/[smeserver]/rpms/openssl/sme8/openssl-fips-0.9.8e-cve-2009-2409.patch
ViewVC logotype

Annotation of /rpms/openssl/sme8/openssl-fips-0.9.8e-cve-2009-2409.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Tue Feb 18 03:03:08 2014 UTC (10 years, 9 months ago) by wellsi
Branch: MAIN
CVS Tags: openssl-0_9_8e-28_el5_sme, openssl-0_9_8e-33_1_el5_sme, openssl-0_9_8e-32_1_el5_sme, openssl-0_9_8e-27_1_el5_sme, openssl-0_9_8e-27_el5_10_1, openssl-0_9_8e-31_1_el5_sme, HEAD
Branch point for: upstream
Initial import

1 wellsi 1.1 Skip signature validation on selfsigned certificates and
2     drop MD2 algorithm from the list of algorithms added to
3     EVP tables by default. (CVE-2009-2409)
4     diff -up openssl-fips-0.9.8e/crypto/evp/c_alld.c.nomd2 openssl-fips-0.9.8e/crypto/evp/c_alld.c
5     --- openssl-fips-0.9.8e/crypto/evp/c_alld.c.nomd2 2009-04-15 13:48:51.000000000 +0200
6     +++ openssl-fips-0.9.8e/crypto/evp/c_alld.c 2010-01-14 09:24:00.000000000 +0100
7     @@ -69,9 +69,6 @@ void OpenSSL_add_all_digests(void)
8     if (!FIPS_mode())
9     {
10     #endif
11     -#ifndef OPENSSL_NO_MD2
12     - EVP_add_digest(EVP_md2());
13     -#endif
14     #ifndef OPENSSL_NO_MD4
15     EVP_add_digest(EVP_md4());
16     #endif
17     diff -up openssl-fips-0.9.8e/crypto/x509/x509_vfy.c.nomd2 openssl-fips-0.9.8e/crypto/x509/x509_vfy.c
18     --- openssl-fips-0.9.8e/crypto/x509/x509_vfy.c.nomd2 2009-04-15 13:48:51.000000000 +0200
19     +++ openssl-fips-0.9.8e/crypto/x509/x509_vfy.c 2010-01-14 09:22:49.000000000 +0100
20     @@ -1013,7 +1013,11 @@ static int internal_verify(X509_STORE_CT
21     while (n >= 0)
22     {
23     ctx->error_depth=n;
24     - if (!xs->valid)
25     +
26     + /* Skip signature check for self signed certificates. It
27     + * doesn't add any security and just wastes time.
28     + */
29     + if (!xs->valid && xs != xi)
30     {
31     if ((pkey=X509_get_pubkey(xi)) == NULL)
32     {
33     @@ -1023,13 +1027,6 @@ static int internal_verify(X509_STORE_CT
34     if (!ok) goto end;
35     }
36     else if (X509_verify(xs,pkey) <= 0)
37     - /* XXX For the final trusted self-signed cert,
38     - * this is a waste of time. That check should
39     - * optional so that e.g. 'openssl x509' can be
40     - * used to detect invalid self-signatures, but
41     - * we don't verify again and again in SSL
42     - * handshakes and the like once the cert has
43     - * been declared trusted. */
44     {
45     ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
46     ctx->current_cert=xs;
47     diff -up openssl-fips-0.9.8e/ssl/ssl_algs.c.nomd2 openssl-fips-0.9.8e/ssl/ssl_algs.c
48     --- openssl-fips-0.9.8e/ssl/ssl_algs.c.nomd2 2009-04-15 14:09:42.000000000 +0200
49     +++ openssl-fips-0.9.8e/ssl/ssl_algs.c 2010-01-14 09:23:10.000000000 +0100
50     @@ -94,9 +94,6 @@ int SSL_library_init(void)
51     EVP_add_cipher(EVP_seed_cbc());
52     #endif
53    
54     -#ifndef OPENSSL_NO_MD2
55     - EVP_add_digest(EVP_md2());
56     -#endif
57     #ifndef OPENSSL_NO_MD5
58     EVP_add_digest(EVP_md5());
59     EVP_add_digest_alias(SN_md5,"ssl2-md5");

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed