diff -Nru openssl-1.0.1i/debian/changelog openssl-1.0.1i/debian/changelog --- openssl-1.0.1i/debian/changelog 2014-08-07 00:22:03.000000000 +0200 +++ openssl-1.0.1i/debian/changelog 2014-08-07 19:38:25.000000000 +0200 @@ -1,3 +1,35 @@ +openssl (1.0.1i-1ubuntu1) utopic; urgency=low + + * Merge from Debian unstable (LP: #1354110). Remaining changes: + - debian/libssl1.0.0.postinst: + + Use a different priority for libssl1.0.0/restart-services depending + on whether a desktop, or server dist-upgrade is being performed. + - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create + libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package + in Debian). + - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, + rules}: Move runtime libraries to /lib, for the benefit of + wpasupplicant. + - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under + .pc. + - debian/rules: + + Don't run 'make test' when cross-building. + + Use host compiler when cross-building. Patch from Neil Williams. + + Don't build for processors no longer supported: i586 (on i386) + + Fix Makefile to properly clean up libs/ dirs in clean target. + + Replace duplicate files in the doc directory with symlinks. + - debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-* + - debian/rules: Enable optimized 64bit elliptic curve code contributed + by Google. + + * Dropped changes: + - debian/patches/{CVE-2014-0076,CVE-2014-0160,CVE-2010-5298,CVE-2014-0198, + CVE-2014-0195,CVE-2014-0221,CVE-2014-0224-1,CVE-2014-0224-2,CVE-2014-3470, + CVE-2014-0224-3,CVE-2014-0224-regression,CVE-2014-0224-regression2}.patch + addressed upstream + + -- Gianfranco Costamagna Thu, 07 Aug 2014 19:29:55 +0200 + openssl (1.0.1i-1) unstable; urgency=high * New upstream release 
@@ -86,6 +118,110 @@ -- Kurt Roeckx Mon, 07 Apr 2014 23:17:42 +0200 +openssl (1.0.1f-1ubuntu6) utopic; urgency=medium + + * SECURITY UPDATE: regression with certain renegotiations (LP: #1332643) + - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after + sending finished ssl/s3_clnt.c. + + -- Marc Deslauriers Fri, 20 Jun 2014 13:51:23 -0400 + +openssl (1.0.1f-1ubuntu5) utopic; urgency=medium + + * SECURITY UPDATE: regression with tls_session_secret_cb (LP: #1329297) + - debian/patches/CVE-2014-0224.patch: set the CCS_OK flag when using + tls_session_secret_cb for session resumption in ssl/s3_clnt.c. + + -- Marc Deslauriers Thu, 12 Jun 2014 08:23:12 -0400 + +openssl (1.0.1f-1ubuntu4) utopic; urgency=medium + + * SECURITY UPDATE: arbitrary code execution via DTLS invalid fragment + - debian/patches/CVE-2014-0195.patch: add consistency check for DTLS + fragments in ssl/d1_both.c. + - CVE-2014-0195 + * SECURITY UPDATE: denial of service via DTLS recursion flaw + - debian/patches/CVE-2014-0221.patch: handle DTLS hello request without + recursion in ssl/d1_both.c. + - CVE-2014-0221 + * SECURITY UPDATE: MITM via change cipher spec + - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec + when it is expected in ssl/s3_clnt.c, ssl/s3_pkt.c, ssl/s3_srvr.c, + ssl/ssl3.h. + - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master + secrets in ssl/s3_pkt.c. + - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in + ssl/s3_clnt.c. + - CVE-2014-0224 + * SECURITY UPDATE: denial of service via ECDH null session cert + - debian/patches/CVE-2014-3470.patch: check session_cert is not NULL + before dereferencing it in ssl/s3_clnt.c. + - CVE-2014-3470 + + -- Marc Deslauriers Thu, 05 Jun 2014 08:39:17 -0400 + +openssl (1.0.1f-1ubuntu3) utopic; urgency=medium + + * SECURITY UPDATE: denial of service via use after free + - debian/patches/CVE-2010-5298.patch: check s->s3->rbuf.left before + releasing buffers in ssl/s3_pkt.c. 
+ - CVE-2010-5298 + * SECURITY UPDATE: denial of service via null pointer dereference + - debian/patches/CVE-2014-0198.patch: if buffer was released, get a new + one in ssl/s3_pkt.c. + - CVE-2014-0198 + + -- Marc Deslauriers Fri, 02 May 2014 15:18:26 -0400 + +openssl (1.0.1f-1ubuntu2) trusty; urgency=medium + + * SECURITY UPDATE: side-channel attack on Montgomery ladder implementation + - debian/patches/CVE-2014-0076.patch: add and use constant time swap in + crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c, + util/libeay.num. + - CVE-2014-0076 + * SECURITY UPDATE: memory disclosure in TLS heartbeat extension + - debian/patches/CVE-2014-0160.patch: use correct lengths in + ssl/d1_both.c, ssl/t1_lib.c. + - CVE-2014-0160 + + -- Marc Deslauriers Mon, 07 Apr 2014 15:37:53 -0400 + +openssl (1.0.1f-1ubuntu1) trusty; urgency=low + + * Merge with Debian, remaining changes. + - debian/libssl1.0.0.postinst: + + Display a system restart required notification on libssl1.0.0 + upgrade on servers. + + Use a different priority for libssl1.0.0/restart-services depending + on whether a desktop, or server dist-upgrade is being performed. + - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create + libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package + in Debian). + - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, + rules}: Move runtime libraries to /lib, for the benefit of + wpasupplicant. + - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under + .pc. + - debian/rules: + + Don't run 'make test' when cross-building. + + Use host compiler when cross-building. Patch from Neil Williams. + + Don't build for processors no longer supported: i586 (on i386) + + Fix Makefile to properly clean up libs/ dirs in clean target. + + Replace duplicate files in the doc directory with symlinks. + - debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-* + - debian/patches/ubuntu_deb676533_arm_asm.patch: Enable arm assembly + code. 
+ - debian/rules: Enable optimized 64bit elliptic curve code contributed + by Google. + * Dropped changes: + - debian/patches/arm64-support: included in debian-targets.patch + - debian/patches/no_default_rdrand.patch: upstream + - debian/patches/openssl-1.0.1e-env-zlib.patch: zlib is now completely + disabled in debian/rules + + -- Marc Deslauriers Wed, 08 Jan 2014 15:57:24 -0500 + openssl (1.0.1f-1) unstable; urgency=high * New upstream version @@ -127,6 +263,34 @@ -- Kurt Roeckx Sun, 22 Dec 2013 19:25:35 +0100 +openssl (1.0.1e-4ubuntu4) trusty; urgency=low + + * debian/patches/no_default_rdrand.patch: Don't use rdrand engine as + default unless explicitly requested. + + -- Marc Deslauriers Thu, 19 Dec 2013 15:39:22 -0500 + +openssl (1.0.1e-4ubuntu3) trusty; urgency=medium + + * Update debian configuration. + + -- Matthias Klose Thu, 05 Dec 2013 14:34:48 +0100 + +openssl (1.0.1e-4ubuntu2) trusty; urgency=low + + * Re-enable full TLSv1.2 support (LP: #1257877) + - debian/patches/tls12_workarounds.patch: disable patch to re-enable + full TLSv1.2 support. Most problematic sites have been fixed now, and + we really want proper TLSv1.2 support in an LTS. + + -- Marc Deslauriers Wed, 04 Dec 2013 12:33:44 -0500 + +openssl (1.0.1e-4ubuntu1) trusty; urgency=low + + * Merge with Debian; remaining changes same as in 1.0.1e-3ubuntu1. + + -- Matthias Klose Wed, 04 Dec 2013 11:28:00 +0100 + openssl (1.0.1e-4) unstable; urgency=low [ Peter Michael Green ] 
@@ -149,6 +313,50 @@ -- Kurt Roeckx Fri, 01 Nov 2013 17:11:53 +0100 +openssl (1.0.1e-3ubuntu1) saucy; urgency=low + + * Merge with Debian, remaining changes. + - debian/libssl1.0.0.postinst: + + Display a system restart required notification on libssl1.0.0 + upgrade on servers. + + Use a different priority for libssl1.0.0/restart-services depending + on whether a desktop, or server dist-upgrade is being performed. + - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create + libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package + in Debian). + - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, + rules}: Move runtime libraries to /lib, for the benefit of + wpasupplicant. + - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under + .pc. + - debian/rules: + + Don't run 'make test' when cross-building. + + Use host compiler when cross-building. Patch from Neil Williams. + + Don't build for processors no longer supported: i586 (on i386) + + Fix Makefile to properly clean up libs/ dirs in clean target. + + Replace duplicate files in the doc directory with symlinks. + - Unapply patch c_rehash-multi and comment it out in the series as it + breaks parsing of certificates with CRLF line endings and other cases + (see Debian #642314 for discussion), it also changes the semantics of + c_rehash directories by requiring applications to parse hash link + targets as files containing potentially *multiple* certificates rather + than exactly one. + - debian/patches/tls12_workarounds.patch: Workaround large client hello + issues when TLS 1.1 and lower is in use + - debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-* + - debian/patches/ubuntu_deb676533_arm_asm.patch: Enable arm assembly + code. + - debian/patches/arm64-support: Add basic arm64 support (no assembler) + - debian/rules: Enable optimized 64bit elliptic curve code contributed + by Google. 
+ * debian/patches/tls12_workarounds.patch: updated to also disable TLS 1.2 + in test suite since we disable it in the client. + * Disable compression to avoid CRIME systemwide (CVE-2012-4929). + * Dropped changes: + - debian/patches/ubuntu_deb676533_arm_asm.patch, applied in Debian. + + -- Matthias Klose Mon, 15 Jul 2013 14:07:52 +0200 + openssl (1.0.1e-3) unstable; urgency=low * Move to /usr/include/$(DEB_HOST_MULTIARCH), and 
@@ -163,6 +371,66 @@ -- Kurt Roeckx Mon, 20 May 2013 16:56:06 +0200 +openssl (1.0.1e-2ubuntu1.1) saucy-security; urgency=low + + * SECURITY UPDATE: Disable compression to avoid CRIME systemwide + (LP: #1187195) + - CVE-2012-4929 + - debian/patches/openssl-1.0.1e-env-zlib.patch: disable default use of + zlib to compress SSL/TLS unless the environment variable + OPENSSL_DEFAULT_ZLIB is set in the environment during library + initialization. + - Introduced to assist with programs not yet updated to provide their own + controls on compression, such as Postfix + - http://pkgs.fedoraproject.org/cgit/openssl.git/plain/openssl-1.0.1e-env-zlib.patch + + -- Seth Arnold Mon, 03 Jun 2013 18:14:05 -0700 + +openssl (1.0.1e-2ubuntu1) saucy; urgency=low + + * Resynchronise with Debian unstable. Remaining changes: + - debian/libssl1.0.0.postinst: + + Display a system restart required notification on libssl1.0.0 + upgrade on servers. + + Use a different priority for libssl1.0.0/restart-services depending + on whether a desktop, or server dist-upgrade is being performed. + - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create + libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package + in Debian). + - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, + rules}: Move runtime libraries to /lib, for the benefit of + wpasupplicant. + - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under + .pc. + - debian/rules: + + Don't run 'make test' when cross-building. + + Use host compiler when cross-building. Patch from Neil Williams. + + Don't build for processors no longer supported: i586 (on i386) + + Fix Makefile to properly clean up libs/ dirs in clean target. + + Replace duplicate files in the doc directory with symlinks. 
+ - Unapply patch c_rehash-multi and comment it out in the series as it + breaks parsing of certificates with CRLF line endings and other cases + (see Debian #642314 for discussion), it also changes the semantics of + c_rehash directories by requiring applications to parse hash link + targets as files containing potentially *multiple* certificates rather + than exactly one. + - debian/patches/tls12_workarounds.patch: Workaround large client hello + issues when TLS 1.1 and lower is in use + - debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-* + - debian/patches/ubuntu_deb676533_arm_asm.patch: Enable arm assembly + code. + - debian/patches/arm64-support: Add basic arm64 support (no assembler) + - debian/rules: Enable optimized 64bit elliptic curve code contributed + by Google. + * debian/patches/tls12_workarounds.patch: updated to also disable TLS 1.2 + in test suite since we disable it in the client. + * Dropped changes: + - debian/patches/CVE-2013-0169.patch: upstream. + - debian/patches/fix_key_decoding_deadlock.patch: upstream. + - debian/patches/CVE-2013-0166.patch: upstream. + + -- Marc Deslauriers Tue, 21 May 2013 16:31:47 -0400 + openssl (1.0.1e-2) unstable; urgency=high * Bump shlibs. It's needed for the udeb. 
@@ -190,6 +458,104 @@ -- Kurt Roeckx Sun, 09 Sep 2012 08:43:40 +0200 +openssl (1.0.1c-4ubuntu8) raring; urgency=low + + * SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack + - debian/patches/CVE-2013-0169.patch: re-enabled patch and added extra + commit from upstream to fix regression. + - CVE-2013-0169 + + -- Marc Deslauriers Tue, 19 Mar 2013 14:33:14 -0400 + +openssl (1.0.1c-4ubuntu7) raring; urgency=low + + * Enable optimized 64bit elliptic curve code contributed by Google. (LP: #1018522) + + -- Dmitrijs Ledkovs Thu, 07 Mar 2013 15:36:16 +0000 + +openssl (1.0.1c-4ubuntu6) raring; urgency=low + + * debian/patches/fix_key_decoding_deadlock.patch: Fix possible deadlock + when decoding public keys. (LP: #1066032) + + -- Marc Deslauriers Wed, 06 Mar 2013 08:11:19 -0500 + +openssl (1.0.1c-4ubuntu5) raring; urgency=low + + * REGRESSION FIX: decryption errors on AES-NI hardware (LP: #1134873, + LP: #1133333) + - debian/patches/CVE-2013-0169.patch: disabled for now until fix is + available from upstream. + + -- Marc Deslauriers Thu, 28 Feb 2013 11:01:29 -0500 + +openssl (1.0.1c-4ubuntu4) raring; urgency=low + + * SECURITY UPDATE: denial of service via invalid OCSP key + - debian/patches/CVE-2013-0166.patch: properly handle NULL key in + crypto/asn1/a_verify.c, crypto/ocsp/ocsp_vfy.c. + - CVE-2013-0166 + * SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack + - debian/patches/CVE-2013-0169.patch: massive code changes + - CVE-2013-0169 + * SECURITY UPDATE: denial of service via AES-NI and crafted CBC data + - Fix included in CVE-2013-0169 patch + - CVE-2012-2686 + + -- Marc Deslauriers Tue, 19 Feb 2013 13:25:24 -0500 + +openssl (1.0.1c-4ubuntu3) raring; urgency=low + + * Add basic arm64 support (no assembler) (LP: #1102107) + + -- Wookey Sun, 20 Jan 2013 17:30:15 +0000 + +openssl (1.0.1c-4ubuntu2) raring; urgency=low + + * Enable arm assembly code. 
(LP: #1083498) (Closes: #676533) + + -- Dmitrijs Ledkovs Wed, 28 Nov 2012 00:08:45 +0000 + +openssl (1.0.1c-4ubuntu1) raring; urgency=low + + * Resynchronise with Debian (LP: #1077228). Remaining changes: + - debian/libssl1.0.0.postinst: + + Display a system restart required notification on libssl1.0.0 + upgrade on servers. + + Use a different priority for libssl1.0.0/restart-services depending + on whether a desktop, or server dist-upgrade is being performed. + - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create + libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package + in Debian). + - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, + rules}: Move runtime libraries to /lib, for the benefit of + wpasupplicant. + - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under + .pc. + - debian/rules: + + Don't run 'make test' when cross-building. + + Use host compiler when cross-building. Patch from Neil Williams. + + Don't build for processors no longer supported: i586 (on i386) + + Fix Makefile to properly clean up libs/ dirs in clean target. + + Replace duplicate files in the doc directory with symlinks. + - Unapply patch c_rehash-multi and comment it out in the series as it + breaks parsing of certificates with CRLF line endings and other cases + (see Debian #642314 for discussion), it also changes the semantics of + c_rehash directories by requiring applications to parse hash link + targets as files containing potentially *multiple* certificates rather + than exactly one. + - Bump version passed to dh_makeshlibs to 1.0.1 for new symbols. + - debian/patches/tls12_workarounds.patch: Workaround large client hello + issues when TLS 1.1 and lower is in use + - debian/control: Mark Debian Vcs-* as XS-Debian-Vcs-* + * Dropped changes: + - Drop openssl-doc in favour of the libssl-doc package introduced by + Debian. Add Conflicts/Replaces until the next LTS release. 
+ + Drop the Conflicts/Replaces because 12.04 LTS was 'the next LTS + release' + + -- Tyler Hicks Fri, 09 Nov 2012 14:49:13 -0800 + openssl (1.0.1c-4) unstable; urgency=low * Fix the configure rules for alpha (Closes: #672710) 
@@ -204,6 +570,61 @@ -- Kurt Roeckx Tue, 17 Jul 2012 11:49:19 +0200 +openssl (1.0.1c-3ubuntu2) quantal; urgency=low + + [ Tyler Hicks ] + * debian/patches/tls12_workarounds.patch: Readd the change to check + TLS1_get_client_version rather than TLS1_get_version to fix incorrect + client hello cipher list truncation when TLS 1.1 and lower is in use. + (LP: #1051892) + + [ Micah Gersten ] + * Mark Debian Vcs-* as XS-Debian-Vcs-* + - update debian/control + + -- Tyler Hicks Thu, 04 Oct 2012 10:34:57 -0700 + +openssl (1.0.1c-3ubuntu1) quantal; urgency=low + + * Resynchronise with Debian. Remaining changes: + - debian/libssl1.0.0.postinst: + + Display a system restart required notification on libssl1.0.0 + upgrade on servers. + + Use a different priority for libssl1.0.0/restart-services depending + on whether a desktop, or server dist-upgrade is being performed. + - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create + libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package + in Debian). + - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, + rules}: Move runtime libraries to /lib, for the benefit of + wpasupplicant. + - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under + .pc. + - debian/rules: + + Don't run 'make test' when cross-building. + + Use host compiler when cross-building. Patch from Neil Williams. + + Don't build for processors no longer supported: i586 (on i386) + + Fix Makefile to properly clean up libs/ dirs in clean target. + + Replace duplicate files in the doc directory with symlinks. + - Unapply patch c_rehash-multi and comment it out in the series as it + breaks parsing of certificates with CRLF line endings and other cases + (see Debian #642314 for discussion), it also changes the semantics of + c_rehash directories by requiring applications to parse hash link + targets as files containing potentially *multiple* certificates rather + than exactly one. 
+ - Bump version passed to dh_makeshlibs to 1.0.1 for new symbols. + - debian/patches/tls12_workarounds.patch: workaround large client hello + issue: Compile with -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 and + with -DOPENSSL_NO_TLS1_2_CLIENT. + * Dropped upstreamed patches: + - debian/patches/CVE-2012-2110.patch + - debian/patches/CVE-2012-2110b.patch + - debian/patches/CVE-2012-2333.patch + - debian/patches/CVE-2012-0884-extra.patch + - most of debian/patches/tls12_workarounds.patch + + -- Marc Deslauriers Fri, 29 Jun 2012 13:01:30 -0400 + openssl (1.0.1c-3) unstable; urgency=low * Disable padlock engine again, causes problems for hosts not supporting it. 
@@ -259,6 +680,93 @@ -- Kurt Roeckx Thu, 19 Apr 2012 19:54:12 +0200 +openssl (1.0.1-4ubuntu6) quantal; urgency=low + + * SECURITY UPDATE: denial of service attack in DTLS, TLS v1.1 and + TLS v1.2 implementation + - debian/patches/CVE_2012-2333.patch: guard for integer overflow + before skipping explicit IV + - CVE-2012-2333 + * debian/patches/CVE-2012-0884-extra.patch: initialize tkeylen + properly when encrypting CMS messages. + + -- Steve Beattie Thu, 24 May 2012 16:05:04 -0700 + +openssl (1.0.1-4ubuntu5) precise-proposed; urgency=low + + * debian/patches/CVE-2012-2110b.patch: Use correct error code in + BUF_MEM_grow_clean() + + -- Jamie Strandboge Tue, 24 Apr 2012 08:29:32 -0500 + +openssl (1.0.1-4ubuntu4) precise-proposed; urgency=low + + * Check TLS1_get_client_version rather than TLS1_get_version for client + hello cipher list truncation, in a further attempt to get things working + again for everyone (LP: #986147). + + -- Colin Watson Tue, 24 Apr 2012 14:05:50 +0100 + +openssl (1.0.1-4ubuntu3) precise-proposed; urgency=low + + * SECURITY UPDATE: fix various overflows + - debian/patches/CVE-2012-2110.patch: adjust crypto/a_d2i_fp.c, + crypto/buffer.c and crypto/mem.c to verify size of lengths + - CVE-2012-2110 + + -- Jamie Strandboge Thu, 19 Apr 2012 10:31:06 -0500 + +openssl (1.0.1-4ubuntu2) precise-proposed; urgency=low + + * Backport more upstream patches to work around TLS 1.2 failures + (LP #965371): + - Do not use record version number > TLS 1.0 in initial client hello: + some (but not all) hanging servers will now work. + - Truncate the number of ciphers sent in the client hello to 50. Most + broken servers should now work. + - Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections. + * Don't re-enable TLS 1.2 client support by default yet, since more of the + sites listed in the above bug and its duplicates still fail if I do that + versus leaving it disabled. 
+ + -- Colin Watson Wed, 18 Apr 2012 15:03:56 +0100 + +openssl (1.0.1-4ubuntu1) precise; urgency=low + + * Resynchronise with Debian (LP: #968753). Remaining changes: + - debian/libssl1.0.0.postinst: + + Display a system restart required notification on libssl1.0.0 + upgrade on servers. + + Use a different priority for libssl1.0.0/restart-services depending + on whether a desktop, or server dist-upgrade is being performed. + - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create + libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package + in Debian). + - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, + rules}: Move runtime libraries to /lib, for the benefit of + wpasupplicant. + - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under + .pc. + - debian/rules: + + Don't run 'make test' when cross-building. + + Use host compiler when cross-building. Patch from Neil Williams. + + Don't build for processors no longer supported: i586 (on i386) + + Fix Makefile to properly clean up libs/ dirs in clean target. + + Replace duplicate files in the doc directory with symlinks. + - Unapply patch c_rehash-multi and comment it out in the series as it + breaks parsing of certificates with CRLF line endings and other cases + (see Debian #642314 for discussion), it also changes the semantics of + c_rehash directories by requiring applications to parse hash link + targets as files containing potentially *multiple* certificates rather + than exactly one. + - Bump version passed to dh_makeshlibs to 1.0.1 for new symbols. + - Experimental workaround to large client hello issue: if + OPENSSL_NO_TLS1_2_CLIENT is set then TLS v1.2 is disabled for clients + only. + - Compile with -DOPENSSL_NO_TLS1_2_CLIENT. + + -- Colin Watson Tue, 10 Apr 2012 20:50:52 +0100 + openssl (1.0.1-4) unstable; urgency=low * Use official patch for the vpaes problem, also covering amd64. 
@@ -273,6 +781,70 @@ -- Kurt Roeckx Sat, 31 Mar 2012 18:35:59 +0200 +openssl (1.0.1-2ubuntu4) precise; urgency=low + + * Pass cross-compiling options to 'make install' as well, since apparently + it likes to rebuild fips_premain_dso. + + -- Colin Watson Sat, 31 Mar 2012 00:48:38 +0100 + +openssl (1.0.1-2ubuntu3) precise; urgency=low + + * Temporarily work around TLS 1.2 failures as suggested by upstream + (LP #965371): + - Use client version when deciding whether to send supported signature + algorithms extension. + - Experimental workaround to large client hello issue: if + OPENSSL_NO_TLS1_2_CLIENT is set then TLS v1.2 is disabled for clients + only. + - Compile with -DOPENSSL_NO_TLS1_2_CLIENT. + This fixes most of the reported problems, but does not fix the case of + servers that reject version numbers they don't support rather than + trying to negotiate a lower version (e.g. www.mediafire.com). + + -- Colin Watson Fri, 30 Mar 2012 17:11:45 +0100 + +openssl (1.0.1-2ubuntu2) precise; urgency=low + + * Remove compat symlinks from /usr/lib to /lib, as they cause + some serious issued with symbol generation, and are not needed. + * Bump version passed to dh_makeshlibs to 1.0.1 for new symbols. + + -- Adam Conrad Fri, 23 Mar 2012 21:39:39 -0600 + +openssl (1.0.1-2ubuntu1) precise; urgency=low + + * Resynchronise with Debian (LP: #958430). Remaining changes: + - debian/libssl1.0.0.postinst: + + Display a system restart required notification on libssl1.0.0 + upgrade on servers. + + Use a different priority for libssl1.0.0/restart-services depending + on whether a desktop, or server dist-upgrade is being performed. + - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create + libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package + in Debian). + - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, + rules}: Move runtime libraries to /lib, for the benefit of + wpasupplicant. + - debian/patches/perlpath-quilt.patch: Don't change perl #! 
paths under + .pc. + - debian/rules: + + Don't run 'make test' when cross-building. + + Use host compiler when cross-building. Patch from Neil Williams. + + Don't build for processors no longer supported: i586 (on i386) + + Fix Makefile to properly clean up libs/ dirs in clean target. + + Replace duplicate files in the doc directory with symlinks. + - Unapply patch c_rehash-multi and comment it out in the series as it + breaks parsing of certificates with CRLF line endings and other cases + (see Debian #642314 for discussion), it also changes the semantics of + c_rehash directories by requiring applications to parse hash link + targets as files containing potentially *multiple* certificates rather + than exactly one. + * Drop aesni.patch, applied upstream. + * Drop Bsymbolic-functions.patch, now handled using dpkg-buildflags. + + -- Colin Watson Thu, 22 Mar 2012 17:54:09 +0000 + openssl (1.0.1-2) unstable; urgency=low * Properly quote the new cflags in Configure 
@@ -312,6 +884,42 @@ -- Kurt Roeckx Tue, 13 Mar 2012 21:08:17 +0100 +openssl (1.0.0g-1ubuntu1) precise; urgency=low + + * Resynchronise with Debian. Remaining changes: + - debian/libssl1.0.0.postinst: + + Display a system restart required notification on libssl1.0.0 + upgrade on servers. + + Use a different priority for libssl1.0.0/restart-services depending + on whether a desktop, or server dist-upgrade is being performed. + - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create + libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package + in Debian). + - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, + rules}: Move runtime libraries to /lib, for the benefit of + wpasupplicant. + - debian/patches/aesni.patch: Backport Intel AES-NI support, now from + http://rt.openssl.org/Ticket/Display.html?id=2065 rather than the + 0.9.8 variant. + - debian/patches/Bsymbolic-functions.patch: Link using + -Bsymbolic-functions. + - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under + .pc. + - debian/rules: + + Don't run 'make test' when cross-building. + + Use host compiler when cross-building. Patch from Neil Williams. + + Don't build for processors no longer supported: i586 (on i386) + + Fix Makefile to properly clean up libs/ dirs in clean target. + + Replace duplicate files in the doc directory with symlinks. + - Unapply patch c_rehash-multi and comment it out in the series as it + breaks parsing of certificates with CRLF line endings and other cases + (see Debian #642314 for discussion), it also changes the semantics of + c_rehash directories by requiring applications to parse hash link + targets as files containing potentially *multiple* certificates + rather than exactly one. + + -- Marc Deslauriers Sat, 11 Feb 2012 13:27:31 -0500 + openssl (1.0.0g-1) unstable; urgency=high * New upstream version 
@@ -327,6 +935,42 @@ -- Kurt Roeckx Thu, 12 Jan 2012 19:02:43 +0100 +openssl (1.0.0e-3ubuntu1) precise; urgency=low + + * Resynchronise with Debian. Remaining changes: + - debian/libssl1.0.0.postinst: + + Display a system restart required notification on libssl1.0.0 + upgrade on servers. + + Use a different priority for libssl1.0.0/restart-services depending + on whether a desktop, or server dist-upgrade is being performed. + - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create + libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package + in Debian). + - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, + rules}: Move runtime libraries to /lib, for the benefit of + wpasupplicant. + - debian/patches/aesni.patch: Backport Intel AES-NI support, now from + http://rt.openssl.org/Ticket/Display.html?id=2065 rather than the + 0.9.8 variant. + - debian/patches/Bsymbolic-functions.patch: Link using + -Bsymbolic-functions. + - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under + .pc. + - debian/rules: + + Don't run 'make test' when cross-building. + + Use host compiler when cross-building. Patch from Neil Williams. + + Don't build for processors no longer supported: i586 (on i386) + + Fix Makefile to properly clean up libs/ dirs in clean target. + + Replace duplicate files in the doc directory with symlinks. + - Unapply patch c_rehash-multi and comment it out in the series as it + breaks parsing of certificates with CRLF line endings and other cases + (see Debian #642314 for discussion), it also changes the semantics of + c_rehash directories by requiring applications to parse hash link + targets as files containing potentially *multiple* certificates + rather than exactly one. + + -- Marc Deslauriers Thu, 12 Jan 2012 11:30:17 +0100 + openssl (1.0.0e-3) unstable; urgency=low * Don't build v8 and v9 variants of sparc anymore, they're older than 
@@ -344,6 +988,68 @@ -- Raphael Geissert Sun, 06 Nov 2011 01:39:30 -0600 +openssl (1.0.0e-2ubuntu4) oneiric; urgency=low + + * The previous change moved the notification to major upgrades only, but + in fact, we do want the sysadmin to be notified when security updates + are installed, without having services automatically restarted. + (LP: #244250) + + -- Marc Deslauriers Tue, 04 Oct 2011 09:31:22 -0400 + +openssl (1.0.0e-2ubuntu3) oneiric; urgency=low + + * Only issue a restart required notification on important upgrades, and + not other actions such as reconfiguration or initial installation. + (LP: #244250) + + -- Anders Kaseorg Tue, 04 Oct 2011 13:33:35 +0100 + +openssl (1.0.0e-2ubuntu2) oneiric; urgency=low + + * Unapply patch c_rehash-multi and comment it out in the series as it breaks + parsing of certificates with CRLF line endings and other cases (see + Debian #642314 for discussion), it also changes the semantics of c_rehash + directories by requiring applications to parse hash link targets as files + containing potentially *multiple* certificates rather than exactly one. + LP: #855454. + + -- Loïc Minier Tue, 27 Sep 2011 18:13:07 +0200 + +openssl (1.0.0e-2ubuntu1) oneiric; urgency=low + + * Resynchronise with Debian, fixes CVE-2011-1945, CVE-2011-3207 and + CVE-2011-3210 (LP: #850608). Remaining changes: + - debian/libssl1.0.0.postinst: + + Display a system restart required notification bubble on libssl1.0.0 + upgrade. + + Use a different priority for libssl1.0.0/restart-services depending + on whether a desktop, or server dist-upgrade is being performed. + - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create + libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package + in Debian). + - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, + rules}: Move runtime libraries to /lib, for the benefit of + wpasupplicant. 
+ - debian/patches/aesni.patch: Backport Intel AES-NI support, now from + http://rt.openssl.org/Ticket/Display.html?id=2065 rather than the + 0.9.8 variant. + - debian/patches/Bsymbolic-functions.patch: Link using + -Bsymbolic-functions. + - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under + .pc. + - debian/rules: + + Don't run 'make test' when cross-building. + + Use host compiler when cross-building. Patch from Neil Williams. + + Don't build for processors no longer supported: i486, i586 (on + i386), v8 (on sparc). + + Fix Makefile to properly clean up libs/ dirs in clean target. + + Replace duplicate files in the doc directory with symlinks. + * debian/libssl1.0.0.postinst: only display restart notification on + servers (LP: #244250) + + -- Steve Beattie Wed, 14 Sep 2011 22:06:03 -0700 + openssl (1.0.0e-2) unstable; urgency=low * Add a missing $(DEB_HOST_MULTIARCH) 
@@ -387,6 +1093,49 @@ -- Kurt Roeckx Mon, 13 Jun 2011 12:39:54 +0200 +openssl (1.0.0d-2ubuntu2) oneiric; urgency=low + + * Build for multiarch. LP: #826601. + + -- Steve Langasek Mon, 15 Aug 2011 01:58:35 -0700 + +openssl (1.0.0d-2ubuntu1) oneiric; urgency=low + + * Resynchronise with Debian (LP: #675566). Remaining changes: + - debian/libssl1.0.0.postinst: + + Display a system restart required notification bubble on libssl1.0.0 + upgrade. + + Use a different priority for libssl1.0.0/restart-services depending + on whether a desktop, or server dist-upgrade is being performed. + - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create + libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package + in Debian). + - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files, + rules}: Move runtime libraries to /lib, for the benefit of + wpasupplicant. + - debian/patches/aesni.patch: Backport Intel AES-NI support, now from + http://rt.openssl.org/Ticket/Display.html?id=2065 rather than the + 0.9.8 variant. + - debian/patches/Bsymbolic-functions.patch: Link using + -Bsymbolic-functions. + - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under + .pc. + - debian/rules: + + Don't run 'make test' when cross-building. + + Use host compiler when cross-building. Patch from Neil Williams. + + Don't build for processors no longer supported: i486, i586 (on + i386), v8 (on sparc). + + Fix Makefile to properly clean up libs/ dirs in clean target. + + Replace duplicate files in the doc directory with symlinks. + * Update architectures affected by Bsymbolic-functions.patch. + * Drop debian/patches/no-sslv2.patch; Debian now adds the 'no-ssl2' + configure option, which compiles out SSLv2 support entirely, so this is + no longer needed. + * Drop openssl-doc in favour of the libssl-doc package introduced by + Debian. Add Conflicts/Replaces until the next LTS release. 
+ + -- Colin Watson Sun, 01 May 2011 23:51:53 +0100 + openssl (1.0.0d-2) unstable; urgency=high * Make c_rehash also generate the old subject hash. Gnutls applications 
@@ -437,12 +1186,128 @@ -- Kurt Roeckx Sun, 12 Dec 2010 15:37:21 +0100 +openssl (0.9.8o-5ubuntu1) natty; urgency=low + + * Merge from debian unstable. Remaining changes: (LP: #718205) + - d/libssl0.9.8.postinst: + + Display a system restart required notification bubble + on libssl0.9.8 upgrade. + + Use a different priority for libssl0.9.8/restart-services + depending on whether a desktop, or server dist-upgrade + is being performed. + - d/{libssl0.9.8-udeb.dirs, control, rules}: Create + libssl0.9.8-udeb, for the benefit of wget-udeb (no wget-udeb + package in Debian). + - d/{libcrypto0.9.8-udeb.dirs, libssl0.9.8.dirs, libssl0.9.8.files, + rules}: Move runtime libraries to /lib, for the benefit of wpasupplicant. + - d/{control, openssl-doc.docs, openssl.docs, openssl.dirs}: + + Ship documentation in openssl-doc, suggested by the package. + (Closes: #470594) + - d/p/aesni.patch: Backport Intel AES-NI support from + http://rt.openssl.org/Ticket/Display.html?id=2067 (refreshed) + - d/p/Bsymbolic-functions.patch: Link using -Bsymbolic-functions. + - d/p/perlpath-quilt.patch: Don't change perl #! paths under .pc. + - d/p/no-sslv2.patch: Disable SSLv2 to match NSS and GnuTLS. + The protocol is unsafe and extremely deprecated. (Closes: #589706) + - d/rules: + + Disable SSLv2 during compile. (Closes: #589706) + + Don't run 'make test' when cross-building. + + Use host compiler when cross-building. Patch from Neil Williams. + (Closes: #465248) + + Don't build for processors no longer supported: i486, i586 + (on i386), v8 (on sparc). + + Fix Makefile to properly clean up libs/ dirs in clean target. + (Closes: #611667) + + Replace duplicate files in the doc directory with symlinks. 
+ * This upload fixed CVE: (LP: #718208) + - CVE-2011-0014 + + -- Artur Rona Sun, 13 Feb 2011 16:10:24 +0100 + +openssl (0.9.8o-5) unstable; urgency=low + + * Fix OCSP stapling parse error (CVE-2011-0014) + + -- Kurt Roeckx Thu, 10 Feb 2011 20:43:43 +0100 + +openssl (0.9.8o-4ubuntu2) natty; urgency=low + + [ Peter Pearse ] + * Fix Makefile to properly clean up libs/ dirs in clean target + + -- Steve Langasek Mon, 31 Jan 2011 10:47:30 -0800 + +openssl (0.9.8o-4ubuntu1) natty; urgency=low + + * Merge from debian unstable. Remaining changes: (LP: #693902) + - debian/patches/Bsymbolic-functions.patch: Link using + -Bsymbolic-functions. + - Use a different priority for libssl0.9.8/restart-services + depending on whether a desktop, or server dist-upgrade is being + performed. + - Display a system restart required notification bubble on libssl0.9.8 + upgrade. + - Don't build for processors no longer supported: i486, i586 + (on i386), v8 (on sparc). + - Create libssl0.9.8-udeb, for the benefit of wget-udeb (no + wget-udeb package in Debian). + - Replace duplicate files in the doc directory with symlinks. + - Move runtime libraries to /lib, for the benefit of wpasupplicant. + - Ship documentation in openssl-doc, suggested by the package. + (Closes: #470594) + - Use host compiler when cross-building. Patch from Neil Williams. + (Closes: #465248). + - Don't run 'make test' when cross-building. + - debian/patches/aesni.patch: Backport Intel AES-NI support from + http://rt.openssl.org/Ticket/Display.html?id=2067 (refreshed) + - debian/patches/perlpath-quilt.patch: Don't change perl #! paths + under .pc. + - debian/patches/no-sslv2.patch: disable SSLv2 to match NSS + and GnuTLS. The protocol is unsafe and extremely deprecated. 
+ (Closes: #589706) + + -- Artur Rona Thu, 23 Dec 2010 20:20:03 +0100 + openssl (0.9.8o-4) unstable; urgency=low * Fix CVE-2010-4180 (Closes: #529221) -- Kurt Roeckx Mon, 06 Dec 2010 20:33:21 +0100 +openssl (0.9.8o-3ubuntu1) natty; urgency=low + + * Merge from debian unstable (LP: #677756). Remaining changes: + - debian/patches/Bsymbolic-functions.patch: Link using + -Bsymbolic-functions (refreshed) + - Use a different priority for libssl0.9.8/restart-services + depending on whether a desktop, or server dist-upgrade is being + performed. + - Display a system restart required notification bubble on libssl0.9.8 + upgrade. + - Don't build for processors no longer supported: i486, i586 + (on i386), v8 (on sparc). + - Create libssl0.9.8-udeb, for the benefit of wget-udeb (no + wget-udeb package in Debian) + - Replace duplicate files in the doc directory with symlinks. + - Move runtime libraries to /lib, for the benefit of wpasupplicant + - Ship documentation in openssl-doc, suggested by the package. + (Debian bug 470594) + - Use host compiler when cross-building (patch from Neil Williams in + Debian bug 465248). + - Don't run 'make test' when cross-building. + - debian/patches/aesni.patch: Backport Intel AES-NI support from + http://rt.openssl.org/Ticket/Display.html?id=2067 (refreshed) + - debian/patches/perlpath-quilt.patch: Don't change perl #! paths + under .pc. + - debian/patches/no-sslv2.patch: disable SSLv2 to match NSS + and GnuTLS. The protocol is unsafe and extremely deprecated. + (Debian bug 589706) + * Dropped patches, now upstream: + - debian/patches/CVE-2010-2939.patch (Debian patch is identically + named) + + -- Steve Beattie Thu, 18 Nov 2010 12:54:37 -0800 + openssl (0.9.8o-3) unstable; urgency=high * Fix TLS extension parsing race condition (CVE-2010-3864) (Closes: #603709) 
@@ -466,6 +1331,72 @@ -- Kurt Roeckx Thu, 26 Aug 2010 18:25:29 +0200 +openssl (0.9.8o-1ubuntu4.1) maverick-security; urgency=low + + * SECURITY UPDATE: denial of service and possible code execution via + crafted private key with an invalid prime. + - debian/patches/CVE-2010-2939.patch: set bn_ctx to NULL after freeing + it in ssl/s3_clnt.c. + - CVE-2010-2939 + + -- Marc Deslauriers Wed, 06 Oct 2010 16:46:36 -0400 + +openssl (0.9.8o-1ubuntu4) maverick; urgency=low + + * Update AES-NI patch to openssl-0.9.8-aesni-modes-perlasm-win32-v4.patch + from http://rt.openssl.org/Ticket/Display.html?id=2067, fixing segfault + on engine initialisation (LP: #590639). + + -- Colin Watson Fri, 24 Sep 2010 12:20:49 +0100 + +openssl (0.9.8o-1ubuntu3) maverick; urgency=low + + * debian/patches/no-sslv2.patch: disable SSLv2 to match NSS and GnuTLS. + The protocol is unsafe and extremely deprecated. (Debian bug 589706) + + -- Kees Cook Tue, 20 Jul 2010 08:24:13 -0700 + +openssl (0.9.8o-1ubuntu2) maverick; urgency=low + + * Don't build anymore for processors not supported anymore in maverick: + - i486, i586 (on i386). + - v8 (on sparc). + + -- Matthias Klose Mon, 19 Jul 2010 16:44:10 +0200 + +openssl (0.9.8o-1ubuntu1) maverick; urgency=low + + * Merge from debian unstable, remaining changes (LP: #581167): + - debian/patches/Bsymbolic-functions.patch: Link using + -Bsymbolic-functions + - Ship documentation in openssl-doc, suggested by the package. + - Use a different priority for libssl0.9.8/restart-services + depending on whether a desktop, or server dist-upgrade is being + performed. + - Display a system restart required notification bubble on libssl0.9.8 + upgrade. + - Replace duplicate files in the doc directory with symlinks. + - Move runtime libraries to /lib, for the benefit of wpasupplicant + - Use host compiler when cross-building (patch from Neil Williams in + Debian #465248). + - Don't run 'make test' when cross-building. 
+ - Create libssl0.9.8-udeb, for the benefit of wget-udeb (LP: #503339). + - debian/patches/aesni.patch: Backport Intel AES-NI support from + http://rt.openssl.org/Ticket/Display.html?id=2067 (LP: #485518). + - debian/patches/perlpath-quilt.patch: Don't change perl #! paths + under .pc. + * Dropped patches, now upstream: + - debian/patches/CVE-2009-3245.patch + - debian/patches/CVE-2010-0740.patch + - debian/patches/dtls-compatibility.patch + - debian/patches/CVE-2009-4355.patch + * Dropped "Add support for lpia". + * Dropped "Disable SSLv2 during compile" as this had never actually + disabled SSLv2. + * Don't disable CVE-2009-3555.patch for Maverick. + + -- Marc Deslauriers Mon, 14 Jun 2010 09:08:29 -0400 + openssl (0.9.8o-1) unstable; urgency=low * New upstream version 
@@ -518,6 +1449,87 @@ -- Kurt Roeckx Wed, 13 Jan 2010 21:26:49 +0100 +openssl (0.9.8k-7ubuntu8) lucid; urgency=low + + * SECURITY UPDATE: denial of service and possible arbitrary code + execution via unchecked return values + - debian/patches/CVE-2009-3245.patch: check bn_wexpand return value in + crypto/bn/{bn_div.c,bn_gf2m.c,bn_mul.c}, crypto/ec/ec2_smpl.c, + engines/e_ubsec.c. + - CVE-2009-3245 + * SECURITY UPDATE: denial of service via "record of death" + - debian/patches/CVE-2010-0740.patch: only send back minor version + number in ssl/s3_pkt.c. + - CVE-2010-0740 + + -- Marc Deslauriers Tue, 30 Mar 2010 08:57:51 -0400 + +openssl (0.9.8k-7ubuntu7) lucid; urgency=low + + * debian/patches/dtls-compatibility.patch: backport dtls compatibility + code from 0.9.8m to fix interopability. (LP: #516318) + + -- Marc Deslauriers Fri, 26 Mar 2010 08:31:09 -0400 + +openssl (0.9.8k-7ubuntu6) lucid; urgency=low + + * Backport Intel AES-NI support from + http://rt.openssl.org/Ticket/Display.html?id=2067 (LP: #485518). + * Don't change perl #! paths under .pc. + + -- Colin Watson Mon, 01 Feb 2010 15:40:27 -0800 + +openssl (0.9.8k-7ubuntu5) lucid; urgency=low + + * SECURITY UPDATE: memory leak possible during state clean-up. + - Add CVE-2009-4355.patch, upstream fixes thanks to Debian. + + -- Kees Cook Fri, 22 Jan 2010 09:50:01 -0800 + +openssl (0.9.8k-7ubuntu4) lucid; urgency=low + + * Use host compiler when cross-building (patch from Neil Williams in + Debian #465248). + * Don't run 'make test' when cross-building. + * Create libssl0.9.8-udeb, for the benefit of wget-udeb (LP: #503339). + + -- Colin Watson Tue, 05 Jan 2010 16:09:38 +0000 + +openssl (0.9.8k-7ubuntu3) lucid; urgency=low + + * debian/patches/disable-sslv2.patch: remove and apply inline to fix + FTBFS when patch won't revert during the build process. 
+ + -- Marc Deslauriers Mon, 07 Dec 2009 21:00:47 -0500 + +openssl (0.9.8k-7ubuntu2) lucid; urgency=low + + * debian/patches/{disable-sslv2,Bsymbolic-functions}.patch: apply + Makefile sections inline as once the package is configured during the + build process, the patches wouldn't revert anymore, causing a FTBFS on + anything other than amd64. + + -- Marc Deslauriers Mon, 07 Dec 2009 19:52:15 -0500 + +openssl (0.9.8k-7ubuntu1) lucid; urgency=low + + * Merge from debian unstable, remaining changes (LP: #493392): + - Link using -Bsymbolic-functions + - Add support for lpia + - Disable SSLv2 during compile + - Ship documentation in openssl-doc, suggested by the package. + - Use a different priority for libssl0.9.8/restart-services + depending on whether a desktop, or server dist-upgrade is being + performed. + - Display a system restart required notification bubble on libssl0.9.8 + upgrade. + - Replace duplicate files in the doc directory with symlinks. + - Move runtime libraries to /lib, for the benefit of wpasupplicant + * Strip the patches out of the source into quilt patches + * Disable CVE-2009-3555.patch + + -- Nicolas Valcárcel Scerpella (Canonical) Sun, 06 Dec 2009 20:16:24 -0500 + openssl (0.9.8k-7) unstable; urgency=low * Bump the shlibs to require 0.9.8k-1. The following symbols 
@@ -595,6 +1607,70 @@ -- Kurt Roeckx Sat, 16 May 2009 17:33:55 +0200 +openssl (0.9.8g-16ubuntu3) karmic; urgency=low + + * SECURITY UPDATE: certificate spoofing via hash collisions from MD2 + design flaws. + - crypto/evp/c_alld.c, ssl/ssl_algs.c: disable MD2 digest. + - crypto/x509/x509_vfy.c: skip signature check for self signed + certificates + - http://marc.info/?l=openssl-cvs&m=124508133203041&w=2 + - http://marc.info/?l=openssl-cvs&m=124704528713852&w=2 + - CVE-2009-2409 + + -- Marc Deslauriers Tue, 08 Sep 2009 14:59:05 -0400 + +openssl (0.9.8g-16ubuntu2) karmic; urgency=low + + * Patches forward ported from http://www.ubuntu.com/usn/USN-792-1 (by + Marc Deslauriers) + * SECURITY UPDATE: denial of service via memory consumption from large + number of future epoch DTLS records. + - crypto/pqueue.*: add new pqueue_size counter function. + - ssl/d1_pkt.c: use pqueue_size to limit size of queue to 100. + - http://cvs.openssl.org/chngview?cn=18187 + - CVE-2009-1377 + * SECURITY UPDATE: denial of service via memory consumption from + duplicate or invalid sequence numbers in DTLS records. + - ssl/d1_both.c: discard message if it's a duplicate or too far in the + future. + - http://marc.info/?l=openssl-dev&m=124263491424212&w=2 + - CVE-2009-1378 + * SECURITY UPDATE: denial of service or other impact via use-after-free + in dtls1_retrieve_buffered_fragment. + - ssl/d1_both.c: use temp frag_len instead of freed frag. + - http://rt.openssl.org/Ticket/Display.html?id=1923&user=guest&pass=guest + - CVE-2009-1379 + * SECURITY UPDATE: denial of service via DTLS ChangeCipherSpec packet + that occurs before ClientHello. + - ssl/s3_pkt.c: abort if s->session is NULL. + - ssl/{ssl.h,ssl_err.c}: add new error codes. + - http://cvs.openssl.org/chngview?cn=17369 + - CVE-2009-1386 + * SECURITY UPDATE: denial of service via an out-of-sequence DTLS + handshake message. + - ssl/d1_both.c: don't buffer fragments with no data. 
+ - http://cvs.openssl.org/chngview?cn=17958 + - CVE-2009-1387 + + -- Jamie Strandboge Fri, 10 Jul 2009 14:44:47 -0500 + +openssl (0.9.8g-16ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: + - Link using -Bsymbolic-functions + - Add support for lpia + - Disable SSLv2 during compile + - Ship documentation in openssl-doc, suggested by the package. + - Use a different priority for libssl0.9.8/restart-services + depending on whether a desktop, or server dist-upgrade is being + performed. + - Display a system restart required notification bubble on libssl0.9.8 + upgrade. + - Replace duplicate files in the doc directory with symlinks. + + -- Jamie Strandboge Thu, 14 May 2009 14:11:05 -0500 + openssl (0.9.8g-16) unstable; urgency=high * Properly validate the length of an encoded BMPString and UniversalString 
@@ -602,6 +1678,45 @@ -- Kurt Roeckx Wed, 01 Apr 2009 22:04:53 +0200 +openssl (0.9.8g-15ubuntu3) jaunty; urgency=low + + * SECURITY UPDATE: crash via invalid memory access when printing BMPString + or UniversalString with invalid length + - crypto/asn1/tasn_dec.c, crypto/asn1/asn1_err.c and crypto/asn1/asn1.h: + return error if invalid length + - CVE-2009-0590 + - http://www.openssl.org/news/secadv_20090325.txt + - patch from upstream CVS: + crypto/asn1/asn1.h:1.128.2.11->1.128.2.12 + crypto/asn1/asn1_err.c:1.54.2.4->1.54.2.5 + crypto/asn1/tasn_dec.c:1.26.2.10->1.26.2.11 + + -- Jamie Strandboge Fri, 27 Mar 2009 08:23:35 -0500 + +openssl (0.9.8g-15ubuntu2) jaunty; urgency=low + + * Move runtime libraries to /lib, for the benefit of wpasupplicant + (LP: #44194). Leave symlinks behind in /usr/lib (except on the Hurd) + since we used to set an rpath there. + + -- Colin Watson Fri, 06 Mar 2009 12:48:52 +0000 + +openssl (0.9.8g-15ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: LP: #314984 + - Link using -Bsymbolic-functions + - Add support for lpia + - Disable SSLv2 during compile + - Ship documentation in openssl-doc, suggested by the package. + - Use a different priority for libssl0.9.8/restart-services + depending on whether a desktop, or server dist-upgrade is being + performed. + - Display a system restart required notification bubble on libssl0.9.8 + upgrade. + - Replace duplicate files in the doc directory with symlinks. + + -- Bhavani Shankar Thu, 08 Jan 2009 12:38:06 +0530 + openssl (0.9.8g-15) unstable; urgency=low * Internal calls to didn't properly check for errors which 
@@ -612,6 +1727,34 @@ -- Kurt Roeckx Mon, 05 Jan 2009 21:14:31 +0100 +openssl (0.9.8g-14ubuntu2) jaunty; urgency=low + + * SECURITY UPDATE: clients treat malformed signatures as good when verifying + server DSA and ECDSA certificates + - update apps/speed.c, apps/spkac.c, apps/verify.c, apps/x509.c, + ssl/s2_clnt.c, ssl/s2_srvr.c, ssl/s3_clnt.c, s3_srvr.c, and + ssl/ssltest.c to properly check the return code of EVP_VerifyFinal() + - patch based on upstream patch for #2008-016 + - CVE-2008-5077 + + -- Jamie Strandboge Tue, 06 Jan 2009 00:44:19 -0600 + +openssl (0.9.8g-14ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: + - Link using -Bsymbolic-functions + - Add support for lpia + - Disable SSLv2 during compile + - Ship documentation in openssl-doc, suggested by the package. + - Use a different priority for libssl0.9.8/restart-services + depending on whether a desktop, or server dist-upgrade is being + performed. + - Display a system restart required notification bubble on libssl0.9.8 + upgrade. + - Replace duplicate files in the doc directory with symlinks. + + -- Scott James Remnant Tue, 11 Nov 2008 17:24:44 +0000 + openssl (0.9.8g-14) unstable; urgency=low * Don't give the warning about security updates when upgrading 
@@ -656,6 +1799,29 @@ -- Christoph Martin Thu, 17 Jul 2008 09:53:01 +0200 +openssl (0.9.8g-10.1ubuntu2) intrepid; urgency=low + + * debian/rules: + - disable SSLv2 during compile + * debian/README.debian + - add note about disabled SSLv2 in Ubuntu + + -- Ante Karamatic Thu, 24 Jul 2008 12:47:09 +0200 + +openssl (0.9.8g-10.1ubuntu1) intrepid; urgency=low + + * Merge from debian unstable, remaining changes: + - use a different priority for libssl0.9.8/restart-services depending on whether + a desktop, or server dist-upgrade is being performed. + - display a system restart required notification bubble on libssl0.9.8 upgrade. + - ship documentation in new openssl-doc package. + - configure: add support for lpia. + - replace duplicate files in the doc directory with symlinks. + - link using -bsymbolic-functions. + - update maintainer as per spec. + + -- Luke Yelavich Tue, 10 Jun 2008 11:50:07 +1000 + openssl (0.9.8g-10.1) unstable; urgency=high * Non-maintainer upload by the Security team. @@ -669,6 +1835,20 @@ -- Nico Golde Tue, 27 May 2008 11:13:44 +0200 +openssl (0.9.8g-10ubuntu1) intrepid; urgency=low + + * Merge from debian unstable, remaining changes: + - Use a different priority for libssl0.9.8/restart-services depending on whether + a desktop, or server dist-upgrade is being performed. + - Display a system restart required notification bubble on libssl0.9.8 upgrade. + - Ship documentation in new openssl-doc package. + - Configure: Add support for lpia. + - Replace duplicate files in the doc directory with symlinks. + - Link using -Bsymbolic-functions. + - Update maintainer as per spec. + + -- Luke Yelavich Mon, 12 May 2008 22:49:33 +1000 + openssl (0.9.8g-10) unstable; urgency=low * undefine HZ so that the code falls back to sysconf(_SC_CLK_TCK) 
@@ -687,6 +1867,20 @@ -- Kurt Roeckx Wed, 07 May 2008 20:32:12 +0200 +openssl (0.9.8g-8ubuntu1) intrepid; urgency=low + + * Merge from debian unstable, remaining changes: + - Use a different priority for libssl0.9.8/restart-services depending on whether + a desktop, or server dist-upgrade is being performed. + - Display a system restart required notification bubble on libssl0.9.8 upgrade. + - Ship documentation in new openssl-doc package. + - Configure: Add support for lpia. + - Replace duplicate files in the doc directory with symlinks. + - Link using -Bsymbolic-functions. + - Update maintainer as per spec. + + -- Luke Yelavich Mon, 12 May 2008 10:09:20 +1000 + openssl (0.9.8g-8) unstable; urgency=high * Don't add extensions to ssl v3 connections. It breaks with some @@ -713,6 +1907,30 @@ -- Kurt Roeckx Sat, 09 Feb 2008 13:32:49 +0100 +openssl (0.9.8g-4ubuntu3) hardy; urgency=low + + * Use a different priority for libssl0.9.8/restart-services depending on whether + a desktop, or server dist-upgrade is being performed. (LP: #91814) + * Display a system restart required notification bubble on libssl0.9.8 upgrade. + + -- Luke Yelavich Tue, 22 Apr 2008 10:50:53 +1000 + +openssl (0.9.8g-4ubuntu2) hardy; urgency=low + + * Ship documentation in new openssl-doc package, since it is very large and + not terribly useful for the casual desktop user. + + -- Martin Pitt Tue, 11 Mar 2008 22:52:28 +0100 + +openssl (0.9.8g-4ubuntu1) hardy; urgency=low + + * Merge from unstable; remaining changes: + - Configure: Add support for lpia. + - Replace duplicate files in the doc directory with symlinks. + - Link using -Bsymbolic-functions. + + -- Matthias Klose Tue, 29 Jan 2008 14:32:12 +0100 + openssl (0.9.8g-4) unstable; urgency=low * Fix aes ige test speed not to overwrite it's buffer and 
@@ -727,6 +1945,14 @@ -- Kurt Roeckx Wed, 16 Jan 2008 21:49:43 +0100 +openssl (0.9.8g-3ubuntu1) hardy; urgency=low + + * Merge with Debian; remaining changes: + - Configure: Add support for lpia. + - Replace duplicate files in the doc directory with symlinks. + + -- Matthias Klose Wed, 05 Dec 2007 00:13:39 +0100 + openssl (0.9.8g-3) unstable; urgency=low * aes-586.pl: push %ebx on the stack before we put some things on the @@ -814,6 +2040,41 @@ -- Kurt Roeckx Wed, 15 Aug 2007 19:49:54 +0200 +openssl (0.9.8e-5ubuntu3) gutsy; urgency=low + + * Replace duplicate files in the doc directory with symlinks. + + -- Matthias Klose Thu, 04 Oct 2007 16:27:53 +0000 + +openssl (0.9.8e-5ubuntu2) gutsy; urgency=low + + [ Jamie Strandboge ] + * SECURITY UPDATE: off-by-one error in SSL_get_shared_ciphers() results in + buffer overflow + * ssl/ssl_lib.c: applied upstream patch from openssl CVS thanks to + Stephan Hermann + * References: + CVE-2007-5135 + http://www.securityfocus.com/archive/1/archive/1/480855/100/0/threaded + Fixes LP: #146269 + * Modify Maintainer value to match the DebianMaintainerField + specification. + + [ Kees Cook ] + * SECURITY UPDATE: side-channel attacks via BN_from_montgomery function. + * crypto/bn/bn_mont.c: upstream patch from openssl CVS thanks to Debian. + * References + CVE-2007-3108 + + -- Kees Cook Fri, 28 Sep 2007 13:02:19 -0700 + +openssl (0.9.8e-5ubuntu1) gutsy; urgency=low + + * Configure: Add support for lpia. + * Explicitely build using gcc-4.1 (PR other/31359). + + -- Matthias Klose Tue, 31 Jul 2007 12:47:38 +0000 + openssl (0.9.8e-5) unstable; urgency=low [ Christian Perrier ] @@ -1813,3 +3074,4 @@ * Initial Release. -- Christoph Martin Fri, 22 Nov 1996 21:29:51 +0100 + diff -Nru openssl-1.0.1i/debian/control openssl-1.0.1i/debian/control --- openssl-1.0.1i/debian/control 2014-05-12 23:04:40.000000000 +0200 +++ openssl-1.0.1i/debian/control 2014-08-07 06:41:41.000000000 +0200 
@@ -2,11 +2,12 @@ Build-Depends: debhelper (>= 9), m4, bc, dpkg-dev (>= 1.15.7) Section: utils Priority: optional -Maintainer: Debian OpenSSL Team +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian OpenSSL Team Uploaders: Christoph Martin , Kurt Roeckx Standards-Version: 3.9.5 -Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-openssl/openssl -Vcs-Svn: svn://anonscm.debian.org/pkg-openssl/openssl/ +XS-Debian-Vcs-Browser: http://svn.debian.org/wsvn/pkg-openssl/openssl +XS-Debian-Vcs-Svn: svn://svn.debian.org/pkg-openssl/openssl/ Package: openssl Priority: optional @@ -55,6 +56,17 @@ It contains a version of the libcrypto shared library for use with the Debian Installer. Do not install it on a normal system. +Package: libssl1.0.0-udeb +XC-Package-Type: udeb +Section: debian-installer +Priority: optional +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: ssl shared library - udeb + libssl shared library. + . + Do not install it on a normal system. + Package: libssl-dev Section: libdevel Priority: optional diff -Nru openssl-1.0.1i/debian/libcrypto1.0.0-udeb.dirs openssl-1.0.1i/debian/libcrypto1.0.0-udeb.dirs --- openssl-1.0.1i/debian/libcrypto1.0.0-udeb.dirs 2014-05-12 23:04:40.000000000 +0200 +++ openssl-1.0.1i/debian/libcrypto1.0.0-udeb.dirs 2014-08-07 06:41:41.000000000 +0200 @@ -1 +1 @@ -usr/lib +lib diff -Nru openssl-1.0.1i/debian/libssl1.0.0.files openssl-1.0.1i/debian/libssl1.0.0.files --- openssl-1.0.1i/debian/libssl1.0.0.files 2014-05-12 23:04:40.000000000 +0200 +++ openssl-1.0.1i/debian/libssl1.0.0.files 2014-08-07 06:41:41.000000000 +0200 
@@ -1,4 +1,5 @@ +lib/*/*.so.*.*.* +lib/*/*/*.so.*.*.* +lib/*/i686/cmov/*.so.*.*.* usr/lib/*/*.so.*.*.* -usr/lib/*/*/*.so.*.*.* -usr/lib/*/i686/cmov/*.so.*.*.* usr/lib/*/openssl-1.0.0/engines diff -Nru openssl-1.0.1i/debian/libssl1.0.0.postinst openssl-1.0.1i/debian/libssl1.0.0.postinst --- openssl-1.0.1i/debian/libssl1.0.0.postinst 2014-05-12 23:13:44.000000000 +0200 +++ openssl-1.0.1i/debian/libssl1.0.0.postinst 2014-08-07 19:12:12.000000000 +0200 @@ -57,6 +57,8 @@ if [ "$1" = "configure" ] then if [ ! -z "$2" ]; then + # This triggers services restarting, so limit this to major upgrades + # only. Security updates should not restart services automatically. if dpkg --compare-versions "$2" lt 1.0.1g-2; then echo -n "Checking for services that may need to be restarted..." check="amanda-server anon-proxy apache2 apache-ssl" @@ -146,7 +148,11 @@ fi done if [ -n "$services" ]; then - db_input critical libraries/restart-without-asking || true + if [ "$RELEASE_UPGRADE_MODE" = desktop ]; then + db_input medium libraries/restart-without-asking || true + else + db_input critical libraries/restart-without-asking || true + fi db_go || true db_get libraries/restart-without-asking if [ "x$RET" != xtrue ]; then 
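Review bot: The new `RELEASE_UPGRADE_MODE` branch in the `@@ -146,7 +148,11 @@` hunk has no comment saying what lowering the question to `medium` is meant to achieve, and the outcome matters because the `db_get` that follows decides whether services linked against libssl are restarted. At `medium` the question is presumably not shown under the usual debconf priority, so the stored or default answer is used without the user seeing it, and `|| true` hides that case. I would add above the `if`: `# Desktop release upgrade: ask at medium so the prompt is normally skipped; RELEASE_UPGRADE_MODE is unset outside a release upgrade, which keeps the critical prompt.` The variable's origin is not visible here and should be confirmed before that comment is committed. The surrounding `if [ -n "$services" ]` block continues past the end of the hunk.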
@@ -200,7 +206,20 @@ # Shut down the frontend, to make sure none of the # restarted services keep a connection open to it db_stop + fi # end upgrading and $2 lt 0.9.8c-2 + + # Here we issue the reboot notification for upgrades and + # security updates. We do want services to be restarted when we + # update for a security issue, but planned by the sysadmin, not + # automatically. + + # Only issue the reboot notification for servers; we proxy this by + # testing that the X server is not running (LP: #244250) + if ! pidof /usr/bin/X > /dev/null && [ -x /usr/share/update-notifier/notify-reboot-required ]; then + /usr/share/update-notifier/notify-reboot-required + fi + fi # Upgrading fi diff -Nru openssl-1.0.1i/debian/libssl1.0.0-udeb.dirs openssl-1.0.1i/debian/libssl1.0.0-udeb.dirs --- openssl-1.0.1i/debian/libssl1.0.0-udeb.dirs 1970-01-01 01:00:00.000000000 +0100 +++ openssl-1.0.1i/debian/libssl1.0.0-udeb.dirs 2014-01-08 21:48:19.000000000 +0100 @@ -0,0 +1 @@ +lib diff -Nru openssl-1.0.1i/debian/patches/CVE-2010-5298.patch openssl-1.0.1i/debian/patches/CVE-2010-5298.patch --- openssl-1.0.1i/debian/patches/CVE-2010-5298.patch 2014-05-12 23:11:59.000000000 +0200 +++ openssl-1.0.1i/debian/patches/CVE-2010-5298.patch 1970-01-01 01:00:00.000000000 +0100 
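Review bot: The server test `! pidof /usr/bin/X` decides whether anyone is told that running processes still map the old libssl, and it is a loose proxy: a host whose X server runs under another name or path, or a desktop with no X session at upgrade time, is classified the other way. A comment above the test should state that limitation, e.g. `# Heuristic only: hosts with a running /usr/bin/X are treated as desktops and get no notification here.` The helper is also called bare while the debconf calls in this script use `|| true`; if the script runs under `set -e` (not visible in this hunk), `/usr/share/update-notifier/notify-reboot-required || true` keeps a helper failure from failing package configuration. The trailing comment `# end upgrading and $2 lt 0.9.8c-2` no longer matches the `lt 1.0.1g-2` guard shown in the first hunk of this file. The enclosing `if` blocks open outside the hunk.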
@@ -1,27 +0,0 @@ -From db978be7388852059cf54e42539a363d549c5bfd Mon Sep 17 00:00:00 2001 -From: Kurt Roeckx -Date: Sun, 13 Apr 2014 15:05:30 +0200 -Subject: [PATCH] Don't release the buffer when there still is data in it - -RT: 2167, 3265 ---- - ssl/s3_pkt.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c -index b9e45c7..32e9207 100644 ---- a/ssl/s3_pkt.c -+++ b/ssl/s3_pkt.c -@@ -1055,7 +1055,8 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) - { - s->rstate=SSL_ST_READ_HEADER; - rr->off=0; -- if (s->mode & SSL_MODE_RELEASE_BUFFERS) -+ if (s->mode & SSL_MODE_RELEASE_BUFFERS && -+ s->s3->rbuf.left == 0) - ssl3_release_read_buffer(s); - } - } --- -1.9.1 - diff -Nru openssl-1.0.1i/debian/patches/CVE-2014-XXXX-Extension-checking-fixes.patch openssl-1.0.1i/debian/patches/CVE-2014-XXXX-Extension-checking-fixes.patch --- openssl-1.0.1i/debian/patches/CVE-2014-XXXX-Extension-checking-fixes.patch 2014-05-12 23:11:59.000000000 +0200 +++ openssl-1.0.1i/debian/patches/CVE-2014-XXXX-Extension-checking-fixes.patch 1970-01-01 01:00:00.000000000 +0100 
@@ -1,40 +0,0 @@ -From 300b9f0b704048f60776881f1d378c74d9c32fbd Mon Sep 17 00:00:00 2001 -From: "Dr. Stephen Henson" -Date: Tue, 15 Apr 2014 18:48:54 +0100 -Subject: [PATCH] Extension checking fixes. - -When looking for an extension we need to set the last found -position to -1 to properly search all extensions. - -PR#3309. ---- - crypto/x509v3/v3_purp.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c -index 6c40c7d..5f931db 100644 ---- a/crypto/x509v3/v3_purp.c -+++ b/crypto/x509v3/v3_purp.c -@@ -389,8 +389,8 @@ static void x509v3_cache_extensions(X509 *x) - /* Handle proxy certificates */ - if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) { - if (x->ex_flags & EXFLAG_CA -- || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0 -- || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) { -+ || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 -+ || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) { - x->ex_flags |= EXFLAG_INVALID; - } - if (pci->pcPathLengthConstraint) { -@@ -670,7 +670,7 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, - return 0; - - /* Extended Key Usage MUST be critical */ -- i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, 0); -+ i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1); - if (i_ext >= 0) - { - X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext); --- -1.9.1 - diff -Nru openssl-1.0.1i/debian/patches/fix-pod-errors.patch openssl-1.0.1i/debian/patches/fix-pod-errors.patch --- openssl-1.0.1i/debian/patches/fix-pod-errors.patch 2014-05-12 23:08:04.000000000 +0200 +++ openssl-1.0.1i/debian/patches/fix-pod-errors.patch 1970-01-01 01:00:00.000000000 +0100 
@@ -1,396 +0,0 @@ -Description: Fix pod errors - The version of pod from perl 5.18 is fussier than previous versions changing - thigs that were previously warnings into errors. This patch fixes the errors - and makes the package build but I have not checked the correctness of the - output. -Author: Peter Michael Green -Bug-Debian: http://bugs.debian.org/723954 -Bug: http://rt.openssl.org/Ticket/Display.html?id=3146&user=guest&pass=guest - -Index: openssl-1.0.1g/doc/apps/smime.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/apps/smime.pod 2014-04-07 23:21:03.985184135 +0200 -+++ openssl-1.0.1g/doc/apps/smime.pod 2014-04-07 23:21:03.985184135 +0200 -@@ -308,28 +308,28 @@ - - =over 4 - --=item 0 -+=item C<0> - - the operation was completely successfully. - --=item 1 -+=item C<1> - - an error occurred parsing the command options. - --=item 2 -+=item C<2> - - one of the input files could not be read. - --=item 3 -+=item C<3> - - an error occurred creating the PKCS#7 file or when reading the MIME - message. - --=item 4 -+=item C<4> - - an error occurred decrypting or verifying the message. - --=item 5 -+=item C<5> - - the message was verified correctly but an error occurred writing out - the signers certificates. -Index: openssl-1.0.1g/doc/apps/cms.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/apps/cms.pod 2014-04-07 23:21:03.985184135 +0200 -+++ openssl-1.0.1g/doc/apps/cms.pod 2014-04-07 23:21:03.985184135 +0200 -@@ -450,28 +450,28 @@ - - =over 4 - --=item 0 -+=item C<0> - - the operation was completely successfully. - --=item 1 -+=item C<1> - - an error occurred parsing the command options. - --=item 2 -+=item C<2> - - one of the input files could not be read. - --=item 3 -+=item C<3> - - an error occurred creating the CMS file or when reading the MIME - message. - --=item 4 -+=item C<4> - - an error occurred decrypting or verifying the message. 
- --=item 5 -+=item C<5> - - the message was verified correctly but an error occurred writing out - the signers certificates. -Index: openssl-1.0.1g/doc/ssl/SSL_clear.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_clear.pod 2014-04-07 23:21:03.985184135 +0200 -+++ openssl-1.0.1g/doc/ssl/SSL_clear.pod 2014-04-07 23:21:03.985184135 +0200 -@@ -56,12 +56,12 @@ - - =over 4 - --=item 0 -+=item C<0> - - The SSL_clear() operation could not be performed. Check the error stack to - find out the reason. - --=item 1 -+=item C<1> - - The SSL_clear() operation was successful. - -Index: openssl-1.0.1g/doc/ssl/SSL_session_reused.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_session_reused.pod 2014-04-07 23:21:03.985184135 +0200 -+++ openssl-1.0.1g/doc/ssl/SSL_session_reused.pod 2014-04-07 23:21:03.985184135 +0200 -@@ -27,11 +27,11 @@ - - =over 4 - --=item 0 -+=item C<0> - - A new session was negotiated. - --=item 1 -+=item C<1> - - A session was reused. - -Index: openssl-1.0.1g/doc/ssl/SSL_set_session.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_set_session.pod 2014-04-07 23:21:03.985184135 +0200 -+++ openssl-1.0.1g/doc/ssl/SSL_set_session.pod 2014-04-07 23:21:03.985184135 +0200 -@@ -37,11 +37,11 @@ - - =over 4 - --=item 0 -+=item C<0> - - The operation failed; check the error stack to find out the reason. - --=item 1 -+=item C<1> - - The operation succeeded. 
- -Index: openssl-1.0.1g/doc/ssl/SSL_connect.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_connect.pod 2014-04-07 23:21:03.985184135 +0200 -+++ openssl-1.0.1g/doc/ssl/SSL_connect.pod 2014-04-07 23:21:03.985184135 +0200 -@@ -41,13 +41,13 @@ - - =over 4 - --=item 0 -+=item C<0> - - The TLS/SSL handshake was not successful but was shut down controlled and - by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the - return value B to find out the reason. - --=item 1 -+=item C<1> - - The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been - established. -Index: openssl-1.0.1g/doc/ssl/SSL_shutdown.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_shutdown.pod 2014-04-07 23:21:03.985184135 +0200 -+++ openssl-1.0.1g/doc/ssl/SSL_shutdown.pod 2014-04-07 23:21:03.985184135 +0200 -@@ -92,14 +92,14 @@ - - =over 4 - --=item 0 -+=item C<0> - - The shutdown is not yet finished. Call SSL_shutdown() for a second time, - if a bidirectional shutdown shall be performed. - The output of L may be misleading, as an - erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred. - --=item 1 -+=item C<1> - - The shutdown was successfully completed. The "close notify" alert was sent - and the peer's "close notify" alert was received. -Index: openssl-1.0.1g/doc/ssl/SSL_CTX_set_client_CA_list.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_CTX_set_client_CA_list.pod 2014-04-07 23:21:03.985184135 +0200 -+++ openssl-1.0.1g/doc/ssl/SSL_CTX_set_client_CA_list.pod 2014-04-07 23:21:03.985184135 +0200 -@@ -66,13 +66,13 @@ - - =over 4 - --=item 0 -+=item C<0> - - A failure while manipulating the STACK_OF(X509_NAME) object occurred or - the X509_NAME could not be extracted from B. Check the error stack - to find out the reason. 
- --=item 1 -+=item C<1> - - The operation succeeded. - -Index: openssl-1.0.1g/doc/ssl/SSL_accept.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_accept.pod 2014-04-07 23:21:03.985184135 +0200 -+++ openssl-1.0.1g/doc/ssl/SSL_accept.pod 2014-04-07 23:21:03.985184135 +0200 -@@ -44,13 +44,13 @@ - - =over 4 - --=item 0 -+=item C<0> - - The TLS/SSL handshake was not successful but was shut down controlled and - by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the - return value B to find out the reason. - --=item 1 -+=item C<1> - - The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been - established. -Index: openssl-1.0.1g/doc/ssl/SSL_CTX_set_session_id_context.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_CTX_set_session_id_context.pod 2014-04-07 23:21:03.985184135 +0200 -+++ openssl-1.0.1g/doc/ssl/SSL_CTX_set_session_id_context.pod 2014-04-07 23:21:03.985184135 +0200 -@@ -64,13 +64,13 @@ - - =over 4 - --=item 0 -+=item C<0> - - The length B of the session id context B exceeded - the maximum allowed length of B. The error - is logged to the error stack. - --=item 1 -+=item C<1> - - The operation succeeded. - -Index: openssl-1.0.1g/doc/ssl/SSL_write.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_write.pod 2014-04-07 23:21:03.985184135 +0200 -+++ openssl-1.0.1g/doc/ssl/SSL_write.pod 2014-04-07 23:21:03.985184135 +0200 -@@ -79,7 +79,7 @@ - The write operation was successful, the return value is the number of - bytes actually written to the TLS/SSL connection. - --=item 0 -+=item C<0> - - The write operation was not successful. Probably the underlying connection - was closed. 
Call SSL_get_error() with the return value B to find out, -Index: openssl-1.0.1g/doc/ssl/SSL_CTX_load_verify_locations.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_CTX_load_verify_locations.pod 2014-04-07 23:21:03.985184135 +0200 -+++ openssl-1.0.1g/doc/ssl/SSL_CTX_load_verify_locations.pod 2014-04-07 23:21:03.985184135 +0200 -@@ -100,13 +100,13 @@ - - =over 4 - --=item 0 -+=item C<0> - - The operation failed because B and B are NULL or the - processing at one of the locations specified failed. Check the error - stack to find out the reason. - --=item 1 -+=item C<1> - - The operation succeeded. - -Index: openssl-1.0.1g/doc/ssl/SSL_set_fd.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_set_fd.pod 2014-04-07 23:21:03.985184135 +0200 -+++ openssl-1.0.1g/doc/ssl/SSL_set_fd.pod 2014-04-07 23:21:03.985184135 +0200 -@@ -35,11 +35,11 @@ - - =over 4 - --=item 0 -+=item C<0> - - The operation failed. Check the error stack to find out why. - --=item 1 -+=item C<1> - - The operation succeeded. - -Index: openssl-1.0.1g/doc/ssl/SSL_CTX_use_psk_identity_hint.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2014-04-07 23:21:03.985184135 +0200 -+++ openssl-1.0.1g/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2014-04-07 23:21:03.985184135 +0200 -@@ -96,7 +96,7 @@ - connection will fail with decryption_error before it will be finished - completely. - --=item 0 -+=item C<0> - - PSK identity was not found. An "unknown_psk_identity" alert message - will be sent and the connection setup fails. 
-Index: openssl-1.0.1g/doc/ssl/SSL_read.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_read.pod 2014-04-07 23:21:03.985184135 +0200 -+++ openssl-1.0.1g/doc/ssl/SSL_read.pod 2014-04-07 23:21:03.985184135 +0200 -@@ -86,7 +86,7 @@ - The read operation was successful; the return value is the number of - bytes actually read from the TLS/SSL connection. - --=item 0 -+=item C<0> - - The read operation was not successful. The reason may either be a clean - shutdown due to a "close notify" alert sent by the peer (in which case -Index: openssl-1.0.1g/doc/ssl/SSL_CTX_add_session.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_CTX_add_session.pod 2014-04-07 23:21:03.985184135 +0200 -+++ openssl-1.0.1g/doc/ssl/SSL_CTX_add_session.pod 2014-04-07 23:21:03.985184135 +0200 -@@ -52,13 +52,13 @@ - - =over 4 - --=item 0 -+=item C<0> - - The operation failed. In case of the add operation, it was tried to add - the same (identical) session twice. In case of the remove operation, the - session was not found in the cache. - --=item 1 -+=item C<1> - - The operation succeeded. - -Index: openssl-1.0.1g/doc/ssl/SSL_do_handshake.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_do_handshake.pod 2014-04-07 23:21:03.985184135 +0200 -+++ openssl-1.0.1g/doc/ssl/SSL_do_handshake.pod 2014-04-07 23:21:03.985184135 +0200 -@@ -45,13 +45,13 @@ - - =over 4 - --=item 0 -+=item C<0> - - The TLS/SSL handshake was not successful but was shut down controlled and - by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the - return value B to find out the reason. - --=item 1 -+=item C<1> - - The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been - established. 
-Index: openssl-1.0.1g/doc/ssl/SSL_COMP_add_compression_method.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_COMP_add_compression_method.pod 2014-04-07 23:21:03.985184135 +0200 -+++ openssl-1.0.1g/doc/ssl/SSL_COMP_add_compression_method.pod 2014-04-07 23:21:03.985184135 +0200 -@@ -53,11 +53,11 @@ - - =over 4 - --=item 0 -+=item C<0> - - The operation succeeded. - --=item 1 -+=item C<1> - - The operation failed. Check the error queue to find out the reason. - -Index: openssl-1.0.1g/doc/ssl/SSL_CTX_set_ssl_version.pod -=================================================================== ---- openssl-1.0.1g.orig/doc/ssl/SSL_CTX_set_ssl_version.pod 2014-04-07 23:21:03.985184135 +0200 -+++ openssl-1.0.1g/doc/ssl/SSL_CTX_set_ssl_version.pod 2014-04-07 23:21:03.985184135 +0200 -@@ -42,11 +42,11 @@ - - =over 4 - --=item 0 -+=item C<0> - - The new choice failed, check the error stack to find out the reason. - --=item 1 -+=item C<1> - - The operation succeeded. - diff -Nru openssl-1.0.1i/debian/patches/perlpath-quilt.patch openssl-1.0.1i/debian/patches/perlpath-quilt.patch --- openssl-1.0.1i/debian/patches/perlpath-quilt.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssl-1.0.1i/debian/patches/perlpath-quilt.patch 2014-01-08 21:48:19.000000000 +0100 
@@ -0,0 +1,14 @@ +diff -Nur openssl-0.9.8o/util/perlpath.pl openssl-0.9.8o.new/util/perlpath.pl +--- openssl-0.9.8o/util/perlpath.pl 2010-06-14 10:17:46.000000000 -0400 ++++ openssl-0.9.8o.new/util/perlpath.pl 2010-06-14 10:18:04.000000000 -0400 +@@ -11,6 +11,10 @@ + + sub wanted + { ++ if (/^\.pc/) { ++ $prune = 1; ++ return; ++ } + return unless /\.pl$/ || /^[Cc]onfigur/; + + open(IN,"<$_") || die "unable to open $dir/$_:$!\n"; diff -Nru openssl-1.0.1i/debian/patches/ppc64-support openssl-1.0.1i/debian/patches/ppc64-support --- openssl-1.0.1i/debian/patches/ppc64-support 1970-01-01 01:00:00.000000000 +0100 +++ openssl-1.0.1i/debian/patches/ppc64-support 2014-08-07 19:13:21.000000000 +0200 
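Review bot: The guard added to `wanted`, `if (/^\.pc/) {`, is a prefix match, so every entry whose name merely begins with `.pc` is pruned, not only quilt's `.pc` directory; anchoring it as `if (/^\.pc$/) {` limits the skip to that directory. `$prune` is presumably the prune flag exported by whatever the script loads to get `find`, but that is outside the hunk and worth confirming, since a fresh package variable would leave the walk descending into `.pc`. A short comment such as `# skip quilt's .pc tree so the pristine copies keep their original #! lines` would record why the walk stops there. The body of `wanted` continues past the hunk.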
@@ -0,0 +1,382 @@ +--- a/Configure ++++ b/Configure +@@ -403,6 +404,7 @@ + #### + "linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + "linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", ++"linux-ppc64le", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", + "linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +--- a/crypto/aes/asm/aes-ppc.pl ++++ b/crypto/aes/asm/aes-ppc.pl +@@ -45,6 +45,12 @@ + $PUSH ="stw"; + } else { die "nonsense $flavour"; } + ++$LITTLE_ENDIAN=0; ++if ($flavour =~ /le$/) { ++ die "little-endian is 64-bit only: $flavour" if ($SIZE_T == 4); ++ $LITTLE_ENDIAN=1; ++} ++ + $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; + ( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or + ( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or +@@ -365,16 +371,60 @@ + bne Lenc_unaligned + + Lenc_unaligned_ok: ++___ ++$code.=<<___ if (!$LITTLE_ENDIAN); + lwz $s0,0($inp) + lwz $s1,4($inp) + lwz $s2,8($inp) + lwz $s3,12($inp) ++___ ++$code.=<<___ if 
($LITTLE_ENDIAN); ++ lwz $t0,0($inp) ++ lwz $t1,4($inp) ++ lwz $t2,8($inp) ++ lwz $t3,12($inp) ++ rotlwi $s0,$t0,8 ++ rotlwi $s1,$t1,8 ++ rotlwi $s2,$t2,8 ++ rotlwi $s3,$t3,8 ++ rlwimi $s0,$t0,24,0,7 ++ rlwimi $s1,$t1,24,0,7 ++ rlwimi $s2,$t2,24,0,7 ++ rlwimi $s3,$t3,24,0,7 ++ rlwimi $s0,$t0,24,16,23 ++ rlwimi $s1,$t1,24,16,23 ++ rlwimi $s2,$t2,24,16,23 ++ rlwimi $s3,$t3,24,16,23 ++___ ++$code.=<<___; + bl LAES_Te + bl Lppc_AES_encrypt_compact ++___ ++$code.=<<___ if ($LITTLE_ENDIAN); ++ rotlwi $t0,$s0,8 ++ rotlwi $t1,$s1,8 ++ rotlwi $t2,$s2,8 ++ rotlwi $t3,$s3,8 ++ rlwimi $t0,$s0,24,0,7 ++ rlwimi $t1,$s1,24,0,7 ++ rlwimi $t2,$s2,24,0,7 ++ rlwimi $t3,$s3,24,0,7 ++ rlwimi $t0,$s0,24,16,23 ++ rlwimi $t1,$s1,24,16,23 ++ rlwimi $t2,$s2,24,16,23 ++ rlwimi $t3,$s3,24,16,23 ++ stw $t0,0($out) ++ stw $t1,4($out) ++ stw $t2,8($out) ++ stw $t3,12($out) ++___ ++$code.=<<___ if (!$LITTLE_ENDIAN); + stw $s0,0($out) + stw $s1,4($out) + stw $s2,8($out) + stw $s3,12($out) ++___ ++$code.=<<___; + b Lenc_done + + Lenc_unaligned: +@@ -799,16 +849,60 @@ + bne Ldec_unaligned + + Ldec_unaligned_ok: ++___ ++$code.=<<___ if (!$LITTLE_ENDIAN); + lwz $s0,0($inp) + lwz $s1,4($inp) + lwz $s2,8($inp) + lwz $s3,12($inp) ++___ ++$code.=<<___ if ($LITTLE_ENDIAN); ++ lwz $t0,0($inp) ++ lwz $t1,4($inp) ++ lwz $t2,8($inp) ++ lwz $t3,12($inp) ++ rotlwi $s0,$t0,8 ++ rotlwi $s1,$t1,8 ++ rotlwi $s2,$t2,8 ++ rotlwi $s3,$t3,8 ++ rlwimi $s0,$t0,24,0,7 ++ rlwimi $s1,$t1,24,0,7 ++ rlwimi $s2,$t2,24,0,7 ++ rlwimi $s3,$t3,24,0,7 ++ rlwimi $s0,$t0,24,16,23 ++ rlwimi $s1,$t1,24,16,23 ++ rlwimi $s2,$t2,24,16,23 ++ rlwimi $s3,$t3,24,16,23 ++___ ++$code.=<<___; + bl LAES_Td + bl Lppc_AES_decrypt_compact ++___ ++$code.=<<___ if ($LITTLE_ENDIAN); ++ rotlwi $t0,$s0,8 ++ rotlwi $t1,$s1,8 ++ rotlwi $t2,$s2,8 ++ rotlwi $t3,$s3,8 ++ rlwimi $t0,$s0,24,0,7 ++ rlwimi $t1,$s1,24,0,7 ++ rlwimi $t2,$s2,24,0,7 ++ rlwimi $t3,$s3,24,0,7 ++ rlwimi $t0,$s0,24,16,23 ++ rlwimi $t1,$s1,24,16,23 ++ rlwimi $t2,$s2,24,16,23 ++ rlwimi 
$t3,$s3,24,16,23 ++ stw $t0,0($out) ++ stw $t1,4($out) ++ stw $t2,8($out) ++ stw $t3,12($out) ++___ ++$code.=<<___ if (!$LITTLE_ENDIAN); + stw $s0,0($out) + stw $s1,4($out) + stw $s2,8($out) + stw $s3,12($out) ++___ ++$code.=<<___; + b Ldec_done + + Ldec_unaligned: +--- a/crypto/perlasm/ppc-xlate.pl ++++ b/crypto/perlasm/ppc-xlate.pl +@@ -27,7 +27,8 @@ + /osx/ && do { $name = "_$name"; + last; + }; +- /linux.*32/ && do { $ret .= ".globl $name\n"; ++ /linux.*32/ || ++ /linux.*64le/ && do { $ret .= ".globl $name\n"; + $ret .= ".type $name,\@function"; + last; + }; +@@ -62,7 +63,7 @@ + ".machine $arch"; + }; + my $size = sub { +- if ($flavour =~ /linux.*32/) ++ if ($flavour =~ /linux.*32/ || $flavour =~ /linux.*64le/) + { shift; + ".size " . join(",",@_); + } +@@ -77,6 +78,25 @@ + else + { ""; } + }; ++my $quad = sub { ++ shift; ++ my @ret; ++ my ($hi,$lo); ++ for (@_) { ++ if (/^0x([0-9a-f]*?)([0-9a-f]{1,8})$/io) ++ { $hi=$1?"0x$1":"0"; $lo="0x$2"; } ++ elsif (/^([0-9]+)$/o) ++ { $hi=$1>>32; $lo=$1&0xffffffff; } # error-prone with 32-bit perl ++ else ++ { $hi=undef; $lo=$_; } ++ ++ if (defined($hi)) ++ { push(@ret,$flavour=~/le$/o?".long\t$lo,$hi":".long\t$hi,$lo"); } ++ else ++ { push(@ret,".quad $lo"); } ++ } ++ join("\n",@ret); ++}; + + ################################################################ + # simplified mnemonics not handled by at least one assembler +--- a/crypto/sha/asm/sha1-ppc.pl ++++ b/crypto/sha/asm/sha1-ppc.pl +@@ -38,6 +38,14 @@ + $PUSH ="stw"; + } else { die "nonsense $flavour"; } + ++# Define endianess based on flavour ++# i.e.: linux64le ++$LITTLE_ENDIAN=0; ++if ($flavour =~ /le$/) { ++ die "little-endian is 64-bit only: $flavour" if ($SIZE_T == 4); ++ $LITTLE_ENDIAN=1; ++} ++ + $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; + ( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or + ( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or +@@ -68,14 +76,28 @@ + @X=("r16","r17","r18","r19","r20","r21","r22","r23", + 
"r24","r25","r26","r27","r28","r29","r30","r31"); + ++sub loadbe { ++my ($dst, $src, $temp_reg) = @_; ++$code.=<<___ if (!$LITTLE_ENDIAN); ++ lwz $dst,$src ++___ ++$code.=<<___ if ($LITTLE_ENDIAN); ++ lwz $temp_reg,$src ++ rotlwi $dst,$temp_reg,8 ++ rlwimi $dst,$temp_reg,24,0,7 ++ rlwimi $dst,$temp_reg,24,16,23 ++___ ++} ++ + sub BODY_00_19 { + my ($i,$a,$b,$c,$d,$e,$f)=@_; + my $j=$i+1; +-$code.=<<___ if ($i==0); +- lwz @X[$i],`$i*4`($inp) +-___ ++ ++ # Since the last value of $f is discarded, we can use ++ # it as a temp reg to swap byte-order when needed. ++ loadbe("@X[$i]","`$i*4`($inp)",$f) if ($i==0); ++ loadbe("@X[$j]","`$j*4`($inp)",$f) if ($i<15); + $code.=<<___ if ($i<15); +- lwz @X[$j],`$j*4`($inp) + add $f,$K,$e + rotlwi $e,$a,5 + add $f,$f,@X[$i] +--- a/crypto/sha/asm/sha512-ppc.pl ++++ b/crypto/sha/asm/sha512-ppc.pl +@@ -56,6 +56,12 @@ + $PUSH="stw"; + } else { die "nonsense $flavour"; } + ++$LITTLE_ENDIAN=0; ++if ($flavour =~ /le$/) { ++ die "little-endian is 64-bit only: $flavour" if ($SIZE_T==4); ++ $LITTLE_ENDIAN=1; ++} ++ + $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; + ( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or + ( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or +@@ -314,16 +320,33 @@ + Lsha2_block_private: + ___ + for($i=0;$i<16;$i++) { +-$code.=<<___ if ($SZ==4); ++$code.=<<___ if ($SZ==4 && !$LITTLE_ENDIAN); + lwz @X[$i],`$i*$SZ`($inp) + ___ ++$code.=<<___ if ($SZ==4 && $LITTLE_ENDIAN); ++ lwz $a0,`$i*$SZ`($inp) ++ rotlwi @X[$i],$a0,8 ++ rlwimi @X[$i],$a0,24,0,7 ++ rlwimi @X[$i],$a0,24,16,23 ++___ + # 64-bit loads are split to 2x32-bit ones, as CPU can't handle + # unaligned 64-bit loads, only 32-bit ones... 
+-$code.=<<___ if ($SZ==8); ++$code.=<<___ if ($SZ==8 && !$LITTLE_ENDIAN); + lwz $t0,`$i*$SZ`($inp) + lwz @X[$i],`$i*$SZ+4`($inp) + insrdi @X[$i],$t0,32,0 + ___ ++$code.=<<___ if ($SZ==8 && $LITTLE_ENDIAN); ++ lwz $a0,`$i*$SZ`($inp) ++ lwz $a1,`$i*$SZ+4`($inp) ++ rotlwi $t0,$a0,8 ++ rotlwi @X[$i],$a1,8 ++ rlwimi $t0,$a0,24,0,7 ++ rlwimi @X[$i],$a1,24,0,7 ++ rlwimi $t0,$a0,24,16,23 ++ rlwimi @X[$i],$a1,24,16,23 ++ insrdi @X[$i],$t0,32,0 ++___ + &ROUND_00_15($i,@V); + unshift(@V,pop(@V)); + } +@@ -395,46 +418,46 @@ + .space `64-9*4` + ___ + $code.=<<___ if ($SZ==8); +- .long 0x428a2f98,0xd728ae22,0x71374491,0x23ef65cd +- .long 0xb5c0fbcf,0xec4d3b2f,0xe9b5dba5,0x8189dbbc +- .long 0x3956c25b,0xf348b538,0x59f111f1,0xb605d019 +- .long 0x923f82a4,0xaf194f9b,0xab1c5ed5,0xda6d8118 +- .long 0xd807aa98,0xa3030242,0x12835b01,0x45706fbe +- .long 0x243185be,0x4ee4b28c,0x550c7dc3,0xd5ffb4e2 +- .long 0x72be5d74,0xf27b896f,0x80deb1fe,0x3b1696b1 +- .long 0x9bdc06a7,0x25c71235,0xc19bf174,0xcf692694 +- .long 0xe49b69c1,0x9ef14ad2,0xefbe4786,0x384f25e3 +- .long 0x0fc19dc6,0x8b8cd5b5,0x240ca1cc,0x77ac9c65 +- .long 0x2de92c6f,0x592b0275,0x4a7484aa,0x6ea6e483 +- .long 0x5cb0a9dc,0xbd41fbd4,0x76f988da,0x831153b5 +- .long 0x983e5152,0xee66dfab,0xa831c66d,0x2db43210 +- .long 0xb00327c8,0x98fb213f,0xbf597fc7,0xbeef0ee4 +- .long 0xc6e00bf3,0x3da88fc2,0xd5a79147,0x930aa725 +- .long 0x06ca6351,0xe003826f,0x14292967,0x0a0e6e70 +- .long 0x27b70a85,0x46d22ffc,0x2e1b2138,0x5c26c926 +- .long 0x4d2c6dfc,0x5ac42aed,0x53380d13,0x9d95b3df +- .long 0x650a7354,0x8baf63de,0x766a0abb,0x3c77b2a8 +- .long 0x81c2c92e,0x47edaee6,0x92722c85,0x1482353b +- .long 0xa2bfe8a1,0x4cf10364,0xa81a664b,0xbc423001 +- .long 0xc24b8b70,0xd0f89791,0xc76c51a3,0x0654be30 +- .long 0xd192e819,0xd6ef5218,0xd6990624,0x5565a910 +- .long 0xf40e3585,0x5771202a,0x106aa070,0x32bbd1b8 +- .long 0x19a4c116,0xb8d2d0c8,0x1e376c08,0x5141ab53 +- .long 0x2748774c,0xdf8eeb99,0x34b0bcb5,0xe19b48a8 +- .long 
0x391c0cb3,0xc5c95a63,0x4ed8aa4a,0xe3418acb +- .long 0x5b9cca4f,0x7763e373,0x682e6ff3,0xd6b2b8a3 +- .long 0x748f82ee,0x5defb2fc,0x78a5636f,0x43172f60 +- .long 0x84c87814,0xa1f0ab72,0x8cc70208,0x1a6439ec +- .long 0x90befffa,0x23631e28,0xa4506ceb,0xde82bde9 +- .long 0xbef9a3f7,0xb2c67915,0xc67178f2,0xe372532b +- .long 0xca273ece,0xea26619c,0xd186b8c7,0x21c0c207 +- .long 0xeada7dd6,0xcde0eb1e,0xf57d4f7f,0xee6ed178 +- .long 0x06f067aa,0x72176fba,0x0a637dc5,0xa2c898a6 +- .long 0x113f9804,0xbef90dae,0x1b710b35,0x131c471b +- .long 0x28db77f5,0x23047d84,0x32caab7b,0x40c72493 +- .long 0x3c9ebe0a,0x15c9bebc,0x431d67c4,0x9c100d4c +- .long 0x4cc5d4be,0xcb3e42b6,0x597f299c,0xfc657e2a +- .long 0x5fcb6fab,0x3ad6faec,0x6c44198c,0x4a475817 ++ .quad 0x428a2f98d728ae22,0x7137449123ef65cd ++ .quad 0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc ++ .quad 0x3956c25bf348b538,0x59f111f1b605d019 ++ .quad 0x923f82a4af194f9b,0xab1c5ed5da6d8118 ++ .quad 0xd807aa98a3030242,0x12835b0145706fbe ++ .quad 0x243185be4ee4b28c,0x550c7dc3d5ffb4e2 ++ .quad 0x72be5d74f27b896f,0x80deb1fe3b1696b1 ++ .quad 0x9bdc06a725c71235,0xc19bf174cf692694 ++ .quad 0xe49b69c19ef14ad2,0xefbe4786384f25e3 ++ .quad 0x0fc19dc68b8cd5b5,0x240ca1cc77ac9c65 ++ .quad 0x2de92c6f592b0275,0x4a7484aa6ea6e483 ++ .quad 0x5cb0a9dcbd41fbd4,0x76f988da831153b5 ++ .quad 0x983e5152ee66dfab,0xa831c66d2db43210 ++ .quad 0xb00327c898fb213f,0xbf597fc7beef0ee4 ++ .quad 0xc6e00bf33da88fc2,0xd5a79147930aa725 ++ .quad 0x06ca6351e003826f,0x142929670a0e6e70 ++ .quad 0x27b70a8546d22ffc,0x2e1b21385c26c926 ++ .quad 0x4d2c6dfc5ac42aed,0x53380d139d95b3df ++ .quad 0x650a73548baf63de,0x766a0abb3c77b2a8 ++ .quad 0x81c2c92e47edaee6,0x92722c851482353b ++ .quad 0xa2bfe8a14cf10364,0xa81a664bbc423001 ++ .quad 0xc24b8b70d0f89791,0xc76c51a30654be30 ++ .quad 0xd192e819d6ef5218,0xd69906245565a910 ++ .quad 0xf40e35855771202a,0x106aa07032bbd1b8 ++ .quad 0x19a4c116b8d2d0c8,0x1e376c085141ab53 ++ .quad 0x2748774cdf8eeb99,0x34b0bcb5e19b48a8 ++ .quad 
0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb ++ .quad 0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3 ++ .quad 0x748f82ee5defb2fc,0x78a5636f43172f60 ++ .quad 0x84c87814a1f0ab72,0x8cc702081a6439ec ++ .quad 0x90befffa23631e28,0xa4506cebde82bde9 ++ .quad 0xbef9a3f7b2c67915,0xc67178f2e372532b ++ .quad 0xca273eceea26619c,0xd186b8c721c0c207 ++ .quad 0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178 ++ .quad 0x06f067aa72176fba,0x0a637dc5a2c898a6 ++ .quad 0x113f9804bef90dae,0x1b710b35131c471b ++ .quad 0x28db77f523047d84,0x32caab7b40c72493 ++ .quad 0x3c9ebe0a15c9bebc,0x431d67c49c100d4c ++ .quad 0x4cc5d4becb3e42b6,0x597f299cfc657e2a ++ .quad 0x5fcb6fab3ad6faec,0x6c44198c4a475817 + ___ + $code.=<<___ if ($SZ==4); + .long 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5 diff -Nru openssl-1.0.1i/debian/patches/req_bits.patch openssl-1.0.1i/debian/patches/req_bits.patch --- openssl-1.0.1i/debian/patches/req_bits.patch 2014-05-12 23:04:40.000000000 +0200 +++ openssl-1.0.1i/debian/patches/req_bits.patch 1970-01-01 01:00:00.000000000 +0100 
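Review bot: In the `crypto/perlasm/ppc-xlate.pl` part of this patch, `/linux.*32/ || /linux.*64le/ && do { ... }` parses as `/linux.*32/ || (/linux.*64le/ && do { ... })` because `&&` binds tighter than `||`. For a 32-bit Linux flavour the first match short-circuits, so the block that emits `.globl`/`.type` and calls `last` no longer runs. Put the alternation in one pattern, `/linux.*(32|64le)/ && do { $ret .= ".globl $name\n";`, or parenthesise the two matches. The `$size` closure further down uses an explicit `if (... || ...)` and is not affected. The enclosing switch starts and ends outside the hunk, so what the fall-through reaches for linux32 is not visible here.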
@@ -1,43 +0,0 @@ -From: Kurt Roeckx -Date: Sun, 22 Dec 2013 19:10:21 +0100 -Subject: Use defaults bits in req when not given -Bug: http://rt.openssl.org/Ticket/Display.html?id=2592&user=guest&pass=guest - -Index: openssl-1.0.1e/apps/req.c -=================================================================== ---- openssl-1.0.1e.orig/apps/req.c 2013-12-22 19:47:42.355657810 +0100 -+++ openssl-1.0.1e/apps/req.c 2013-12-22 19:57:12.287547599 +0100 -@@ -644,6 +644,11 @@ - if (inrand) - app_RAND_load_files(inrand); - -+ if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey)) -+ { -+ newkey=DEFAULT_KEY_LENGTH; -+ } -+ - if (keyalg) - { - genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey, -@@ -652,12 +657,6 @@ - goto end; - } - -- if (newkey <= 0) -- { -- if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey)) -- newkey=DEFAULT_KEY_LENGTH; -- } -- - if (newkey < MIN_KEY_LENGTH && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) - { - BIO_printf(bio_err,"private key length is too short,\n"); -@@ -1649,6 +1648,8 @@ - keylen = atol(p + 1); - *pkeylen = keylen; - } -+ else -+ keylen = *pkeylen; - } - else if (p) - paramfile = p + 1; diff -Nru openssl-1.0.1i/debian/patches/series openssl-1.0.1i/debian/patches/series --- openssl-1.0.1i/debian/patches/series 2014-08-07 00:04:47.000000000 +0200 +++ openssl-1.0.1i/debian/patches/series 2014-08-07 19:29:08.000000000 +0200 @@ -21,3 +21,5 @@ #padlock_conf.patch defaults.patch openssl_fix_for_x32.patch +perlpath-quilt.patch +ppc64-support diff -Nru openssl-1.0.1i/debian/rules openssl-1.0.1i/debian/rules --- openssl-1.0.1i/debian/rules 2014-05-12 23:08:04.000000000 +0200 +++ openssl-1.0.1i/debian/rules 2014-08-07 19:00:06.000000000 +0200 
@@ -17,6 +17,8 @@ # The binary architeture DEB_HOST_ARCH = $(shell dpkg-architecture -qDEB_HOST_ARCH) +DEB_HOST_ARCH_OS = $(shell dpkg-architecture -qDEB_HOST_ARCH_OS) + DEB_HOST_MULTIARCH=$(shell dpkg-architecture -qDEB_HOST_MULTIARCH) DEB_HOST_ARCH_CPU=$(shell dpkg-architecture -qDEB_HOST_ARCH_CPU) @@ -24,11 +26,20 @@ DEB_BUILD_GNU_TYPE=$(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) ifneq ($(DEB_HOST_GNU_TYPE),$(DEB_BUILD_GNU_TYPE)) export CROSS_COMPILE ?= $(DEB_HOST_GNU_TYPE)- + CROSS=CC=$(DEB_HOST_GNU_TYPE)-gcc + MAKE_TEST=: +else + CROSS=CC=$(CC) + MAKE_TEST=make test +endif + +ifeq ($(DEB_HOST_ARCH),amd64) + ARCH_CONFARGS := enable-ec_nistp_64_gcc_128 endif -CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib enable-tlsext no-ssl2 +CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib enable-tlsext no-ssl2 $(ARCH_CONFARGS) + OPT_alpha = ev4 ev5 -OPT_i386 = i586 i686/cmov ARCHOPTS = OPT_$(DEB_HOST_ARCH) OPTS = $($(ARCHOPTS)) WANTED_LIBC_VERSION = 2.3.1-10 @@ -37,7 +48,6 @@ CONFARGS += enable-ec_nistp_64_gcc_128 endif -MAKE_TEST = make test ifneq (,$(findstring nocheck,$(DEB_BUILD_OPTIONS))) MAKE_TEST = : endif @@ -50,7 +60,8 @@ # perl util/ssldir.pl /usr/lib/ssl # chmod +x debian/libtool ./Configure no-shared $(CONFARGS) debian-$(DEB_HOST_ARCH) - make -f Makefile all + $(if $(filter enable-ec_nistp_64_gcc_128, $(CONFARGS)), make $(CROSS) -f Makefile depend) + make $(CROSS) -f Makefile all $(MAKE_TEST) mv libcrypto.a libcrypto.static mv libssl.a libssl.static 
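Review bot: In the `ifneq ($(DEB_HOST_GNU_TYPE),$(DEB_BUILD_GNU_TYPE))` branch, `MAKE_TEST=:` turns the OpenSSL test suite into a silent no-op, so a cross-built libcrypto/libssl leaves no trace in the build log that it was never self-tested. That includes the little-endian assembler paths this same upload adds. Make the skip visible with a value that still works both as a recipe line and inside the `$(MAKE_TEST); \` loop, for example `MAKE_TEST=echo "cross-build: OpenSSL test suite NOT run"`. Add a comment above the conditional, such as `# tests need to execute host binaries, so they cannot run when cross-building`.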
@@ -59,22 +70,22 @@ do \ set -xe; \ ./Configure shared $(CONFARGS) debian-$(DEB_HOST_ARCH)-$$opt; \ - make -f Makefile all; \ + make $(CROSS) -f Makefile all; \ $(MAKE_TEST); \ mkdir -p $$opt; \ mv libcrypto.so* libssl.so* $$opt/; \ make -f Makefile clean; \ done ./Configure shared $(CONFARGS) debian-$(DEB_HOST_ARCH) - #make -f Makefile depend + #make $(CROSS) -f Makefile depend ln -sf apps/openssl.pod crypto/crypto.pod ssl/ssl.pod doc/ -# make -f Makefile linux-shared - make -f Makefile all +# make $(CROSS) -f Makefile linux-shared + make $(CROSS) -f Makefile all $(MAKE_TEST) # strip apps/openssl # make -f Makefile clean # ./Configure --prefix=/usr --openssldir=/usr/lib/ssl no-idea no-mdc2 no-rc5 debian-$(DEB_HOST_ARCH) -# make -f Makefile all +# make $(CROSS) -f Makefile all touch build-stamp clean: @@ -82,6 +93,7 @@ dh_testroot -rm -f build-stamp -./Configure $(CONFARGS) debian-$(DEB_HOST_ARCH) + -sed -i -e 's/rm -f/rm -rf/' Makefile [ ! -f Makefile ] || make -f Makefile clean clean-shared #-make -f Makefile dclean # perl util/ssldir.pl /usr/local/ssl 
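Review bot: The line added to the clean target, `-sed -i -e 's/rm -f/rm -rf/' Makefile`, rewrites the first `rm -f` on every line of the generated Makefile, not only the rule that has to remove the libs directories, and the leading `-` hides a failed edit. Every cleanup command in that Makefile becomes recursive, so a path variable that expands to something unexpected now removes a whole tree instead of failing on a directory. Restrict the substitution to the one rule that needs it with a sed address, or remove the directories explicitly from debian/rules. Document the intent with a comment such as `# upstream clean runs rm -f on directories; make only that rule recursive`. The clean recipe starts before and continues after the hunk.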
@@ -95,7 +107,7 @@ -rm -rf core $(OPTS) -rm doc/*.pod -rm -f libcrypto.* libssl.* - -cd test && rm -f .rnd tmp.bntest tmp.bctest *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff bntest ectest ecdsatest ecdhtest ideatest md2test md4test md5test hmactest rc2test rc4test rc5test destest shatest sha1test sha256t sha512t mdc2test rmdtest randtest dhtest enginetest bftest casttest ssltest exptest dsatest rsa_test evp_test *.ss *.srl log dummytest newkey.pem igetest + -cd test && rm -f .rnd tmp.bntest tmp.bctest *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff bntest ectest ecdsatest ecdhtest ideatest md2test md4test md5test hmactest rc2test rc4test rc5test destest shatest sha1test sha256t sha512t mdc2test rmdtest randtest dhtest enginetest bftest casttest ssltest exptest dsatest rsa_test evp_test *.ss *.srl log dummytest newkey.pem igetest jpaketest srptest wp_test asn1test -rm Makefile apps/CA.pl tools/c_rehash crypto/opensslconf.h crypto/x86_64cpuid.S rm -f test/asn1test test/wp_test test/srptest test/jpaketest rm -f certs/demo/*.0 @@ -107,7 +119,7 @@ dh_testroot dh_clean dh_installdirs - make -f Makefile install INSTALL_PREFIX=`pwd`/debian/tmp + make -f Makefile $(CROSS) install INSTALL_PREFIX=`pwd`/debian/tmp binary-indep: build install dh_testdir 
@@ -133,12 +145,17 @@ # mv debian/tmp/usr/lib/libssl.a debian/tmp/usr/lib/libssl_pic.a cp -pf libcrypto.static debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libcrypto.a cp -pf libssl.static debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libssl.a + # move runtime libraries to /lib + install -d debian/tmp/lib/$(DEB_HOST_MULTIARCH) + mv debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/lib*.so.* debian/tmp/lib/$(DEB_HOST_MULTIARCH) + ln -sf /lib/$(DEB_HOST_MULTIARCH)/$$(readlink debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libcrypto.so) debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libcrypto.so + ln -sf /lib/$(DEB_HOST_MULTIARCH)/$$(readlink debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libssl.so) debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libssl.so mkdir -p debian/tmp/etc/ssl mv debian/tmp/usr/lib/ssl/{certs,openssl.cnf,private} debian/tmp/etc/ssl/ ln -s /etc/ssl/{certs,openssl.cnf,private} debian/tmp/usr/lib/ssl/ - cp -pf debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libcrypto.so.* debian/libcrypto1.0.0-udeb/usr/lib/ - cp -auv lib*.so* debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/ - for opt in $(OPTS); do set -xe; mkdir -p debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/$$opt; cp -auv $$opt/lib*.so* debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/$$opt/; done + cp -pf debian/tmp/lib/$(DEB_HOST_MULTIARCH)/libcrypto.so.* debian/libcrypto1.0.0-udeb/lib/ + cp -pf debian/tmp/lib/$(DEB_HOST_MULTIARCH)/libssl.so.* debian/libssl1.0.0-udeb/lib/ + for opt in $(OPTS); do set -xe; mkdir -p debian/tmp/lib/$(DEB_HOST_MULTIARCH)/$$opt; cp -auv $$opt/lib*.so* debian/tmp/lib/$(DEB_HOST_MULTIARCH)/$$opt/; done mkdir -p debian/tmp/usr/include/$(DEB_HOST_MULTIARCH)/openssl mv debian/tmp/usr/include/openssl/opensslconf.h debian/tmp/usr/include/$(DEB_HOST_MULTIARCH)/openssl/ install debian/copyright debian/libssl1.0.0/usr/share/doc/libssl1.0.0/ 
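Review bot: Both new `ln -sf /lib/$(DEB_HOST_MULTIARCH)/$$(readlink ...)` lines use the output of `readlink` unchecked, and the exit status of a command substitution inside an argument is discarded. If `libcrypto.so` or `libssl.so` under `debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)` is missing or not a symlink, the development link is silently created pointing at the `/lib/$(DEB_HOST_MULTIARCH)/` directory itself. Let the failure stop the build: `t=$$(readlink debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libcrypto.so) && ln -sf /lib/$(DEB_HOST_MULTIARCH)/$$t debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libcrypto.so`, and the same for `libssl.so`. The recipe this hunk belongs to starts and ends outside the hunk.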
@@ -153,6 +170,12 @@ dh_installdebconf -a dh_movefiles -a dh_compress -a +# symlink doc files + for p in openssl libssl-dev; do \ + for f in changelog.Debian.gz changelog.gz copyright; do \ + ln -sf ../libssl1.0.0/$$f debian/$$p/usr/share/doc/$$p/$$f; \ + done; \ + done chmod 700 debian/openssl/etc/ssl/private dh_fixperms -a -X etc/ssl/private dh_strip -plibssl1.0.0 --dbg-package=libssl1.0.0-dbg @@ -160,7 +183,8 @@ dh_perl -a -d dpkg-gensymbols -Pdebian/libssl1.0.0/ -plibssl1.0.0 -c4 dh_makeshlibs -a -V "libssl1.0.0 (>= 1.0.1d)" --add-udeb="libcrypto1.0.0-udeb" -Xengines - dh_shlibdeps -a -L libssl1.0.0 -l debian/libssl1.0.0/usr/lib/$(DEB_HOST_MULTIARCH) + sed -i '/^udeb: libssl/s/libcrypto1.0.0-udeb/libssl1.0.0-udeb/' debian/libssl1.0.0/DEBIAN/shlibs + dh_shlibdeps -a -L libssl1.0.0 -l debian/libssl1.0.0/lib/$(DEB_HOST_MULTIARCH) dh_gencontrol -a dh_installdeb -a dh_md5sums -a diff -Nru openssl-1.0.1i/debian/source/options openssl-1.0.1i/debian/source/options --- openssl-1.0.1i/debian/source/options 1970-01-01 01:00:00.000000000 +0100 +++ openssl-1.0.1i/debian/source/options 2014-01-08 21:48:19.000000000 +0100 @@ -0,0 +1,3 @@ +# If building on amd64, Makefiles are regenerated +# We could move .save Makefiles back in place.... +extend-diff-ignore = "(^|/)(Makefile)$"
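Review bot: The new doc-symlink loop joins its commands with `;` and never sets `-e`, so a failing `ln -sf` for any file but the last is ignored and the recipe line still succeeds. The other shell loops in this file begin with `set -xe`; open this one the same way, `set -e; for p in openssl libssl-dev; do \`. Because the docs of `openssl` and `libssl-dev` become links into `../libssl1.0.0/`, those packages presumably need a dependency on libssl1.0.0 in debian/control, which this hunk does not show. The recipe starts and ends outside the hunk.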