update to upstream version 1.1.0e

add documentation of the PROFILE=SYSTEM special cipher string (#1420232)
This commit is contained in:
Tomas Mraz 2017-02-16 16:59:27 +01:00
parent f6b0040c3e
commit c676ac32d5
8 changed files with 413 additions and 565 deletions

1
.gitignore vendored
View File

@ -34,3 +34,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-1.1.0b-hobbled.tar.xz
/openssl-1.1.0c-hobbled.tar.xz
/openssl-1.1.0d-hobbled.tar.xz
/openssl-1.1.0e-hobbled.tar.xz

View File

@ -1,147 +0,0 @@
From 3f60b8fbdc9b17572a86457fe5b11437c0d3fbc2 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Thu, 26 Jan 2017 17:11:14 +0000
Subject: [PATCH] Use correct signature algorithm list when sending or
checking.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2297)
---
ssl/ssl_locl.h | 2 +-
ssl/statem/statem_srvr.c | 2 +-
ssl/t1_lib.c | 12 ++++++------
3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 4079b31..9a997cf 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2062,7 +2062,7 @@ __owur size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
const unsigned char *psig, size_t psiglen);
__owur int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize);
__owur int tls1_process_sigalgs(SSL *s);
-__owur size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs);
+__owur size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs);
__owur int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
const unsigned char *sig, EVP_PKEY *pkey);
void ssl_set_client_disabled(SSL *s);
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index d36d194..ad89e93 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2002,7 +2002,7 @@ int tls_construct_certificate_request(SSL *s)
if (SSL_USE_SIGALGS(s)) {
const unsigned char *psigs;
unsigned char *etmp = p;
- nl = tls12_get_psigalgs(s, &psigs);
+ nl = tls12_get_psigalgs(s, 1, &psigs);
/* Skip over length for now */
p += 2;
nl = tls12_copy_sigalgs(s, p, psigs, nl);
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 1205f99..b75e568 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -711,7 +711,7 @@ static const unsigned char suiteb_sigalgs[] = {
tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
};
#endif
-size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
+size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs)
{
/*
* If Suite B mode use Suite B sigalgs only, ignore any other
@@ -733,7 +733,7 @@ size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
}
#endif
/* If server use client authentication sigalgs if not NULL */
- if (s->server && s->cert->client_sigalgs) {
+ if (s->server == sent && s->cert->client_sigalgs) {
*psigs = s->cert->client_sigalgs;
return s->cert->client_sigalgslen;
} else if (s->cert->conf_sigalgs) {
@@ -797,7 +797,7 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
#endif
/* Check signature matches a type we sent */
- sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
+ sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
break;
@@ -1189,7 +1189,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
size_t salglen;
const unsigned char *salg;
unsigned char *etmp;
- salglen = tls12_get_psigalgs(s, &salg);
+ salglen = tls12_get_psigalgs(s, 1, &salg);
/*-
* check for enough space.
@@ -3396,7 +3396,7 @@ void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
* RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2. To keep
* down calls to security callback only check if we have to.
*/
- sigalgslen = tls12_get_psigalgs(s, &sigalgs);
+ sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
switch (sigalgs[1]) {
#ifndef OPENSSL_NO_RSA
@@ -3491,7 +3491,7 @@ static int tls1_set_shared_sigalgs(SSL *s)
conf = c->conf_sigalgs;
conflen = c->conf_sigalgslen;
} else
- conflen = tls12_get_psigalgs(s, &conf);
+ conflen = tls12_get_psigalgs(s, 0, &conf);
if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
pref = conf;
preflen = conflen;
--
2.9.3
From b431b094330da3e54805c49fb262192e34bc3864 Mon Sep 17 00:00:00 2001
From: Richard Levitte <levitte@openssl.org>
Date: Sat, 28 Jan 2017 17:43:17 +0100
Subject: [PATCH] X509_CRL_digest() - ensure precomputed sha1 hash before
returning it
X509_CRL_digest() didn't check if the precomputed sha1 hash was actually
present. This also makes sure there's an appropriate flag to check.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2314)
(cherry picked from commit 6195848b2eea627c47f74b63eb2ba3dc3d5b6436)
---
crypto/x509/x_all.c | 2 +-
crypto/x509/x_crl.c | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index 59f96a5..124dd2d 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -377,7 +377,7 @@ int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type,
unsigned char *md, unsigned int *len)
{
- if (type == EVP_sha1()) {
+ if (type == EVP_sha1() && (data->flags & EXFLAG_SET) != 0) {
/* Asking for SHA1; always computed in CRL d2i. */
if (len != NULL)
*len = sizeof(data->sha1_hash);
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index da9c6b6..dbed850 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -226,6 +226,8 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
if (crl->meth->crl_init(crl) == 0)
return 0;
}
+
+ crl->flags |= EXFLAG_SET;
break;
case ASN1_OP_FREE_POST:
--
2.9.3

View File

@ -29,99 +29,3 @@ diff -up openssl-1.1.0c/Configurations/10-main.conf.build openssl-1.1.0c/Configu
},
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
inherit_from => [ "linux-generic32", asm("aarch64_asm") ],
diff -up openssl-1.1.0c/crypto/ec/ec_lib.c.build openssl-1.1.0c/crypto/ec/ec_lib.c
--- openssl-1.1.0c/crypto/ec/ec_lib.c.build 2016-11-10 15:03:44.000000000 +0100
+++ openssl-1.1.0c/crypto/ec/ec_lib.c 2016-11-11 13:26:36.097400901 +0100
@@ -74,9 +74,6 @@ void EC_pre_comp_free(EC_GROUP *group)
break;
#endif
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
- case PCT_nistp224:
- EC_nistp224_pre_comp_free(group->pre_comp.nistp224);
- break;
case PCT_nistp256:
EC_nistp256_pre_comp_free(group->pre_comp.nistp256);
break;
@@ -152,9 +149,6 @@ int EC_GROUP_copy(EC_GROUP *dest, const
break;
#endif
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
- case PCT_nistp224:
- dest->pre_comp.nistp224 = EC_nistp224_pre_comp_dup(src->pre_comp.nistp224);
- break;
case PCT_nistp256:
dest->pre_comp.nistp256 = EC_nistp256_pre_comp_dup(src->pre_comp.nistp256);
break;
diff -up openssl-1.1.0c/test/ecdhtest_cavs.h.build openssl-1.1.0c/test/ecdhtest_cavs.h
--- openssl-1.1.0c/test/ecdhtest_cavs.h.build 2016-11-11 13:26:36.079400491 +0100
+++ openssl-1.1.0c/test/ecdhtest_cavs.h 2016-11-11 13:26:36.097400901 +0100
@@ -29,6 +29,7 @@ typedef struct {
static const ecdh_cavs_kat_t ecdh_cavs_kats[] = {
/* curves over prime fields go here */
+#if 0
{ NID_X9_62_prime192v1,
"42ea6dd9969dd2a61fea1aac7f8e98edcc896c6e55857cc0",
"dfbe5d7c61fac88b11811bde328e8a0d12bf01a9d204b523",
@@ -379,6 +380,7 @@ static const ecdh_cavs_kat_t ecdh_cavs_k
"a6b29632db94da2125dc1cf80e03702687b2acc1122022fa2174765a",
"61723edd73e10daed73775278f1958ba56f1fc9d085ebc2b64c84fe5",
"71954e2261e8510be1a060733671d2e9d0a2d012eb4e09556d697d2a" },
+#endif
{ NID_X9_62_prime256v1,
"700c48f77f56584c5cc632ca65640db91b6bacce3a4df6b42ce7cc838833d287",
"db71e509e3fd9b060ddb20ba5c51dcc5948d46fbf640dfe0441782cab85fa4ac",
diff -up openssl-1.1.0c/test/ecdhtest.c.build openssl-1.1.0c/test/ecdhtest.c
--- openssl-1.1.0c/test/ecdhtest.c.build 2016-11-10 15:03:47.000000000 +0100
+++ openssl-1.1.0c/test/ecdhtest.c 2016-11-11 13:26:36.097400901 +0100
@@ -252,6 +252,7 @@ typedef struct {
static const ecdh_kat_t ecdh_kats[] = {
/* Keys and shared secrets from RFC 5114 */
+#if 0
{ NID_X9_62_prime192v1,
"323FA3169D8E9C6593F59476BC142000AB5BE0E249C43426",
"631F95BB4A67632C9C476EEE9AB695AB240A0499307FCF62",
@@ -260,6 +261,7 @@ static const ecdh_kat_t ecdh_kats[] = {
"B558EB6C288DA707BBB4F8FBAE2AB9E9CB62E3BC5C7573E22E26D37F",
"AC3B1ADD3D9770E6F6A708EE9F3B8E0AB3B480E9F27F85C88B5E6D18",
"52272F50F46F4EDC9151569092F46DF2D96ECC3B6DC1714A4EA949FA" },
+#endif
{ NID_X9_62_prime256v1,
"814264145F2F56F2E96A8E337A1284993FAF432A5ABCE59E867B7291D507A3AF",
"2CE1788EC197E096DB95A200CC0AB26A19CE6BCCAD562B8EEE1B593761CF7F41",
@@ -303,6 +305,7 @@ static const ecdh_kat_t ecdh_kats[] = {
"01144C7D79AE6956BC8EDB8E7C787C4521CB086FA64407F97894E5E6B2D79B04"
"D1427E73CA4BAA240A34786859810C06B3C715A3A8CC3151F2BEE417996D19F3"
"DDEA" },
+#if 0
/* Keys and shared secrets from RFC 7027 */
{ NID_brainpoolP256r1,
"81DB1EE100150FF2EA338D708271BE38300CB54241D79950F77B063039804F1D",
@@ -322,6 +325,7 @@ static const ecdh_kat_t ecdh_kats[] = {
"ABBC19963DAB8E2F1EBA00BFFB29E4D72D13F2224562F405CB80503666B25429",
"A7927098655F1F9976FA50A9D566865DC530331846381C87256BAF3226244B76"
"D36403C024D7BBF0AA0803EAFF405D3D24F11A9B5C0BEF679FE1454B21C4CD1F" }
+#endif
};
/* Given private value and NID, create EC_KEY structure */
diff -up openssl-1.1.0c/test/ecdsatest.c.build openssl-1.1.0c/test/ecdsatest.c
--- openssl-1.1.0c/test/ecdsatest.c.build 2016-11-10 15:03:47.000000000 +0100
+++ openssl-1.1.0c/test/ecdsatest.c 2016-11-11 13:26:36.097400901 +0100
@@ -216,6 +216,7 @@ int x9_62_tests(BIO *out)
if (!change_rand())
goto x962_err;
+#if 0
if (!x9_62_test_internal(out, NID_X9_62_prime192v1,
"3342403536405981729393488334694600415596881826869351677613",
"5735822328888155254683894997897571951568553642892029982342"))
@@ -226,6 +227,7 @@ int x9_62_tests(BIO *out)
"3238135532097973577080787768312505059318910517550078427819"
"78505179448783"))
goto x962_err;
+#endif
# ifndef OPENSSL_NO_EC2M
if (!x9_62_test_internal(out, NID_X9_62_c2tnb191v1,
"87194383164871543355722284926904419997237591535066528048",

View File

@ -1,6 +1,6 @@
diff -up openssl-1.1.0d/apps/speed.c.curves openssl-1.1.0d/apps/speed.c
--- openssl-1.1.0d/apps/speed.c.curves 2017-01-26 14:10:21.000000000 +0100
+++ openssl-1.1.0d/apps/speed.c 2017-01-26 15:53:33.913324153 +0100
diff -up openssl-1.1.0e/apps/speed.c.curves openssl-1.1.0e/apps/speed.c
--- openssl-1.1.0e/apps/speed.c.curves 2017-02-16 12:58:20.000000000 +0100
+++ openssl-1.1.0e/apps/speed.c 2017-02-16 15:46:22.271504354 +0100
@@ -536,42 +536,18 @@ static OPT_PAIR rsa_choices[] = {
#define R_EC_X25519 16
#ifndef OPENSSL_NO_EC
@ -44,9 +44,9 @@ diff -up openssl-1.1.0d/apps/speed.c.curves openssl-1.1.0d/apps/speed.c
{"ecdhx25519", R_EC_X25519},
{NULL}
};
diff -up openssl-1.1.0d/crypto/ec/ecp_smpl.c.curves openssl-1.1.0d/crypto/ec/ecp_smpl.c
--- openssl-1.1.0d/crypto/ec/ecp_smpl.c.curves 2017-01-26 14:10:22.000000000 +0100
+++ openssl-1.1.0d/crypto/ec/ecp_smpl.c 2017-01-26 15:53:33.913324153 +0100
diff -up openssl-1.1.0e/crypto/ec/ecp_smpl.c.curves openssl-1.1.0e/crypto/ec/ecp_smpl.c
--- openssl-1.1.0e/crypto/ec/ecp_smpl.c.curves 2017-02-16 12:58:21.000000000 +0100
+++ openssl-1.1.0e/crypto/ec/ecp_smpl.c 2017-02-16 15:46:22.264504188 +0100
@@ -144,6 +144,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
return 0;
}
@ -59,3 +59,73 @@ diff -up openssl-1.1.0d/crypto/ec/ecp_smpl.c.curves openssl-1.1.0d/crypto/ec/ecp
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
if (ctx == NULL)
diff -up openssl-1.1.0e/test/ecdhtest_cavs.h.curves openssl-1.1.0e/test/ecdhtest_cavs.h
--- openssl-1.1.0e/test/ecdhtest_cavs.h.curves 2017-02-16 15:46:22.237503550 +0100
+++ openssl-1.1.0e/test/ecdhtest_cavs.h 2017-02-16 16:08:16.091687111 +0100
@@ -29,6 +29,7 @@ typedef struct {
static const ecdh_cavs_kat_t ecdh_cavs_kats[] = {
/* curves over prime fields go here */
+#if 0
{ NID_X9_62_prime192v1,
"42ea6dd9969dd2a61fea1aac7f8e98edcc896c6e55857cc0",
"dfbe5d7c61fac88b11811bde328e8a0d12bf01a9d204b523",
@@ -204,6 +205,7 @@ static const ecdh_cavs_kat_t ecdh_cavs_k
"fcd345a976c720caaa97de6697226825615e1287a9eff67e",
"58ea42edbeeafca9ff44cfd7f29abd2cbde7626d79e422c9",
"72e88f3ea67d46d46dbf83926e7e2a6b85b54536741e6d2c" },
+#endif
{ NID_secp224r1,
"af33cd0629bc7e996320a3f40368f74de8704fa37b8fab69abaae280",
"882092ccbba7930f419a8a4f9bb16978bbc3838729992559a6f2e2d7",
diff -up openssl-1.1.0e/test/ecdhtest.c.curves openssl-1.1.0e/test/ecdhtest.c
--- openssl-1.1.0e/test/ecdhtest.c.curves 2017-02-16 12:58:24.000000000 +0100
+++ openssl-1.1.0e/test/ecdhtest.c 2017-02-16 16:07:30.412629758 +0100
@@ -252,10 +252,12 @@ typedef struct {
static const ecdh_kat_t ecdh_kats[] = {
/* Keys and shared secrets from RFC 5114 */
+#if 0
{ NID_X9_62_prime192v1,
"323FA3169D8E9C6593F59476BC142000AB5BE0E249C43426",
"631F95BB4A67632C9C476EEE9AB695AB240A0499307FCF62",
"AD420182633F8526BFE954ACDA376F05E5FF4F837F54FEBE" },
+#endif
{ NID_secp224r1,
"B558EB6C288DA707BBB4F8FBAE2AB9E9CB62E3BC5C7573E22E26D37F",
"AC3B1ADD3D9770E6F6A708EE9F3B8E0AB3B480E9F27F85C88B5E6D18",
@@ -303,6 +305,7 @@ static const ecdh_kat_t ecdh_kats[] = {
"01144C7D79AE6956BC8EDB8E7C787C4521CB086FA64407F97894E5E6B2D79B04"
"D1427E73CA4BAA240A34786859810C06B3C715A3A8CC3151F2BEE417996D19F3"
"DDEA" },
+#if 0
/* Keys and shared secrets from RFC 7027 */
{ NID_brainpoolP256r1,
"81DB1EE100150FF2EA338D708271BE38300CB54241D79950F77B063039804F1D",
@@ -322,6 +325,7 @@ static const ecdh_kat_t ecdh_kats[] = {
"ABBC19963DAB8E2F1EBA00BFFB29E4D72D13F2224562F405CB80503666B25429",
"A7927098655F1F9976FA50A9D566865DC530331846381C87256BAF3226244B76"
"D36403C024D7BBF0AA0803EAFF405D3D24F11A9B5C0BEF679FE1454B21C4CD1F" }
+#endif
};
/* Given private value and NID, create EC_KEY structure */
diff -up openssl-1.1.0e/test/ecdsatest.c.curves openssl-1.1.0e/test/ecdsatest.c
--- openssl-1.1.0e/test/ecdsatest.c.curves 2017-02-16 12:58:24.000000000 +0100
+++ openssl-1.1.0e/test/ecdsatest.c 2017-02-16 15:46:22.250503857 +0100
@@ -216,6 +216,7 @@ int x9_62_tests(BIO *out)
if (!change_rand())
goto x962_err;
+#if 0
if (!x9_62_test_internal(out, NID_X9_62_prime192v1,
"3342403536405981729393488334694600415596881826869351677613",
"5735822328888155254683894997897571951568553642892029982342"))
@@ -226,6 +227,7 @@ int x9_62_tests(BIO *out)
"3238135532097973577080787768312505059318910517550078427819"
"78505179448783"))
goto x962_err;
+#endif
# ifndef OPENSSL_NO_EC2M
if (!x9_62_test_internal(out, NID_X9_62_c2tnb191v1,
"87194383164871543355722284926904419997237591535066528048",

File diff suppressed because it is too large Load Diff

View File

@ -1,7 +1,7 @@
diff -up openssl-1.1.0b/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.0b/Configurations/unix-Makefile.tmpl
--- openssl-1.1.0b/Configurations/unix-Makefile.tmpl.system-cipherlist 2016-09-26 15:57:34.000000000 +0200
+++ openssl-1.1.0b/Configurations/unix-Makefile.tmpl 2016-09-26 16:41:17.796148764 +0200
@@ -157,6 +157,10 @@ MANDIR=$(INSTALLTOP)/share/man
diff -up openssl-1.1.0e/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.0e/Configurations/unix-Makefile.tmpl
--- openssl-1.1.0e/Configurations/unix-Makefile.tmpl.system-cipherlist 2017-02-16 16:15:38.658931413 +0100
+++ openssl-1.1.0e/Configurations/unix-Makefile.tmpl 2017-02-16 16:15:38.675931806 +0100
@@ -161,6 +161,10 @@ MANDIR=$(INSTALLTOP)/share/man
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
HTMLDIR=$(DOCDIR)/html
@ -12,7 +12,7 @@ diff -up openssl-1.1.0b/Configurations/unix-Makefile.tmpl.system-cipherlist open
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
# appended after the manpage file section number. "ssl" is popular,
# resulting in files such as config.5ssl rather than config.5.
@@ -167,7 +171,7 @@ HTMLSUFFIX=html
@@ -171,7 +175,7 @@ HTMLSUFFIX=html
CROSS_COMPILE= {- $config{cross_compile_prefix} -}
CC= $(CROSS_COMPILE){- $target{cc} -}
@ -21,9 +21,9 @@ diff -up openssl-1.1.0b/Configurations/unix-Makefile.tmpl.system-cipherlist open
CFLAGS_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -}
LDFLAGS= {- $target{lflags} -}
PLIB_LDFLAGS= {- $target{plib_lflags} -}
diff -up openssl-1.1.0b/Configure.system-cipherlist openssl-1.1.0b/Configure
--- openssl-1.1.0b/Configure.system-cipherlist 2016-09-26 15:57:34.000000000 +0200
+++ openssl-1.1.0b/Configure 2016-09-26 16:41:45.002787753 +0200
diff -up openssl-1.1.0e/Configure.system-cipherlist openssl-1.1.0e/Configure
--- openssl-1.1.0e/Configure.system-cipherlist 2017-02-16 12:58:20.000000000 +0100
+++ openssl-1.1.0e/Configure 2017-02-16 16:15:38.679931899 +0100
@@ -18,7 +18,7 @@ use if $^O ne "VMS", 'File::Glob' => qw/
# see INSTALL for instructions.
@ -43,7 +43,7 @@ diff -up openssl-1.1.0b/Configure.system-cipherlist openssl-1.1.0b/Configure
# --cross-compile-prefix Add specified prefix to binutils components.
#
# --api One of 0.9.8, 1.0.0 or 1.1.0. Do not compile support for
@@ -292,6 +295,7 @@ $config{openssldir}="";
@@ -293,6 +296,7 @@ $config{openssldir}="";
$config{processor}="";
$config{libdir}="";
$config{cross_compile_prefix}="";
@ -51,7 +51,7 @@ diff -up openssl-1.1.0b/Configure.system-cipherlist openssl-1.1.0b/Configure
$config{fipslibdir}="/usr/local/ssl/fips-2.0/lib/";
my $nofipscanistercheck=0;
$config{baseaddr}="0xFB00000";
@@ -716,6 +720,10 @@ foreach (@argvcopy)
@@ -718,6 +722,10 @@ while (@argvcopy)
{
$config{baseaddr}="$1";
}
@ -62,7 +62,7 @@ diff -up openssl-1.1.0b/Configure.system-cipherlist openssl-1.1.0b/Configure
elsif (/^--cross-compile-prefix=(.*)$/)
{
$config{cross_compile_prefix}=$1;
@@ -841,6 +849,8 @@ if ($target =~ m/^CygWin32(-.*)$/) {
@@ -851,6 +859,8 @@ if ($target =~ m/^CygWin32(-.*)$/) {
$target = "Cygwin".$1;
}
@ -71,9 +71,28 @@ diff -up openssl-1.1.0b/Configure.system-cipherlist openssl-1.1.0b/Configure
foreach (sort (keys %disabled))
{
$config{options} .= " no-$_";
diff -up openssl-1.1.0b/include/openssl/ssl.h.system-cipherlist openssl-1.1.0b/include/openssl/ssl.h
--- openssl-1.1.0b/include/openssl/ssl.h.system-cipherlist 2016-09-26 11:46:07.000000000 +0200
+++ openssl-1.1.0b/include/openssl/ssl.h 2016-09-26 16:58:03.752760070 +0200
diff -up openssl-1.1.0e/doc/apps/ciphers.pod.system-cipherlist openssl-1.1.0e/doc/apps/ciphers.pod
--- openssl-1.1.0e/doc/apps/ciphers.pod.system-cipherlist 2017-02-16 12:58:22.000000000 +0100
+++ openssl-1.1.0e/doc/apps/ciphers.pod 2017-02-16 16:37:14.043219953 +0100
@@ -181,6 +181,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
+=item B<PROFILE=SYSTEM>
+
+The list of enabled cipher suites will be loaded from the system crypto policy
+configuration file B</etc/crypto-policies/back-ends/openssl.config>.
+See also L<update-crypto-policies(8)>.
+This is the default behavior unless an application explicitly sets a cipher
+list. If used in a cipher list configuration value this string must be at the
+beginning of the cipher list, otherwise it will not be recognized.
+
=item B<HIGH>
"high" encryption cipher suites. This currently means those with key lengths
diff -up openssl-1.1.0e/include/openssl/ssl.h.system-cipherlist openssl-1.1.0e/include/openssl/ssl.h
--- openssl-1.1.0e/include/openssl/ssl.h.system-cipherlist 2017-02-16 12:58:23.000000000 +0100
+++ openssl-1.1.0e/include/openssl/ssl.h 2017-02-16 16:15:38.676931830 +0100
@@ -201,6 +201,11 @@ extern "C" {
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
@ -86,9 +105,9 @@ diff -up openssl-1.1.0b/include/openssl/ssl.h.system-cipherlist openssl-1.1.0b/i
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
# define SSL_SENT_SHUTDOWN 1
diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_ciph.c
--- openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist 2016-09-26 11:46:07.000000000 +0200
+++ openssl-1.1.0b/ssl/ssl_ciph.c 2016-09-26 16:51:33.056591689 +0200
diff -up openssl-1.1.0e/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0e/ssl/ssl_ciph.c
--- openssl-1.1.0e/ssl/ssl_ciph.c.system-cipherlist 2017-02-16 12:58:23.000000000 +0100
+++ openssl-1.1.0e/ssl/ssl_ciph.c 2017-02-16 16:15:38.691932177 +0100
@@ -1289,6 +1289,50 @@ static int check_suiteb_cipher_list(cons
}
#endif
@ -140,7 +159,7 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER)
**cipher_list, STACK_OF(SSL_CIPHER)
**cipher_list_by_id,
@@ -1296,19 +1340,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
@@ -1296,19 +1341,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
{
int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
uint32_t disabled_mkey, disabled_auth, disabled_enc, disabled_mac;
@ -173,7 +192,7 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
#endif
/*
@@ -1331,7 +1385,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
@@ -1331,7 +1386,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
if (co_list == NULL) {
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
@ -182,7 +201,7 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
}
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
@@ -1401,8 +1455,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
@@ -1401,8 +1456,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* in force within each class
*/
if (!ssl_cipher_strength_sort(&head, &tail)) {
@ -192,7 +211,7 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
}
/*
@@ -1447,9 +1500,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
@@ -1447,9 +1501,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
if (ca_list == NULL) {
@ -203,7 +222,7 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
}
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
disabled_mkey, disabled_auth, disabled_enc,
@@ -1475,8 +1527,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
@@ -1475,8 +1528,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
OPENSSL_free(ca_list); /* Not needed anymore */
if (!ok) { /* Rule processing failure */
@ -213,7 +232,7 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
}
/*
@@ -1484,8 +1535,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
@@ -1484,8 +1536,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* if we cannot get one.
*/
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
@ -223,7 +242,7 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
}
/*
@@ -1496,21 +1546,21 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
@@ -1496,21 +1547,21 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
if (curr->active
&& (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) {
if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
@ -249,7 +268,7 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
}
sk_SSL_CIPHER_free(*cipher_list);
*cipher_list = cipherstack;
@@ -1520,6 +1570,12 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
@@ -1520,6 +1571,12 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
(void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id, ssl_cipher_ptr_id_cmp);
sk_SSL_CIPHER_sort(*cipher_list_by_id);
@ -262,9 +281,9 @@ diff -up openssl-1.1.0b/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0b/ssl/ssl_
return (cipherstack);
}
diff -up openssl-1.1.0b/ssl/ssl_lib.c.system-cipherlist openssl-1.1.0b/ssl/ssl_lib.c
--- openssl-1.1.0b/ssl/ssl_lib.c.system-cipherlist 2016-09-26 15:57:34.000000000 +0200
+++ openssl-1.1.0b/ssl/ssl_lib.c 2016-09-26 16:55:23.668003396 +0200
diff -up openssl-1.1.0e/ssl/ssl_lib.c.system-cipherlist openssl-1.1.0e/ssl/ssl_lib.c
--- openssl-1.1.0e/ssl/ssl_lib.c.system-cipherlist 2017-02-16 16:15:38.673931760 +0100
+++ openssl-1.1.0e/ssl/ssl_lib.c 2017-02-16 16:15:38.692932200 +0100
@@ -509,7 +509,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
sk = ssl_create_cipher_list(ctx->method, &(ctx->cipher_list),
@ -274,7 +293,7 @@ diff -up openssl-1.1.0b/ssl/ssl_lib.c.system-cipherlist openssl-1.1.0b/ssl/ssl_l
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
return (0);
@@ -2395,7 +2395,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
@@ -2403,7 +2403,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
#endif
if (!ssl_create_cipher_list(ret->method,
&ret->cipher_list, &ret->cipher_list_by_id,
@ -283,9 +302,9 @@ diff -up openssl-1.1.0b/ssl/ssl_lib.c.system-cipherlist openssl-1.1.0b/ssl/ssl_l
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err2;
diff -up openssl-1.1.0b/test/cipherlist_test.c.system-cipherlist openssl-1.1.0b/test/cipherlist_test.c
--- openssl-1.1.0b/test/cipherlist_test.c.system-cipherlist 2016-09-26 11:46:08.000000000 +0200
+++ openssl-1.1.0b/test/cipherlist_test.c 2016-09-26 17:18:29.380513853 +0200
diff -up openssl-1.1.0e/test/cipherlist_test.c.system-cipherlist openssl-1.1.0e/test/cipherlist_test.c
--- openssl-1.1.0e/test/cipherlist_test.c.system-cipherlist 2017-02-16 12:58:24.000000000 +0100
+++ openssl-1.1.0e/test/cipherlist_test.c 2017-02-16 16:15:38.677931853 +0100
@@ -190,7 +190,9 @@ int main(int argc, char **argv)
{
int result = 0;

View File

@ -21,8 +21,8 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.0d
Release: 3%{?dist}
Version: 1.1.0e
Release: 1%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@ -61,7 +61,6 @@ Patch42: openssl-1.1.0-fips.patch
Patch43: openssl-1.1.0-afalg-eventfd2.patch
Patch44: openssl-1.1.0-bio-fd-preserve-nl.patch
# Backported fixes including security fixes
Patch60: openssl-1.1.0-backports.patch
License: OpenSSL
Group: System Environment/Libraries
@ -162,8 +161,6 @@ cp %{SOURCE13} test/
%patch43 -p1 -b .eventfd2
%patch44 -p1 -b .preserve-nl
%patch60 -p1 -b .backports
%build
# Figure out which flags we want to use.
# default
@ -430,6 +427,10 @@ export LD_LIBRARY_PATH
%postun libs -p /sbin/ldconfig
%changelog
* Thu Feb 16 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0e-1
- update to upstream version 1.1.0e
- add documentation of the PROFILE=SYSTEM special cipher string (#1420232)
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.0d-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

View File

@ -1 +1 @@
SHA512 (openssl-1.1.0d-hobbled.tar.xz) = 375cecff07762593606d5e3ea145cf3dfad8ab5ce2fa2b696ffa2fbff9b45b929259f481c44d1db475183030e70eb443ae8c73ee9257fb766597032b27654349
SHA512 (openssl-1.1.0e-hobbled.tar.xz) = 7db753907c211427ed494d92915c255d05faf9b47f22febfffbfe2be602777b6b82d7c71793003c2ebbbf7f67708c80a72aacde2582501ae63761b1090523974