf);
+ if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
+ pref = conf;
+ preflen = conflen;
+--
+2.9.3
+
+From b431b094330da3e54805c49fb262192e34bc3864 Mon Sep 17 00:00:00 2001
+From: Richard Levitte <levitte@openssl.org>
+Date: Sat, 28 Jan 2017 17:43:17 +0100
+Subject: [PATCH] X509_CRL_digest() - ensure precomputed sha1 hash before
+ returning it
+
+X509_CRL_digest() didn't check if the precomputed sha1 hash was actually
+present. This also makes sure there's an appropriate flag to check.
+
+Reviewed-by: Kurt Roeckx <kurt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/2314)
+(cherry picked from commit 6195848b2eea627c47f74b63eb2ba3dc3d5b6436)
+---
+ crypto/x509/x_all.c | 2 +-
+ crypto/x509/x_crl.c | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
+index 59f96a5..124dd2d 100644
+--- a/crypto/x509/x_all.c
++++ b/crypto/x509/x_all.c
+@@ -377,7 +377,7 @@ int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
+ int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type,
+ unsigned char *md, unsigned int *len)
+ {
+- if (type == EVP_sha1()) {
++ if (type == EVP_sha1() && (data->flags & EXFLAG_SET) != 0) {
+ /* Asking for SHA1; always computed in CRL d2i. */
+ if (len != NULL)
+ *len = sizeof(data->sha1_hash);
+diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
+index da9c6b6..dbed850 100644
+--- a/crypto/x509/x_crl.c
++++ b/crypto/x509/x_crl.c
+@@ -226,6 +226,8 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
+ if (crl->meth->crl_init(crl) == 0)
+ return 0;
+ }
++
++ crl->flags |= EXFLAG_SET;
+ break;
+
+ case ASN1_OP_FREE_POST:
+--
+2.9.3
+
diff --git a/openssl.spec b/openssl.spec
index 75d63f3..b57e345 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.0d
-Release: 1%{?dist}
+Release: 2%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -61,6 +61,7 @@ Patch42: openssl-1.1.0-fips.patch
Patch43: openssl-1.1.0-afalg-eventfd2.patch
Patch44: openssl-1.1.0-bio-fd-preserve-nl.patch
# Backported fixes including security fixes
+Patch60: openssl-1.1.0-backports.patch
License: OpenSSL
Group: System Environment/Libraries
@@ -161,6 +162,7 @@ cp %{SOURCE13} test/
%patch43 -p1 -b .eventfd2
%patch44 -p1 -b .preserve-nl
+%patch60 -p1 -b .backports
%build
# Figure out which flags we want to use.
@@ -428,6 +430,9 @@ export LD_LIBRARY_PATH
%postun libs -p /sbin/ldconfig
%changelog
+* Wed Feb 1 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0d-2
+- applied upstream fixes (fix regression in X509_CRL_digest)
+
* Thu Jan 26 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0d-1
- update to upstream version 1.1.0d
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-06-09 12:43 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-09 12:43 [rpms/openssl] rebase_40beta: applied upstream fixes (fix regression in X509_CRL_digest) Tomas Mraz
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox