forked from rpms/openssl
		
	- abort if selftests failed and random number generator is polled
- mention EVP_aes and EVP_sha2xx routines in the manpages - add README.FIPS - make CA dir absolute path (#445344) - change default length for RSA key generation to 2048 (#484101)
This commit is contained in:
		
							parent
							
								
									387d98c6e7
								
							
						
					
					
						commit
						44abf9d002
					
				| @ -38,7 +38,7 @@ usage: | ||||
| 	umask 77 ; \
 | ||||
| 	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
 | ||||
| 	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
 | ||||
| 	/usr/bin/openssl req $(UTF8) -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
 | ||||
| 	/usr/bin/openssl req $(UTF8) -newkey rsa:2048 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
 | ||||
| 	cat $$PEM1 >  $@ ; \
 | ||||
| 	echo ""    >> $@ ; \
 | ||||
| 	cat $$PEM2 >> $@ ; \
 | ||||
| @ -46,7 +46,7 @@ usage: | ||||
| 
 | ||||
| %.key: | ||||
| 	umask 77 ; \
 | ||||
| 	/usr/bin/openssl genrsa -des3 1024 > $@ | ||||
| 	/usr/bin/openssl genrsa -aes128 2048 > $@ | ||||
| 
 | ||||
| %.csr: %.key | ||||
| 	umask 77 ; \
 | ||||
|  | ||||
| @ -20,7 +20,7 @@ for target in $@ ; do | ||||
| 	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` | ||||
| 	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` | ||||
| 	trap "rm -f $PEM1 $PEM2" SIGINT | ||||
| 	answers | /usr/bin/openssl req -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null | ||||
| 	answers | /usr/bin/openssl req -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null | ||||
| 	cat $PEM1 >  ${target} | ||||
| 	echo ""   >> ${target} | ||||
| 	cat $PEM2 >> ${target} | ||||
|  | ||||
| @ -1,9 +1,10 @@ | ||||
| --- openssl-0.9.8a/apps/openssl.cnf.defaults	2005-09-16 14:20:24.000000000 +0200
 | ||||
| +++ openssl-0.9.8a/apps/openssl.cnf	2005-11-04 11:00:37.000000000 +0100
 | ||||
| @@ -99,6 +99,7 @@
 | ||||
| @@ -99,7 +99,8 @@
 | ||||
|  #################################################################### | ||||
|  [ req ] | ||||
|  default_bits		= 1024 | ||||
| -default_bits		= 1024
 | ||||
| +default_bits		= 2048
 | ||||
| +default_md		= sha1
 | ||||
|  default_keyfile 	= privkey.pem | ||||
|  distinguished_name	= req_distinguished_name | ||||
|  | ||||
| @ -6,7 +6,7 @@ diff -up openssl-0.9.8j/apps/openssl.cnf.ca-dir openssl-0.9.8j/apps/openssl.cnf | ||||
|  [ CA_default ] | ||||
|   | ||||
| -dir		= ./demoCA		# Where everything is kept
 | ||||
| +dir		= ../../CA		# Where everything is kept
 | ||||
| +dir		= /etc/pki/CA		# Where everything is kept
 | ||||
|  certs		= $dir/certs		# Where the issued certs are kept | ||||
|  crl_dir		= $dir/crl		# Where the issued crl are kept | ||||
|  database	= $dir/index.txt	# database index file. | ||||
| @ -18,7 +18,7 @@ diff -up openssl-0.9.8j/apps/CA.sh.ca-dir openssl-0.9.8j/apps/CA.sh | ||||
|  X509="$OPENSSL x509" | ||||
|   | ||||
| -CATOP=./demoCA
 | ||||
| +CATOP=../../CA
 | ||||
| +CATOP=/etc/pki/CA
 | ||||
|  CAKEY=./cakey.pem | ||||
|  CAREQ=./careq.pem | ||||
|  CACERT=./cacert.pem | ||||
| @ -30,7 +30,7 @@ diff -up openssl-0.9.8j/apps/CA.pl.in.ca-dir openssl-0.9.8j/apps/CA.pl.in | ||||
|  $PKCS12="$openssl pkcs12"; | ||||
|   | ||||
| -$CATOP="./demoCA";
 | ||||
| +$CATOP="../../CA";
 | ||||
| +$CATOP="/etc/pki/CA";
 | ||||
|  $CAKEY="cakey.pem"; | ||||
|  $CAREQ="careq.pem"; | ||||
|  $CACERT="cacert.pem"; | ||||
|  | ||||
| @ -1,6 +1,6 @@ | ||||
| diff -up openssl-0.9.8j/crypto/rand/rand_lcl.h.rng-seed openssl-0.9.8j/crypto/rand/rand_lcl.h
 | ||||
| --- openssl-0.9.8j/crypto/rand/rand_lcl.h.rng-seed	2009-02-02 13:40:37.000000000 +0100
 | ||||
| +++ openssl-0.9.8j/crypto/rand/rand_lcl.h	2009-02-02 13:50:42.000000000 +0100
 | ||||
| diff -up openssl-0.9.8k/crypto/rand/rand_lcl.h.rng-seed openssl-0.9.8k/crypto/rand/rand_lcl.h
 | ||||
| --- openssl-0.9.8k/crypto/rand/rand_lcl.h.rng-seed	2009-04-21 11:43:58.000000000 +0200
 | ||||
| +++ openssl-0.9.8k/crypto/rand/rand_lcl.h	2009-04-21 11:44:01.000000000 +0200
 | ||||
| @@ -112,7 +112,7 @@
 | ||||
|  #ifndef HEADER_RAND_LCL_H | ||||
|  #define HEADER_RAND_LCL_H | ||||
| @ -10,32 +10,9 @@ diff -up openssl-0.9.8j/crypto/rand/rand_lcl.h.rng-seed openssl-0.9.8j/crypto/ra | ||||
|   | ||||
|   | ||||
|  #if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND) | ||||
| diff -up openssl-0.9.8j/fips/rand/fips_rand.c.rng-seed openssl-0.9.8j/fips/rand/fips_rand.c
 | ||||
| --- openssl-0.9.8j/fips/rand/fips_rand.c.rng-seed	2008-09-16 12:12:18.000000000 +0200
 | ||||
| +++ openssl-0.9.8j/fips/rand/fips_rand.c	2009-02-02 14:06:58.000000000 +0100
 | ||||
| @@ -155,7 +155,18 @@ static int fips_set_prng_seed(FIPS_PRNG_
 | ||||
|  	{ | ||||
|  	int i; | ||||
|  	if (!ctx->keyed) | ||||
| -		return 0;
 | ||||
| +		{
 | ||||
| +		FIPS_RAND_SIZE_T keylen = 16;
 | ||||
| +
 | ||||
| +		if (seedlen - keylen < AES_BLOCK_LENGTH)
 | ||||
| +			return 0;
 | ||||
| +		if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
 | ||||
| +			keylen += 8;
 | ||||
| +		if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
 | ||||
| +			keylen += 8;
 | ||||
| +		seedlen -= keylen;
 | ||||
| +		fips_set_prng_key(ctx, seed+seedlen, keylen);
 | ||||
| +		}
 | ||||
|  	/* In test mode seed is just supplied data */ | ||||
|  	if (ctx->test_mode) | ||||
|  		{ | ||||
| diff -up openssl-0.9.8j/fips/fips.c.rng-seed openssl-0.9.8j/fips/fips.c
 | ||||
| --- openssl-0.9.8j/fips/fips.c.rng-seed	2009-02-02 13:40:38.000000000 +0100
 | ||||
| +++ openssl-0.9.8j/fips/fips.c	2009-02-02 13:49:32.000000000 +0100
 | ||||
| diff -up openssl-0.9.8k/fips/fips.c.rng-seed openssl-0.9.8k/fips/fips.c
 | ||||
| --- openssl-0.9.8k/fips/fips.c.rng-seed	2009-04-21 11:44:01.000000000 +0200
 | ||||
| +++ openssl-0.9.8k/fips/fips.c	2009-04-21 11:44:02.000000000 +0200
 | ||||
| @@ -509,22 +509,22 @@ int FIPS_mode_set(int onoff)
 | ||||
|  	    goto end; | ||||
|  	    } | ||||
| @ -65,3 +42,34 @@ diff -up openssl-0.9.8j/fips/fips.c.rng-seed openssl-0.9.8j/fips/fips.c | ||||
|  	if(FIPS_selftest()) | ||||
|  	    fips_set_mode(1); | ||||
|  	else | ||||
| diff -up openssl-0.9.8k/fips/rand/fips_rand.c.rng-seed openssl-0.9.8k/fips/rand/fips_rand.c
 | ||||
| --- openssl-0.9.8k/fips/rand/fips_rand.c.rng-seed	2008-09-16 12:12:18.000000000 +0200
 | ||||
| +++ openssl-0.9.8k/fips/rand/fips_rand.c	2009-06-30 12:00:53.000000000 +0200
 | ||||
| @@ -155,7 +155,18 @@ static int fips_set_prng_seed(FIPS_PRNG_
 | ||||
|  	{ | ||||
|  	int i; | ||||
|  	if (!ctx->keyed) | ||||
| -		return 0;
 | ||||
| +		{
 | ||||
| +		FIPS_RAND_SIZE_T keylen = 16;
 | ||||
| +
 | ||||
| +		if (seedlen - keylen < AES_BLOCK_LENGTH)
 | ||||
| +			return 0;
 | ||||
| +		if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
 | ||||
| +			keylen += 8;
 | ||||
| +		if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
 | ||||
| +			keylen += 8;
 | ||||
| +		seedlen -= keylen;
 | ||||
| +		fips_set_prng_key(ctx, seed+seedlen, keylen);
 | ||||
| +		}
 | ||||
|  	/* In test mode seed is just supplied data */ | ||||
|  	if (ctx->test_mode) | ||||
|  		{ | ||||
| @@ -276,6 +287,7 @@ static int fips_rand(FIPS_PRNG_CTX *ctx,
 | ||||
|  	unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH]; | ||||
|  	unsigned char tmp[AES_BLOCK_LENGTH]; | ||||
|  	int i; | ||||
| +	FIPS_selftest_check();
 | ||||
|  	if (ctx->error) | ||||
|  		{ | ||||
|  		RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR); | ||||
							
								
								
									
										18
									
								
								openssl.spec
									
									
									
									
									
								
							
							
						
						
									
										18
									
								
								openssl.spec
									
									
									
									
									
								
							| @ -23,7 +23,7 @@ | ||||
| Summary: A general purpose cryptography library with TLS implementation | ||||
| Name: openssl | ||||
| Version: 0.9.8k | ||||
| Release: 5%{?dist} | ||||
| Release: 6%{?dist} | ||||
| # We remove certain patented algorithms from the openssl source tarball | ||||
| # with the hobble-openssl script which is included below. | ||||
| Source: openssl-%{version}-usa.tar.bz2 | ||||
| @ -33,6 +33,7 @@ Source6: make-dummy-cert | ||||
| Source8: openssl-thread-test.c | ||||
| Source9: opensslconf-new.h | ||||
| Source10: opensslconf-new-warning.h | ||||
| Source11: README.FIPS | ||||
| # Build changes | ||||
| Patch0: openssl-0.9.8j-redhat.patch | ||||
| Patch1: openssl-0.9.8a-defaults.patch | ||||
| @ -63,10 +64,11 @@ Patch46: openssl-0.9.8j-eap-fast.patch | ||||
| Patch47: openssl-0.9.8j-readme-warning.patch | ||||
| Patch48: openssl-0.9.8j-bad-mime.patch | ||||
| Patch49: openssl-0.9.8j-fips-no-pairwise.patch | ||||
| Patch50: openssl-0.9.8j-fips-rng-seed.patch | ||||
| Patch50: openssl-0.9.8k-fips-rng-seed.patch | ||||
| Patch51: openssl-0.9.8k-multi-crl.patch | ||||
| Patch52: openssl-0.9.8k-dtls-compat.patch | ||||
| Patch53: openssl-0.9.8k-dtls-dos.patch | ||||
| Patch54: openssl-0.9.8k-algo-doc.patch | ||||
| # Backported fixes including security fixes | ||||
| 
 | ||||
| License: OpenSSL | ||||
| @ -154,6 +156,7 @@ from other formats to the formats used by the OpenSSL toolkit. | ||||
| %patch51 -p1 -b .multi-crl | ||||
| %patch52 -p1 -b .dtls-compat | ||||
| %patch53 -p1 -b .dtls-dos | ||||
| %patch54 -p1 -b .algo-doc | ||||
| 
 | ||||
| # Modify the various perl scripts to reference perl in the right location. | ||||
| perl util/perlpath.pl `dirname %{__perl}` | ||||
| @ -212,6 +215,9 @@ make all | ||||
| # Generate hashes for the included certs. | ||||
| make rehash | ||||
| 
 | ||||
| # Overwrite FIPS README | ||||
| cp -f %{SOURCE11} . | ||||
| 
 | ||||
| %check | ||||
| # Verify that what was compiled actually works. | ||||
| 
 | ||||
| @ -364,6 +370,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* | ||||
| %doc doc/c-indentation.el doc/openssl.txt | ||||
| %doc doc/openssl_button.html doc/openssl_button.gif | ||||
| %doc doc/ssleay.txt | ||||
| %doc README.FIPS | ||||
| %dir %{_sysconfdir}/pki/tls | ||||
| %dir %{_sysconfdir}/pki/tls/certs | ||||
| %{_sysconfdir}/pki/tls/certs/make-dummy-cert | ||||
| @ -412,6 +419,13 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* | ||||
| %postun -p /sbin/ldconfig | ||||
| 
 | ||||
| %changelog | ||||
| * Tue Jun 30 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8k-6 | ||||
| - abort if selftests failed and random number generator is polled | ||||
| - mention EVP_aes and EVP_sha2xx routines in the manpages | ||||
| - add README.FIPS | ||||
| - make CA dir absolute path (#445344) | ||||
| - change default length for RSA key generation to 2048 (#484101) | ||||
| 
 | ||||
| * Thu May 21 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8k-5 | ||||
| - fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 | ||||
|   (DTLS DoS problems) (#501253, #501254, #501572) | ||||
|  | ||||
		Loading…
	
		Reference in New Issue
	
	Block a user