
minor upstream release 1.0.2i fixing security issues

- move man pages for perl based scripts to perl subpackage ()
Tomas Mraz 2016-09-22 14:16:05 +02:00
parent 9fc25c1d28
commit 6e67274c62
12 changed files with 525 additions and 582 deletions

.gitignore vendored

@ -29,3 +29,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-1.0.2f-hobbled.tar.xz /openssl-1.0.2f-hobbled.tar.xz
/openssl-1.0.2g-hobbled.tar.xz /openssl-1.0.2g-hobbled.tar.xz
/openssl-1.0.2h-hobbled.tar.xz /openssl-1.0.2h-hobbled.tar.xz
/openssl-1.0.2i-hobbled.tar.xz


@ -1,24 +0,0 @@
diff -up openssl-1.0.2a/engines/e_chil.c.chil openssl-1.0.2a/engines/e_chil.c
--- openssl-1.0.2a/engines/e_chil.c.chil 2015-03-19 14:19:00.000000000 +0100
+++ openssl-1.0.2a/engines/e_chil.c 2015-04-21 17:06:25.480293443 +0200
@@ -1247,6 +1247,11 @@ static int hwcrhk_insert_card(const char
UI *ui;
void *callback_data = NULL;
UI_METHOD *ui_method = NULL;
+ /* Despite what the documentation says prompt_info can be
+ * an empty string.
+ */
+ if (prompt_info && !*prompt_info)
+ prompt_info = NULL;
if (cactx) {
if (cactx->ui_method)
@@ -1268,7 +1273,7 @@ static int hwcrhk_insert_card(const char
ui = UI_new_method(ui_method);
if (ui) {
- char answer;
+ char answer = '\0';
char buf[BUFSIZ];
/*
* Despite what the documentation says wrong_info can be an empty


@ -1,61 +0,0 @@
diff -up openssl-1.0.2a/crypto/evp/bio_enc.c.enc-fail openssl-1.0.2a/crypto/evp/bio_enc.c
--- openssl-1.0.2a/crypto/evp/bio_enc.c.enc-fail 2015-03-19 14:19:00.000000000 +0100
+++ openssl-1.0.2a/crypto/evp/bio_enc.c 2015-04-22 18:10:06.491819948 +0200
@@ -201,10 +201,14 @@ static int enc_read(BIO *b, char *out, i
break;
}
} else {
- EVP_CipherUpdate(&(ctx->cipher),
- (unsigned char *)ctx->buf, &ctx->buf_len,
- (unsigned char *)&(ctx->buf[BUF_OFFSET]), i);
- ctx->cont = 1;
+ if (!EVP_CipherUpdate(&(ctx->cipher),
+ (unsigned char *)ctx->buf, &ctx->buf_len,
+ (unsigned char *)&(ctx->buf[BUF_OFFSET]),
+ i)) {
+ ctx->ok = 0;
+ ctx->cont = 0;
+ } else
+ ctx->cont = 1;
/*
* Note: it is possible for EVP_CipherUpdate to decrypt zero
* bytes because this is or looks like the final block: if this
@@ -260,9 +264,13 @@ static int enc_write(BIO *b, const char
ctx->buf_off = 0;
while (inl > 0) {
n = (inl > ENC_BLOCK_SIZE) ? ENC_BLOCK_SIZE : inl;
- EVP_CipherUpdate(&(ctx->cipher),
- (unsigned char *)ctx->buf, &ctx->buf_len,
- (unsigned char *)in, n);
+ if (!EVP_CipherUpdate(&(ctx->cipher),
+ (unsigned char *)ctx->buf, &ctx->buf_len,
+ (unsigned char *)in, n)) {
+ BIO_copy_next_retry(b);
+ ctx->ok = 0;
+ return ret - inl;
+ }
inl -= n;
in += n;
@@ -298,8 +306,9 @@ static long enc_ctrl(BIO *b, int cmd, lo
case BIO_CTRL_RESET:
ctx->ok = 1;
ctx->finished = 0;
- EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL,
- ctx->cipher.encrypt);
+ if (!EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL,
+ ctx->cipher.encrypt))
+ ctx->ok = 0;
ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
break;
case BIO_CTRL_EOF: /* More to read */
@@ -421,7 +430,8 @@ void BIO_set_cipher(BIO *b, const EVP_CI
b->init = 1;
ctx = (BIO_ENC_CTX *)b->ptr;
- EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e);
+ if (!EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e))
+ ctx->ok = 0;
if (b->callback != NULL)
b->callback(b, BIO_CB_CTRL, (const char *)c, BIO_CTRL_SET, e, 1L);


@ -1,12 +0,0 @@
diff -up openssl-1.0.2h/ssl/ssl_lib.c.dtls-bad-ver openssl-1.0.2h/ssl/ssl_lib.c
--- openssl-1.0.2h/ssl/ssl_lib.c.dtls-bad-ver 2016-05-03 18:06:45.000000000 +0200
+++ openssl-1.0.2h/ssl/ssl_lib.c 2016-08-10 13:47:33.995530954 +0200
@@ -1828,7 +1828,7 @@ int SSL_export_keying_material(SSL *s, u
const unsigned char *p, size_t plen,
int use_context)
{
- if (s->version < TLS1_VERSION)
+ if (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER)
return -1;
return s->method->ssl3_enc->export_keying_material(s, out, olen, label,


@ -0,0 +1,15 @@
diff -up openssl-1.0.2i/engines/e_chil.c.chil openssl-1.0.2i/engines/e_chil.c
--- openssl-1.0.2i/engines/e_chil.c.chil 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/engines/e_chil.c 2016-09-22 13:49:32.532017102 +0200
@@ -1274,6 +1274,11 @@ static int hwcrhk_insert_card(const char
UI *ui;
void *callback_data = NULL;
UI_METHOD *ui_method = NULL;
+ /* Despite what the documentation says prompt_info can be
+ * an empty string.
+ */
+ if (prompt_info && !*prompt_info)
+ prompt_info = NULL;
if (cactx) {
if (cactx->ui_method)
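Review bot: The rebased e_chil.c patch carries only the empty-`prompt_info` guard, while the 1.0.2a version of this patch deleted in the same commit also changed `char answer;` to `char answer = '\0';` further down in hwcrhk_insert_card. If 1.0.2i does not already initialise `answer` upstream, any path that reads it before the UI call fills it in would use an indeterminate value, so the drop should be confirmed against the 1.0.2i source. The function body continues outside the hunk, so this cannot be checked from the lines shown here.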


@ -0,0 +1,25 @@
diff -up openssl-1.0.2i/crypto/evp/bio_enc.c.enc-fail openssl-1.0.2i/crypto/evp/bio_enc.c
--- openssl-1.0.2i/crypto/evp/bio_enc.c.enc-fail 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/evp/bio_enc.c 2016-09-22 13:58:24.592381002 +0200
@@ -307,8 +307,9 @@ static long enc_ctrl(BIO *b, int cmd, lo
case BIO_CTRL_RESET:
ctx->ok = 1;
ctx->finished = 0;
- EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL,
- ctx->cipher.encrypt);
+ if (!EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL,
+ ctx->cipher.encrypt))
+ ctx->ok = 0;
ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
break;
case BIO_CTRL_EOF: /* More to read */
@@ -430,7 +431,8 @@ void BIO_set_cipher(BIO *b, const EVP_CI
b->init = 1;
ctx = (BIO_ENC_CTX *)b->ptr;
- EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e);
+ if (!EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e))
+ ctx->ok = 0;
if (b->callback != NULL)
b->callback(b, BIO_CB_CTRL, (const char *)c, BIO_CTRL_SET, e, 1L);
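Review bot: In the BIO_CTRL_RESET case a failed EVP_CipherInit_ex only clears `ctx->ok`; the next line still assigns `ret = BIO_ctrl(b->next_bio, cmd, num, ptr);`, so the caller of the reset gets the downstream BIO's result and never sees the cipher failure. Keeping the downstream reset but adding `if (!ctx->ok) ret = 0;` after that call would surface it, or at minimum a comment such as `/* init failure is reported via ctx->ok only */` should say where the error goes. The BIO_set_cipher hunk has the same shape: the function returns void and `b->init = 1` is already set before the call, and whether enc_read/enc_write consult `ctx->ok` is not visible in these hunks. The rebased patch also drops the EVP_CipherUpdate checks in enc_read and enc_write that the deleted 1.0.2a version carried, presumably because 1.0.2i has them upstream, which is worth confirming.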

File diff suppressed because it is too large Load Diff


@ -1,24 +1,23 @@
diff -up openssl-1.0.2f/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.2f/crypto/bn/bn_rand.c diff -up openssl-1.0.2i/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.2i/crypto/bn/bn_rand.c
--- openssl-1.0.2f/crypto/bn/bn_rand.c.fips-reqs 2016-01-28 14:38:30.000000000 +0100 --- openssl-1.0.2i/crypto/bn/bn_rand.c.fips-reqs 2016-09-22 13:54:26.533848449 +0200
+++ openssl-1.0.2f/crypto/bn/bn_rand.c 2016-01-28 16:36:22.811387420 +0100 +++ openssl-1.0.2i/crypto/bn/bn_rand.c 2016-09-22 13:56:52.169233060 +0200
@@ -141,9 +141,11 @@ static int bnrand(int pseudorand, BIGNUM @@ -141,8 +141,11 @@ static int bnrand(int pseudorand, BIGNUM
goto err;
} }
- /* make a random number and set the top and bottom bits */ /* make a random number and set the top and bottom bits */
- time(&tim); - time(&tim);
- RAND_add(&tim, sizeof(tim), 0.0); - RAND_add(&tim, sizeof(tim), 0.0);
+ if (!FIPS_mode()) { /* in FIPS mode the RNG is always properly seeded or the module fails */ + if (!FIPS_mode()) {
+ /* make a random number and set the top and bottom bits */ + /* in FIPS mode the RNG is always properly seeded or the module fails */
+ time(&tim); + time(&tim);
+ RAND_add(&tim, sizeof(tim), 0.0); + RAND_add(&tim, sizeof(tim), 0.0);
+ } + }
if (pseudorand) { /* We ignore the value of pseudorand and always call RAND_bytes */
if (RAND_pseudo_bytes(buf, bytes) == -1) if (RAND_bytes(buf, bytes) <= 0)
diff -up openssl-1.0.2f/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2f/crypto/dh/dh_gen.c diff -up openssl-1.0.2i/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2i/crypto/dh/dh_gen.c
--- openssl-1.0.2f/crypto/dh/dh_gen.c.fips-reqs 2016-01-28 16:36:22.767386408 +0100 --- openssl-1.0.2i/crypto/dh/dh_gen.c.fips-reqs 2016-09-22 13:54:26.489847426 +0200
+++ openssl-1.0.2f/crypto/dh/dh_gen.c 2016-01-28 16:36:22.811387420 +0100 +++ openssl-1.0.2i/crypto/dh/dh_gen.c 2016-09-22 13:54:26.533848449 +0200
@@ -128,7 +128,7 @@ static int dh_builtin_genparams(DH *ret, @@ -128,7 +128,7 @@ static int dh_builtin_genparams(DH *ret,
return 0; return 0;
} }
@ -28,9 +27,9 @@ diff -up openssl-1.0.2f/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2f/crypto/dh/dh
DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL); DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
goto err; goto err;
} }
diff -up openssl-1.0.2f/crypto/dh/dh.h.fips-reqs openssl-1.0.2f/crypto/dh/dh.h diff -up openssl-1.0.2i/crypto/dh/dh.h.fips-reqs openssl-1.0.2i/crypto/dh/dh.h
--- openssl-1.0.2f/crypto/dh/dh.h.fips-reqs 2016-01-28 16:36:22.767386408 +0100 --- openssl-1.0.2i/crypto/dh/dh.h.fips-reqs 2016-09-22 13:54:26.489847426 +0200
+++ openssl-1.0.2f/crypto/dh/dh.h 2016-01-28 16:36:22.812387443 +0100 +++ openssl-1.0.2i/crypto/dh/dh.h 2016-09-22 13:54:26.534848472 +0200
@@ -78,6 +78,7 @@ @@ -78,6 +78,7 @@
# endif # endif
@ -39,9 +38,9 @@ diff -up openssl-1.0.2f/crypto/dh/dh.h.fips-reqs openssl-1.0.2f/crypto/dh/dh.h
# define DH_FLAG_CACHE_MONT_P 0x01 # define DH_FLAG_CACHE_MONT_P 0x01
diff -up openssl-1.0.2f/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2f/crypto/dsa/dsa_gen.c diff -up openssl-1.0.2i/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2i/crypto/dsa/dsa_gen.c
--- openssl-1.0.2f/crypto/dsa/dsa_gen.c.fips-reqs 2016-01-28 16:36:22.768386431 +0100 --- openssl-1.0.2i/crypto/dsa/dsa_gen.c.fips-reqs 2016-09-22 13:54:26.490847450 +0200
+++ openssl-1.0.2f/crypto/dsa/dsa_gen.c 2016-01-28 16:36:22.812387443 +0100 +++ openssl-1.0.2i/crypto/dsa/dsa_gen.c 2016-09-22 13:54:26.534848472 +0200
@@ -157,9 +157,11 @@ int dsa_builtin_paramgen(DSA *ret, size_ @@ -157,9 +157,11 @@ int dsa_builtin_paramgen(DSA *ret, size_
} }
@ -57,9 +56,9 @@ diff -up openssl-1.0.2f/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2f/crypto/dsa
DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID); DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
goto err; goto err;
} }
diff -up openssl-1.0.2f/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2f/crypto/dsa/dsa.h diff -up openssl-1.0.2i/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2i/crypto/dsa/dsa.h
--- openssl-1.0.2f/crypto/dsa/dsa.h.fips-reqs 2016-01-28 16:36:22.768386431 +0100 --- openssl-1.0.2i/crypto/dsa/dsa.h.fips-reqs 2016-09-22 13:54:26.490847450 +0200
+++ openssl-1.0.2f/crypto/dsa/dsa.h 2016-01-28 16:36:22.812387443 +0100 +++ openssl-1.0.2i/crypto/dsa/dsa.h 2016-09-22 13:54:26.534848472 +0200
@@ -89,6 +89,7 @@ @@ -89,6 +89,7 @@
# endif # endif
@ -80,9 +79,9 @@ diff -up openssl-1.0.2f/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2f/crypto/dsa/dsa
* Rabin-Miller * Rabin-Miller
*/ */
# define DSA_is_prime(n, callback, cb_arg) \ # define DSA_is_prime(n, callback, cb_arg) \
diff -up openssl-1.0.2f/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2f/crypto/dsa/dsa_key.c diff -up openssl-1.0.2i/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2i/crypto/dsa/dsa_key.c
--- openssl-1.0.2f/crypto/dsa/dsa_key.c.fips-reqs 2016-01-28 16:36:22.810387397 +0100 --- openssl-1.0.2i/crypto/dsa/dsa_key.c.fips-reqs 2016-09-22 13:54:26.532848426 +0200
+++ openssl-1.0.2f/crypto/dsa/dsa_key.c 2016-01-28 16:36:22.812387443 +0100 +++ openssl-1.0.2i/crypto/dsa/dsa_key.c 2016-09-22 13:54:26.534848472 +0200
@@ -125,7 +125,7 @@ static int dsa_builtin_keygen(DSA *dsa) @@ -125,7 +125,7 @@ static int dsa_builtin_keygen(DSA *dsa)
# ifdef OPENSSL_FIPS # ifdef OPENSSL_FIPS
@ -92,9 +91,9 @@ diff -up openssl-1.0.2f/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2f/crypto/dsa
DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL); DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
goto err; goto err;
} }
diff -up openssl-1.0.2f/crypto/fips/fips.c.fips-reqs openssl-1.0.2f/crypto/fips/fips.c diff -up openssl-1.0.2i/crypto/fips/fips.c.fips-reqs openssl-1.0.2i/crypto/fips/fips.c
--- openssl-1.0.2f/crypto/fips/fips.c.fips-reqs 2016-01-28 16:36:22.810387397 +0100 --- openssl-1.0.2i/crypto/fips/fips.c.fips-reqs 2016-09-22 13:54:26.532848426 +0200
+++ openssl-1.0.2f/crypto/fips/fips.c 2016-01-28 16:36:22.813387467 +0100 +++ openssl-1.0.2i/crypto/fips/fips.c 2016-09-22 13:54:26.534848472 +0200
@@ -424,26 +424,24 @@ int FIPS_module_mode_set(int onoff, cons @@ -424,26 +424,24 @@ int FIPS_module_mode_set(int onoff, cons
ret = 0; ret = 0;
goto end; goto end;
@ -128,9 +127,9 @@ diff -up openssl-1.0.2f/crypto/fips/fips.c.fips-reqs openssl-1.0.2f/crypto/fips/
ret = 1; ret = 1;
goto end; goto end;
} }
diff -up openssl-1.0.2f/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2f/crypto/fips/fips_dh_selftest.c diff -up openssl-1.0.2i/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2i/crypto/fips/fips_dh_selftest.c
--- openssl-1.0.2f/crypto/fips/fips_dh_selftest.c.fips-reqs 2016-01-28 16:36:22.813387467 +0100 --- openssl-1.0.2i/crypto/fips/fips_dh_selftest.c.fips-reqs 2016-09-22 13:54:26.535848495 +0200
+++ openssl-1.0.2f/crypto/fips/fips_dh_selftest.c 2016-01-28 16:36:22.813387467 +0100 +++ openssl-1.0.2i/crypto/fips/fips_dh_selftest.c 2016-09-22 13:54:26.535848495 +0200
@@ -0,0 +1,162 @@ @@ -0,0 +1,162 @@
+/* ==================================================================== +/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
@ -294,9 +293,9 @@ diff -up openssl-1.0.2f/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2f/
+ return ret; + return ret;
+} +}
+#endif +#endif
diff -up openssl-1.0.2f/crypto/fips/fips.h.fips-reqs openssl-1.0.2f/crypto/fips/fips.h diff -up openssl-1.0.2i/crypto/fips/fips.h.fips-reqs openssl-1.0.2i/crypto/fips/fips.h
--- openssl-1.0.2f/crypto/fips/fips.h.fips-reqs 2016-01-28 16:36:22.806387305 +0100 --- openssl-1.0.2i/crypto/fips/fips.h.fips-reqs 2016-09-22 13:54:26.527848309 +0200
+++ openssl-1.0.2f/crypto/fips/fips.h 2016-01-28 16:36:22.813387467 +0100 +++ openssl-1.0.2i/crypto/fips/fips.h 2016-09-22 13:54:26.535848495 +0200
@@ -96,6 +96,7 @@ extern "C" { @@ -96,6 +96,7 @@ extern "C" {
int FIPS_selftest_dsa(void); int FIPS_selftest_dsa(void);
int FIPS_selftest_ecdsa(void); int FIPS_selftest_ecdsa(void);
@ -305,9 +304,9 @@ diff -up openssl-1.0.2f/crypto/fips/fips.h.fips-reqs openssl-1.0.2f/crypto/fips/
void FIPS_corrupt_rng(void); void FIPS_corrupt_rng(void);
void FIPS_rng_stick(void); void FIPS_rng_stick(void);
void FIPS_x931_stick(int onoff); void FIPS_x931_stick(int onoff);
diff -up openssl-1.0.2f/crypto/fips/fips_post.c.fips-reqs openssl-1.0.2f/crypto/fips/fips_post.c diff -up openssl-1.0.2i/crypto/fips/fips_post.c.fips-reqs openssl-1.0.2i/crypto/fips/fips_post.c
--- openssl-1.0.2f/crypto/fips/fips_post.c.fips-reqs 2016-01-28 16:36:22.803387236 +0100 --- openssl-1.0.2i/crypto/fips/fips_post.c.fips-reqs 2016-09-22 13:54:26.524848240 +0200
+++ openssl-1.0.2f/crypto/fips/fips_post.c 2016-01-28 16:36:22.813387467 +0100 +++ openssl-1.0.2i/crypto/fips/fips_post.c 2016-09-22 13:54:26.535848495 +0200
@@ -99,6 +99,8 @@ int FIPS_selftest(void) @@ -99,6 +99,8 @@ int FIPS_selftest(void)
rv = 0; rv = 0;
if (!FIPS_selftest_dsa()) if (!FIPS_selftest_dsa())
@ -317,9 +316,9 @@ diff -up openssl-1.0.2f/crypto/fips/fips_post.c.fips-reqs openssl-1.0.2f/crypto/
if (!FIPS_selftest_ecdh()) if (!FIPS_selftest_ecdh())
rv = 0; rv = 0;
return rv; return rv;
diff -up openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c diff -up openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c
--- openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c.fips-reqs 2016-01-28 16:36:22.778386661 +0100 --- openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c.fips-reqs 2016-09-22 13:54:26.499847659 +0200
+++ openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c 2016-01-28 16:36:22.814387489 +0100 +++ openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c 2016-09-22 13:54:26.537848542 +0200
@@ -60,68 +60,107 @@ @@ -60,68 +60,107 @@
#ifdef OPENSSL_FIPS #ifdef OPENSSL_FIPS
@ -974,9 +973,9 @@ diff -up openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.2f
RSA_free(key); RSA_free(key);
return ret; return ret;
} }
diff -up openssl-1.0.2f/crypto/fips/Makefile.fips-reqs openssl-1.0.2f/crypto/fips/Makefile diff -up openssl-1.0.2i/crypto/fips/Makefile.fips-reqs openssl-1.0.2i/crypto/fips/Makefile
--- openssl-1.0.2f/crypto/fips/Makefile.fips-reqs 2016-01-28 16:36:22.803387236 +0100 --- openssl-1.0.2i/crypto/fips/Makefile.fips-reqs 2016-09-22 13:54:26.524848240 +0200
+++ openssl-1.0.2f/crypto/fips/Makefile 2016-01-28 16:36:22.814387489 +0100 +++ openssl-1.0.2i/crypto/fips/Makefile 2016-09-22 13:54:26.537848542 +0200
@@ -24,13 +24,15 @@ LIBSRC=fips_aes_selftest.c fips_des_self @@ -24,13 +24,15 @@ LIBSRC=fips_aes_selftest.c fips_des_self
fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \ fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
@ -995,9 +994,9 @@ diff -up openssl-1.0.2f/crypto/fips/Makefile.fips-reqs openssl-1.0.2f/crypto/fip
LIBCRYPTO=-L.. -lcrypto LIBCRYPTO=-L.. -lcrypto
diff -up openssl-1.0.2f/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.2f/crypto/rand/rand_lcl.h diff -up openssl-1.0.2i/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.2i/crypto/rand/rand_lcl.h
--- openssl-1.0.2f/crypto/rand/rand_lcl.h.fips-reqs 2016-01-28 16:36:22.516380636 +0100 --- openssl-1.0.2i/crypto/rand/rand_lcl.h.fips-reqs 2016-09-22 13:54:26.261842127 +0200
+++ openssl-1.0.2f/crypto/rand/rand_lcl.h 2016-01-28 16:36:22.814387489 +0100 +++ openssl-1.0.2i/crypto/rand/rand_lcl.h 2016-09-22 13:54:26.537848542 +0200
@@ -112,7 +112,7 @@ @@ -112,7 +112,7 @@
#ifndef HEADER_RAND_LCL_H #ifndef HEADER_RAND_LCL_H
# define HEADER_RAND_LCL_H # define HEADER_RAND_LCL_H
@ -1007,9 +1006,9 @@ diff -up openssl-1.0.2f/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.2f/crypto/r
# if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND) # if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) # if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
diff -up openssl-1.0.2f/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.2f/crypto/rand/rand_lib.c diff -up openssl-1.0.2i/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.2i/crypto/rand/rand_lib.c
--- openssl-1.0.2f/crypto/rand/rand_lib.c.fips-reqs 2016-01-28 14:38:31.000000000 +0100 --- openssl-1.0.2i/crypto/rand/rand_lib.c.fips-reqs 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2f/crypto/rand/rand_lib.c 2016-01-28 16:36:22.814387489 +0100 +++ openssl-1.0.2i/crypto/rand/rand_lib.c 2016-09-22 13:54:26.537848542 +0200
@@ -236,12 +236,22 @@ static int drbg_rand_add(DRBG_CTX *ctx, @@ -236,12 +236,22 @@ static int drbg_rand_add(DRBG_CTX *ctx,
double entropy) double entropy)
{ {
@ -1033,9 +1032,9 @@ diff -up openssl-1.0.2f/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.2f/crypto/r
return 1; return 1;
} }
diff -up openssl-1.0.2f/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.2f/crypto/rsa/rsa_gen.c diff -up openssl-1.0.2i/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.2i/crypto/rsa/rsa_gen.c
--- openssl-1.0.2f/crypto/rsa/rsa_gen.c.fips-reqs 2016-01-28 16:36:22.781386731 +0100 --- openssl-1.0.2i/crypto/rsa/rsa_gen.c.fips-reqs 2016-09-22 13:54:26.502847728 +0200
+++ openssl-1.0.2f/crypto/rsa/rsa_gen.c 2016-01-28 16:36:22.814387489 +0100 +++ openssl-1.0.2i/crypto/rsa/rsa_gen.c 2016-09-22 13:54:26.538848565 +0200
@@ -1,5 +1,6 @@ @@ -1,5 +1,6 @@
/* crypto/rsa/rsa_gen.c */ /* crypto/rsa/rsa_gen.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
@ -1337,9 +1336,9 @@ diff -up openssl-1.0.2f/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.2f/crypto/rsa
ok = 1; ok = 1;
err: err:
if (ok == -1) { if (ok == -1) {
diff -up openssl-1.0.2f/ssl/t1_enc.c.fips-reqs openssl-1.0.2f/ssl/t1_enc.c diff -up openssl-1.0.2i/ssl/t1_enc.c.fips-reqs openssl-1.0.2i/ssl/t1_enc.c
--- openssl-1.0.2f/ssl/t1_enc.c.fips-reqs 2016-01-28 14:56:08.000000000 +0100 --- openssl-1.0.2i/ssl/t1_enc.c.fips-reqs 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2f/ssl/t1_enc.c 2016-01-28 16:36:22.814387489 +0100 +++ openssl-1.0.2i/ssl/t1_enc.c 2016-09-22 13:54:26.538848565 +0200
@@ -292,6 +292,23 @@ static int tls1_PRF(long digest_mask, @@ -292,6 +292,23 @@ static int tls1_PRF(long digest_mask,
return ret; return ret;
} }


@ -1,6 +1,6 @@
diff -up openssl-1.0.2a/crypto/conf/conf_api.c.secure-getenv openssl-1.0.2a/crypto/conf/conf_api.c diff -up openssl-1.0.2i/crypto/conf/conf_api.c.secure-getenv openssl-1.0.2i/crypto/conf/conf_api.c
--- openssl-1.0.2a/crypto/conf/conf_api.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100 --- openssl-1.0.2i/crypto/conf/conf_api.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2a/crypto/conf/conf_api.c 2015-04-21 17:14:12.757214532 +0200 +++ openssl-1.0.2i/crypto/conf/conf_api.c 2016-09-22 13:51:29.847742209 +0200
@@ -63,6 +63,8 @@ @@ -63,6 +63,8 @@
# define NDEBUG # define NDEBUG
#endif #endif
@ -28,9 +28,9 @@ diff -up openssl-1.0.2a/crypto/conf/conf_api.c.secure-getenv openssl-1.0.2a/cryp
} }
#if 0 /* There's no way to provide error checking #if 0 /* There's no way to provide error checking
diff -up openssl-1.0.2a/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.2a/crypto/conf/conf_mod.c diff -up openssl-1.0.2i/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.2i/crypto/conf/conf_mod.c
--- openssl-1.0.2a/crypto/conf/conf_mod.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100 --- openssl-1.0.2i/crypto/conf/conf_mod.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2a/crypto/conf/conf_mod.c 2015-04-21 17:13:24.165078848 +0200 +++ openssl-1.0.2i/crypto/conf/conf_mod.c 2016-09-22 13:51:29.847742209 +0200
@@ -57,6 +57,8 @@ @@ -57,6 +57,8 @@
* *
*/ */
@ -40,7 +40,7 @@ diff -up openssl-1.0.2a/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.2a/cryp
#include <stdio.h> #include <stdio.h>
#include <ctype.h> #include <ctype.h>
#include <openssl/crypto.h> #include <openssl/crypto.h>
@@ -526,7 +528,7 @@ char *CONF_get1_default_config_file(void @@ -530,7 +532,7 @@ char *CONF_get1_default_config_file(void
char *file; char *file;
int len; int len;
@ -49,9 +49,9 @@ diff -up openssl-1.0.2a/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.2a/cryp
if (file) if (file)
return BUF_strdup(file); return BUF_strdup(file);
diff -up openssl-1.0.2a/crypto/engine/eng_list.c.secure-getenv openssl-1.0.2a/crypto/engine/eng_list.c diff -up openssl-1.0.2i/crypto/engine/eng_list.c.secure-getenv openssl-1.0.2i/crypto/engine/eng_list.c
--- openssl-1.0.2a/crypto/engine/eng_list.c.secure-getenv 2015-04-21 17:13:24.165078848 +0200 --- openssl-1.0.2i/crypto/engine/eng_list.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2a/crypto/engine/eng_list.c 2015-04-21 17:15:53.180561603 +0200 +++ openssl-1.0.2i/crypto/engine/eng_list.c 2016-09-22 13:51:29.847742209 +0200
@@ -62,6 +62,8 @@ @@ -62,6 +62,8 @@
* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
*/ */
@ -61,7 +61,7 @@ diff -up openssl-1.0.2a/crypto/engine/eng_list.c.secure-getenv openssl-1.0.2a/cr
#include "eng_int.h" #include "eng_int.h"
/* /*
@@ -368,10 +370,10 @@ ENGINE *ENGINE_by_id(const char *id) @@ -369,10 +371,10 @@ ENGINE *ENGINE_by_id(const char *id)
*/ */
if (strcmp(id, "dynamic")) { if (strcmp(id, "dynamic")) {
# ifdef OPENSSL_SYS_VMS # ifdef OPENSSL_SYS_VMS
@ -74,9 +74,9 @@ diff -up openssl-1.0.2a/crypto/engine/eng_list.c.secure-getenv openssl-1.0.2a/cr
load_dir = ENGINESDIR; load_dir = ENGINESDIR;
# endif # endif
iterator = ENGINE_by_id("dynamic"); iterator = ENGINE_by_id("dynamic");
diff -up openssl-1.0.2a/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.2a/crypto/md5/md5_dgst.c diff -up openssl-1.0.2i/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.2i/crypto/md5/md5_dgst.c
--- openssl-1.0.2a/crypto/md5/md5_dgst.c.secure-getenv 2015-04-21 17:13:24.156078637 +0200 --- openssl-1.0.2i/crypto/md5/md5_dgst.c.secure-getenv 2016-09-22 13:51:29.840742047 +0200
+++ openssl-1.0.2a/crypto/md5/md5_dgst.c 2015-04-21 17:13:24.165078848 +0200 +++ openssl-1.0.2i/crypto/md5/md5_dgst.c 2016-09-22 13:51:29.847742209 +0200
@@ -56,6 +56,8 @@ @@ -56,6 +56,8 @@
* [including the GNU Public Licence.] * [including the GNU Public Licence.]
*/ */
@ -96,9 +96,9 @@ diff -up openssl-1.0.2a/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.2a/crypt
OpenSSLDie(__FILE__, __LINE__, "Digest MD5 forbidden in FIPS mode!"); OpenSSLDie(__FILE__, __LINE__, "Digest MD5 forbidden in FIPS mode!");
return private_MD5_Init(c); return private_MD5_Init(c);
} }
diff -up openssl-1.0.2a/crypto/o_init.c.secure-getenv openssl-1.0.2a/crypto/o_init.c diff -up openssl-1.0.2i/crypto/o_init.c.secure-getenv openssl-1.0.2i/crypto/o_init.c
--- openssl-1.0.2a/crypto/o_init.c.secure-getenv 2015-04-21 17:13:24.142078310 +0200 --- openssl-1.0.2i/crypto/o_init.c.secure-getenv 2016-09-22 13:51:29.830741814 +0200
+++ openssl-1.0.2a/crypto/o_init.c 2015-04-21 17:13:24.165078848 +0200 +++ openssl-1.0.2i/crypto/o_init.c 2016-09-22 13:51:30.046746834 +0200
@@ -53,6 +53,8 @@ @@ -53,6 +53,8 @@
* *
*/ */
@ -117,19 +117,19 @@ diff -up openssl-1.0.2a/crypto/o_init.c.secure-getenv openssl-1.0.2a/crypto/o_in
buf[0] = '1'; buf[0] = '1';
} else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
diff -up openssl-1.0.2a/crypto/rand/randfile.c.secure-getenv openssl-1.0.2a/crypto/rand/randfile.c diff -up openssl-1.0.2i/crypto/rand/randfile.c.secure-getenv openssl-1.0.2i/crypto/rand/randfile.c
--- openssl-1.0.2a/crypto/rand/randfile.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100 --- openssl-1.0.2i/crypto/rand/randfile.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2a/crypto/rand/randfile.c 2015-04-21 17:13:24.165078848 +0200 +++ openssl-1.0.2i/crypto/rand/randfile.c 2016-09-22 13:53:17.222237626 +0200
@@ -60,6 +60,8 @@ @@ -55,6 +55,8 @@
#if !defined(OPENSSL_SYS_VXWORKS) * copied and put under another distribution licence
# define _XOPEN_SOURCE 500 * [including the GNU Public Licence.]
#endif */
+/* for secure_getenv */ +/* for secure_getenv */
+#define _GNU_SOURCE +#define _GNU_SOURCE
#include <errno.h> #include <errno.h>
#include <stdio.h> #include <stdio.h>
@@ -292,14 +294,12 @@ const char *RAND_file_name(char *buf, si @@ -327,14 +329,12 @@ const char *RAND_file_name(char *buf, si
struct stat sb; struct stat sb;
#endif #endif
@ -146,9 +146,9 @@ diff -up openssl-1.0.2a/crypto/rand/randfile.c.secure-getenv openssl-1.0.2a/cryp
#ifdef DEFAULT_HOME #ifdef DEFAULT_HOME
if (s == NULL) { if (s == NULL) {
s = DEFAULT_HOME; s = DEFAULT_HOME;
diff -up openssl-1.0.2a/crypto/x509/by_dir.c.secure-getenv openssl-1.0.2a/crypto/x509/by_dir.c diff -up openssl-1.0.2i/crypto/x509/by_dir.c.secure-getenv openssl-1.0.2i/crypto/x509/by_dir.c
--- openssl-1.0.2a/crypto/x509/by_dir.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100 --- openssl-1.0.2i/crypto/x509/by_dir.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2a/crypto/x509/by_dir.c 2015-04-21 17:13:24.165078848 +0200 +++ openssl-1.0.2i/crypto/x509/by_dir.c 2016-09-22 13:51:30.047746858 +0200
@@ -56,6 +56,8 @@ @@ -56,6 +56,8 @@
* [including the GNU Public Licence.] * [including the GNU Public Licence.]
*/ */
@ -167,9 +167,9 @@ diff -up openssl-1.0.2a/crypto/x509/by_dir.c.secure-getenv openssl-1.0.2a/crypto
if (dir) if (dir)
ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM); ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
else else
diff -up openssl-1.0.2a/crypto/x509/by_file.c.secure-getenv openssl-1.0.2a/crypto/x509/by_file.c diff -up openssl-1.0.2i/crypto/x509/by_file.c.secure-getenv openssl-1.0.2i/crypto/x509/by_file.c
--- openssl-1.0.2a/crypto/x509/by_file.c.secure-getenv 2015-04-21 17:13:24.118077749 +0200 --- openssl-1.0.2i/crypto/x509/by_file.c.secure-getenv 2016-09-22 13:51:29.812741396 +0200
+++ openssl-1.0.2a/crypto/x509/by_file.c 2015-04-21 17:13:24.166078871 +0200 +++ openssl-1.0.2i/crypto/x509/by_file.c 2016-09-22 13:51:30.047746858 +0200
@@ -56,6 +56,8 @@ @@ -56,6 +56,8 @@
* [including the GNU Public Licence.] * [including the GNU Public Licence.]
*/ */
@ -188,9 +188,9 @@ diff -up openssl-1.0.2a/crypto/x509/by_file.c.secure-getenv openssl-1.0.2a/crypt
if (file) if (file)
ok = (X509_load_cert_crl_file(ctx, file, ok = (X509_load_cert_crl_file(ctx, file,
X509_FILETYPE_PEM) != 0); X509_FILETYPE_PEM) != 0);
diff -up openssl-1.0.2a/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.2a/crypto/x509/x509_vfy.c diff -up openssl-1.0.2i/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.2i/crypto/x509/x509_vfy.c
--- openssl-1.0.2a/crypto/x509/x509_vfy.c.secure-getenv 2015-03-19 14:30:36.000000000 +0100 --- openssl-1.0.2i/crypto/x509/x509_vfy.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2a/crypto/x509/x509_vfy.c 2015-04-21 17:19:14.948277272 +0200 +++ openssl-1.0.2i/crypto/x509/x509_vfy.c 2016-09-22 13:51:30.048746881 +0200
@@ -56,6 +56,8 @@ @@ -56,6 +56,8 @@
* [including the GNU Public Licence.] * [including the GNU Public Licence.]
*/ */
@ -200,7 +200,7 @@ diff -up openssl-1.0.2a/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.2a/cryp
#include <stdio.h> #include <stdio.h>
#include <time.h> #include <time.h>
#include <errno.h> #include <errno.h>
@@ -550,7 +552,7 @@ static int check_chain_extensions(X509_S @@ -620,7 +622,7 @@ static int check_chain_extensions(X509_S
* A hack to keep people who don't want to modify their software * A hack to keep people who don't want to modify their software
* happy * happy
*/ */
@ -209,9 +209,9 @@ diff -up openssl-1.0.2a/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.2a/cryp
allow_proxy_certs = 1; allow_proxy_certs = 1;
purpose = ctx->param->purpose; purpose = ctx->param->purpose;
} }
diff -up openssl-1.0.2a/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.2a/engines/ccgost/gost_ctl.c diff -up openssl-1.0.2i/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.2i/engines/ccgost/gost_ctl.c
--- openssl-1.0.2a/engines/ccgost/gost_ctl.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100 --- openssl-1.0.2i/engines/ccgost/gost_ctl.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2a/engines/ccgost/gost_ctl.c 2015-04-21 17:19:53.897187577 +0200 +++ openssl-1.0.2i/engines/ccgost/gost_ctl.c 2016-09-22 13:51:30.048746881 +0200
@@ -6,6 +6,8 @@ @@ -6,6 +6,8 @@
* Implementation of control commands for GOST engine * * Implementation of control commands for GOST engine *
* OpenSSL 0.9.9 libraries required * * OpenSSL 0.9.9 libraries required *


@ -1,6 +1,6 @@
diff -up openssl-1.0.2h/apps/cms.c.trusted-first openssl-1.0.2h/apps/cms.c diff -up openssl-1.0.2i/apps/cms.c.trusted-first openssl-1.0.2i/apps/cms.c
--- openssl-1.0.2h/apps/cms.c.trusted-first 2016-05-03 15:44:42.000000000 +0200 --- openssl-1.0.2i/apps/cms.c.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2h/apps/cms.c 2016-05-03 18:01:16.729556976 +0200 +++ openssl-1.0.2i/apps/cms.c 2016-09-22 14:01:27.436630359 +0200
@@ -646,6 +646,8 @@ int MAIN(int argc, char **argv) @@ -646,6 +646,8 @@ int MAIN(int argc, char **argv)
"-CApath dir trusted certificates directory\n"); "-CApath dir trusted certificates directory\n");
BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
@ -10,9 +10,9 @@ diff -up openssl-1.0.2h/apps/cms.c.trusted-first openssl-1.0.2h/apps/cms.c
"-no_alt_chains only ever use the first certificate chain found\n"); "-no_alt_chains only ever use the first certificate chain found\n");
BIO_printf(bio_err, BIO_printf(bio_err,
"-crl_check check revocation status of signer's certificate using CRLs\n"); "-crl_check check revocation status of signer's certificate using CRLs\n");
diff -up openssl-1.0.2h/apps/ocsp.c.trusted-first openssl-1.0.2h/apps/ocsp.c diff -up openssl-1.0.2i/apps/ocsp.c.trusted-first openssl-1.0.2i/apps/ocsp.c
--- openssl-1.0.2h/apps/ocsp.c.trusted-first 2016-05-03 15:44:42.000000000 +0200 --- openssl-1.0.2i/apps/ocsp.c.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2h/apps/ocsp.c 2016-05-03 18:01:16.730556998 +0200 +++ openssl-1.0.2i/apps/ocsp.c 2016-09-22 14:01:27.436630359 +0200
@@ -537,6 +537,8 @@ int MAIN(int argc, char **argv) @@ -537,6 +537,8 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err, BIO_printf(bio_err,
"-CAfile file trusted certificates file\n"); "-CAfile file trusted certificates file\n");
@ -22,10 +22,10 @@ diff -up openssl-1.0.2h/apps/ocsp.c.trusted-first openssl-1.0.2h/apps/ocsp.c
"-no_alt_chains only ever use the first certificate chain found\n"); "-no_alt_chains only ever use the first certificate chain found\n");
BIO_printf(bio_err, BIO_printf(bio_err,
"-VAfile file validator certificates file\n"); "-VAfile file validator certificates file\n");
diff -up openssl-1.0.2h/apps/s_client.c.trusted-first openssl-1.0.2h/apps/s_client.c diff -up openssl-1.0.2i/apps/s_client.c.trusted-first openssl-1.0.2i/apps/s_client.c
--- openssl-1.0.2h/apps/s_client.c.trusted-first 2016-05-03 18:01:16.696556246 +0200 --- openssl-1.0.2i/apps/s_client.c.trusted-first 2016-09-22 14:01:27.402629569 +0200
+++ openssl-1.0.2h/apps/s_client.c 2016-05-03 18:01:16.730556998 +0200 +++ openssl-1.0.2i/apps/s_client.c 2016-09-22 14:01:27.436630359 +0200
@@ -333,6 +333,8 @@ static void sc_usage(void) @@ -330,6 +330,8 @@ static void sc_usage(void)
BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
BIO_printf(bio_err, BIO_printf(bio_err,
@ -34,9 +34,9 @@ diff -up openssl-1.0.2h/apps/s_client.c.trusted-first openssl-1.0.2h/apps/s_clie
" -no_alt_chains - only ever use the first certificate chain found\n"); " -no_alt_chains - only ever use the first certificate chain found\n");
BIO_printf(bio_err, BIO_printf(bio_err,
" -reconnect - Drop and re-make the connection with the same Session-ID\n"); " -reconnect - Drop and re-make the connection with the same Session-ID\n");
diff -up openssl-1.0.2h/apps/smime.c.trusted-first openssl-1.0.2h/apps/smime.c diff -up openssl-1.0.2i/apps/smime.c.trusted-first openssl-1.0.2i/apps/smime.c
--- openssl-1.0.2h/apps/smime.c.trusted-first 2016-05-03 15:44:42.000000000 +0200 --- openssl-1.0.2i/apps/smime.c.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2h/apps/smime.c 2016-05-03 18:01:16.730556998 +0200 +++ openssl-1.0.2i/apps/smime.c 2016-09-22 14:01:27.436630359 +0200
@@ -442,6 +442,8 @@ int MAIN(int argc, char **argv) @@ -442,6 +442,8 @@ int MAIN(int argc, char **argv)
"-CApath dir trusted certificates directory\n"); "-CApath dir trusted certificates directory\n");
BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
@ -46,10 +46,10 @@ diff -up openssl-1.0.2h/apps/smime.c.trusted-first openssl-1.0.2h/apps/smime.c
"-no_alt_chains only ever use the first certificate chain found\n"); "-no_alt_chains only ever use the first certificate chain found\n");
BIO_printf(bio_err, BIO_printf(bio_err,
"-crl_check check revocation status of signer's certificate using CRLs\n"); "-crl_check check revocation status of signer's certificate using CRLs\n");
diff -up openssl-1.0.2h/apps/s_server.c.trusted-first openssl-1.0.2h/apps/s_server.c diff -up openssl-1.0.2i/apps/s_server.c.trusted-first openssl-1.0.2i/apps/s_server.c
--- openssl-1.0.2h/apps/s_server.c.trusted-first 2016-05-03 18:01:16.666555583 +0200 --- openssl-1.0.2i/apps/s_server.c.trusted-first 2016-09-22 14:01:27.374628918 +0200
+++ openssl-1.0.2h/apps/s_server.c 2016-05-03 18:01:16.731557020 +0200 +++ openssl-1.0.2i/apps/s_server.c 2016-09-22 14:01:27.437630382 +0200
@@ -578,6 +578,8 @@ static void sv_usage(void) @@ -571,6 +571,8 @@ static void sv_usage(void)
BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
BIO_printf(bio_err, BIO_printf(bio_err,
@ -58,9 +58,9 @@ diff -up openssl-1.0.2h/apps/s_server.c.trusted-first openssl-1.0.2h/apps/s_serv
" -no_alt_chains - only ever use the first certificate chain found\n"); " -no_alt_chains - only ever use the first certificate chain found\n");
BIO_printf(bio_err, BIO_printf(bio_err,
" -nocert - Don't use any certificates (Anon-DH)\n"); " -nocert - Don't use any certificates (Anon-DH)\n");
diff -up openssl-1.0.2h/apps/s_time.c.trusted-first openssl-1.0.2h/apps/s_time.c diff -up openssl-1.0.2i/apps/s_time.c.trusted-first openssl-1.0.2i/apps/s_time.c
--- openssl-1.0.2h/apps/s_time.c.trusted-first 2016-05-03 18:01:16.661555472 +0200 --- openssl-1.0.2i/apps/s_time.c.trusted-first 2016-09-22 14:01:27.368628779 +0200
+++ openssl-1.0.2h/apps/s_time.c 2016-05-03 18:01:16.731557020 +0200 +++ openssl-1.0.2i/apps/s_time.c 2016-09-22 14:01:27.437630382 +0200
@@ -182,6 +182,7 @@ static void s_time_usage(void) @@ -182,6 +182,7 @@ static void s_time_usage(void)
file if not specified by this option\n\ file if not specified by this option\n\
-CApath arg - PEM format directory of CA's\n\ -CApath arg - PEM format directory of CA's\n\
@ -69,9 +69,9 @@ diff -up openssl-1.0.2h/apps/s_time.c.trusted-first openssl-1.0.2h/apps/s_time.c
-cipher - preferred cipher to use, play with 'openssl ciphers'\n\n"; -cipher - preferred cipher to use, play with 'openssl ciphers'\n\n";
printf("usage: s_time <args>\n\n"); printf("usage: s_time <args>\n\n");
diff -up openssl-1.0.2h/apps/ts.c.trusted-first openssl-1.0.2h/apps/ts.c diff -up openssl-1.0.2i/apps/ts.c.trusted-first openssl-1.0.2i/apps/ts.c
--- openssl-1.0.2h/apps/ts.c.trusted-first 2016-05-03 18:01:16.694556202 +0200 --- openssl-1.0.2i/apps/ts.c.trusted-first 2016-09-22 14:01:27.400629522 +0200
+++ openssl-1.0.2h/apps/ts.c 2016-05-03 18:01:16.731557020 +0200 +++ openssl-1.0.2i/apps/ts.c 2016-09-22 14:01:27.437630382 +0200
@@ -352,7 +352,7 @@ int MAIN(int argc, char **argv) @@ -352,7 +352,7 @@ int MAIN(int argc, char **argv)
"ts -verify [-data file_to_hash] [-digest digest_bytes] " "ts -verify [-data file_to_hash] [-digest digest_bytes] "
"[-queryfile request.tsq] " "[-queryfile request.tsq] "
@ -81,11 +81,11 @@ diff -up openssl-1.0.2h/apps/ts.c.trusted-first openssl-1.0.2h/apps/ts.c
"-untrusted cert_file.pem\n"); "-untrusted cert_file.pem\n");
cleanup: cleanup:
/* Clean up. */ /* Clean up. */
diff -up openssl-1.0.2h/apps/verify.c.trusted-first openssl-1.0.2h/apps/verify.c diff -up openssl-1.0.2i/apps/verify.c.trusted-first openssl-1.0.2i/apps/verify.c
--- openssl-1.0.2h/apps/verify.c.trusted-first 2016-05-03 15:44:42.000000000 +0200 --- openssl-1.0.2i/apps/verify.c.trusted-first 2016-09-22 14:01:27.438630405 +0200
+++ openssl-1.0.2h/apps/verify.c 2016-05-03 18:01:16.731557020 +0200 +++ openssl-1.0.2i/apps/verify.c 2016-09-22 14:02:37.951269140 +0200
@@ -231,7 +231,7 @@ int MAIN(int argc, char **argv) @@ -231,7 +231,7 @@ int MAIN(int argc, char **argv)
end: usage:
if (ret == 1) { if (ret == 1) {
BIO_printf(bio_err, BIO_printf(bio_err,
- "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]"); - "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
@ -93,9 +93,9 @@ diff -up openssl-1.0.2h/apps/verify.c.trusted-first openssl-1.0.2h/apps/verify.c
BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]"); BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]");
#ifndef OPENSSL_NO_ENGINE #ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err, " [-engine e]"); BIO_printf(bio_err, " [-engine e]");
diff -up openssl-1.0.2h/doc/apps/cms.pod.trusted-first openssl-1.0.2h/doc/apps/cms.pod diff -up openssl-1.0.2i/doc/apps/cms.pod.trusted-first openssl-1.0.2i/doc/apps/cms.pod
--- openssl-1.0.2h/doc/apps/cms.pod.trusted-first 2016-05-03 15:44:42.000000000 +0200 --- openssl-1.0.2i/doc/apps/cms.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2h/doc/apps/cms.pod 2016-05-03 18:01:16.731557020 +0200 +++ openssl-1.0.2i/doc/apps/cms.pod 2016-09-22 14:01:27.438630405 +0200
@@ -35,6 +35,7 @@ B<openssl> B<cms> @@ -35,6 +35,7 @@ B<openssl> B<cms>
[B<-print>] [B<-print>]
[B<-CAfile file>] [B<-CAfile file>]
@ -104,7 +104,7 @@ diff -up openssl-1.0.2h/doc/apps/cms.pod.trusted-first openssl-1.0.2h/doc/apps/c
[B<-no_alt_chains>] [B<-no_alt_chains>]
[B<-md digest>] [B<-md digest>]
[B<-[cipher]>] [B<-[cipher]>]
@@ -245,6 +246,12 @@ B<-verify>. This directory must be a sta @@ -248,6 +249,12 @@ B<-verify>. This directory must be a sta
is a hash of each subject name (using B<x509 -hash>) should be linked is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate. to each certificate.
@ -117,9 +117,9 @@ diff -up openssl-1.0.2h/doc/apps/cms.pod.trusted-first openssl-1.0.2h/doc/apps/c
=item B<-md digest> =item B<-md digest>
digest algorithm to use when signing or resigning. If not present then the digest algorithm to use when signing or resigning. If not present then the
diff -up openssl-1.0.2h/doc/apps/ocsp.pod.trusted-first openssl-1.0.2h/doc/apps/ocsp.pod diff -up openssl-1.0.2i/doc/apps/ocsp.pod.trusted-first openssl-1.0.2i/doc/apps/ocsp.pod
--- openssl-1.0.2h/doc/apps/ocsp.pod.trusted-first 2016-05-03 18:01:16.695556224 +0200 --- openssl-1.0.2i/doc/apps/ocsp.pod.trusted-first 2016-09-22 14:01:27.401629545 +0200
+++ openssl-1.0.2h/doc/apps/ocsp.pod 2016-05-03 18:02:16.021868012 +0200 +++ openssl-1.0.2i/doc/apps/ocsp.pod 2016-09-22 14:01:27.438630405 +0200
@@ -29,6 +29,7 @@ B<openssl> B<ocsp> @@ -29,6 +29,7 @@ B<openssl> B<ocsp>
[B<-path>] [B<-path>]
[B<-CApath dir>] [B<-CApath dir>]
@ -142,9 +142,9 @@ diff -up openssl-1.0.2h/doc/apps/ocsp.pod.trusted-first openssl-1.0.2h/doc/apps/
=item B<-no_alt_chains> =item B<-no_alt_chains>
See L<B<verify>|verify(1)> manual page for details. See L<B<verify>|verify(1)> manual page for details.
diff -up openssl-1.0.2h/doc/apps/s_client.pod.trusted-first openssl-1.0.2h/doc/apps/s_client.pod diff -up openssl-1.0.2i/doc/apps/s_client.pod.trusted-first openssl-1.0.2i/doc/apps/s_client.pod
--- openssl-1.0.2h/doc/apps/s_client.pod.trusted-first 2016-05-03 18:01:16.706556467 +0200 --- openssl-1.0.2i/doc/apps/s_client.pod.trusted-first 2016-09-22 14:01:27.412629801 +0200
+++ openssl-1.0.2h/doc/apps/s_client.pod 2016-05-03 18:01:16.732557042 +0200 +++ openssl-1.0.2i/doc/apps/s_client.pod 2016-09-22 14:01:27.438630405 +0200
@@ -19,6 +19,7 @@ B<openssl> B<s_client> @@ -19,6 +19,7 @@ B<openssl> B<s_client>
[B<-pass arg>] [B<-pass arg>]
[B<-CApath directory>] [B<-CApath directory>]
@ -153,7 +153,7 @@ diff -up openssl-1.0.2h/doc/apps/s_client.pod.trusted-first openssl-1.0.2h/doc/a
[B<-no_alt_chains>] [B<-no_alt_chains>]
[B<-reconnect>] [B<-reconnect>]
[B<-pause>] [B<-pause>]
@@ -124,7 +125,7 @@ also used when building the client certi @@ -125,7 +126,7 @@ also used when building the client certi
A file containing trusted certificates to use during server authentication A file containing trusted certificates to use during server authentication
and to use when attempting to build the client certificate chain. and to use when attempting to build the client certificate chain.
@ -162,9 +162,9 @@ diff -up openssl-1.0.2h/doc/apps/s_client.pod.trusted-first openssl-1.0.2h/doc/a
Set various certificate chain valiadition option. See the Set various certificate chain valiadition option. See the
L<B<verify>|verify(1)> manual page for details. L<B<verify>|verify(1)> manual page for details.
diff -up openssl-1.0.2h/doc/apps/smime.pod.trusted-first openssl-1.0.2h/doc/apps/smime.pod diff -up openssl-1.0.2i/doc/apps/smime.pod.trusted-first openssl-1.0.2i/doc/apps/smime.pod
--- openssl-1.0.2h/doc/apps/smime.pod.trusted-first 2016-05-03 15:44:42.000000000 +0200 --- openssl-1.0.2i/doc/apps/smime.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2h/doc/apps/smime.pod 2016-05-03 18:01:16.732557042 +0200 +++ openssl-1.0.2i/doc/apps/smime.pod 2016-09-22 14:01:27.438630405 +0200
@@ -15,6 +15,9 @@ B<openssl> B<smime> @@ -15,6 +15,9 @@ B<openssl> B<smime>
[B<-pk7out>] [B<-pk7out>]
[B<-[cipher]>] [B<-[cipher]>]
@ -175,7 +175,7 @@ diff -up openssl-1.0.2h/doc/apps/smime.pod.trusted-first openssl-1.0.2h/doc/apps
[B<-no_alt_chains>] [B<-no_alt_chains>]
[B<-certfile file>] [B<-certfile file>]
[B<-signer file>] [B<-signer file>]
@@ -147,6 +150,12 @@ B<-verify>. This directory must be a sta @@ -150,6 +153,12 @@ B<-verify>. This directory must be a sta
is a hash of each subject name (using B<x509 -hash>) should be linked is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate. to each certificate.
@ -188,9 +188,9 @@ diff -up openssl-1.0.2h/doc/apps/smime.pod.trusted-first openssl-1.0.2h/doc/apps
=item B<-md digest> =item B<-md digest>
digest algorithm to use when signing or resigning. If not present then the digest algorithm to use when signing or resigning. If not present then the
diff -up openssl-1.0.2h/doc/apps/s_server.pod.trusted-first openssl-1.0.2h/doc/apps/s_server.pod diff -up openssl-1.0.2i/doc/apps/s_server.pod.trusted-first openssl-1.0.2i/doc/apps/s_server.pod
--- openssl-1.0.2h/doc/apps/s_server.pod.trusted-first 2016-05-03 18:01:16.706556467 +0200 --- openssl-1.0.2i/doc/apps/s_server.pod.trusted-first 2016-09-22 14:01:27.412629801 +0200
+++ openssl-1.0.2h/doc/apps/s_server.pod 2016-05-03 18:01:16.732557042 +0200 +++ openssl-1.0.2i/doc/apps/s_server.pod 2016-09-22 14:01:27.438630405 +0200
@@ -33,6 +33,7 @@ B<openssl> B<s_server> @@ -33,6 +33,7 @@ B<openssl> B<s_server>
[B<-state>] [B<-state>]
[B<-CApath directory>] [B<-CApath directory>]
@ -199,7 +199,7 @@ diff -up openssl-1.0.2h/doc/apps/s_server.pod.trusted-first openssl-1.0.2h/doc/a
[B<-no_alt_chains>] [B<-no_alt_chains>]
[B<-nocert>] [B<-nocert>]
[B<-cipher cipherlist>] [B<-cipher cipherlist>]
@@ -177,6 +178,12 @@ and to use when attempting to build the @@ -178,6 +179,12 @@ and to use when attempting to build the
is also used in the list of acceptable client CAs passed to the client when is also used in the list of acceptable client CAs passed to the client when
a certificate is requested. a certificate is requested.
@ -212,9 +212,9 @@ diff -up openssl-1.0.2h/doc/apps/s_server.pod.trusted-first openssl-1.0.2h/doc/a
=item B<-no_alt_chains> =item B<-no_alt_chains>
See the L<B<verify>|verify(1)> manual page for details. See the L<B<verify>|verify(1)> manual page for details.
diff -up openssl-1.0.2h/doc/apps/s_time.pod.trusted-first openssl-1.0.2h/doc/apps/s_time.pod diff -up openssl-1.0.2i/doc/apps/s_time.pod.trusted-first openssl-1.0.2i/doc/apps/s_time.pod
--- openssl-1.0.2h/doc/apps/s_time.pod.trusted-first 2016-05-03 15:44:42.000000000 +0200 --- openssl-1.0.2i/doc/apps/s_time.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2h/doc/apps/s_time.pod 2016-05-03 18:01:16.732557042 +0200 +++ openssl-1.0.2i/doc/apps/s_time.pod 2016-09-22 14:01:27.439630429 +0200
@@ -14,6 +14,7 @@ B<openssl> B<s_time> @@ -14,6 +14,7 @@ B<openssl> B<s_time>
[B<-key filename>] [B<-key filename>]
[B<-CApath directory>] [B<-CApath directory>]
@ -236,9 +236,9 @@ diff -up openssl-1.0.2h/doc/apps/s_time.pod.trusted-first openssl-1.0.2h/doc/app
=item B<-new> =item B<-new>
performs the timing test using a new session ID for each connection. performs the timing test using a new session ID for each connection.
diff -up openssl-1.0.2h/doc/apps/ts.pod.trusted-first openssl-1.0.2h/doc/apps/ts.pod diff -up openssl-1.0.2i/doc/apps/ts.pod.trusted-first openssl-1.0.2i/doc/apps/ts.pod
--- openssl-1.0.2h/doc/apps/ts.pod.trusted-first 2016-05-03 15:44:42.000000000 +0200 --- openssl-1.0.2i/doc/apps/ts.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2h/doc/apps/ts.pod 2016-05-03 18:01:16.732557042 +0200 +++ openssl-1.0.2i/doc/apps/ts.pod 2016-09-22 14:01:27.439630429 +0200
@@ -46,6 +46,7 @@ B<-verify> @@ -46,6 +46,7 @@ B<-verify>
[B<-token_in>] [B<-token_in>]
[B<-CApath> trusted_cert_path] [B<-CApath> trusted_cert_path]
@ -260,9 +260,9 @@ diff -up openssl-1.0.2h/doc/apps/ts.pod.trusted-first openssl-1.0.2h/doc/apps/ts
=item B<-untrusted> cert_file.pem =item B<-untrusted> cert_file.pem
Set of additional untrusted certificates in PEM format which may be Set of additional untrusted certificates in PEM format which may be
diff -up openssl-1.0.2h/doc/apps/verify.pod.trusted-first openssl-1.0.2h/doc/apps/verify.pod diff -up openssl-1.0.2i/doc/apps/verify.pod.trusted-first openssl-1.0.2i/doc/apps/verify.pod
--- openssl-1.0.2h/doc/apps/verify.pod.trusted-first 2016-05-03 15:44:42.000000000 +0200 --- openssl-1.0.2i/doc/apps/verify.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2h/doc/apps/verify.pod 2016-05-03 18:01:16.732557042 +0200 +++ openssl-1.0.2i/doc/apps/verify.pod 2016-09-22 14:01:27.439630429 +0200
@@ -9,6 +9,7 @@ verify - Utility to verify certificates. @@ -9,6 +9,7 @@ verify - Utility to verify certificates.
B<openssl> B<verify> B<openssl> B<verify>
[B<-CApath directory>] [B<-CApath directory>]
@ -271,7 +271,7 @@ diff -up openssl-1.0.2h/doc/apps/verify.pod.trusted-first openssl-1.0.2h/doc/app
[B<-purpose purpose>] [B<-purpose purpose>]
[B<-policy arg>] [B<-policy arg>]
[B<-ignore_critical>] [B<-ignore_critical>]
@@ -85,6 +86,12 @@ If a valid CRL cannot be found an error @@ -86,6 +87,12 @@ If a valid CRL cannot be found an error
A file of untrusted certificates. The file should contain multiple certificates A file of untrusted certificates. The file should contain multiple certificates
in PEM format concatenated together. in PEM format concatenated together.


@ -22,8 +22,8 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 1.0.2h Version: 1.0.2i
Release: 3%{?dist} Release: 1%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -56,7 +56,7 @@ Patch33: openssl-1.0.0-beta4-ca-dir.patch
Patch34: openssl-1.0.2a-x509.patch Patch34: openssl-1.0.2a-x509.patch
Patch35: openssl-1.0.2a-version-add-engines.patch Patch35: openssl-1.0.2a-version-add-engines.patch
Patch39: openssl-1.0.2a-ipv6-apps.patch Patch39: openssl-1.0.2a-ipv6-apps.patch
Patch40: openssl-1.0.2h-fips.patch Patch40: openssl-1.0.2i-fips.patch
Patch45: openssl-1.0.2a-env-zlib.patch Patch45: openssl-1.0.2a-env-zlib.patch
Patch47: openssl-1.0.2a-readme-warning.patch Patch47: openssl-1.0.2a-readme-warning.patch
Patch49: openssl-1.0.1i-algo-doc.patch Patch49: openssl-1.0.1i-algo-doc.patch
@ -66,18 +66,18 @@ Patch56: openssl-1.0.2a-rsa-x931.patch
Patch58: openssl-1.0.2a-fips-md5-allow.patch Patch58: openssl-1.0.2a-fips-md5-allow.patch
Patch60: openssl-1.0.2a-apps-dgst.patch Patch60: openssl-1.0.2a-apps-dgst.patch
Patch63: openssl-1.0.2a-xmpp-starttls.patch Patch63: openssl-1.0.2a-xmpp-starttls.patch
Patch65: openssl-1.0.2a-chil-fixes.patch Patch65: openssl-1.0.2i-chil-fixes.patch
Patch66: openssl-1.0.2h-pkgconfig.patch Patch66: openssl-1.0.2h-pkgconfig.patch
Patch68: openssl-1.0.2a-secure-getenv.patch Patch68: openssl-1.0.2i-secure-getenv.patch
Patch70: openssl-1.0.2a-fips-ec.patch Patch70: openssl-1.0.2a-fips-ec.patch
Patch71: openssl-1.0.2g-manfix.patch Patch71: openssl-1.0.2g-manfix.patch
Patch72: openssl-1.0.2a-fips-ctor.patch Patch72: openssl-1.0.2a-fips-ctor.patch
Patch73: openssl-1.0.2c-ecc-suiteb.patch Patch73: openssl-1.0.2c-ecc-suiteb.patch
Patch74: openssl-1.0.2a-no-md5-verify.patch Patch74: openssl-1.0.2a-no-md5-verify.patch
Patch75: openssl-1.0.2a-compat-symbols.patch Patch75: openssl-1.0.2a-compat-symbols.patch
Patch76: openssl-1.0.2f-new-fips-reqs.patch Patch76: openssl-1.0.2i-new-fips-reqs.patch
Patch78: openssl-1.0.2a-cc-reqs.patch Patch78: openssl-1.0.2a-cc-reqs.patch
Patch90: openssl-1.0.2a-enc-fail.patch Patch90: openssl-1.0.2i-enc-fail.patch
Patch92: openssl-1.0.2a-system-cipherlist.patch Patch92: openssl-1.0.2a-system-cipherlist.patch
Patch93: openssl-1.0.2g-disable-sslv2v3.patch Patch93: openssl-1.0.2g-disable-sslv2v3.patch
Patch94: openssl-1.0.2d-secp256k1.patch Patch94: openssl-1.0.2d-secp256k1.patch
@ -86,8 +86,7 @@ Patch96: openssl-1.0.2e-speed-doc.patch
# Backported fixes including security fixes # Backported fixes including security fixes
Patch80: openssl-1.0.2e-wrap-pad.patch Patch80: openssl-1.0.2e-wrap-pad.patch
Patch81: openssl-1.0.2a-padlock64.patch Patch81: openssl-1.0.2a-padlock64.patch
Patch82: openssl-1.0.2h-trusted-first-doc.patch Patch82: openssl-1.0.2i-trusted-first-doc.patch
Patch83: openssl-1.0.2h-dtls-bad-ver.patch
License: OpenSSL License: OpenSSL
Group: System Environment/Libraries Group: System Environment/Libraries
@ -211,7 +210,6 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch80 -p1 -b .wrap %patch80 -p1 -b .wrap
%patch81 -p1 -b .padlock64 %patch81 -p1 -b .padlock64
%patch82 -p1 -b .trusted-first %patch82 -p1 -b .trusted-first
%patch83 -p1 -b .dtls-bad-ver
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
@ -457,7 +455,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%dir %{_sysconfdir}/pki/CA/newcerts %dir %{_sysconfdir}/pki/CA/newcerts
%{_sysconfdir}/pki/tls/misc/c_* %{_sysconfdir}/pki/tls/misc/c_*
%attr(0755,root,root) %{_bindir}/openssl %attr(0755,root,root) %{_bindir}/openssl
%attr(0644,root,root) %{_mandir}/man1*/[ABD-Zabcd-z]* %attr(0644,root,root) %{_mandir}/man1*/*
%exclude %{_mandir}/man1*/*.pl*
%exclude %{_mandir}/man1*/c_rehash*
%exclude %{_mandir}/man1*/tsget*
%attr(0644,root,root) %{_mandir}/man5*/* %attr(0644,root,root) %{_mandir}/man5*/*
%attr(0644,root,root) %{_mandir}/man7*/* %attr(0644,root,root) %{_mandir}/man7*/*
@ -494,6 +495,8 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%defattr(-,root,root) %defattr(-,root,root)
%attr(0755,root,root) %{_bindir}/c_rehash %attr(0755,root,root) %{_bindir}/c_rehash
%attr(0644,root,root) %{_mandir}/man1*/*.pl* %attr(0644,root,root) %{_mandir}/man1*/*.pl*
%attr(0644,root,root) %{_mandir}/man1*/c_rehash*
%attr(0644,root,root) %{_mandir}/man1*/tsget*
%{_sysconfdir}/pki/tls/misc/*.pl %{_sysconfdir}/pki/tls/misc/*.pl
%{_sysconfdir}/pki/tls/misc/tsget %{_sysconfdir}/pki/tls/misc/tsget
@ -502,6 +505,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig %postun libs -p /sbin/ldconfig
%changelog %changelog
* Thu Sep 22 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.2i-1
- minor upstream release 1.0.2i fixing security issues
- move man pages for perl based scripts to perl subpackage (#1377617)
* Wed Aug 10 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.2h-3 * Wed Aug 10 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.2h-3
- fix regression in Cisco AnyConnect VPN support (#1354588) - fix regression in Cisco AnyConnect VPN support (#1354588)
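Review bot: The new changelog entry says only "fixing security issues" and does not record that Patch83 (`openssl-1.0.2h-dtls-bad-ver.patch`) and its `%patch83` line are dropped in this commit. The previous entry, 1.0.2h-3, is a regression fix for Cisco AnyConnect VPN support, which is presumably what that patch carried, so the entry should say the fix is now part of the release, e.g. `- drop dtls-bad-ver patch, included upstream`, once that has been confirmed against the 1.0.2i sources. Naming the advisories this rebase closes, as in `- fixes <CVE-ID placeholder>` taken from the upstream release notes, would let administrators and scanners match the build to them. In `%files`, replacing `[ABD-Zabcd-z]*` with `*` plus three `%exclude` lines means any Perl-script man page added later lands in the main package unless a matching exclude is added. A one-line comment above the excludes, such as `# keep in sync with the man1 entries of the perl subpackage`, would keep the two lists in step.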


@ -1 +1 @@
020793e7b8901a1ac62d38f3a77f9a0c openssl-1.0.2h-hobbled.tar.xz 449bf5f62fc5d4e712b2405988debaa1 openssl-1.0.2i-hobbled.tar.xz
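Review bot: The new tarball is pinned only by a 32-hex-digit digest, which is MD5-sized; MD5 is not collision-resistant, so this line is weak as the sole integrity check on the source of a cryptography library. If the lookaside tooling in use accepts it, record a SHA-512 entry instead, `SHA512 (openssl-1.0.2i-hobbled.tar.xz) = <sha512 of the tarball>`. Because the hobbled tarball is produced locally (the spec refers to the hobble-openssl script), the upstream 1.0.2i tarball should be checked against its published signature before hobbling; nothing on this page shows whether that was done.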