core/openssl to 1.0.1e-5

core/openssl/PKGBUILD

@@ -9,7 +9,7 @@ _ver=1.0.1e
 # use a pacman compatible version scheme
 pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}}
 #pkgver=$_ver
-pkgrel=4
+pkgrel=5
 pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer Security'
 arch=('i686' 'x86_64')
 url='https://www.openssl.org'
@@ -21,11 +21,15 @@ backup=('etc/ssl/openssl.cnf')
 source=("https://www.openssl.org/source/${pkgname}-${_ver}.tar.gz"
         'no-rpath.patch'
         'ca-dir.patch'
-        'openssl-1.0.1e-fix_pod_syntax-1.patch')
+        'openssl-1.0.1e-fix_pod_syntax-1.patch'
+        'openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch'
+        'openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch')
 md5sums=('66bf6f10f060d561929de96f9dfe5b8c'
          'dc78d3d06baffc16217519242ce92478'
          '3bf51be3a1bbd262be46dc619f92aa90'
-         '88d3bef4bbdc640b0412315d8d347bdf')
+         '88d3bef4bbdc640b0412315d8d347bdf'
+         'ae7848bb152b8834ceff30c8c480d422'
+         'c5cc62a47cef72f4e5ad119a88e97ae4')
 
 prepare() {
 	cd $srcdir/$pkgname-$_ver
@@ -36,6 +40,12 @@ prepare() {
 	patch -p0 -i $srcdir/ca-dir.patch
 
 	patch -p1 -i $srcdir/openssl-1.0.1e-fix_pod_syntax-1.patch
+	# OpenSSL 1.0.0k, 1.0.1.d, 1.0.1e fail handshake with DTLS1_BAD_VER
+	# http://rt.openssl.org/Ticket/Display.html?id=2984
+	patch -p1 -i $srcdir/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch
+	# Communication problems with 1.0.1e
+	# http://rt.openssl.org/Ticket/Display.html?id=3002
+	patch -p1 -i $srcdir/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch
 }
 
 build() {

core/openssl/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch

@@ -0,0 +1,31 @@
+From 9fe4603b8245425a4c46986ed000fca054231253 Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dwmw2@infradead.org>
+Date: Tue, 12 Feb 2013 14:55:32 +0000
+Subject: Check DTLS_BAD_VER for version number.
+
+The version check for DTLS1_VERSION was redundant as
+DTLS1_VERSION > TLS1_1_VERSION, however we do need to
+check for DTLS1_BAD_VER for compatibility.
+
+PR:2984
+(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)
+---
+ ssl/s3_cbc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
+index 02edf3f..443a31e 100644
+--- a/ssl/s3_cbc.c
++++ b/ssl/s3_cbc.c
+@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
+ 	unsigned padding_length, good, to_check, i;
+ 	const unsigned overhead = 1 /* padding length byte */ + mac_size;
+ 	/* Check if version requires explicit IV */
+-	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
++	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
+ 		{
+ 		/* These lengths are all public so we can test them in
+ 		 * non-constant time.
+-- 
+1.8.4.2
+

core/openssl/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch

@@ -0,0 +1,32 @@
+From 9ab3ce124616cb12bd39c6aa1e1bde0f46969b29 Mon Sep 17 00:00:00 2001
+From: Andy Polyakov <appro@openssl.org>
+Date: Mon, 18 Mar 2013 19:29:41 +0100
+Subject: e_aes_cbc_hmac_sha1.c: fix rare bad record mac on AES-NI plaforms.
+
+PR: 3002
+(cherry picked from commit 5c60046553716fcf160718f59160493194f212dc)
+---
+ crypto/evp/e_aes_cbc_hmac_sha1.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c
+index 483e04b..fb2c884 100644
+--- a/crypto/evp/e_aes_cbc_hmac_sha1.c
++++ b/crypto/evp/e_aes_cbc_hmac_sha1.c
+@@ -328,10 +328,11 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ 
+ 				if (res!=SHA_CBLOCK) continue;
+ 
+-				mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
++				/* j is not incremented yet */
++				mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1));
+ 				data->u[SHA_LBLOCK-1] |= bitlen&mask;
+ 				sha1_block_data_order(&key->md,data,1);
+-				mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
++				mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1));
+ 				pmac->u[0] |= key->md.h0 & mask;
+ 				pmac->u[1] |= key->md.h1 & mask;
+ 				pmac->u[2] |= key->md.h2 & mask;
+-- 
+1.8.4.2
+