/[smeserver]/rpms/openssl/sme8/openssl-fips-0.9.8e-cve-2009-2409.patch
ViewVC logotype

Contents of /rpms/openssl/sme8/openssl-fips-0.9.8e-cve-2009-2409.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Tue Feb 18 03:03:08 2014 UTC (10 years, 8 months ago) by wellsi
Branch: MAIN
CVS Tags: openssl-0_9_8e-28_el5_sme, openssl-0_9_8e-33_1_el5_sme, openssl-0_9_8e-32_1_el5_sme, openssl-0_9_8e-27_1_el5_sme, openssl-0_9_8e-27_el5_10_1, openssl-0_9_8e-31_1_el5_sme, HEAD
Branch point for: upstream
Initial import

1 Skip signature validation on selfsigned certificates and
2 drop MD2 algorithm from the list of algorithms added to
3 EVP tables by default. (CVE-2009-2409)
4 diff -up openssl-fips-0.9.8e/crypto/evp/c_alld.c.nomd2 openssl-fips-0.9.8e/crypto/evp/c_alld.c
5 --- openssl-fips-0.9.8e/crypto/evp/c_alld.c.nomd2 2009-04-15 13:48:51.000000000 +0200
6 +++ openssl-fips-0.9.8e/crypto/evp/c_alld.c 2010-01-14 09:24:00.000000000 +0100
7 @@ -69,9 +69,6 @@ void OpenSSL_add_all_digests(void)
8 if (!FIPS_mode())
9 {
10 #endif
11 -#ifndef OPENSSL_NO_MD2
12 - EVP_add_digest(EVP_md2());
13 -#endif
14 #ifndef OPENSSL_NO_MD4
15 EVP_add_digest(EVP_md4());
16 #endif
17 diff -up openssl-fips-0.9.8e/crypto/x509/x509_vfy.c.nomd2 openssl-fips-0.9.8e/crypto/x509/x509_vfy.c
18 --- openssl-fips-0.9.8e/crypto/x509/x509_vfy.c.nomd2 2009-04-15 13:48:51.000000000 +0200
19 +++ openssl-fips-0.9.8e/crypto/x509/x509_vfy.c 2010-01-14 09:22:49.000000000 +0100
20 @@ -1013,7 +1013,11 @@ static int internal_verify(X509_STORE_CT
21 while (n >= 0)
22 {
23 ctx->error_depth=n;
24 - if (!xs->valid)
25 +
26 + /* Skip signature check for self signed certificates. It
27 + * doesn't add any security and just wastes time.
28 + */
29 + if (!xs->valid && xs != xi)
30 {
31 if ((pkey=X509_get_pubkey(xi)) == NULL)
32 {
33 @@ -1023,13 +1027,6 @@ static int internal_verify(X509_STORE_CT
34 if (!ok) goto end;
35 }
36 else if (X509_verify(xs,pkey) <= 0)
37 - /* XXX For the final trusted self-signed cert,
38 - * this is a waste of time. That check should
39 - * optional so that e.g. 'openssl x509' can be
40 - * used to detect invalid self-signatures, but
41 - * we don't verify again and again in SSL
42 - * handshakes and the like once the cert has
43 - * been declared trusted. */
44 {
45 ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
46 ctx->current_cert=xs;
47 diff -up openssl-fips-0.9.8e/ssl/ssl_algs.c.nomd2 openssl-fips-0.9.8e/ssl/ssl_algs.c
48 --- openssl-fips-0.9.8e/ssl/ssl_algs.c.nomd2 2009-04-15 14:09:42.000000000 +0200
49 +++ openssl-fips-0.9.8e/ssl/ssl_algs.c 2010-01-14 09:23:10.000000000 +0100
50 @@ -94,9 +94,6 @@ int SSL_library_init(void)
51 EVP_add_cipher(EVP_seed_cbc());
52 #endif
53
54 -#ifndef OPENSSL_NO_MD2
55 - EVP_add_digest(EVP_md2());
56 -#endif
57 #ifndef OPENSSL_NO_MD5
58 EVP_add_digest(EVP_md5());
59 EVP_add_digest_alias(SN_md5,"ssl2-md5");

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed