[arch-commits] Commit in bitcoin/trunk (4 files)
Timothy Redaelli
tredaelli at archlinux.org
Mon Feb 16 17:07:20 UTC 2015
Date: Monday, February 16, 2015 @ 18:07:20
Author: tredaelli
Revision: 127801
upgpkg: bitcoin 0.10.0-1
Deleted:
bitcoin/trunk/037bfefe6bccbdf656e628a1f4526db8f80c3922.patch
bitcoin/trunk/0a94661e8db94e84ecbf1ea45a51fb3c7fb77283.patch
bitcoin/trunk/60c51f1c381bbd93c70cfdf41c6688609a7956fc.patch
bitcoin/trunk/b8e81b7ccd4490155e3345fc73346ff8c3a77524.patch
------------------------------------------------+
037bfefe6bccbdf656e628a1f4526db8f80c3922.patch | 43 -------------------
0a94661e8db94e84ecbf1ea45a51fb3c7fb77283.patch | 50 -----------------------
60c51f1c381bbd93c70cfdf41c6688609a7956fc.patch | 25 -----------
b8e81b7ccd4490155e3345fc73346ff8c3a77524.patch | 43 -------------------
4 files changed, 161 deletions(-)
Deleted: 037bfefe6bccbdf656e628a1f4526db8f80c3922.patch
===================================================================
--- 037bfefe6bccbdf656e628a1f4526db8f80c3922.patch 2015-02-16 17:05:57 UTC (rev 127800)
+++ 037bfefe6bccbdf656e628a1f4526db8f80c3922.patch 2015-02-16 17:07:20 UTC (rev 127801)
@@ -1,43 +0,0 @@
-From 037bfefe6bccbdf656e628a1f4526db8f80c3922 Mon Sep 17 00:00:00 2001
-From: "Wladimir J. van der Laan" <laanwj at gmail.com>
-Date: Mon, 12 Jan 2015 09:28:24 +0100
-Subject: [PATCH] Improve robustness of DER recoding code
-
-Add some defensive programming on top of #5634.
-
-This copies the respective OpenSSL code in ECDSA_verify in
-OpenSSL pre-1.0.1k (e.g. https://github.com/openssl/openssl/blob/OpenSSL_1_0_1j/crypto/ecdsa/ecs_vrf.c#L89)
-more closely.
-
-As reported by @sergiodemianlerner.
-
-Github-Pull: #5640
-Rebased-From: c6b7b29f232c651f898eeffb93f36c8f537c56d2
----
- src/key.cpp | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/src/key.cpp b/src/key.cpp
-index a845ba1..63332bf 100644
---- a/src/key.cpp
-+++ b/src/key.cpp
-@@ -234,7 +234,18 @@ class CECKey {
- unsigned char *norm_der = NULL;
- ECDSA_SIG *norm_sig = ECDSA_SIG_new();
- const unsigned char* sigptr = &vchSig[0];
-- d2i_ECDSA_SIG(&norm_sig, &sigptr, vchSig.size());
-+ assert(norm_sig);
-+ if (d2i_ECDSA_SIG(&norm_sig, &sigptr, vchSig.size()) == NULL)
-+ {
-+ /* As of OpenSSL 1.0.0p d2i_ECDSA_SIG frees and nulls the pointer on
-+ * error. But OpenSSL's own use of this function redundantly frees the
-+ * result. As ECDSA_SIG_free(NULL) is a no-op, and in the absence of a
-+ * clear contract for the function behaving the same way is more
-+ * conservative.
-+ */
-+ ECDSA_SIG_free(norm_sig);
-+ return false;
-+ }
- int derlen = i2d_ECDSA_SIG(norm_sig, &norm_der);
- ECDSA_SIG_free(norm_sig);
- if (derlen <= 0)
Deleted: 0a94661e8db94e84ecbf1ea45a51fb3c7fb77283.patch
===================================================================
--- 0a94661e8db94e84ecbf1ea45a51fb3c7fb77283.patch 2015-02-16 17:05:57 UTC (rev 127800)
+++ 0a94661e8db94e84ecbf1ea45a51fb3c7fb77283.patch 2015-02-16 17:07:20 UTC (rev 127801)
@@ -1,50 +0,0 @@
-From 0a94661e8db94e84ecbf1ea45a51fb3c7fb77283 Mon Sep 17 00:00:00 2001
-From: Gregory Maxwell <greg at xiph.org>
-Date: Sat, 6 Dec 2014 07:08:02 -0800
-Subject: [PATCH] Disable SSLv3 (in favor of TLS) for the RPC client and
- server.
-
-TLS is subject to downgrade attacks when SSLv3 is available, and
- SSLv3 has vulnerabilities.
-
-The popular solution is to disable SSLv3. On the web this breaks
- some tiny number of very old clients. While Bitcoin RPC shouldn't
- be exposed to the open Internet, it also shouldn't be exposed to
- really old SSL implementations, so it shouldn't be a major issue
- for us to disable SSLv3.
-
-There is more information on the downgrade attacks and disabling
- SSLv3 at https://disablessl3.com/ .
-
-Rebased-From: 683dc4009b2b01699e672f8150c28e2ebe0aae19
----
- src/rpcclient.cpp | 2 +-
- src/rpcserver.cpp | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/rpcclient.cpp b/src/rpcclient.cpp
-index 4f3c39c..5e62b71 100644
---- a/src/rpcclient.cpp
-+++ b/src/rpcclient.cpp
-@@ -40,7 +40,7 @@ Object CallRPC(const string& strMethod, const Array& params)
- bool fUseSSL = GetBoolArg("-rpcssl", false);
- asio::io_service io_service;
- ssl::context context(io_service, ssl::context::sslv23);
-- context.set_options(ssl::context::no_sslv2);
-+ context.set_options(ssl::context::no_sslv2 | ssl::context::no_sslv3);
- asio::ssl::stream<asio::ip::tcp::socket> sslStream(io_service, context);
- SSLIOStreamDevice<asio::ip::tcp> d(sslStream, fUseSSL);
- iostreams::stream< SSLIOStreamDevice<asio::ip::tcp> > stream(d);
-diff --git a/src/rpcserver.cpp b/src/rpcserver.cpp
-index f43acf4..cc9e330 100644
---- a/src/rpcserver.cpp
-+++ b/src/rpcserver.cpp
-@@ -539,7 +539,7 @@ void StartRPCThreads()
-
- if (fUseSSL)
- {
-- rpc_ssl_context->set_options(ssl::context::no_sslv2);
-+ rpc_ssl_context->set_options(ssl::context::no_sslv2 | ssl::context::no_sslv3);
-
- filesystem::path pathCertFile(GetArg("-rpcsslcertificatechainfile", "server.cert"));
- if (!pathCertFile.is_complete()) pathCertFile = filesystem::path(GetDataDir()) / pathCertFile;
Deleted: 60c51f1c381bbd93c70cfdf41c6688609a7956fc.patch
===================================================================
--- 60c51f1c381bbd93c70cfdf41c6688609a7956fc.patch 2015-02-16 17:05:57 UTC (rev 127800)
+++ 60c51f1c381bbd93c70cfdf41c6688609a7956fc.patch 2015-02-16 17:07:20 UTC (rev 127801)
@@ -1,25 +0,0 @@
-From 60c51f1c381bbd93c70cfdf41c6688609a7956fc Mon Sep 17 00:00:00 2001
-From: "Wladimir J. van der Laan" <laanwj at gmail.com>
-Date: Sat, 10 Jan 2015 08:58:47 +0100
-Subject: [PATCH] fail immediately on an empty signature
-
-Github-Pull: #5634
-Rebased-From: 8dccba6a45db0466370726ed462b9da2eae43bce
----
- src/key.cpp | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/key.cpp b/src/key.cpp
-index e5943af..a845ba1 100644
---- a/src/key.cpp
-+++ b/src/key.cpp
-@@ -227,6 +227,9 @@ class CECKey {
- }
-
- bool Verify(const uint256 &hash, const std::vector<unsigned char>& vchSig) {
-+ if (vchSig.empty())
-+ return false;
-+
- // New versions of OpenSSL will reject non-canonical DER signatures. de/re-serialize first.
- unsigned char *norm_der = NULL;
- ECDSA_SIG *norm_sig = ECDSA_SIG_new();
Deleted: b8e81b7ccd4490155e3345fc73346ff8c3a77524.patch
===================================================================
--- b8e81b7ccd4490155e3345fc73346ff8c3a77524.patch 2015-02-16 17:05:57 UTC (rev 127800)
+++ b8e81b7ccd4490155e3345fc73346ff8c3a77524.patch 2015-02-16 17:07:20 UTC (rev 127801)
@@ -1,43 +0,0 @@
-From b8e81b7ccd4490155e3345fc73346ff8c3a77524 Mon Sep 17 00:00:00 2001
-From: Cory Fields <cory-nospam- at coryfields.com>
-Date: Fri, 9 Jan 2015 16:39:12 -0500
-Subject: [PATCH] consensus: guard against openssl's new strict DER checks
-
-New versions of OpenSSL will reject non-canonical DER signatures. However,
-it'll happily decode them. Decode then re-encode before verification in order
-to ensure that it is properly consumed.
-
-Github-Pull: #5634
-Rebased-From: 488ed32f2ada1d1dd108fc245d025c4d5f252783
----
- src/key.cpp | 16 +++++++++++++---
- 1 file changed, 13 insertions(+), 3 deletions(-)
-
-diff --git a/src/key.cpp b/src/key.cpp
-index 5b261bb..e5943af 100644
---- a/src/key.cpp
-+++ b/src/key.cpp
-@@ -227,10 +227,20 @@ class CECKey {
- }
-
- bool Verify(const uint256 &hash, const std::vector<unsigned char>& vchSig) {
-- // -1 = error, 0 = bad sig, 1 = good
-- if (ECDSA_verify(0, (unsigned char*)&hash, sizeof(hash), &vchSig[0], vchSig.size(), pkey) != 1)
-+ // New versions of OpenSSL will reject non-canonical DER signatures. de/re-serialize first.
-+ unsigned char *norm_der = NULL;
-+ ECDSA_SIG *norm_sig = ECDSA_SIG_new();
-+ const unsigned char* sigptr = &vchSig[0];
-+ d2i_ECDSA_SIG(&norm_sig, &sigptr, vchSig.size());
-+ int derlen = i2d_ECDSA_SIG(norm_sig, &norm_der);
-+ ECDSA_SIG_free(norm_sig);
-+ if (derlen <= 0)
- return false;
-- return true;
-+
-+ // -1 = error, 0 = bad sig, 1 = good
-+ bool ret = ECDSA_verify(0, (unsigned char*)&hash, sizeof(hash), norm_der, derlen, pkey) == 1;
-+ OPENSSL_free(norm_der);
-+ return ret;
- }
-
- bool SignCompact(const uint256 &hash, unsigned char *p64, int &rec) {
More information about the arch-commits
mailing list