From 09127ac54a2e1983a9a0e5c91d9335475b5f3162 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Mon, 24 Jan 2011 17:41:43 +0100
Subject: [PATCH] - listen on ipv6 wildcard in s_server so we accept connections from both ipv4 and ipv6 (#601612) - fix openssl speed command so it can be used in the FIPS mode with FIPS allowed ciphers
---
 openssl-1.0.0c-apps-ipv6listen.patch | 57 +++++++++++++++++
 openssl-1.0.0c-speed-fips.patch | 94 ++++++++++++++++++++++++++++
 openssl.spec | 12 +++-
 3 files changed, 162 insertions(+), 1 deletion(-)
 create mode 100644 openssl-1.0.0c-apps-ipv6listen.patch
 create mode 100644 openssl-1.0.0c-speed-fips.patch
diff --git a/openssl-1.0.0c-apps-ipv6listen.patch b/openssl-1.0.0c-apps-ipv6listen.patch
new file mode 100644
index 0000000..7c3d4a0
--- /dev/null
+++ b/openssl-1.0.0c-apps-ipv6listen.patch
@@ -0,0 +1,57 @@
+diff -up openssl-1.0.0c/apps/s_socket.c.ipv6listen openssl-1.0.0c/apps/s_socket.c
+--- openssl-1.0.0c/apps/s_socket.c.ipv6listen 2011-01-24 16:44:18.000000000 +0100
++++ openssl-1.0.0c/apps/s_socket.c 2011-01-24 16:56:25.000000000 +0100
+@@ -335,15 +335,16 @@ int do_server(char *port, int type, int
+ 
+ static int init_server(int *sock, char *port, int type)
+ {
+- struct addrinfo *res, *res0, hints;
++ struct addrinfo *res, *res0 = NULL, hints;
+ char * failed_call = NULL;
+- char port_name[8];
+ int s;
+ int e;
+ 
+ if (!ssl_sock_init()) return(0);
+ 
+ memset(&hints, '\0', sizeof(hints));
++ hints.ai_family = AF_INET6;
++tryipv4:
+ hints.ai_socktype = type;
+ hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
+ 
+@@ -365,6 +366,12 @@ static int init_server(int *sock, char *
+ failed_call = "socket";
+ goto nextres;
+ }
++ if (hints.ai_family == AF_INET6)
++ {
++ int j = 0;
++ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
++ (void *) &j, sizeof j);
++ }
+ #if defined SOL_SOCKET && defined SO_REUSEADDR
+ {
+ int j = 1;
+@@ -392,9 +399,19 @@ nextres:
+ close(s);
+ res = res->ai_next;
+ }
+- freeaddrinfo(res0);
++ if (res0)
++ freeaddrinfo(res0);
+ 
+- if (s == INVALID_SOCKET) { perror("socket"); return(0); }
++ if (s == INVALID_SOCKET)
++ {
++ if (hints.ai_family == AF_INET6)
++ {
++ hints.ai_family = AF_INET;
++ goto tryipv4;
++ }
++ perror("socket");
++ return(0);
++ }
+ 
+ perror(failed_call);
+ return(0);
diff --git a/openssl-1.0.0c-speed-fips.patch b/openssl-1.0.0c-speed-fips.patch
new file mode 100644
index 0000000..048d673
--- /dev/null
+++ b/openssl-1.0.0c-speed-fips.patch
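Review bot: The `setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, ...)` added in the second inner hunk ignores its return value, so on a platform where V6ONLY cannot be cleared the server silently stays IPv6-only and IPv4 clients are refused — the very case the patch exists to handle; report it at least, `if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, (void *) &j, sizeof j) < 0) perror("setsockopt(IPV6_V6ONLY)");`, and since `IPV6_V6ONLY` is not defined on every target the apps build for, wrap the block in `#ifdef IPV6_V6ONLY`. In the third inner hunk `res0` has just been passed to `freeaddrinfo()` when `goto tryipv4` is taken, and the new `if (res0)` guard only protects the second pass if the getaddrinfo call (between the inner hunks, not visible here) also reassigns `res0` on failure; otherwise the retry frees a dangling pointer, so clear it before jumping, `res0 = NULL;`. init_server's body between the inner hunks and after the final `return(0);` is outside this hunk.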
@@ -0,0 +1,94 @@
+diff -up openssl-1.0.0c/apps/speed.c.spfips openssl-1.0.0c/apps/speed.c
+--- openssl-1.0.0c/apps/speed.c.spfips 2010-11-18 14:22:26.000000000 +0100
++++ openssl-1.0.0c/apps/speed.c 2011-01-24 17:25:32.000000000 +0100
+@@ -100,6 +100,9 @@
+ #include
+ #include
+ #include
++#ifdef OPENSSL_FIPS
++#include
++#endif
+ #if !defined(OPENSSL_SYS_MSDOS)
+ #include OPENSSL_UNISTD
+ #endif
+@@ -908,7 +911,12 @@ int MAIN(int argc, char **argv)
+ #ifndef OPENSSL_NO_RSA
+ if (strcmp(*argv,"rsa") == 0)
+ {
++#ifdef OPENSSL_FIPS
++ if (!FIPS_mode())
++#endif
++ {
+ rsa_doit[R_RSA_512]=1;
++ }
+ rsa_doit[R_RSA_1024]=1;
+ rsa_doit[R_RSA_2048]=1;
+ rsa_doit[R_RSA_4096]=1;
+@@ -918,7 +926,12 @@ int MAIN(int argc, char **argv)
+ #ifndef OPENSSL_NO_DSA
+ if (strcmp(*argv,"dsa") == 0)
+ {
++#ifdef OPENSSL_FIPS
++ if (!FIPS_mode())
++#endif
++ {
+ dsa_doit[R_DSA_512]=1;
++ }
+ dsa_doit[R_DSA_1024]=1;
+ dsa_doit[R_DSA_2048]=1;
+ }
+@@ -1193,30 +1206,54 @@ int MAIN(int argc, char **argv)
+ AES_set_encrypt_key(key32,256,&aes_ks3);
+ #endif
+ #ifndef OPENSSL_NO_CAMELLIA
++ if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML])
++ {
+ Camellia_set_key(key16,128,&camellia_ks1);
+ Camellia_set_key(ckey24,192,&camellia_ks2);
+ Camellia_set_key(ckey32,256,&camellia_ks3);
++ }
+ #endif
+ #ifndef OPENSSL_NO_IDEA
++ if (doit[D_CBC_IDEA])
++ {
+ idea_set_encrypt_key(key16,&idea_ks);
++ }
+ #endif
+ #ifndef OPENSSL_NO_SEED
++ if (doit[D_CBC_SEED])
++ {
+ SEED_set_key(key16,&seed_ks);
++ }
+ #endif
+ #ifndef OPENSSL_NO_RC4
++ if (doit[D_RC4])
++ {
+ RC4_set_key(&rc4_ks,16,key16);
++ }
+ #endif
+ #ifndef OPENSSL_NO_RC2
++ if (doit[D_CBC_RC2])
++ {
+ RC2_set_key(&rc2_ks,16,key16,128);
++ }
+ #endif
+ #ifndef OPENSSL_NO_RC5
++ if (doit[D_CBC_RC5])
++ {
+ RC5_32_set_key(&rc5_ks,16,key16,12);
++ }
+ #endif
+ #ifndef OPENSSL_NO_BF
++ if (doit[D_CBC_BF])
++ {
+ BF_set_key(&bf_ks,16,key16);
++ }
+ #endif
+ #ifndef OPENSSL_NO_CAST
++ if (doit[D_CBC_CAST])
++ {
+ CAST_set_key(&cast_ks,16,key16);
++ }
+ #endif
+ #ifndef OPENSSL_NO_RSA
+ memset(rsa_c,0,sizeof(rsa_c));
diff --git a/openssl.spec b/openssl.spec
index 0d07c4e..97b7fec 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -21,7 +21,7 @@ Summary: A general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.0c
-Release: 1%{?dist}
+Release: 2%{?dist}
 # We remove certain patented algorithms from the openssl source tarball
 # with the hobble-openssl script which is included below.
 Source: openssl-%{version}-usa.tar.bz2
@@ -62,6 +62,8 @@ Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
 Patch51: openssl-1.0.0c-version.patch
 Patch52: openssl-1.0.0b-aesni.patch
 Patch53: openssl-1.0.0-name-hash.patch
+Patch54: openssl-1.0.0c-speed-fips.patch
+Patch55: openssl-1.0.0c-apps-ipv6listen.patch
 
 # Backported fixes including security fixes
 License: OpenSSL
@@ -144,6 +146,8 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch51 -p1 -b .version
 %patch52 -p1 -b .aesni
 %patch53 -p1 -b .name-hash
+%patch54 -p1 -b .spfips
+%patch55 -p1 -b .ipv6listen
 
 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`
@@ -393,6 +397,12 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun -p /sbin/ldconfig
 
 %changelog
+* Mon Jan 24 2011 Tomas Mraz 1.0.0c-2
+- listen on ipv6 wildcard in s_server so we accept connections
+ from both ipv4 and ipv6 (#601612)
+- fix openssl speed command so it can be used in the FIPS mode
+ with FIPS allowed ciphers
+
 * Fri Dec 3 2010 Tomas Mraz 1.0.0c-1
 - new upstream version fixing CVE-2010-4180
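Review bot: The `!FIPS_mode()` guards in the `rsa` and `dsa` selector hunks cover only the group keywords; the explicit per-size selectors and the enable-everything default taken when no algorithm is named are outside this hunk and, if speed.c still sets `rsa_doit[R_RSA_512]`/`dsa_doit[R_DSA_512]` there, a `speed rsa512` or a bare `speed` in FIPS mode still reaches the 512-bit keys, so the same `#ifdef OPENSSL_FIPS if (!FIPS_mode()) #endif` guard (or clearing those two entries once after argument parsing) is needed at those sites. The `if (doit[...])` wrappers around the non-approved key schedules in the last inner hunk carry no explanation, and a comment such as `/* Only schedule keys for ciphers actually selected; in FIPS mode the non-approved key setup routines are not usable */` would keep a later cleanup from folding them away. The header name in the new `#include` under `#ifdef OPENSSL_FIPS` is not legible on this page, so I cannot confirm where `FIPS_mode()` is declared. MAIN() starts and ends well outside every inner hunk.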