- listen on ipv6 wildcard in s_server so we accept connections

from both ipv4 and ipv6 (#601612)
- fix openssl speed command so it can be used in the FIPS mode
  with FIPS allowed ciphers
This commit is contained in:
Tomas Mraz 2011-01-24 17:41:43 +01:00
parent 540056f0e0
commit 09127ac54a
3 changed files with 162 additions and 1 deletions

View File

@ -0,0 +1,57 @@
diff -up openssl-1.0.0c/apps/s_socket.c.ipv6listen openssl-1.0.0c/apps/s_socket.c
--- openssl-1.0.0c/apps/s_socket.c.ipv6listen 2011-01-24 16:44:18.000000000 +0100
+++ openssl-1.0.0c/apps/s_socket.c 2011-01-24 16:56:25.000000000 +0100
@@ -335,15 +335,16 @@ int do_server(char *port, int type, int
static int init_server(int *sock, char *port, int type)
{
- struct addrinfo *res, *res0, hints;
+ struct addrinfo *res, *res0 = NULL, hints;
char * failed_call = NULL;
- char port_name[8];
int s;
int e;
if (!ssl_sock_init()) return(0);
memset(&hints, '\0', sizeof(hints));
+ hints.ai_family = AF_INET6;
+tryipv4:
hints.ai_socktype = type;
hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
@@ -365,6 +366,12 @@ static int init_server(int *sock, char *
failed_call = "socket";
goto nextres;
}
+ if (hints.ai_family == AF_INET6)
+ {
+ int j = 0;
+ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
+ (void *) &j, sizeof j);
+ }
#if defined SOL_SOCKET && defined SO_REUSEADDR
{
int j = 1;
@@ -392,9 +399,19 @@ nextres:
close(s);
res = res->ai_next;
}
- freeaddrinfo(res0);
+ if (res0)
+ freeaddrinfo(res0);
- if (s == INVALID_SOCKET) { perror("socket"); return(0); }
+ if (s == INVALID_SOCKET)
+ {
+ if (hints.ai_family == AF_INET6)
+ {
+ hints.ai_family = AF_INET;
+ goto tryipv4;
+ }
+ perror("socket");
+ return(0);
+ }
perror(failed_call);
return(0);

View File

@ -0,0 +1,94 @@
diff -up openssl-1.0.0c/apps/speed.c.spfips openssl-1.0.0c/apps/speed.c
--- openssl-1.0.0c/apps/speed.c.spfips 2010-11-18 14:22:26.000000000 +0100
+++ openssl-1.0.0c/apps/speed.c 2011-01-24 17:25:32.000000000 +0100
@@ -100,6 +100,9 @@
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
#if !defined(OPENSSL_SYS_MSDOS)
#include OPENSSL_UNISTD
#endif
@@ -908,7 +911,12 @@ int MAIN(int argc, char **argv)
#ifndef OPENSSL_NO_RSA
if (strcmp(*argv,"rsa") == 0)
{
+#ifdef OPENSSL_FIPS
+ if (!FIPS_mode())
+#endif
+ {
rsa_doit[R_RSA_512]=1;
+ }
rsa_doit[R_RSA_1024]=1;
rsa_doit[R_RSA_2048]=1;
rsa_doit[R_RSA_4096]=1;
@@ -918,7 +926,12 @@ int MAIN(int argc, char **argv)
#ifndef OPENSSL_NO_DSA
if (strcmp(*argv,"dsa") == 0)
{
+#ifdef OPENSSL_FIPS
+ if (!FIPS_mode())
+#endif
+ {
dsa_doit[R_DSA_512]=1;
+ }
dsa_doit[R_DSA_1024]=1;
dsa_doit[R_DSA_2048]=1;
}
@@ -1193,30 +1206,54 @@ int MAIN(int argc, char **argv)
AES_set_encrypt_key(key32,256,&aes_ks3);
#endif
#ifndef OPENSSL_NO_CAMELLIA
+ if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML])
+ {
Camellia_set_key(key16,128,&camellia_ks1);
Camellia_set_key(ckey24,192,&camellia_ks2);
Camellia_set_key(ckey32,256,&camellia_ks3);
+ }
#endif
#ifndef OPENSSL_NO_IDEA
+ if (doit[D_CBC_IDEA])
+ {
idea_set_encrypt_key(key16,&idea_ks);
+ }
#endif
#ifndef OPENSSL_NO_SEED
+ if (doit[D_CBC_SEED])
+ {
SEED_set_key(key16,&seed_ks);
+ }
#endif
#ifndef OPENSSL_NO_RC4
+ if (doit[D_RC4])
+ {
RC4_set_key(&rc4_ks,16,key16);
+ }
#endif
#ifndef OPENSSL_NO_RC2
+ if (doit[D_CBC_RC2])
+ {
RC2_set_key(&rc2_ks,16,key16,128);
+ }
#endif
#ifndef OPENSSL_NO_RC5
+ if (doit[D_CBC_RC5])
+ {
RC5_32_set_key(&rc5_ks,16,key16,12);
+ }
#endif
#ifndef OPENSSL_NO_BF
+ if (doit[D_CBC_BF])
+ {
BF_set_key(&bf_ks,16,key16);
+ }
#endif
#ifndef OPENSSL_NO_CAST
+ if (doit[D_CBC_CAST])
+ {
CAST_set_key(&cast_ks,16,key16);
+ }
#endif
#ifndef OPENSSL_NO_RSA
memset(rsa_c,0,sizeof(rsa_c));

View File

@ -21,7 +21,7 @@
Summary: A general purpose cryptography library with TLS implementation Summary: A general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 1.0.0c Version: 1.0.0c
Release: 1%{?dist} Release: 2%{?dist}
# We remove certain patented algorithms from the openssl source tarball # We remove certain patented algorithms from the openssl source tarball
# with the hobble-openssl script which is included below. # with the hobble-openssl script which is included below.
Source: openssl-%{version}-usa.tar.bz2 Source: openssl-%{version}-usa.tar.bz2
@ -62,6 +62,8 @@ Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
Patch51: openssl-1.0.0c-version.patch Patch51: openssl-1.0.0c-version.patch
Patch52: openssl-1.0.0b-aesni.patch Patch52: openssl-1.0.0b-aesni.patch
Patch53: openssl-1.0.0-name-hash.patch Patch53: openssl-1.0.0-name-hash.patch
Patch54: openssl-1.0.0c-speed-fips.patch
Patch55: openssl-1.0.0c-apps-ipv6listen.patch
# Backported fixes including security fixes # Backported fixes including security fixes
License: OpenSSL License: OpenSSL
@ -144,6 +146,8 @@ from other formats to the formats used by the OpenSSL toolkit.
%patch51 -p1 -b .version %patch51 -p1 -b .version
%patch52 -p1 -b .aesni %patch52 -p1 -b .aesni
%patch53 -p1 -b .name-hash %patch53 -p1 -b .name-hash
%patch54 -p1 -b .spfips
%patch55 -p1 -b .ipv6listen
# Modify the various perl scripts to reference perl in the right location. # Modify the various perl scripts to reference perl in the right location.
perl util/perlpath.pl `dirname %{__perl}` perl util/perlpath.pl `dirname %{__perl}`
@ -393,6 +397,12 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun -p /sbin/ldconfig %postun -p /sbin/ldconfig
%changelog %changelog
* Mon Jan 24 2011 Tomas Mraz <tmraz@redhat.com> 1.0.0c-2
- listen on ipv6 wildcard in s_server so we accept connections
from both ipv4 and ipv6 (#601612)
- fix openssl speed command so it can be used in the FIPS mode
with FIPS allowed ciphers
* Fri Dec 3 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0c-1 * Fri Dec 3 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0c-1
- new upstream version fixing CVE-2010-4180 - new upstream version fixing CVE-2010-4180