forked from rpms/openssl
import openssl-3.0.0-0.beta2.7.el9
This commit is contained in:
commit
fbde049751
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
||||
SOURCES/openssl-3.0.0-hobbled.tar.xz
|
1
.openssl.metadata
Normal file
1
.openssl.metadata
Normal file
@ -0,0 +1 @@
|
||||
cf283f0e3bdfd2c7480797583c78efe4cabf600e SOURCES/openssl-3.0.0-hobbled.tar.xz
|
33
SOURCES/0001-Aarch64-and-ppc64le-use-lib64.patch
Normal file
33
SOURCES/0001-Aarch64-and-ppc64le-use-lib64.patch
Normal file
@ -0,0 +1,33 @@
|
||||
From 603a35802319c0459737e3f067369ceb990fe2e6 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu, 24 Sep 2020 09:01:41 +0200
|
||||
Subject: Aarch64 and ppc64le use lib64
|
||||
|
||||
(Was openssl-1.1.1-build.patch)
|
||||
---
|
||||
Configurations/10-main.conf | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
|
||||
index d7580bf3e1..a7dbfd7f40 100644
|
||||
--- a/Configurations/10-main.conf
|
||||
+++ b/Configurations/10-main.conf
|
||||
@@ -723,6 +723,7 @@ my %targets = (
|
||||
lib_cppflags => add("-DL_ENDIAN"),
|
||||
asm_arch => 'ppc64',
|
||||
perlasm_scheme => "linux64le",
|
||||
+ multilib => "64",
|
||||
},
|
||||
|
||||
"linux-armv4" => {
|
||||
@@ -765,6 +766,7 @@ my %targets = (
|
||||
inherit_from => [ "linux-generic64" ],
|
||||
asm_arch => 'aarch64',
|
||||
perlasm_scheme => "linux64",
|
||||
+ multilib => "64",
|
||||
},
|
||||
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
|
||||
inherit_from => [ "linux-generic32" ],
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,68 @@
|
||||
From 41df9ae215cee9574e17e6f887c96a7c97d588f5 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu, 24 Sep 2020 09:03:40 +0200
|
||||
Subject: Use more general default values in openssl.cnf
|
||||
|
||||
Also set sha256 as default hash, although that should not be
|
||||
necessary anymore.
|
||||
|
||||
(was openssl-1.1.1-defaults.patch)
|
||||
---
|
||||
apps/openssl.cnf | 12 +++++++-----
|
||||
1 file changed, 7 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
|
||||
index 97567a67be..eb25a0ac48 100644
|
||||
--- a/apps/openssl.cnf
|
||||
+++ b/apps/openssl.cnf
|
||||
@@ -104,7 +104,7 @@ cert_opt = ca_default # Certificate field options
|
||||
|
||||
default_days = 365 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
-default_md = default # use public key default MD
|
||||
+default_md = sha256 # use SHA-256 by default
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# A few difference way of specifying how similar the request should look
|
||||
@@ -136,6 +136,7 @@ emailAddress = optional
|
||||
####################################################################
|
||||
[ req ]
|
||||
default_bits = 2048
|
||||
+default_md = sha256
|
||||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
@@ -158,17 +159,18 @@ string_mask = utf8only
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = Country Name (2 letter code)
|
||||
-countryName_default = AU
|
||||
+countryName_default = XX
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
-stateOrProvinceName_default = Some-State
|
||||
+#stateOrProvinceName_default = Default Province
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
+localityName_default = Default City
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
-0.organizationName_default = Internet Widgits Pty Ltd
|
||||
+0.organizationName_default = Default Company Ltd
|
||||
|
||||
# we can do this but it is not needed normally :-)
|
||||
#1.organizationName = Second Organization Name (eg, company)
|
||||
@@ -177,7 +179,7 @@ localityName = Locality Name (eg, city)
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
#organizationalUnitName_default =
|
||||
|
||||
-commonName = Common Name (e.g. server FQDN or YOUR name)
|
||||
+commonName = Common Name (eg, your name or your server\'s hostname)
|
||||
commonName_max = 64
|
||||
|
||||
emailAddress = Email Address
|
||||
--
|
||||
2.26.2
|
||||
|
26
SOURCES/0003-Do-not-install-html-docs.patch
Normal file
26
SOURCES/0003-Do-not-install-html-docs.patch
Normal file
@ -0,0 +1,26 @@
|
||||
From 3d5755df8d09ca841c0aca2d7344db060f6cc97f Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu, 24 Sep 2020 09:05:55 +0200
|
||||
Subject: Do not install html docs
|
||||
|
||||
(was openssl-1.1.1-no-html.patch)
|
||||
---
|
||||
Configurations/unix-Makefile.tmpl | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
|
||||
index 342e46d24d..9f369edf0e 100644
|
||||
--- a/Configurations/unix-Makefile.tmpl
|
||||
+++ b/Configurations/unix-Makefile.tmpl
|
||||
@@ -554,7 +554,7 @@ install_sw: install_dev install_engines install_modules install_runtime
|
||||
|
||||
uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev
|
||||
|
||||
-install_docs: install_man_docs install_html_docs
|
||||
+install_docs: install_man_docs
|
||||
|
||||
uninstall_docs: uninstall_man_docs uninstall_html_docs
|
||||
$(RM) -r $(DESTDIR)$(DOCDIR)
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,73 @@
|
||||
From 6790960076742a9053c624e26fbb87fcd5789e27 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu, 24 Sep 2020 09:17:26 +0200
|
||||
Subject: Override default paths for the CA directory tree
|
||||
|
||||
Also add default section to load crypto-policies configuration
|
||||
for TLS.
|
||||
|
||||
It needs to be reverted before running tests.
|
||||
|
||||
(was openssl-1.1.1-conf-paths.patch)
|
||||
---
|
||||
apps/CA.pl.in | 2 +-
|
||||
apps/openssl.cnf | 20 ++++++++++++++++++--
|
||||
2 files changed, 19 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/apps/CA.pl.in b/apps/CA.pl.in
|
||||
index c0afb96716..d6a5fabd16 100644
|
||||
--- a/apps/CA.pl.in
|
||||
+++ b/apps/CA.pl.in
|
||||
@@ -29,7 +29,7 @@ my $X509 = "$openssl x509";
|
||||
my $PKCS12 = "$openssl pkcs12";
|
||||
|
||||
# Default values for various configuration settings.
|
||||
-my $CATOP = "./demoCA";
|
||||
+my $CATOP = "/etc/pki/CA";
|
||||
my $CAKEY = "cakey.pem";
|
||||
my $CAREQ = "careq.pem";
|
||||
my $CACERT = "cacert.pem";
|
||||
diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha16/apps/openssl.cnf
|
||||
--- openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls 2021-07-06 13:41:39.204978272 +0200
|
||||
+++ openssl-3.0.0-alpha16/apps/openssl.cnf 2021-07-06 13:49:50.362857683 +0200
|
||||
@@ -53,6 +53,8 @@ tsa_policy3 = 1.2.3.4.5.7
|
||||
|
||||
[openssl_init]
|
||||
providers = provider_sect
|
||||
+# Load default TLS policy configuration
|
||||
+ssl_conf = ssl_module
|
||||
|
||||
# List of providers to load
|
||||
[provider_sect]
|
||||
@@ -64,6 +66,13 @@ default = default_sect
|
||||
[default_sect]
|
||||
# activate = 1
|
||||
|
||||
+[ ssl_module ]
|
||||
+
|
||||
+system_default = crypto_policy
|
||||
+
|
||||
+[ crypto_policy ]
|
||||
+
|
||||
+.include = /etc/crypto-policies/back-ends/opensslcnf.config
|
||||
|
||||
####################################################################
|
||||
[ ca ]
|
||||
@@ -72,7 +81,7 @@ default_ca = CA_default # The default c
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
-dir = ./demoCA # Where everything is kept
|
||||
+dir = /etc/pki/CA # Where everything is kept
|
||||
certs = $dir/certs # Where the issued certs are kept
|
||||
crl_dir = $dir/crl # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
@@ -304,7 +313,7 @@ default_tsa = tsa_config1 # the default
|
||||
[ tsa_config1 ]
|
||||
|
||||
# These are used by the TSA reply generation only.
|
||||
-dir = ./demoCA # TSA root directory
|
||||
+dir = /etc/pki/CA # TSA root directory
|
||||
serial = $dir/tsaserial # The current serial number (mandatory)
|
||||
crypto_device = builtin # OpenSSL engine to use for signing
|
||||
signer_cert = $dir/tsacert.pem # The TSA signing certificate
|
28
SOURCES/0005-apps-ca-fix-md-option-help-text.patch
Normal file
28
SOURCES/0005-apps-ca-fix-md-option-help-text.patch
Normal file
@ -0,0 +1,28 @@
|
||||
From 3d8fa9859501b07e02b76b5577e2915d5851e927 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu, 24 Sep 2020 09:27:18 +0200
|
||||
Subject: apps/ca: fix md option help text
|
||||
|
||||
upstreamable
|
||||
|
||||
(was openssl-1.1.1-apps-dgst.patch)
|
||||
---
|
||||
apps/ca.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/apps/ca.c b/apps/ca.c
|
||||
index 0f21b4fa1c..3d4b2c1673 100755
|
||||
--- a/apps/ca.c
|
||||
+++ b/apps/ca.c
|
||||
@@ -209,7 +209,7 @@ const OPTIONS ca_options[] = {
|
||||
{"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"},
|
||||
|
||||
OPT_SECTION("Signing"),
|
||||
- {"md", OPT_MD, 's', "Digest to use, such as sha256"},
|
||||
+ {"md", OPT_MD, 's', "Digest to use, such as sha256; see openssl help for list"},
|
||||
{"keyfile", OPT_KEYFILE, 's', "The CA private key"},
|
||||
{"keyform", OPT_KEYFORM, 'f',
|
||||
"Private key file format (ENGINE, other values ignored)"},
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,29 @@
|
||||
From 3f9deff30ae6efbfe979043b00cdf649b39793c0 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu, 24 Sep 2020 09:51:34 +0200
|
||||
Subject: Disable signature verification with totally unsafe hash algorithms
|
||||
|
||||
(was openssl-1.1.1-no-weak-verify.patch)
|
||||
---
|
||||
crypto/asn1/a_verify.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
|
||||
index b7eed914b0..af62f0ef08 100644
|
||||
--- a/crypto/asn1/a_verify.c
|
||||
+++ b/crypto/asn1/a_verify.c
|
||||
@@ -152,6 +152,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
|
||||
ERR_raise(ERR_LIB_ASN1, ERR_R_EVP_LIB);
|
||||
if (ret <= 1)
|
||||
goto err;
|
||||
+ } else if ((mdnid == NID_md5
|
||||
+ && ossl_safe_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) ||
|
||||
+ mdnid == NID_md4 || mdnid == NID_md2 || mdnid == NID_sha) {
|
||||
+ ERR_raise(ERR_LIB_ASN1, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
|
||||
+ goto err;
|
||||
} else {
|
||||
const EVP_MD *type = NULL;
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,331 @@
|
||||
From 736d709ec194b3a763e004696df22792c62a11fc Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu, 24 Sep 2020 10:16:46 +0200
|
||||
Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
||||
|
||||
(was openssl-1.1.1-system-cipherlist.patch)
|
||||
---
|
||||
Configurations/unix-Makefile.tmpl | 5 ++
|
||||
Configure | 10 +++-
|
||||
doc/man1/openssl-ciphers.pod.in | 9 ++++
|
||||
include/openssl/ssl.h.in | 5 ++
|
||||
ssl/ssl_ciph.c | 88 +++++++++++++++++++++++++++----
|
||||
ssl/ssl_lib.c | 4 +-
|
||||
test/cipherlist_test.c | 2 +
|
||||
util/libcrypto.num | 1 +
|
||||
8 files changed, 110 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
|
||||
index 9f369edf0e..c52389f831 100644
|
||||
--- a/Configurations/unix-Makefile.tmpl
|
||||
+++ b/Configurations/unix-Makefile.tmpl
|
||||
@@ -269,6 +269,10 @@ MANDIR=$(INSTALLTOP)/share/man
|
||||
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
|
||||
HTMLDIR=$(DOCDIR)/html
|
||||
|
||||
+{- output_off() if $config{system_ciphers_file} eq ""; "" -}
|
||||
+SYSTEM_CIPHERS_FILE_DEFINE=-DSYSTEM_CIPHERS_FILE="\"{- $config{system_ciphers_file} -}\""
|
||||
+{- output_on() if $config{system_ciphers_file} eq ""; "" -}
|
||||
+
|
||||
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
|
||||
# appended after the manpage file section number. "ssl" is popular,
|
||||
# resulting in files such as config.5ssl rather than config.5.
|
||||
@@ -292,6 +296,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
|
||||
CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
|
||||
CPPFLAGS={- our $cppflags1 = join(" ",
|
||||
(map { "-D".$_} @{$config{CPPDEFINES}}),
|
||||
+ "\$(SYSTEM_CIPHERS_FILE_DEFINE)",
|
||||
(map { "-I".$_} @{$config{CPPINCLUDES}}),
|
||||
@{$config{CPPFLAGS}}) -}
|
||||
CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
|
||||
diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in
|
||||
index b4ed3e51d5..2122e6bdfd 100644
|
||||
--- a/doc/man1/openssl-ciphers.pod.in
|
||||
+++ b/doc/man1/openssl-ciphers.pod.in
|
||||
@@ -187,6 +187,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher suites are sensibly ordered by default.
|
||||
|
||||
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
|
||||
|
||||
+=item B<PROFILE=SYSTEM>
|
||||
+
|
||||
+The list of enabled cipher suites will be loaded from the system crypto policy
|
||||
+configuration file B</etc/crypto-policies/back-ends/openssl.config>.
|
||||
+See also L<update-crypto-policies(8)>.
|
||||
+This is the default behavior unless an application explicitly sets a cipher
|
||||
+list. If used in a cipher list configuration value this string must be at the
|
||||
+beginning of the cipher list, otherwise it will not be recognized.
|
||||
+
|
||||
=item B<HIGH>
|
||||
|
||||
"High" encryption cipher suites. This currently means those with key lengths
|
||||
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
|
||||
index f9a61609e4..c6f95fed3f 100644
|
||||
--- a/include/openssl/ssl.h.in
|
||||
+++ b/include/openssl/ssl.h.in
|
||||
@@ -209,6 +209,11 @@ extern "C" {
|
||||
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
|
||||
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
|
||||
*/
|
||||
+# ifdef SYSTEM_CIPHERS_FILE
|
||||
+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM"
|
||||
+# else
|
||||
+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST OSSL_default_cipher_list()
|
||||
+# endif
|
||||
|
||||
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
|
||||
# define SSL_SENT_SHUTDOWN 1
|
||||
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
|
||||
index b1d3f7919e..f7cc7fed48 100644
|
||||
--- a/ssl/ssl_ciph.c
|
||||
+++ b/ssl/ssl_ciph.c
|
||||
@@ -1411,6 +1411,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
|
||||
return ret;
|
||||
}
|
||||
|
||||
+#ifdef SYSTEM_CIPHERS_FILE
|
||||
+static char *load_system_str(const char *suffix)
|
||||
+{
|
||||
+ FILE *fp;
|
||||
+ char buf[1024];
|
||||
+ char *new_rules;
|
||||
+ const char *ciphers_path;
|
||||
+ unsigned len, slen;
|
||||
+
|
||||
+ if ((ciphers_path = ossl_safe_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
|
||||
+ ciphers_path = SYSTEM_CIPHERS_FILE;
|
||||
+ fp = fopen(ciphers_path, "r");
|
||||
+ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
|
||||
+ /* cannot open or file is empty */
|
||||
+ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
|
||||
+ }
|
||||
+
|
||||
+ if (fp)
|
||||
+ fclose(fp);
|
||||
+
|
||||
+ slen = strlen(suffix);
|
||||
+ len = strlen(buf);
|
||||
+
|
||||
+ if (buf[len - 1] == '\n') {
|
||||
+ len--;
|
||||
+ buf[len] = 0;
|
||||
+ }
|
||||
+ if (buf[len - 1] == '\r') {
|
||||
+ len--;
|
||||
+ buf[len] = 0;
|
||||
+ }
|
||||
+
|
||||
+ new_rules = OPENSSL_malloc(len + slen + 1);
|
||||
+ if (new_rules == 0)
|
||||
+ return NULL;
|
||||
+
|
||||
+ memcpy(new_rules, buf, len);
|
||||
+ if (slen > 0) {
|
||||
+ memcpy(&new_rules[len], suffix, slen);
|
||||
+ len += slen;
|
||||
+ }
|
||||
+ new_rules[len] = 0;
|
||||
+
|
||||
+ return new_rules;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
|
||||
STACK_OF(SSL_CIPHER) **cipher_list,
|
||||
@@ -1425,15 +1472,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
|
||||
const SSL_CIPHER **ca_list = NULL;
|
||||
const SSL_METHOD *ssl_method = ctx->method;
|
||||
+#ifdef SYSTEM_CIPHERS_FILE
|
||||
+ char *new_rules = NULL;
|
||||
+
|
||||
+ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
|
||||
+ char *p = rule_str + 14;
|
||||
+
|
||||
+ new_rules = load_system_str(p);
|
||||
+ rule_str = new_rules;
|
||||
+ }
|
||||
+#endif
|
||||
|
||||
/*
|
||||
* Return with error if nothing to do.
|
||||
*/
|
||||
if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
|
||||
- return NULL;
|
||||
+ goto err;
|
||||
|
||||
if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
|
||||
- return NULL;
|
||||
+ goto err;
|
||||
|
||||
/*
|
||||
* To reduce the work to do we only want to process the compiled
|
||||
@@ -1456,7 +1513,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
|
||||
if (co_list == NULL) {
|
||||
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
|
||||
- return NULL; /* Failure */
|
||||
+ goto err;
|
||||
}
|
||||
|
||||
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
|
||||
@@ -1522,8 +1579,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
* in force within each class
|
||||
*/
|
||||
if (!ssl_cipher_strength_sort(&head, &tail)) {
|
||||
- OPENSSL_free(co_list);
|
||||
- return NULL;
|
||||
+ goto err;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1568,9 +1624,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
|
||||
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
|
||||
if (ca_list == NULL) {
|
||||
- OPENSSL_free(co_list);
|
||||
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
|
||||
- return NULL; /* Failure */
|
||||
+ goto err;
|
||||
}
|
||||
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
|
||||
disabled_mkey, disabled_auth, disabled_enc,
|
||||
@@ -1596,8 +1651,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
OPENSSL_free(ca_list); /* Not needed anymore */
|
||||
|
||||
if (!ok) { /* Rule processing failure */
|
||||
- OPENSSL_free(co_list);
|
||||
- return NULL;
|
||||
+ goto err;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1605,10 +1659,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
* if we cannot get one.
|
||||
*/
|
||||
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
|
||||
- OPENSSL_free(co_list);
|
||||
- return NULL;
|
||||
+ goto err;
|
||||
}
|
||||
|
||||
+#ifdef SYSTEM_CIPHERS_FILE
|
||||
+ OPENSSL_free(new_rules); /* Not needed anymore */
|
||||
+#endif
|
||||
+
|
||||
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
|
||||
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
|
||||
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
|
||||
@@ -1622,6 +1679,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
|
||||
if (!sk_SSL_CIPHER_push(cipherstack, sslc)) {
|
||||
sk_SSL_CIPHER_free(cipherstack);
|
||||
+ OPENSSL_free(co_list);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
@@ -1656,6 +1714,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
*cipher_list = cipherstack;
|
||||
|
||||
return cipherstack;
|
||||
+
|
||||
+err:
|
||||
+ OPENSSL_free(co_list);
|
||||
+#ifdef SYSTEM_CIPHERS_FILE
|
||||
+ OPENSSL_free(new_rules);
|
||||
+#endif
|
||||
+ return NULL;
|
||||
+
|
||||
}
|
||||
|
||||
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
||||
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
||||
index d14d5819ba..48d491219a 100644
|
||||
--- a/ssl/ssl_lib.c
|
||||
+++ b/ssl/ssl_lib.c
|
||||
@@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
|
||||
ctx->tls13_ciphersuites,
|
||||
&(ctx->cipher_list),
|
||||
&(ctx->cipher_list_by_id),
|
||||
- OSSL_default_cipher_list(), ctx->cert);
|
||||
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert);
|
||||
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
|
||||
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
|
||||
return 0;
|
||||
@@ -3193,7 +3193,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
|
||||
if (!ssl_create_cipher_list(ret,
|
||||
ret->tls13_ciphersuites,
|
||||
&ret->cipher_list, &ret->cipher_list_by_id,
|
||||
- OSSL_default_cipher_list(), ret->cert)
|
||||
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
|
||||
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
|
||||
ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
|
||||
goto err2;
|
||||
diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c
|
||||
index 380f0727fc..6922a87c30 100644
|
||||
--- a/test/cipherlist_test.c
|
||||
+++ b/test/cipherlist_test.c
|
||||
@@ -244,7 +244,9 @@ end:
|
||||
|
||||
int setup_tests(void)
|
||||
{
|
||||
+#ifndef SYSTEM_CIPHERS_FILE
|
||||
ADD_TEST(test_default_cipherlist_implicit);
|
||||
+#endif
|
||||
ADD_TEST(test_default_cipherlist_explicit);
|
||||
ADD_TEST(test_default_cipherlist_clear);
|
||||
return 1;
|
||||
diff --git a/util/libcrypto.num b/util/libcrypto.num
|
||||
index 404a706fab..e81fa9ec3e 100644
|
||||
--- a/util/libcrypto.num
|
||||
+++ b/util/libcrypto.num
|
||||
@@ -5282,3 +5282,4 @@ OSSL_DECODER_CTX_set_input_structure ? 3_0_0 EXIST::FUNCTION:
|
||||
ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION:
|
||||
EVP_PKEY_get0_provider 5554 3_0_0 EXIST::FUNCTION:
|
||||
EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:
|
||||
+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
||||
--
|
||||
2.26.2
|
||||
|
||||
diff -up openssl-3.0.0-beta1/Configure.sys-default openssl-3.0.0-beta1/Configure
|
||||
--- openssl-3.0.0-beta1/Configure.sys-default 2021-06-29 11:47:58.978144386 +0200
|
||||
+++ openssl-3.0.0-beta1/Configure 2021-06-29 11:52:01.631126260 +0200
|
||||
@@ -27,7 +27,7 @@ use OpenSSL::config;
|
||||
my $orig_death_handler = $SIG{__DIE__};
|
||||
$SIG{__DIE__} = \&death_handler;
|
||||
|
||||
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
||||
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
||||
|
||||
my $banner = <<"EOF";
|
||||
|
||||
@@ -61,6 +61,10 @@ EOF
|
||||
# given with --prefix.
|
||||
# This becomes the value of OPENSSLDIR in Makefile and in C.
|
||||
# (Default: PREFIX/ssl)
|
||||
+#
|
||||
+# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM
|
||||
+# cipher is specified (default).
|
||||
+#
|
||||
# --banner=".." Output specified text instead of default completion banner
|
||||
#
|
||||
# --cross-compile-prefix Add specified prefix to binutils components.
|
||||
@@ -385,6 +389,7 @@ $config{prefix}="";
|
||||
$config{openssldir}="";
|
||||
$config{processor}="";
|
||||
$config{libdir}="";
|
||||
+$config{system_ciphers_file}="";
|
||||
my $auto_threads=1; # enable threads automatically? true by default
|
||||
my $default_ranlib;
|
||||
|
||||
@@ -987,6 +992,10 @@ while (@argvcopy)
|
||||
die "FIPS key too long (64 bytes max)\n"
|
||||
if length $1 > 64;
|
||||
}
|
||||
+ elsif (/^--system-ciphers-file=(.*)$/)
|
||||
+ {
|
||||
+ $config{system_ciphers_file}=$1;
|
||||
+ }
|
||||
elsif (/^--banner=(.*)$/)
|
||||
{
|
||||
$banner = $1 . "\n";
|
87
SOURCES/0008-Add-FIPS_mode-compatibility-macro.patch
Normal file
87
SOURCES/0008-Add-FIPS_mode-compatibility-macro.patch
Normal file
@ -0,0 +1,87 @@
|
||||
From 5b2ec9a54037d7b007324bf53e067e73511cdfe4 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu, 26 Nov 2020 14:00:16 +0100
|
||||
Subject: Add FIPS_mode() compatibility macro
|
||||
|
||||
The macro calls EVP_default_properties_is_fips_enabled() on the
|
||||
default context.
|
||||
---
|
||||
include/openssl/crypto.h.in | 1 +
|
||||
include/openssl/fips.h | 25 +++++++++++++++++++++++++
|
||||
test/property_test.c | 13 +++++++++++++
|
||||
3 files changed, 39 insertions(+)
|
||||
create mode 100644 include/openssl/fips.h
|
||||
|
||||
diff --git a/include/openssl/crypto.h.in b/include/openssl/crypto.h.in
|
||||
index 1036da9a2b..9d4896fcaf 100644
|
||||
--- a/include/openssl/crypto.h.in
|
||||
+++ b/include/openssl/crypto.h.in
|
||||
@@ -38,6 +38,7 @@ use OpenSSL::stackhash qw(generate_stack_macros);
|
||||
# include <openssl/opensslconf.h>
|
||||
# include <openssl/cryptoerr.h>
|
||||
# include <openssl/core.h>
|
||||
+# include <openssl/fips.h>
|
||||
|
||||
# ifdef CHARSET_EBCDIC
|
||||
# include <openssl/ebcdic.h>
|
||||
diff --git a/include/openssl/fips.h b/include/openssl/fips.h
|
||||
new file mode 100644
|
||||
index 0000000000..c64f0f8e8f
|
||||
--- /dev/null
|
||||
+++ b/include/openssl/fips.h
|
||||
@@ -0,0 +1,25 @@
|
||||
+/*
|
||||
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ *
|
||||
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
+ * this file except in compliance with the License. You can obtain a copy
|
||||
+ * in the file LICENSE in the source distribution or at
|
||||
+ * https://www.openssl.org/source/license.html
|
||||
+ */
|
||||
+
|
||||
+#ifndef OPENSSL_FIPS_H
|
||||
+# define OPENSSL_FIPS_H
|
||||
+# pragma once
|
||||
+
|
||||
+# include <openssl/macros.h>
|
||||
+
|
||||
+# ifdef __cplusplus
|
||||
+extern "C" {
|
||||
+# endif
|
||||
+
|
||||
+# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)
|
||||
+
|
||||
+# ifdef __cplusplus
|
||||
+}
|
||||
+# endif
|
||||
+#endif
|
||||
diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1/test/property_test.c
|
||||
--- openssl-3.0.0-beta1/test/property_test.c.fips-macro 2021-06-29 12:14:58.851557698 +0200
|
||||
+++ openssl-3.0.0-beta1/test/property_test.c 2021-06-29 12:17:14.630143832 +0200
|
||||
@@ -488,6 +488,18 @@ static int test_property_list_to_string(
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static int test_downstream_FIPS_mode(void)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ ret = TEST_true(EVP_set_default_properties(NULL, "fips=yes"))
|
||||
+ && TEST_true(FIPS_mode())
|
||||
+ && TEST_true(EVP_set_default_properties(NULL, "fips=no"))
|
||||
+ && TEST_false(FIPS_mode());
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
int setup_tests(void)
|
||||
{
|
||||
ADD_TEST(test_property_string);
|
||||
@@ -500,6 +512,7 @@ int setup_tests(void)
|
||||
ADD_TEST(test_property);
|
||||
ADD_TEST(test_query_cache_stochastic);
|
||||
ADD_TEST(test_fips_mode);
|
||||
+ ADD_TEST(test_downstream_FIPS_mode);
|
||||
ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests));
|
||||
return 1;
|
||||
}
|
5013
SOURCES/0011-Remove-EC-curves.patch
Normal file
5013
SOURCES/0011-Remove-EC-curves.patch
Normal file
File diff suppressed because it is too large
Load Diff
22
SOURCES/0020-sigalgs-fix-alerts.patch
Normal file
22
SOURCES/0020-sigalgs-fix-alerts.patch
Normal file
@ -0,0 +1,22 @@
|
||||
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
||||
index 3579202c22..134c948bcb 100644
|
||||
--- a/ssl/t1_lib.c
|
||||
+++ b/ssl/t1_lib.c
|
||||
@@ -3302,7 +3302,7 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
|
||||
if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
|
||||
if (!fatalerrs)
|
||||
return 1;
|
||||
- SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
||||
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
|
||||
SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
|
||||
return 0;
|
||||
}
|
||||
@@ -3317,7 +3317,7 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
|
||||
if (i == sent_sigslen) {
|
||||
if (!fatalerrs)
|
||||
return 1;
|
||||
- SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
|
||||
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
|
||||
SSL_R_WRONG_SIGNATURE_TYPE);
|
||||
return 0;
|
||||
}
|
38
SOURCES/0021-fix-core-dump-req.patch
Normal file
38
SOURCES/0021-fix-core-dump-req.patch
Normal file
@ -0,0 +1,38 @@
|
||||
diff -up openssl-3.0.0-beta2/apps/req.c.req-segfault openssl-3.0.0-beta2/apps/req.c
|
||||
--- openssl-3.0.0-beta2/apps/req.c.req-segfault 2021-08-10 16:24:58.784384336 +0200
|
||||
+++ openssl-3.0.0-beta2/apps/req.c 2021-08-10 16:26:38.347688172 +0200
|
||||
@@ -996,8 +996,8 @@ int req_main(int argc, char **argv)
|
||||
if (EVP_PKEY_is_a(tpubkey, "RSA")) {
|
||||
BIGNUM *n = NULL;
|
||||
|
||||
- /* Every RSA key has an 'n' */
|
||||
- EVP_PKEY_get_bn_param(pkey, "n", &n);
|
||||
+ if (!EVP_PKEY_get_bn_param(tpubkey, "n", &n))
|
||||
+ goto end;
|
||||
BN_print(out, n);
|
||||
BN_free(n);
|
||||
} else {
|
||||
diff -up openssl-3.0.0-beta2/test/recipes/25-test_req.t.req-segfault openssl-3.0.0-beta2/test/recipes/25-test_req.t
|
||||
--- openssl-3.0.0-beta2/test/recipes/25-test_req.t.req-segfault 2021-08-10 16:26:53.305884053 +0200
|
||||
+++ openssl-3.0.0-beta2/test/recipes/25-test_req.t 2021-08-10 16:28:33.674221058 +0200
|
||||
@@ -78,7 +78,7 @@ subtest "generating alt certificate requ
|
||||
|
||||
|
||||
subtest "generating certificate requests with RSA" => sub {
|
||||
- plan tests => 7;
|
||||
+ plan tests => 8;
|
||||
|
||||
SKIP: {
|
||||
skip "RSA is not supported by this OpenSSL build", 2
|
||||
@@ -105,6 +105,11 @@ subtest "generating certificate requests
|
||||
|
||||
ok(run(app(["openssl", "req",
|
||||
"-config", srctop_file("test", "test.cnf"),
|
||||
+ "-modulus", "-in", "testreq-rsa.pem", "-noout"])),
|
||||
+ "Printing a modulus of the request key");
|
||||
+
|
||||
+ ok(run(app(["openssl", "req",
|
||||
+ "-config", srctop_file("test", "test.cnf"),
|
||||
"-new", "-out", "testreq_withattrs_pem.pem", "-utf8",
|
||||
"-key", srctop_file("test", "testrsa_withattrs.pem")])),
|
||||
"Generating request from a key with extra attributes - PEM");
|
33
SOURCES/0022-fix-openssl-req-password.patch
Normal file
33
SOURCES/0022-fix-openssl-req-password.patch
Normal file
@ -0,0 +1,33 @@
|
||||
diff -up openssl-3.0.0-beta2/apps/req.c.req-password openssl-3.0.0-beta2/apps/req.c
|
||||
--- openssl-3.0.0-beta2/apps/req.c.req-password 2021-08-10 16:31:04.726233653 +0200
|
||||
+++ openssl-3.0.0-beta2/apps/req.c 2021-08-10 16:31:58.286947297 +0200
|
||||
@@ -686,7 +686,7 @@ int req_main(int argc, char **argv)
|
||||
EVP_PKEY_CTX_free(genctx);
|
||||
genctx = NULL;
|
||||
}
|
||||
- if (keyout == NULL) {
|
||||
+ if (keyout == NULL && keyfile == NULL) {
|
||||
keyout = NCONF_get_string(req_conf, section, KEYFILE);
|
||||
if (keyout == NULL)
|
||||
ERR_clear_error();
|
||||
diff -up openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in.req-password openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in
|
||||
--- openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in.req-password 2021-08-10 16:32:21.863261416 +0200
|
||||
+++ openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in 2021-08-10 16:33:19.173025012 +0200
|
||||
@@ -205,11 +205,12 @@ See L<openssl-format-options(1)> for det
|
||||
=item B<-keyout> I<filename>
|
||||
|
||||
This gives the filename to write any private key to that has been newly created
|
||||
-or read from B<-key>.
|
||||
-If the B<-keyout> option is not given the filename specified in the
|
||||
-configuration file with the B<default_keyfile> option is used, if present.
|
||||
-If a new key is generated and no filename is specified
|
||||
-the key is written to standard output.
|
||||
+or read from B<-key>. If neither the B<-keyout> option nor the B<-key> option
|
||||
+are given then the filename specified in the configuration file with the
|
||||
+B<default_keyfile> option is used, if present. Thus, if you want to write the
|
||||
+private key and the B<-key> option is provided, you should provide the
|
||||
+B<-keyout> option explicitly. If a new key is generated and no filename is
|
||||
+specified the key is written to standard output.
|
||||
|
||||
=item B<-noenc>
|
||||
|
38
SOURCES/0023-cms-stdin.patch
Normal file
38
SOURCES/0023-cms-stdin.patch
Normal file
@ -0,0 +1,38 @@
|
||||
diff -up openssl-3.0.0-beta2/apps/cms.c.cms-stdin openssl-3.0.0-beta2/apps/cms.c
|
||||
--- openssl-3.0.0-beta2/apps/cms.c.cms-stdin 2021-08-10 16:20:07.787573587 +0200
|
||||
+++ openssl-3.0.0-beta2/apps/cms.c 2021-08-10 16:23:08.500940124 +0200
|
||||
@@ -278,6 +278,8 @@ static void warn_binary(const char *file
|
||||
unsigned char linebuf[1024], *cur, *end;
|
||||
int len;
|
||||
|
||||
+ if (file == NULL)
|
||||
+ return; /* cannot give a warning for stdin input */
|
||||
if ((bio = bio_open_default(file, 'r', FORMAT_BINARY)) == NULL)
|
||||
return; /* cannot give a proper warning since there is an error */
|
||||
while ((len = BIO_read(bio, linebuf, sizeof(linebuf))) > 0) {
|
||||
@@ -482,13 +484,9 @@ int cms_main(int argc, char **argv)
|
||||
rr_allorfirst = 1;
|
||||
break;
|
||||
case OPT_RCTFORM:
|
||||
- if (rctformat == FORMAT_ASN1) {
|
||||
- if (!opt_format(opt_arg(),
|
||||
- OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat))
|
||||
- goto opthelp;
|
||||
- } else {
|
||||
- rcms = load_content_info(rctformat, rctin, 0, NULL, "recipient");
|
||||
- }
|
||||
+ if (!opt_format(opt_arg(),
|
||||
+ OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat))
|
||||
+ goto opthelp;
|
||||
break;
|
||||
case OPT_CERTFILE:
|
||||
certfile = opt_arg();
|
||||
@@ -954,7 +952,7 @@ int cms_main(int argc, char **argv)
|
||||
goto end;
|
||||
}
|
||||
|
||||
- rcms = load_content_info(rctformat, rctin, 0, NULL, "recipient");
|
||||
+ rcms = load_content_info(rctformat, rctin, 0, NULL, "receipt");
|
||||
if (rcms == NULL)
|
||||
goto end;
|
||||
}
|
67
SOURCES/0024-load-legacy-prov.patch
Normal file
67
SOURCES/0024-load-legacy-prov.patch
Normal file
@ -0,0 +1,67 @@
|
||||
diff -up openssl-3.0.0-beta2/apps/openssl.cnf.legacy-prov openssl-3.0.0-beta2/apps/openssl.cnf
|
||||
--- openssl-3.0.0-beta2/apps/openssl.cnf.legacy-prov 2021-08-16 14:02:48.029645419 +0200
|
||||
+++ openssl-3.0.0-beta2/apps/openssl.cnf 2021-08-16 14:14:48.006409467 +0200
|
||||
@@ -43,28 +43,29 @@ tsa_policy1 = 1.2.3.4.1
|
||||
tsa_policy2 = 1.2.3.4.5.6
|
||||
tsa_policy3 = 1.2.3.4.5.7
|
||||
|
||||
-# For FIPS
|
||||
-# Optionally include a file that is generated by the OpenSSL fipsinstall
|
||||
-# application. This file contains configuration data required by the OpenSSL
|
||||
-# fips provider. It contains a named section e.g. [fips_sect] which is
|
||||
-# referenced from the [provider_sect] below.
|
||||
-# Refer to the OpenSSL security policy for more information.
|
||||
-# .include fipsmodule.cnf
|
||||
-
|
||||
[openssl_init]
|
||||
providers = provider_sect
|
||||
# Load default TLS policy configuration
|
||||
ssl_conf = ssl_module
|
||||
|
||||
-# List of providers to load
|
||||
+# Uncomment the sections that start with ## below to enable the legacy provider.
|
||||
+# Loading the legacy provider enables support for the following algorithms:
|
||||
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
|
||||
+# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
|
||||
+# Key Derivation Function (KDF): PBKDF1
|
||||
+# In general it is not recommended to use the above mentioned algorithms for
|
||||
+# security critical operations, as they are cryptographically weak or vulnerable
|
||||
+# to side-channel attacks and as such have been deprecated.
|
||||
+
|
||||
[provider_sect]
|
||||
-default = default_sect
|
||||
-# The fips section name should match the section name inside the
|
||||
-# included fipsmodule.cnf.
|
||||
-# fips = fips_sect
|
||||
-
|
||||
-[default_sect]
|
||||
-# activate = 1
|
||||
+##default = default_sect
|
||||
+##legacy = legacy_sect
|
||||
+##
|
||||
+##[default_sect]
|
||||
+##activate = 1
|
||||
+##
|
||||
+##[legacy_sect]
|
||||
+##activate = 1
|
||||
|
||||
[ ssl_module ]
|
||||
|
||||
diff -up openssl-3.0.0-beta2/doc/man5/config.pod.legacy-prov openssl-3.0.0-beta2/doc/man5/config.pod
|
||||
--- openssl-3.0.0-beta2/doc/man5/config.pod.legacy-prov 2021-08-16 14:12:35.021606001 +0200
|
||||
+++ openssl-3.0.0-beta2/doc/man5/config.pod 2021-08-16 14:14:47.077396867 +0200
|
||||
@@ -269,6 +269,14 @@ significant.
|
||||
All parameters in the section as well as sub-sections are made
|
||||
available to the provider.
|
||||
|
||||
+=head3 Loading the legacy provider
|
||||
+
|
||||
+Uncomment the sections that start with ## in openssl.cnf
|
||||
+to enable the legacy provider.
|
||||
+Note: In general it is not recommended to use the above mentioned algorithms for
|
||||
+security critical operations, as they are cryptographically weak or vulnerable
|
||||
+to side-channel attacks and as such have been deprecated.
|
||||
+
|
||||
=head2 EVP Configuration
|
||||
|
||||
The name B<alg_section> in the initialization section names the section
|
70
SOURCES/0025-cms-stdin2.patch
Normal file
70
SOURCES/0025-cms-stdin2.patch
Normal file
@ -0,0 +1,70 @@
|
||||
From 9bdf6bb619543248c1bee1d8207b455c1ee40ab6 Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Date: Fri, 20 Aug 2021 16:45:15 +0200
|
||||
Subject: [PATCH] Get rid of warn_binary
|
||||
|
||||
Current implementation of warn_binary introduces a regression
|
||||
when the content is passed in /dev/stdin as an explicit file name
|
||||
and reads the file to be processed twice otherwise.
|
||||
|
||||
I suggest to reimplement this functionality after 3.0 if necessary.
|
||||
|
||||
Fixes #16359
|
||||
---
|
||||
apps/cms.c | 29 -----------------------------
|
||||
1 file changed, 29 deletions(-)
|
||||
|
||||
diff --git a/apps/cms.c b/apps/cms.c
|
||||
index c22027e3b198..b30273f1710d 100644
|
||||
--- a/apps/cms.c
|
||||
+++ b/apps/cms.c
|
||||
@@ -272,31 +272,6 @@ static CMS_ContentInfo *load_content_info(int informat, BIO *in, int flags,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
-static void warn_binary(const char *file)
|
||||
-{
|
||||
- BIO *bio;
|
||||
- unsigned char linebuf[1024], *cur, *end;
|
||||
- int len;
|
||||
-
|
||||
- if (file == NULL)
|
||||
- return; /* cannot give a warning for stdin input */
|
||||
- if ((bio = bio_open_default(file, 'r', FORMAT_BINARY)) == NULL)
|
||||
- return; /* cannot give a proper warning since there is an error */
|
||||
- while ((len = BIO_read(bio, linebuf, sizeof(linebuf))) > 0) {
|
||||
- end = linebuf + len;
|
||||
- for (cur = linebuf; cur < end; cur++) {
|
||||
- if (*cur == '\0' || *cur >= 0x80) {
|
||||
- BIO_printf(bio_err, "Warning: input file '%s' contains %s"
|
||||
- " character; better use -binary option\n",
|
||||
- file, *cur == '\0' ? "NUL" : "8-bit");
|
||||
- goto end;
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
- end:
|
||||
- BIO_free(bio);
|
||||
-}
|
||||
-
|
||||
int cms_main(int argc, char **argv)
|
||||
{
|
||||
CONF *conf = NULL;
|
||||
@@ -911,8 +886,6 @@ int cms_main(int argc, char **argv)
|
||||
goto end;
|
||||
}
|
||||
|
||||
- if ((flags & CMS_BINARY) == 0)
|
||||
- warn_binary(infile);
|
||||
in = bio_open_default(infile, 'r',
|
||||
binary_files ? FORMAT_BINARY : informat);
|
||||
if (in == NULL)
|
||||
@@ -924,8 +897,6 @@ int cms_main(int argc, char **argv)
|
||||
goto end;
|
||||
if (contfile != NULL) {
|
||||
BIO_free(indata);
|
||||
- if ((flags & CMS_BINARY) == 0)
|
||||
- warn_binary(contfile);
|
||||
if ((indata = BIO_new_file(contfile, "rb")) == NULL) {
|
||||
BIO_printf(bio_err, "Can't read content file %s\n", contfile);
|
||||
goto end;
|
82
SOURCES/Makefile.certificate
Normal file
82
SOURCES/Makefile.certificate
Normal file
@ -0,0 +1,82 @@
|
||||
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
|
||||
DAYS=365
|
||||
KEYLEN=2048
|
||||
TYPE=rsa:$(KEYLEN)
|
||||
EXTRA_FLAGS=
|
||||
ifdef SERIAL
|
||||
EXTRA_FLAGS+=-set_serial $(SERIAL)
|
||||
endif
|
||||
|
||||
.PHONY: usage
|
||||
.SUFFIXES: .key .csr .crt .pem
|
||||
.PRECIOUS: %.key %.csr %.crt %.pem
|
||||
|
||||
usage:
|
||||
@echo "This makefile allows you to create:"
|
||||
@echo " o public/private key pairs"
|
||||
@echo " o SSL certificate signing requests (CSRs)"
|
||||
@echo " o self-signed SSL test certificates"
|
||||
@echo
|
||||
@echo "To create a key pair, run \"make SOMETHING.key\"."
|
||||
@echo "To create a CSR, run \"make SOMETHING.csr\"."
|
||||
@echo "To create a test certificate, run \"make SOMETHING.crt\"."
|
||||
@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
|
||||
@echo
|
||||
@echo "To create a key for use with Apache, run \"make genkey\"."
|
||||
@echo "To create a CSR for use with Apache, run \"make certreq\"."
|
||||
@echo "To create a test certificate for use with Apache, run \"make testcert\"."
|
||||
@echo
|
||||
@echo "To create a test certificate with serial number other than random, add SERIAL=num"
|
||||
@echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
|
||||
@echo "Any additional options can be passed to openssl req via EXTRA_FLAGS"
|
||||
@echo
|
||||
@echo Examples:
|
||||
@echo " make server.key"
|
||||
@echo " make server.csr"
|
||||
@echo " make server.crt"
|
||||
@echo " make stunnel.pem"
|
||||
@echo " make genkey"
|
||||
@echo " make certreq"
|
||||
@echo " make testcert"
|
||||
@echo " make server.crt SERIAL=1"
|
||||
@echo " make stunnel.pem EXTRA_FLAGS=-sha384"
|
||||
@echo " make testcert DAYS=600"
|
||||
|
||||
%.pem:
|
||||
umask 77 ; \
|
||||
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
|
||||
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
|
||||
/usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 $(EXTRA_FLAGS) ; \
|
||||
cat $$PEM1 > $@ ; \
|
||||
echo "" >> $@ ; \
|
||||
cat $$PEM2 >> $@ ; \
|
||||
$(RM) $$PEM1 $$PEM2
|
||||
|
||||
%.key:
|
||||
umask 77 ; \
|
||||
/usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
|
||||
|
||||
%.csr: %.key
|
||||
umask 77 ; \
|
||||
/usr/bin/openssl req $(UTF8) -new -key $^ -out $@
|
||||
|
||||
%.crt: %.key
|
||||
umask 77 ; \
|
||||
/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ $(EXTRA_FLAGS)
|
||||
|
||||
TLSROOT=/etc/pki/tls
|
||||
KEY=$(TLSROOT)/private/localhost.key
|
||||
CSR=$(TLSROOT)/certs/localhost.csr
|
||||
CRT=$(TLSROOT)/certs/localhost.crt
|
||||
|
||||
genkey: $(KEY)
|
||||
certreq: $(CSR)
|
||||
testcert: $(CRT)
|
||||
|
||||
$(CSR): $(KEY)
|
||||
umask 77 ; \
|
||||
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)
|
||||
|
||||
$(CRT): $(KEY)
|
||||
umask 77 ; \
|
||||
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) $(EXTRA_FLAGS)
|
7
SOURCES/configuration-prefix.h
Normal file
7
SOURCES/configuration-prefix.h
Normal file
@ -0,0 +1,7 @@
|
||||
/* Prepended at openssl package build-time. Don't include this file directly,
|
||||
* use <openssl/opensslconf.h> instead. */
|
||||
|
||||
#ifndef openssl_conf_multilib_redirection_h
|
||||
#error "Don't include this file directly, use <openssl/opensslconf.h> instead!"
|
||||
#endif
|
||||
|
47
SOURCES/configuration-switch.h
Normal file
47
SOURCES/configuration-switch.h
Normal file
@ -0,0 +1,47 @@
|
||||
/* This file is here to prevent a file conflict on multiarch systems. A
|
||||
* conflict will frequently occur because arch-specific build-time
|
||||
* configuration options are stored (and used, so they can't just be stripped
|
||||
* out) in configuration.h. The original configuration.h has been renamed.
|
||||
* DO NOT INCLUDE THE NEW FILE DIRECTLY -- ALWAYS INCLUDE THIS ONE INSTEAD. */
|
||||
|
||||
#ifdef openssl_conf_multilib_redirection_h
|
||||
#error "Do not define openssl_conf_multilib_redirection_h!"
|
||||
#endif
|
||||
#define openssl_conf_multilib_redirection_h
|
||||
|
||||
#if defined(__i386__)
|
||||
#include "configuration-i386.h"
|
||||
#elif defined(__ia64__)
|
||||
#include "configuration-ia64.h"
|
||||
#elif defined(__mips64) && defined(__MIPSEL__)
|
||||
#include "configuration-mips64el.h"
|
||||
#elif defined(__mips64)
|
||||
#include "configuration-mips64.h"
|
||||
#elif defined(__mips) && defined(__MIPSEL__)
|
||||
#include "configuration-mipsel.h"
|
||||
#elif defined(__mips)
|
||||
#include "configuration-mips.h"
|
||||
#elif defined(__powerpc64__)
|
||||
#include <endian.h>
|
||||
#if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
|
||||
#include "configuration-ppc64.h"
|
||||
#else
|
||||
#include "configuration-ppc64le.h"
|
||||
#endif
|
||||
#elif defined(__powerpc__)
|
||||
#include "configuration-ppc.h"
|
||||
#elif defined(__s390x__)
|
||||
#include "configuration-s390x.h"
|
||||
#elif defined(__s390__)
|
||||
#include "configuration-s390.h"
|
||||
#elif defined(__sparc__) && defined(__arch64__)
|
||||
#include "configuration-sparc64.h"
|
||||
#elif defined(__sparc__)
|
||||
#include "configuration-sparc.h"
|
||||
#elif defined(__x86_64__)
|
||||
#include "configuration-x86_64.h"
|
||||
#else
|
||||
#error "The openssl-devel package does not work your architecture?"
|
||||
#endif
|
||||
|
||||
#undef openssl_conf_multilib_redirection_h
|
628
SOURCES/ec_curve.c
Normal file
628
SOURCES/ec_curve.c
Normal file
@ -0,0 +1,628 @@
|
||||
/*
|
||||
* Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
/*
|
||||
* ECDSA low level APIs are deprecated for public use, but still ok for
|
||||
* internal use.
|
||||
*/
|
||||
#include "internal/deprecated.h"
|
||||
|
||||
#include <string.h>
|
||||
#include "ec_local.h"
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/obj_mac.h>
|
||||
#include <openssl/objects.h>
|
||||
#include <openssl/opensslconf.h>
|
||||
#include "internal/nelem.h"
|
||||
|
||||
typedef struct {
|
||||
int field_type, /* either NID_X9_62_prime_field or
|
||||
* NID_X9_62_characteristic_two_field */
|
||||
seed_len, param_len;
|
||||
unsigned int cofactor; /* promoted to BN_ULONG */
|
||||
} EC_CURVE_DATA;
|
||||
|
||||
/* the nist prime curves */
|
||||
static const struct {
|
||||
EC_CURVE_DATA h;
|
||||
unsigned char data[20 + 28 * 6];
|
||||
} _EC_NIST_PRIME_224 = {
|
||||
{
|
||||
NID_X9_62_prime_field, 20, 28, 1
|
||||
},
|
||||
{
|
||||
/* seed */
|
||||
0xBD, 0x71, 0x34, 0x47, 0x99, 0xD5, 0xC7, 0xFC, 0xDC, 0x45, 0xB5, 0x9F,
|
||||
0xA3, 0xB9, 0xAB, 0x8F, 0x6A, 0x94, 0x8B, 0xC5,
|
||||
/* p */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x01,
|
||||
/* a */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFE,
|
||||
/* b */
|
||||
0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56,
|
||||
0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43,
|
||||
0x23, 0x55, 0xFF, 0xB4,
|
||||
/* x */
|
||||
0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9,
|
||||
0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6,
|
||||
0x11, 0x5C, 0x1D, 0x21,
|
||||
/* y */
|
||||
0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6,
|
||||
0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99,
|
||||
0x85, 0x00, 0x7e, 0x34,
|
||||
/* order */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45,
|
||||
0x5C, 0x5C, 0x2A, 0x3D
|
||||
}
|
||||
};
|
||||
|
||||
static const struct {
|
||||
EC_CURVE_DATA h;
|
||||
unsigned char data[20 + 48 * 6];
|
||||
} _EC_NIST_PRIME_384 = {
|
||||
{
|
||||
NID_X9_62_prime_field, 20, 48, 1
|
||||
},
|
||||
{
|
||||
/* seed */
|
||||
0xA3, 0x35, 0x92, 0x6A, 0xA3, 0x19, 0xA2, 0x7A, 0x1D, 0x00, 0x89, 0x6A,
|
||||
0x67, 0x73, 0xA4, 0x82, 0x7A, 0xCD, 0xAC, 0x73,
|
||||
/* p */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
/* a */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC,
|
||||
/* b */
|
||||
0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B,
|
||||
0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12,
|
||||
0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D,
|
||||
0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF,
|
||||
/* x */
|
||||
0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E,
|
||||
0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98,
|
||||
0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D,
|
||||
0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7,
|
||||
/* y */
|
||||
0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf,
|
||||
0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c,
|
||||
0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce,
|
||||
0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f,
|
||||
/* order */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2,
|
||||
0x48, 0xB0, 0xA7, 0x7A, 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73
|
||||
}
|
||||
};
|
||||
|
||||
static const struct {
|
||||
EC_CURVE_DATA h;
|
||||
unsigned char data[20 + 66 * 6];
|
||||
} _EC_NIST_PRIME_521 = {
|
||||
{
|
||||
NID_X9_62_prime_field, 20, 66, 1
|
||||
},
|
||||
{
|
||||
/* seed */
|
||||
0xD0, 0x9E, 0x88, 0x00, 0x29, 0x1C, 0xB8, 0x53, 0x96, 0xCC, 0x67, 0x17,
|
||||
0x39, 0x32, 0x84, 0xAA, 0xA0, 0xDA, 0x64, 0xBA,
|
||||
/* p */
|
||||
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
/* a */
|
||||
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
|
||||
/* b */
|
||||
0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A,
|
||||
0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3,
|
||||
0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19,
|
||||
0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1,
|
||||
0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45,
|
||||
0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00,
|
||||
/* x */
|
||||
0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E,
|
||||
0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F,
|
||||
0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B,
|
||||
0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF,
|
||||
0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E,
|
||||
0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66,
|
||||
/* y */
|
||||
0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a,
|
||||
0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b,
|
||||
0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee,
|
||||
0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad,
|
||||
0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe,
|
||||
0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
|
||||
/* order */
|
||||
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86,
|
||||
0x87, 0x83, 0xBF, 0x2F, 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09,
|
||||
0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F,
|
||||
0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09
|
||||
}
|
||||
};
|
||||
|
||||
static const struct {
|
||||
EC_CURVE_DATA h;
|
||||
unsigned char data[20 + 32 * 6];
|
||||
} _EC_X9_62_PRIME_256V1 = {
|
||||
{
|
||||
NID_X9_62_prime_field, 20, 32, 1
|
||||
},
|
||||
{
|
||||
/* seed */
|
||||
0xC4, 0x9D, 0x36, 0x08, 0x86, 0xE7, 0x04, 0x93, 0x6A, 0x66, 0x78, 0xE1,
|
||||
0x13, 0x9D, 0x26, 0xB7, 0x81, 0x9F, 0x7E, 0x90,
|
||||
/* p */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
/* a */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
|
||||
/* b */
|
||||
0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55,
|
||||
0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6,
|
||||
0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B,
|
||||
/* x */
|
||||
0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5,
|
||||
0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0,
|
||||
0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96,
|
||||
/* y */
|
||||
0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a,
|
||||
0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce,
|
||||
0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,
|
||||
/* order */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84,
|
||||
0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51
|
||||
}
|
||||
};
|
||||
|
||||
static const struct {
|
||||
EC_CURVE_DATA h;
|
||||
unsigned char data[0 + 32 * 6];
|
||||
} _EC_SECG_PRIME_256K1 = {
|
||||
{
|
||||
NID_X9_62_prime_field, 0, 32, 1
|
||||
},
|
||||
{
|
||||
/* no seed */
|
||||
/* p */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
|
||||
/* a */
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
/* b */
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,
|
||||
/* x */
|
||||
0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95,
|
||||
0xCE, 0x87, 0x0B, 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9,
|
||||
0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, 0x98,
|
||||
/* y */
|
||||
0x48, 0x3a, 0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4, 0xfb, 0xfc,
|
||||
0x0e, 0x11, 0x08, 0xa8, 0xfd, 0x17, 0xb4, 0x48, 0xa6, 0x85, 0x54, 0x19,
|
||||
0x9c, 0x47, 0xd0, 0x8f, 0xfb, 0x10, 0xd4, 0xb8,
|
||||
/* order */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
|
||||
0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
|
||||
}
|
||||
};
|
||||
|
||||
typedef struct _ec_list_element_st {
|
||||
int nid;
|
||||
const EC_CURVE_DATA *data;
|
||||
const EC_METHOD *(*meth) (void);
|
||||
const char *comment;
|
||||
} ec_list_element;
|
||||
|
||||
#ifdef FIPS_MODULE
|
||||
static const ec_list_element curve_list[] = {
|
||||
/* prime field curves */
|
||||
/* secg curves */
|
||||
{NID_secp224r1, &_EC_NIST_PRIME_224.h,
|
||||
# if !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
||||
EC_GFp_nistp224_method,
|
||||
# else
|
||||
0,
|
||||
# endif
|
||||
"NIST/SECG curve over a 224 bit prime field"},
|
||||
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
|
||||
{NID_secp384r1, &_EC_NIST_PRIME_384.h,
|
||||
# if defined(S390X_EC_ASM)
|
||||
EC_GFp_s390x_nistp384_method,
|
||||
# else
|
||||
0,
|
||||
# endif
|
||||
"NIST/SECG curve over a 384 bit prime field"},
|
||||
|
||||
{NID_secp521r1, &_EC_NIST_PRIME_521.h,
|
||||
# if defined(S390X_EC_ASM)
|
||||
EC_GFp_s390x_nistp521_method,
|
||||
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
||||
EC_GFp_nistp521_method,
|
||||
# else
|
||||
0,
|
||||
# endif
|
||||
"NIST/SECG curve over a 521 bit prime field"},
|
||||
|
||||
/* X9.62 curves */
|
||||
{NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
|
||||
# if defined(ECP_NISTZ256_ASM)
|
||||
EC_GFp_nistz256_method,
|
||||
# elif defined(S390X_EC_ASM)
|
||||
EC_GFp_s390x_nistp256_method,
|
||||
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
||||
EC_GFp_nistp256_method,
|
||||
# else
|
||||
0,
|
||||
# endif
|
||||
"X9.62/SECG curve over a 256 bit prime field"},
|
||||
};
|
||||
|
||||
#else
|
||||
|
||||
static const ec_list_element curve_list[] = {
|
||||
/* prime field curves */
|
||||
/* secg curves */
|
||||
# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
||||
{NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
|
||||
"NIST/SECG curve over a 224 bit prime field"},
|
||||
# else
|
||||
{NID_secp224r1, &_EC_NIST_PRIME_224.h, 0,
|
||||
"NIST/SECG curve over a 224 bit prime field"},
|
||||
# endif
|
||||
{NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
|
||||
"SECG curve over a 256 bit prime field"},
|
||||
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
|
||||
{NID_secp384r1, &_EC_NIST_PRIME_384.h,
|
||||
# if defined(S390X_EC_ASM)
|
||||
EC_GFp_s390x_nistp384_method,
|
||||
# else
|
||||
0,
|
||||
# endif
|
||||
"NIST/SECG curve over a 384 bit prime field"},
|
||||
{NID_secp521r1, &_EC_NIST_PRIME_521.h,
|
||||
# if defined(S390X_EC_ASM)
|
||||
EC_GFp_s390x_nistp521_method,
|
||||
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
||||
EC_GFp_nistp521_method,
|
||||
# else
|
||||
0,
|
||||
# endif
|
||||
"NIST/SECG curve over a 521 bit prime field"},
|
||||
/* X9.62 curves */
|
||||
{NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
|
||||
# if defined(ECP_NISTZ256_ASM)
|
||||
EC_GFp_nistz256_method,
|
||||
# elif defined(S390X_EC_ASM)
|
||||
EC_GFp_s390x_nistp256_method,
|
||||
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
||||
EC_GFp_nistp256_method,
|
||||
# else
|
||||
0,
|
||||
# endif
|
||||
"X9.62/SECG curve over a 256 bit prime field"},
|
||||
};
|
||||
#endif /* FIPS_MODULE */
|
||||
|
||||
#define curve_list_length OSSL_NELEM(curve_list)
|
||||
|
||||
static const ec_list_element *ec_curve_nid2curve(int nid)
|
||||
{
|
||||
size_t i;
|
||||
|
||||
if (nid <= 0)
|
||||
return NULL;
|
||||
|
||||
for (i = 0; i < curve_list_length; i++) {
|
||||
if (curve_list[i].nid == nid)
|
||||
return &curve_list[i];
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static EC_GROUP *ec_group_new_from_data(OSSL_LIB_CTX *libctx,
|
||||
const char *propq,
|
||||
const ec_list_element curve)
|
||||
{
|
||||
EC_GROUP *group = NULL;
|
||||
EC_POINT *P = NULL;
|
||||
BN_CTX *ctx = NULL;
|
||||
BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL, *order =
|
||||
NULL;
|
||||
int ok = 0;
|
||||
int seed_len, param_len;
|
||||
const EC_METHOD *meth;
|
||||
const EC_CURVE_DATA *data;
|
||||
const unsigned char *params;
|
||||
|
||||
/* If no curve data curve method must handle everything */
|
||||
if (curve.data == NULL)
|
||||
return ossl_ec_group_new_ex(libctx, propq,
|
||||
curve.meth != NULL ? curve.meth() : NULL);
|
||||
|
||||
if ((ctx = BN_CTX_new_ex(libctx)) == NULL) {
|
||||
ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
|
||||
data = curve.data;
|
||||
seed_len = data->seed_len;
|
||||
param_len = data->param_len;
|
||||
params = (const unsigned char *)(data + 1); /* skip header */
|
||||
params += seed_len; /* skip seed */
|
||||
|
||||
if ((p = BN_bin2bn(params + 0 * param_len, param_len, NULL)) == NULL
|
||||
|| (a = BN_bin2bn(params + 1 * param_len, param_len, NULL)) == NULL
|
||||
|| (b = BN_bin2bn(params + 2 * param_len, param_len, NULL)) == NULL) {
|
||||
ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (curve.meth != 0) {
|
||||
meth = curve.meth();
|
||||
if (((group = ossl_ec_group_new_ex(libctx, propq, meth)) == NULL) ||
|
||||
(!(group->meth->group_set_curve(group, p, a, b, ctx)))) {
|
||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
} else if (data->field_type == NID_X9_62_prime_field) {
|
||||
if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL) {
|
||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
#ifndef OPENSSL_NO_EC2M
|
||||
else { /* field_type ==
|
||||
* NID_X9_62_characteristic_two_field */
|
||||
|
||||
if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL) {
|
||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
EC_GROUP_set_curve_name(group, curve.nid);
|
||||
|
||||
if ((P = EC_POINT_new(group)) == NULL) {
|
||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
|
||||
if ((x = BN_bin2bn(params + 3 * param_len, param_len, NULL)) == NULL
|
||||
|| (y = BN_bin2bn(params + 4 * param_len, param_len, NULL)) == NULL) {
|
||||
ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
if (!EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) {
|
||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
if ((order = BN_bin2bn(params + 5 * param_len, param_len, NULL)) == NULL
|
||||
|| !BN_set_word(x, (BN_ULONG)data->cofactor)) {
|
||||
ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
if (!EC_GROUP_set_generator(group, P, order, x)) {
|
||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
if (seed_len) {
|
||||
if (!EC_GROUP_set_seed(group, params - seed_len, seed_len)) {
|
||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
ok = 1;
|
||||
err:
|
||||
if (!ok) {
|
||||
EC_GROUP_free(group);
|
||||
group = NULL;
|
||||
}
|
||||
EC_POINT_free(P);
|
||||
BN_CTX_free(ctx);
|
||||
BN_free(p);
|
||||
BN_free(a);
|
||||
BN_free(b);
|
||||
BN_free(order);
|
||||
BN_free(x);
|
||||
BN_free(y);
|
||||
return group;
|
||||
}
|
||||
|
||||
EC_GROUP *EC_GROUP_new_by_curve_name_ex(OSSL_LIB_CTX *libctx, const char *propq,
|
||||
int nid)
|
||||
{
|
||||
EC_GROUP *ret = NULL;
|
||||
const ec_list_element *curve;
|
||||
|
||||
if ((curve = ec_curve_nid2curve(nid)) == NULL
|
||||
|| (ret = ec_group_new_from_data(libctx, propq, *curve)) == NULL) {
|
||||
#ifndef FIPS_MODULE
|
||||
ERR_raise_data(ERR_LIB_EC, EC_R_UNKNOWN_GROUP,
|
||||
"name=%s", OBJ_nid2sn(nid));
|
||||
#else
|
||||
ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);
|
||||
#endif
|
||||
return NULL;
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
#ifndef FIPS_MODULE
|
||||
EC_GROUP *EC_GROUP_new_by_curve_name(int nid)
|
||||
{
|
||||
return EC_GROUP_new_by_curve_name_ex(NULL, NULL, nid);
|
||||
}
|
||||
#endif
|
||||
|
||||
size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
|
||||
{
|
||||
size_t i, min;
|
||||
|
||||
if (r == NULL || nitems == 0)
|
||||
return curve_list_length;
|
||||
|
||||
min = nitems < curve_list_length ? nitems : curve_list_length;
|
||||
|
||||
for (i = 0; i < min; i++) {
|
||||
r[i].nid = curve_list[i].nid;
|
||||
r[i].comment = curve_list[i].comment;
|
||||
}
|
||||
|
||||
return curve_list_length;
|
||||
}
|
||||
|
||||
const char *EC_curve_nid2nist(int nid)
|
||||
{
|
||||
return ossl_ec_curve_nid2nist_int(nid);
|
||||
}
|
||||
|
||||
int EC_curve_nist2nid(const char *name)
|
||||
{
|
||||
return ossl_ec_curve_nist2nid_int(name);
|
||||
}
|
||||
|
||||
#define NUM_BN_FIELDS 6
|
||||
/*
|
||||
* Validates EC domain parameter data for known named curves.
|
||||
* This can be used when a curve is loaded explicitly (without a curve
|
||||
* name) or to validate that domain parameters have not been modified.
|
||||
*
|
||||
* Returns: The nid associated with the found named curve, or NID_undef
|
||||
* if not found. If there was an error it returns -1.
|
||||
*/
|
||||
int ossl_ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx)
|
||||
{
|
||||
int ret = -1, nid, len, field_type, param_len;
|
||||
size_t i, seed_len;
|
||||
const unsigned char *seed, *params_seed, *params;
|
||||
unsigned char *param_bytes = NULL;
|
||||
const EC_CURVE_DATA *data;
|
||||
const EC_POINT *generator = NULL;
|
||||
const BIGNUM *cofactor = NULL;
|
||||
/* An array of BIGNUMs for (p, a, b, x, y, order) */
|
||||
BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL};
|
||||
|
||||
/* Use the optional named curve nid as a search field */
|
||||
nid = EC_GROUP_get_curve_name(group);
|
||||
field_type = EC_GROUP_get_field_type(group);
|
||||
seed_len = EC_GROUP_get_seed_len(group);
|
||||
seed = EC_GROUP_get0_seed(group);
|
||||
cofactor = EC_GROUP_get0_cofactor(group);
|
||||
|
||||
BN_CTX_start(ctx);
|
||||
|
||||
/*
|
||||
* The built-in curves contains data fields (p, a, b, x, y, order) that are
|
||||
* all zero-padded to be the same size. The size of the padding is
|
||||
* determined by either the number of bytes in the field modulus (p) or the
|
||||
* EC group order, whichever is larger.
|
||||
*/
|
||||
param_len = BN_num_bytes(group->order);
|
||||
len = BN_num_bytes(group->field);
|
||||
if (len > param_len)
|
||||
param_len = len;
|
||||
|
||||
/* Allocate space to store the padded data for (p, a, b, x, y, order) */
|
||||
param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS);
|
||||
if (param_bytes == NULL)
|
||||
goto end;
|
||||
|
||||
/* Create the bignums */
|
||||
for (i = 0; i < NUM_BN_FIELDS; ++i) {
|
||||
if ((bn[i] = BN_CTX_get(ctx)) == NULL)
|
||||
goto end;
|
||||
}
|
||||
/*
|
||||
* Fill in the bn array with the same values as the internal curves
|
||||
* i.e. the values are p, a, b, x, y, order.
|
||||
*/
|
||||
/* Get p, a & b */
|
||||
if (!(EC_GROUP_get_curve(group, bn[0], bn[1], bn[2], ctx)
|
||||
&& ((generator = EC_GROUP_get0_generator(group)) != NULL)
|
||||
/* Get x & y */
|
||||
&& EC_POINT_get_affine_coordinates(group, generator, bn[3], bn[4], ctx)
|
||||
/* Get order */
|
||||
&& EC_GROUP_get_order(group, bn[5], ctx)))
|
||||
goto end;
|
||||
|
||||
/*
|
||||
* Convert the bignum array to bytes that are joined together to form
|
||||
* a single buffer that contains data for all fields.
|
||||
* (p, a, b, x, y, order) are all zero padded to be the same size.
|
||||
*/
|
||||
for (i = 0; i < NUM_BN_FIELDS; ++i) {
|
||||
if (BN_bn2binpad(bn[i], ¶m_bytes[i*param_len], param_len) <= 0)
|
||||
goto end;
|
||||
}
|
||||
|
||||
for (i = 0; i < curve_list_length; i++) {
|
||||
const ec_list_element curve = curve_list[i];
|
||||
|
||||
data = curve.data;
|
||||
/* Get the raw order byte data */
|
||||
params_seed = (const unsigned char *)(data + 1); /* skip header */
|
||||
params = params_seed + data->seed_len;
|
||||
|
||||
/* Look for unique fields in the fixed curve data */
|
||||
if (data->field_type == field_type
|
||||
&& param_len == data->param_len
|
||||
&& (nid <= 0 || nid == curve.nid)
|
||||
/* check the optional cofactor (ignore if its zero) */
|
||||
&& (BN_is_zero(cofactor)
|
||||
|| BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor))
|
||||
/* Check the optional seed (ignore if its not set) */
|
||||
&& (data->seed_len == 0 || seed_len == 0
|
||||
|| ((size_t)data->seed_len == seed_len
|
||||
&& memcmp(params_seed, seed, seed_len) == 0))
|
||||
/* Check that the groups params match the built-in curve params */
|
||||
&& memcmp(param_bytes, params, param_len * NUM_BN_FIELDS)
|
||||
== 0) {
|
||||
ret = curve.nid;
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
/* Gets here if the group was not found */
|
||||
ret = NID_undef;
|
||||
end:
|
||||
OPENSSL_free(param_bytes);
|
||||
BN_CTX_end(ctx);
|
||||
return ret;
|
||||
}
|
2311
SOURCES/ectest.c
Normal file
2311
SOURCES/ectest.c
Normal file
File diff suppressed because it is too large
Load Diff
26
SOURCES/genpatches
Executable file
26
SOURCES/genpatches
Executable file
@ -0,0 +1,26 @@
|
||||
#!/bin/bash
|
||||
|
||||
if [ $# -ne 2 ] ; then
|
||||
echo "Usage:"
|
||||
echo " $0 <git-dir> <base-tag>"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
git_dir="$1"
|
||||
base_tag="$2"
|
||||
|
||||
target_dir="$(pwd)"
|
||||
|
||||
pushd "$git_dir" >/dev/null
|
||||
git format-patch -k -o "$target_dir" "$base_tag" >/dev/null
|
||||
popd >/dev/null
|
||||
|
||||
echo "# Patches exported from source git"
|
||||
|
||||
i=1
|
||||
for p in *.patch ; do
|
||||
printf "# "
|
||||
sed '/^Subject:/{s/^Subject: //;p};d' "$p"
|
||||
printf "Patch%s: %s\n" $i "$p"
|
||||
i=$(($i + 1))
|
||||
done
|
40
SOURCES/hobble-openssl
Executable file
40
SOURCES/hobble-openssl
Executable file
@ -0,0 +1,40 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Quit out if anything fails.
|
||||
set -e
|
||||
|
||||
# Clean out patent-or-otherwise-encumbered code.
|
||||
# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway
|
||||
# IDEA: 5,214,703 07/01/2012 - expired, we do not remove it anymore
|
||||
# RC5: 5,724,428 01/11/2015 - expired, we do not remove it anymore
|
||||
# EC: ????????? ??/??/2020
|
||||
# SRP: ????????? ??/??/2017 - expired, we do not remove it anymore
|
||||
|
||||
# Remove assembler portions of IDEA, MDC2, and RC5.
|
||||
# (find crypto/rc5/asm -type f | xargs -r rm -fv)
|
||||
|
||||
for c in `find crypto/bn -name "*gf2m.c"`; do
|
||||
echo Destroying $c
|
||||
> $c
|
||||
done
|
||||
|
||||
for c in `find crypto/ec -name "ec2*.c" -o -name "ec_curve.c"`; do
|
||||
echo Destroying $c
|
||||
> $c
|
||||
done
|
||||
|
||||
for c in `find test -name "ectest.c"`; do
|
||||
echo Destroying $c
|
||||
> $c
|
||||
done
|
||||
|
||||
for h in `find crypto ssl apps test -name "*.h"` ; do
|
||||
echo Removing EC2M references from $h
|
||||
cat $h | \
|
||||
awk 'BEGIN {ech=1;} \
|
||||
/^#[ \t]*ifndef.*NO_EC2M/ {ech--; next;} \
|
||||
/^#[ \t]*if/ {if(ech < 1) ech--;} \
|
||||
{if(ech>0) {;print $0};} \
|
||||
/^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \
|
||||
mv $h.hobbled $h
|
||||
done
|
28
SOURCES/make-dummy-cert
Executable file
28
SOURCES/make-dummy-cert
Executable file
@ -0,0 +1,28 @@
|
||||
#!/bin/sh
|
||||
umask 077
|
||||
|
||||
answers() {
|
||||
echo --
|
||||
echo SomeState
|
||||
echo SomeCity
|
||||
echo SomeOrganization
|
||||
echo SomeOrganizationalUnit
|
||||
echo localhost.localdomain
|
||||
echo root@localhost.localdomain
|
||||
}
|
||||
|
||||
if [ $# -eq 0 ] ; then
|
||||
echo $"Usage: `basename $0` filename [...]"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
for target in $@ ; do
|
||||
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX`
|
||||
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX`
|
||||
trap "rm -f $PEM1 $PEM2" SIGINT
|
||||
answers | /usr/bin/openssl req -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
|
||||
cat $PEM1 > ${target}
|
||||
echo "" >> ${target}
|
||||
cat $PEM2 >> ${target}
|
||||
rm -f $PEM1 $PEM2
|
||||
done
|
39
SOURCES/renew-dummy-cert
Executable file
39
SOURCES/renew-dummy-cert
Executable file
@ -0,0 +1,39 @@
|
||||
#!/bin/bash
|
||||
|
||||
if [ $# -eq 0 ]; then
|
||||
echo $"Usage: `basename $0` filename" 1>&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
PEM=$1
|
||||
REQ=`/bin/mktemp /tmp/openssl.XXXXXX`
|
||||
KEY=`/bin/mktemp /tmp/openssl.XXXXXX`
|
||||
CRT=`/bin/mktemp /tmp/openssl.XXXXXX`
|
||||
NEW=${PEM}_
|
||||
|
||||
trap "rm -f $REQ $KEY $CRT $NEW" SIGINT
|
||||
|
||||
if [ ! -f $PEM ]; then
|
||||
echo "$PEM: file not found" 1>&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
umask 077
|
||||
|
||||
OWNER=`ls -l $PEM | awk '{ printf "%s.%s", $3, $4; }'`
|
||||
|
||||
openssl rsa -inform pem -in $PEM -out $KEY
|
||||
openssl x509 -x509toreq -in $PEM -signkey $KEY -out $REQ
|
||||
openssl x509 -req -in $REQ -signkey $KEY -days 365 \
|
||||
-extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -out $CRT
|
||||
|
||||
(cat $KEY ; echo "" ; cat $CRT) > $NEW
|
||||
|
||||
chown $OWNER $NEW
|
||||
|
||||
mv -f $NEW $PEM
|
||||
|
||||
rm -f $REQ $KEY $CRT
|
||||
|
||||
exit 0
|
||||
|
486
SPECS/openssl.spec
Normal file
486
SPECS/openssl.spec
Normal file
@ -0,0 +1,486 @@
|
||||
# For the curious:
|
||||
# 0.9.8jk + EAP-FAST soversion = 8
|
||||
# 1.0.0 soversion = 10
|
||||
# 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols
|
||||
# depends on build configuration options)
|
||||
# 3.0.0 soversion = 3 (same as upstream)
|
||||
%define soversion 3
|
||||
|
||||
# Arches on which we need to prevent arch conflicts on opensslconf.h, must
|
||||
# also be handled in opensslconf-new.h.
|
||||
%define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64
|
||||
|
||||
%global _performance_build 1
|
||||
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 3.0.0
|
||||
Release: 0.beta2.7%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
# The original openssl upstream tarball cannot be shipped in the .src.rpm.
|
||||
Source: openssl-%{version}-hobbled.tar.xz
|
||||
Source1: hobble-openssl
|
||||
Source2: Makefile.certificate
|
||||
Source3: genpatches
|
||||
Source6: make-dummy-cert
|
||||
Source7: renew-dummy-cert
|
||||
Source9: configuration-switch.h
|
||||
Source10: configuration-prefix.h
|
||||
Source12: ec_curve.c
|
||||
Source13: ectest.c
|
||||
|
||||
# Patches exported from source git
|
||||
# Aarch64 and ppc64le use lib64
|
||||
Patch1: 0001-Aarch64-and-ppc64le-use-lib64.patch
|
||||
# Use more general default values in openssl.cnf
|
||||
Patch2: 0002-Use-more-general-default-values-in-openssl.cnf.patch
|
||||
# Do not install html docs
|
||||
Patch3: 0003-Do-not-install-html-docs.patch
|
||||
# Override default paths for the CA directory tree
|
||||
Patch4: 0004-Override-default-paths-for-the-CA-directory-tree.patch
|
||||
# apps/ca: fix md option help text
|
||||
Patch5: 0005-apps-ca-fix-md-option-help-text.patch
|
||||
# Disable signature verification with totally unsafe hash algorithms
|
||||
Patch6: 0006-Disable-signature-verification-with-totally-unsafe-h.patch
|
||||
# Add support for PROFILE=SYSTEM system default cipherlist
|
||||
Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
|
||||
# Add FIPS_mode() compatibility macro
|
||||
Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
|
||||
# Add check to see if fips flag is enabled in kernel
|
||||
#Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
|
||||
# remove unsupported EC curves
|
||||
Patch11: 0011-Remove-EC-curves.patch
|
||||
# Update alerts according to #1965017
|
||||
Patch20: 0020-sigalgs-fix-alerts.patch
|
||||
# Fixes core dump in openssl req -modulus
|
||||
Patch21: 0021-fix-core-dump-req.patch
|
||||
# Fixes 'openssl req' to not ask for password when non-encrypted key
|
||||
Patch22: 0022-fix-openssl-req-password.patch
|
||||
# cms: Do not try to check binary format on stdin and -rctform fix
|
||||
Patch23: 0023-cms-stdin.patch
|
||||
# Instructions to load legacy provider in openssl.cnf
|
||||
Patch24: 0024-load-legacy-prov.patch
|
||||
# cms: don't read /dev/stdin twice
|
||||
Patch25: 0025-cms-stdin2.patch
|
||||
|
||||
License: ASL 2.0
|
||||
URL: http://www.openssl.org/
|
||||
BuildRequires: gcc
|
||||
BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
|
||||
BuildRequires: lksctp-tools-devel
|
||||
BuildRequires: /usr/bin/rename
|
||||
BuildRequires: /usr/bin/pod2man
|
||||
BuildRequires: /usr/sbin/sysctl
|
||||
BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
|
||||
BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
|
||||
BuildRequires: perl(Time::HiRes), perl(IPC::Cmd), perl(Pod::Html), perl(Digest::SHA)
|
||||
BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy), perl(bigint)
|
||||
BuildRequires: git-core
|
||||
Requires: coreutils
|
||||
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
|
||||
%description
|
||||
The OpenSSL toolkit provides support for secure communications between
|
||||
machines. OpenSSL includes a certificate management tool and shared
|
||||
libraries which provide various cryptographic algorithms and
|
||||
protocols.
|
||||
|
||||
%package libs
|
||||
Summary: A general purpose cryptography library with TLS implementation
|
||||
Requires: ca-certificates >= 2008-5
|
||||
Requires: crypto-policies >= 20180730
|
||||
Recommends: openssl-pkcs11%{?_isa}
|
||||
|
||||
%description libs
|
||||
OpenSSL is a toolkit for supporting cryptography. The openssl-libs
|
||||
package contains the libraries that are used by various applications which
|
||||
support cryptographic algorithms and protocols.
|
||||
|
||||
%package devel
|
||||
Summary: Files for development of applications which will use OpenSSL
|
||||
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: pkgconfig
|
||||
|
||||
%description devel
|
||||
OpenSSL is a toolkit for supporting cryptography. The openssl-devel
|
||||
package contains include files needed to develop applications which
|
||||
support various cryptographic algorithms and protocols.
|
||||
|
||||
%package perl
|
||||
Summary: Perl scripts provided with OpenSSL
|
||||
Requires: perl-interpreter
|
||||
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
|
||||
%description perl
|
||||
OpenSSL is a toolkit for supporting cryptography. The openssl-perl
|
||||
package provides Perl scripts for converting certificates and keys
|
||||
from other formats to the formats used by the OpenSSL toolkit.
|
||||
|
||||
%prep
|
||||
%autosetup -S git -n %{name}-%{version}-beta2
|
||||
|
||||
# The hobble_openssl is called here redundantly, just to be sure.
|
||||
# The tarball has already the sources removed.
|
||||
%{SOURCE1} > /dev/null
|
||||
|
||||
cp %{SOURCE12} crypto/ec/
|
||||
cp %{SOURCE13} test/
|
||||
|
||||
%build
|
||||
# Figure out which flags we want to use.
|
||||
# default
|
||||
sslarch=%{_os}-%{_target_cpu}
|
||||
%ifarch %ix86
|
||||
sslarch=linux-elf
|
||||
if ! echo %{_target} | grep -q i686 ; then
|
||||
sslflags="no-asm 386"
|
||||
fi
|
||||
%endif
|
||||
%ifarch x86_64
|
||||
sslflags=enable-ec_nistp_64_gcc_128
|
||||
%endif
|
||||
%ifarch sparcv9
|
||||
sslarch=linux-sparcv9
|
||||
sslflags=no-asm
|
||||
%endif
|
||||
%ifarch sparc64
|
||||
sslarch=linux64-sparcv9
|
||||
sslflags=no-asm
|
||||
%endif
|
||||
%ifarch alpha alphaev56 alphaev6 alphaev67
|
||||
sslarch=linux-alpha-gcc
|
||||
%endif
|
||||
%ifarch s390 sh3eb sh4eb
|
||||
sslarch="linux-generic32 -DB_ENDIAN"
|
||||
%endif
|
||||
%ifarch s390x
|
||||
sslarch="linux64-s390x"
|
||||
%endif
|
||||
%ifarch %{arm}
|
||||
sslarch=linux-armv4
|
||||
%endif
|
||||
%ifarch aarch64
|
||||
sslarch=linux-aarch64
|
||||
sslflags=enable-ec_nistp_64_gcc_128
|
||||
%endif
|
||||
%ifarch sh3 sh4
|
||||
sslarch=linux-generic32
|
||||
%endif
|
||||
%ifarch ppc64 ppc64p7
|
||||
sslarch=linux-ppc64
|
||||
%endif
|
||||
%ifarch ppc64le
|
||||
sslarch="linux-ppc64le"
|
||||
sslflags=enable-ec_nistp_64_gcc_128
|
||||
%endif
|
||||
%ifarch mips mipsel
|
||||
sslarch="linux-mips32 -mips32r2"
|
||||
%endif
|
||||
%ifarch mips64 mips64el
|
||||
sslarch="linux64-mips64 -mips64r2"
|
||||
%endif
|
||||
%ifarch mips64el
|
||||
sslflags=enable-ec_nistp_64_gcc_128
|
||||
%endif
|
||||
%ifarch riscv64
|
||||
sslarch=linux-generic64
|
||||
%endif
|
||||
|
||||
# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
|
||||
# marked as not requiring an executable stack.
|
||||
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
|
||||
# want to depend on the uninitialized memory as a source of entropy anyway.
|
||||
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"
|
||||
|
||||
export HASHBANGPERL=/usr/bin/perl
|
||||
|
||||
# ia64, x86_64, ppc are OK by default
|
||||
# Configure the build tree. Override OpenSSL defaults with known-good defaults
|
||||
# usable on all platforms. The Configure script already knows to use -fPIC and
|
||||
# RPM_OPT_FLAGS, so we can skip specifiying them here.
|
||||
./Configure \
|
||||
--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
|
||||
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
|
||||
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
|
||||
enable-cms enable-md2 enable-rc5 enable-ktls enable-fips\
|
||||
no-mdc2 no-ec2m no-sm2 no-sm4 \
|
||||
shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'
|
||||
|
||||
# Do not run this in a production package the FIPS symbols must be patched-in
|
||||
#util/mkdef.pl crypto update
|
||||
|
||||
make -s %{?_smp_mflags} all
|
||||
|
||||
# Clean up the .pc files
|
||||
for i in libcrypto.pc libssl.pc openssl.pc ; do
|
||||
sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
|
||||
done
|
||||
|
||||
%check
|
||||
# Verify that what was compiled actually works.
|
||||
|
||||
# Hack - either enable SCTP AUTH chunks in kernel or disable sctp for check
|
||||
(sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \
|
||||
(echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' &&
|
||||
sed '/"msan" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \
|
||||
touch -r configdata.pm configdata.pm.new && \
|
||||
mv -f configdata.pm.new configdata.pm)
|
||||
|
||||
# We must revert patch4 before tests otherwise they will fail
|
||||
patch -p1 -R < %{PATCH4}
|
||||
|
||||
OPENSSL_ENABLE_MD5_VERIFY=
|
||||
export OPENSSL_ENABLE_MD5_VERIFY
|
||||
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
|
||||
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
|
||||
make test HARNESS_JOBS=8
|
||||
|
||||
# Add generation of HMAC checksum of the final stripped library
|
||||
#%define __spec_install_post \
|
||||
# %{?__debug_package:%{__debug_install_post}} \
|
||||
# %{__arch_install_post} \
|
||||
# %{__os_install_post} \
|
||||
# crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{version}.hmac \
|
||||
# ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{soversion}.hmac \
|
||||
# crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \
|
||||
# ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{soversion}.hmac \
|
||||
#%{nil}
|
||||
|
||||
%define __provides_exclude_from %{_libdir}/openssl
|
||||
|
||||
%install
|
||||
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
|
||||
# Install OpenSSL.
|
||||
install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}}
|
||||
%make_install
|
||||
rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
|
||||
for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
|
||||
chmod 755 ${lib}
|
||||
ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`
|
||||
ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
|
||||
done
|
||||
|
||||
# Remove static libraries
|
||||
for lib in $RPM_BUILD_ROOT%{_libdir}/*.a ; do
|
||||
rm -f ${lib}
|
||||
done
|
||||
|
||||
# Install a makefile for generating keys and self-signed certs, and a script
|
||||
# for generating them on the fly.
|
||||
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
|
||||
install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate
|
||||
install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert
|
||||
install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert
|
||||
|
||||
# Move runable perl scripts to bindir
|
||||
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/*.pl $RPM_BUILD_ROOT%{_bindir}
|
||||
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/tsget $RPM_BUILD_ROOT%{_bindir}
|
||||
|
||||
# Rename man pages so that they don't conflict with other system man pages.
|
||||
pushd $RPM_BUILD_ROOT%{_mandir}
|
||||
mv man5/config.5ossl man5/openssl.cnf.5
|
||||
popd
|
||||
|
||||
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA
|
||||
mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private
|
||||
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs
|
||||
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl
|
||||
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts
|
||||
|
||||
# Ensure the config file timestamps are identical across builds to avoid
|
||||
# mulitlib conflicts and unnecessary renames on upgrade
|
||||
touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf
|
||||
touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf
|
||||
|
||||
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist
|
||||
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
|
||||
%ifarch i686
|
||||
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fipsmodule.cnf
|
||||
%endif
|
||||
|
||||
# Determine which arch opensslconf.h is going to try to #include.
|
||||
basearch=%{_arch}
|
||||
%ifarch %{ix86}
|
||||
basearch=i386
|
||||
%endif
|
||||
%ifarch sparcv9
|
||||
basearch=sparc
|
||||
%endif
|
||||
%ifarch sparc64
|
||||
basearch=sparc64
|
||||
%endif
|
||||
|
||||
# Next step of gradual disablement of SSL3.
|
||||
# Make SSL3 disappear to newly built dependencies.
|
||||
sed -i '/^\#ifndef OPENSSL_NO_SSL_TRACE/i\
|
||||
#ifndef OPENSSL_NO_SSL3\
|
||||
# define OPENSSL_NO_SSL3\
|
||||
#endif' $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h
|
||||
|
||||
%ifarch %{multilib_arches}
|
||||
# Do an configuration.h switcheroo to avoid file conflicts on systems where you
|
||||
# can have both a 32- and 64-bit version of the library, and they each need
|
||||
# their own correct-but-different versions of opensslconf.h to be usable.
|
||||
install -m644 %{SOURCE10} \
|
||||
$RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration-${basearch}.h
|
||||
cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h >> \
|
||||
$RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration-${basearch}.h
|
||||
install -m644 %{SOURCE9} \
|
||||
$RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h
|
||||
%endif
|
||||
|
||||
%files
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license LICENSE.txt
|
||||
%doc NEWS.md README.md
|
||||
%{_bindir}/make-dummy-cert
|
||||
%{_bindir}/renew-dummy-cert
|
||||
%{_bindir}/openssl
|
||||
%{_mandir}/man1/*
|
||||
%{_mandir}/man5/*
|
||||
%{_mandir}/man7/*
|
||||
%{_pkgdocdir}/Makefile.certificate
|
||||
%exclude %{_mandir}/man1/*.pl*
|
||||
%exclude %{_mandir}/man1/tsget*
|
||||
|
||||
%files libs
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license LICENSE.txt
|
||||
%dir %{_sysconfdir}/pki/tls
|
||||
%dir %{_sysconfdir}/pki/tls/certs
|
||||
%dir %{_sysconfdir}/pki/tls/misc
|
||||
%dir %{_sysconfdir}/pki/tls/private
|
||||
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
|
||||
%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
|
||||
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
|
||||
%{_libdir}/libcrypto.so.%{soversion}
|
||||
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
|
||||
%{_libdir}/libssl.so.%{soversion}
|
||||
%attr(0755,root,root) %{_libdir}/engines-%{soversion}
|
||||
%attr(0755,root,root) %{_libdir}/ossl-modules
|
||||
%ifnarch i686
|
||||
%config(noreplace) %{_sysconfdir}/pki/tls/fipsmodule.cnf
|
||||
%endif
|
||||
|
||||
%files devel
|
||||
%doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el
|
||||
%{_prefix}/include/openssl
|
||||
%{_libdir}/*.so
|
||||
%{_mandir}/man3/*
|
||||
%{_libdir}/pkgconfig/*.pc
|
||||
|
||||
%files perl
|
||||
%{_bindir}/c_rehash
|
||||
%{_bindir}/*.pl
|
||||
%{_bindir}/tsget
|
||||
%{_mandir}/man1/*.pl*
|
||||
%{_mandir}/man1/tsget*
|
||||
%dir %{_sysconfdir}/pki/CA
|
||||
%dir %{_sysconfdir}/pki/CA/private
|
||||
%dir %{_sysconfdir}/pki/CA/certs
|
||||
%dir %{_sysconfdir}/pki/CA/crl
|
||||
%dir %{_sysconfdir}/pki/CA/newcerts
|
||||
|
||||
%ldconfig_scriptlets libs
|
||||
|
||||
%changelog
|
||||
* Wed Aug 25 2021 Sahana Prasad <sahana@redhat.com> - 1:3.0.0-0.beta2.7
|
||||
- Removes the dual-abi build as it not required anymore. The mass rebuild
|
||||
was completed and all packages are rebuilt against Beta version.
|
||||
- Resolves: rhbz#1984097
|
||||
|
||||
* Mon Aug 23 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-0.beta2.6
|
||||
- Correctly process CMS reading from /dev/stdin
|
||||
- Resolves: rhbz#1986315
|
||||
|
||||
* Mon Aug 16 2021 Sahana Prasad <sahana@redhat.com> - 3.0.0-0.beta2.5
|
||||
- Add instruction for loading legacy provider in openssl.cnf
|
||||
- Resolves: rhbz#1975836
|
||||
|
||||
* Mon Aug 16 2021 Sahana Prasad <sahana@redhat.com> - 3.0.0-0.beta2.4
|
||||
- Adds support for IDEA encryption.
|
||||
- Resolves: rhbz#1990602
|
||||
|
||||
* Tue Aug 10 2021 Sahana Prasad <sahana@redhat.com> - 3.0.0-0.beta2.3
|
||||
- Fixes core dump in openssl req -modulus
|
||||
- Fixes 'openssl req' to not ask for password when non-encrypted private key
|
||||
is used
|
||||
- cms: Do not try to check binary format on stdin and -rctform fix
|
||||
- Resolves: rhbz#1988137, rhbz#1988468, rhbz#1988137
|
||||
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:3.0.0-0.beta2.2.1
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||
* Wed Aug 04 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 3.0.0-0.beta2.2
|
||||
- When signature_algorithm extension is omitted, use more relevant alerts
|
||||
- Resolves: rhbz#1965017
|
||||
|
||||
* Tue Aug 03 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta2.1
|
||||
- Rebase to upstream version beta2
|
||||
- Related: rhbz#1903209
|
||||
|
||||
* Thu Jul 22 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.5
|
||||
- Prevents creation of duplicate cert entries in PKCS #12 files
|
||||
- Resolves: rhbz#1978670
|
||||
|
||||
* Wed Jul 21 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.4
|
||||
- NVR bump to update to OpenSSL 3.0 Beta1
|
||||
|
||||
* Mon Jul 19 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.3
|
||||
- Update patch dual-abi.patch to add the #define macros in implementation
|
||||
files instead of public header files
|
||||
|
||||
* Wed Jul 14 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.2
|
||||
- Removes unused patch dual-abi.patch
|
||||
|
||||
* Wed Jul 14 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.1
|
||||
- Update to Beta1 version
|
||||
- Includes a patch to support dual-ABI, as Beta1 brekas ABI with alpha16
|
||||
|
||||
* Tue Jul 06 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.7
|
||||
- Fixes override of openssl_conf in openssl.cnf
|
||||
- Use AI_ADDRCONFIG only when explicit host name is given
|
||||
- Temporarily remove fipsmodule.cnf for arch i686
|
||||
- Fixes segmentation fault in BN_lebin2bn
|
||||
- Resolves: rhbz#1975847, rhbz#1976845, rhbz#1973477, rhbz#1975855
|
||||
|
||||
* Fri Jul 02 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.6
|
||||
- Adds FIPS mode compatibility patch (sahana@redhat.com)
|
||||
- Related: rhbz#1977318
|
||||
|
||||
* Fri Jul 02 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.5
|
||||
- Fixes system hang issue when booted in FIPS mode (sahana@redhat.com)
|
||||
- Temporarily disable downstream FIPS patches
|
||||
- Related: rhbz#1977318
|
||||
|
||||
* Fri Jun 11 2021 Mohan Boddu <mboddu@redhat.com> 3.0.0-0.alpha16.4
|
||||
- Speeding up building openssl (dbelyavs@redhat.com)
|
||||
Resolves: rhbz#1903209
|
||||
|
||||
* Fri Jun 04 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.3
|
||||
- Fix reading SPKAC data from stdin
|
||||
- Fix incorrect OSSL_PKEY_PARAM_MAX_SIZE for ed25519 and ed448
|
||||
- Return 0 after cleanup in OPENSSL_init_crypto()
|
||||
- Cleanup the peer point formats on regotiation
|
||||
- Fix default digest to SHA256
|
||||
|
||||
* Thu May 27 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.2
|
||||
- Enable FIPS via config options
|
||||
|
||||
* Mon May 17 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.1
|
||||
- Update to alpha 16 version
|
||||
Resolves: rhbz#1952901 openssl sends alert after orderly connection close
|
||||
|
||||
* Mon Apr 26 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha15.1
|
||||
- Update to alpha 15 version
|
||||
Resolves: rhbz#1903209, rhbz#1952598,
|
||||
|
||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:3.0.0-0.alpha13.1.1
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
* Fri Apr 09 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha13.1
|
||||
- Update to new major release OpenSSL 3.0.0 alpha 13
|
||||
Resolves: rhbz#1903209
|
Loading…
Reference in New Issue
Block a user