~ubuntu-branches/ubuntu/oneiric/openssl/oneiric-security


Viewing changes to ssl/ssl_lib.c

  • Committer: Package Import Robot
  • Author(s): Steve Beattie
  • Date: 2011-09-14 22:06:03 UTC
  • mfrom: (11.1.23 sid)
  • Revision ID: package-import@ubuntu.com-20110914220603-tsuxw8z3kt4lx9oc
Tags: 1.0.0e-2ubuntu1
* Resynchronise with Debian, fixes CVE-2011-1945, CVE-2011-3207 and
  CVE-2011-3210 (LP: #850608). Remaining changes:
  - debian/libssl1.0.0.postinst:
    + Display a system restart required notification bubble on libssl1.0.0
      upgrade.
    + Use a different priority for libssl1.0.0/restart-services depending
      on whether a desktop, or server dist-upgrade is being performed.
  - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
    libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
    in Debian).
  - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
    rules}: Move runtime libraries to /lib, for the benefit of
    wpasupplicant.
  - debian/patches/aesni.patch: Backport Intel AES-NI support, now from
    http://rt.openssl.org/Ticket/Display.html?id=2065 rather than the
    0.9.8 variant.
  - debian/patches/Bsymbolic-functions.patch: Link using
    -Bsymbolic-functions.
  - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
    .pc.
  - debian/rules:
    + Don't run 'make test' when cross-building.
    + Use host compiler when cross-building.  Patch from Neil Williams.
    + Don't build for processors no longer supported: i486, i586 (on
      i386), v8 (on sparc).
    + Fix Makefile to properly clean up libs/ dirs in clean target.
    + Replace duplicate files in the doc directory with symlinks.
* debian/libssl1.0.0.postinst: only display restart notification on
  servers (LP: #244250)

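--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1833,7 +1833,7 @@
 #endif
         X509 *x = NULL;
         EVP_PKEY *ecc_pkey = NULL;
-        int signature_nid = 0;
+        int signature_nid = 0, pk_nid = 0, md_nid = 0;
 
         if (c == NULL) return;
 
@@ -1963,18 +1963,15 @@
                     EVP_PKEY_bits(ecc_pkey) : 0;
                 EVP_PKEY_free(ecc_pkey);
                 if ((x->sig_alg) && (x->sig_alg->algorithm))
+                        {
                         signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
+                        OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
+                        }
 #ifndef OPENSSL_NO_ECDH
                 if (ecdh_ok)
                         {
-                        const char *sig = OBJ_nid2ln(signature_nid);
-                        if (sig == NULL)
-                                {
-                                ERR_clear_error();
-                                sig = "unknown";
-                                }
-                                
-                        if (strstr(sig, "WithRSA"))
+
+                        if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa)
                                 {
                                 mask_k|=SSL_kECDHr;
                                 mask_a|=SSL_aECDH;
@@ -1985,7 +1982,7 @@
                                         }
                                 }
 
-                        if (signature_nid == NID_ecdsa_with_SHA1)
+                        if (pk_nid == NID_X9_62_id_ecPublicKey)
                                 {
                                 mask_k|=SSL_kECDHe;
                                 mask_a|=SSL_aECDH;
@@ -2039,7 +2036,7 @@
         unsigned long alg_k, alg_a;
         EVP_PKEY *pkey = NULL;
         int keysize = 0;
-        int signature_nid = 0;
+        int signature_nid = 0, md_nid = 0, pk_nid = 0;
 
         alg_k = cs->algorithm_mkey;
         alg_a = cs->algorithm_auth;
@@ -2057,7 +2054,10 @@
         /* This call populates the ex_flags field correctly */
         X509_check_purpose(x, -1, 0);
         if ((x->sig_alg) && (x->sig_alg->algorithm))
+                {
                 signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
+                OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
+                }
         if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr)
                 {
                 /* key usage, if present, must allow key agreement */
@@ -2069,7 +2069,7 @@
                 if (alg_k & SSL_kECDHe)
                         {
                         /* signature alg must be ECDSA */
-                        if (signature_nid != NID_ecdsa_with_SHA1)
+                        if (pk_nid != NID_X9_62_id_ecPublicKey)
                                 {
                                 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE);
                                 return 0;
@@ -2079,13 +2079,7 @@
                         {
                         /* signature alg must be RSA */
 
-                        const char *sig = OBJ_nid2ln(signature_nid);
-                        if (sig == NULL)
-                                {
-                                ERR_clear_error();
-                                sig = "unknown";
-                                }
-                        if (strstr(sig, "WithRSA") == NULL)
+                        if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa)
                                 {
                                 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE);
                                 return 0;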
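Review bot: The result of `OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid)` is ignored at both new call sites (new lines 1968 and 2059), so an unrecognised signature OID is handled only by `pk_nid` having been initialised to 0. That appears to fail closed, since neither ECDH mask is set and the certificate check returns 0, but the dependency is implicit; a comment at each call such as `/* pk_nid stays 0 when the sigalg is unknown, so the checks below reject it */`, or an explicit test of the return value, would keep a later edit from breaking it. `md_nid` is filled in but never read in the visible lines, so the digest is no longer constrained here. As a result the `SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE` reason raised at new line 2074 no longer describes the condition being tested. Both functions begin and end outside the displayed hunks, so any use of `md_nid` elsewhere in them cannot be ruled out from this page.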