forked from rpms/openssl
- abort if selftests failed and random number generator is polled
- mention EVP_aes and EVP_sha2xx routines in the manpages - add README.FIPS - make CA dir absolute path (#445344) - change default length for RSA key generation to 2048 (#484101)
This commit is contained in:
parent
387d98c6e7
commit
44abf9d002
@ -38,7 +38,7 @@ usage:
|
|||||||
umask 77 ; \
|
umask 77 ; \
|
||||||
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
|
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
|
||||||
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
|
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
|
||||||
/usr/bin/openssl req $(UTF8) -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
|
/usr/bin/openssl req $(UTF8) -newkey rsa:2048 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
|
||||||
cat $$PEM1 > $@ ; \
|
cat $$PEM1 > $@ ; \
|
||||||
echo "" >> $@ ; \
|
echo "" >> $@ ; \
|
||||||
cat $$PEM2 >> $@ ; \
|
cat $$PEM2 >> $@ ; \
|
||||||
@ -46,7 +46,7 @@ usage:
|
|||||||
|
|
||||||
%.key:
|
%.key:
|
||||||
umask 77 ; \
|
umask 77 ; \
|
||||||
/usr/bin/openssl genrsa -des3 1024 > $@
|
/usr/bin/openssl genrsa -aes128 2048 > $@
|
||||||
|
|
||||||
%.csr: %.key
|
%.csr: %.key
|
||||||
umask 77 ; \
|
umask 77 ; \
|
||||||
|
@ -20,7 +20,7 @@ for target in $@ ; do
|
|||||||
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX`
|
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX`
|
||||||
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX`
|
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX`
|
||||||
trap "rm -f $PEM1 $PEM2" SIGINT
|
trap "rm -f $PEM1 $PEM2" SIGINT
|
||||||
answers | /usr/bin/openssl req -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
|
answers | /usr/bin/openssl req -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
|
||||||
cat $PEM1 > ${target}
|
cat $PEM1 > ${target}
|
||||||
echo "" >> ${target}
|
echo "" >> ${target}
|
||||||
cat $PEM2 >> ${target}
|
cat $PEM2 >> ${target}
|
||||||
|
@ -1,9 +1,10 @@
|
|||||||
--- openssl-0.9.8a/apps/openssl.cnf.defaults 2005-09-16 14:20:24.000000000 +0200
|
--- openssl-0.9.8a/apps/openssl.cnf.defaults 2005-09-16 14:20:24.000000000 +0200
|
||||||
+++ openssl-0.9.8a/apps/openssl.cnf 2005-11-04 11:00:37.000000000 +0100
|
+++ openssl-0.9.8a/apps/openssl.cnf 2005-11-04 11:00:37.000000000 +0100
|
||||||
@@ -99,6 +99,7 @@
|
@@ -99,7 +99,8 @@
|
||||||
####################################################################
|
####################################################################
|
||||||
[ req ]
|
[ req ]
|
||||||
default_bits = 1024
|
-default_bits = 1024
|
||||||
|
+default_bits = 2048
|
||||||
+default_md = sha1
|
+default_md = sha1
|
||||||
default_keyfile = privkey.pem
|
default_keyfile = privkey.pem
|
||||||
distinguished_name = req_distinguished_name
|
distinguished_name = req_distinguished_name
|
||||||
|
@ -6,7 +6,7 @@ diff -up openssl-0.9.8j/apps/openssl.cnf.ca-dir openssl-0.9.8j/apps/openssl.cnf
|
|||||||
[ CA_default ]
|
[ CA_default ]
|
||||||
|
|
||||||
-dir = ./demoCA # Where everything is kept
|
-dir = ./demoCA # Where everything is kept
|
||||||
+dir = ../../CA # Where everything is kept
|
+dir = /etc/pki/CA # Where everything is kept
|
||||||
certs = $dir/certs # Where the issued certs are kept
|
certs = $dir/certs # Where the issued certs are kept
|
||||||
crl_dir = $dir/crl # Where the issued crl are kept
|
crl_dir = $dir/crl # Where the issued crl are kept
|
||||||
database = $dir/index.txt # database index file.
|
database = $dir/index.txt # database index file.
|
||||||
@ -18,7 +18,7 @@ diff -up openssl-0.9.8j/apps/CA.sh.ca-dir openssl-0.9.8j/apps/CA.sh
|
|||||||
X509="$OPENSSL x509"
|
X509="$OPENSSL x509"
|
||||||
|
|
||||||
-CATOP=./demoCA
|
-CATOP=./demoCA
|
||||||
+CATOP=../../CA
|
+CATOP=/etc/pki/CA
|
||||||
CAKEY=./cakey.pem
|
CAKEY=./cakey.pem
|
||||||
CAREQ=./careq.pem
|
CAREQ=./careq.pem
|
||||||
CACERT=./cacert.pem
|
CACERT=./cacert.pem
|
||||||
@ -30,7 +30,7 @@ diff -up openssl-0.9.8j/apps/CA.pl.in.ca-dir openssl-0.9.8j/apps/CA.pl.in
|
|||||||
$PKCS12="$openssl pkcs12";
|
$PKCS12="$openssl pkcs12";
|
||||||
|
|
||||||
-$CATOP="./demoCA";
|
-$CATOP="./demoCA";
|
||||||
+$CATOP="../../CA";
|
+$CATOP="/etc/pki/CA";
|
||||||
$CAKEY="cakey.pem";
|
$CAKEY="cakey.pem";
|
||||||
$CAREQ="careq.pem";
|
$CAREQ="careq.pem";
|
||||||
$CACERT="cacert.pem";
|
$CACERT="cacert.pem";
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
diff -up openssl-0.9.8j/crypto/rand/rand_lcl.h.rng-seed openssl-0.9.8j/crypto/rand/rand_lcl.h
|
diff -up openssl-0.9.8k/crypto/rand/rand_lcl.h.rng-seed openssl-0.9.8k/crypto/rand/rand_lcl.h
|
||||||
--- openssl-0.9.8j/crypto/rand/rand_lcl.h.rng-seed 2009-02-02 13:40:37.000000000 +0100
|
--- openssl-0.9.8k/crypto/rand/rand_lcl.h.rng-seed 2009-04-21 11:43:58.000000000 +0200
|
||||||
+++ openssl-0.9.8j/crypto/rand/rand_lcl.h 2009-02-02 13:50:42.000000000 +0100
|
+++ openssl-0.9.8k/crypto/rand/rand_lcl.h 2009-04-21 11:44:01.000000000 +0200
|
||||||
@@ -112,7 +112,7 @@
|
@@ -112,7 +112,7 @@
|
||||||
#ifndef HEADER_RAND_LCL_H
|
#ifndef HEADER_RAND_LCL_H
|
||||||
#define HEADER_RAND_LCL_H
|
#define HEADER_RAND_LCL_H
|
||||||
@ -10,32 +10,9 @@ diff -up openssl-0.9.8j/crypto/rand/rand_lcl.h.rng-seed openssl-0.9.8j/crypto/ra
|
|||||||
|
|
||||||
|
|
||||||
#if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
|
#if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
|
||||||
diff -up openssl-0.9.8j/fips/rand/fips_rand.c.rng-seed openssl-0.9.8j/fips/rand/fips_rand.c
|
diff -up openssl-0.9.8k/fips/fips.c.rng-seed openssl-0.9.8k/fips/fips.c
|
||||||
--- openssl-0.9.8j/fips/rand/fips_rand.c.rng-seed 2008-09-16 12:12:18.000000000 +0200
|
--- openssl-0.9.8k/fips/fips.c.rng-seed 2009-04-21 11:44:01.000000000 +0200
|
||||||
+++ openssl-0.9.8j/fips/rand/fips_rand.c 2009-02-02 14:06:58.000000000 +0100
|
+++ openssl-0.9.8k/fips/fips.c 2009-04-21 11:44:02.000000000 +0200
|
||||||
@@ -155,7 +155,18 @@ static int fips_set_prng_seed(FIPS_PRNG_
|
|
||||||
{
|
|
||||||
int i;
|
|
||||||
if (!ctx->keyed)
|
|
||||||
- return 0;
|
|
||||||
+ {
|
|
||||||
+ FIPS_RAND_SIZE_T keylen = 16;
|
|
||||||
+
|
|
||||||
+ if (seedlen - keylen < AES_BLOCK_LENGTH)
|
|
||||||
+ return 0;
|
|
||||||
+ if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
|
|
||||||
+ keylen += 8;
|
|
||||||
+ if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
|
|
||||||
+ keylen += 8;
|
|
||||||
+ seedlen -= keylen;
|
|
||||||
+ fips_set_prng_key(ctx, seed+seedlen, keylen);
|
|
||||||
+ }
|
|
||||||
/* In test mode seed is just supplied data */
|
|
||||||
if (ctx->test_mode)
|
|
||||||
{
|
|
||||||
diff -up openssl-0.9.8j/fips/fips.c.rng-seed openssl-0.9.8j/fips/fips.c
|
|
||||||
--- openssl-0.9.8j/fips/fips.c.rng-seed 2009-02-02 13:40:38.000000000 +0100
|
|
||||||
+++ openssl-0.9.8j/fips/fips.c 2009-02-02 13:49:32.000000000 +0100
|
|
||||||
@@ -509,22 +509,22 @@ int FIPS_mode_set(int onoff)
|
@@ -509,22 +509,22 @@ int FIPS_mode_set(int onoff)
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
@ -65,3 +42,34 @@ diff -up openssl-0.9.8j/fips/fips.c.rng-seed openssl-0.9.8j/fips/fips.c
|
|||||||
if(FIPS_selftest())
|
if(FIPS_selftest())
|
||||||
fips_set_mode(1);
|
fips_set_mode(1);
|
||||||
else
|
else
|
||||||
|
diff -up openssl-0.9.8k/fips/rand/fips_rand.c.rng-seed openssl-0.9.8k/fips/rand/fips_rand.c
|
||||||
|
--- openssl-0.9.8k/fips/rand/fips_rand.c.rng-seed 2008-09-16 12:12:18.000000000 +0200
|
||||||
|
+++ openssl-0.9.8k/fips/rand/fips_rand.c 2009-06-30 12:00:53.000000000 +0200
|
||||||
|
@@ -155,7 +155,18 @@ static int fips_set_prng_seed(FIPS_PRNG_
|
||||||
|
{
|
||||||
|
int i;
|
||||||
|
if (!ctx->keyed)
|
||||||
|
- return 0;
|
||||||
|
+ {
|
||||||
|
+ FIPS_RAND_SIZE_T keylen = 16;
|
||||||
|
+
|
||||||
|
+ if (seedlen - keylen < AES_BLOCK_LENGTH)
|
||||||
|
+ return 0;
|
||||||
|
+ if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
|
||||||
|
+ keylen += 8;
|
||||||
|
+ if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
|
||||||
|
+ keylen += 8;
|
||||||
|
+ seedlen -= keylen;
|
||||||
|
+ fips_set_prng_key(ctx, seed+seedlen, keylen);
|
||||||
|
+ }
|
||||||
|
/* In test mode seed is just supplied data */
|
||||||
|
if (ctx->test_mode)
|
||||||
|
{
|
||||||
|
@@ -276,6 +287,7 @@ static int fips_rand(FIPS_PRNG_CTX *ctx,
|
||||||
|
unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH];
|
||||||
|
unsigned char tmp[AES_BLOCK_LENGTH];
|
||||||
|
int i;
|
||||||
|
+ FIPS_selftest_check();
|
||||||
|
if (ctx->error)
|
||||||
|
{
|
||||||
|
RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR);
|
18
openssl.spec
18
openssl.spec
@ -23,7 +23,7 @@
|
|||||||
Summary: A general purpose cryptography library with TLS implementation
|
Summary: A general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 0.9.8k
|
Version: 0.9.8k
|
||||||
Release: 5%{?dist}
|
Release: 6%{?dist}
|
||||||
# We remove certain patented algorithms from the openssl source tarball
|
# We remove certain patented algorithms from the openssl source tarball
|
||||||
# with the hobble-openssl script which is included below.
|
# with the hobble-openssl script which is included below.
|
||||||
Source: openssl-%{version}-usa.tar.bz2
|
Source: openssl-%{version}-usa.tar.bz2
|
||||||
@ -33,6 +33,7 @@ Source6: make-dummy-cert
|
|||||||
Source8: openssl-thread-test.c
|
Source8: openssl-thread-test.c
|
||||||
Source9: opensslconf-new.h
|
Source9: opensslconf-new.h
|
||||||
Source10: opensslconf-new-warning.h
|
Source10: opensslconf-new-warning.h
|
||||||
|
Source11: README.FIPS
|
||||||
# Build changes
|
# Build changes
|
||||||
Patch0: openssl-0.9.8j-redhat.patch
|
Patch0: openssl-0.9.8j-redhat.patch
|
||||||
Patch1: openssl-0.9.8a-defaults.patch
|
Patch1: openssl-0.9.8a-defaults.patch
|
||||||
@ -63,10 +64,11 @@ Patch46: openssl-0.9.8j-eap-fast.patch
|
|||||||
Patch47: openssl-0.9.8j-readme-warning.patch
|
Patch47: openssl-0.9.8j-readme-warning.patch
|
||||||
Patch48: openssl-0.9.8j-bad-mime.patch
|
Patch48: openssl-0.9.8j-bad-mime.patch
|
||||||
Patch49: openssl-0.9.8j-fips-no-pairwise.patch
|
Patch49: openssl-0.9.8j-fips-no-pairwise.patch
|
||||||
Patch50: openssl-0.9.8j-fips-rng-seed.patch
|
Patch50: openssl-0.9.8k-fips-rng-seed.patch
|
||||||
Patch51: openssl-0.9.8k-multi-crl.patch
|
Patch51: openssl-0.9.8k-multi-crl.patch
|
||||||
Patch52: openssl-0.9.8k-dtls-compat.patch
|
Patch52: openssl-0.9.8k-dtls-compat.patch
|
||||||
Patch53: openssl-0.9.8k-dtls-dos.patch
|
Patch53: openssl-0.9.8k-dtls-dos.patch
|
||||||
|
Patch54: openssl-0.9.8k-algo-doc.patch
|
||||||
# Backported fixes including security fixes
|
# Backported fixes including security fixes
|
||||||
|
|
||||||
License: OpenSSL
|
License: OpenSSL
|
||||||
@ -154,6 +156,7 @@ from other formats to the formats used by the OpenSSL toolkit.
|
|||||||
%patch51 -p1 -b .multi-crl
|
%patch51 -p1 -b .multi-crl
|
||||||
%patch52 -p1 -b .dtls-compat
|
%patch52 -p1 -b .dtls-compat
|
||||||
%patch53 -p1 -b .dtls-dos
|
%patch53 -p1 -b .dtls-dos
|
||||||
|
%patch54 -p1 -b .algo-doc
|
||||||
|
|
||||||
# Modify the various perl scripts to reference perl in the right location.
|
# Modify the various perl scripts to reference perl in the right location.
|
||||||
perl util/perlpath.pl `dirname %{__perl}`
|
perl util/perlpath.pl `dirname %{__perl}`
|
||||||
@ -212,6 +215,9 @@ make all
|
|||||||
# Generate hashes for the included certs.
|
# Generate hashes for the included certs.
|
||||||
make rehash
|
make rehash
|
||||||
|
|
||||||
|
# Overwrite FIPS README
|
||||||
|
cp -f %{SOURCE11} .
|
||||||
|
|
||||||
%check
|
%check
|
||||||
# Verify that what was compiled actually works.
|
# Verify that what was compiled actually works.
|
||||||
|
|
||||||
@ -364,6 +370,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||||||
%doc doc/c-indentation.el doc/openssl.txt
|
%doc doc/c-indentation.el doc/openssl.txt
|
||||||
%doc doc/openssl_button.html doc/openssl_button.gif
|
%doc doc/openssl_button.html doc/openssl_button.gif
|
||||||
%doc doc/ssleay.txt
|
%doc doc/ssleay.txt
|
||||||
|
%doc README.FIPS
|
||||||
%dir %{_sysconfdir}/pki/tls
|
%dir %{_sysconfdir}/pki/tls
|
||||||
%dir %{_sysconfdir}/pki/tls/certs
|
%dir %{_sysconfdir}/pki/tls/certs
|
||||||
%{_sysconfdir}/pki/tls/certs/make-dummy-cert
|
%{_sysconfdir}/pki/tls/certs/make-dummy-cert
|
||||||
@ -412,6 +419,13 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||||||
%postun -p /sbin/ldconfig
|
%postun -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jun 30 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8k-6
|
||||||
|
- abort if selftests failed and random number generator is polled
|
||||||
|
- mention EVP_aes and EVP_sha2xx routines in the manpages
|
||||||
|
- add README.FIPS
|
||||||
|
- make CA dir absolute path (#445344)
|
||||||
|
- change default length for RSA key generation to 2048 (#484101)
|
||||||
|
|
||||||
* Thu May 21 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8k-5
|
* Thu May 21 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8k-5
|
||||||
- fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379
|
- fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379
|
||||||
(DTLS DoS problems) (#501253, #501254, #501572)
|
(DTLS DoS problems) (#501253, #501254, #501572)
|
||||||
|
Loading…
Reference in New Issue
Block a user