forked from rpms/openssl
minor upstream release 1.0.2c fixing multiple security issues
This commit is contained in:
parent
18455c91c0
commit
837dd04882
1
.gitignore
vendored
1
.gitignore
vendored
@ -23,3 +23,4 @@ openssl-1.0.0a-usa.tar.bz2
|
|||||||
/openssl-1.0.1j-hobbled.tar.xz
|
/openssl-1.0.1j-hobbled.tar.xz
|
||||||
/openssl-1.0.1k-hobbled.tar.xz
|
/openssl-1.0.1k-hobbled.tar.xz
|
||||||
/openssl-1.0.2a-hobbled.tar.xz
|
/openssl-1.0.2a-hobbled.tar.xz
|
||||||
|
/openssl-1.0.2c-hobbled.tar.xz
|
||||||
|
8
ectest.c
8
ectest.c
@ -386,7 +386,7 @@ static void prime_field_tests(void)
|
|||||||
ABORT;
|
ABORT;
|
||||||
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
|
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
|
||||||
ABORT;
|
ABORT;
|
||||||
if (!EC_POINT_is_on_curve(group, P, ctx))
|
if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
|
||||||
ABORT;
|
ABORT;
|
||||||
if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E"
|
if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E"
|
||||||
"84F3B9CAC2FC632551"))
|
"84F3B9CAC2FC632551"))
|
||||||
@ -442,7 +442,7 @@ static void prime_field_tests(void)
|
|||||||
ABORT;
|
ABORT;
|
||||||
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
|
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx))
|
||||||
ABORT;
|
ABORT;
|
||||||
if (!EC_POINT_is_on_curve(group, P, ctx))
|
if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
|
||||||
ABORT;
|
ABORT;
|
||||||
if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
||||||
"FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973"))
|
"FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973"))
|
||||||
@ -501,7 +501,7 @@ static void prime_field_tests(void)
|
|||||||
ABORT;
|
ABORT;
|
||||||
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx))
|
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx))
|
||||||
ABORT;
|
ABORT;
|
||||||
if (!EC_POINT_is_on_curve(group, P, ctx))
|
if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
|
||||||
ABORT;
|
ABORT;
|
||||||
if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
||||||
"FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5"
|
"FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5"
|
||||||
@ -545,7 +545,7 @@ static void prime_field_tests(void)
|
|||||||
ABORT;
|
ABORT;
|
||||||
if (!EC_POINT_dbl(group, P, P, ctx))
|
if (!EC_POINT_dbl(group, P, P, ctx))
|
||||||
ABORT;
|
ABORT;
|
||||||
if (!EC_POINT_is_on_curve(group, P, ctx))
|
if (EC_POINT_is_on_curve(group, P, ctx) <= 0)
|
||||||
ABORT;
|
ABORT;
|
||||||
if (!EC_POINT_invert(group, Q, ctx))
|
if (!EC_POINT_invert(group, Q, ctx))
|
||||||
ABORT; /* P = -2Q */
|
ABORT; /* P = -2Q */
|
||||||
|
@ -1,527 +0,0 @@
|
|||||||
diff -up openssl-1.0.2a/apps/apps.c.alt-chains openssl-1.0.2a/apps/apps.c
|
|
||||||
--- openssl-1.0.2a/apps/apps.c.alt-chains 2015-03-19 14:30:36.000000000 +0100
|
|
||||||
+++ openssl-1.0.2a/apps/apps.c 2015-04-28 16:49:50.124558770 +0200
|
|
||||||
@@ -2371,6 +2371,8 @@ int args_verify(char ***pargs, int *parg
|
|
||||||
flags |= X509_V_FLAG_SUITEB_192_LOS;
|
|
||||||
else if (!strcmp(arg, "-partial_chain"))
|
|
||||||
flags |= X509_V_FLAG_PARTIAL_CHAIN;
|
|
||||||
+ else if (!strcmp(arg, "-no_alt_chains"))
|
|
||||||
+ flags |= X509_V_FLAG_NO_ALT_CHAINS;
|
|
||||||
else
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
diff -up openssl-1.0.2a/apps/cms.c.alt-chains openssl-1.0.2a/apps/cms.c
|
|
||||||
--- openssl-1.0.2a/apps/cms.c.alt-chains 2015-04-23 10:22:56.225685251 +0200
|
|
||||||
+++ openssl-1.0.2a/apps/cms.c 2015-04-28 16:49:50.125558793 +0200
|
|
||||||
@@ -648,6 +648,8 @@ int MAIN(int argc, char **argv)
|
|
||||||
BIO_printf(bio_err,
|
|
||||||
"-trusted_first use trusted certificates first when building the trust chain\n");
|
|
||||||
BIO_printf(bio_err,
|
|
||||||
+ "-no_alt_chains only ever use the first certificate chain found\n");
|
|
||||||
+ BIO_printf(bio_err,
|
|
||||||
"-crl_check check revocation status of signer's certificate using CRLs\n");
|
|
||||||
BIO_printf(bio_err,
|
|
||||||
"-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
|
|
||||||
diff -up openssl-1.0.2a/apps/ocsp.c.alt-chains openssl-1.0.2a/apps/ocsp.c
|
|
||||||
--- openssl-1.0.2a/apps/ocsp.c.alt-chains 2015-04-23 10:22:56.225685251 +0200
|
|
||||||
+++ openssl-1.0.2a/apps/ocsp.c 2015-04-28 16:49:50.125558793 +0200
|
|
||||||
@@ -538,6 +538,8 @@ int MAIN(int argc, char **argv)
|
|
||||||
BIO_printf(bio_err,
|
|
||||||
"-trusted_first use trusted certificates first when building the trust chain\n");
|
|
||||||
BIO_printf(bio_err,
|
|
||||||
+ "-no_alt_chains only ever use the first certificate chain found\n");
|
|
||||||
+ BIO_printf(bio_err,
|
|
||||||
"-VAfile file validator certificates file\n");
|
|
||||||
BIO_printf(bio_err,
|
|
||||||
"-validity_period n maximum validity discrepancy in seconds\n");
|
|
||||||
diff -up openssl-1.0.2a/apps/s_client.c.alt-chains openssl-1.0.2a/apps/s_client.c
|
|
||||||
--- openssl-1.0.2a/apps/s_client.c.alt-chains 2015-04-23 10:22:56.225685251 +0200
|
|
||||||
+++ openssl-1.0.2a/apps/s_client.c 2015-04-28 16:49:50.126558815 +0200
|
|
||||||
@@ -335,6 +335,8 @@ static void sc_usage(void)
|
|
||||||
BIO_printf(bio_err,
|
|
||||||
" -trusted_first - Use trusted CA's first when building the trust chain\n");
|
|
||||||
BIO_printf(bio_err,
|
|
||||||
+ " -no_alt_chains - only ever use the first certificate chain found\n");
|
|
||||||
+ BIO_printf(bio_err,
|
|
||||||
" -reconnect - Drop and re-make the connection with the same Session-ID\n");
|
|
||||||
BIO_printf(bio_err,
|
|
||||||
" -pause - sleep(1) after each read(2) and write(2) system call\n");
|
|
||||||
diff -up openssl-1.0.2a/apps/smime.c.alt-chains openssl-1.0.2a/apps/smime.c
|
|
||||||
--- openssl-1.0.2a/apps/smime.c.alt-chains 2015-04-23 10:22:56.226685277 +0200
|
|
||||||
+++ openssl-1.0.2a/apps/smime.c 2015-04-28 16:49:50.128558861 +0200
|
|
||||||
@@ -444,6 +444,8 @@ int MAIN(int argc, char **argv)
|
|
||||||
BIO_printf(bio_err,
|
|
||||||
"-trusted_first use trusted certificates first when building the trust chain\n");
|
|
||||||
BIO_printf(bio_err,
|
|
||||||
+ "-no_alt_chains only ever use the first certificate chain found\n");
|
|
||||||
+ BIO_printf(bio_err,
|
|
||||||
"-crl_check check revocation status of signer's certificate using CRLs\n");
|
|
||||||
BIO_printf(bio_err,
|
|
||||||
"-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
|
|
||||||
diff -up openssl-1.0.2a/apps/s_server.c.alt-chains openssl-1.0.2a/apps/s_server.c
|
|
||||||
--- openssl-1.0.2a/apps/s_server.c.alt-chains 2015-04-23 10:22:56.226685277 +0200
|
|
||||||
+++ openssl-1.0.2a/apps/s_server.c 2015-04-28 16:49:50.128558861 +0200
|
|
||||||
@@ -571,6 +571,8 @@ static void sv_usage(void)
|
|
||||||
BIO_printf(bio_err,
|
|
||||||
" -trusted_first - Use trusted CA's first when building the trust chain\n");
|
|
||||||
BIO_printf(bio_err,
|
|
||||||
+ " -no_alt_chains - only ever use the first certificate chain found\n");
|
|
||||||
+ BIO_printf(bio_err,
|
|
||||||
" -nocert - Don't use any certificates (Anon-DH)\n");
|
|
||||||
BIO_printf(bio_err,
|
|
||||||
" -cipher arg - play with 'openssl ciphers' to see what goes here\n");
|
|
||||||
diff -up openssl-1.0.2a/apps/verify.c.alt-chains openssl-1.0.2a/apps/verify.c
|
|
||||||
--- openssl-1.0.2a/apps/verify.c.alt-chains 2015-04-28 16:49:50.128558861 +0200
|
|
||||||
+++ openssl-1.0.2a/apps/verify.c 2015-04-28 16:50:52.210974346 +0200
|
|
||||||
@@ -232,7 +232,7 @@ int MAIN(int argc, char **argv)
|
|
||||||
if (ret == 1) {
|
|
||||||
BIO_printf(bio_err,
|
|
||||||
"usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
|
|
||||||
- BIO_printf(bio_err, " [-attime timestamp]");
|
|
||||||
+ BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]");
|
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
BIO_printf(bio_err, " [-engine e]");
|
|
||||||
#endif
|
|
||||||
diff -up openssl-1.0.2a/crypto/x509/x509_vfy.c.alt-chains openssl-1.0.2a/crypto/x509/x509_vfy.c
|
|
||||||
--- openssl-1.0.2a/crypto/x509/x509_vfy.c.alt-chains 2015-04-23 10:22:56.188684277 +0200
|
|
||||||
+++ openssl-1.0.2a/crypto/x509/x509_vfy.c 2015-04-28 17:03:40.478786778 +0200
|
|
||||||
@@ -189,11 +189,11 @@ static X509 *lookup_cert_match(X509_STOR
|
|
||||||
|
|
||||||
int X509_verify_cert(X509_STORE_CTX *ctx)
|
|
||||||
{
|
|
||||||
- X509 *x, *xtmp, *chain_ss = NULL;
|
|
||||||
+ X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
|
|
||||||
int bad_chain = 0;
|
|
||||||
X509_VERIFY_PARAM *param = ctx->param;
|
|
||||||
int depth, i, ok = 0;
|
|
||||||
- int num;
|
|
||||||
+ int num, j, retry;
|
|
||||||
int (*cb) (int xok, X509_STORE_CTX *xctx);
|
|
||||||
STACK_OF(X509) *sktmp = NULL;
|
|
||||||
if (ctx->cert == NULL) {
|
|
||||||
@@ -278,91 +278,136 @@ int X509_verify_cert(X509_STORE_CTX *ctx
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* Remember how many untrusted certs we have */
|
|
||||||
+ j = num;
|
|
||||||
/*
|
|
||||||
* at this point, chain should contain a list of untrusted certificates.
|
|
||||||
* We now need to add at least one trusted one, if possible, otherwise we
|
|
||||||
* complain.
|
|
||||||
*/
|
|
||||||
|
|
||||||
- /*
|
|
||||||
- * Examine last certificate in chain and see if it is self signed.
|
|
||||||
- */
|
|
||||||
-
|
|
||||||
- i = sk_X509_num(ctx->chain);
|
|
||||||
- x = sk_X509_value(ctx->chain, i - 1);
|
|
||||||
- if (cert_self_signed(x)) {
|
|
||||||
- /* we have a self signed certificate */
|
|
||||||
- if (sk_X509_num(ctx->chain) == 1) {
|
|
||||||
- /*
|
|
||||||
- * We have a single self signed certificate: see if we can find
|
|
||||||
- * it in the store. We must have an exact match to avoid possible
|
|
||||||
- * impersonation.
|
|
||||||
- */
|
|
||||||
- ok = ctx->get_issuer(&xtmp, ctx, x);
|
|
||||||
- if ((ok <= 0) || X509_cmp(x, xtmp)) {
|
|
||||||
- ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
|
|
||||||
- ctx->current_cert = x;
|
|
||||||
- ctx->error_depth = i - 1;
|
|
||||||
- if (ok == 1)
|
|
||||||
- X509_free(xtmp);
|
|
||||||
- bad_chain = 1;
|
|
||||||
- ok = cb(0, ctx);
|
|
||||||
- if (!ok)
|
|
||||||
- goto end;
|
|
||||||
+ do {
|
|
||||||
+ /*
|
|
||||||
+ * Examine last certificate in chain and see if it is self signed.
|
|
||||||
+ */
|
|
||||||
+ i = sk_X509_num(ctx->chain);
|
|
||||||
+ x = sk_X509_value(ctx->chain, i - 1);
|
|
||||||
+ if (cert_self_signed(x)) {
|
|
||||||
+ /* we have a self signed certificate */
|
|
||||||
+ if (sk_X509_num(ctx->chain) == 1) {
|
|
||||||
+ /*
|
|
||||||
+ * We have a single self signed certificate: see if we can
|
|
||||||
+ * find it in the store. We must have an exact match to avoid
|
|
||||||
+ * possible impersonation.
|
|
||||||
+ */
|
|
||||||
+ ok = ctx->get_issuer(&xtmp, ctx, x);
|
|
||||||
+ if ((ok <= 0) || X509_cmp(x, xtmp)) {
|
|
||||||
+ ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
|
|
||||||
+ ctx->current_cert = x;
|
|
||||||
+ ctx->error_depth = i - 1;
|
|
||||||
+ if (ok == 1)
|
|
||||||
+ X509_free(xtmp);
|
|
||||||
+ bad_chain = 1;
|
|
||||||
+ ok = cb(0, ctx);
|
|
||||||
+ if (!ok)
|
|
||||||
+ goto end;
|
|
||||||
+ } else {
|
|
||||||
+ /*
|
|
||||||
+ * We have a match: replace certificate with store
|
|
||||||
+ * version so we get any trust settings.
|
|
||||||
+ */
|
|
||||||
+ X509_free(x);
|
|
||||||
+ x = xtmp;
|
|
||||||
+ (void)sk_X509_set(ctx->chain, i - 1, x);
|
|
||||||
+ ctx->last_untrusted = 0;
|
|
||||||
+ }
|
|
||||||
} else {
|
|
||||||
/*
|
|
||||||
- * We have a match: replace certificate with store version so
|
|
||||||
- * we get any trust settings.
|
|
||||||
+ * extract and save self signed certificate for later use
|
|
||||||
*/
|
|
||||||
- X509_free(x);
|
|
||||||
- x = xtmp;
|
|
||||||
- (void)sk_X509_set(ctx->chain, i - 1, x);
|
|
||||||
- ctx->last_untrusted = 0;
|
|
||||||
+ chain_ss = sk_X509_pop(ctx->chain);
|
|
||||||
+ ctx->last_untrusted--;
|
|
||||||
+ num--;
|
|
||||||
+ j--;
|
|
||||||
+ x = sk_X509_value(ctx->chain, num - 1);
|
|
||||||
}
|
|
||||||
- } else {
|
|
||||||
- /*
|
|
||||||
- * extract and save self signed certificate for later use
|
|
||||||
- */
|
|
||||||
- chain_ss = sk_X509_pop(ctx->chain);
|
|
||||||
- ctx->last_untrusted--;
|
|
||||||
- num--;
|
|
||||||
- x = sk_X509_value(ctx->chain, num - 1);
|
|
||||||
}
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /* We now lookup certs from the certificate store */
|
|
||||||
- for (;;) {
|
|
||||||
- /* If we have enough, we break */
|
|
||||||
- if (depth < num)
|
|
||||||
- break;
|
|
||||||
+ /* We now lookup certs from the certificate store */
|
|
||||||
+ for (;;) {
|
|
||||||
+ /* If we have enough, we break */
|
|
||||||
+ if (depth < num)
|
|
||||||
+ break;
|
|
||||||
+ /* If we are self signed, we break */
|
|
||||||
+ if (cert_self_signed(x))
|
|
||||||
+ break;
|
|
||||||
+ ok = ctx->get_issuer(&xtmp, ctx, x);
|
|
||||||
|
|
||||||
- /* If we are self signed, we break */
|
|
||||||
- if (cert_self_signed(x))
|
|
||||||
- break;
|
|
||||||
+ if (ok < 0)
|
|
||||||
+ return ok;
|
|
||||||
+ if (ok == 0)
|
|
||||||
+ break;
|
|
||||||
+ x = xtmp;
|
|
||||||
+ if (!sk_X509_push(ctx->chain, x)) {
|
|
||||||
+ X509_free(xtmp);
|
|
||||||
+ X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ num++;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- ok = ctx->get_issuer(&xtmp, ctx, x);
|
|
||||||
+ /* we now have our chain, lets check it... */
|
|
||||||
+ i = check_trust(ctx);
|
|
||||||
|
|
||||||
- if (ok < 0)
|
|
||||||
- return ok;
|
|
||||||
- if (ok == 0)
|
|
||||||
- break;
|
|
||||||
+ /* If explicitly rejected error */
|
|
||||||
+ if (i == X509_TRUST_REJECTED)
|
|
||||||
+ goto end;
|
|
||||||
+ /*
|
|
||||||
+ * If it's not explicitly trusted then check if there is an alternative
|
|
||||||
+ * chain that could be used. We only do this if we haven't already
|
|
||||||
+ * checked via TRUSTED_FIRST and the user hasn't switched off alternate
|
|
||||||
+ * chain checking
|
|
||||||
+ */
|
|
||||||
+ retry = 0;
|
|
||||||
+ if (i != X509_TRUST_TRUSTED
|
|
||||||
+ && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
|
|
||||||
+ && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
|
|
||||||
+ while (j-- > 1) {
|
|
||||||
+ STACK_OF(X509) *chtmp = ctx->chain;
|
|
||||||
+ xtmp2 = sk_X509_value(ctx->chain, j - 1);
|
|
||||||
+ /*
|
|
||||||
+ * Temporarily set chain to NULL so we don't discount
|
|
||||||
+ * duplicates: the same certificate could be an untrusted
|
|
||||||
+ * CA found in the trusted store.
|
|
||||||
+ */
|
|
||||||
+ ctx->chain = NULL;
|
|
||||||
+ ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
|
|
||||||
+ ctx->chain = chtmp;
|
|
||||||
+ if (ok < 0)
|
|
||||||
+ goto end;
|
|
||||||
+ /* Check if we found an alternate chain */
|
|
||||||
+ if (ok > 0) {
|
|
||||||
+ /*
|
|
||||||
+ * Free up the found cert we'll add it again later
|
|
||||||
+ */
|
|
||||||
+ X509_free(xtmp);
|
|
||||||
|
|
||||||
- x = xtmp;
|
|
||||||
- if (!sk_X509_push(ctx->chain, x)) {
|
|
||||||
- X509_free(xtmp);
|
|
||||||
- X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
|
|
||||||
- return 0;
|
|
||||||
+ /*
|
|
||||||
+ * Dump all the certs above this point - we've found an
|
|
||||||
+ * alternate chain
|
|
||||||
+ */
|
|
||||||
+ while (num > j) {
|
|
||||||
+ xtmp = sk_X509_pop(ctx->chain);
|
|
||||||
+ X509_free(xtmp);
|
|
||||||
+ num--;
|
|
||||||
+ ctx->last_untrusted--;
|
|
||||||
+ }
|
|
||||||
+ retry = 1;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
- num++;
|
|
||||||
- }
|
|
||||||
+ } while (retry);
|
|
||||||
|
|
||||||
- /* we now have our chain, lets check it... */
|
|
||||||
-
|
|
||||||
- i = check_trust(ctx);
|
|
||||||
-
|
|
||||||
- /* If explicitly rejected error */
|
|
||||||
- if (i == X509_TRUST_REJECTED)
|
|
||||||
- goto end;
|
|
||||||
/*
|
|
||||||
* If not explicitly trusted then indicate error unless it's a single
|
|
||||||
* self signed certificate in which case we've indicated an error already
|
|
||||||
diff -up openssl-1.0.2a/crypto/x509/x509_vfy.h.alt-chains openssl-1.0.2a/crypto/x509/x509_vfy.h
|
|
||||||
--- openssl-1.0.2a/crypto/x509/x509_vfy.h.alt-chains 2015-04-23 10:22:56.016679751 +0200
|
|
||||||
+++ openssl-1.0.2a/crypto/x509/x509_vfy.h 2015-04-28 16:49:18.551838908 +0200
|
|
||||||
@@ -432,6 +432,12 @@ void X509_STORE_CTX_set_depth(X509_STORE
|
|
||||||
|
|
||||||
/* Allow partial chains if at least one certificate is in trusted store */
|
|
||||||
# define X509_V_FLAG_PARTIAL_CHAIN 0x80000
|
|
||||||
+/*
|
|
||||||
+ * If the initial chain is not trusted, do not attempt to build an alternative
|
|
||||||
+ * chain. Alternate chain checking was introduced in 1.0.2b. Setting this flag
|
|
||||||
+ * will force the behaviour to match that of previous versions.
|
|
||||||
+ */
|
|
||||||
+# define X509_V_FLAG_NO_ALT_CHAINS 0x100000
|
|
||||||
|
|
||||||
# define X509_VP_FLAG_DEFAULT 0x1
|
|
||||||
# define X509_VP_FLAG_OVERWRITE 0x2
|
|
||||||
diff -up openssl-1.0.2a/doc/apps/cms.pod.alt-chains openssl-1.0.2a/doc/apps/cms.pod
|
|
||||||
--- openssl-1.0.2a/doc/apps/cms.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200
|
|
||||||
+++ openssl-1.0.2a/doc/apps/cms.pod 2015-04-28 16:54:17.537682406 +0200
|
|
||||||
@@ -36,6 +36,7 @@ B<openssl> B<cms>
|
|
||||||
[B<-CAfile file>]
|
|
||||||
[B<-CApath dir>]
|
|
||||||
[B<-trusted_first>]
|
|
||||||
+[B<-no_alt_chains>]
|
|
||||||
[B<-md digest>]
|
|
||||||
[B<-[cipher]>]
|
|
||||||
[B<-nointern>]
|
|
||||||
@@ -426,7 +427,7 @@ portion of a message so they may be incl
|
|
||||||
then many S/MIME mail clients check the signers certificate's email
|
|
||||||
address matches that specified in the From: address.
|
|
||||||
|
|
||||||
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
|
|
||||||
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
|
|
||||||
|
|
||||||
Set various certificate chain valiadition option. See the
|
|
||||||
L<B<verify>|verify(1)> manual page for details.
|
|
||||||
@@ -662,4 +663,6 @@ Support for RSA-OAEP and RSA-PSS was fir
|
|
||||||
The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added
|
|
||||||
to OpenSSL 1.1.0.
|
|
||||||
|
|
||||||
+The -no_alt_chains options was first added to OpenSSL 1.0.2b.
|
|
||||||
+
|
|
||||||
=cut
|
|
||||||
diff -up openssl-1.0.2a/doc/apps/ocsp.pod.alt-chains openssl-1.0.2a/doc/apps/ocsp.pod
|
|
||||||
--- openssl-1.0.2a/doc/apps/ocsp.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200
|
|
||||||
+++ openssl-1.0.2a/doc/apps/ocsp.pod 2015-04-28 16:53:44.564914852 +0200
|
|
||||||
@@ -30,6 +30,7 @@ B<openssl> B<ocsp>
|
|
||||||
[B<-CApath dir>]
|
|
||||||
[B<-CAfile file>]
|
|
||||||
[B<-trusted_first>]
|
|
||||||
+[B<-no_alt_chains>]
|
|
||||||
[B<-VAfile file>]
|
|
||||||
[B<-validity_period n>]
|
|
||||||
[B<-status_age n>]
|
|
||||||
@@ -151,6 +152,10 @@ in the response or residing in other cer
|
|
||||||
chain to verify responder certificate.
|
|
||||||
This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
|
||||||
|
|
||||||
+=item B<-no_alt_chains>
|
|
||||||
+
|
|
||||||
+See L<B<verify>|verify(1)> manual page for details.
|
|
||||||
+
|
|
||||||
=item B<-verify_other file>
|
|
||||||
|
|
||||||
file containing additional certificates to search when attempting to locate
|
|
||||||
@@ -388,3 +393,9 @@ second file.
|
|
||||||
|
|
||||||
openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem
|
|
||||||
-reqin req.der -respout resp.der
|
|
||||||
+
|
|
||||||
+=head1 HISTORY
|
|
||||||
+
|
|
||||||
+The -no_alt_chains options was first added to OpenSSL 1.0.2b.
|
|
||||||
+
|
|
||||||
+=cut
|
|
||||||
diff -up openssl-1.0.2a/doc/apps/s_client.pod.alt-chains openssl-1.0.2a/doc/apps/s_client.pod
|
|
||||||
--- openssl-1.0.2a/doc/apps/s_client.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200
|
|
||||||
+++ openssl-1.0.2a/doc/apps/s_client.pod 2015-04-28 16:55:24.812248450 +0200
|
|
||||||
@@ -20,6 +20,7 @@ B<openssl> B<s_client>
|
|
||||||
[B<-CApath directory>]
|
|
||||||
[B<-CAfile filename>]
|
|
||||||
[B<-trusted_first>]
|
|
||||||
+[B<-no_alt_chains>]
|
|
||||||
[B<-reconnect>]
|
|
||||||
[B<-pause>]
|
|
||||||
[B<-showcerts>]
|
|
||||||
@@ -124,7 +125,7 @@ also used when building the client certi
|
|
||||||
A file containing trusted certificates to use during server authentication
|
|
||||||
and to use when attempting to build the client certificate chain.
|
|
||||||
|
|
||||||
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first>
|
|
||||||
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first -no_alt_chains>
|
|
||||||
|
|
||||||
Set various certificate chain valiadition option. See the
|
|
||||||
L<B<verify>|verify(1)> manual page for details.
|
|
||||||
@@ -365,4 +366,8 @@ information whenever a session is renego
|
|
||||||
|
|
||||||
L<sess_id(1)|sess_id(1)>, L<s_server(1)|s_server(1)>, L<ciphers(1)|ciphers(1)>
|
|
||||||
|
|
||||||
+=head1 HISTORY
|
|
||||||
+
|
|
||||||
+The -no_alt_chains options was first added to OpenSSL 1.0.2b.
|
|
||||||
+
|
|
||||||
=cut
|
|
||||||
diff -up openssl-1.0.2a/doc/apps/smime.pod.alt-chains openssl-1.0.2a/doc/apps/smime.pod
|
|
||||||
--- openssl-1.0.2a/doc/apps/smime.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200
|
|
||||||
+++ openssl-1.0.2a/doc/apps/smime.pod 2015-04-28 16:57:33.598246384 +0200
|
|
||||||
@@ -18,6 +18,7 @@ B<openssl> B<smime>
|
|
||||||
[B<-CAfile file>]
|
|
||||||
[B<-CApath dir>]
|
|
||||||
[B<-trusted_first>]
|
|
||||||
+[B<-no_alt_chains>]
|
|
||||||
[B<-certfile file>]
|
|
||||||
[B<-signer file>]
|
|
||||||
[B<-recip file>]
|
|
||||||
@@ -268,7 +269,7 @@ portion of a message so they may be incl
|
|
||||||
then many S/MIME mail clients check the signers certificate's email
|
|
||||||
address matches that specified in the From: address.
|
|
||||||
|
|
||||||
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
|
|
||||||
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
|
|
||||||
|
|
||||||
Set various options of certificate chain verification. See
|
|
||||||
L<B<verify>|verify(1)> manual page for details.
|
|
||||||
@@ -450,5 +451,6 @@ structures may cause parsing errors.
|
|
||||||
The use of multiple B<-signer> options and the B<-resign> command were first
|
|
||||||
added in OpenSSL 1.0.0
|
|
||||||
|
|
||||||
+The -no_alt_chains options was first added to OpenSSL 1.0.2b.
|
|
||||||
|
|
||||||
=cut
|
|
||||||
diff -up openssl-1.0.2a/doc/apps/s_server.pod.alt-chains openssl-1.0.2a/doc/apps/s_server.pod
|
|
||||||
--- openssl-1.0.2a/doc/apps/s_server.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200
|
|
||||||
+++ openssl-1.0.2a/doc/apps/s_server.pod 2015-04-28 16:56:27.494707598 +0200
|
|
||||||
@@ -34,6 +34,7 @@ B<openssl> B<s_server>
|
|
||||||
[B<-CApath directory>]
|
|
||||||
[B<-CAfile filename>]
|
|
||||||
[B<-trusted_first>]
|
|
||||||
+[B<-no_alt_chains>]
|
|
||||||
[B<-nocert>]
|
|
||||||
[B<-cipher cipherlist>]
|
|
||||||
[B<-serverpref>]
|
|
||||||
@@ -181,6 +182,10 @@ Use certificates in CA file or CA direct
|
|
||||||
when building the trust chain to verify client certificates.
|
|
||||||
This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
|
||||||
|
|
||||||
+=item B<-no_alt_chains>
|
|
||||||
+
|
|
||||||
+See the L<B<verify>|verify(1)> manual page for details.
|
|
||||||
+
|
|
||||||
=item B<-state>
|
|
||||||
|
|
||||||
prints out the SSL session states.
|
|
||||||
@@ -413,4 +418,8 @@ unknown cipher suites a client says it s
|
|
||||||
|
|
||||||
L<sess_id(1)|sess_id(1)>, L<s_client(1)|s_client(1)>, L<ciphers(1)|ciphers(1)>
|
|
||||||
|
|
||||||
+=head1 HISTORY
|
|
||||||
+
|
|
||||||
+The -no_alt_chains options was first added to OpenSSL 1.0.2b.
|
|
||||||
+
|
|
||||||
=cut
|
|
||||||
diff -up openssl-1.0.2a/doc/apps/verify.pod.alt-chains openssl-1.0.2a/doc/apps/verify.pod
|
|
||||||
--- openssl-1.0.2a/doc/apps/verify.pod.alt-chains 2015-04-23 10:22:56.228685330 +0200
|
|
||||||
+++ openssl-1.0.2a/doc/apps/verify.pod 2015-04-28 16:52:22.544033948 +0200
|
|
||||||
@@ -26,6 +26,7 @@ B<openssl> B<verify>
|
|
||||||
[B<-extended_crl>]
|
|
||||||
[B<-use_deltas>]
|
|
||||||
[B<-policy_print>]
|
|
||||||
+[B<-no_alt_chains>]
|
|
||||||
[B<-untrusted file>]
|
|
||||||
[B<-help>]
|
|
||||||
[B<-issuer_checks>]
|
|
||||||
@@ -131,6 +132,14 @@ Set policy variable inhibit-any-policy (
|
|
||||||
|
|
||||||
Set policy variable inhibit-policy-mapping (see RFC5280).
|
|
||||||
|
|
||||||
+=item B<-no_alt_chains>
|
|
||||||
+
|
|
||||||
+When building a certificate chain, if the first certificate chain found is not
|
|
||||||
+trusted, then OpenSSL will continue to check to see if an alternative chain can
|
|
||||||
+be found that is trusted. With this option that behaviour is suppressed so that
|
|
||||||
+only the first chain found is ever used. Using this option will force the
|
|
||||||
+behaviour to match that of previous OpenSSL versions.
|
|
||||||
+
|
|
||||||
=item B<-policy_print>
|
|
||||||
|
|
||||||
Print out diagnostics related to policy processing.
|
|
||||||
@@ -432,4 +441,8 @@ B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CER
|
|
||||||
|
|
||||||
L<x509(1)|x509(1)>
|
|
||||||
|
|
||||||
+=head1 HISTORY
|
|
||||||
+
|
|
||||||
+The -no_alt_chains options was first added to OpenSSL 1.0.2b.
|
|
||||||
+
|
|
||||||
=cut
|
|
||||||
diff -up openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod.alt-chains openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
|
|
||||||
--- openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod.alt-chains 2015-03-19 14:30:36.000000000 +0100
|
|
||||||
+++ openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod 2015-04-28 16:52:22.544033948 +0200
|
|
||||||
@@ -197,6 +197,12 @@ verification. If this flag is set then a
|
|
||||||
to the verification callback and it B<must> be prepared to handle such cases
|
|
||||||
without assuming they are hard errors.
|
|
||||||
|
|
||||||
+The B<X509_V_FLAG_NO_ALT_CHAINS> flag suppresses checking for alternative
|
|
||||||
+chains. By default, when building a certificate chain, if the first certificate
|
|
||||||
+chain found is not trusted, then OpenSSL will continue to check to see if an
|
|
||||||
+alternative chain can be found that is trusted. With this flag set the behaviour
|
|
||||||
+will match that of OpenSSL versions prior to 1.0.2b.
|
|
||||||
+
|
|
||||||
=head1 NOTES
|
|
||||||
|
|
||||||
The above functions should be used to manipulate verification parameters
|
|
||||||
@@ -233,6 +239,6 @@ L<X509_check_ip(3)|X509_check_ip(3)>
|
|
||||||
|
|
||||||
=head1 HISTORY
|
|
||||||
|
|
||||||
-TBA
|
|
||||||
+The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in OpenSSL 1.0.2b
|
|
||||||
|
|
||||||
=cut
|
|
@ -1,75 +0,0 @@
|
|||||||
diff -up openssl-1.0.2a/apps/s_server.c.dh1024 openssl-1.0.2a/apps/s_server.c
|
|
||||||
--- openssl-1.0.2a/apps/s_server.c.dh1024 2015-04-09 18:19:55.978228949 +0200
|
|
||||||
+++ openssl-1.0.2a/apps/s_server.c 2015-04-09 18:19:50.842110304 +0200
|
|
||||||
@@ -230,29 +230,44 @@ static void s_server_init(void);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_DH
|
|
||||||
-static unsigned char dh512_p[] = {
|
|
||||||
- 0xDA, 0x58, 0x3C, 0x16, 0xD9, 0x85, 0x22, 0x89, 0xD0, 0xE4, 0xAF, 0x75,
|
|
||||||
- 0x6F, 0x4C, 0xCA, 0x92, 0xDD, 0x4B, 0xE5, 0x33, 0xB8, 0x04, 0xFB, 0x0F,
|
|
||||||
- 0xED, 0x94, 0xEF, 0x9C, 0x8A, 0x44, 0x03, 0xED, 0x57, 0x46, 0x50, 0xD3,
|
|
||||||
- 0x69, 0x99, 0xDB, 0x29, 0xD7, 0x76, 0x27, 0x6B, 0xA2, 0xD3, 0xD4, 0x12,
|
|
||||||
- 0xE2, 0x18, 0xF4, 0xDD, 0x1E, 0x08, 0x4C, 0xF6, 0xD8, 0x00, 0x3E, 0x7C,
|
|
||||||
- 0x47, 0x74, 0xE8, 0x33,
|
|
||||||
-};
|
|
||||||
-
|
|
||||||
-static unsigned char dh512_g[] = {
|
|
||||||
- 0x02,
|
|
||||||
-};
|
|
||||||
-
|
|
||||||
-static DH *get_dh512(void)
|
|
||||||
+static DH *get_dh1024()
|
|
||||||
{
|
|
||||||
- DH *dh = NULL;
|
|
||||||
+ static unsigned char dh1024_p[] = {
|
|
||||||
+ 0x99, 0x58, 0xFA, 0x90, 0x53, 0x2F, 0xE0, 0x61, 0x83, 0x9D, 0x54,
|
|
||||||
+ 0x63,
|
|
||||||
+ 0xBD, 0x35, 0x5A, 0x31, 0xF3, 0xC6, 0x79, 0xE5, 0xA0, 0x0F, 0x66,
|
|
||||||
+ 0x79,
|
|
||||||
+ 0x3C, 0xA0, 0x7F, 0xE8, 0xA2, 0x5F, 0xDF, 0x11, 0x08, 0xA3, 0xF0,
|
|
||||||
+ 0x3C,
|
|
||||||
+ 0xC3, 0x3C, 0x5D, 0x50, 0x2C, 0xD5, 0xD6, 0x58, 0x12, 0xDB, 0xC1,
|
|
||||||
+ 0xEF,
|
|
||||||
+ 0xB4, 0x47, 0x4A, 0x5A, 0x39, 0x8A, 0x4E, 0xEB, 0x44, 0xE2, 0x07,
|
|
||||||
+ 0xFB,
|
|
||||||
+ 0x3D, 0xA3, 0xC7, 0x6E, 0x52, 0xF3, 0x2B, 0x7B, 0x10, 0xA5, 0x98,
|
|
||||||
+ 0xE3,
|
|
||||||
+ 0x38, 0x2A, 0xE2, 0x7F, 0xA4, 0x8F, 0x26, 0x87, 0x9B, 0x66, 0x7A,
|
|
||||||
+ 0xED,
|
|
||||||
+ 0x2D, 0x4C, 0xE7, 0x33, 0x77, 0x47, 0x94, 0x43, 0xB6, 0xAA, 0x97,
|
|
||||||
+ 0x23,
|
|
||||||
+ 0x8A, 0xFC, 0xA5, 0xA6, 0x64, 0x09, 0xC0, 0x27, 0xC0, 0xEF, 0xCB,
|
|
||||||
+ 0x05,
|
|
||||||
+ 0x90, 0x9D, 0xD5, 0x75, 0xBA, 0x00, 0xE0, 0xFB, 0xA8, 0x81, 0x52,
|
|
||||||
+ 0xA4,
|
|
||||||
+ 0xB2, 0x83, 0x22, 0x5B, 0xCB, 0xD7, 0x16, 0x93,
|
|
||||||
+ };
|
|
||||||
+ static unsigned char dh1024_g[] = {
|
|
||||||
+ 0x02,
|
|
||||||
+ };
|
|
||||||
+ DH *dh;
|
|
||||||
|
|
||||||
if ((dh = DH_new()) == NULL)
|
|
||||||
return (NULL);
|
|
||||||
- dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
|
|
||||||
- dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
|
|
||||||
- if ((dh->p == NULL) || (dh->g == NULL))
|
|
||||||
+ dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
|
|
||||||
+ dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
|
|
||||||
+ if ((dh->p == NULL) || (dh->g == NULL)) {
|
|
||||||
+ DH_free(dh);
|
|
||||||
return (NULL);
|
|
||||||
+ }
|
|
||||||
return (dh);
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
@@ -1872,7 +1987,7 @@ int MAIN(int argc, char *argv[])
|
|
||||||
BIO_printf(bio_s_out, "Setting temp DH parameters\n");
|
|
||||||
} else {
|
|
||||||
BIO_printf(bio_s_out, "Using default temp DH parameters\n");
|
|
||||||
- dh = get_dh512();
|
|
||||||
+ dh = get_dh1024();
|
|
||||||
}
|
|
||||||
(void)BIO_flush(bio_s_out);
|
|
||||||
|
|
@ -1,38 +1,7 @@
|
|||||||
diff -up openssl-1.0.2a/apps/s_client.c.default-paths openssl-1.0.2a/apps/s_client.c
|
diff -up openssl-1.0.2c/apps/s_server.c.default-paths openssl-1.0.2c/apps/s_server.c
|
||||||
--- openssl-1.0.2a/apps/s_client.c.default-paths 2015-04-20 14:48:31.462166971 +0200
|
--- openssl-1.0.2c/apps/s_server.c.default-paths 2015-06-12 16:51:21.000000000 +0200
|
||||||
+++ openssl-1.0.2a/apps/s_client.c 2015-04-20 14:52:55.125316170 +0200
|
+++ openssl-1.0.2c/apps/s_server.c 2015-06-15 17:24:17.747446515 +0200
|
||||||
@@ -1336,19 +1336,16 @@ int MAIN(int argc, char **argv)
|
@@ -1788,12 +1788,16 @@ int MAIN(int argc, char *argv[])
|
||||||
|
|
||||||
SSL_CTX_set_verify(ctx, verify, verify_callback);
|
|
||||||
|
|
||||||
- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
|
|
||||||
- (!SSL_CTX_set_default_verify_paths(ctx))) {
|
|
||||||
- /*
|
|
||||||
- * BIO_printf(bio_err,"error setting default verify locations\n");
|
|
||||||
- */
|
|
||||||
- ERR_print_errors(bio_err);
|
|
||||||
- /* goto end; */
|
|
||||||
+ if (CAfile == NULL && CApath == NULL) {
|
|
||||||
+ if (!SSL_CTX_set_default_verify_paths(ctx)) {
|
|
||||||
+ ERR_print_errors(bio_err);
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
+ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
|
|
||||||
+ ERR_print_errors(bio_err);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
- ssl_ctx_add_crls(ctx, crls, crl_download);
|
|
||||||
- if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain))
|
|
||||||
- goto end;
|
|
||||||
-
|
|
||||||
#ifndef OPENSSL_NO_TLSEXT
|
|
||||||
if (servername != NULL) {
|
|
||||||
tlsextcbp.biodebug = bio_err;
|
|
||||||
diff -up openssl-1.0.2a/apps/s_server.c.default-paths openssl-1.0.2a/apps/s_server.c
|
|
||||||
--- openssl-1.0.2a/apps/s_server.c.default-paths 2015-03-19 14:30:36.000000000 +0100
|
|
||||||
+++ openssl-1.0.2a/apps/s_server.c 2015-04-20 14:48:31.462166971 +0200
|
|
||||||
@@ -1768,12 +1768,16 @@ int MAIN(int argc, char *argv[])
|
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -54,7 +23,7 @@ diff -up openssl-1.0.2a/apps/s_server.c.default-paths openssl-1.0.2a/apps/s_serv
|
|||||||
if (vpm)
|
if (vpm)
|
||||||
SSL_CTX_set1_param(ctx, vpm);
|
SSL_CTX_set1_param(ctx, vpm);
|
||||||
|
|
||||||
@@ -1830,8 +1834,10 @@ int MAIN(int argc, char *argv[])
|
@@ -1850,8 +1854,10 @@ int MAIN(int argc, char *argv[])
|
||||||
else
|
else
|
||||||
SSL_CTX_sess_set_cache_size(ctx2, 128);
|
SSL_CTX_sess_set_cache_size(ctx2, 128);
|
||||||
|
|
||||||
@ -67,9 +36,9 @@ diff -up openssl-1.0.2a/apps/s_server.c.default-paths openssl-1.0.2a/apps/s_serv
|
|||||||
ERR_print_errors(bio_err);
|
ERR_print_errors(bio_err);
|
||||||
}
|
}
|
||||||
if (vpm)
|
if (vpm)
|
||||||
diff -up openssl-1.0.2a/apps/s_time.c.default-paths openssl-1.0.2a/apps/s_time.c
|
diff -up openssl-1.0.2c/apps/s_time.c.default-paths openssl-1.0.2c/apps/s_time.c
|
||||||
--- openssl-1.0.2a/apps/s_time.c.default-paths 2015-04-20 14:48:31.462166971 +0200
|
--- openssl-1.0.2c/apps/s_time.c.default-paths 2015-06-12 16:51:21.000000000 +0200
|
||||||
+++ openssl-1.0.2a/apps/s_time.c 2015-04-20 14:55:14.232542738 +0200
|
+++ openssl-1.0.2c/apps/s_time.c 2015-06-15 17:24:17.747446515 +0200
|
||||||
@@ -381,13 +381,14 @@ int MAIN(int argc, char **argv)
|
@@ -381,13 +381,14 @@ int MAIN(int argc, char **argv)
|
||||||
|
|
||||||
SSL_load_error_strings();
|
SSL_load_error_strings();
|
@ -1,6 +1,6 @@
|
|||||||
diff -up openssl-1.0.2a/apps/speed.c.suiteb openssl-1.0.2a/apps/speed.c
|
diff -up openssl-1.0.2c/apps/speed.c.suiteb openssl-1.0.2c/apps/speed.c
|
||||||
--- openssl-1.0.2a/apps/speed.c.suiteb 2015-04-21 17:46:15.452321183 +0200
|
--- openssl-1.0.2c/apps/speed.c.suiteb 2015-06-15 17:37:06.285083685 +0200
|
||||||
+++ openssl-1.0.2a/apps/speed.c 2015-04-22 14:52:45.362272296 +0200
|
+++ openssl-1.0.2c/apps/speed.c 2015-06-15 17:37:06.335084836 +0200
|
||||||
@@ -996,78 +996,26 @@ int MAIN(int argc, char **argv)
|
@@ -996,78 +996,26 @@ int MAIN(int argc, char **argv)
|
||||||
} else
|
} else
|
||||||
# endif
|
# endif
|
||||||
@ -122,52 +122,48 @@ diff -up openssl-1.0.2a/apps/speed.c.suiteb openssl-1.0.2a/apps/speed.c
|
|||||||
ecdh_doit[i] = 1;
|
ecdh_doit[i] = 1;
|
||||||
# endif
|
# endif
|
||||||
}
|
}
|
||||||
diff -up openssl-1.0.2a/ssl/t1_lib.c.suiteb openssl-1.0.2a/ssl/t1_lib.c
|
diff -up openssl-1.0.2c/ssl/t1_lib.c.suiteb openssl-1.0.2c/ssl/t1_lib.c
|
||||||
--- openssl-1.0.2a/ssl/t1_lib.c.suiteb 2015-04-21 17:46:15.506322451 +0200
|
--- openssl-1.0.2c/ssl/t1_lib.c.suiteb 2015-06-12 16:51:27.000000000 +0200
|
||||||
+++ openssl-1.0.2a/ssl/t1_lib.c 2015-04-22 15:03:32.464591096 +0200
|
+++ openssl-1.0.2c/ssl/t1_lib.c 2015-06-15 17:44:03.578681271 +0200
|
||||||
@@ -266,41 +266,30 @@ static const unsigned char eccurves_defa
|
@@ -268,11 +268,7 @@ static const unsigned char eccurves_auto
|
||||||
0, 13, /* sect571k1 (13) */
|
0, 23, /* secp256r1 (23) */
|
||||||
# endif
|
/* Other >= 256-bit prime curves. */
|
||||||
0, 25, /* secp521r1 (25) */
|
0, 25, /* secp521r1 (25) */
|
||||||
- 0, 28, /* brainpool512r1 (28) */
|
- 0, 28, /* brainpool512r1 (28) */
|
||||||
# ifndef OPENSSL_NO_EC2M
|
|
||||||
0, 11, /* sect409k1 (11) */
|
|
||||||
0, 12, /* sect409r1 (12) */
|
|
||||||
# endif
|
|
||||||
- 0, 27, /* brainpoolP384r1 (27) */
|
- 0, 27, /* brainpoolP384r1 (27) */
|
||||||
0, 24, /* secp384r1 (24) */
|
0, 24, /* secp384r1 (24) */
|
||||||
# ifndef OPENSSL_NO_EC2M
|
|
||||||
0, 9, /* sect283k1 (9) */
|
|
||||||
0, 10, /* sect283r1 (10) */
|
|
||||||
# endif
|
|
||||||
- 0, 26, /* brainpoolP256r1 (26) */
|
- 0, 26, /* brainpoolP256r1 (26) */
|
||||||
- 0, 22, /* secp256k1 (22) */
|
- 0, 22, /* secp256k1 (22) */
|
||||||
0, 23, /* secp256r1 (23) */
|
|
||||||
# ifndef OPENSSL_NO_EC2M
|
# ifndef OPENSSL_NO_EC2M
|
||||||
0, 8, /* sect239k1 (8) */
|
/* >= 256-bit binary curves. */
|
||||||
0, 6, /* sect233k1 (6) */
|
0, 14, /* sect571r1 (14) */
|
||||||
0, 7, /* sect233r1 (7) */
|
@@ -289,11 +285,7 @@ static const unsigned char eccurves_all[
|
||||||
# endif
|
0, 23, /* secp256r1 (23) */
|
||||||
|
/* Other >= 256-bit prime curves. */
|
||||||
|
0, 25, /* secp521r1 (25) */
|
||||||
|
- 0, 28, /* brainpool512r1 (28) */
|
||||||
|
- 0, 27, /* brainpoolP384r1 (27) */
|
||||||
|
0, 24, /* secp384r1 (24) */
|
||||||
|
- 0, 26, /* brainpoolP256r1 (26) */
|
||||||
|
- 0, 22, /* secp256k1 (22) */
|
||||||
|
# ifndef OPENSSL_NO_EC2M
|
||||||
|
/* >= 256-bit binary curves. */
|
||||||
|
0, 14, /* sect571r1 (14) */
|
||||||
|
@@ -307,13 +299,6 @@ static const unsigned char eccurves_all[
|
||||||
|
* Remaining curves disabled by default but still permitted if set
|
||||||
|
* via an explicit callback or parameters.
|
||||||
|
*/
|
||||||
- 0, 20, /* secp224k1 (20) */
|
- 0, 20, /* secp224k1 (20) */
|
||||||
- 0, 21, /* secp224r1 (21) */
|
- 0, 21, /* secp224r1 (21) */
|
||||||
# ifndef OPENSSL_NO_EC2M
|
|
||||||
0, 4, /* sect193r1 (4) */
|
|
||||||
0, 5, /* sect193r2 (5) */
|
|
||||||
# endif
|
|
||||||
- 0, 18, /* secp192k1 (18) */
|
- 0, 18, /* secp192k1 (18) */
|
||||||
- 0, 19, /* secp192r1 (19) */
|
- 0, 19, /* secp192r1 (19) */
|
||||||
# ifndef OPENSSL_NO_EC2M
|
|
||||||
0, 1, /* sect163k1 (1) */
|
|
||||||
0, 2, /* sect163r1 (2) */
|
|
||||||
0, 3, /* sect163r2 (3) */
|
|
||||||
# endif
|
|
||||||
- 0, 15, /* secp160k1 (15) */
|
- 0, 15, /* secp160k1 (15) */
|
||||||
- 0, 16, /* secp160r1 (16) */
|
- 0, 16, /* secp160r1 (16) */
|
||||||
- 0, 17, /* secp160r2 (17) */
|
- 0, 17, /* secp160r2 (17) */
|
||||||
};
|
# ifndef OPENSSL_NO_EC2M
|
||||||
|
0, 8, /* sect239k1 (8) */
|
||||||
static const unsigned char suiteb_curves[] = {
|
0, 6, /* sect233k1 (6) */
|
||||||
@@ -325,29 +314,21 @@ static const unsigned char fips_curves_d
|
@@ -348,29 +333,21 @@ static const unsigned char fips_curves_d
|
||||||
0, 9, /* sect283k1 (9) */
|
0, 9, /* sect283k1 (9) */
|
||||||
0, 10, /* sect283r1 (10) */
|
0, 10, /* sect283r1 (10) */
|
||||||
# endif
|
# endif
|
File diff suppressed because it is too large
Load Diff
@ -1,7 +1,7 @@
|
|||||||
diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure
|
diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure
|
||||||
--- openssl-1.0.2a/Configure.rpmbuild 2015-03-19 14:30:36.000000000 +0100
|
--- openssl-1.0.2c/Configure.rpmbuild 2015-06-12 16:51:21.000000000 +0200
|
||||||
+++ openssl-1.0.2a/Configure 2015-04-20 14:35:03.516318252 +0200
|
+++ openssl-1.0.2c/Configure 2015-06-15 17:22:52.598496680 +0200
|
||||||
@@ -348,8 +348,8 @@ my %table=(
|
@@ -365,8 +365,8 @@ my %table=(
|
||||||
####
|
####
|
||||||
# *-generic* is endian-neutral target, but ./config is free to
|
# *-generic* is endian-neutral target, but ./config is free to
|
||||||
# throw in -D[BL]_ENDIAN, whichever appropriate...
|
# throw in -D[BL]_ENDIAN, whichever appropriate...
|
||||||
@ -12,14 +12,14 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure
|
|||||||
|
|
||||||
#######################################################################
|
#######################################################################
|
||||||
# Note that -march is not among compiler options in below linux-armv4
|
# Note that -march is not among compiler options in below linux-armv4
|
||||||
@@ -378,30 +378,30 @@ my %table=(
|
@@ -395,30 +395,30 @@ my %table=(
|
||||||
#
|
#
|
||||||
# ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8
|
# ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8
|
||||||
#
|
#
|
||||||
-"linux-armv4", "gcc: -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
-"linux-armv4", "gcc: -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
-"linux-aarch64","gcc: -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
-"linux-aarch64","gcc: -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
+"linux-armv4", "gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
+"linux-armv4", "gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
+"linux-aarch64","gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
+"linux-aarch64","gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
# Configure script adds minimally required -march for assembly support,
|
# Configure script adds minimally required -march for assembly support,
|
||||||
# if no -march was specified at command line. mips32 and mips64 below
|
# if no -march was specified at command line. mips32 and mips64 below
|
||||||
# refer to contemporary MIPS Architecture specifications, MIPS32 and
|
# refer to contemporary MIPS Architecture specifications, MIPS32 and
|
||||||
@ -40,14 +40,14 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure
|
|||||||
-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||||
-"linux-ppc64le","gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
|
-"linux-ppc64le","gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
|
||||||
-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
+"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
+"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
+"linux-ppc64", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
+"linux-ppc64", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||||
+"linux-ppc64le","gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
+"linux-ppc64le","gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||||
+"linux-ia64", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
+"linux-ia64", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
"linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
"linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||||
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||||
"linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Weverything $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
"linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||||
"linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
"linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||||
"linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
|
"linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
|
||||||
-"linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
-"linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||||
@ -55,12 +55,12 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure
|
|||||||
#### So called "highgprs" target for z/Architecture CPUs
|
#### So called "highgprs" target for z/Architecture CPUs
|
||||||
# "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
|
# "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
|
||||||
# /proc/cpuinfo. The idea is to preserve most significant bits of
|
# /proc/cpuinfo. The idea is to preserve most significant bits of
|
||||||
@@ -419,12 +419,12 @@ my %table=(
|
@@ -436,12 +436,12 @@ my %table=(
|
||||||
#### SPARC Linux setups
|
#### SPARC Linux setups
|
||||||
# Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
|
# Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
|
||||||
# assisted with debugging of following two configs.
|
# assisted with debugging of following two configs.
|
||||||
-"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
-"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
+"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
+"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
# it's a real mess with -mcpu=ultrasparc option under Linux, but
|
# it's a real mess with -mcpu=ultrasparc option under Linux, but
|
||||||
# -Wa,-Av8plus should do the trick no matter what.
|
# -Wa,-Av8plus should do the trick no matter what.
|
||||||
-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
@ -71,7 +71,7 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure
|
|||||||
#### Alpha Linux with GNU C and Compaq C setups
|
#### Alpha Linux with GNU C and Compaq C setups
|
||||||
# Special notes:
|
# Special notes:
|
||||||
# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
|
# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
|
||||||
@@ -1737,7 +1737,7 @@ while (<IN>)
|
@@ -1764,7 +1764,7 @@ while (<IN>)
|
||||||
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
|
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
|
||||||
{
|
{
|
||||||
my $sotmp = $1;
|
my $sotmp = $1;
|
||||||
@ -80,9 +80,9 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure
|
|||||||
}
|
}
|
||||||
elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
|
elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
|
||||||
{
|
{
|
||||||
diff -up openssl-1.0.2a/Makefile.org.rpmbuild openssl-1.0.2a/Makefile.org
|
diff -up openssl-1.0.2c/Makefile.org.rpmbuild openssl-1.0.2c/Makefile.org
|
||||||
--- openssl-1.0.2a/Makefile.org.rpmbuild 2015-03-19 14:30:36.000000000 +0100
|
--- openssl-1.0.2c/Makefile.org.rpmbuild 2015-06-12 16:51:21.000000000 +0200
|
||||||
+++ openssl-1.0.2a/Makefile.org 2015-04-20 14:11:52.152847093 +0200
|
+++ openssl-1.0.2c/Makefile.org 2015-06-15 17:19:14.874510995 +0200
|
||||||
@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
|
@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
|
||||||
SHLIB_MAJOR=
|
SHLIB_MAJOR=
|
||||||
SHLIB_MINOR=
|
SHLIB_MINOR=
|
||||||
@ -91,7 +91,7 @@ diff -up openssl-1.0.2a/Makefile.org.rpmbuild openssl-1.0.2a/Makefile.org
|
|||||||
PLATFORM=dist
|
PLATFORM=dist
|
||||||
OPTIONS=
|
OPTIONS=
|
||||||
CONFIGURE_ARGS=
|
CONFIGURE_ARGS=
|
||||||
@@ -335,10 +336,9 @@ clean-shared:
|
@@ -338,10 +339,9 @@ clean-shared:
|
||||||
link-shared:
|
link-shared:
|
||||||
@ set -e; for i in $(SHLIBDIRS); do \
|
@ set -e; for i in $(SHLIBDIRS); do \
|
||||||
$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
|
$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
|
||||||
@ -103,7 +103,7 @@ diff -up openssl-1.0.2a/Makefile.org.rpmbuild openssl-1.0.2a/Makefile.org
|
|||||||
done
|
done
|
||||||
|
|
||||||
build-shared: do_$(SHLIB_TARGET) link-shared
|
build-shared: do_$(SHLIB_TARGET) link-shared
|
||||||
@@ -349,7 +349,7 @@ do_$(SHLIB_TARGET):
|
@@ -352,7 +352,7 @@ do_$(SHLIB_TARGET):
|
||||||
libs="$(LIBKRB5) $$libs"; \
|
libs="$(LIBKRB5) $$libs"; \
|
||||||
fi; \
|
fi; \
|
||||||
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
|
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
|
@ -1,66 +1,66 @@
|
|||||||
diff -up openssl-1.0.2a/apps/cms.c.trusted-first openssl-1.0.2a/apps/cms.c
|
diff -up openssl-1.0.2c/apps/cms.c.trusted-first openssl-1.0.2c/apps/cms.c
|
||||||
--- openssl-1.0.2a/apps/cms.c.trusted-first 2015-03-19 14:30:36.000000000 +0100
|
--- openssl-1.0.2c/apps/cms.c.trusted-first 2015-06-15 17:45:13.112279761 +0200
|
||||||
+++ openssl-1.0.2a/apps/cms.c 2015-04-22 16:25:31.839164061 +0200
|
+++ openssl-1.0.2c/apps/cms.c 2015-06-15 17:46:11.045611575 +0200
|
||||||
@@ -646,6 +646,8 @@ int MAIN(int argc, char **argv)
|
@@ -646,6 +646,8 @@ int MAIN(int argc, char **argv)
|
||||||
"-CApath dir trusted certificates directory\n");
|
"-CApath dir trusted certificates directory\n");
|
||||||
BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
|
BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
|
||||||
BIO_printf(bio_err,
|
BIO_printf(bio_err,
|
||||||
+ "-trusted_first use trusted certificates first when building the trust chain\n");
|
+ "-trusted_first use trusted certificates first when building the trust chain\n");
|
||||||
+ BIO_printf(bio_err,
|
+ BIO_printf(bio_err,
|
||||||
"-crl_check check revocation status of signer's certificate using CRLs\n");
|
"-no_alt_chains only ever use the first certificate chain found\n");
|
||||||
BIO_printf(bio_err,
|
BIO_printf(bio_err,
|
||||||
"-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
|
"-crl_check check revocation status of signer's certificate using CRLs\n");
|
||||||
diff -up openssl-1.0.2a/apps/ocsp.c.trusted-first openssl-1.0.2a/apps/ocsp.c
|
diff -up openssl-1.0.2c/apps/ocsp.c.trusted-first openssl-1.0.2c/apps/ocsp.c
|
||||||
--- openssl-1.0.2a/apps/ocsp.c.trusted-first 2015-03-19 14:30:36.000000000 +0100
|
--- openssl-1.0.2c/apps/ocsp.c.trusted-first 2015-06-15 17:45:13.112279761 +0200
|
||||||
+++ openssl-1.0.2a/apps/ocsp.c 2015-04-22 16:25:31.840164085 +0200
|
+++ openssl-1.0.2c/apps/ocsp.c 2015-06-15 17:46:31.898090948 +0200
|
||||||
@@ -536,6 +536,8 @@ int MAIN(int argc, char **argv)
|
@@ -536,6 +536,8 @@ int MAIN(int argc, char **argv)
|
||||||
BIO_printf(bio_err,
|
BIO_printf(bio_err,
|
||||||
"-CAfile file trusted certificates file\n");
|
"-CAfile file trusted certificates file\n");
|
||||||
BIO_printf(bio_err,
|
BIO_printf(bio_err,
|
||||||
+ "-trusted_first use trusted certificates first when building the trust chain\n");
|
+ "-trusted_first use trusted certificates first when building the trust chain\n");
|
||||||
+ BIO_printf(bio_err,
|
+ BIO_printf(bio_err,
|
||||||
"-VAfile file validator certificates file\n");
|
"-no_alt_chains only ever use the first certificate chain found\n");
|
||||||
BIO_printf(bio_err,
|
BIO_printf(bio_err,
|
||||||
"-validity_period n maximum validity discrepancy in seconds\n");
|
"-VAfile file validator certificates file\n");
|
||||||
diff -up openssl-1.0.2a/apps/s_client.c.trusted-first openssl-1.0.2a/apps/s_client.c
|
diff -up openssl-1.0.2c/apps/s_client.c.trusted-first openssl-1.0.2c/apps/s_client.c
|
||||||
--- openssl-1.0.2a/apps/s_client.c.trusted-first 2015-04-22 16:25:31.799163115 +0200
|
--- openssl-1.0.2c/apps/s_client.c.trusted-first 2015-06-15 17:45:13.113279784 +0200
|
||||||
+++ openssl-1.0.2a/apps/s_client.c 2015-04-22 16:25:31.840164085 +0200
|
+++ openssl-1.0.2c/apps/s_client.c 2015-06-15 17:47:05.645866767 +0200
|
||||||
@@ -333,6 +333,8 @@ static void sc_usage(void)
|
@@ -333,6 +333,8 @@ static void sc_usage(void)
|
||||||
BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
|
BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
|
||||||
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
|
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
|
||||||
BIO_printf(bio_err,
|
BIO_printf(bio_err,
|
||||||
+ " -trusted_first - Use trusted CA's first when building the trust chain\n");
|
+ " -trusted_first - Use trusted CA's first when building the trust chain\n");
|
||||||
+ BIO_printf(bio_err,
|
+ BIO_printf(bio_err,
|
||||||
" -reconnect - Drop and re-make the connection with the same Session-ID\n");
|
" -no_alt_chains - only ever use the first certificate chain found\n");
|
||||||
BIO_printf(bio_err,
|
BIO_printf(bio_err,
|
||||||
" -pause - sleep(1) after each read(2) and write(2) system call\n");
|
" -reconnect - Drop and re-make the connection with the same Session-ID\n");
|
||||||
diff -up openssl-1.0.2a/apps/smime.c.trusted-first openssl-1.0.2a/apps/smime.c
|
diff -up openssl-1.0.2c/apps/smime.c.trusted-first openssl-1.0.2c/apps/smime.c
|
||||||
--- openssl-1.0.2a/apps/smime.c.trusted-first 2015-03-19 14:30:36.000000000 +0100
|
--- openssl-1.0.2c/apps/smime.c.trusted-first 2015-06-15 17:45:13.113279784 +0200
|
||||||
+++ openssl-1.0.2a/apps/smime.c 2015-04-22 16:25:31.840164085 +0200
|
+++ openssl-1.0.2c/apps/smime.c 2015-06-15 17:47:39.090635621 +0200
|
||||||
@@ -442,6 +442,8 @@ int MAIN(int argc, char **argv)
|
@@ -442,6 +442,8 @@ int MAIN(int argc, char **argv)
|
||||||
"-CApath dir trusted certificates directory\n");
|
"-CApath dir trusted certificates directory\n");
|
||||||
BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
|
BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
|
||||||
BIO_printf(bio_err,
|
BIO_printf(bio_err,
|
||||||
+ "-trusted_first use trusted certificates first when building the trust chain\n");
|
+ "-trusted_first use trusted certificates first when building the trust chain\n");
|
||||||
+ BIO_printf(bio_err,
|
+ BIO_printf(bio_err,
|
||||||
"-crl_check check revocation status of signer's certificate using CRLs\n");
|
"-no_alt_chains only ever use the first certificate chain found\n");
|
||||||
BIO_printf(bio_err,
|
BIO_printf(bio_err,
|
||||||
"-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
|
"-crl_check check revocation status of signer's certificate using CRLs\n");
|
||||||
diff -up openssl-1.0.2a/apps/s_server.c.trusted-first openssl-1.0.2a/apps/s_server.c
|
diff -up openssl-1.0.2c/apps/s_server.c.trusted-first openssl-1.0.2c/apps/s_server.c
|
||||||
--- openssl-1.0.2a/apps/s_server.c.trusted-first 2015-04-22 16:25:31.806163281 +0200
|
--- openssl-1.0.2c/apps/s_server.c.trusted-first 2015-06-15 17:45:13.114279807 +0200
|
||||||
+++ openssl-1.0.2a/apps/s_server.c 2015-04-22 16:25:31.841164108 +0200
|
+++ openssl-1.0.2c/apps/s_server.c 2015-06-15 17:47:24.841308046 +0200
|
||||||
@@ -569,6 +569,8 @@ static void sv_usage(void)
|
@@ -572,6 +572,8 @@ static void sv_usage(void)
|
||||||
BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
|
BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
|
||||||
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
|
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
|
||||||
BIO_printf(bio_err,
|
BIO_printf(bio_err,
|
||||||
+ " -trusted_first - Use trusted CA's first when building the trust chain\n");
|
+ " -trusted_first - Use trusted CA's first when building the trust chain\n");
|
||||||
+ BIO_printf(bio_err,
|
+ BIO_printf(bio_err,
|
||||||
" -nocert - Don't use any certificates (Anon-DH)\n");
|
" -no_alt_chains - only ever use the first certificate chain found\n");
|
||||||
BIO_printf(bio_err,
|
BIO_printf(bio_err,
|
||||||
" -cipher arg - play with 'openssl ciphers' to see what goes here\n");
|
" -nocert - Don't use any certificates (Anon-DH)\n");
|
||||||
diff -up openssl-1.0.2a/apps/s_time.c.trusted-first openssl-1.0.2a/apps/s_time.c
|
diff -up openssl-1.0.2c/apps/s_time.c.trusted-first openssl-1.0.2c/apps/s_time.c
|
||||||
--- openssl-1.0.2a/apps/s_time.c.trusted-first 2015-04-22 16:25:31.755162075 +0200
|
--- openssl-1.0.2c/apps/s_time.c.trusted-first 2015-06-15 17:45:13.010277416 +0200
|
||||||
+++ openssl-1.0.2a/apps/s_time.c 2015-04-22 16:25:31.841164108 +0200
|
+++ openssl-1.0.2c/apps/s_time.c 2015-06-15 17:45:13.114279807 +0200
|
||||||
@@ -182,6 +182,7 @@ static void s_time_usage(void)
|
@@ -182,6 +182,7 @@ static void s_time_usage(void)
|
||||||
file if not specified by this option\n\
|
file if not specified by this option\n\
|
||||||
-CApath arg - PEM format directory of CA's\n\
|
-CApath arg - PEM format directory of CA's\n\
|
||||||
@ -69,9 +69,9 @@ diff -up openssl-1.0.2a/apps/s_time.c.trusted-first openssl-1.0.2a/apps/s_time.c
|
|||||||
-cipher - preferred cipher to use, play with 'openssl ciphers'\n\n";
|
-cipher - preferred cipher to use, play with 'openssl ciphers'\n\n";
|
||||||
|
|
||||||
printf("usage: s_time <args>\n\n");
|
printf("usage: s_time <args>\n\n");
|
||||||
diff -up openssl-1.0.2a/apps/ts.c.trusted-first openssl-1.0.2a/apps/ts.c
|
diff -up openssl-1.0.2c/apps/ts.c.trusted-first openssl-1.0.2c/apps/ts.c
|
||||||
--- openssl-1.0.2a/apps/ts.c.trusted-first 2015-04-22 16:25:31.797163068 +0200
|
--- openssl-1.0.2c/apps/ts.c.trusted-first 2015-06-15 17:45:13.065278681 +0200
|
||||||
+++ openssl-1.0.2a/apps/ts.c 2015-04-22 16:25:31.841164108 +0200
|
+++ openssl-1.0.2c/apps/ts.c 2015-06-15 17:45:13.114279807 +0200
|
||||||
@@ -352,7 +352,7 @@ int MAIN(int argc, char **argv)
|
@@ -352,7 +352,7 @@ int MAIN(int argc, char **argv)
|
||||||
"ts -verify [-data file_to_hash] [-digest digest_bytes] "
|
"ts -verify [-data file_to_hash] [-digest digest_bytes] "
|
||||||
"[-queryfile request.tsq] "
|
"[-queryfile request.tsq] "
|
||||||
@ -81,30 +81,30 @@ diff -up openssl-1.0.2a/apps/ts.c.trusted-first openssl-1.0.2a/apps/ts.c
|
|||||||
"-untrusted cert_file.pem\n");
|
"-untrusted cert_file.pem\n");
|
||||||
cleanup:
|
cleanup:
|
||||||
/* Clean up. */
|
/* Clean up. */
|
||||||
diff -up openssl-1.0.2a/apps/verify.c.trusted-first openssl-1.0.2a/apps/verify.c
|
diff -up openssl-1.0.2c/apps/verify.c.trusted-first openssl-1.0.2c/apps/verify.c
|
||||||
--- openssl-1.0.2a/apps/verify.c.trusted-first 2015-03-19 14:30:36.000000000 +0100
|
--- openssl-1.0.2c/apps/verify.c.trusted-first 2015-06-15 17:45:13.114279807 +0200
|
||||||
+++ openssl-1.0.2a/apps/verify.c 2015-04-22 16:25:31.841164108 +0200
|
+++ openssl-1.0.2c/apps/verify.c 2015-06-15 17:48:03.979207778 +0200
|
||||||
@@ -231,7 +231,7 @@ int MAIN(int argc, char **argv)
|
@@ -231,7 +231,7 @@ int MAIN(int argc, char **argv)
|
||||||
end:
|
end:
|
||||||
if (ret == 1) {
|
if (ret == 1) {
|
||||||
BIO_printf(bio_err,
|
BIO_printf(bio_err,
|
||||||
- "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
|
- "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
|
||||||
+ "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
|
+ "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
|
||||||
BIO_printf(bio_err, " [-attime timestamp]");
|
BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]");
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
#ifndef OPENSSL_NO_ENGINE
|
||||||
BIO_printf(bio_err, " [-engine e]");
|
BIO_printf(bio_err, " [-engine e]");
|
||||||
diff -up openssl-1.0.2a/doc/apps/cms.pod.trusted-first openssl-1.0.2a/doc/apps/cms.pod
|
diff -up openssl-1.0.2c/doc/apps/cms.pod.trusted-first openssl-1.0.2c/doc/apps/cms.pod
|
||||||
--- openssl-1.0.2a/doc/apps/cms.pod.trusted-first 2015-03-19 14:30:36.000000000 +0100
|
--- openssl-1.0.2c/doc/apps/cms.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200
|
||||||
+++ openssl-1.0.2a/doc/apps/cms.pod 2015-04-22 16:25:31.842164132 +0200
|
+++ openssl-1.0.2c/doc/apps/cms.pod 2015-06-15 17:48:43.615118958 +0200
|
||||||
@@ -35,6 +35,7 @@ B<openssl> B<cms>
|
@@ -35,6 +35,7 @@ B<openssl> B<cms>
|
||||||
[B<-print>]
|
[B<-print>]
|
||||||
[B<-CAfile file>]
|
[B<-CAfile file>]
|
||||||
[B<-CApath dir>]
|
[B<-CApath dir>]
|
||||||
+[B<-trusted_first>]
|
+[B<-trusted_first>]
|
||||||
|
[B<-no_alt_chains>]
|
||||||
[B<-md digest>]
|
[B<-md digest>]
|
||||||
[B<-[cipher]>]
|
[B<-[cipher]>]
|
||||||
[B<-nointern>]
|
@@ -245,6 +246,12 @@ B<-verify>. This directory must be a sta
|
||||||
@@ -244,6 +245,12 @@ B<-verify>. This directory must be a sta
|
|
||||||
is a hash of each subject name (using B<x509 -hash>) should be linked
|
is a hash of each subject name (using B<x509 -hash>) should be linked
|
||||||
to each certificate.
|
to each certificate.
|
||||||
|
|
||||||
@ -117,18 +117,20 @@ diff -up openssl-1.0.2a/doc/apps/cms.pod.trusted-first openssl-1.0.2a/doc/apps/c
|
|||||||
=item B<-md digest>
|
=item B<-md digest>
|
||||||
|
|
||||||
digest algorithm to use when signing or resigning. If not present then the
|
digest algorithm to use when signing or resigning. If not present then the
|
||||||
diff -up openssl-1.0.2a/doc/apps/ocsp.pod.trusted-first openssl-1.0.2a/doc/apps/ocsp.pod
|
diff -up openssl-1.0.2c/doc/apps/ocsp.pod.trusted-first openssl-1.0.2c/doc/apps/ocsp.pod
|
||||||
--- openssl-1.0.2a/doc/apps/ocsp.pod.trusted-first 2015-04-22 16:25:31.798163092 +0200
|
--- openssl-1.0.2c/doc/apps/ocsp.pod.trusted-first 2015-06-15 17:45:13.115279830 +0200
|
||||||
+++ openssl-1.0.2a/doc/apps/ocsp.pod 2015-04-22 16:25:31.842164132 +0200
|
+++ openssl-1.0.2c/doc/apps/ocsp.pod 2015-06-15 17:49:06.337641320 +0200
|
||||||
@@ -29,6 +29,7 @@ B<openssl> B<ocsp>
|
@@ -29,7 +29,8 @@ B<openssl> B<ocsp>
|
||||||
[B<-path>]
|
[B<-path>]
|
||||||
[B<-CApath dir>]
|
[B<-CApath dir>]
|
||||||
[B<-CAfile file>]
|
[B<-CAfile file>]
|
||||||
|
-[B<-no_alt_chains>]]
|
||||||
+[B<-trusted_first>]
|
+[B<-trusted_first>]
|
||||||
|
+[B<-no_alt_chains>]
|
||||||
[B<-VAfile file>]
|
[B<-VAfile file>]
|
||||||
[B<-validity_period n>]
|
[B<-validity_period n>]
|
||||||
[B<-status_age n>]
|
[B<-status_age n>]
|
||||||
@@ -143,6 +144,13 @@ connection timeout to the OCSP responder
|
@@ -144,6 +145,13 @@ connection timeout to the OCSP responder
|
||||||
file or pathname containing trusted CA certificates. These are used to verify
|
file or pathname containing trusted CA certificates. These are used to verify
|
||||||
the signature on the OCSP response.
|
the signature on the OCSP response.
|
||||||
|
|
||||||
@ -139,32 +141,32 @@ diff -up openssl-1.0.2a/doc/apps/ocsp.pod.trusted-first openssl-1.0.2a/doc/apps/
|
|||||||
+chain to verify responder certificate.
|
+chain to verify responder certificate.
|
||||||
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
||||||
+
|
+
|
||||||
=item B<-verify_other file>
|
=item B<-no_alt_chains>
|
||||||
|
|
||||||
file containing additional certificates to search when attempting to locate
|
See L<B<verify>|verify(1)> manual page for details.
|
||||||
diff -up openssl-1.0.2a/doc/apps/s_client.pod.trusted-first openssl-1.0.2a/doc/apps/s_client.pod
|
diff -up openssl-1.0.2c/doc/apps/s_client.pod.trusted-first openssl-1.0.2c/doc/apps/s_client.pod
|
||||||
--- openssl-1.0.2a/doc/apps/s_client.pod.trusted-first 2015-04-22 16:25:31.814163470 +0200
|
--- openssl-1.0.2c/doc/apps/s_client.pod.trusted-first 2015-06-15 17:45:13.115279830 +0200
|
||||||
+++ openssl-1.0.2a/doc/apps/s_client.pod 2015-04-22 16:25:31.843164156 +0200
|
+++ openssl-1.0.2c/doc/apps/s_client.pod 2015-06-15 17:49:23.984046989 +0200
|
||||||
@@ -19,6 +19,7 @@ B<openssl> B<s_client>
|
@@ -19,6 +19,7 @@ B<openssl> B<s_client>
|
||||||
[B<-pass arg>]
|
[B<-pass arg>]
|
||||||
[B<-CApath directory>]
|
[B<-CApath directory>]
|
||||||
[B<-CAfile filename>]
|
[B<-CAfile filename>]
|
||||||
+[B<-trusted_first>]
|
+[B<-trusted_first>]
|
||||||
|
[B<-no_alt_chains>]
|
||||||
[B<-reconnect>]
|
[B<-reconnect>]
|
||||||
[B<-pause>]
|
[B<-pause>]
|
||||||
[B<-showcerts>]
|
@@ -124,7 +125,7 @@ also used when building the client certi
|
||||||
@@ -123,7 +124,7 @@ also used when building the client certi
|
|
||||||
A file containing trusted certificates to use during server authentication
|
A file containing trusted certificates to use during server authentication
|
||||||
and to use when attempting to build the client certificate chain.
|
and to use when attempting to build the client certificate chain.
|
||||||
|
|
||||||
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
|
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
|
||||||
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first>
|
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first -no_alt_chains>
|
||||||
|
|
||||||
Set various certificate chain valiadition option. See the
|
Set various certificate chain valiadition option. See the
|
||||||
L<B<verify>|verify(1)> manual page for details.
|
L<B<verify>|verify(1)> manual page for details.
|
||||||
diff -up openssl-1.0.2a/doc/apps/smime.pod.trusted-first openssl-1.0.2a/doc/apps/smime.pod
|
diff -up openssl-1.0.2c/doc/apps/smime.pod.trusted-first openssl-1.0.2c/doc/apps/smime.pod
|
||||||
--- openssl-1.0.2a/doc/apps/smime.pod.trusted-first 2015-01-20 13:33:36.000000000 +0100
|
--- openssl-1.0.2c/doc/apps/smime.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200
|
||||||
+++ openssl-1.0.2a/doc/apps/smime.pod 2015-04-22 16:25:31.843164156 +0200
|
+++ openssl-1.0.2c/doc/apps/smime.pod 2015-06-15 17:50:00.856894648 +0200
|
||||||
@@ -15,6 +15,9 @@ B<openssl> B<smime>
|
@@ -15,6 +15,9 @@ B<openssl> B<smime>
|
||||||
[B<-pk7out>]
|
[B<-pk7out>]
|
||||||
[B<-[cipher]>]
|
[B<-[cipher]>]
|
||||||
@ -172,10 +174,10 @@ diff -up openssl-1.0.2a/doc/apps/smime.pod.trusted-first openssl-1.0.2a/doc/apps
|
|||||||
+[B<-CAfile file>]
|
+[B<-CAfile file>]
|
||||||
+[B<-CApath dir>]
|
+[B<-CApath dir>]
|
||||||
+[B<-trusted_first>]
|
+[B<-trusted_first>]
|
||||||
|
[B<-no_alt_chains>]
|
||||||
[B<-certfile file>]
|
[B<-certfile file>]
|
||||||
[B<-signer file>]
|
[B<-signer file>]
|
||||||
[B<-recip file>]
|
@@ -147,6 +150,12 @@ B<-verify>. This directory must be a sta
|
||||||
@@ -146,6 +149,12 @@ B<-verify>. This directory must be a sta
|
|
||||||
is a hash of each subject name (using B<x509 -hash>) should be linked
|
is a hash of each subject name (using B<x509 -hash>) should be linked
|
||||||
to each certificate.
|
to each certificate.
|
||||||
|
|
||||||
@ -188,18 +190,18 @@ diff -up openssl-1.0.2a/doc/apps/smime.pod.trusted-first openssl-1.0.2a/doc/apps
|
|||||||
=item B<-md digest>
|
=item B<-md digest>
|
||||||
|
|
||||||
digest algorithm to use when signing or resigning. If not present then the
|
digest algorithm to use when signing or resigning. If not present then the
|
||||||
diff -up openssl-1.0.2a/doc/apps/s_server.pod.trusted-first openssl-1.0.2a/doc/apps/s_server.pod
|
diff -up openssl-1.0.2c/doc/apps/s_server.pod.trusted-first openssl-1.0.2c/doc/apps/s_server.pod
|
||||||
--- openssl-1.0.2a/doc/apps/s_server.pod.trusted-first 2015-04-22 16:25:31.814163470 +0200
|
--- openssl-1.0.2c/doc/apps/s_server.pod.trusted-first 2015-06-15 17:45:13.116279853 +0200
|
||||||
+++ openssl-1.0.2a/doc/apps/s_server.pod 2015-04-22 16:25:31.843164156 +0200
|
+++ openssl-1.0.2c/doc/apps/s_server.pod 2015-06-15 17:49:37.420355873 +0200
|
||||||
@@ -33,6 +33,7 @@ B<openssl> B<s_server>
|
@@ -33,6 +33,7 @@ B<openssl> B<s_server>
|
||||||
[B<-state>]
|
[B<-state>]
|
||||||
[B<-CApath directory>]
|
[B<-CApath directory>]
|
||||||
[B<-CAfile filename>]
|
[B<-CAfile filename>]
|
||||||
+[B<-trusted_first>]
|
+[B<-trusted_first>]
|
||||||
|
[B<-no_alt_chains>]
|
||||||
[B<-nocert>]
|
[B<-nocert>]
|
||||||
[B<-cipher cipherlist>]
|
[B<-cipher cipherlist>]
|
||||||
[B<-serverpref>]
|
@@ -175,6 +176,12 @@ and to use when attempting to build the
|
||||||
@@ -174,6 +175,12 @@ and to use when attempting to build the
|
|
||||||
is also used in the list of acceptable client CAs passed to the client when
|
is also used in the list of acceptable client CAs passed to the client when
|
||||||
a certificate is requested.
|
a certificate is requested.
|
||||||
|
|
||||||
@ -209,12 +211,12 @@ diff -up openssl-1.0.2a/doc/apps/s_server.pod.trusted-first openssl-1.0.2a/doc/a
|
|||||||
+when building the trust chain to verify client certificates.
|
+when building the trust chain to verify client certificates.
|
||||||
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
||||||
+
|
+
|
||||||
=item B<-state>
|
=item B<-no_alt_chains>
|
||||||
|
|
||||||
prints out the SSL session states.
|
See the L<B<verify>|verify(1)> manual page for details.
|
||||||
diff -up openssl-1.0.2a/doc/apps/s_time.pod.trusted-first openssl-1.0.2a/doc/apps/s_time.pod
|
diff -up openssl-1.0.2c/doc/apps/s_time.pod.trusted-first openssl-1.0.2c/doc/apps/s_time.pod
|
||||||
--- openssl-1.0.2a/doc/apps/s_time.pod.trusted-first 2015-01-15 15:43:49.000000000 +0100
|
--- openssl-1.0.2c/doc/apps/s_time.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200
|
||||||
+++ openssl-1.0.2a/doc/apps/s_time.pod 2015-04-22 16:25:31.843164156 +0200
|
+++ openssl-1.0.2c/doc/apps/s_time.pod 2015-06-15 17:45:13.116279853 +0200
|
||||||
@@ -14,6 +14,7 @@ B<openssl> B<s_time>
|
@@ -14,6 +14,7 @@ B<openssl> B<s_time>
|
||||||
[B<-key filename>]
|
[B<-key filename>]
|
||||||
[B<-CApath directory>]
|
[B<-CApath directory>]
|
||||||
@ -236,9 +238,9 @@ diff -up openssl-1.0.2a/doc/apps/s_time.pod.trusted-first openssl-1.0.2a/doc/app
|
|||||||
=item B<-new>
|
=item B<-new>
|
||||||
|
|
||||||
performs the timing test using a new session ID for each connection.
|
performs the timing test using a new session ID for each connection.
|
||||||
diff -up openssl-1.0.2a/doc/apps/ts.pod.trusted-first openssl-1.0.2a/doc/apps/ts.pod
|
diff -up openssl-1.0.2c/doc/apps/ts.pod.trusted-first openssl-1.0.2c/doc/apps/ts.pod
|
||||||
--- openssl-1.0.2a/doc/apps/ts.pod.trusted-first 2015-01-20 13:33:36.000000000 +0100
|
--- openssl-1.0.2c/doc/apps/ts.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200
|
||||||
+++ openssl-1.0.2a/doc/apps/ts.pod 2015-04-22 16:25:31.843164156 +0200
|
+++ openssl-1.0.2c/doc/apps/ts.pod 2015-06-15 17:45:13.116279853 +0200
|
||||||
@@ -46,6 +46,7 @@ B<-verify>
|
@@ -46,6 +46,7 @@ B<-verify>
|
||||||
[B<-token_in>]
|
[B<-token_in>]
|
||||||
[B<-CApath> trusted_cert_path]
|
[B<-CApath> trusted_cert_path]
|
||||||
@ -260,9 +262,9 @@ diff -up openssl-1.0.2a/doc/apps/ts.pod.trusted-first openssl-1.0.2a/doc/apps/ts
|
|||||||
=item B<-untrusted> cert_file.pem
|
=item B<-untrusted> cert_file.pem
|
||||||
|
|
||||||
Set of additional untrusted certificates in PEM format which may be
|
Set of additional untrusted certificates in PEM format which may be
|
||||||
diff -up openssl-1.0.2a/doc/apps/verify.pod.trusted-first openssl-1.0.2a/doc/apps/verify.pod
|
diff -up openssl-1.0.2c/doc/apps/verify.pod.trusted-first openssl-1.0.2c/doc/apps/verify.pod
|
||||||
--- openssl-1.0.2a/doc/apps/verify.pod.trusted-first 2015-03-19 14:30:36.000000000 +0100
|
--- openssl-1.0.2c/doc/apps/verify.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200
|
||||||
+++ openssl-1.0.2a/doc/apps/verify.pod 2015-04-22 16:25:31.843164156 +0200
|
+++ openssl-1.0.2c/doc/apps/verify.pod 2015-06-15 17:45:13.116279853 +0200
|
||||||
@@ -9,6 +9,7 @@ verify - Utility to verify certificates.
|
@@ -9,6 +9,7 @@ verify - Utility to verify certificates.
|
||||||
B<openssl> B<verify>
|
B<openssl> B<verify>
|
||||||
[B<-CApath directory>]
|
[B<-CApath directory>]
|
||||||
@ -271,7 +273,7 @@ diff -up openssl-1.0.2a/doc/apps/verify.pod.trusted-first openssl-1.0.2a/doc/app
|
|||||||
[B<-purpose purpose>]
|
[B<-purpose purpose>]
|
||||||
[B<-policy arg>]
|
[B<-policy arg>]
|
||||||
[B<-ignore_critical>]
|
[B<-ignore_critical>]
|
||||||
@@ -78,6 +79,12 @@ If a valid CRL cannot be found an error
|
@@ -79,6 +80,12 @@ If a valid CRL cannot be found an error
|
||||||
A file of untrusted certificates. The file should contain multiple certificates
|
A file of untrusted certificates. The file should contain multiple certificates
|
||||||
in PEM format concatenated together.
|
in PEM format concatenated together.
|
||||||
|
|
21
openssl.spec
21
openssl.spec
@ -22,8 +22,8 @@
|
|||||||
|
|
||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 1.0.2a
|
Version: 1.0.2c
|
||||||
Release: 4%{?dist}
|
Release: 1%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -40,7 +40,7 @@ Source11: README.FIPS
|
|||||||
Source12: ec_curve.c
|
Source12: ec_curve.c
|
||||||
Source13: ectest.c
|
Source13: ectest.c
|
||||||
# Build changes
|
# Build changes
|
||||||
Patch1: openssl-1.0.2a-rpmbuild.patch
|
Patch1: openssl-1.0.2c-rpmbuild.patch
|
||||||
Patch2: openssl-1.0.2a-defaults.patch
|
Patch2: openssl-1.0.2a-defaults.patch
|
||||||
Patch4: openssl-1.0.2a-enginesdir.patch
|
Patch4: openssl-1.0.2a-enginesdir.patch
|
||||||
Patch5: openssl-1.0.2a-no-rpath.patch
|
Patch5: openssl-1.0.2a-no-rpath.patch
|
||||||
@ -49,14 +49,14 @@ Patch7: openssl-1.0.0-timezone.patch
|
|||||||
Patch8: openssl-1.0.1c-perlfind.patch
|
Patch8: openssl-1.0.1c-perlfind.patch
|
||||||
Patch9: openssl-1.0.1c-aliasing.patch
|
Patch9: openssl-1.0.1c-aliasing.patch
|
||||||
# Bug fixes
|
# Bug fixes
|
||||||
Patch23: openssl-1.0.2a-default-paths.patch
|
Patch23: openssl-1.0.2c-default-paths.patch
|
||||||
Patch24: openssl-1.0.2a-issuer-hash.patch
|
Patch24: openssl-1.0.2a-issuer-hash.patch
|
||||||
# Functionality changes
|
# Functionality changes
|
||||||
Patch33: openssl-1.0.0-beta4-ca-dir.patch
|
Patch33: openssl-1.0.0-beta4-ca-dir.patch
|
||||||
Patch34: openssl-1.0.2a-x509.patch
|
Patch34: openssl-1.0.2a-x509.patch
|
||||||
Patch35: openssl-1.0.2a-version-add-engines.patch
|
Patch35: openssl-1.0.2a-version-add-engines.patch
|
||||||
Patch39: openssl-1.0.2a-ipv6-apps.patch
|
Patch39: openssl-1.0.2a-ipv6-apps.patch
|
||||||
Patch40: openssl-1.0.2a-fips.patch
|
Patch40: openssl-1.0.2c-fips.patch
|
||||||
Patch45: openssl-1.0.2a-env-zlib.patch
|
Patch45: openssl-1.0.2a-env-zlib.patch
|
||||||
Patch47: openssl-1.0.2a-readme-warning.patch
|
Patch47: openssl-1.0.2a-readme-warning.patch
|
||||||
Patch49: openssl-1.0.1i-algo-doc.patch
|
Patch49: openssl-1.0.1i-algo-doc.patch
|
||||||
@ -69,11 +69,10 @@ Patch63: openssl-1.0.2a-xmpp-starttls.patch
|
|||||||
Patch65: openssl-1.0.2a-chil-fixes.patch
|
Patch65: openssl-1.0.2a-chil-fixes.patch
|
||||||
Patch66: openssl-1.0.2a-pkgconfig-krb5.patch
|
Patch66: openssl-1.0.2a-pkgconfig-krb5.patch
|
||||||
Patch68: openssl-1.0.2a-secure-getenv.patch
|
Patch68: openssl-1.0.2a-secure-getenv.patch
|
||||||
Patch69: openssl-1.0.2a-dh-1024.patch
|
|
||||||
Patch70: openssl-1.0.2a-fips-ec.patch
|
Patch70: openssl-1.0.2a-fips-ec.patch
|
||||||
Patch71: openssl-1.0.2a-manfix.patch
|
Patch71: openssl-1.0.2a-manfix.patch
|
||||||
Patch72: openssl-1.0.2a-fips-ctor.patch
|
Patch72: openssl-1.0.2a-fips-ctor.patch
|
||||||
Patch73: openssl-1.0.2a-ecc-suiteb.patch
|
Patch73: openssl-1.0.2c-ecc-suiteb.patch
|
||||||
Patch74: openssl-1.0.2a-no-md5-verify.patch
|
Patch74: openssl-1.0.2a-no-md5-verify.patch
|
||||||
Patch75: openssl-1.0.2a-compat-symbols.patch
|
Patch75: openssl-1.0.2a-compat-symbols.patch
|
||||||
Patch76: openssl-1.0.2a-new-fips-reqs.patch
|
Patch76: openssl-1.0.2a-new-fips-reqs.patch
|
||||||
@ -85,8 +84,7 @@ Patch93: openssl-1.0.2a-disable-sslv2v3.patch
|
|||||||
# Backported fixes including security fixes
|
# Backported fixes including security fixes
|
||||||
Patch80: openssl-1.0.2a-wrap-pad.patch
|
Patch80: openssl-1.0.2a-wrap-pad.patch
|
||||||
Patch81: openssl-1.0.2a-padlock64.patch
|
Patch81: openssl-1.0.2a-padlock64.patch
|
||||||
Patch82: openssl-1.0.2a-trusted-first-doc.patch
|
Patch82: openssl-1.0.2c-trusted-first-doc.patch
|
||||||
Patch83: openssl-1.0.2a-alt-chains.patch
|
|
||||||
|
|
||||||
License: OpenSSL
|
License: OpenSSL
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
@ -190,7 +188,6 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
|
|||||||
%patch65 -p1 -b .chil
|
%patch65 -p1 -b .chil
|
||||||
%patch66 -p1 -b .krb5
|
%patch66 -p1 -b .krb5
|
||||||
%patch68 -p1 -b .secure-getenv
|
%patch68 -p1 -b .secure-getenv
|
||||||
%patch69 -p1 -b .dh1024
|
|
||||||
%patch70 -p1 -b .fips-ec
|
%patch70 -p1 -b .fips-ec
|
||||||
%patch71 -p1 -b .manfix
|
%patch71 -p1 -b .manfix
|
||||||
%patch72 -p1 -b .fips-ctor
|
%patch72 -p1 -b .fips-ctor
|
||||||
@ -207,7 +204,6 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
|
|||||||
%patch80 -p1 -b .wrap
|
%patch80 -p1 -b .wrap
|
||||||
%patch81 -p1 -b .padlock64
|
%patch81 -p1 -b .padlock64
|
||||||
%patch82 -p1 -b .trusted-first
|
%patch82 -p1 -b .trusted-first
|
||||||
%patch83 -p1 -b .alt-chains
|
|
||||||
|
|
||||||
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
|
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
|
||||||
|
|
||||||
@ -478,6 +474,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||||||
%postun libs -p /sbin/ldconfig
|
%postun libs -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jun 15 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.2c-1
|
||||||
|
- minor upstream release 1.0.2c fixing multiple security issues
|
||||||
|
|
||||||
* Thu May 7 2015 Peter Robinson <pbrobinson@fedoraproject.org> 1.0.2a-4
|
* Thu May 7 2015 Peter Robinson <pbrobinson@fedoraproject.org> 1.0.2a-4
|
||||||
- Add aarch64 sslarch details
|
- Add aarch64 sslarch details
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user