jonathan/openssl
1
0
Fork 0
forked from rpms/openssl
Code Pull Requests Activity

minor upstream release 1.0.2c fixing multiple security issues

Browse Source
This commit is contained in:
Tomas Mraz 2015-06-15 18:23:46 +02:00
parent 18455c91c0
commit 837dd04882
11 changed files with 461 additions and 1096 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -23,3 +23,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-1.0.1j-hobbled.tar.xz /openssl-1.0.1j-hobbled.tar.xz
/openssl-1.0.1k-hobbled.tar.xz /openssl-1.0.1k-hobbled.tar.xz
/openssl-1.0.2a-hobbled.tar.xz /openssl-1.0.2a-hobbled.tar.xz
/openssl-1.0.2c-hobbled.tar.xz

8
ectest.c
View File

@ -386,7 +386,7 @@ static void prime_field_tests(void)
ABORT; ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
ABORT; ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
ABORT; ABORT;
if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E" if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E"
"84F3B9CAC2FC632551")) "84F3B9CAC2FC632551"))
@ -442,7 +442,7 @@ static void prime_field_tests(void)
ABORT; ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
ABORT; ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
ABORT; ABORT;
if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973")) "FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973"))
@ -501,7 +501,7 @@ static void prime_field_tests(void)
ABORT; ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx)) if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx))
ABORT; ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
ABORT; ABORT;
if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5" "FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5"
@ -545,7 +545,7 @@ static void prime_field_tests(void)
ABORT; ABORT;
if (!EC_POINT_dbl(group, P, P, ctx)) if (!EC_POINT_dbl(group, P, P, ctx))
ABORT; ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
ABORT; ABORT;
if (!EC_POINT_invert(group, Q, ctx)) if (!EC_POINT_invert(group, Q, ctx))
ABORT; /* P = -2Q */ ABORT; /* P = -2Q */

527
openssl-1.0.2a-alt-chains.patch
View File

@ -1,527 +0,0 @@
diff -up openssl-1.0.2a/apps/apps.c.alt-chains openssl-1.0.2a/apps/apps.c
--- openssl-1.0.2a/apps/apps.c.alt-chains 2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.2a/apps/apps.c 2015-04-28 16:49:50.124558770 +0200
@@ -2371,6 +2371,8 @@ int args_verify(char ***pargs, int *parg
flags |= X509_V_FLAG_SUITEB_192_LOS;
else if (!strcmp(arg, "-partial_chain"))
flags |= X509_V_FLAG_PARTIAL_CHAIN;
+ else if (!strcmp(arg, "-no_alt_chains"))
+ flags |= X509_V_FLAG_NO_ALT_CHAINS;
else
return 0;
diff -up openssl-1.0.2a/apps/cms.c.alt-chains openssl-1.0.2a/apps/cms.c
--- openssl-1.0.2a/apps/cms.c.alt-chains 2015-04-23 10:22:56.225685251 +0200
+++ openssl-1.0.2a/apps/cms.c 2015-04-28 16:49:50.125558793 +0200
@@ -648,6 +648,8 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err,
"-trusted_first use trusted certificates first when building the trust chain\n");
BIO_printf(bio_err,
+ "-no_alt_chains only ever use the first certificate chain found\n");
+ BIO_printf(bio_err,
"-crl_check check revocation status of signer's certificate using CRLs\n");
BIO_printf(bio_err,
"-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
diff -up openssl-1.0.2a/apps/ocsp.c.alt-chains openssl-1.0.2a/apps/ocsp.c
--- openssl-1.0.2a/apps/ocsp.c.alt-chains 2015-04-23 10:22:56.225685251 +0200
+++ openssl-1.0.2a/apps/ocsp.c 2015-04-28 16:49:50.125558793 +0200
@@ -538,6 +538,8 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err,
"-trusted_first use trusted certificates first when building the trust chain\n");
BIO_printf(bio_err,
+ "-no_alt_chains only ever use the first certificate chain found\n");
+ BIO_printf(bio_err,
"-VAfile file validator certificates file\n");
BIO_printf(bio_err,
"-validity_period n maximum validity discrepancy in seconds\n");
diff -up openssl-1.0.2a/apps/s_client.c.alt-chains openssl-1.0.2a/apps/s_client.c
--- openssl-1.0.2a/apps/s_client.c.alt-chains 2015-04-23 10:22:56.225685251 +0200
+++ openssl-1.0.2a/apps/s_client.c 2015-04-28 16:49:50.126558815 +0200
@@ -335,6 +335,8 @@ static void sc_usage(void)
BIO_printf(bio_err,
" -trusted_first - Use trusted CA's first when building the trust chain\n");
BIO_printf(bio_err,
+ " -no_alt_chains - only ever use the first certificate chain found\n");
+ BIO_printf(bio_err,
" -reconnect - Drop and re-make the connection with the same Session-ID\n");
BIO_printf(bio_err,
" -pause - sleep(1) after each read(2) and write(2) system call\n");
diff -up openssl-1.0.2a/apps/smime.c.alt-chains openssl-1.0.2a/apps/smime.c
--- openssl-1.0.2a/apps/smime.c.alt-chains 2015-04-23 10:22:56.226685277 +0200
+++ openssl-1.0.2a/apps/smime.c 2015-04-28 16:49:50.128558861 +0200
@@ -444,6 +444,8 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err,
"-trusted_first use trusted certificates first when building the trust chain\n");
BIO_printf(bio_err,
+ "-no_alt_chains only ever use the first certificate chain found\n");
+ BIO_printf(bio_err,
"-crl_check check revocation status of signer's certificate using CRLs\n");
BIO_printf(bio_err,
"-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
diff -up openssl-1.0.2a/apps/s_server.c.alt-chains openssl-1.0.2a/apps/s_server.c
--- openssl-1.0.2a/apps/s_server.c.alt-chains 2015-04-23 10:22:56.226685277 +0200
+++ openssl-1.0.2a/apps/s_server.c 2015-04-28 16:49:50.128558861 +0200
@@ -571,6 +571,8 @@ static void sv_usage(void)
BIO_printf(bio_err,
" -trusted_first - Use trusted CA's first when building the trust chain\n");
BIO_printf(bio_err,
+ " -no_alt_chains - only ever use the first certificate chain found\n");
+ BIO_printf(bio_err,
" -nocert - Don't use any certificates (Anon-DH)\n");
BIO_printf(bio_err,
" -cipher arg - play with 'openssl ciphers' to see what goes here\n");
diff -up openssl-1.0.2a/apps/verify.c.alt-chains openssl-1.0.2a/apps/verify.c
--- openssl-1.0.2a/apps/verify.c.alt-chains 2015-04-28 16:49:50.128558861 +0200
+++ openssl-1.0.2a/apps/verify.c 2015-04-28 16:50:52.210974346 +0200
@@ -232,7 +232,7 @@ int MAIN(int argc, char **argv)
if (ret == 1) {
BIO_printf(bio_err,
"usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
- BIO_printf(bio_err, " [-attime timestamp]");
+ BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]");
#ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err, " [-engine e]");
#endif
diff -up openssl-1.0.2a/crypto/x509/x509_vfy.c.alt-chains openssl-1.0.2a/crypto/x509/x509_vfy.c
--- openssl-1.0.2a/crypto/x509/x509_vfy.c.alt-chains 2015-04-23 10:22:56.188684277 +0200
+++ openssl-1.0.2a/crypto/x509/x509_vfy.c 2015-04-28 17:03:40.478786778 +0200
@@ -189,11 +189,11 @@ static X509 *lookup_cert_match(X509_STOR
int X509_verify_cert(X509_STORE_CTX *ctx)
{
- X509 *x, *xtmp, *chain_ss = NULL;
+ X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
int bad_chain = 0;
X509_VERIFY_PARAM *param = ctx->param;
int depth, i, ok = 0;
- int num;
+ int num, j, retry;
int (*cb) (int xok, X509_STORE_CTX *xctx);
STACK_OF(X509) *sktmp = NULL;
if (ctx->cert == NULL) {
@@ -278,91 +278,136 @@ int X509_verify_cert(X509_STORE_CTX *ctx
break;
}
+ /* Remember how many untrusted certs we have */
+ j = num;
/*
* at this point, chain should contain a list of untrusted certificates.
* We now need to add at least one trusted one, if possible, otherwise we
* complain.
*/
- /*
- * Examine last certificate in chain and see if it is self signed.
- */
-
- i = sk_X509_num(ctx->chain);
- x = sk_X509_value(ctx->chain, i - 1);
- if (cert_self_signed(x)) {
- /* we have a self signed certificate */
- if (sk_X509_num(ctx->chain) == 1) {
- /*
- * We have a single self signed certificate: see if we can find
- * it in the store. We must have an exact match to avoid possible
- * impersonation.
- */
- ok = ctx->get_issuer(&xtmp, ctx, x);
- if ((ok <= 0) || X509_cmp(x, xtmp)) {
- ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
- ctx->current_cert = x;
- ctx->error_depth = i - 1;
- if (ok == 1)
- X509_free(xtmp);
- bad_chain = 1;
- ok = cb(0, ctx);
- if (!ok)
- goto end;
+ do {
+ /*
+ * Examine last certificate in chain and see if it is self signed.
+ */
+ i = sk_X509_num(ctx->chain);
+ x = sk_X509_value(ctx->chain, i - 1);
+ if (cert_self_signed(x)) {
+ /* we have a self signed certificate */
+ if (sk_X509_num(ctx->chain) == 1) {
+ /*
+ * We have a single self signed certificate: see if we can
+ * find it in the store. We must have an exact match to avoid
+ * possible impersonation.
+ */
+ ok = ctx->get_issuer(&xtmp, ctx, x);
+ if ((ok <= 0) || X509_cmp(x, xtmp)) {
+ ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
+ ctx->current_cert = x;
+ ctx->error_depth = i - 1;
+ if (ok == 1)
+ X509_free(xtmp);
+ bad_chain = 1;
+ ok = cb(0, ctx);
+ if (!ok)
+ goto end;
+ } else {
+ /*
+ * We have a match: replace certificate with store
+ * version so we get any trust settings.
+ */
+ X509_free(x);
+ x = xtmp;
+ (void)sk_X509_set(ctx->chain, i - 1, x);
+ ctx->last_untrusted = 0;
+ }
} else {
/*
- * We have a match: replace certificate with store version so
- * we get any trust settings.
+ * extract and save self signed certificate for later use
*/
- X509_free(x);
- x = xtmp;
- (void)sk_X509_set(ctx->chain, i - 1, x);
- ctx->last_untrusted = 0;
+ chain_ss = sk_X509_pop(ctx->chain);
+ ctx->last_untrusted--;
+ num--;
+ j--;
+ x = sk_X509_value(ctx->chain, num - 1);
}
- } else {
- /*
- * extract and save self signed certificate for later use
- */
- chain_ss = sk_X509_pop(ctx->chain);
- ctx->last_untrusted--;
- num--;
- x = sk_X509_value(ctx->chain, num - 1);
}
- }
-
- /* We now lookup certs from the certificate store */
- for (;;) {
- /* If we have enough, we break */
- if (depth < num)
- break;
+ /* We now lookup certs from the certificate store */
+ for (;;) {
+ /* If we have enough, we break */
+ if (depth < num)
+ break;
+ /* If we are self signed, we break */
+ if (cert_self_signed(x))
+ break;
+ ok = ctx->get_issuer(&xtmp, ctx, x);
- /* If we are self signed, we break */
- if (cert_self_signed(x))
- break;
+ if (ok < 0)
+ return ok;
+ if (ok == 0)
+ break;
+ x = xtmp;
+ if (!sk_X509_push(ctx->chain, x)) {
+ X509_free(xtmp);
+ X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ num++;
+ }
- ok = ctx->get_issuer(&xtmp, ctx, x);
+ /* we now have our chain, lets check it... */
+ i = check_trust(ctx);
- if (ok < 0)
- return ok;
- if (ok == 0)
- break;
+ /* If explicitly rejected error */
+ if (i == X509_TRUST_REJECTED)
+ goto end;
+ /*
+ * If it's not explicitly trusted then check if there is an alternative
+ * chain that could be used. We only do this if we haven't already
+ * checked via TRUSTED_FIRST and the user hasn't switched off alternate
+ * chain checking
+ */
+ retry = 0;
+ if (i != X509_TRUST_TRUSTED
+ && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
+ && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
+ while (j-- > 1) {
+ STACK_OF(X509) *chtmp = ctx->chain;
+ xtmp2 = sk_X509_value(ctx->chain, j - 1);
+ /*
+ * Temporarily set chain to NULL so we don't discount
+ * duplicates: the same certificate could be an untrusted
+ * CA found in the trusted store.
+ */
+ ctx->chain = NULL;
+ ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
+ ctx->chain = chtmp;
+ if (ok < 0)
+ goto end;
+ /* Check if we found an alternate chain */
+ if (ok > 0) {
+ /*
+ * Free up the found cert we'll add it again later
+ */
+ X509_free(xtmp);
- x = xtmp;
- if (!sk_X509_push(ctx->chain, x)) {
- X509_free(xtmp);
- X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
- return 0;
+ /*
+ * Dump all the certs above this point - we've found an
+ * alternate chain
+ */
+ while (num > j) {
+ xtmp = sk_X509_pop(ctx->chain);
+ X509_free(xtmp);
+ num--;
+ ctx->last_untrusted--;
+ }
+ retry = 1;
+ break;
+ }
+ }
}
- num++;
- }
+ } while (retry);
- /* we now have our chain, lets check it... */
-
- i = check_trust(ctx);
-
- /* If explicitly rejected error */
- if (i == X509_TRUST_REJECTED)
- goto end;
/*
* If not explicitly trusted then indicate error unless it's a single
* self signed certificate in which case we've indicated an error already
diff -up openssl-1.0.2a/crypto/x509/x509_vfy.h.alt-chains openssl-1.0.2a/crypto/x509/x509_vfy.h
--- openssl-1.0.2a/crypto/x509/x509_vfy.h.alt-chains 2015-04-23 10:22:56.016679751 +0200
+++ openssl-1.0.2a/crypto/x509/x509_vfy.h 2015-04-28 16:49:18.551838908 +0200
@@ -432,6 +432,12 @@ void X509_STORE_CTX_set_depth(X509_STORE
/* Allow partial chains if at least one certificate is in trusted store */
# define X509_V_FLAG_PARTIAL_CHAIN 0x80000
+/*
+ * If the initial chain is not trusted, do not attempt to build an alternative
+ * chain. Alternate chain checking was introduced in 1.0.2b. Setting this flag
+ * will force the behaviour to match that of previous versions.
+ */
+# define X509_V_FLAG_NO_ALT_CHAINS 0x100000
# define X509_VP_FLAG_DEFAULT 0x1
# define X509_VP_FLAG_OVERWRITE 0x2
diff -up openssl-1.0.2a/doc/apps/cms.pod.alt-chains openssl-1.0.2a/doc/apps/cms.pod
--- openssl-1.0.2a/doc/apps/cms.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200
+++ openssl-1.0.2a/doc/apps/cms.pod 2015-04-28 16:54:17.537682406 +0200
@@ -36,6 +36,7 @@ B<openssl> B<cms>
[B<-CAfile file>]
[B<-CApath dir>]
[B<-trusted_first>]
+[B<-no_alt_chains>]
[B<-md digest>]
[B<-[cipher]>]
[B<-nointern>]
@@ -426,7 +427,7 @@ portion of a message so they may be incl
then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address.
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
Set various certificate chain valiadition option. See the
L<B<verify>|verify(1)> manual page for details.
@@ -662,4 +663,6 @@ Support for RSA-OAEP and RSA-PSS was fir
The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added
to OpenSSL 1.1.0.
+The -no_alt_chains options was first added to OpenSSL 1.0.2b.
+
=cut
diff -up openssl-1.0.2a/doc/apps/ocsp.pod.alt-chains openssl-1.0.2a/doc/apps/ocsp.pod
--- openssl-1.0.2a/doc/apps/ocsp.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200
+++ openssl-1.0.2a/doc/apps/ocsp.pod 2015-04-28 16:53:44.564914852 +0200
@@ -30,6 +30,7 @@ B<openssl> B<ocsp>
[B<-CApath dir>]
[B<-CAfile file>]
[B<-trusted_first>]
+[B<-no_alt_chains>]
[B<-VAfile file>]
[B<-validity_period n>]
[B<-status_age n>]
@@ -151,6 +152,10 @@ in the response or residing in other cer
chain to verify responder certificate.
This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+=item B<-no_alt_chains>
+
+See L<B<verify>|verify(1)> manual page for details.
+
=item B<-verify_other file>
file containing additional certificates to search when attempting to locate
@@ -388,3 +393,9 @@ second file.
openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem
-reqin req.der -respout resp.der
+
+=head1 HISTORY
+
+The -no_alt_chains options was first added to OpenSSL 1.0.2b.
+
+=cut
diff -up openssl-1.0.2a/doc/apps/s_client.pod.alt-chains openssl-1.0.2a/doc/apps/s_client.pod
--- openssl-1.0.2a/doc/apps/s_client.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200
+++ openssl-1.0.2a/doc/apps/s_client.pod 2015-04-28 16:55:24.812248450 +0200
@@ -20,6 +20,7 @@ B<openssl> B<s_client>
[B<-CApath directory>]
[B<-CAfile filename>]
[B<-trusted_first>]
+[B<-no_alt_chains>]
[B<-reconnect>]
[B<-pause>]
[B<-showcerts>]
@@ -124,7 +125,7 @@ also used when building the client certi
A file containing trusted certificates to use during server authentication
and to use when attempting to build the client certificate chain.
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first>
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first -no_alt_chains>
Set various certificate chain valiadition option. See the
L<B<verify>|verify(1)> manual page for details.
@@ -365,4 +366,8 @@ information whenever a session is renego
L<sess_id(1)|sess_id(1)>, L<s_server(1)|s_server(1)>, L<ciphers(1)|ciphers(1)>
+=head1 HISTORY
+
+The -no_alt_chains options was first added to OpenSSL 1.0.2b.
+
=cut
diff -up openssl-1.0.2a/doc/apps/smime.pod.alt-chains openssl-1.0.2a/doc/apps/smime.pod
--- openssl-1.0.2a/doc/apps/smime.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200
+++ openssl-1.0.2a/doc/apps/smime.pod 2015-04-28 16:57:33.598246384 +0200
@@ -18,6 +18,7 @@ B<openssl> B<smime>
[B<-CAfile file>]
[B<-CApath dir>]
[B<-trusted_first>]
+[B<-no_alt_chains>]
[B<-certfile file>]
[B<-signer file>]
[B<-recip file>]
@@ -268,7 +269,7 @@ portion of a message so they may be incl
then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address.
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
Set various options of certificate chain verification. See
L<B<verify>|verify(1)> manual page for details.
@@ -450,5 +451,6 @@ structures may cause parsing errors.
The use of multiple B<-signer> options and the B<-resign> command were first
added in OpenSSL 1.0.0
+The -no_alt_chains options was first added to OpenSSL 1.0.2b.
=cut
diff -up openssl-1.0.2a/doc/apps/s_server.pod.alt-chains openssl-1.0.2a/doc/apps/s_server.pod
--- openssl-1.0.2a/doc/apps/s_server.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200
+++ openssl-1.0.2a/doc/apps/s_server.pod 2015-04-28 16:56:27.494707598 +0200
@@ -34,6 +34,7 @@ B<openssl> B<s_server>
[B<-CApath directory>]
[B<-CAfile filename>]
[B<-trusted_first>]
+[B<-no_alt_chains>]
[B<-nocert>]
[B<-cipher cipherlist>]
[B<-serverpref>]
@@ -181,6 +182,10 @@ Use certificates in CA file or CA direct
when building the trust chain to verify client certificates.
This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+=item B<-no_alt_chains>
+
+See the L<B<verify>|verify(1)> manual page for details.
+
=item B<-state>
prints out the SSL session states.
@@ -413,4 +418,8 @@ unknown cipher suites a client says it s
L<sess_id(1)|sess_id(1)>, L<s_client(1)|s_client(1)>, L<ciphers(1)|ciphers(1)>
+=head1 HISTORY
+
+The -no_alt_chains options was first added to OpenSSL 1.0.2b.
+
=cut
diff -up openssl-1.0.2a/doc/apps/verify.pod.alt-chains openssl-1.0.2a/doc/apps/verify.pod
--- openssl-1.0.2a/doc/apps/verify.pod.alt-chains 2015-04-23 10:22:56.228685330 +0200
+++ openssl-1.0.2a/doc/apps/verify.pod 2015-04-28 16:52:22.544033948 +0200
@@ -26,6 +26,7 @@ B<openssl> B<verify>
[B<-extended_crl>]
[B<-use_deltas>]
[B<-policy_print>]
+[B<-no_alt_chains>]
[B<-untrusted file>]
[B<-help>]
[B<-issuer_checks>]
@@ -131,6 +132,14 @@ Set policy variable inhibit-any-policy (
Set policy variable inhibit-policy-mapping (see RFC5280).
+=item B<-no_alt_chains>
+
+When building a certificate chain, if the first certificate chain found is not
+trusted, then OpenSSL will continue to check to see if an alternative chain can
+be found that is trusted. With this option that behaviour is suppressed so that
+only the first chain found is ever used. Using this option will force the
+behaviour to match that of previous OpenSSL versions.
+
=item B<-policy_print>
Print out diagnostics related to policy processing.
@@ -432,4 +441,8 @@ B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CER
L<x509(1)|x509(1)>
+=head1 HISTORY
+
+The -no_alt_chains options was first added to OpenSSL 1.0.2b.
+
=cut
diff -up openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod.alt-chains openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
--- openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod.alt-chains 2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod 2015-04-28 16:52:22.544033948 +0200
@@ -197,6 +197,12 @@ verification. If this flag is set then a
to the verification callback and it B<must> be prepared to handle such cases
without assuming they are hard errors.
+The B<X509_V_FLAG_NO_ALT_CHAINS> flag suppresses checking for alternative
+chains. By default, when building a certificate chain, if the first certificate
+chain found is not trusted, then OpenSSL will continue to check to see if an
+alternative chain can be found that is trusted. With this flag set the behaviour
+will match that of OpenSSL versions prior to 1.0.2b.
+
=head1 NOTES
The above functions should be used to manipulate verification parameters
@@ -233,6 +239,6 @@ L<X509_check_ip(3)|X509_check_ip(3)>
=head1 HISTORY
-TBA
+The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in OpenSSL 1.0.2b
=cut

75
openssl-1.0.2a-dh-1024.patch
View File

@ -1,75 +0,0 @@
diff -up openssl-1.0.2a/apps/s_server.c.dh1024 openssl-1.0.2a/apps/s_server.c
--- openssl-1.0.2a/apps/s_server.c.dh1024 2015-04-09 18:19:55.978228949 +0200
+++ openssl-1.0.2a/apps/s_server.c 2015-04-09 18:19:50.842110304 +0200
@@ -230,29 +230,44 @@ static void s_server_init(void);
#endif
#ifndef OPENSSL_NO_DH
-static unsigned char dh512_p[] = {
- 0xDA, 0x58, 0x3C, 0x16, 0xD9, 0x85, 0x22, 0x89, 0xD0, 0xE4, 0xAF, 0x75,
- 0x6F, 0x4C, 0xCA, 0x92, 0xDD, 0x4B, 0xE5, 0x33, 0xB8, 0x04, 0xFB, 0x0F,
- 0xED, 0x94, 0xEF, 0x9C, 0x8A, 0x44, 0x03, 0xED, 0x57, 0x46, 0x50, 0xD3,
- 0x69, 0x99, 0xDB, 0x29, 0xD7, 0x76, 0x27, 0x6B, 0xA2, 0xD3, 0xD4, 0x12,
- 0xE2, 0x18, 0xF4, 0xDD, 0x1E, 0x08, 0x4C, 0xF6, 0xD8, 0x00, 0x3E, 0x7C,
- 0x47, 0x74, 0xE8, 0x33,
-};
-
-static unsigned char dh512_g[] = {
- 0x02,
-};
-
-static DH *get_dh512(void)
+static DH *get_dh1024()
{
- DH *dh = NULL;
+ static unsigned char dh1024_p[] = {
+ 0x99, 0x58, 0xFA, 0x90, 0x53, 0x2F, 0xE0, 0x61, 0x83, 0x9D, 0x54,
+ 0x63,
+ 0xBD, 0x35, 0x5A, 0x31, 0xF3, 0xC6, 0x79, 0xE5, 0xA0, 0x0F, 0x66,
+ 0x79,
+ 0x3C, 0xA0, 0x7F, 0xE8, 0xA2, 0x5F, 0xDF, 0x11, 0x08, 0xA3, 0xF0,
+ 0x3C,
+ 0xC3, 0x3C, 0x5D, 0x50, 0x2C, 0xD5, 0xD6, 0x58, 0x12, 0xDB, 0xC1,
+ 0xEF,
+ 0xB4, 0x47, 0x4A, 0x5A, 0x39, 0x8A, 0x4E, 0xEB, 0x44, 0xE2, 0x07,
+ 0xFB,
+ 0x3D, 0xA3, 0xC7, 0x6E, 0x52, 0xF3, 0x2B, 0x7B, 0x10, 0xA5, 0x98,
+ 0xE3,
+ 0x38, 0x2A, 0xE2, 0x7F, 0xA4, 0x8F, 0x26, 0x87, 0x9B, 0x66, 0x7A,
+ 0xED,
+ 0x2D, 0x4C, 0xE7, 0x33, 0x77, 0x47, 0x94, 0x43, 0xB6, 0xAA, 0x97,
+ 0x23,
+ 0x8A, 0xFC, 0xA5, 0xA6, 0x64, 0x09, 0xC0, 0x27, 0xC0, 0xEF, 0xCB,
+ 0x05,
+ 0x90, 0x9D, 0xD5, 0x75, 0xBA, 0x00, 0xE0, 0xFB, 0xA8, 0x81, 0x52,
+ 0xA4,
+ 0xB2, 0x83, 0x22, 0x5B, 0xCB, 0xD7, 0x16, 0x93,
+ };
+ static unsigned char dh1024_g[] = {
+ 0x02,
+ };
+ DH *dh;
if ((dh = DH_new()) == NULL)
return (NULL);
- dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
- dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
- if ((dh->p == NULL) || (dh->g == NULL))
+ dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
+ dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
+ if ((dh->p == NULL) || (dh->g == NULL)) {
+ DH_free(dh);
return (NULL);
+ }
return (dh);
}
#endif
@@ -1872,7 +1987,7 @@ int MAIN(int argc, char *argv[])
BIO_printf(bio_s_out, "Setting temp DH parameters\n");
} else {
BIO_printf(bio_s_out, "Using default temp DH parameters\n");
- dh = get_dh512();
+ dh = get_dh1024();
}
(void)BIO_flush(bio_s_out);

47
openssl-1.0.2a-default-paths.patch → openssl-1.0.2c-default-paths.patch
View File

@ -1,38 +1,7 @@
diff -up openssl-1.0.2a/apps/s_client.c.default-paths openssl-1.0.2a/apps/s_client.c diff -up openssl-1.0.2c/apps/s_server.c.default-paths openssl-1.0.2c/apps/s_server.c
--- openssl-1.0.2a/apps/s_client.c.default-paths 2015-04-20 14:48:31.462166971 +0200 --- openssl-1.0.2c/apps/s_server.c.default-paths 2015-06-12 16:51:21.000000000 +0200
+++ openssl-1.0.2a/apps/s_client.c 2015-04-20 14:52:55.125316170 +0200 +++ openssl-1.0.2c/apps/s_server.c 2015-06-15 17:24:17.747446515 +0200
@@ -1336,19 +1336,16 @@ int MAIN(int argc, char **argv) @@ -1788,12 +1788,16 @@ int MAIN(int argc, char *argv[])
SSL_CTX_set_verify(ctx, verify, verify_callback);
- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(ctx))) {
- /*
- * BIO_printf(bio_err,"error setting default verify locations\n");
- */
- ERR_print_errors(bio_err);
- /* goto end; */
+ if (CAfile == NULL && CApath == NULL) {
+ if (!SSL_CTX_set_default_verify_paths(ctx)) {
+ ERR_print_errors(bio_err);
+ }
+ } else {
+ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
+ ERR_print_errors(bio_err);
+ }
}
- ssl_ctx_add_crls(ctx, crls, crl_download);
- if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain))
- goto end;
-
#ifndef OPENSSL_NO_TLSEXT
if (servername != NULL) {
tlsextcbp.biodebug = bio_err;
diff -up openssl-1.0.2a/apps/s_server.c.default-paths openssl-1.0.2a/apps/s_server.c
--- openssl-1.0.2a/apps/s_server.c.default-paths 2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.2a/apps/s_server.c 2015-04-20 14:48:31.462166971 +0200
@@ -1768,12 +1768,16 @@ int MAIN(int argc, char *argv[])
} }
#endif #endif
@ -54,7 +23,7 @@ diff -up openssl-1.0.2a/apps/s_server.c.default-paths openssl-1.0.2a/apps/s_serv
if (vpm) if (vpm)
SSL_CTX_set1_param(ctx, vpm); SSL_CTX_set1_param(ctx, vpm);
@@ -1830,8 +1834,10 @@ int MAIN(int argc, char *argv[]) @@ -1850,8 +1854,10 @@ int MAIN(int argc, char *argv[])
else else
SSL_CTX_sess_set_cache_size(ctx2, 128); SSL_CTX_sess_set_cache_size(ctx2, 128);
@ -67,9 +36,9 @@ diff -up openssl-1.0.2a/apps/s_server.c.default-paths openssl-1.0.2a/apps/s_serv
ERR_print_errors(bio_err); ERR_print_errors(bio_err);
} }
if (vpm) if (vpm)
diff -up openssl-1.0.2a/apps/s_time.c.default-paths openssl-1.0.2a/apps/s_time.c diff -up openssl-1.0.2c/apps/s_time.c.default-paths openssl-1.0.2c/apps/s_time.c
--- openssl-1.0.2a/apps/s_time.c.default-paths 2015-04-20 14:48:31.462166971 +0200 --- openssl-1.0.2c/apps/s_time.c.default-paths 2015-06-12 16:51:21.000000000 +0200
+++ openssl-1.0.2a/apps/s_time.c 2015-04-20 14:55:14.232542738 +0200 +++ openssl-1.0.2c/apps/s_time.c 2015-06-15 17:24:17.747446515 +0200
@@ -381,13 +381,14 @@ int MAIN(int argc, char **argv) @@ -381,13 +381,14 @@ int MAIN(int argc, char **argv)
SSL_load_error_strings(); SSL_load_error_strings();

66
openssl-1.0.2a-ecc-suiteb.patch → openssl-1.0.2c-ecc-suiteb.patch
View File

@ -1,6 +1,6 @@
diff -up openssl-1.0.2a/apps/speed.c.suiteb openssl-1.0.2a/apps/speed.c diff -up openssl-1.0.2c/apps/speed.c.suiteb openssl-1.0.2c/apps/speed.c
--- openssl-1.0.2a/apps/speed.c.suiteb 2015-04-21 17:46:15.452321183 +0200 --- openssl-1.0.2c/apps/speed.c.suiteb 2015-06-15 17:37:06.285083685 +0200
+++ openssl-1.0.2a/apps/speed.c 2015-04-22 14:52:45.362272296 +0200 +++ openssl-1.0.2c/apps/speed.c 2015-06-15 17:37:06.335084836 +0200
@@ -996,78 +996,26 @@ int MAIN(int argc, char **argv) @@ -996,78 +996,26 @@ int MAIN(int argc, char **argv)
} else } else
# endif # endif
@ -122,52 +122,48 @@ diff -up openssl-1.0.2a/apps/speed.c.suiteb openssl-1.0.2a/apps/speed.c
ecdh_doit[i] = 1; ecdh_doit[i] = 1;
# endif # endif
} }
diff -up openssl-1.0.2a/ssl/t1_lib.c.suiteb openssl-1.0.2a/ssl/t1_lib.c diff -up openssl-1.0.2c/ssl/t1_lib.c.suiteb openssl-1.0.2c/ssl/t1_lib.c
--- openssl-1.0.2a/ssl/t1_lib.c.suiteb 2015-04-21 17:46:15.506322451 +0200 --- openssl-1.0.2c/ssl/t1_lib.c.suiteb 2015-06-12 16:51:27.000000000 +0200
+++ openssl-1.0.2a/ssl/t1_lib.c 2015-04-22 15:03:32.464591096 +0200 +++ openssl-1.0.2c/ssl/t1_lib.c 2015-06-15 17:44:03.578681271 +0200
@@ -266,41 +266,30 @@ static const unsigned char eccurves_defa @@ -268,11 +268,7 @@ static const unsigned char eccurves_auto
0, 13, /* sect571k1 (13) */ 0, 23, /* secp256r1 (23) */
# endif /* Other >= 256-bit prime curves. */
0, 25, /* secp521r1 (25) */ 0, 25, /* secp521r1 (25) */
- 0, 28, /* brainpool512r1 (28) */ - 0, 28, /* brainpool512r1 (28) */
# ifndef OPENSSL_NO_EC2M
0, 11, /* sect409k1 (11) */
0, 12, /* sect409r1 (12) */
# endif
- 0, 27, /* brainpoolP384r1 (27) */ - 0, 27, /* brainpoolP384r1 (27) */
0, 24, /* secp384r1 (24) */ 0, 24, /* secp384r1 (24) */
# ifndef OPENSSL_NO_EC2M
0, 9, /* sect283k1 (9) */
0, 10, /* sect283r1 (10) */
# endif
- 0, 26, /* brainpoolP256r1 (26) */ - 0, 26, /* brainpoolP256r1 (26) */
- 0, 22, /* secp256k1 (22) */ - 0, 22, /* secp256k1 (22) */
0, 23, /* secp256r1 (23) */
# ifndef OPENSSL_NO_EC2M # ifndef OPENSSL_NO_EC2M
0, 8, /* sect239k1 (8) */ /* >= 256-bit binary curves. */
0, 6, /* sect233k1 (6) */ 0, 14, /* sect571r1 (14) */
0, 7, /* sect233r1 (7) */ @@ -289,11 +285,7 @@ static const unsigned char eccurves_all[
# endif 0, 23, /* secp256r1 (23) */
/* Other >= 256-bit prime curves. */
0, 25, /* secp521r1 (25) */
- 0, 28, /* brainpool512r1 (28) */
- 0, 27, /* brainpoolP384r1 (27) */
0, 24, /* secp384r1 (24) */
- 0, 26, /* brainpoolP256r1 (26) */
- 0, 22, /* secp256k1 (22) */
# ifndef OPENSSL_NO_EC2M
/* >= 256-bit binary curves. */
0, 14, /* sect571r1 (14) */
@@ -307,13 +299,6 @@ static const unsigned char eccurves_all[
* Remaining curves disabled by default but still permitted if set
* via an explicit callback or parameters.
*/
- 0, 20, /* secp224k1 (20) */ - 0, 20, /* secp224k1 (20) */
- 0, 21, /* secp224r1 (21) */ - 0, 21, /* secp224r1 (21) */
# ifndef OPENSSL_NO_EC2M
0, 4, /* sect193r1 (4) */
0, 5, /* sect193r2 (5) */
# endif
- 0, 18, /* secp192k1 (18) */ - 0, 18, /* secp192k1 (18) */
- 0, 19, /* secp192r1 (19) */ - 0, 19, /* secp192r1 (19) */
# ifndef OPENSSL_NO_EC2M
0, 1, /* sect163k1 (1) */
0, 2, /* sect163r1 (2) */
0, 3, /* sect163r2 (3) */
# endif
- 0, 15, /* secp160k1 (15) */ - 0, 15, /* secp160k1 (15) */
- 0, 16, /* secp160r1 (16) */ - 0, 16, /* secp160r1 (16) */
- 0, 17, /* secp160r2 (17) */ - 0, 17, /* secp160r2 (17) */
}; # ifndef OPENSSL_NO_EC2M
0, 8, /* sect239k1 (8) */
static const unsigned char suiteb_curves[] = { 0, 6, /* sect233k1 (6) */
@@ -325,29 +314,21 @@ static const unsigned char fips_curves_d @@ -348,29 +333,21 @@ static const unsigned char fips_curves_d
0, 9, /* sect283k1 (9) */ 0, 9, /* sect283k1 (9) */
0, 10, /* sect283r1 (10) */ 0, 10, /* sect283r1 (10) */
# endif # endif

620
openssl-1.0.2a-fips.patch → openssl-1.0.2c-fips.patch
View File

File diff suppressed because it is too large Load Diff

34
openssl-1.0.2a-rpmbuild.patch → openssl-1.0.2c-rpmbuild.patch
View File

@ -1,7 +1,7 @@
diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure
--- openssl-1.0.2a/Configure.rpmbuild 2015-03-19 14:30:36.000000000 +0100 --- openssl-1.0.2c/Configure.rpmbuild 2015-06-12 16:51:21.000000000 +0200
+++ openssl-1.0.2a/Configure 2015-04-20 14:35:03.516318252 +0200 +++ openssl-1.0.2c/Configure 2015-06-15 17:22:52.598496680 +0200
@@ -348,8 +348,8 @@ my %table=( @@ -365,8 +365,8 @@ my %table=(
#### ####
# *-generic* is endian-neutral target, but ./config is free to # *-generic* is endian-neutral target, but ./config is free to
# throw in -D[BL]_ENDIAN, whichever appropriate... # throw in -D[BL]_ENDIAN, whichever appropriate...
@ -12,14 +12,14 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure
####################################################################### #######################################################################
# Note that -march is not among compiler options in below linux-armv4 # Note that -march is not among compiler options in below linux-armv4
@@ -378,30 +378,30 @@ my %table=( @@ -395,30 +395,30 @@ my %table=(
# #
# ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8 # ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8
# #
-"linux-armv4", "gcc: -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"linux-armv4", "gcc: -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-aarch64","gcc: -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"linux-aarch64","gcc: -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-armv4", "gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", +"linux-armv4", "gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+"linux-aarch64","gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", +"linux-aarch64","gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
# Configure script adds minimally required -march for assembly support, # Configure script adds minimally required -march for assembly support,
# if no -march was specified at command line. mips32 and mips64 below # if no -march was specified at command line. mips32 and mips64 below
# refer to contemporary MIPS Architecture specifications, MIPS32 and # refer to contemporary MIPS Architecture specifications, MIPS32 and
@ -40,14 +40,14 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure
-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", -"linux-ppc64", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-"linux-ppc64le","gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::", -"linux-ppc64le","gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", +"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+"linux-ppc64", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", +"linux-ppc64", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+"linux-ppc64le","gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", +"linux-ppc64le","gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+"linux-ia64", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", +"linux-ia64", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
"linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", -"linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", +"linux-x86_64", "gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
"linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Weverything $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", "linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", "linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32", "linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
-"linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", -"linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
@ -55,12 +55,12 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure
#### So called "highgprs" target for z/Architecture CPUs #### So called "highgprs" target for z/Architecture CPUs
# "Highgprs" is kernel feature first implemented in Linux 2.6.32, see # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
# /proc/cpuinfo. The idea is to preserve most significant bits of # /proc/cpuinfo. The idea is to preserve most significant bits of
@@ -419,12 +419,12 @@ my %table=( @@ -436,12 +436,12 @@ my %table=(
#### SPARC Linux setups #### SPARC Linux setups
# Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
# assisted with debugging of following two configs. # assisted with debugging of following two configs.
-"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", +"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
# it's a real mess with -mcpu=ultrasparc option under Linux, but # it's a real mess with -mcpu=ultrasparc option under Linux, but
# -Wa,-Av8plus should do the trick no matter what. # -Wa,-Av8plus should do the trick no matter what.
-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@ -71,7 +71,7 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure
#### Alpha Linux with GNU C and Compaq C setups #### Alpha Linux with GNU C and Compaq C setups
# Special notes: # Special notes:
# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
@@ -1737,7 +1737,7 @@ while (<IN>) @@ -1764,7 +1764,7 @@ while (<IN>)
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/) elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
{ {
my $sotmp = $1; my $sotmp = $1;
@ -80,9 +80,9 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure
} }
elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/) elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
{ {
diff -up openssl-1.0.2a/Makefile.org.rpmbuild openssl-1.0.2a/Makefile.org diff -up openssl-1.0.2c/Makefile.org.rpmbuild openssl-1.0.2c/Makefile.org
--- openssl-1.0.2a/Makefile.org.rpmbuild 2015-03-19 14:30:36.000000000 +0100 --- openssl-1.0.2c/Makefile.org.rpmbuild 2015-06-12 16:51:21.000000000 +0200
+++ openssl-1.0.2a/Makefile.org 2015-04-20 14:11:52.152847093 +0200 +++ openssl-1.0.2c/Makefile.org 2015-06-15 17:19:14.874510995 +0200
@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY= @@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
SHLIB_MAJOR= SHLIB_MAJOR=
SHLIB_MINOR= SHLIB_MINOR=
@ -91,7 +91,7 @@ diff -up openssl-1.0.2a/Makefile.org.rpmbuild openssl-1.0.2a/Makefile.org
PLATFORM=dist PLATFORM=dist
OPTIONS= OPTIONS=
CONFIGURE_ARGS= CONFIGURE_ARGS=
@@ -335,10 +336,9 @@ clean-shared: @@ -338,10 +339,9 @@ clean-shared:
link-shared: link-shared:
@ set -e; for i in $(SHLIBDIRS); do \ @ set -e; for i in $(SHLIBDIRS); do \
$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \ $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
@ -103,7 +103,7 @@ diff -up openssl-1.0.2a/Makefile.org.rpmbuild openssl-1.0.2a/Makefile.org
done done
build-shared: do_$(SHLIB_TARGET) link-shared build-shared: do_$(SHLIB_TARGET) link-shared
@@ -349,7 +349,7 @@ do_$(SHLIB_TARGET): @@ -352,7 +352,7 @@ do_$(SHLIB_TARGET):
libs="$(LIBKRB5) $$libs"; \ libs="$(LIBKRB5) $$libs"; \
fi; \ fi; \
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \ $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \

156
openssl-1.0.2a-trusted-first-doc.patch → openssl-1.0.2c-trusted-first-doc.patch
View File

@ -1,66 +1,66 @@
diff -up openssl-1.0.2a/apps/cms.c.trusted-first openssl-1.0.2a/apps/cms.c diff -up openssl-1.0.2c/apps/cms.c.trusted-first openssl-1.0.2c/apps/cms.c
--- openssl-1.0.2a/apps/cms.c.trusted-first 2015-03-19 14:30:36.000000000 +0100 --- openssl-1.0.2c/apps/cms.c.trusted-first 2015-06-15 17:45:13.112279761 +0200
+++ openssl-1.0.2a/apps/cms.c 2015-04-22 16:25:31.839164061 +0200 +++ openssl-1.0.2c/apps/cms.c 2015-06-15 17:46:11.045611575 +0200
@@ -646,6 +646,8 @@ int MAIN(int argc, char **argv) @@ -646,6 +646,8 @@ int MAIN(int argc, char **argv)
"-CApath dir trusted certificates directory\n"); "-CApath dir trusted certificates directory\n");
BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
BIO_printf(bio_err, BIO_printf(bio_err,
+ "-trusted_first use trusted certificates first when building the trust chain\n"); + "-trusted_first use trusted certificates first when building the trust chain\n");
+ BIO_printf(bio_err, + BIO_printf(bio_err,
"-crl_check check revocation status of signer's certificate using CRLs\n"); "-no_alt_chains only ever use the first certificate chain found\n");
BIO_printf(bio_err, BIO_printf(bio_err,
"-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); "-crl_check check revocation status of signer's certificate using CRLs\n");
diff -up openssl-1.0.2a/apps/ocsp.c.trusted-first openssl-1.0.2a/apps/ocsp.c diff -up openssl-1.0.2c/apps/ocsp.c.trusted-first openssl-1.0.2c/apps/ocsp.c
--- openssl-1.0.2a/apps/ocsp.c.trusted-first 2015-03-19 14:30:36.000000000 +0100 --- openssl-1.0.2c/apps/ocsp.c.trusted-first 2015-06-15 17:45:13.112279761 +0200
+++ openssl-1.0.2a/apps/ocsp.c 2015-04-22 16:25:31.840164085 +0200 +++ openssl-1.0.2c/apps/ocsp.c 2015-06-15 17:46:31.898090948 +0200
@@ -536,6 +536,8 @@ int MAIN(int argc, char **argv) @@ -536,6 +536,8 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err, BIO_printf(bio_err,
"-CAfile file trusted certificates file\n"); "-CAfile file trusted certificates file\n");
BIO_printf(bio_err, BIO_printf(bio_err,
+ "-trusted_first use trusted certificates first when building the trust chain\n"); + "-trusted_first use trusted certificates first when building the trust chain\n");
+ BIO_printf(bio_err, + BIO_printf(bio_err,
"-VAfile file validator certificates file\n"); "-no_alt_chains only ever use the first certificate chain found\n");
BIO_printf(bio_err, BIO_printf(bio_err,
"-validity_period n maximum validity discrepancy in seconds\n"); "-VAfile file validator certificates file\n");
diff -up openssl-1.0.2a/apps/s_client.c.trusted-first openssl-1.0.2a/apps/s_client.c diff -up openssl-1.0.2c/apps/s_client.c.trusted-first openssl-1.0.2c/apps/s_client.c
--- openssl-1.0.2a/apps/s_client.c.trusted-first 2015-04-22 16:25:31.799163115 +0200 --- openssl-1.0.2c/apps/s_client.c.trusted-first 2015-06-15 17:45:13.113279784 +0200
+++ openssl-1.0.2a/apps/s_client.c 2015-04-22 16:25:31.840164085 +0200 +++ openssl-1.0.2c/apps/s_client.c 2015-06-15 17:47:05.645866767 +0200
@@ -333,6 +333,8 @@ static void sc_usage(void) @@ -333,6 +333,8 @@ static void sc_usage(void)
BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
BIO_printf(bio_err, BIO_printf(bio_err,
+ " -trusted_first - Use trusted CA's first when building the trust chain\n"); + " -trusted_first - Use trusted CA's first when building the trust chain\n");
+ BIO_printf(bio_err, + BIO_printf(bio_err,
" -reconnect - Drop and re-make the connection with the same Session-ID\n"); " -no_alt_chains - only ever use the first certificate chain found\n");
BIO_printf(bio_err, BIO_printf(bio_err,
" -pause - sleep(1) after each read(2) and write(2) system call\n"); " -reconnect - Drop and re-make the connection with the same Session-ID\n");
diff -up openssl-1.0.2a/apps/smime.c.trusted-first openssl-1.0.2a/apps/smime.c diff -up openssl-1.0.2c/apps/smime.c.trusted-first openssl-1.0.2c/apps/smime.c
--- openssl-1.0.2a/apps/smime.c.trusted-first 2015-03-19 14:30:36.000000000 +0100 --- openssl-1.0.2c/apps/smime.c.trusted-first 2015-06-15 17:45:13.113279784 +0200
+++ openssl-1.0.2a/apps/smime.c 2015-04-22 16:25:31.840164085 +0200 +++ openssl-1.0.2c/apps/smime.c 2015-06-15 17:47:39.090635621 +0200
@@ -442,6 +442,8 @@ int MAIN(int argc, char **argv) @@ -442,6 +442,8 @@ int MAIN(int argc, char **argv)
"-CApath dir trusted certificates directory\n"); "-CApath dir trusted certificates directory\n");
BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
BIO_printf(bio_err, BIO_printf(bio_err,
+ "-trusted_first use trusted certificates first when building the trust chain\n"); + "-trusted_first use trusted certificates first when building the trust chain\n");
+ BIO_printf(bio_err, + BIO_printf(bio_err,
"-crl_check check revocation status of signer's certificate using CRLs\n"); "-no_alt_chains only ever use the first certificate chain found\n");
BIO_printf(bio_err, BIO_printf(bio_err,
"-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); "-crl_check check revocation status of signer's certificate using CRLs\n");
diff -up openssl-1.0.2a/apps/s_server.c.trusted-first openssl-1.0.2a/apps/s_server.c diff -up openssl-1.0.2c/apps/s_server.c.trusted-first openssl-1.0.2c/apps/s_server.c
--- openssl-1.0.2a/apps/s_server.c.trusted-first 2015-04-22 16:25:31.806163281 +0200 --- openssl-1.0.2c/apps/s_server.c.trusted-first 2015-06-15 17:45:13.114279807 +0200
+++ openssl-1.0.2a/apps/s_server.c 2015-04-22 16:25:31.841164108 +0200 +++ openssl-1.0.2c/apps/s_server.c 2015-06-15 17:47:24.841308046 +0200
@@ -569,6 +569,8 @@ static void sv_usage(void) @@ -572,6 +572,8 @@ static void sv_usage(void)
BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
BIO_printf(bio_err, BIO_printf(bio_err,
+ " -trusted_first - Use trusted CA's first when building the trust chain\n"); + " -trusted_first - Use trusted CA's first when building the trust chain\n");
+ BIO_printf(bio_err, + BIO_printf(bio_err,
" -nocert - Don't use any certificates (Anon-DH)\n"); " -no_alt_chains - only ever use the first certificate chain found\n");
BIO_printf(bio_err, BIO_printf(bio_err,
" -cipher arg - play with 'openssl ciphers' to see what goes here\n"); " -nocert - Don't use any certificates (Anon-DH)\n");
diff -up openssl-1.0.2a/apps/s_time.c.trusted-first openssl-1.0.2a/apps/s_time.c diff -up openssl-1.0.2c/apps/s_time.c.trusted-first openssl-1.0.2c/apps/s_time.c
--- openssl-1.0.2a/apps/s_time.c.trusted-first 2015-04-22 16:25:31.755162075 +0200 --- openssl-1.0.2c/apps/s_time.c.trusted-first 2015-06-15 17:45:13.010277416 +0200
+++ openssl-1.0.2a/apps/s_time.c 2015-04-22 16:25:31.841164108 +0200 +++ openssl-1.0.2c/apps/s_time.c 2015-06-15 17:45:13.114279807 +0200
@@ -182,6 +182,7 @@ static void s_time_usage(void) @@ -182,6 +182,7 @@ static void s_time_usage(void)
file if not specified by this option\n\ file if not specified by this option\n\
-CApath arg - PEM format directory of CA's\n\ -CApath arg - PEM format directory of CA's\n\
@ -69,9 +69,9 @@ diff -up openssl-1.0.2a/apps/s_time.c.trusted-first openssl-1.0.2a/apps/s_time.c
-cipher - preferred cipher to use, play with 'openssl ciphers'\n\n"; -cipher - preferred cipher to use, play with 'openssl ciphers'\n\n";
printf("usage: s_time <args>\n\n"); printf("usage: s_time <args>\n\n");
diff -up openssl-1.0.2a/apps/ts.c.trusted-first openssl-1.0.2a/apps/ts.c diff -up openssl-1.0.2c/apps/ts.c.trusted-first openssl-1.0.2c/apps/ts.c
--- openssl-1.0.2a/apps/ts.c.trusted-first 2015-04-22 16:25:31.797163068 +0200 --- openssl-1.0.2c/apps/ts.c.trusted-first 2015-06-15 17:45:13.065278681 +0200
+++ openssl-1.0.2a/apps/ts.c 2015-04-22 16:25:31.841164108 +0200 +++ openssl-1.0.2c/apps/ts.c 2015-06-15 17:45:13.114279807 +0200
@@ -352,7 +352,7 @@ int MAIN(int argc, char **argv) @@ -352,7 +352,7 @@ int MAIN(int argc, char **argv)
"ts -verify [-data file_to_hash] [-digest digest_bytes] " "ts -verify [-data file_to_hash] [-digest digest_bytes] "
"[-queryfile request.tsq] " "[-queryfile request.tsq] "
@ -81,30 +81,30 @@ diff -up openssl-1.0.2a/apps/ts.c.trusted-first openssl-1.0.2a/apps/ts.c
"-untrusted cert_file.pem\n"); "-untrusted cert_file.pem\n");
cleanup: cleanup:
/* Clean up. */ /* Clean up. */
diff -up openssl-1.0.2a/apps/verify.c.trusted-first openssl-1.0.2a/apps/verify.c diff -up openssl-1.0.2c/apps/verify.c.trusted-first openssl-1.0.2c/apps/verify.c
--- openssl-1.0.2a/apps/verify.c.trusted-first 2015-03-19 14:30:36.000000000 +0100 --- openssl-1.0.2c/apps/verify.c.trusted-first 2015-06-15 17:45:13.114279807 +0200
+++ openssl-1.0.2a/apps/verify.c 2015-04-22 16:25:31.841164108 +0200 +++ openssl-1.0.2c/apps/verify.c 2015-06-15 17:48:03.979207778 +0200
@@ -231,7 +231,7 @@ int MAIN(int argc, char **argv) @@ -231,7 +231,7 @@ int MAIN(int argc, char **argv)
end: end:
if (ret == 1) { if (ret == 1) {
BIO_printf(bio_err, BIO_printf(bio_err,
- "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]"); - "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
+ "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]"); + "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
BIO_printf(bio_err, " [-attime timestamp]"); BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]");
#ifndef OPENSSL_NO_ENGINE #ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err, " [-engine e]"); BIO_printf(bio_err, " [-engine e]");
diff -up openssl-1.0.2a/doc/apps/cms.pod.trusted-first openssl-1.0.2a/doc/apps/cms.pod diff -up openssl-1.0.2c/doc/apps/cms.pod.trusted-first openssl-1.0.2c/doc/apps/cms.pod
--- openssl-1.0.2a/doc/apps/cms.pod.trusted-first 2015-03-19 14:30:36.000000000 +0100 --- openssl-1.0.2c/doc/apps/cms.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200
+++ openssl-1.0.2a/doc/apps/cms.pod 2015-04-22 16:25:31.842164132 +0200 +++ openssl-1.0.2c/doc/apps/cms.pod 2015-06-15 17:48:43.615118958 +0200
@@ -35,6 +35,7 @@ B<openssl> B<cms> @@ -35,6 +35,7 @@ B<openssl> B<cms>
[B<-print>] [B<-print>]
[B<-CAfile file>] [B<-CAfile file>]
[B<-CApath dir>] [B<-CApath dir>]
+[B<-trusted_first>] +[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-md digest>] [B<-md digest>]
[B<-[cipher]>] [B<-[cipher]>]
[B<-nointern>] @@ -245,6 +246,12 @@ B<-verify>. This directory must be a sta
@@ -244,6 +245,12 @@ B<-verify>. This directory must be a sta
is a hash of each subject name (using B<x509 -hash>) should be linked is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate. to each certificate.
@ -117,18 +117,20 @@ diff -up openssl-1.0.2a/doc/apps/cms.pod.trusted-first openssl-1.0.2a/doc/apps/c
=item B<-md digest> =item B<-md digest>
digest algorithm to use when signing or resigning. If not present then the digest algorithm to use when signing or resigning. If not present then the
diff -up openssl-1.0.2a/doc/apps/ocsp.pod.trusted-first openssl-1.0.2a/doc/apps/ocsp.pod diff -up openssl-1.0.2c/doc/apps/ocsp.pod.trusted-first openssl-1.0.2c/doc/apps/ocsp.pod
--- openssl-1.0.2a/doc/apps/ocsp.pod.trusted-first 2015-04-22 16:25:31.798163092 +0200 --- openssl-1.0.2c/doc/apps/ocsp.pod.trusted-first 2015-06-15 17:45:13.115279830 +0200
+++ openssl-1.0.2a/doc/apps/ocsp.pod 2015-04-22 16:25:31.842164132 +0200 +++ openssl-1.0.2c/doc/apps/ocsp.pod 2015-06-15 17:49:06.337641320 +0200
@@ -29,6 +29,7 @@ B<openssl> B<ocsp> @@ -29,7 +29,8 @@ B<openssl> B<ocsp>
[B<-path>] [B<-path>]
[B<-CApath dir>] [B<-CApath dir>]
[B<-CAfile file>] [B<-CAfile file>]
-[B<-no_alt_chains>]]
+[B<-trusted_first>] +[B<-trusted_first>]
+[B<-no_alt_chains>]
[B<-VAfile file>] [B<-VAfile file>]
[B<-validity_period n>] [B<-validity_period n>]
[B<-status_age n>] [B<-status_age n>]
@@ -143,6 +144,13 @@ connection timeout to the OCSP responder @@ -144,6 +145,13 @@ connection timeout to the OCSP responder
file or pathname containing trusted CA certificates. These are used to verify file or pathname containing trusted CA certificates. These are used to verify
the signature on the OCSP response. the signature on the OCSP response.
@ -139,32 +141,32 @@ diff -up openssl-1.0.2a/doc/apps/ocsp.pod.trusted-first openssl-1.0.2a/doc/apps/
+chain to verify responder certificate. +chain to verify responder certificate.
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs. +This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+ +
=item B<-verify_other file> =item B<-no_alt_chains>
file containing additional certificates to search when attempting to locate See L<B<verify>|verify(1)> manual page for details.
diff -up openssl-1.0.2a/doc/apps/s_client.pod.trusted-first openssl-1.0.2a/doc/apps/s_client.pod diff -up openssl-1.0.2c/doc/apps/s_client.pod.trusted-first openssl-1.0.2c/doc/apps/s_client.pod
--- openssl-1.0.2a/doc/apps/s_client.pod.trusted-first 2015-04-22 16:25:31.814163470 +0200 --- openssl-1.0.2c/doc/apps/s_client.pod.trusted-first 2015-06-15 17:45:13.115279830 +0200
+++ openssl-1.0.2a/doc/apps/s_client.pod 2015-04-22 16:25:31.843164156 +0200 +++ openssl-1.0.2c/doc/apps/s_client.pod 2015-06-15 17:49:23.984046989 +0200
@@ -19,6 +19,7 @@ B<openssl> B<s_client> @@ -19,6 +19,7 @@ B<openssl> B<s_client>
[B<-pass arg>] [B<-pass arg>]
[B<-CApath directory>] [B<-CApath directory>]
[B<-CAfile filename>] [B<-CAfile filename>]
+[B<-trusted_first>] +[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-reconnect>] [B<-reconnect>]
[B<-pause>] [B<-pause>]
[B<-showcerts>] @@ -124,7 +125,7 @@ also used when building the client certi
@@ -123,7 +124,7 @@ also used when building the client certi
A file containing trusted certificates to use during server authentication A file containing trusted certificates to use during server authentication
and to use when attempting to build the client certificate chain. and to use when attempting to build the client certificate chain.
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first> +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first -no_alt_chains>
Set various certificate chain valiadition option. See the Set various certificate chain valiadition option. See the
L<B<verify>|verify(1)> manual page for details. L<B<verify>|verify(1)> manual page for details.
diff -up openssl-1.0.2a/doc/apps/smime.pod.trusted-first openssl-1.0.2a/doc/apps/smime.pod diff -up openssl-1.0.2c/doc/apps/smime.pod.trusted-first openssl-1.0.2c/doc/apps/smime.pod
--- openssl-1.0.2a/doc/apps/smime.pod.trusted-first 2015-01-20 13:33:36.000000000 +0100 --- openssl-1.0.2c/doc/apps/smime.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200
+++ openssl-1.0.2a/doc/apps/smime.pod 2015-04-22 16:25:31.843164156 +0200 +++ openssl-1.0.2c/doc/apps/smime.pod 2015-06-15 17:50:00.856894648 +0200
@@ -15,6 +15,9 @@ B<openssl> B<smime> @@ -15,6 +15,9 @@ B<openssl> B<smime>
[B<-pk7out>] [B<-pk7out>]
[B<-[cipher]>] [B<-[cipher]>]
@ -172,10 +174,10 @@ diff -up openssl-1.0.2a/doc/apps/smime.pod.trusted-first openssl-1.0.2a/doc/apps
+[B<-CAfile file>] +[B<-CAfile file>]
+[B<-CApath dir>] +[B<-CApath dir>]
+[B<-trusted_first>] +[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-certfile file>] [B<-certfile file>]
[B<-signer file>] [B<-signer file>]
[B<-recip file>] @@ -147,6 +150,12 @@ B<-verify>. This directory must be a sta
@@ -146,6 +149,12 @@ B<-verify>. This directory must be a sta
is a hash of each subject name (using B<x509 -hash>) should be linked is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate. to each certificate.
@ -188,18 +190,18 @@ diff -up openssl-1.0.2a/doc/apps/smime.pod.trusted-first openssl-1.0.2a/doc/apps
=item B<-md digest> =item B<-md digest>
digest algorithm to use when signing or resigning. If not present then the digest algorithm to use when signing or resigning. If not present then the
diff -up openssl-1.0.2a/doc/apps/s_server.pod.trusted-first openssl-1.0.2a/doc/apps/s_server.pod diff -up openssl-1.0.2c/doc/apps/s_server.pod.trusted-first openssl-1.0.2c/doc/apps/s_server.pod
--- openssl-1.0.2a/doc/apps/s_server.pod.trusted-first 2015-04-22 16:25:31.814163470 +0200 --- openssl-1.0.2c/doc/apps/s_server.pod.trusted-first 2015-06-15 17:45:13.116279853 +0200
+++ openssl-1.0.2a/doc/apps/s_server.pod 2015-04-22 16:25:31.843164156 +0200 +++ openssl-1.0.2c/doc/apps/s_server.pod 2015-06-15 17:49:37.420355873 +0200
@@ -33,6 +33,7 @@ B<openssl> B<s_server> @@ -33,6 +33,7 @@ B<openssl> B<s_server>
[B<-state>] [B<-state>]
[B<-CApath directory>] [B<-CApath directory>]
[B<-CAfile filename>] [B<-CAfile filename>]
+[B<-trusted_first>] +[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-nocert>] [B<-nocert>]
[B<-cipher cipherlist>] [B<-cipher cipherlist>]
[B<-serverpref>] @@ -175,6 +176,12 @@ and to use when attempting to build the
@@ -174,6 +175,12 @@ and to use when attempting to build the
is also used in the list of acceptable client CAs passed to the client when is also used in the list of acceptable client CAs passed to the client when
a certificate is requested. a certificate is requested.
@ -209,12 +211,12 @@ diff -up openssl-1.0.2a/doc/apps/s_server.pod.trusted-first openssl-1.0.2a/doc/a
+when building the trust chain to verify client certificates. +when building the trust chain to verify client certificates.
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs. +This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+ +
=item B<-state> =item B<-no_alt_chains>
prints out the SSL session states. See the L<B<verify>|verify(1)> manual page for details.
diff -up openssl-1.0.2a/doc/apps/s_time.pod.trusted-first openssl-1.0.2a/doc/apps/s_time.pod diff -up openssl-1.0.2c/doc/apps/s_time.pod.trusted-first openssl-1.0.2c/doc/apps/s_time.pod
--- openssl-1.0.2a/doc/apps/s_time.pod.trusted-first 2015-01-15 15:43:49.000000000 +0100 --- openssl-1.0.2c/doc/apps/s_time.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200
+++ openssl-1.0.2a/doc/apps/s_time.pod 2015-04-22 16:25:31.843164156 +0200 +++ openssl-1.0.2c/doc/apps/s_time.pod 2015-06-15 17:45:13.116279853 +0200
@@ -14,6 +14,7 @@ B<openssl> B<s_time> @@ -14,6 +14,7 @@ B<openssl> B<s_time>
[B<-key filename>] [B<-key filename>]
[B<-CApath directory>] [B<-CApath directory>]
@ -236,9 +238,9 @@ diff -up openssl-1.0.2a/doc/apps/s_time.pod.trusted-first openssl-1.0.2a/doc/app
=item B<-new> =item B<-new>
performs the timing test using a new session ID for each connection. performs the timing test using a new session ID for each connection.
diff -up openssl-1.0.2a/doc/apps/ts.pod.trusted-first openssl-1.0.2a/doc/apps/ts.pod diff -up openssl-1.0.2c/doc/apps/ts.pod.trusted-first openssl-1.0.2c/doc/apps/ts.pod
--- openssl-1.0.2a/doc/apps/ts.pod.trusted-first 2015-01-20 13:33:36.000000000 +0100 --- openssl-1.0.2c/doc/apps/ts.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200
+++ openssl-1.0.2a/doc/apps/ts.pod 2015-04-22 16:25:31.843164156 +0200 +++ openssl-1.0.2c/doc/apps/ts.pod 2015-06-15 17:45:13.116279853 +0200
@@ -46,6 +46,7 @@ B<-verify> @@ -46,6 +46,7 @@ B<-verify>
[B<-token_in>] [B<-token_in>]
[B<-CApath> trusted_cert_path] [B<-CApath> trusted_cert_path]
@ -260,9 +262,9 @@ diff -up openssl-1.0.2a/doc/apps/ts.pod.trusted-first openssl-1.0.2a/doc/apps/ts
=item B<-untrusted> cert_file.pem =item B<-untrusted> cert_file.pem
Set of additional untrusted certificates in PEM format which may be Set of additional untrusted certificates in PEM format which may be
diff -up openssl-1.0.2a/doc/apps/verify.pod.trusted-first openssl-1.0.2a/doc/apps/verify.pod diff -up openssl-1.0.2c/doc/apps/verify.pod.trusted-first openssl-1.0.2c/doc/apps/verify.pod
--- openssl-1.0.2a/doc/apps/verify.pod.trusted-first 2015-03-19 14:30:36.000000000 +0100 --- openssl-1.0.2c/doc/apps/verify.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200
+++ openssl-1.0.2a/doc/apps/verify.pod 2015-04-22 16:25:31.843164156 +0200 +++ openssl-1.0.2c/doc/apps/verify.pod 2015-06-15 17:45:13.116279853 +0200
@@ -9,6 +9,7 @@ verify - Utility to verify certificates. @@ -9,6 +9,7 @@ verify - Utility to verify certificates.
B<openssl> B<verify> B<openssl> B<verify>
[B<-CApath directory>] [B<-CApath directory>]
@ -271,7 +273,7 @@ diff -up openssl-1.0.2a/doc/apps/verify.pod.trusted-first openssl-1.0.2a/doc/app
[B<-purpose purpose>] [B<-purpose purpose>]
[B<-policy arg>] [B<-policy arg>]
[B<-ignore_critical>] [B<-ignore_critical>]
@@ -78,6 +79,12 @@ If a valid CRL cannot be found an error @@ -79,6 +80,12 @@ If a valid CRL cannot be found an error
A file of untrusted certificates. The file should contain multiple certificates A file of untrusted certificates. The file should contain multiple certificates
in PEM format concatenated together. in PEM format concatenated together.

21
openssl.spec
View File

@ -22,8 +22,8 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 1.0.2a Version: 1.0.2c
Release: 4%{?dist} Release: 1%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -40,7 +40,7 @@ Source11: README.FIPS
Source12: ec_curve.c Source12: ec_curve.c
Source13: ectest.c Source13: ectest.c
# Build changes # Build changes
Patch1: openssl-1.0.2a-rpmbuild.patch Patch1: openssl-1.0.2c-rpmbuild.patch
Patch2: openssl-1.0.2a-defaults.patch Patch2: openssl-1.0.2a-defaults.patch
Patch4: openssl-1.0.2a-enginesdir.patch Patch4: openssl-1.0.2a-enginesdir.patch
Patch5: openssl-1.0.2a-no-rpath.patch Patch5: openssl-1.0.2a-no-rpath.patch
@ -49,14 +49,14 @@ Patch7: openssl-1.0.0-timezone.patch
Patch8: openssl-1.0.1c-perlfind.patch Patch8: openssl-1.0.1c-perlfind.patch
Patch9: openssl-1.0.1c-aliasing.patch Patch9: openssl-1.0.1c-aliasing.patch
# Bug fixes # Bug fixes
Patch23: openssl-1.0.2a-default-paths.patch Patch23: openssl-1.0.2c-default-paths.patch
Patch24: openssl-1.0.2a-issuer-hash.patch Patch24: openssl-1.0.2a-issuer-hash.patch
# Functionality changes # Functionality changes
Patch33: openssl-1.0.0-beta4-ca-dir.patch Patch33: openssl-1.0.0-beta4-ca-dir.patch
Patch34: openssl-1.0.2a-x509.patch Patch34: openssl-1.0.2a-x509.patch
Patch35: openssl-1.0.2a-version-add-engines.patch Patch35: openssl-1.0.2a-version-add-engines.patch
Patch39: openssl-1.0.2a-ipv6-apps.patch Patch39: openssl-1.0.2a-ipv6-apps.patch
Patch40: openssl-1.0.2a-fips.patch Patch40: openssl-1.0.2c-fips.patch
Patch45: openssl-1.0.2a-env-zlib.patch Patch45: openssl-1.0.2a-env-zlib.patch
Patch47: openssl-1.0.2a-readme-warning.patch Patch47: openssl-1.0.2a-readme-warning.patch
Patch49: openssl-1.0.1i-algo-doc.patch Patch49: openssl-1.0.1i-algo-doc.patch
@ -69,11 +69,10 @@ Patch63: openssl-1.0.2a-xmpp-starttls.patch
Patch65: openssl-1.0.2a-chil-fixes.patch Patch65: openssl-1.0.2a-chil-fixes.patch
Patch66: openssl-1.0.2a-pkgconfig-krb5.patch Patch66: openssl-1.0.2a-pkgconfig-krb5.patch
Patch68: openssl-1.0.2a-secure-getenv.patch Patch68: openssl-1.0.2a-secure-getenv.patch
Patch69: openssl-1.0.2a-dh-1024.patch
Patch70: openssl-1.0.2a-fips-ec.patch Patch70: openssl-1.0.2a-fips-ec.patch
Patch71: openssl-1.0.2a-manfix.patch Patch71: openssl-1.0.2a-manfix.patch
Patch72: openssl-1.0.2a-fips-ctor.patch Patch72: openssl-1.0.2a-fips-ctor.patch
Patch73: openssl-1.0.2a-ecc-suiteb.patch Patch73: openssl-1.0.2c-ecc-suiteb.patch
Patch74: openssl-1.0.2a-no-md5-verify.patch Patch74: openssl-1.0.2a-no-md5-verify.patch
Patch75: openssl-1.0.2a-compat-symbols.patch Patch75: openssl-1.0.2a-compat-symbols.patch
Patch76: openssl-1.0.2a-new-fips-reqs.patch Patch76: openssl-1.0.2a-new-fips-reqs.patch
@ -85,8 +84,7 @@ Patch93: openssl-1.0.2a-disable-sslv2v3.patch
# Backported fixes including security fixes # Backported fixes including security fixes
Patch80: openssl-1.0.2a-wrap-pad.patch Patch80: openssl-1.0.2a-wrap-pad.patch
Patch81: openssl-1.0.2a-padlock64.patch Patch81: openssl-1.0.2a-padlock64.patch
Patch82: openssl-1.0.2a-trusted-first-doc.patch Patch82: openssl-1.0.2c-trusted-first-doc.patch
Patch83: openssl-1.0.2a-alt-chains.patch
License: OpenSSL License: OpenSSL
Group: System Environment/Libraries Group: System Environment/Libraries
@ -190,7 +188,6 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch65 -p1 -b .chil %patch65 -p1 -b .chil
%patch66 -p1 -b .krb5 %patch66 -p1 -b .krb5
%patch68 -p1 -b .secure-getenv %patch68 -p1 -b .secure-getenv
%patch69 -p1 -b .dh1024
%patch70 -p1 -b .fips-ec %patch70 -p1 -b .fips-ec
%patch71 -p1 -b .manfix %patch71 -p1 -b .manfix
%patch72 -p1 -b .fips-ctor %patch72 -p1 -b .fips-ctor
@ -207,7 +204,6 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch80 -p1 -b .wrap %patch80 -p1 -b .wrap
%patch81 -p1 -b .padlock64 %patch81 -p1 -b .padlock64
%patch82 -p1 -b .trusted-first %patch82 -p1 -b .trusted-first
%patch83 -p1 -b .alt-chains
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
@ -478,6 +474,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig %postun libs -p /sbin/ldconfig
%changelog %changelog
* Mon Jun 15 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.2c-1
- minor upstream release 1.0.2c fixing multiple security issues
* Thu May 7 2015 Peter Robinson <pbrobinson@fedoraproject.org> 1.0.2a-4 * Thu May 7 2015 Peter Robinson <pbrobinson@fedoraproject.org> 1.0.2a-4
- Add aarch64 sslarch details - Add aarch64 sslarch details

2
sources
View File

@ -1 +1 @@
f51c4df95c3d53fc82a0885fd169225a openssl-1.0.2a-hobbled.tar.xz 178792e60274974ec47aedc6dc5eba7a openssl-1.0.2c-hobbled.tar.xz