Synced with native openssl-1.0.2a-1.fc23
This commit is contained in:
parent
183a42d3cc
commit
038bb32a6e
625
ec_curve.c
625
ec_curve.c
@ -10,7 +10,7 @@
|
|||||||
* are met:
|
* are met:
|
||||||
*
|
*
|
||||||
* 1. Redistributions of source code must retain the above copyright
|
* 1. Redistributions of source code must retain the above copyright
|
||||||
* notice, this list of conditions and the following disclaimer.
|
* notice, this list of conditions and the following disclaimer.
|
||||||
*
|
*
|
||||||
* 2. Redistributions in binary form must reproduce the above copyright
|
* 2. Redistributions in binary form must reproduce the above copyright
|
||||||
* notice, this list of conditions and the following disclaimer in
|
* notice, this list of conditions and the following disclaimer in
|
||||||
@ -58,339 +58,398 @@
|
|||||||
/* ====================================================================
|
/* ====================================================================
|
||||||
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
|
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
|
||||||
*
|
*
|
||||||
* Portions of the attached software ("Contribution") are developed by
|
* Portions of the attached software ("Contribution") are developed by
|
||||||
* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
|
* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
|
||||||
*
|
*
|
||||||
* The Contribution is licensed pursuant to the OpenSSL open source
|
* The Contribution is licensed pursuant to the OpenSSL open source
|
||||||
* license provided above.
|
* license provided above.
|
||||||
*
|
*
|
||||||
* The elliptic curve binary polynomial software is originally written by
|
* The elliptic curve binary polynomial software is originally written by
|
||||||
* Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
|
* Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
#include <string.h>
|
||||||
#include "ec_lcl.h"
|
#include "ec_lcl.h"
|
||||||
#include <openssl/err.h>
|
#include <openssl/err.h>
|
||||||
#include <openssl/obj_mac.h>
|
#include <openssl/obj_mac.h>
|
||||||
#include <openssl/opensslconf.h>
|
#include <openssl/opensslconf.h>
|
||||||
|
|
||||||
|
#ifdef OPENSSL_FIPS
|
||||||
|
# include <openssl/fips.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
typedef struct {
|
typedef struct {
|
||||||
int field_type, /* either NID_X9_62_prime_field or
|
int field_type, /* either NID_X9_62_prime_field or
|
||||||
* NID_X9_62_characteristic_two_field */
|
* NID_X9_62_characteristic_two_field */
|
||||||
seed_len,
|
seed_len, param_len;
|
||||||
param_len;
|
unsigned int cofactor; /* promoted to BN_ULONG */
|
||||||
unsigned int cofactor; /* promoted to BN_ULONG */
|
|
||||||
} EC_CURVE_DATA;
|
} EC_CURVE_DATA;
|
||||||
|
|
||||||
static const struct { EC_CURVE_DATA h; unsigned char data[20+48*6]; }
|
/* the nist prime curves */
|
||||||
_EC_NIST_PRIME_384 = {
|
static const struct {
|
||||||
{ NID_X9_62_prime_field,20,48,1 },
|
EC_CURVE_DATA h;
|
||||||
{ 0xA3,0x35,0x92,0x6A,0xA3,0x19,0xA2,0x7A,0x1D,0x00, /* seed */
|
unsigned char data[20 + 48 * 6];
|
||||||
0x89,0x6A,0x67,0x73,0xA4,0x82,0x7A,0xCD,0xAC,0x73,
|
} _EC_NIST_PRIME_384 = {
|
||||||
|
{
|
||||||
|
NID_X9_62_prime_field, 20, 48, 1
|
||||||
|
},
|
||||||
|
{
|
||||||
|
/* seed */
|
||||||
|
0xA3, 0x35, 0x92, 0x6A, 0xA3, 0x19, 0xA2, 0x7A, 0x1D, 0x00, 0x89, 0x6A,
|
||||||
|
0x67, 0x73, 0xA4, 0x82, 0x7A, 0xCD, 0xAC, 0x73,
|
||||||
|
/* p */
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
/* a */
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC,
|
||||||
|
/* b */
|
||||||
|
0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B,
|
||||||
|
0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12,
|
||||||
|
0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D,
|
||||||
|
0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF,
|
||||||
|
/* x */
|
||||||
|
0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E,
|
||||||
|
0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98,
|
||||||
|
0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D,
|
||||||
|
0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7,
|
||||||
|
/* y */
|
||||||
|
0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf,
|
||||||
|
0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c,
|
||||||
|
0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce,
|
||||||
|
0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f,
|
||||||
|
/* order */
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2,
|
||||||
|
0x48, 0xB0, 0xA7, 0x7A, 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */
|
static const struct {
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
|
EC_CURVE_DATA h;
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
|
unsigned char data[20 + 66 * 6];
|
||||||
0xFF,0xFE,0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,
|
} _EC_NIST_PRIME_521 = {
|
||||||
0x00,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF,
|
{
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* a */
|
NID_X9_62_prime_field, 20, 66, 1
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
|
},
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
|
{
|
||||||
0xFF,0xFE,0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,
|
/* seed */
|
||||||
0x00,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFC,
|
0xD0, 0x9E, 0x88, 0x00, 0x29, 0x1C, 0xB8, 0x53, 0x96, 0xCC, 0x67, 0x17,
|
||||||
0xB3,0x31,0x2F,0xA7,0xE2,0x3E,0xE7,0xE4,0x98,0x8E, /* b */
|
0x39, 0x32, 0x84, 0xAA, 0xA0, 0xDA, 0x64, 0xBA,
|
||||||
0x05,0x6B,0xE3,0xF8,0x2D,0x19,0x18,0x1D,0x9C,0x6E,
|
/* p */
|
||||||
0xFE,0x81,0x41,0x12,0x03,0x14,0x08,0x8F,0x50,0x13,
|
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
0x87,0x5A,0xC6,0x56,0x39,0x8D,0x8A,0x2E,0xD1,0x9D,
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
0x2A,0x85,0xC8,0xED,0xD3,0xEC,0x2A,0xEF,
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
0xAA,0x87,0xCA,0x22,0xBE,0x8B,0x05,0x37,0x8E,0xB1, /* x */
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
0xC7,0x1E,0xF3,0x20,0xAD,0x74,0x6E,0x1D,0x3B,0x62,
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
0x8B,0xA7,0x9B,0x98,0x59,0xF7,0x41,0xE0,0x82,0x54,
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
0x2A,0x38,0x55,0x02,0xF2,0x5D,0xBF,0x55,0x29,0x6C,
|
/* a */
|
||||||
0x3A,0x54,0x5E,0x38,0x72,0x76,0x0A,0xB7,
|
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
0x36,0x17,0xde,0x4a,0x96,0x26,0x2c,0x6f,0x5d,0x9e, /* y */
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
0x98,0xbf,0x92,0x92,0xdc,0x29,0xf8,0xf4,0x1d,0xbd,
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
0x28,0x9a,0x14,0x7c,0xe9,0xda,0x31,0x13,0xb5,0xf0,
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
0xb8,0xc0,0x0a,0x60,0xb1,0xce,0x1d,0x7e,0x81,0x9d,
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
0x7a,0x43,0x1d,0x7c,0x90,0xea,0x0e,0x5f,
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */
|
/* b */
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
|
0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A,
|
||||||
0xFF,0xFF,0xFF,0xFF,0xC7,0x63,0x4D,0x81,0xF4,0x37,
|
0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3,
|
||||||
0x2D,0xDF,0x58,0x1A,0x0D,0xB2,0x48,0xB0,0xA7,0x7A,
|
0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19,
|
||||||
0xEC,0xEC,0x19,0x6A,0xCC,0xC5,0x29,0x73 }
|
0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1,
|
||||||
};
|
0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45,
|
||||||
|
0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00,
|
||||||
|
/* x */
|
||||||
|
0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E,
|
||||||
|
0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F,
|
||||||
|
0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B,
|
||||||
|
0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF,
|
||||||
|
0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E,
|
||||||
|
0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66,
|
||||||
|
/* y */
|
||||||
|
0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a,
|
||||||
|
0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b,
|
||||||
|
0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee,
|
||||||
|
0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad,
|
||||||
|
0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe,
|
||||||
|
0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
|
||||||
|
/* order */
|
||||||
|
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86,
|
||||||
|
0x87, 0x83, 0xBF, 0x2F, 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09,
|
||||||
|
0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F,
|
||||||
|
0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
static const struct { EC_CURVE_DATA h; unsigned char data[20+66*6]; }
|
static const struct {
|
||||||
_EC_NIST_PRIME_521 = {
|
EC_CURVE_DATA h;
|
||||||
{ NID_X9_62_prime_field,20,66,1 },
|
unsigned char data[20 + 32 * 6];
|
||||||
{ 0xD0,0x9E,0x88,0x00,0x29,0x1C,0xB8,0x53,0x96,0xCC, /* seed */
|
} _EC_X9_62_PRIME_256V1 = {
|
||||||
0x67,0x17,0x39,0x32,0x84,0xAA,0xA0,0xDA,0x64,0xBA,
|
{
|
||||||
|
NID_X9_62_prime_field, 20, 32, 1
|
||||||
0x01,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */
|
},
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
|
{
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
|
/* seed */
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
|
0xC4, 0x9D, 0x36, 0x08, 0x86, 0xE7, 0x04, 0x93, 0x6A, 0x66, 0x78, 0xE1,
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
|
0x13, 0x9D, 0x26, 0xB7, 0x81, 0x9F, 0x7E, 0x90,
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
|
/* p */
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
|
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
|
||||||
0x01,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* a */
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
|
/* a */
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
|
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFC,
|
/* b */
|
||||||
0x00,0x51,0x95,0x3E,0xB9,0x61,0x8E,0x1C,0x9A,0x1F, /* b */
|
0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55,
|
||||||
0x92,0x9A,0x21,0xA0,0xB6,0x85,0x40,0xEE,0xA2,0xDA,
|
0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6,
|
||||||
0x72,0x5B,0x99,0xB3,0x15,0xF3,0xB8,0xB4,0x89,0x91,
|
0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B,
|
||||||
0x8E,0xF1,0x09,0xE1,0x56,0x19,0x39,0x51,0xEC,0x7E,
|
/* x */
|
||||||
0x93,0x7B,0x16,0x52,0xC0,0xBD,0x3B,0xB1,0xBF,0x07,
|
0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5,
|
||||||
0x35,0x73,0xDF,0x88,0x3D,0x2C,0x34,0xF1,0xEF,0x45,
|
0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0,
|
||||||
0x1F,0xD4,0x6B,0x50,0x3F,0x00,
|
0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96,
|
||||||
0x00,0xC6,0x85,0x8E,0x06,0xB7,0x04,0x04,0xE9,0xCD, /* x */
|
/* y */
|
||||||
0x9E,0x3E,0xCB,0x66,0x23,0x95,0xB4,0x42,0x9C,0x64,
|
0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a,
|
||||||
0x81,0x39,0x05,0x3F,0xB5,0x21,0xF8,0x28,0xAF,0x60,
|
0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce,
|
||||||
0x6B,0x4D,0x3D,0xBA,0xA1,0x4B,0x5E,0x77,0xEF,0xE7,
|
0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,
|
||||||
0x59,0x28,0xFE,0x1D,0xC1,0x27,0xA2,0xFF,0xA8,0xDE,
|
/* order */
|
||||||
0x33,0x48,0xB3,0xC1,0x85,0x6A,0x42,0x9B,0xF9,0x7E,
|
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
0x7E,0x31,0xC2,0xE5,0xBD,0x66,
|
0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84,
|
||||||
0x01,0x18,0x39,0x29,0x6a,0x78,0x9a,0x3b,0xc0,0x04, /* y */
|
0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51
|
||||||
0x5c,0x8a,0x5f,0xb4,0x2c,0x7d,0x1b,0xd9,0x98,0xf5,
|
}
|
||||||
0x44,0x49,0x57,0x9b,0x44,0x68,0x17,0xaf,0xbd,0x17,
|
};
|
||||||
0x27,0x3e,0x66,0x2c,0x97,0xee,0x72,0x99,0x5e,0xf4,
|
|
||||||
0x26,0x40,0xc5,0x50,0xb9,0x01,0x3f,0xad,0x07,0x61,
|
|
||||||
0x35,0x3c,0x70,0x86,0xa2,0x72,0xc2,0x40,0x88,0xbe,
|
|
||||||
0x94,0x76,0x9f,0xd1,0x66,0x50,
|
|
||||||
0x01,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */
|
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
|
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
|
|
||||||
0xFF,0xFF,0xFF,0xFA,0x51,0x86,0x87,0x83,0xBF,0x2F,
|
|
||||||
0x96,0x6B,0x7F,0xCC,0x01,0x48,0xF7,0x09,0xA5,0xD0,
|
|
||||||
0x3B,0xB5,0xC9,0xB8,0x89,0x9C,0x47,0xAE,0xBB,0x6F,
|
|
||||||
0xB7,0x1E,0x91,0x38,0x64,0x09 }
|
|
||||||
};
|
|
||||||
|
|
||||||
static const struct { EC_CURVE_DATA h; unsigned char data[20+32*6]; }
|
|
||||||
_EC_X9_62_PRIME_256V1 = {
|
|
||||||
{ NID_X9_62_prime_field,20,32,1 },
|
|
||||||
{ 0xC4,0x9D,0x36,0x08,0x86,0xE7,0x04,0x93,0x6A,0x66, /* seed */
|
|
||||||
0x78,0xE1,0x13,0x9D,0x26,0xB7,0x81,0x9F,0x7E,0x90,
|
|
||||||
|
|
||||||
0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x01,0x00,0x00, /* p */
|
|
||||||
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
|
|
||||||
0xFF,0xFF,
|
|
||||||
0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x01,0x00,0x00, /* a */
|
|
||||||
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
|
|
||||||
0xFF,0xFC,
|
|
||||||
0x5A,0xC6,0x35,0xD8,0xAA,0x3A,0x93,0xE7,0xB3,0xEB, /* b */
|
|
||||||
0xBD,0x55,0x76,0x98,0x86,0xBC,0x65,0x1D,0x06,0xB0,
|
|
||||||
0xCC,0x53,0xB0,0xF6,0x3B,0xCE,0x3C,0x3E,0x27,0xD2,
|
|
||||||
0x60,0x4B,
|
|
||||||
0x6B,0x17,0xD1,0xF2,0xE1,0x2C,0x42,0x47,0xF8,0xBC, /* x */
|
|
||||||
0xE6,0xE5,0x63,0xA4,0x40,0xF2,0x77,0x03,0x7D,0x81,
|
|
||||||
0x2D,0xEB,0x33,0xA0,0xF4,0xA1,0x39,0x45,0xD8,0x98,
|
|
||||||
0xC2,0x96,
|
|
||||||
0x4f,0xe3,0x42,0xe2,0xfe,0x1a,0x7f,0x9b,0x8e,0xe7, /* y */
|
|
||||||
0xeb,0x4a,0x7c,0x0f,0x9e,0x16,0x2b,0xce,0x33,0x57,
|
|
||||||
0x6b,0x31,0x5e,0xce,0xcb,0xb6,0x40,0x68,0x37,0xbf,
|
|
||||||
0x51,0xf5,
|
|
||||||
0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0xFF,0xFF, /* order */
|
|
||||||
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xBC,0xE6,0xFA,0xAD,
|
|
||||||
0xA7,0x17,0x9E,0x84,0xF3,0xB9,0xCA,0xC2,0xFC,0x63,
|
|
||||||
0x25,0x51 }
|
|
||||||
};
|
|
||||||
|
|
||||||
typedef struct _ec_list_element_st {
|
typedef struct _ec_list_element_st {
|
||||||
int nid;
|
int nid;
|
||||||
const EC_CURVE_DATA *data;
|
const EC_CURVE_DATA *data;
|
||||||
const EC_METHOD *(*meth)(void);
|
const EC_METHOD *(*meth) (void);
|
||||||
const char *comment;
|
const char *comment;
|
||||||
} ec_list_element;
|
} ec_list_element;
|
||||||
|
|
||||||
static const ec_list_element curve_list[] = {
|
static const ec_list_element curve_list[] = {
|
||||||
/* prime field curves */
|
/* prime field curves */
|
||||||
/* secg curves */
|
/* secg curves */
|
||||||
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
|
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
|
||||||
{ NID_secp384r1, &_EC_NIST_PRIME_384.h, 0, "NIST/SECG curve over a 384 bit prime field" },
|
{NID_secp384r1, &_EC_NIST_PRIME_384.h, 0,
|
||||||
|
"NIST/SECG curve over a 384 bit prime field"},
|
||||||
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
||||||
{ NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method, "NIST/SECG curve over a 521 bit prime field" },
|
{NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method,
|
||||||
|
"NIST/SECG curve over a 521 bit prime field"},
|
||||||
#else
|
#else
|
||||||
{ NID_secp521r1, &_EC_NIST_PRIME_521.h, 0, "NIST/SECG curve over a 521 bit prime field" },
|
{NID_secp521r1, &_EC_NIST_PRIME_521.h, 0,
|
||||||
|
"NIST/SECG curve over a 521 bit prime field"},
|
||||||
#endif
|
#endif
|
||||||
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
/* X9.62 curves */
|
||||||
{ NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, EC_GFp_nistp256_method, "X9.62/SECG curve over a 256 bit prime field" },
|
{NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
|
||||||
|
#if defined(ECP_NISTZ256_ASM)
|
||||||
|
EC_GFp_nistz256_method,
|
||||||
|
#elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
||||||
|
EC_GFp_nistp256_method,
|
||||||
#else
|
#else
|
||||||
{ NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, 0, "X9.62/SECG curve over a 256 bit prime field" },
|
0,
|
||||||
#endif
|
#endif
|
||||||
|
"X9.62/SECG curve over a 256 bit prime field"},
|
||||||
};
|
};
|
||||||
|
|
||||||
#define curve_list_length (sizeof(curve_list)/sizeof(ec_list_element))
|
#define curve_list_length (sizeof(curve_list)/sizeof(ec_list_element))
|
||||||
|
|
||||||
static EC_GROUP *ec_group_new_from_data(const ec_list_element curve)
|
static EC_GROUP *ec_group_new_from_data(const ec_list_element curve)
|
||||||
{
|
{
|
||||||
EC_GROUP *group=NULL;
|
EC_GROUP *group = NULL;
|
||||||
EC_POINT *P=NULL;
|
EC_POINT *P = NULL;
|
||||||
BN_CTX *ctx=NULL;
|
BN_CTX *ctx = NULL;
|
||||||
BIGNUM *p=NULL, *a=NULL, *b=NULL, *x=NULL, *y=NULL, *order=NULL;
|
BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL, *order =
|
||||||
int ok=0;
|
NULL;
|
||||||
int seed_len,param_len;
|
int ok = 0;
|
||||||
const EC_METHOD *meth;
|
int seed_len, param_len;
|
||||||
const EC_CURVE_DATA *data;
|
const EC_METHOD *meth;
|
||||||
const unsigned char *params;
|
const EC_CURVE_DATA *data;
|
||||||
|
const unsigned char *params;
|
||||||
|
|
||||||
if ((ctx = BN_CTX_new()) == NULL)
|
if ((ctx = BN_CTX_new()) == NULL) {
|
||||||
{
|
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_MALLOC_FAILURE);
|
||||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_MALLOC_FAILURE);
|
goto err;
|
||||||
goto err;
|
}
|
||||||
}
|
|
||||||
|
|
||||||
data = curve.data;
|
data = curve.data;
|
||||||
seed_len = data->seed_len;
|
seed_len = data->seed_len;
|
||||||
param_len = data->param_len;
|
param_len = data->param_len;
|
||||||
params = (const unsigned char *)(data+1); /* skip header */
|
params = (const unsigned char *)(data + 1); /* skip header */
|
||||||
params += seed_len; /* skip seed */
|
params += seed_len; /* skip seed */
|
||||||
|
|
||||||
if (!(p = BN_bin2bn(params+0*param_len, param_len, NULL))
|
if (!(p = BN_bin2bn(params + 0 * param_len, param_len, NULL))
|
||||||
|| !(a = BN_bin2bn(params+1*param_len, param_len, NULL))
|
|| !(a = BN_bin2bn(params + 1 * param_len, param_len, NULL))
|
||||||
|| !(b = BN_bin2bn(params+2*param_len, param_len, NULL)))
|
|| !(b = BN_bin2bn(params + 2 * param_len, param_len, NULL))) {
|
||||||
{
|
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
|
||||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
|
goto err;
|
||||||
goto err;
|
}
|
||||||
}
|
|
||||||
|
|
||||||
if (curve.meth != 0)
|
if (curve.meth != 0) {
|
||||||
{
|
meth = curve.meth();
|
||||||
meth = curve.meth();
|
if (((group = EC_GROUP_new(meth)) == NULL) ||
|
||||||
if (((group = EC_GROUP_new(meth)) == NULL) ||
|
(!(group->meth->group_set_curve(group, p, a, b, ctx)))) {
|
||||||
(!(group->meth->group_set_curve(group, p, a, b, ctx))))
|
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
||||||
{
|
goto err;
|
||||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
}
|
||||||
goto err;
|
} else if (data->field_type == NID_X9_62_prime_field) {
|
||||||
}
|
if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL) {
|
||||||
}
|
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
||||||
else if (data->field_type == NID_X9_62_prime_field)
|
goto err;
|
||||||
{
|
}
|
||||||
if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL)
|
}
|
||||||
{
|
|
||||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
#ifndef OPENSSL_NO_EC2M
|
#ifndef OPENSSL_NO_EC2M
|
||||||
else /* field_type == NID_X9_62_characteristic_two_field */
|
else { /* field_type ==
|
||||||
{
|
* NID_X9_62_characteristic_two_field */
|
||||||
if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL)
|
|
||||||
{
|
if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL) {
|
||||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if ((P = EC_POINT_new(group)) == NULL)
|
if ((P = EC_POINT_new(group)) == NULL) {
|
||||||
{
|
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
||||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
goto err;
|
||||||
goto err;
|
}
|
||||||
}
|
|
||||||
|
|
||||||
if (!(x = BN_bin2bn(params+3*param_len, param_len, NULL))
|
if (!(x = BN_bin2bn(params + 3 * param_len, param_len, NULL))
|
||||||
|| !(y = BN_bin2bn(params+4*param_len, param_len, NULL)))
|
|| !(y = BN_bin2bn(params + 4 * param_len, param_len, NULL))) {
|
||||||
{
|
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
|
||||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
|
goto err;
|
||||||
goto err;
|
}
|
||||||
}
|
if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) {
|
||||||
if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx))
|
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
||||||
{
|
goto err;
|
||||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
}
|
||||||
goto err;
|
if (!(order = BN_bin2bn(params + 5 * param_len, param_len, NULL))
|
||||||
}
|
|| !BN_set_word(x, (BN_ULONG)data->cofactor)) {
|
||||||
if (!(order = BN_bin2bn(params+5*param_len, param_len, NULL))
|
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
|
||||||
|| !BN_set_word(x, (BN_ULONG)data->cofactor))
|
goto err;
|
||||||
{
|
}
|
||||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
|
if (!EC_GROUP_set_generator(group, P, order, x)) {
|
||||||
goto err;
|
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
||||||
}
|
goto err;
|
||||||
if (!EC_GROUP_set_generator(group, P, order, x))
|
}
|
||||||
{
|
if (seed_len) {
|
||||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
if (!EC_GROUP_set_seed(group, params - seed_len, seed_len)) {
|
||||||
goto err;
|
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
||||||
}
|
goto err;
|
||||||
if (seed_len)
|
}
|
||||||
{
|
}
|
||||||
if (!EC_GROUP_set_seed(group, params-seed_len, seed_len))
|
ok = 1;
|
||||||
{
|
err:
|
||||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
if (!ok) {
|
||||||
goto err;
|
EC_GROUP_free(group);
|
||||||
}
|
group = NULL;
|
||||||
}
|
}
|
||||||
ok=1;
|
if (P)
|
||||||
err:
|
EC_POINT_free(P);
|
||||||
if (!ok)
|
if (ctx)
|
||||||
{
|
BN_CTX_free(ctx);
|
||||||
EC_GROUP_free(group);
|
if (p)
|
||||||
group = NULL;
|
BN_free(p);
|
||||||
}
|
if (a)
|
||||||
if (P)
|
BN_free(a);
|
||||||
EC_POINT_free(P);
|
if (b)
|
||||||
if (ctx)
|
BN_free(b);
|
||||||
BN_CTX_free(ctx);
|
if (order)
|
||||||
if (p)
|
BN_free(order);
|
||||||
BN_free(p);
|
if (x)
|
||||||
if (a)
|
BN_free(x);
|
||||||
BN_free(a);
|
if (y)
|
||||||
if (b)
|
BN_free(y);
|
||||||
BN_free(b);
|
return group;
|
||||||
if (order)
|
}
|
||||||
BN_free(order);
|
|
||||||
if (x)
|
|
||||||
BN_free(x);
|
|
||||||
if (y)
|
|
||||||
BN_free(y);
|
|
||||||
return group;
|
|
||||||
}
|
|
||||||
|
|
||||||
EC_GROUP *EC_GROUP_new_by_curve_name(int nid)
|
EC_GROUP *EC_GROUP_new_by_curve_name(int nid)
|
||||||
{
|
{
|
||||||
size_t i;
|
size_t i;
|
||||||
EC_GROUP *ret = NULL;
|
EC_GROUP *ret = NULL;
|
||||||
|
|
||||||
if (nid <= 0)
|
if (nid <= 0)
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
for (i=0; i<curve_list_length; i++)
|
for (i = 0; i < curve_list_length; i++)
|
||||||
if (curve_list[i].nid == nid)
|
if (curve_list[i].nid == nid) {
|
||||||
{
|
ret = ec_group_new_from_data(curve_list[i]);
|
||||||
ret = ec_group_new_from_data(curve_list[i]);
|
break;
|
||||||
break;
|
}
|
||||||
}
|
|
||||||
|
|
||||||
if (ret == NULL)
|
if (ret == NULL) {
|
||||||
{
|
ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_UNKNOWN_GROUP);
|
||||||
ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_UNKNOWN_GROUP);
|
return NULL;
|
||||||
return NULL;
|
}
|
||||||
}
|
|
||||||
|
|
||||||
EC_GROUP_set_curve_name(ret, nid);
|
EC_GROUP_set_curve_name(ret, nid);
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
|
size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
|
||||||
{
|
{
|
||||||
size_t i, min;
|
size_t i, min;
|
||||||
|
|
||||||
if (r == NULL || nitems == 0)
|
if (r == NULL || nitems == 0)
|
||||||
return curve_list_length;
|
return curve_list_length;
|
||||||
|
|
||||||
min = nitems < curve_list_length ? nitems : curve_list_length;
|
min = nitems < curve_list_length ? nitems : curve_list_length;
|
||||||
|
|
||||||
for (i = 0; i < min; i++)
|
for (i = 0; i < min; i++) {
|
||||||
{
|
r[i].nid = curve_list[i].nid;
|
||||||
r[i].nid = curve_list[i].nid;
|
r[i].comment = curve_list[i].comment;
|
||||||
r[i].comment = curve_list[i].comment;
|
}
|
||||||
}
|
|
||||||
|
|
||||||
return curve_list_length;
|
return curve_list_length;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Functions to translate between common NIST curve names and NIDs */
|
||||||
|
|
||||||
|
typedef struct {
|
||||||
|
const char *name; /* NIST Name of curve */
|
||||||
|
int nid; /* Curve NID */
|
||||||
|
} EC_NIST_NAME;
|
||||||
|
|
||||||
|
static EC_NIST_NAME nist_curves[] = {
|
||||||
|
{"B-163", NID_sect163r2},
|
||||||
|
{"B-233", NID_sect233r1},
|
||||||
|
{"B-283", NID_sect283r1},
|
||||||
|
{"B-409", NID_sect409r1},
|
||||||
|
{"B-571", NID_sect571r1},
|
||||||
|
{"K-163", NID_sect163k1},
|
||||||
|
{"K-233", NID_sect233k1},
|
||||||
|
{"K-283", NID_sect283k1},
|
||||||
|
{"K-409", NID_sect409k1},
|
||||||
|
{"K-571", NID_sect571k1},
|
||||||
|
{"P-192", NID_X9_62_prime192v1},
|
||||||
|
{"P-224", NID_secp224r1},
|
||||||
|
{"P-256", NID_X9_62_prime256v1},
|
||||||
|
{"P-384", NID_secp384r1},
|
||||||
|
{"P-521", NID_secp521r1}
|
||||||
|
};
|
||||||
|
|
||||||
|
const char *EC_curve_nid2nist(int nid)
|
||||||
|
{
|
||||||
|
size_t i;
|
||||||
|
for (i = 0; i < sizeof(nist_curves) / sizeof(EC_NIST_NAME); i++) {
|
||||||
|
if (nist_curves[i].nid == nid)
|
||||||
|
return nist_curves[i].name;
|
||||||
|
}
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
int EC_curve_nist2nid(const char *name)
|
||||||
|
{
|
||||||
|
size_t i;
|
||||||
|
for (i = 0; i < sizeof(nist_curves) / sizeof(EC_NIST_NAME); i++) {
|
||||||
|
if (!strcmp(nist_curves[i].name, name))
|
||||||
|
return nist_curves[i].nid;
|
||||||
|
}
|
||||||
|
return NID_undef;
|
||||||
|
}
|
||||||
|
@ -31,7 +31,7 @@ for c in `find crypto/bn -name "*gf2m.c"`; do
|
|||||||
> $c
|
> $c
|
||||||
done
|
done
|
||||||
|
|
||||||
for c in `find crypto/ec -name "ec2*.c" -o -name "ec_curve.c" -o -name "ecp_nistp?2?.c" -o -name "ectest.c"`; do
|
for c in `find crypto/ec -name "ec2*.c" -o -name "ec_curve.c" -o -name "ecp_nistp22?.c" -o -name "ectest.c"`; do
|
||||||
echo Destroying $c
|
echo Destroying $c
|
||||||
> $c
|
> $c
|
||||||
done
|
done
|
||||||
|
@ -9,16 +9,15 @@
|
|||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <openssl/err.h>
|
#include <openssl/err.h>
|
||||||
#include <openssl/fips.h>
|
#include <openssl/fips.h>
|
||||||
@@ -54,9 +56,6 @@
|
@@ -54,8 +56,6 @@
|
||||||
#include <openssl/fips_rand.h>
|
#include <openssl/fips_rand.h>
|
||||||
#include "fips_locl.h"
|
#include "fips_locl.h"
|
||||||
|
|
||||||
-#ifdef OPENSSL_FIPS
|
-#ifdef OPENSSL_FIPS
|
||||||
-
|
-
|
||||||
-
|
typedef struct {
|
||||||
|
unsigned char DT[16];
|
||||||
typedef struct
|
unsigned char V[16];
|
||||||
{
|
|
||||||
--- openssl-1.0.1c/crypto/fips/fips_dsa_selftest.c.orig 2012-11-03 20:03:20.546180631 +0100
|
--- openssl-1.0.1c/crypto/fips/fips_dsa_selftest.c.orig 2012-11-03 20:03:20.546180631 +0100
|
||||||
+++ openssl-1.0.1c/crypto/fips/fips_dsa_selftest.c 2012-11-03 20:03:46.069328396 +0100
|
+++ openssl-1.0.1c/crypto/fips/fips_dsa_selftest.c 2012-11-03 20:03:46.069328396 +0100
|
||||||
@@ -47,6 +47,8 @@
|
@@ -47,6 +47,8 @@
|
||||||
@ -37,8 +36,8 @@
|
|||||||
-#ifdef OPENSSL_FIPS
|
-#ifdef OPENSSL_FIPS
|
||||||
-
|
-
|
||||||
static const unsigned char dsa_test_2048_p[] = {
|
static const unsigned char dsa_test_2048_p[] = {
|
||||||
0xa8,0x53,0x78,0xd8,0xfd,0x3f,0x8d,0x72,0xec,0x74,0x18,0x08,
|
0xa8, 0x53, 0x78, 0xd8, 0xfd, 0x3f, 0x8d, 0x72, 0xec, 0x74, 0x18, 0x08,
|
||||||
0x0d,0xa2,0x13,0x17,0xe4,0x3e,0xc4,0xb6,0x2b,0xa8,0xc8,0x62,
|
0x0d, 0xa2, 0x13, 0x17, 0xe4, 0x3e, 0xc4, 0xb6, 0x2b, 0xa8, 0xc8, 0x62,
|
||||||
--- openssl-1.0.1c/crypto/fips/fips_rand.c.orig 2012-11-03 20:07:49.956891942 +0100
|
--- openssl-1.0.1c/crypto/fips/fips_rand.c.orig 2012-11-03 20:07:49.956891942 +0100
|
||||||
+++ openssl-1.0.1c/crypto/fips/fips_rand.c 2012-11-03 20:08:14.260048118 +0100
|
+++ openssl-1.0.1c/crypto/fips/fips_rand.c 2012-11-03 20:08:14.260048118 +0100
|
||||||
@@ -47,6 +47,8 @@
|
@@ -47,6 +47,8 @@
|
||||||
@ -58,21 +57,21 @@
|
|||||||
-
|
-
|
||||||
void *OPENSSL_stderr(void);
|
void *OPENSSL_stderr(void);
|
||||||
|
|
||||||
#define AES_BLOCK_LENGTH 16
|
# define AES_BLOCK_LENGTH 16
|
||||||
--- openssl-1.0.1c/crypto/rand/md_rand.c.orig 2012-11-03 20:19:31.461754618 +0100
|
--- openssl-1.0.1c/crypto/rand/md_rand.c.orig 2012-11-03 20:19:31.461754618 +0100
|
||||||
+++ openssl-1.0.1c/crypto/rand/md_rand.c 2012-11-03 20:20:58.294282662 +0100
|
+++ openssl-1.0.1c/crypto/rand/md_rand.c 2012-11-03 20:20:58.294282662 +0100
|
||||||
@@ -392,7 +392,11 @@
|
@@ -394,7 +394,11 @@
|
||||||
/* always poll for external entropy in FIPS mode, drbg provides the
|
/* always poll for external entropy in FIPS mode, drbg provides the
|
||||||
* expansion
|
* expansion
|
||||||
*/
|
*/
|
||||||
+#ifdef OPENSSL_FIPS
|
+#ifdef OPENSSL_FIPS
|
||||||
if (!initialized || FIPS_module_mode())
|
if (!initialized || FIPS_module_mode()) {
|
||||||
+#else
|
+#else
|
||||||
+ if (!initialized)
|
+ if (!initialized) {
|
||||||
+#endif
|
+#endif
|
||||||
{
|
RAND_poll();
|
||||||
RAND_poll();
|
initialized = 1;
|
||||||
initialized = 1;
|
}
|
||||||
--- openssl-1.0.1c/crypto/opensslconf.h.in 2012-11-09 20:34:03.434391630 +0100
|
--- openssl-1.0.1c/crypto/opensslconf.h.in 2012-11-09 20:34:03.434391630 +0100
|
||||||
+++ openssl-1.0.1c/crypto/opensslconf.h.in.fips 2005-12-16 11:37:23.000000000 +0100
|
+++ openssl-1.0.1c/crypto/opensslconf.h.in.fips 2005-12-16 11:37:23.000000000 +0100
|
||||||
@@ -1,20 +1,5 @@
|
@@ -1,20 +1,5 @@
|
||||||
|
@ -23,7 +23,7 @@
|
|||||||
%global thread_test_threads %{?threads:%{threads}}%{!?threads:1}
|
%global thread_test_threads %{?threads:%{threads}}%{!?threads:1}
|
||||||
|
|
||||||
Name: mingw-openssl
|
Name: mingw-openssl
|
||||||
Version: 1.0.1j
|
Version: 1.0.2a
|
||||||
Release: 1%{?dist}
|
Release: 1%{?dist}
|
||||||
Summary: MinGW port of the OpenSSL toolkit
|
Summary: MinGW port of the OpenSSL toolkit
|
||||||
|
|
||||||
@ -48,61 +48,58 @@ Source12: ec_curve.c
|
|||||||
Source13: ectest.c
|
Source13: ectest.c
|
||||||
|
|
||||||
# Build changes
|
# Build changes
|
||||||
Patch1: openssl-1.0.1e-rpmbuild.patch
|
Patch1: openssl-1.0.2a-rpmbuild.patch
|
||||||
Patch2: openssl-1.0.1e-defaults.patch
|
Patch2: openssl-1.0.2a-defaults.patch
|
||||||
Patch4: openssl-1.0.0-beta5-enginesdir.patch
|
Patch4: openssl-1.0.2a-enginesdir.patch
|
||||||
Patch5: openssl-0.9.8a-no-rpath.patch
|
Patch5: openssl-1.0.2a-no-rpath.patch
|
||||||
Patch6: openssl-0.9.8b-test-use-localhost.patch
|
Patch6: openssl-1.0.2a-test-use-localhost.patch
|
||||||
Patch7: openssl-1.0.0-timezone.patch
|
Patch7: openssl-1.0.0-timezone.patch
|
||||||
Patch8: openssl-1.0.1c-perlfind.patch
|
Patch8: openssl-1.0.1c-perlfind.patch
|
||||||
Patch9: openssl-1.0.1c-aliasing.patch
|
Patch9: openssl-1.0.1c-aliasing.patch
|
||||||
# This patch must be applied first
|
|
||||||
Patch10: openssl-1.0.1i-ppc-asm-update.patch
|
|
||||||
# Bug fixes
|
# Bug fixes
|
||||||
Patch23: openssl-1.0.1c-default-paths.patch
|
Patch23: openssl-1.0.2a-default-paths.patch
|
||||||
Patch24: openssl-1.0.1e-issuer-hash.patch
|
Patch24: openssl-1.0.2a-issuer-hash.patch
|
||||||
# Functionality changes
|
# Functionality changes
|
||||||
Patch33: openssl-1.0.0-beta4-ca-dir.patch
|
Patch33: openssl-1.0.0-beta4-ca-dir.patch
|
||||||
Patch34: openssl-0.9.6-x509.patch
|
Patch34: openssl-1.0.2a-x509.patch
|
||||||
Patch35: openssl-0.9.8j-version-add-engines.patch
|
Patch35: openssl-1.0.2a-version-add-engines.patch
|
||||||
Patch39: openssl-1.0.1h-ipv6-apps.patch
|
Patch39: openssl-1.0.2a-ipv6-apps.patch
|
||||||
Patch40: openssl-1.0.1j-fips.patch
|
Patch40: openssl-1.0.2a-fips.patch
|
||||||
Patch45: openssl-1.0.1e-env-zlib.patch
|
Patch45: openssl-1.0.2a-env-zlib.patch
|
||||||
Patch47: openssl-1.0.0-beta5-readme-warning.patch
|
Patch47: openssl-1.0.2a-readme-warning.patch
|
||||||
Patch49: openssl-1.0.1i-algo-doc.patch
|
Patch49: openssl-1.0.1i-algo-doc.patch
|
||||||
Patch50: openssl-1.0.1-beta2-dtls1-abi.patch
|
Patch50: openssl-1.0.2a-dtls1-abi.patch
|
||||||
Patch51: openssl-1.0.1e-version.patch
|
Patch51: openssl-1.0.2a-version.patch
|
||||||
Patch56: openssl-1.0.0c-rsa-x931.patch
|
Patch56: openssl-1.0.2a-rsa-x931.patch
|
||||||
Patch58: openssl-1.0.1-beta2-fips-md5-allow.patch
|
Patch58: openssl-1.0.2a-fips-md5-allow.patch
|
||||||
Patch60: openssl-1.0.0d-apps-dgst.patch
|
Patch60: openssl-1.0.2a-apps-dgst.patch
|
||||||
Patch63: openssl-1.0.0d-xmpp-starttls.patch
|
Patch63: openssl-1.0.2a-xmpp-starttls.patch
|
||||||
Patch65: openssl-1.0.0e-chil-fixes.patch
|
Patch65: openssl-1.0.2a-chil-fixes.patch
|
||||||
Patch66: openssl-1.0.1-pkgconfig-krb5.patch
|
Patch66: openssl-1.0.2a-pkgconfig-krb5.patch
|
||||||
Patch68: openssl-1.0.1e-secure-getenv.patch
|
Patch68: openssl-1.0.2a-secure-getenv.patch
|
||||||
Patch69: openssl-1.0.1c-dh-1024.patch
|
Patch69: openssl-1.0.2a-dh-1024.patch
|
||||||
Patch70: openssl-1.0.1j-fips-ec.patch
|
Patch70: openssl-1.0.2a-fips-ec.patch
|
||||||
Patch71: openssl-1.0.1i-manfix.patch
|
Patch71: openssl-1.0.2a-manfix.patch
|
||||||
Patch72: openssl-1.0.1e-fips-ctor.patch
|
Patch72: openssl-1.0.2a-fips-ctor.patch
|
||||||
Patch73: openssl-1.0.1e-ecc-suiteb.patch
|
Patch73: openssl-1.0.2a-ecc-suiteb.patch
|
||||||
Patch74: openssl-1.0.1e-no-md5-verify.patch
|
Patch74: openssl-1.0.2a-no-md5-verify.patch
|
||||||
Patch75: openssl-1.0.1e-compat-symbols.patch
|
Patch75: openssl-1.0.2a-compat-symbols.patch
|
||||||
Patch76: openssl-1.0.1i-new-fips-reqs.patch
|
Patch76: openssl-1.0.2a-new-fips-reqs.patch
|
||||||
Patch77: openssl-1.0.1e-weak-ciphers.patch
|
Patch77: openssl-1.0.2a-weak-ciphers.patch
|
||||||
Patch90: openssl-1.0.1e-enc-fail.patch
|
Patch90: openssl-1.0.2a-enc-fail.patch
|
||||||
Patch92: openssl-1.0.1h-system-cipherlist.patch
|
Patch92: openssl-1.0.2a-system-cipherlist.patch
|
||||||
Patch93: openssl-1.0.1h-disable-sslv2v3.patch
|
Patch93: openssl-1.0.2a-disable-sslv2v3.patch
|
||||||
# Backported fixes including security fixes
|
# Backported fixes including security fixes
|
||||||
Patch80: openssl-1.0.1j-evp-wrap.patch
|
Patch80: openssl-1.0.2a-wrap-pad.patch
|
||||||
Patch81: openssl-1.0.1-beta2-padlock64.patch
|
Patch81: openssl-1.0.2a-padlock64.patch
|
||||||
Patch84: openssl-1.0.1i-trusted-first.patch
|
Patch84: openssl-1.0.2a-trusted-first-doc.patch
|
||||||
Patch85: openssl-1.0.1e-arm-use-elf-auxv-caps.patch
|
Patch87: openssl-1.0.2a-cc-reqs.patch
|
||||||
Patch89: openssl-1.0.1j-ephemeral-key-size.patch
|
|
||||||
|
|
||||||
# MinGW-specific patches.
|
# MinGW-specific patches.
|
||||||
# Rename *eay32.dll to lib*.dll
|
# Rename *eay32.dll to lib*.dll
|
||||||
Patch101: mingw32-openssl-1.0.0-beta3-libversion.patch
|
Patch101: mingw32-openssl-1.0.0-beta3-libversion.patch
|
||||||
# Fix engines/ install target after lib rename
|
# Fix engines/ install target after lib rename
|
||||||
Patch102: mingw32-openssl-1.0.0d-sfx.patch
|
Patch102: mingw32-openssl-1.0.2a-sfx.patch
|
||||||
# Some .c file contains in #include <dlfcn.h> while it
|
# Some .c file contains in #include <dlfcn.h> while it
|
||||||
# doesn't really use anything from that header
|
# doesn't really use anything from that header
|
||||||
Patch103: mingw-openssl-drop-unneeded-reference-to-dlfcn-h.patch
|
Patch103: mingw-openssl-drop-unneeded-reference-to-dlfcn-h.patch
|
||||||
@ -213,7 +210,6 @@ Static version of the MinGW port of the OpenSSL toolkit.
|
|||||||
|
|
||||||
cp %{SOURCE12} %{SOURCE13} crypto/ec/
|
cp %{SOURCE12} %{SOURCE13} crypto/ec/
|
||||||
|
|
||||||
%patch10 -p1 -b .ppc-asm
|
|
||||||
%patch1 -p1 -b .rpmbuild
|
%patch1 -p1 -b .rpmbuild
|
||||||
%patch2 -p1 -b .defaults
|
%patch2 -p1 -b .defaults
|
||||||
%patch4 -p1 -b .enginesdir %{?_rawbuild}
|
%patch4 -p1 -b .enginesdir %{?_rawbuild}
|
||||||
@ -259,8 +255,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
|
|||||||
%patch80 -p1 -b .wrap
|
%patch80 -p1 -b .wrap
|
||||||
%patch81 -p1 -b .padlock64
|
%patch81 -p1 -b .padlock64
|
||||||
%patch84 -p1 -b .trusted-first
|
%patch84 -p1 -b .trusted-first
|
||||||
%patch85 -p1 -b .armcap
|
%patch87 -p1 -b .cc-reqs
|
||||||
#patch89 -p1 -b .ephemeral
|
|
||||||
|
|
||||||
# MinGW specific patches
|
# MinGW specific patches
|
||||||
%patch101 -p1 -b .mingw-libversion
|
%patch101 -p1 -b .mingw-libversion
|
||||||
@ -506,6 +501,10 @@ mkdir -m700 $RPM_BUILD_ROOT%{mingw64_sysconfdir}/pki/CA/private
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Apr 24 2015 Erik van Pienbroek <epienbro@fedoraproject.org> - 1.0.2a-1
|
||||||
|
- Synced with native openssl-1.0.2a-1.fc23
|
||||||
|
- Fixes various CVE's (RHBZ #1203855 #1203856)
|
||||||
|
|
||||||
* Mon Dec 22 2014 Erik van Pienbroek <epienbro@fedoraproject.org> - 1.0.1j-1
|
* Mon Dec 22 2014 Erik van Pienbroek <epienbro@fedoraproject.org> - 1.0.1j-1
|
||||||
- Synced with native openssl-1.0.1j-3.fc22
|
- Synced with native openssl-1.0.1j-3.fc22
|
||||||
- Add support for RFC 5649
|
- Add support for RFC 5649
|
||||||
|
@ -1,15 +0,0 @@
|
|||||||
diff -up openssl-1.0.0d/engines/Makefile.mingw-sfx openssl-1.0.0d/engines/Makefile
|
|
||||||
--- openssl-1.0.0d/engines/Makefile.mingw-sfx 2011-04-23 13:04:15.452843560 +0300
|
|
||||||
+++ openssl-1.0.0d/engines/Makefile 2011-04-23 13:04:15.689846190 +0300
|
|
||||||
@@ -111,7 +111,10 @@ install:
|
|
||||||
for l in $(LIBNAMES); do \
|
|
||||||
( echo installing $$l; \
|
|
||||||
pfx=lib; \
|
|
||||||
- if [ "$(PLATFORM)" != "Cygwin" ]; then \
|
|
||||||
+ if [ "$(PLATFORM)" = "mingw" ]; then \
|
|
||||||
+ sfx=.dll; \
|
|
||||||
+ cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
|
|
||||||
+ elif [ "$(PLATFORM)" != "Cygwin" ]; then \
|
|
||||||
case "$(CFLAGS)" in \
|
|
||||||
*DSO_BEOS*) sfx=".so";; \
|
|
||||||
*DSO_DLFCN*) sfx=`expr "$(SHLIB_EXT)" : '.*\(\.[a-z][a-z]*\)' \| ".so"`;; \
|
|
14
mingw32-openssl-1.0.2a-sfx.patch
Normal file
14
mingw32-openssl-1.0.2a-sfx.patch
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
--- openssl-1.0.2a/engines/Makefile.enginesdir 2015-03-19 14:31:14.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/engines/Makefile 2015-04-24 18:27:12.875788913 +0200
|
||||||
|
@@ -111,7 +111,10 @@
|
||||||
|
for l in $(LIBNAMES); do \
|
||||||
|
( echo installing $$l; \
|
||||||
|
pfx=lib; \
|
||||||
|
- if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
|
||||||
|
+ if [ "$(PLATFORM)" = "mingw" ]; then \
|
||||||
|
+ sfx=.dll; \
|
||||||
|
+ cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
|
||||||
|
+ elif expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
|
||||||
|
sfx=".so"; \
|
||||||
|
cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
|
||||||
|
else \
|
@ -1,29 +0,0 @@
|
|||||||
Do not treat duplicate certs as an error.
|
|
||||||
|
|
||||||
--- openssl-0.9.6/crypto/x509/by_file.c Wed Sep 27 15:09:05 2000
|
|
||||||
+++ openssl-0.9.6/crypto/x509/by_file.c Wed Sep 27 14:21:20 2000
|
|
||||||
@@ -163,8 +163,12 @@
|
|
||||||
}
|
|
||||||
}
|
|
||||||
i=X509_STORE_add_cert(ctx->store_ctx,x);
|
|
||||||
- if (!i) goto err;
|
|
||||||
- count++;
|
|
||||||
+ /* ignore any problems with current certificate
|
|
||||||
+ and continue with the next one */
|
|
||||||
+ if (i)
|
|
||||||
+ count++;
|
|
||||||
+ else
|
|
||||||
+ ERR_clear_error();
|
|
||||||
X509_free(x);
|
|
||||||
x=NULL;
|
|
||||||
}
|
|
||||||
@@ -179,7 +183,8 @@
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
i=X509_STORE_add_cert(ctx->store_ctx,x);
|
|
||||||
- if (!i) goto err;
|
|
||||||
+ if (!i)
|
|
||||||
+ ERR_clear_error();
|
|
||||||
ret=i;
|
|
||||||
}
|
|
||||||
else
|
|
@ -1,24 +0,0 @@
|
|||||||
diff -up openssl-0.9.8b/ssl/ssltest.c.use-localhost openssl-0.9.8b/ssl/ssltest.c
|
|
||||||
--- openssl-0.9.8b/ssl/ssltest.c.use-localhost 2006-02-24 18:58:35.000000000 +0100
|
|
||||||
+++ openssl-0.9.8b/ssl/ssltest.c 2007-08-03 14:06:16.000000000 +0200
|
|
||||||
@@ -839,19 +839,8 @@ bad:
|
|
||||||
#ifndef OPENSSL_NO_KRB5
|
|
||||||
if (c_ssl && c_ssl->kssl_ctx)
|
|
||||||
{
|
|
||||||
- char localhost[MAXHOSTNAMELEN+2];
|
|
||||||
-
|
|
||||||
- if (gethostname(localhost, sizeof localhost-1) == 0)
|
|
||||||
- {
|
|
||||||
- localhost[sizeof localhost-1]='\0';
|
|
||||||
- if(strlen(localhost) == sizeof localhost-1)
|
|
||||||
- {
|
|
||||||
- BIO_printf(bio_err,"localhost name too long\n");
|
|
||||||
- goto end;
|
|
||||||
- }
|
|
||||||
kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
|
|
||||||
- localhost);
|
|
||||||
- }
|
|
||||||
+ "localhost");
|
|
||||||
}
|
|
||||||
#endif /* OPENSSL_NO_KRB5 */
|
|
||||||
|
|
@ -1,48 +0,0 @@
|
|||||||
diff -up openssl-0.9.8j/apps/version.c.version-add-engines openssl-0.9.8j/apps/version.c
|
|
||||||
--- openssl-0.9.8j/apps/version.c.version-add-engines 2008-10-20 14:53:33.000000000 +0200
|
|
||||||
+++ openssl-0.9.8j/apps/version.c 2009-01-13 23:22:03.000000000 +0100
|
|
||||||
@@ -131,6 +131,7 @@
|
|
||||||
#ifndef OPENSSL_NO_BF
|
|
||||||
# include <openssl/blowfish.h>
|
|
||||||
#endif
|
|
||||||
+#include <openssl/engine.h>
|
|
||||||
|
|
||||||
#undef PROG
|
|
||||||
#define PROG version_main
|
|
||||||
@@ -140,7 +141,7 @@ int MAIN(int, char **);
|
|
||||||
int MAIN(int argc, char **argv)
|
|
||||||
{
|
|
||||||
int i,ret=0;
|
|
||||||
- int cflags=0,version=0,date=0,options=0,platform=0,dir=0;
|
|
||||||
+ int cflags=0,version=0,date=0,options=0,platform=0,dir=0,engines=0;
|
|
||||||
|
|
||||||
apps_startup();
|
|
||||||
|
|
||||||
@@ -164,7 +165,7 @@ int MAIN(int argc, char **argv)
|
|
||||||
else if (strcmp(argv[i],"-d") == 0)
|
|
||||||
dir=1;
|
|
||||||
else if (strcmp(argv[i],"-a") == 0)
|
|
||||||
- date=version=cflags=options=platform=dir=1;
|
|
||||||
+ date=version=cflags=options=platform=dir=engines=1;
|
|
||||||
else
|
|
||||||
{
|
|
||||||
BIO_printf(bio_err,"usage:version -[avbofpd]\n");
|
|
||||||
@@ -211,6 +212,18 @@ int MAIN(int argc, char **argv)
|
|
||||||
}
|
|
||||||
if (cflags) printf("%s\n",SSLeay_version(SSLEAY_CFLAGS));
|
|
||||||
if (dir) printf("%s\n",SSLeay_version(SSLEAY_DIR));
|
|
||||||
+ if (engines)
|
|
||||||
+ {
|
|
||||||
+ ENGINE *e;
|
|
||||||
+ printf("engines: ");
|
|
||||||
+ e = ENGINE_get_first();
|
|
||||||
+ while (e)
|
|
||||||
+ {
|
|
||||||
+ printf("%s ", ENGINE_get_id(e));
|
|
||||||
+ e = ENGINE_get_next(e);
|
|
||||||
+ }
|
|
||||||
+ printf("\n");
|
|
||||||
+ }
|
|
||||||
end:
|
|
||||||
apps_shutdown();
|
|
||||||
OPENSSL_EXIT(ret);
|
|
@ -1,39 +0,0 @@
|
|||||||
diff -up openssl-1.0.0-beta5/README.warning openssl-1.0.0-beta5/README
|
|
||||||
--- openssl-1.0.0-beta5/README.warning 2010-01-20 16:00:47.000000000 +0100
|
|
||||||
+++ openssl-1.0.0-beta5/README 2010-01-21 09:06:11.000000000 +0100
|
|
||||||
@@ -5,6 +5,35 @@
|
|
||||||
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
|
||||||
All rights reserved.
|
|
||||||
|
|
||||||
+ WARNING
|
|
||||||
+ -------
|
|
||||||
+
|
|
||||||
+ This version of OpenSSL is built in a way that supports operation in
|
|
||||||
+ the so called FIPS mode. Note though that the library as we build it
|
|
||||||
+ is not FIPS validated and the FIPS mode is present for testing purposes
|
|
||||||
+ only.
|
|
||||||
+
|
|
||||||
+ This version also contains a few differences from the upstream code
|
|
||||||
+ some of which are:
|
|
||||||
+ * There are added changes forward ported from the upstream OpenSSL
|
|
||||||
+ 0.9.8 FIPS branch however the FIPS integrity verification check
|
|
||||||
+ is implemented differently from the upstream FIPS validated OpenSSL
|
|
||||||
+ module. It verifies HMAC-SHA256 checksum of the whole shared
|
|
||||||
+ libraries. For this reason the changes are ported to files in the
|
|
||||||
+ crypto directory and not in a separate fips subdirectory. Also
|
|
||||||
+ note that the FIPS integrity verification check requires unmodified
|
|
||||||
+ libcrypto and libssl shared library files which means that it will
|
|
||||||
+ fail if these files are modified for example by prelink.
|
|
||||||
+ * The module respects the kernel FIPS flag /proc/sys/crypto/fips and
|
|
||||||
+ tries to initialize the FIPS mode if it is set to 1 aborting if the
|
|
||||||
+ FIPS mode could not be initialized. It is also possible to force the
|
|
||||||
+ OpenSSL library to FIPS mode especially for debugging purposes by
|
|
||||||
+ setting the environment variable OPENSSL_FORCE_FIPS_MODE.
|
|
||||||
+ * If the environment variable OPENSSL_NO_DEFAULT_ZLIB is set the module
|
|
||||||
+ will not automatically load the built in compression method ZLIB
|
|
||||||
+ when initialized. Applications can still explicitely ask for ZLIB
|
|
||||||
+ compression method.
|
|
||||||
+
|
|
||||||
DESCRIPTION
|
|
||||||
-----------
|
|
||||||
|
|
@ -1,36 +0,0 @@
|
|||||||
diff -up openssl-1.0.0c/apps/genrsa.c.x931 openssl-1.0.0c/apps/genrsa.c
|
|
||||||
--- openssl-1.0.0c/apps/genrsa.c.x931 2010-03-01 15:22:02.000000000 +0100
|
|
||||||
+++ openssl-1.0.0c/apps/genrsa.c 2011-02-01 18:32:05.000000000 +0100
|
|
||||||
@@ -95,6 +95,7 @@ int MAIN(int argc, char **argv)
|
|
||||||
int ret=1;
|
|
||||||
int i,num=DEFBITS;
|
|
||||||
long l;
|
|
||||||
+ int use_x931 = 0;
|
|
||||||
const EVP_CIPHER *enc=NULL;
|
|
||||||
unsigned long f4=RSA_F4;
|
|
||||||
char *outfile=NULL;
|
|
||||||
@@ -138,6 +139,8 @@ int MAIN(int argc, char **argv)
|
|
||||||
f4=3;
|
|
||||||
else if (strcmp(*argv,"-F4") == 0 || strcmp(*argv,"-f4") == 0)
|
|
||||||
f4=RSA_F4;
|
|
||||||
+ else if (strcmp(*argv,"-x931") == 0)
|
|
||||||
+ use_x931 = 1;
|
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
else if (strcmp(*argv,"-engine") == 0)
|
|
||||||
{
|
|
||||||
@@ -273,7 +276,14 @@ bad:
|
|
||||||
if (!rsa)
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
- if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
|
|
||||||
+ if (use_x931)
|
|
||||||
+ {
|
|
||||||
+ if (!BN_set_word(bn, f4))
|
|
||||||
+ goto err;
|
|
||||||
+ if (!RSA_X931_generate_key_ex(rsa, num, bn, &cb))
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ else if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
app_RAND_write_file(NULL, bio_err);
|
|
@ -1,110 +0,0 @@
|
|||||||
diff -up openssl-1.0.0d/apps/ca.c.dgst openssl-1.0.0d/apps/ca.c
|
|
||||||
--- openssl-1.0.0d/apps/ca.c.dgst 2009-12-02 15:41:24.000000000 +0100
|
|
||||||
+++ openssl-1.0.0d/apps/ca.c 2011-04-05 21:09:42.000000000 +0200
|
|
||||||
@@ -157,7 +157,7 @@ static const char *ca_usage[]={
|
|
||||||
" -startdate YYMMDDHHMMSSZ - certificate validity notBefore\n",
|
|
||||||
" -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)\n",
|
|
||||||
" -days arg - number of days to certify the certificate for\n",
|
|
||||||
-" -md arg - md to use, one of md2, md5, sha or sha1\n",
|
|
||||||
+" -md arg - md to use, see openssl dgst -h for list\n",
|
|
||||||
" -policy arg - The CA 'policy' to support\n",
|
|
||||||
" -keyfile arg - private key file\n",
|
|
||||||
" -keyform arg - private key file format (PEM or ENGINE)\n",
|
|
||||||
diff -up openssl-1.0.0d/apps/enc.c.dgst openssl-1.0.0d/apps/enc.c
|
|
||||||
--- openssl-1.0.0d/apps/enc.c.dgst 2010-06-15 19:25:02.000000000 +0200
|
|
||||||
+++ openssl-1.0.0d/apps/enc.c 2011-04-05 21:11:54.000000000 +0200
|
|
||||||
@@ -302,7 +302,7 @@ bad:
|
|
||||||
BIO_printf(bio_err,"%-14s passphrase is the next argument\n","-k");
|
|
||||||
BIO_printf(bio_err,"%-14s passphrase is the first line of the file argument\n","-kfile");
|
|
||||||
BIO_printf(bio_err,"%-14s the next argument is the md to use to create a key\n","-md");
|
|
||||||
- BIO_printf(bio_err,"%-14s from a passphrase. One of md2, md5, sha or sha1\n","");
|
|
||||||
+ BIO_printf(bio_err,"%-14s from a passphrase. See openssl dgst -h for list.\n","");
|
|
||||||
BIO_printf(bio_err,"%-14s salt in hex is the next argument\n","-S");
|
|
||||||
BIO_printf(bio_err,"%-14s key/iv in hex is the next argument\n","-K/-iv");
|
|
||||||
BIO_printf(bio_err,"%-14s print the iv/key (then exit if -P)\n","-[pP]");
|
|
||||||
diff -up openssl-1.0.0d/apps/req.c.dgst openssl-1.0.0d/apps/req.c
|
|
||||||
--- openssl-1.0.0d/apps/req.c.dgst 2010-03-10 14:48:21.000000000 +0100
|
|
||||||
+++ openssl-1.0.0d/apps/req.c 2011-04-05 21:12:33.000000000 +0200
|
|
||||||
@@ -421,7 +421,7 @@ bad:
|
|
||||||
#ifndef OPENSSL_NO_ECDSA
|
|
||||||
BIO_printf(bio_err," -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n");
|
|
||||||
#endif
|
|
||||||
- BIO_printf(bio_err," -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
|
|
||||||
+ BIO_printf(bio_err," -[digest] Digest to sign with (see openssl dgst -h for list)\n");
|
|
||||||
BIO_printf(bio_err," -config file request template file.\n");
|
|
||||||
BIO_printf(bio_err," -subj arg set or modify request subject\n");
|
|
||||||
BIO_printf(bio_err," -multivalue-rdn enable support for multivalued RDNs\n");
|
|
||||||
diff -up openssl-1.0.0d/apps/ts.c.dgst openssl-1.0.0d/apps/ts.c
|
|
||||||
--- openssl-1.0.0d/apps/ts.c.dgst 2009-10-18 16:42:26.000000000 +0200
|
|
||||||
+++ openssl-1.0.0d/apps/ts.c 2011-04-05 21:16:07.000000000 +0200
|
|
||||||
@@ -368,7 +368,7 @@ int MAIN(int argc, char **argv)
|
|
||||||
BIO_printf(bio_err, "usage:\n"
|
|
||||||
"ts -query [-rand file%cfile%c...] [-config configfile] "
|
|
||||||
"[-data file_to_hash] [-digest digest_bytes]"
|
|
||||||
- "[-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160] "
|
|
||||||
+ "[-<hashalg>] "
|
|
||||||
"[-policy object_id] [-no_nonce] [-cert] "
|
|
||||||
"[-in request.tsq] [-out request.tsq] [-text]\n",
|
|
||||||
LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
|
|
||||||
diff -up openssl-1.0.0d/apps/x509.c.dgst openssl-1.0.0d/apps/x509.c
|
|
||||||
--- openssl-1.0.0d/apps/x509.c.dgst 2011-04-05 21:13:42.000000000 +0200
|
|
||||||
+++ openssl-1.0.0d/apps/x509.c 2011-04-05 21:13:17.000000000 +0200
|
|
||||||
@@ -141,7 +141,7 @@ static const char *x509_usage[]={
|
|
||||||
" -set_serial - serial number to use\n",
|
|
||||||
" -text - print the certificate in text form\n",
|
|
||||||
" -C - print out C code forms\n",
|
|
||||||
-" -md2/-md5/-sha1/-mdc2 - digest to use\n",
|
|
||||||
+" -<dgst> - digest to use, see openssl dgst -h output for list\n",
|
|
||||||
" -extfile - configuration file with X509V3 extensions to add\n",
|
|
||||||
" -extensions - section from config file with X509V3 extensions to add\n",
|
|
||||||
" -clrext - delete extensions before signing and input certificate\n",
|
|
||||||
diff -up openssl-1.0.0d/doc/apps/ca.pod.dgst openssl-1.0.0d/doc/apps/ca.pod
|
|
||||||
--- openssl-1.0.0d/doc/apps/ca.pod.dgst 2009-04-10 13:25:53.000000000 +0200
|
|
||||||
+++ openssl-1.0.0d/doc/apps/ca.pod 2011-04-05 21:16:39.000000000 +0200
|
|
||||||
@@ -160,7 +160,8 @@ the number of days to certify the certif
|
|
||||||
=item B<-md alg>
|
|
||||||
|
|
||||||
the message digest to use. Possible values include md5, sha1 and mdc2.
|
|
||||||
-This option also applies to CRLs.
|
|
||||||
+For full list of digests see openssl dgst -h output. This option also
|
|
||||||
+applies to CRLs.
|
|
||||||
|
|
||||||
=item B<-policy arg>
|
|
||||||
|
|
||||||
diff -up openssl-1.0.0d/doc/apps/ocsp.pod.dgst openssl-1.0.0d/doc/apps/ocsp.pod
|
|
||||||
--- openssl-1.0.0d/doc/apps/ocsp.pod.dgst 2008-02-25 19:11:47.000000000 +0100
|
|
||||||
+++ openssl-1.0.0d/doc/apps/ocsp.pod 2011-04-05 21:18:17.000000000 +0200
|
|
||||||
@@ -210,7 +210,8 @@ check is not performed.
|
|
||||||
=item B<-md5|-sha1|-sha256|-ripemod160|...>
|
|
||||||
|
|
||||||
this option sets digest algorithm to use for certificate identification
|
|
||||||
-in the OCSP request. By default SHA-1 is used.
|
|
||||||
+in the OCSP request. By default SHA-1 is used. See openssl dgst -h output for
|
|
||||||
+the list of available algorithms.
|
|
||||||
|
|
||||||
=back
|
|
||||||
|
|
||||||
diff -up openssl-1.0.0d/doc/apps/req.pod.dgst openssl-1.0.0d/doc/apps/req.pod
|
|
||||||
--- openssl-1.0.0d/doc/apps/req.pod.dgst 2009-04-10 18:42:28.000000000 +0200
|
|
||||||
+++ openssl-1.0.0d/doc/apps/req.pod 2011-04-05 21:20:47.000000000 +0200
|
|
||||||
@@ -201,7 +201,8 @@ will not be encrypted.
|
|
||||||
|
|
||||||
this specifies the message digest to sign the request with (such as
|
|
||||||
B<-md5>, B<-sha1>). This overrides the digest algorithm specified in
|
|
||||||
-the configuration file.
|
|
||||||
+the configuration file. For full list of possible digests see openssl
|
|
||||||
+dgst -h output.
|
|
||||||
|
|
||||||
Some public key algorithms may override this choice. For instance, DSA
|
|
||||||
signatures always use SHA1, GOST R 34.10 signatures always use
|
|
||||||
diff -up openssl-1.0.0d/doc/apps/x509.pod.dgst openssl-1.0.0d/doc/apps/x509.pod
|
|
||||||
--- openssl-1.0.0d/doc/apps/x509.pod.dgst 2010-01-12 18:27:11.000000000 +0100
|
|
||||||
+++ openssl-1.0.0d/doc/apps/x509.pod 2011-04-05 21:19:56.000000000 +0200
|
|
||||||
@@ -101,6 +101,7 @@ the digest to use. This affects any sign
|
|
||||||
digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not
|
|
||||||
specified then SHA1 is used. If the key being used to sign with is a DSA key
|
|
||||||
then this option has no effect: SHA1 is always used with DSA keys.
|
|
||||||
+For full list of digests see openssl dgst -h output.
|
|
||||||
|
|
||||||
=item B<-engine id>
|
|
||||||
|
|
@ -1,12 +0,0 @@
|
|||||||
diff -ru openssl-1.0.0d.old/apps/s_client.c openssl-1.0.0d/apps/s_client.c
|
|
||||||
--- openssl-1.0.0d.old/apps/s_client.c 2011-07-17 21:05:19.934181169 +0200
|
|
||||||
+++ openssl-1.0.0d/apps/s_client.c 2011-07-17 21:11:42.747824990 +0200
|
|
||||||
@@ -1186,7 +1186,7 @@
|
|
||||||
"xmlns='jabber:client' to='%s' version='1.0'>", host);
|
|
||||||
seen = BIO_read(sbio,mbuf,BUFSIZZ);
|
|
||||||
mbuf[seen] = 0;
|
|
||||||
- while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'"))
|
|
||||||
+ while (!strcasestr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") && !strcasestr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
|
|
||||||
{
|
|
||||||
if (strstr(mbuf, "/stream:features>"))
|
|
||||||
goto shut;
|
|
@ -1,24 +0,0 @@
|
|||||||
diff -up openssl-1.0.0e/engines/e_chil.c.chil openssl-1.0.0e/engines/e_chil.c
|
|
||||||
--- openssl-1.0.0e/engines/e_chil.c.chil 2010-06-15 19:25:12.000000000 +0200
|
|
||||||
+++ openssl-1.0.0e/engines/e_chil.c 2011-09-21 17:32:03.000000000 +0200
|
|
||||||
@@ -1261,6 +1261,11 @@ static int hwcrhk_insert_card(const char
|
|
||||||
UI *ui;
|
|
||||||
void *callback_data = NULL;
|
|
||||||
UI_METHOD *ui_method = NULL;
|
|
||||||
+ /* Despite what the documentation says prompt_info can be
|
|
||||||
+ * an empty string.
|
|
||||||
+ */
|
|
||||||
+ if (prompt_info && !*prompt_info)
|
|
||||||
+ prompt_info = NULL;
|
|
||||||
|
|
||||||
if (cactx)
|
|
||||||
{
|
|
||||||
@@ -1287,7 +1292,7 @@ static int hwcrhk_insert_card(const char
|
|
||||||
|
|
||||||
if (ui)
|
|
||||||
{
|
|
||||||
- char answer;
|
|
||||||
+ char answer = '\0';
|
|
||||||
char buf[BUFSIZ];
|
|
||||||
/* Despite what the documentation says wrong_info can be
|
|
||||||
* an empty string.
|
|
@ -1,23 +0,0 @@
|
|||||||
diff -up openssl-1.0.1-beta2/ssl/dtls1.h.dtls1-abi openssl-1.0.1-beta2/ssl/dtls1.h
|
|
||||||
--- openssl-1.0.1-beta2/ssl/dtls1.h.dtls1-abi 2012-02-06 17:07:34.630336118 +0100
|
|
||||||
+++ openssl-1.0.1-beta2/ssl/dtls1.h 2012-02-06 17:10:08.956623707 +0100
|
|
||||||
@@ -222,9 +222,6 @@ typedef struct dtls1_state_st
|
|
||||||
*/
|
|
||||||
record_pqueue buffered_app_data;
|
|
||||||
|
|
||||||
- /* Is set when listening for new connections with dtls1_listen() */
|
|
||||||
- unsigned int listen;
|
|
||||||
-
|
|
||||||
unsigned int mtu; /* max DTLS packet size */
|
|
||||||
|
|
||||||
struct hm_header_st w_msg_hdr;
|
|
||||||
@@ -248,6 +245,9 @@ typedef struct dtls1_state_st
|
|
||||||
unsigned int retransmitting;
|
|
||||||
unsigned int change_cipher_spec_ok;
|
|
||||||
|
|
||||||
+ /* Is set when listening for new connections with dtls1_listen() */
|
|
||||||
+ unsigned int listen;
|
|
||||||
+
|
|
||||||
#ifndef OPENSSL_NO_SCTP
|
|
||||||
/* used when SSL_ST_XX_FLUSH is entered */
|
|
||||||
int next_state;
|
|
@ -1,21 +0,0 @@
|
|||||||
diff -up openssl-1.0.1-beta2/crypto/md5/md5_dgst.c.md5-allow openssl-1.0.1-beta2/crypto/md5/md5_dgst.c
|
|
||||||
--- openssl-1.0.1-beta2/crypto/md5/md5_dgst.c.md5-allow 2012-02-06 20:09:56.000000000 +0100
|
|
||||||
+++ openssl-1.0.1-beta2/crypto/md5/md5_dgst.c 2012-02-06 20:14:02.332117603 +0100
|
|
||||||
@@ -71,7 +71,16 @@ const char MD5_version[]="MD5" OPENSSL_V
|
|
||||||
#define INIT_DATA_C (unsigned long)0x98badcfeL
|
|
||||||
#define INIT_DATA_D (unsigned long)0x10325476L
|
|
||||||
|
|
||||||
-nonfips_md_init(MD5)
|
|
||||||
+int MD5_Init(MD5_CTX *c)
|
|
||||||
+#ifdef OPENSSL_FIPS
|
|
||||||
+ {
|
|
||||||
+ if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
|
|
||||||
+ OpenSSLDie(__FILE__, __LINE__, \
|
|
||||||
+ "Digest MD5 forbidden in FIPS mode!");
|
|
||||||
+ return private_MD5_Init(c);
|
|
||||||
+ }
|
|
||||||
+int private_MD5_Init(MD5_CTX *c)
|
|
||||||
+#endif
|
|
||||||
{
|
|
||||||
memset (c,0,sizeof(*c));
|
|
||||||
c->A=INIT_DATA_A;
|
|
@ -1,193 +0,0 @@
|
|||||||
diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/engines/e_padlock.c
|
|
||||||
--- openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 2011-06-21 18:42:15.000000000 +0200
|
|
||||||
+++ openssl-1.0.1-beta2/engines/e_padlock.c 2012-02-06 20:18:52.039537799 +0100
|
|
||||||
@@ -101,7 +101,10 @@
|
|
||||||
compiler choice is limited to GCC and Microsoft C. */
|
|
||||||
#undef COMPILE_HW_PADLOCK
|
|
||||||
#if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
|
|
||||||
-# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \
|
|
||||||
+# if (defined(__GNUC__) && __GNUC__>=2 && \
|
|
||||||
+ (defined(__i386__) || defined(__i386) || \
|
|
||||||
+ defined(__x86_64__) || defined(__x86_64)) \
|
|
||||||
+ ) || \
|
|
||||||
(defined(_MSC_VER) && defined(_M_IX86))
|
|
||||||
# define COMPILE_HW_PADLOCK
|
|
||||||
# endif
|
|
||||||
@@ -137,7 +140,7 @@ void ENGINE_load_padlock (void)
|
|
||||||
# endif
|
|
||||||
#elif defined(__GNUC__)
|
|
||||||
# ifndef alloca
|
|
||||||
-# define alloca(s) __builtin_alloca(s)
|
|
||||||
+# define alloca(s) __builtin_alloca((s))
|
|
||||||
# endif
|
|
||||||
#endif
|
|
||||||
|
|
||||||
@@ -304,6 +307,7 @@ static volatile struct padlock_cipher_da
|
|
||||||
* =======================================================
|
|
||||||
*/
|
|
||||||
#if defined(__GNUC__) && __GNUC__>=2
|
|
||||||
+#if defined(__i386__) || defined(__i386)
|
|
||||||
/*
|
|
||||||
* As for excessive "push %ebx"/"pop %ebx" found all over.
|
|
||||||
* When generating position-independent code GCC won't let
|
|
||||||
@@ -383,21 +387,6 @@ padlock_available(void)
|
|
||||||
return padlock_use_ace + padlock_use_rng;
|
|
||||||
}
|
|
||||||
|
|
||||||
-#ifndef OPENSSL_NO_AES
|
|
||||||
-/* Our own htonl()/ntohl() */
|
|
||||||
-static inline void
|
|
||||||
-padlock_bswapl(AES_KEY *ks)
|
|
||||||
-{
|
|
||||||
- size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
|
|
||||||
- unsigned int *key = ks->rd_key;
|
|
||||||
-
|
|
||||||
- while (i--) {
|
|
||||||
- asm volatile ("bswapl %0" : "+r"(*key));
|
|
||||||
- key++;
|
|
||||||
- }
|
|
||||||
-}
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
/* Force key reload from memory to the CPU microcode.
|
|
||||||
Loading EFLAGS from the stack clears EFLAGS[30]
|
|
||||||
which does the trick. */
|
|
||||||
@@ -455,12 +444,127 @@ static inline void *name(size_t cnt, \
|
|
||||||
: "edx", "cc", "memory"); \
|
|
||||||
return iv; \
|
|
||||||
}
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#elif defined(__x86_64__) || defined(__x86_64)
|
|
||||||
+
|
|
||||||
+/* Load supported features of the CPU to see if
|
|
||||||
+ the PadLock is available. */
|
|
||||||
+static int
|
|
||||||
+padlock_available(void)
|
|
||||||
+{
|
|
||||||
+ char vendor_string[16];
|
|
||||||
+ unsigned int eax, edx;
|
|
||||||
|
|
||||||
+ /* Are we running on the Centaur (VIA) CPU? */
|
|
||||||
+ eax = 0x00000000;
|
|
||||||
+ vendor_string[12] = 0;
|
|
||||||
+ asm volatile (
|
|
||||||
+ "cpuid\n"
|
|
||||||
+ "movl %%ebx,(%1)\n"
|
|
||||||
+ "movl %%edx,4(%1)\n"
|
|
||||||
+ "movl %%ecx,8(%1)\n"
|
|
||||||
+ : "+a"(eax) : "r"(vendor_string) : "rbx", "rcx", "rdx");
|
|
||||||
+ if (strcmp(vendor_string, "CentaurHauls") != 0)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ /* Check for Centaur Extended Feature Flags presence */
|
|
||||||
+ eax = 0xC0000000;
|
|
||||||
+ asm volatile ("cpuid"
|
|
||||||
+ : "+a"(eax) : : "rbx", "rcx", "rdx");
|
|
||||||
+ if (eax < 0xC0000001)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ /* Read the Centaur Extended Feature Flags */
|
|
||||||
+ eax = 0xC0000001;
|
|
||||||
+ asm volatile ("cpuid"
|
|
||||||
+ : "+a"(eax), "=d"(edx) : : "rbx", "rcx");
|
|
||||||
+
|
|
||||||
+ /* Fill up some flags */
|
|
||||||
+ padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6));
|
|
||||||
+ padlock_use_rng = ((edx & (0x3<<2)) == (0x3<<2));
|
|
||||||
+
|
|
||||||
+ return padlock_use_ace + padlock_use_rng;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/* Force key reload from memory to the CPU microcode.
|
|
||||||
+ Loading EFLAGS from the stack clears EFLAGS[30]
|
|
||||||
+ which does the trick. */
|
|
||||||
+static inline void
|
|
||||||
+padlock_reload_key(void)
|
|
||||||
+{
|
|
||||||
+ asm volatile ("pushfq; popfq");
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#ifndef OPENSSL_NO_AES
|
|
||||||
+/*
|
|
||||||
+ * This is heuristic key context tracing. At first one
|
|
||||||
+ * believes that one should use atomic swap instructions,
|
|
||||||
+ * but it's not actually necessary. Point is that if
|
|
||||||
+ * padlock_saved_context was changed by another thread
|
|
||||||
+ * after we've read it and before we compare it with cdata,
|
|
||||||
+ * our key *shall* be reloaded upon thread context switch
|
|
||||||
+ * and we are therefore set in either case...
|
|
||||||
+ */
|
|
||||||
+static inline void
|
|
||||||
+padlock_verify_context(struct padlock_cipher_data *cdata)
|
|
||||||
+{
|
|
||||||
+ asm volatile (
|
|
||||||
+ "pushfq\n"
|
|
||||||
+" btl $30,(%%rsp)\n"
|
|
||||||
+" jnc 1f\n"
|
|
||||||
+" cmpq %2,%1\n"
|
|
||||||
+" je 1f\n"
|
|
||||||
+" popfq\n"
|
|
||||||
+" subq $8,%%rsp\n"
|
|
||||||
+"1: addq $8,%%rsp\n"
|
|
||||||
+" movq %2,%0"
|
|
||||||
+ :"+m"(padlock_saved_context)
|
|
||||||
+ : "r"(padlock_saved_context), "r"(cdata) : "cc");
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/* Template for padlock_xcrypt_* modes */
|
|
||||||
+/* BIG FAT WARNING:
|
|
||||||
+ * The offsets used with 'leal' instructions
|
|
||||||
+ * describe items of the 'padlock_cipher_data'
|
|
||||||
+ * structure.
|
|
||||||
+ */
|
|
||||||
+#define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \
|
|
||||||
+static inline void *name(size_t cnt, \
|
|
||||||
+ struct padlock_cipher_data *cdata, \
|
|
||||||
+ void *out, const void *inp) \
|
|
||||||
+{ void *iv; \
|
|
||||||
+ asm volatile ( "leaq 16(%0),%%rdx\n" \
|
|
||||||
+ " leaq 32(%0),%%rbx\n" \
|
|
||||||
+ rep_xcrypt "\n" \
|
|
||||||
+ : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
|
|
||||||
+ : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \
|
|
||||||
+ : "rbx", "rdx", "cc", "memory"); \
|
|
||||||
+ return iv; \
|
|
||||||
+}
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#endif /* cpu */
|
|
||||||
+
|
|
||||||
+#ifndef OPENSSL_NO_AES
|
|
||||||
/* Generate all functions with appropriate opcodes */
|
|
||||||
PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, ".byte 0xf3,0x0f,0xa7,0xc8") /* rep xcryptecb */
|
|
||||||
PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc, ".byte 0xf3,0x0f,0xa7,0xd0") /* rep xcryptcbc */
|
|
||||||
PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0") /* rep xcryptcfb */
|
|
||||||
PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8") /* rep xcryptofb */
|
|
||||||
+
|
|
||||||
+/* Our own htonl()/ntohl() */
|
|
||||||
+static inline void
|
|
||||||
+padlock_bswapl(AES_KEY *ks)
|
|
||||||
+{
|
|
||||||
+ size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
|
|
||||||
+ unsigned int *key = ks->rd_key;
|
|
||||||
+
|
|
||||||
+ while (i--) {
|
|
||||||
+ asm volatile ("bswapl %0" : "+r"(*key));
|
|
||||||
+ key++;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* The RNG call itself */
|
|
||||||
@@ -491,8 +595,8 @@ padlock_xstore(void *addr, unsigned int
|
|
||||||
static inline unsigned char *
|
|
||||||
padlock_memcpy(void *dst,const void *src,size_t n)
|
|
||||||
{
|
|
||||||
- long *d=dst;
|
|
||||||
- const long *s=src;
|
|
||||||
+ size_t *d=dst;
|
|
||||||
+ const size_t *s=src;
|
|
||||||
|
|
||||||
n /= sizeof(*d);
|
|
||||||
do { *d++ = *s++; } while (--n);
|
|
@ -1,30 +0,0 @@
|
|||||||
diff -up openssl-1.0.1/Makefile.org.krb5 openssl-1.0.1/Makefile.org
|
|
||||||
--- openssl-1.0.1/Makefile.org.krb5 2012-03-14 21:15:04.000000000 +0100
|
|
||||||
+++ openssl-1.0.1/Makefile.org 2012-04-11 16:28:31.254725422 +0200
|
|
||||||
@@ -370,7 +370,7 @@ libcrypto.pc: Makefile
|
|
||||||
echo 'Requires: '; \
|
|
||||||
echo 'Libs: -L$${libdir} -lcrypto'; \
|
|
||||||
echo 'Libs.private: $(EX_LIBS)'; \
|
|
||||||
- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
|
|
||||||
+ echo 'Cflags: -I$${includedir}' ) > libcrypto.pc
|
|
||||||
|
|
||||||
libssl.pc: Makefile
|
|
||||||
@ ( echo 'prefix=$(INSTALLTOP)'; \
|
|
||||||
@@ -383,7 +383,7 @@ libssl.pc: Makefile
|
|
||||||
echo 'Version: '$(VERSION); \
|
|
||||||
echo 'Requires: '; \
|
|
||||||
echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
|
|
||||||
- echo 'Libs.private: $(EX_LIBS)'; \
|
|
||||||
+ echo 'Libs.private: $(EX_LIBS) $(LIBKRB5)'; \
|
|
||||||
echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
|
|
||||||
|
|
||||||
openssl.pc: Makefile
|
|
||||||
@@ -397,7 +397,7 @@ openssl.pc: Makefile
|
|
||||||
echo 'Version: '$(VERSION); \
|
|
||||||
echo 'Requires: '; \
|
|
||||||
echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
|
|
||||||
- echo 'Libs.private: $(EX_LIBS)'; \
|
|
||||||
+ echo 'Libs.private: $(EX_LIBS) $(LIBKRB5)'; \
|
|
||||||
echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
|
|
||||||
|
|
||||||
Makefile: Makefile.org Configure config
|
|
@ -1,100 +0,0 @@
|
|||||||
diff -up openssl-1.0.1c/apps/s_client.c.default-paths openssl-1.0.1c/apps/s_client.c
|
|
||||||
--- openssl-1.0.1c/apps/s_client.c.default-paths 2012-03-18 19:16:05.000000000 +0100
|
|
||||||
+++ openssl-1.0.1c/apps/s_client.c 2012-12-06 18:24:06.425933203 +0100
|
|
||||||
@@ -1166,12 +1166,19 @@ bad:
|
|
||||||
if (!set_cert_key_stuff(ctx,cert,key))
|
|
||||||
goto end;
|
|
||||||
|
|
||||||
- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
|
|
||||||
- (!SSL_CTX_set_default_verify_paths(ctx)))
|
|
||||||
+ if (CAfile == NULL && CApath == NULL)
|
|
||||||
{
|
|
||||||
- /* BIO_printf(bio_err,"error setting default verify locations\n"); */
|
|
||||||
- ERR_print_errors(bio_err);
|
|
||||||
- /* goto end; */
|
|
||||||
+ if (!SSL_CTX_set_default_verify_paths(ctx))
|
|
||||||
+ {
|
|
||||||
+ ERR_print_errors(bio_err);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ {
|
|
||||||
+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
|
|
||||||
+ {
|
|
||||||
+ ERR_print_errors(bio_err);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_TLSEXT
|
|
||||||
diff -up openssl-1.0.1c/apps/s_server.c.default-paths openssl-1.0.1c/apps/s_server.c
|
|
||||||
--- openssl-1.0.1c/apps/s_server.c.default-paths 2012-03-18 19:16:05.000000000 +0100
|
|
||||||
+++ openssl-1.0.1c/apps/s_server.c 2012-12-06 18:25:11.199329611 +0100
|
|
||||||
@@ -1565,13 +1565,21 @@ bad:
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
|
|
||||||
- (!SSL_CTX_set_default_verify_paths(ctx)))
|
|
||||||
+ if (CAfile == NULL && CApath == NULL)
|
|
||||||
{
|
|
||||||
- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
|
|
||||||
- ERR_print_errors(bio_err);
|
|
||||||
- /* goto end; */
|
|
||||||
+ if (!SSL_CTX_set_default_verify_paths(ctx))
|
|
||||||
+ {
|
|
||||||
+ ERR_print_errors(bio_err);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ {
|
|
||||||
+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
|
|
||||||
+ {
|
|
||||||
+ ERR_print_errors(bio_err);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
+
|
|
||||||
if (vpm)
|
|
||||||
SSL_CTX_set1_param(ctx, vpm);
|
|
||||||
|
|
||||||
@@ -1622,8 +1630,11 @@ bad:
|
|
||||||
else
|
|
||||||
SSL_CTX_sess_set_cache_size(ctx2,128);
|
|
||||||
|
|
||||||
- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
|
|
||||||
- (!SSL_CTX_set_default_verify_paths(ctx2)))
|
|
||||||
+ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
|
|
||||||
+ {
|
|
||||||
+ ERR_print_errors(bio_err);
|
|
||||||
+ }
|
|
||||||
+ if (!SSL_CTX_set_default_verify_paths(ctx2))
|
|
||||||
{
|
|
||||||
ERR_print_errors(bio_err);
|
|
||||||
}
|
|
||||||
diff -up openssl-1.0.1c/apps/s_time.c.default-paths openssl-1.0.1c/apps/s_time.c
|
|
||||||
--- openssl-1.0.1c/apps/s_time.c.default-paths 2006-04-17 14:22:13.000000000 +0200
|
|
||||||
+++ openssl-1.0.1c/apps/s_time.c 2012-12-06 18:27:41.694574044 +0100
|
|
||||||
@@ -373,12 +373,19 @@ int MAIN(int argc, char **argv)
|
|
||||||
|
|
||||||
SSL_load_error_strings();
|
|
||||||
|
|
||||||
- if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ||
|
|
||||||
- (!SSL_CTX_set_default_verify_paths(tm_ctx)))
|
|
||||||
+ if (CAfile == NULL && CApath == NULL)
|
|
||||||
{
|
|
||||||
- /* BIO_printf(bio_err,"error setting default verify locations\n"); */
|
|
||||||
- ERR_print_errors(bio_err);
|
|
||||||
- /* goto end; */
|
|
||||||
+ if (!SSL_CTX_set_default_verify_paths(tm_ctx))
|
|
||||||
+ {
|
|
||||||
+ ERR_print_errors(bio_err);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ {
|
|
||||||
+ if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath))
|
|
||||||
+ {
|
|
||||||
+ ERR_print_errors(bio_err);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
if (tm_cipher == NULL)
|
|
@ -1,61 +0,0 @@
|
|||||||
diff -up openssl-1.0.1c/apps/s_server.c.dh1024 openssl-1.0.1c/apps/s_server.c
|
|
||||||
--- openssl-1.0.1c/apps/s_server.c.dh1024 2012-11-14 20:27:50.000000000 +0100
|
|
||||||
+++ openssl-1.0.1c/apps/s_server.c 2012-11-15 20:56:15.247774465 +0100
|
|
||||||
@@ -222,27 +222,31 @@ static void s_server_init(void);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_DH
|
|
||||||
-static unsigned char dh512_p[]={
|
|
||||||
- 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
|
|
||||||
- 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
|
|
||||||
- 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
|
|
||||||
- 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
|
|
||||||
- 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
|
|
||||||
- 0x47,0x74,0xE8,0x33,
|
|
||||||
- };
|
|
||||||
-static unsigned char dh512_g[]={
|
|
||||||
- 0x02,
|
|
||||||
- };
|
|
||||||
-
|
|
||||||
-static DH *get_dh512(void)
|
|
||||||
+static DH *get_dh1024()
|
|
||||||
{
|
|
||||||
- DH *dh=NULL;
|
|
||||||
+ static unsigned char dh1024_p[]={
|
|
||||||
+ 0x99,0x58,0xFA,0x90,0x53,0x2F,0xE0,0x61,0x83,0x9D,0x54,0x63,
|
|
||||||
+ 0xBD,0x35,0x5A,0x31,0xF3,0xC6,0x79,0xE5,0xA0,0x0F,0x66,0x79,
|
|
||||||
+ 0x3C,0xA0,0x7F,0xE8,0xA2,0x5F,0xDF,0x11,0x08,0xA3,0xF0,0x3C,
|
|
||||||
+ 0xC3,0x3C,0x5D,0x50,0x2C,0xD5,0xD6,0x58,0x12,0xDB,0xC1,0xEF,
|
|
||||||
+ 0xB4,0x47,0x4A,0x5A,0x39,0x8A,0x4E,0xEB,0x44,0xE2,0x07,0xFB,
|
|
||||||
+ 0x3D,0xA3,0xC7,0x6E,0x52,0xF3,0x2B,0x7B,0x10,0xA5,0x98,0xE3,
|
|
||||||
+ 0x38,0x2A,0xE2,0x7F,0xA4,0x8F,0x26,0x87,0x9B,0x66,0x7A,0xED,
|
|
||||||
+ 0x2D,0x4C,0xE7,0x33,0x77,0x47,0x94,0x43,0xB6,0xAA,0x97,0x23,
|
|
||||||
+ 0x8A,0xFC,0xA5,0xA6,0x64,0x09,0xC0,0x27,0xC0,0xEF,0xCB,0x05,
|
|
||||||
+ 0x90,0x9D,0xD5,0x75,0xBA,0x00,0xE0,0xFB,0xA8,0x81,0x52,0xA4,
|
|
||||||
+ 0xB2,0x83,0x22,0x5B,0xCB,0xD7,0x16,0x93,
|
|
||||||
+ };
|
|
||||||
+ static unsigned char dh1024_g[]={
|
|
||||||
+ 0x02,
|
|
||||||
+ };
|
|
||||||
+ DH *dh;
|
|
||||||
|
|
||||||
if ((dh=DH_new()) == NULL) return(NULL);
|
|
||||||
- dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
|
|
||||||
- dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
|
|
||||||
+ dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
|
|
||||||
+ dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
|
|
||||||
if ((dh->p == NULL) || (dh->g == NULL))
|
|
||||||
- return(NULL);
|
|
||||||
+ { DH_free(dh); return(NULL); }
|
|
||||||
return(dh);
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
@@ -1657,7 +1661,7 @@ bad:
|
|
||||||
else
|
|
||||||
{
|
|
||||||
BIO_printf(bio_s_out,"Using default temp DH parameters\n");
|
|
||||||
- dh=get_dh512();
|
|
||||||
+ dh=get_dh1024();
|
|
||||||
}
|
|
||||||
(void)BIO_flush(bio_s_out);
|
|
||||||
|
|
@ -1,93 +0,0 @@
|
|||||||
diff --git a/crypto/armcap.c b/crypto/armcap.c
|
|
||||||
index 5258d2f..efb4009 100644
|
|
||||||
--- a/crypto/armcap.c
|
|
||||||
+++ b/crypto/armcap.c
|
|
||||||
@@ -9,11 +9,6 @@
|
|
||||||
|
|
||||||
unsigned int OPENSSL_armcap_P;
|
|
||||||
|
|
||||||
-static sigset_t all_masked;
|
|
||||||
-
|
|
||||||
-static sigjmp_buf ill_jmp;
|
|
||||||
-static void ill_handler (int sig) { siglongjmp(ill_jmp,sig); }
|
|
||||||
-
|
|
||||||
/*
|
|
||||||
* Following subroutines could have been inlined, but it's not all
|
|
||||||
* ARM compilers support inline assembler...
|
|
||||||
@@ -29,24 +24,26 @@ unsigned int OPENSSL_rdtsc(void)
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
-#if defined(__GNUC__) && __GNUC__>=2
|
|
||||||
-void OPENSSL_cpuid_setup(void) __attribute__((constructor));
|
|
||||||
-#endif
|
|
||||||
-void OPENSSL_cpuid_setup(void)
|
|
||||||
+#if defined(__GLIBC__) && __GLIBC__>=2 && __GLIBC_MINOR__>=16
|
|
||||||
+#include <sys/auxv.h>
|
|
||||||
+
|
|
||||||
+void OPENSSL_cpuid_find(void)
|
|
||||||
+ {
|
|
||||||
+ unsigned long hwcap = getauxval(AT_HWCAP);
|
|
||||||
+ char *plat = (char *)getauxval(AT_PLATFORM);
|
|
||||||
+
|
|
||||||
+ OPENSSL_armcap_P |= hwcap & HWCAP_ARM_NEON ? ARMV7_NEON : 0;
|
|
||||||
+ OPENSSL_armcap_P |= plat ? (plat[1] == '7' ? ARMV7_TICK : 0) : 0;
|
|
||||||
+ }
|
|
||||||
+#else
|
|
||||||
+static sigset_t all_masked;
|
|
||||||
+static sigjmp_buf ill_jmp;
|
|
||||||
+static void ill_handler (int sig) { siglongjmp(ill_jmp,sig); }
|
|
||||||
+
|
|
||||||
+void OPENSSL_cpuid_find(void)
|
|
||||||
{
|
|
||||||
- char *e;
|
|
||||||
struct sigaction ill_oact,ill_act;
|
|
||||||
sigset_t oset;
|
|
||||||
- static int trigger=0;
|
|
||||||
-
|
|
||||||
- if (trigger) return;
|
|
||||||
- trigger=1;
|
|
||||||
-
|
|
||||||
- if ((e=getenv("OPENSSL_armcap")))
|
|
||||||
- {
|
|
||||||
- OPENSSL_armcap_P=strtoul(e,NULL,0);
|
|
||||||
- return;
|
|
||||||
- }
|
|
||||||
|
|
||||||
sigfillset(&all_masked);
|
|
||||||
sigdelset(&all_masked,SIGILL);
|
|
||||||
@@ -55,8 +52,6 @@ void OPENSSL_cpuid_setup(void)
|
|
||||||
sigdelset(&all_masked,SIGBUS);
|
|
||||||
sigdelset(&all_masked,SIGSEGV);
|
|
||||||
|
|
||||||
- OPENSSL_armcap_P = 0;
|
|
||||||
-
|
|
||||||
memset(&ill_act,0,sizeof(ill_act));
|
|
||||||
ill_act.sa_handler = ill_handler;
|
|
||||||
ill_act.sa_mask = all_masked;
|
|
||||||
@@ -78,3 +73,25 @@ void OPENSSL_cpuid_setup(void)
|
|
||||||
sigaction (SIGILL,&ill_oact,NULL);
|
|
||||||
sigprocmask(SIG_SETMASK,&oset,NULL);
|
|
||||||
}
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#if defined(__GNUC__) && __GNUC__>=2
|
|
||||||
+void OPENSSL_cpuid_setup(void) __attribute__((constructor));
|
|
||||||
+#endif
|
|
||||||
+void OPENSSL_cpuid_setup(void)
|
|
||||||
+ {
|
|
||||||
+ char *e;
|
|
||||||
+ static int trigger=0;
|
|
||||||
+
|
|
||||||
+ if (trigger) return;
|
|
||||||
+ trigger=1;
|
|
||||||
+
|
|
||||||
+ if ((e=getenv("OPENSSL_armcap")))
|
|
||||||
+ {
|
|
||||||
+ OPENSSL_armcap_P=strtoul(e,NULL,0);
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ OPENSSL_armcap_P = 0;
|
|
||||||
+ OPENSSL_cpuid_find();
|
|
||||||
+ }
|
|
@ -1,46 +0,0 @@
|
|||||||
diff -up openssl-1.0.1e/crypto/dsa/dsa_key.c.compat openssl-1.0.1e/crypto/dsa/dsa_key.c
|
|
||||||
--- openssl-1.0.1e/crypto/dsa/dsa_key.c.compat 2013-11-26 14:36:35.000000000 +0100
|
|
||||||
+++ openssl-1.0.1e/crypto/dsa/dsa_key.c 2013-12-11 16:34:58.638549687 +0100
|
|
||||||
@@ -68,6 +68,11 @@
|
|
||||||
#include <openssl/fips.h>
|
|
||||||
#include <openssl/evp.h>
|
|
||||||
|
|
||||||
+/* just a compatibility symbol - no-op */
|
|
||||||
+void FIPS_corrupt_dsa_keygen(void)
|
|
||||||
+ {
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
static int fips_check_dsa(DSA *dsa)
|
|
||||||
{
|
|
||||||
EVP_PKEY *pk;
|
|
||||||
diff -up openssl-1.0.1e/crypto/engine/eng_all.c.compat openssl-1.0.1e/crypto/engine/eng_all.c
|
|
||||||
--- openssl-1.0.1e/crypto/engine/eng_all.c.compat 2013-11-26 14:36:35.000000000 +0100
|
|
||||||
+++ openssl-1.0.1e/crypto/engine/eng_all.c 2013-12-11 16:32:13.512820424 +0100
|
|
||||||
@@ -62,6 +62,11 @@
|
|
||||||
#include <openssl/fips.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+/* just backwards compatibility symbol - no-op */
|
|
||||||
+void ENGINE_load_aesni (void)
|
|
||||||
+{
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
void ENGINE_load_builtin_engines(void)
|
|
||||||
{
|
|
||||||
/* Some ENGINEs need this */
|
|
||||||
diff -up openssl-1.0.1e/crypto/fips/fips.c.compat openssl-1.0.1e/crypto/fips/fips.c
|
|
||||||
--- openssl-1.0.1e/crypto/fips/fips.c.compat 2013-11-26 14:36:35.000000000 +0100
|
|
||||||
+++ openssl-1.0.1e/crypto/fips/fips.c 2013-12-11 16:38:52.524831858 +0100
|
|
||||||
@@ -111,6 +111,12 @@ int FIPS_module_mode(void)
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+/* just a compat symbol - return NULL */
|
|
||||||
+const void *FIPS_rand_check(void)
|
|
||||||
+ {
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
int FIPS_selftest_failed(void)
|
|
||||||
{
|
|
||||||
int ret = 0;
|
|
@ -1,124 +0,0 @@
|
|||||||
diff -up openssl-1.0.1e/apps/speed.c.suiteb openssl-1.0.1e/apps/speed.c
|
|
||||||
--- openssl-1.0.1e/apps/speed.c.suiteb 2013-11-08 18:02:53.815229706 +0100
|
|
||||||
+++ openssl-1.0.1e/apps/speed.c 2013-11-08 18:04:47.016724297 +0100
|
|
||||||
@@ -966,49 +966,23 @@ int MAIN(int argc, char **argv)
|
|
||||||
else
|
|
||||||
#endif
|
|
||||||
#ifndef OPENSSL_NO_ECDSA
|
|
||||||
- if (strcmp(*argv,"ecdsap160") == 0) ecdsa_doit[R_EC_P160]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdsap192") == 0) ecdsa_doit[R_EC_P192]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdsap224") == 0) ecdsa_doit[R_EC_P224]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdsap256") == 0) ecdsa_doit[R_EC_P256]=2;
|
|
||||||
+ if (strcmp(*argv,"ecdsap256") == 0) ecdsa_doit[R_EC_P256]=2;
|
|
||||||
else if (strcmp(*argv,"ecdsap384") == 0) ecdsa_doit[R_EC_P384]=2;
|
|
||||||
else if (strcmp(*argv,"ecdsap521") == 0) ecdsa_doit[R_EC_P521]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdsak163") == 0) ecdsa_doit[R_EC_K163]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdsak233") == 0) ecdsa_doit[R_EC_K233]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdsak283") == 0) ecdsa_doit[R_EC_K283]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdsak409") == 0) ecdsa_doit[R_EC_K409]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdsak571") == 0) ecdsa_doit[R_EC_K571]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdsab163") == 0) ecdsa_doit[R_EC_B163]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdsab233") == 0) ecdsa_doit[R_EC_B233]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdsab283") == 0) ecdsa_doit[R_EC_B283]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdsab409") == 0) ecdsa_doit[R_EC_B409]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdsab571") == 0) ecdsa_doit[R_EC_B571]=2;
|
|
||||||
else if (strcmp(*argv,"ecdsa") == 0)
|
|
||||||
{
|
|
||||||
- for (i=0; i < EC_NUM; i++)
|
|
||||||
+ for (i=R_EC_P256; i <= R_EC_P521; i++)
|
|
||||||
ecdsa_doit[i]=1;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
#endif
|
|
||||||
#ifndef OPENSSL_NO_ECDH
|
|
||||||
- if (strcmp(*argv,"ecdhp160") == 0) ecdh_doit[R_EC_P160]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdhp192") == 0) ecdh_doit[R_EC_P192]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdhp224") == 0) ecdh_doit[R_EC_P224]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdhp256") == 0) ecdh_doit[R_EC_P256]=2;
|
|
||||||
+ if (strcmp(*argv,"ecdhp256") == 0) ecdh_doit[R_EC_P256]=2;
|
|
||||||
else if (strcmp(*argv,"ecdhp384") == 0) ecdh_doit[R_EC_P384]=2;
|
|
||||||
else if (strcmp(*argv,"ecdhp521") == 0) ecdh_doit[R_EC_P521]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdhk163") == 0) ecdh_doit[R_EC_K163]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdhk233") == 0) ecdh_doit[R_EC_K233]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdhk283") == 0) ecdh_doit[R_EC_K283]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdhk409") == 0) ecdh_doit[R_EC_K409]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdhk571") == 0) ecdh_doit[R_EC_K571]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdhb163") == 0) ecdh_doit[R_EC_B163]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdhb233") == 0) ecdh_doit[R_EC_B233]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdhb283") == 0) ecdh_doit[R_EC_B283]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdhb409") == 0) ecdh_doit[R_EC_B409]=2;
|
|
||||||
- else if (strcmp(*argv,"ecdhb571") == 0) ecdh_doit[R_EC_B571]=2;
|
|
||||||
else if (strcmp(*argv,"ecdh") == 0)
|
|
||||||
{
|
|
||||||
- for (i=0; i < EC_NUM; i++)
|
|
||||||
+ for (i=R_EC_P256; i <= R_EC_P521; i++)
|
|
||||||
ecdh_doit[i]=1;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
@@ -1097,15 +1071,11 @@ int MAIN(int argc, char **argv)
|
|
||||||
BIO_printf(bio_err,"dsa512 dsa1024 dsa2048\n");
|
|
||||||
#endif
|
|
||||||
#ifndef OPENSSL_NO_ECDSA
|
|
||||||
- BIO_printf(bio_err,"ecdsap160 ecdsap192 ecdsap224 ecdsap256 ecdsap384 ecdsap521\n");
|
|
||||||
- BIO_printf(bio_err,"ecdsak163 ecdsak233 ecdsak283 ecdsak409 ecdsak571\n");
|
|
||||||
- BIO_printf(bio_err,"ecdsab163 ecdsab233 ecdsab283 ecdsab409 ecdsab571\n");
|
|
||||||
+ BIO_printf(bio_err,"ecdsap256 ecdsap384 ecdsap521\n");
|
|
||||||
BIO_printf(bio_err,"ecdsa\n");
|
|
||||||
#endif
|
|
||||||
#ifndef OPENSSL_NO_ECDH
|
|
||||||
- BIO_printf(bio_err,"ecdhp160 ecdhp192 ecdhp224 ecdhp256 ecdhp384 ecdhp521\n");
|
|
||||||
- BIO_printf(bio_err,"ecdhk163 ecdhk233 ecdhk283 ecdhk409 ecdhk571\n");
|
|
||||||
- BIO_printf(bio_err,"ecdhb163 ecdhb233 ecdhb283 ecdhb409 ecdhb571\n");
|
|
||||||
+ BIO_printf(bio_err,"ecdhp256 ecdhp384 ecdhp521\n");
|
|
||||||
BIO_printf(bio_err,"ecdh\n");
|
|
||||||
#endif
|
|
||||||
|
|
||||||
@@ -1184,11 +1154,11 @@ int MAIN(int argc, char **argv)
|
|
||||||
if (!FIPS_mode() || i != R_DSA_512)
|
|
||||||
dsa_doit[i]=1;
|
|
||||||
#ifndef OPENSSL_NO_ECDSA
|
|
||||||
- for (i=0; i<EC_NUM; i++)
|
|
||||||
+ for (i=R_EC_P256; i <= R_EC_P521; i++)
|
|
||||||
ecdsa_doit[i]=1;
|
|
||||||
#endif
|
|
||||||
#ifndef OPENSSL_NO_ECDH
|
|
||||||
- for (i=0; i<EC_NUM; i++)
|
|
||||||
+ for (i=R_EC_P256; i <= R_EC_P521; i++)
|
|
||||||
ecdh_doit[i]=1;
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
diff -up openssl-1.0.1e/ssl/t1_lib.c.suiteb openssl-1.0.1e/ssl/t1_lib.c
|
|
||||||
--- openssl-1.0.1e/ssl/t1_lib.c.suiteb 2013-02-11 16:26:04.000000000 +0100
|
|
||||||
+++ openssl-1.0.1e/ssl/t1_lib.c 2013-11-08 18:05:27.551617554 +0100
|
|
||||||
@@ -204,31 +204,9 @@ static int nid_list[] =
|
|
||||||
|
|
||||||
static int pref_list[] =
|
|
||||||
{
|
|
||||||
- NID_sect571r1, /* sect571r1 (14) */
|
|
||||||
- NID_sect571k1, /* sect571k1 (13) */
|
|
||||||
NID_secp521r1, /* secp521r1 (25) */
|
|
||||||
- NID_sect409k1, /* sect409k1 (11) */
|
|
||||||
- NID_sect409r1, /* sect409r1 (12) */
|
|
||||||
NID_secp384r1, /* secp384r1 (24) */
|
|
||||||
- NID_sect283k1, /* sect283k1 (9) */
|
|
||||||
- NID_sect283r1, /* sect283r1 (10) */
|
|
||||||
- NID_secp256k1, /* secp256k1 (22) */
|
|
||||||
NID_X9_62_prime256v1, /* secp256r1 (23) */
|
|
||||||
- NID_sect239k1, /* sect239k1 (8) */
|
|
||||||
- NID_sect233k1, /* sect233k1 (6) */
|
|
||||||
- NID_sect233r1, /* sect233r1 (7) */
|
|
||||||
- NID_secp224k1, /* secp224k1 (20) */
|
|
||||||
- NID_secp224r1, /* secp224r1 (21) */
|
|
||||||
- NID_sect193r1, /* sect193r1 (4) */
|
|
||||||
- NID_sect193r2, /* sect193r2 (5) */
|
|
||||||
- NID_secp192k1, /* secp192k1 (18) */
|
|
||||||
- NID_X9_62_prime192v1, /* secp192r1 (19) */
|
|
||||||
- NID_sect163k1, /* sect163k1 (1) */
|
|
||||||
- NID_sect163r1, /* sect163r1 (2) */
|
|
||||||
- NID_sect163r2, /* sect163r2 (3) */
|
|
||||||
- NID_secp160k1, /* secp160k1 (15) */
|
|
||||||
- NID_secp160r1, /* secp160r1 (16) */
|
|
||||||
- NID_secp160r2, /* secp160r2 (17) */
|
|
||||||
};
|
|
||||||
|
|
||||||
int tls1_ec_curve_id2nid(int curve_id)
|
|
@ -1,39 +0,0 @@
|
|||||||
diff -up openssl-1.0.1e/crypto/evp/bio_enc.c.enc-fail openssl-1.0.1e/crypto/evp/bio_enc.c
|
|
||||||
--- openssl-1.0.1e/crypto/evp/bio_enc.c.enc-fail 2013-02-11 16:26:04.000000000 +0100
|
|
||||||
+++ openssl-1.0.1e/crypto/evp/bio_enc.c 2014-03-04 15:21:12.185821738 +0100
|
|
||||||
@@ -198,10 +198,15 @@ static int enc_read(BIO *b, char *out, i
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
- EVP_CipherUpdate(&(ctx->cipher),
|
|
||||||
+ if (!EVP_CipherUpdate(&(ctx->cipher),
|
|
||||||
(unsigned char *)ctx->buf,&ctx->buf_len,
|
|
||||||
- (unsigned char *)&(ctx->buf[BUF_OFFSET]),i);
|
|
||||||
- ctx->cont=1;
|
|
||||||
+ (unsigned char *)&(ctx->buf[BUF_OFFSET]),i))
|
|
||||||
+ {
|
|
||||||
+ ctx->ok = 0;
|
|
||||||
+ ctx->cont = 0;
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ ctx->cont=1;
|
|
||||||
/* Note: it is possible for EVP_CipherUpdate to
|
|
||||||
* decrypt zero bytes because this is or looks like
|
|
||||||
* the final block: if this happens we should retry
|
|
||||||
@@ -257,9 +262,14 @@ static int enc_write(BIO *b, const char
|
|
||||||
while (inl > 0)
|
|
||||||
{
|
|
||||||
n=(inl > ENC_BLOCK_SIZE)?ENC_BLOCK_SIZE:inl;
|
|
||||||
- EVP_CipherUpdate(&(ctx->cipher),
|
|
||||||
+ if (!EVP_CipherUpdate(&(ctx->cipher),
|
|
||||||
(unsigned char *)ctx->buf,&ctx->buf_len,
|
|
||||||
- (unsigned char *)in,n);
|
|
||||||
+ (unsigned char *)in,n))
|
|
||||||
+ {
|
|
||||||
+ BIO_copy_next_retry(b);
|
|
||||||
+ ctx->ok = 0;
|
|
||||||
+ return ret - inl;
|
|
||||||
+ }
|
|
||||||
inl-=n;
|
|
||||||
in+=n;
|
|
||||||
|
|
@ -1,38 +0,0 @@
|
|||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod
|
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib 2013-02-11 16:02:48.000000000 +0100
|
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod 2013-02-19 16:32:51.000000000 +0100
|
|
||||||
@@ -47,6 +47,13 @@ Once the identities of the compression m
|
|
||||||
been standardized, the compression API will most likely be changed. Using
|
|
||||||
it in the current state is not recommended.
|
|
||||||
|
|
||||||
+It is also not recommended to use compression if data transfered contain
|
|
||||||
+untrusted parts that can be manipulated by an attacker as he could then
|
|
||||||
+get information about the encrypted data. See the CRIME attack. For
|
|
||||||
+that reason the default loading of the zlib compression method is
|
|
||||||
+disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB>
|
|
||||||
+is present during the library initialization.
|
|
||||||
+
|
|
||||||
=head1 RETURN VALUES
|
|
||||||
|
|
||||||
SSL_COMP_add_compression_method() may return the following values:
|
|
||||||
diff -up openssl-1.0.1e/ssl/ssl_ciph.c.env-zlib openssl-1.0.1e/ssl/ssl_ciph.c
|
|
||||||
--- openssl-1.0.1e/ssl/ssl_ciph.c.env-zlib 2013-02-11 16:26:04.000000000 +0100
|
|
||||||
+++ openssl-1.0.1e/ssl/ssl_ciph.c 2013-02-19 16:37:36.163545085 +0100
|
|
||||||
@@ -140,6 +140,8 @@
|
|
||||||
* OTHERWISE.
|
|
||||||
*/
|
|
||||||
|
|
||||||
+/* for secure_getenv */
|
|
||||||
+#define _GNU_SOURCE
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <openssl/objects.h>
|
|
||||||
#ifndef OPENSSL_NO_COMP
|
|
||||||
@@ -455,7 +457,7 @@ static void load_builtin_compressions(vo
|
|
||||||
|
|
||||||
MemCheck_off();
|
|
||||||
ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
|
|
||||||
- if (ssl_comp_methods != NULL)
|
|
||||||
+ if (ssl_comp_methods != NULL && secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL)
|
|
||||||
{
|
|
||||||
comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
|
|
||||||
if (comp != NULL)
|
|
@ -1,179 +0,0 @@
|
|||||||
diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-ctor openssl-1.0.1e/crypto/fips/fips.c
|
|
||||||
--- openssl-1.0.1e/crypto/fips/fips.c.fips-ctor 2013-09-26 13:52:30.767885457 +0200
|
|
||||||
+++ openssl-1.0.1e/crypto/fips/fips.c 2013-09-26 14:01:29.406010187 +0200
|
|
||||||
@@ -60,6 +60,8 @@
|
|
||||||
#include <dlfcn.h>
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
+#include <unistd.h>
|
|
||||||
+#include <errno.h>
|
|
||||||
#include "fips_locl.h"
|
|
||||||
|
|
||||||
#ifdef OPENSSL_FIPS
|
|
||||||
@@ -198,8 +200,10 @@ bin2hex(void *buf, size_t len)
|
|
||||||
return hex;
|
|
||||||
}
|
|
||||||
|
|
||||||
-#define HMAC_PREFIX "."
|
|
||||||
-#define HMAC_SUFFIX ".hmac"
|
|
||||||
+#define HMAC_PREFIX "."
|
|
||||||
+#ifndef HMAC_SUFFIX
|
|
||||||
+#define HMAC_SUFFIX ".hmac"
|
|
||||||
+#endif
|
|
||||||
#define READ_BUFFER_LENGTH 16384
|
|
||||||
|
|
||||||
static char *
|
|
||||||
@@ -279,19 +283,13 @@ end:
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
|
||||||
-FIPSCHECK_verify(const char *libname, const char *symbolname)
|
|
||||||
+FIPSCHECK_verify(const char *path)
|
|
||||||
{
|
|
||||||
- char path[PATH_MAX+1];
|
|
||||||
- int rv;
|
|
||||||
+ int rv = 0;
|
|
||||||
FILE *hf;
|
|
||||||
char *hmacpath, *p;
|
|
||||||
char *hmac = NULL;
|
|
||||||
size_t n;
|
|
||||||
-
|
|
||||||
- rv = get_library_path(libname, symbolname, path, sizeof(path));
|
|
||||||
-
|
|
||||||
- if (rv < 0)
|
|
||||||
- return 0;
|
|
||||||
|
|
||||||
hmacpath = make_hmac_path(path);
|
|
||||||
if (hmacpath == NULL)
|
|
||||||
@@ -341,6 +339,53 @@ end:
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int
|
|
||||||
+verify_checksums(void)
|
|
||||||
+ {
|
|
||||||
+ int rv;
|
|
||||||
+ char path[PATH_MAX+1];
|
|
||||||
+ char *p;
|
|
||||||
+
|
|
||||||
+ /* we need to avoid dlopening libssl, assume both libcrypto and libssl
|
|
||||||
+ are in the same directory */
|
|
||||||
+
|
|
||||||
+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path));
|
|
||||||
+ if (rv < 0)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ rv = FIPSCHECK_verify(path);
|
|
||||||
+ if (!rv)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ /* replace libcrypto with libssl */
|
|
||||||
+ while ((p = strstr(path, "libcrypto.so")) != NULL)
|
|
||||||
+ {
|
|
||||||
+ p = stpcpy(p, "libssl");
|
|
||||||
+ memmove(p, p+3, strlen(p+2));
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ rv = FIPSCHECK_verify(path);
|
|
||||||
+ if (!rv)
|
|
||||||
+ return 0;
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+#ifndef FIPS_MODULE_PATH
|
|
||||||
+#define FIPS_MODULE_PATH "/etc/system-fips"
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+int
|
|
||||||
+FIPS_module_installed(void)
|
|
||||||
+ {
|
|
||||||
+ int rv;
|
|
||||||
+ rv = access(FIPS_MODULE_PATH, F_OK);
|
|
||||||
+ if (rv < 0 && errno != ENOENT)
|
|
||||||
+ rv = 0;
|
|
||||||
+
|
|
||||||
+ /* Installed == true */
|
|
||||||
+ return !rv;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
int FIPS_module_mode_set(int onoff, const char *auth)
|
|
||||||
{
|
|
||||||
int ret = 0;
|
|
||||||
@@ -379,15 +424,7 @@ int FIPS_module_mode_set(int onoff, cons
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
- if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
|
|
||||||
- {
|
|
||||||
- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
|
|
||||||
- fips_selftest_fail = 1;
|
|
||||||
- ret = 0;
|
|
||||||
- goto end;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
|
|
||||||
+ if(!verify_checksums())
|
|
||||||
{
|
|
||||||
FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
|
|
||||||
fips_selftest_fail = 1;
|
|
||||||
diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-ctor openssl-1.0.1e/crypto/fips/fips.h
|
|
||||||
--- openssl-1.0.1e/crypto/fips/fips.h.fips-ctor 2013-09-26 13:52:30.814886515 +0200
|
|
||||||
+++ openssl-1.0.1e/crypto/fips/fips.h 2013-09-26 13:52:30.816886560 +0200
|
|
||||||
@@ -74,6 +74,7 @@ struct hmac_ctx_st;
|
|
||||||
|
|
||||||
int FIPS_module_mode_set(int onoff, const char *auth);
|
|
||||||
int FIPS_module_mode(void);
|
|
||||||
+int FIPS_module_installed(void);
|
|
||||||
const void *FIPS_rand_check(void);
|
|
||||||
int FIPS_selftest(void);
|
|
||||||
int FIPS_selftest_failed(void);
|
|
||||||
diff -up openssl-1.0.1e/crypto/o_init.c.fips-ctor openssl-1.0.1e/crypto/o_init.c
|
|
||||||
--- openssl-1.0.1e/crypto/o_init.c.fips-ctor 2013-09-26 13:52:30.807886357 +0200
|
|
||||||
+++ openssl-1.0.1e/crypto/o_init.c 2013-09-26 14:00:21.000000000 +0200
|
|
||||||
@@ -71,6 +71,9 @@ static void init_fips_mode(void)
|
|
||||||
char buf[2] = "0";
|
|
||||||
int fd;
|
|
||||||
|
|
||||||
+ /* Ensure the selftests always run */
|
|
||||||
+ FIPS_mode_set(1);
|
|
||||||
+
|
|
||||||
if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
|
|
||||||
{
|
|
||||||
buf[0] = '1';
|
|
||||||
@@ -85,9 +88,15 @@ static void init_fips_mode(void)
|
|
||||||
* otherwise.
|
|
||||||
*/
|
|
||||||
|
|
||||||
- if (buf[0] == '1')
|
|
||||||
+ if (buf[0] != '1')
|
|
||||||
+ {
|
|
||||||
+ /* drop down to non-FIPS mode if it is not requested */
|
|
||||||
+ FIPS_mode_set(0);
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
{
|
|
||||||
- FIPS_mode_set(1);
|
|
||||||
+ /* abort if selftest failed */
|
|
||||||
+ FIPS_selftest_check();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
@@ -96,13 +105,17 @@ static void init_fips_mode(void)
|
|
||||||
* Currently only sets FIPS callbacks
|
|
||||||
*/
|
|
||||||
|
|
||||||
-void OPENSSL_init_library(void)
|
|
||||||
+void __attribute__ ((constructor)) OPENSSL_init_library(void)
|
|
||||||
{
|
|
||||||
static int done = 0;
|
|
||||||
if (done)
|
|
||||||
return;
|
|
||||||
done = 1;
|
|
||||||
#ifdef OPENSSL_FIPS
|
|
||||||
+ if (!FIPS_module_installed())
|
|
||||||
+ {
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
RAND_init_fips();
|
|
||||||
init_fips_mode();
|
|
||||||
if (!FIPS_mode())
|
|
@ -1,11 +0,0 @@
|
|||||||
diff -up openssl-1.0.1e/crypto/x509/x509_cmp.c.issuer-hash openssl-1.0.1e/crypto/x509/x509_cmp.c
|
|
||||||
--- openssl-1.0.1e/crypto/x509/x509_cmp.c.issuer-hash 2013-02-11 16:26:04.000000000 +0100
|
|
||||||
+++ openssl-1.0.1e/crypto/x509/x509_cmp.c 2013-02-19 12:46:11.315788592 +0100
|
|
||||||
@@ -85,6 +85,7 @@ unsigned long X509_issuer_and_serial_has
|
|
||||||
char *f;
|
|
||||||
|
|
||||||
EVP_MD_CTX_init(&ctx);
|
|
||||||
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
|
||||||
f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
|
|
||||||
if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
|
|
||||||
goto err;
|
|
@ -1,25 +0,0 @@
|
|||||||
diff -up openssl-1.0.1e/crypto/asn1/a_verify.c.no-md5-verify openssl-1.0.1e/crypto/asn1/a_verify.c
|
|
||||||
--- openssl-1.0.1e/crypto/asn1/a_verify.c.no-md5-verify 2013-02-11 16:26:04.000000000 +0100
|
|
||||||
+++ openssl-1.0.1e/crypto/asn1/a_verify.c 2013-11-13 16:30:04.628791616 +0100
|
|
||||||
@@ -56,6 +56,9 @@
|
|
||||||
* [including the GNU Public Licence.]
|
|
||||||
*/
|
|
||||||
|
|
||||||
+/* for secure_getenv */
|
|
||||||
+#define _GNU_SOURCE
|
|
||||||
+
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <time.h>
|
|
||||||
|
|
||||||
@@ -171,6 +174,11 @@ int ASN1_item_verify(const ASN1_ITEM *it
|
|
||||||
goto err;
|
|
||||||
ret = -1;
|
|
||||||
}
|
|
||||||
+ else if (mdnid == NID_md5 && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL)
|
|
||||||
+ {
|
|
||||||
+ ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
else
|
|
||||||
{
|
|
||||||
const EVP_MD *type;
|
|
File diff suppressed because it is too large
Load Diff
@ -1,112 +0,0 @@
|
|||||||
diff -up openssl-1.0.1e/Configure.rpmbuild openssl-1.0.1e/Configure
|
|
||||||
--- openssl-1.0.1e/Configure.rpmbuild 2014-08-13 19:19:53.211005598 +0200
|
|
||||||
+++ openssl-1.0.1e/Configure 2014-08-13 19:29:21.704099285 +0200
|
|
||||||
@@ -345,24 +345,24 @@ my %table=(
|
|
||||||
####
|
|
||||||
# *-generic* is endian-neutral target, but ./config is free to
|
|
||||||
# throw in -D[BL]_ENDIAN, whichever appropriate...
|
|
||||||
-"linux-generic32","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
-"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
+"linux-generic32","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
|
||||||
+"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
|
||||||
# It's believed that majority of ARM toolchains predefine appropriate -march.
|
|
||||||
# If you compiler does not, do complement config command line with one!
|
|
||||||
-"linux-armv4", "gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
+"linux-armv4", "gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
|
||||||
#### IA-32 targets...
|
|
||||||
"linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
-"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
+"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
|
||||||
"linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
|
|
||||||
####
|
|
||||||
-"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
|
||||||
-"linux-ppc64le","gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
|
|
||||||
-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
+"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
|
||||||
+"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
|
||||||
+"linux-ppc64le","gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64le:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
|
||||||
+"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
|
||||||
"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
"linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
|
||||||
-"linux64-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
|
||||||
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
|
||||||
+"linux64-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
|
||||||
#### So called "highgprs" target for z/Architecture CPUs
|
|
||||||
# "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
|
|
||||||
# /proc/cpuinfo. The idea is to preserve most significant bits of
|
|
||||||
@@ -376,16 +376,17 @@ my %table=(
|
|
||||||
# ldconfig and run-time linker to autodiscover. Unfortunately it
|
|
||||||
# doesn't work just yet, because of couple of bugs in glibc
|
|
||||||
# sysdeps/s390/dl-procinfo.c affecting ldconfig and ld.so.1...
|
|
||||||
-"linux32-s390x", "gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/highgprs",
|
|
||||||
+"linux32-s390x", "gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::/highgprs",
|
|
||||||
#### SPARC Linux setups
|
|
||||||
# Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
|
|
||||||
# assisted with debugging of following two configs.
|
|
||||||
-"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
+"linux-sparcv8","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
|
||||||
# it's a real mess with -mcpu=ultrasparc option under Linux, but
|
|
||||||
# -Wa,-Av8plus should do the trick no matter what.
|
|
||||||
-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
+"linux-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
|
||||||
# GCC 3.1 is a requirement
|
|
||||||
-"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
|
||||||
+"linux64-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
|
||||||
+"linux-aarch64","gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
|
||||||
#### Alpha Linux with GNU C and Compaq C setups
|
|
||||||
# Special notes:
|
|
||||||
# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
|
|
||||||
@@ -399,8 +400,8 @@ my %table=(
|
|
||||||
#
|
|
||||||
# <appro@fy.chalmers.se>
|
|
||||||
#
|
|
||||||
-"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
-"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
+"linux-alpha-gcc","gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
|
||||||
+"linux-alpha+bwx-gcc","gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
|
||||||
"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
|
|
||||||
"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
|
|
||||||
|
|
||||||
@@ -1675,7 +1676,7 @@ while (<IN>)
|
|
||||||
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
|
|
||||||
{
|
|
||||||
my $sotmp = $1;
|
|
||||||
- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
|
|
||||||
+ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
|
|
||||||
}
|
|
||||||
elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
|
|
||||||
{
|
|
||||||
diff -up openssl-1.0.1e/Makefile.org.rpmbuild openssl-1.0.1e/Makefile.org
|
|
||||||
--- openssl-1.0.1e/Makefile.org.rpmbuild 2013-02-11 16:26:04.000000000 +0100
|
|
||||||
+++ openssl-1.0.1e/Makefile.org 2014-08-13 19:19:53.218005759 +0200
|
|
||||||
@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
|
|
||||||
SHLIB_MAJOR=
|
|
||||||
SHLIB_MINOR=
|
|
||||||
SHLIB_EXT=
|
|
||||||
+SHLIB_SONAMEVER=10
|
|
||||||
PLATFORM=dist
|
|
||||||
OPTIONS=
|
|
||||||
CONFIGURE_ARGS=
|
|
||||||
@@ -333,10 +334,9 @@ clean-shared:
|
|
||||||
link-shared:
|
|
||||||
@ set -e; for i in $(SHLIBDIRS); do \
|
|
||||||
$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
|
|
||||||
- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
|
|
||||||
+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
|
|
||||||
LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
|
|
||||||
symlink.$(SHLIB_TARGET); \
|
|
||||||
- libs="$$libs -l$$i"; \
|
|
||||||
done
|
|
||||||
|
|
||||||
build-shared: do_$(SHLIB_TARGET) link-shared
|
|
||||||
@@ -347,7 +347,7 @@ do_$(SHLIB_TARGET):
|
|
||||||
libs="$(LIBKRB5) $$libs"; \
|
|
||||||
fi; \
|
|
||||||
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
|
|
||||||
- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
|
|
||||||
+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
|
|
||||||
LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
|
|
||||||
LIBDEPS="$$libs $(EX_LIBS)" \
|
|
||||||
link_a.$(SHLIB_TARGET); \
|
|
@ -1,244 +0,0 @@
|
|||||||
diff -up openssl-1.0.1e/crypto/conf/conf_api.c.secure-getenv openssl-1.0.1e/crypto/conf/conf_api.c
|
|
||||||
--- openssl-1.0.1e/crypto/conf/conf_api.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
|
|
||||||
+++ openssl-1.0.1e/crypto/conf/conf_api.c 2013-02-19 13:02:02.531188124 +0100
|
|
||||||
@@ -63,6 +63,8 @@
|
|
||||||
# define NDEBUG
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+/* for secure_getenv */
|
|
||||||
+#define _GNU_SOURCE
|
|
||||||
#include <assert.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
#include <string.h>
|
|
||||||
@@ -142,7 +144,7 @@ char *_CONF_get_string(const CONF *conf,
|
|
||||||
if (v != NULL) return(v->value);
|
|
||||||
if (strcmp(section,"ENV") == 0)
|
|
||||||
{
|
|
||||||
- p=getenv(name);
|
|
||||||
+ p=secure_getenv(name);
|
|
||||||
if (p != NULL) return(p);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -155,7 +157,7 @@ char *_CONF_get_string(const CONF *conf,
|
|
||||||
return(NULL);
|
|
||||||
}
|
|
||||||
else
|
|
||||||
- return(getenv(name));
|
|
||||||
+ return (secure_getenv(name));
|
|
||||||
}
|
|
||||||
|
|
||||||
#if 0 /* There's no way to provide error checking with this function, so
|
|
||||||
diff -up openssl-1.0.1e/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.1e/crypto/conf/conf_mod.c
|
|
||||||
--- openssl-1.0.1e/crypto/conf/conf_mod.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
|
|
||||||
+++ openssl-1.0.1e/crypto/conf/conf_mod.c 2013-02-19 13:02:02.531188124 +0100
|
|
||||||
@@ -56,6 +56,8 @@
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
|
|
||||||
+/* for secure_getenv */
|
|
||||||
+#define _GNU_SOURCE
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <ctype.h>
|
|
||||||
#include <openssl/crypto.h>
|
|
||||||
@@ -548,8 +550,8 @@ char *CONF_get1_default_config_file(void
|
|
||||||
char *file;
|
|
||||||
int len;
|
|
||||||
|
|
||||||
- file = getenv("OPENSSL_CONF");
|
|
||||||
- if (file)
|
|
||||||
+ file = secure_getenv("OPENSSL_CONF");
|
|
||||||
+ if (file)
|
|
||||||
return BUF_strdup(file);
|
|
||||||
|
|
||||||
len = strlen(X509_get_default_cert_area());
|
|
||||||
diff -up openssl-1.0.1e/crypto/engine/eng_list.c.secure-getenv openssl-1.0.1e/crypto/engine/eng_list.c
|
|
||||||
--- openssl-1.0.1e/crypto/engine/eng_list.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
|
|
||||||
+++ openssl-1.0.1e/crypto/engine/eng_list.c 2013-02-19 13:02:02.536188233 +0100
|
|
||||||
@@ -61,6 +61,8 @@
|
|
||||||
* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
|
|
||||||
*/
|
|
||||||
|
|
||||||
+/* for secure_getenv */
|
|
||||||
+#define _GNU_SOURCE
|
|
||||||
#include "eng_int.h"
|
|
||||||
|
|
||||||
/* The linked-list of pointers to engine types. engine_list_head
|
|
||||||
@@ -399,9 +401,9 @@ ENGINE *ENGINE_by_id(const char *id)
|
|
||||||
if (strcmp(id, "dynamic"))
|
|
||||||
{
|
|
||||||
#ifdef OPENSSL_SYS_VMS
|
|
||||||
- if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]";
|
|
||||||
+ if(OPENSSL_issetugid() || (load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]";
|
|
||||||
#else
|
|
||||||
- if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR;
|
|
||||||
+ if((load_dir = secure_getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR;
|
|
||||||
#endif
|
|
||||||
iterator = ENGINE_by_id("dynamic");
|
|
||||||
if(!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
|
|
||||||
diff -up openssl-1.0.1e/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.1e/crypto/md5/md5_dgst.c
|
|
||||||
--- openssl-1.0.1e/crypto/md5/md5_dgst.c.secure-getenv 2013-02-19 13:02:02.492187275 +0100
|
|
||||||
+++ openssl-1.0.1e/crypto/md5/md5_dgst.c 2013-02-19 13:02:02.537188254 +0100
|
|
||||||
@@ -56,6 +56,8 @@
|
|
||||||
* [including the GNU Public Licence.]
|
|
||||||
*/
|
|
||||||
|
|
||||||
+/* for secure_getenv */
|
|
||||||
+#define _GNU_SOURCE
|
|
||||||
#include <stdio.h>
|
|
||||||
#include "md5_locl.h"
|
|
||||||
#include <openssl/opensslv.h>
|
|
||||||
@@ -74,7 +76,7 @@ const char MD5_version[]="MD5" OPENSSL_V
|
|
||||||
int MD5_Init(MD5_CTX *c)
|
|
||||||
#ifdef OPENSSL_FIPS
|
|
||||||
{
|
|
||||||
- if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
|
|
||||||
+ if (FIPS_mode() && secure_getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
|
|
||||||
OpenSSLDie(__FILE__, __LINE__, \
|
|
||||||
"Digest MD5 forbidden in FIPS mode!");
|
|
||||||
return private_MD5_Init(c);
|
|
||||||
diff -up openssl-1.0.1e/crypto/o_init.c.secure-getenv openssl-1.0.1e/crypto/o_init.c
|
|
||||||
--- openssl-1.0.1e/crypto/o_init.c.secure-getenv 2013-02-19 13:02:02.428185882 +0100
|
|
||||||
+++ openssl-1.0.1e/crypto/o_init.c 2013-02-19 13:02:02.538188276 +0100
|
|
||||||
@@ -52,6 +52,8 @@
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
|
|
||||||
+/* for secure_getenv */
|
|
||||||
+#define _GNU_SOURCE
|
|
||||||
#include <e_os.h>
|
|
||||||
#include <openssl/err.h>
|
|
||||||
#ifdef OPENSSL_FIPS
|
|
||||||
@@ -71,7 +73,7 @@ static void init_fips_mode(void)
|
|
||||||
char buf[2] = "0";
|
|
||||||
int fd;
|
|
||||||
|
|
||||||
- if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
|
|
||||||
+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
|
|
||||||
{
|
|
||||||
buf[0] = '1';
|
|
||||||
}
|
|
||||||
diff -up openssl-1.0.1e/crypto/rand/randfile.c.secure-getenv openssl-1.0.1e/crypto/rand/randfile.c
|
|
||||||
--- openssl-1.0.1e/crypto/rand/randfile.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
|
|
||||||
+++ openssl-1.0.1e/crypto/rand/randfile.c 2013-02-19 13:03:06.971591052 +0100
|
|
||||||
@@ -60,6 +60,8 @@
|
|
||||||
#if !defined(OPENSSL_SYS_VXWORKS)
|
|
||||||
#define _XOPEN_SOURCE 500
|
|
||||||
#endif
|
|
||||||
+/* for secure_getenv */
|
|
||||||
+#define _GNU_SOURCE
|
|
||||||
|
|
||||||
#include <errno.h>
|
|
||||||
#include <stdio.h>
|
|
||||||
@@ -277,8 +279,7 @@ const char *RAND_file_name(char *buf, si
|
|
||||||
struct stat sb;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
- if (OPENSSL_issetugid() == 0)
|
|
||||||
- s=getenv("RANDFILE");
|
|
||||||
+ s=secure_getenv("RANDFILE");
|
|
||||||
if (s != NULL && *s && strlen(s) + 1 < size)
|
|
||||||
{
|
|
||||||
if (BUF_strlcpy(buf,s,size) >= size)
|
|
||||||
@@ -286,8 +287,7 @@ const char *RAND_file_name(char *buf, si
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
- if (OPENSSL_issetugid() == 0)
|
|
||||||
- s=getenv("HOME");
|
|
||||||
+ s=secure_getenv("HOME");
|
|
||||||
#ifdef DEFAULT_HOME
|
|
||||||
if (s == NULL)
|
|
||||||
{
|
|
||||||
diff -up openssl-1.0.1e/crypto/x509/by_dir.c.secure-getenv openssl-1.0.1e/crypto/x509/by_dir.c
|
|
||||||
--- openssl-1.0.1e/crypto/x509/by_dir.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
|
|
||||||
+++ openssl-1.0.1e/crypto/x509/by_dir.c 2013-02-19 13:02:02.539188298 +0100
|
|
||||||
@@ -56,6 +56,8 @@
|
|
||||||
* [including the GNU Public Licence.]
|
|
||||||
*/
|
|
||||||
|
|
||||||
+/* for secure_getenv */
|
|
||||||
+#define _GNU_SOURCE
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <time.h>
|
|
||||||
#include <errno.h>
|
|
||||||
@@ -135,7 +137,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
|
|
||||||
case X509_L_ADD_DIR:
|
|
||||||
if (argl == X509_FILETYPE_DEFAULT)
|
|
||||||
{
|
|
||||||
- dir=(char *)getenv(X509_get_default_cert_dir_env());
|
|
||||||
+ dir=(char *)secure_getenv(X509_get_default_cert_dir_env());
|
|
||||||
if (dir)
|
|
||||||
ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
|
|
||||||
else
|
|
||||||
diff -up openssl-1.0.1e/crypto/x509/by_file.c.secure-getenv openssl-1.0.1e/crypto/x509/by_file.c
|
|
||||||
--- openssl-1.0.1e/crypto/x509/by_file.c.secure-getenv 2013-02-19 13:02:02.236181701 +0100
|
|
||||||
+++ openssl-1.0.1e/crypto/x509/by_file.c 2013-02-19 13:02:02.554188624 +0100
|
|
||||||
@@ -56,6 +56,8 @@
|
|
||||||
* [including the GNU Public Licence.]
|
|
||||||
*/
|
|
||||||
|
|
||||||
+/* for secure_getenv */
|
|
||||||
+#define _GNU_SOURCE
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <time.h>
|
|
||||||
#include <errno.h>
|
|
||||||
@@ -100,7 +102,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx
|
|
||||||
case X509_L_FILE_LOAD:
|
|
||||||
if (argl == X509_FILETYPE_DEFAULT)
|
|
||||||
{
|
|
||||||
- file = (char *)getenv(X509_get_default_cert_file_env());
|
|
||||||
+ file = (char *)secure_getenv(X509_get_default_cert_file_env());
|
|
||||||
if (file)
|
|
||||||
ok = (X509_load_cert_crl_file(ctx,file,
|
|
||||||
X509_FILETYPE_PEM) != 0);
|
|
||||||
diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.1e/crypto/x509/x509_vfy.c
|
|
||||||
--- openssl-1.0.1e/crypto/x509/x509_vfy.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
|
|
||||||
+++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2013-02-19 13:02:02.556188668 +0100
|
|
||||||
@@ -56,6 +56,8 @@
|
|
||||||
* [including the GNU Public Licence.]
|
|
||||||
*/
|
|
||||||
|
|
||||||
+/* for secure_getenv */
|
|
||||||
+#define _GNU_SOURCE
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <time.h>
|
|
||||||
#include <errno.h>
|
|
||||||
@@ -481,7 +483,7 @@ static int check_chain_extensions(X509_S
|
|
||||||
!!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
|
|
||||||
/* A hack to keep people who don't want to modify their
|
|
||||||
software happy */
|
|
||||||
- if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
|
|
||||||
+ if (secure_getenv("OPENSSL_ALLOW_PROXY_CERTS"))
|
|
||||||
allow_proxy_certs = 1;
|
|
||||||
purpose = ctx->param->purpose;
|
|
||||||
}
|
|
||||||
diff -up openssl-1.0.1e/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.1e/engines/ccgost/gost_ctl.c
|
|
||||||
--- openssl-1.0.1e/engines/ccgost/gost_ctl.c.secure-getenv 2013-02-11 16:26:04.000000000 +0100
|
|
||||||
+++ openssl-1.0.1e/engines/ccgost/gost_ctl.c 2013-02-19 13:02:02.557188690 +0100
|
|
||||||
@@ -6,6 +6,8 @@
|
|
||||||
* Implementation of control commands for GOST engine *
|
|
||||||
* OpenSSL 0.9.9 libraries required *
|
|
||||||
**********************************************************************/
|
|
||||||
+/* for secure_getenv */
|
|
||||||
+#define _GNU_SOURCE
|
|
||||||
#include <stdlib.h>
|
|
||||||
#include <string.h>
|
|
||||||
#include <openssl/crypto.h>
|
|
||||||
@@ -65,7 +67,7 @@ const char *get_gost_engine_param(int pa
|
|
||||||
{
|
|
||||||
return gost_params[param];
|
|
||||||
}
|
|
||||||
- tmp = getenv(gost_envnames[param]);
|
|
||||||
+ tmp = secure_getenv(gost_envnames[param]);
|
|
||||||
if (tmp)
|
|
||||||
{
|
|
||||||
if (gost_params[param]) OPENSSL_free(gost_params[param]);
|
|
||||||
@@ -79,7 +81,7 @@ int gost_set_default_param(int param, co
|
|
||||||
{
|
|
||||||
const char *tmp;
|
|
||||||
if (param <0 || param >GOST_PARAM_MAX) return 0;
|
|
||||||
- tmp = getenv(gost_envnames[param]);
|
|
||||||
+ tmp = secure_getenv(gost_envnames[param]);
|
|
||||||
/* if there is value in the environment, use it, else -passed string * */
|
|
||||||
if (!tmp) tmp=value;
|
|
||||||
if (gost_params[param]) OPENSSL_free(gost_params[param]);
|
|
@ -1,63 +0,0 @@
|
|||||||
diff -up openssl-1.0.1e/crypto/cversion.c.version openssl-1.0.1e/crypto/cversion.c
|
|
||||||
--- openssl-1.0.1e/crypto/cversion.c.version 2013-02-11 16:02:47.000000000 +0100
|
|
||||||
+++ openssl-1.0.1e/crypto/cversion.c 2013-07-26 12:28:12.739161925 +0200
|
|
||||||
@@ -62,7 +62,7 @@
|
|
||||||
#include "buildinf.h"
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-const char *SSLeay_version(int t)
|
|
||||||
+const char *_current_SSLeay_version(int t)
|
|
||||||
{
|
|
||||||
if (t == SSLEAY_VERSION)
|
|
||||||
return OPENSSL_VERSION_TEXT;
|
|
||||||
@@ -110,8 +110,25 @@ const char *SSLeay_version(int t)
|
|
||||||
return("not available");
|
|
||||||
}
|
|
||||||
|
|
||||||
-unsigned long SSLeay(void)
|
|
||||||
+const char *_original_SSLeay_version(int t)
|
|
||||||
+ {
|
|
||||||
+ if (t == SSLEAY_VERSION)
|
|
||||||
+ return "OpenSSL 1.0.0-fips 29 Mar 2010";
|
|
||||||
+ else
|
|
||||||
+ return _current_SSLeay_version(t);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+unsigned long _original_SSLeay(void)
|
|
||||||
+ {
|
|
||||||
+ return(0x10000003);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+unsigned long _current_SSLeay(void)
|
|
||||||
{
|
|
||||||
return(SSLEAY_VERSION_NUMBER);
|
|
||||||
}
|
|
||||||
|
|
||||||
+__asm__(".symver _original_SSLeay,SSLeay@");
|
|
||||||
+__asm__(".symver _original_SSLeay_version,SSLeay_version@");
|
|
||||||
+__asm__(".symver _current_SSLeay,SSLeay@@OPENSSL_1.0.1");
|
|
||||||
+__asm__(".symver _current_SSLeay_version,SSLeay_version@@OPENSSL_1.0.1");
|
|
||||||
diff -up openssl-1.0.1e/Makefile.shared.version openssl-1.0.1e/Makefile.shared
|
|
||||||
--- openssl-1.0.1e/Makefile.shared.version 2013-07-26 12:23:43.615545603 +0200
|
|
||||||
+++ openssl-1.0.1e/Makefile.shared 2013-07-26 12:23:43.701547398 +0200
|
|
||||||
@@ -151,7 +151,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
|
|
||||||
SHLIB_SUFFIX=; \
|
|
||||||
ALLSYMSFLAGS='-Wl,--whole-archive'; \
|
|
||||||
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
|
|
||||||
- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
|
|
||||||
+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,--default-symver,--version-script=version.map -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
|
|
||||||
|
|
||||||
DO_GNU_APP=LDFLAGS="$(CFLAGS)"
|
|
||||||
|
|
||||||
diff -up openssl-1.0.1e/version.map.version openssl-1.0.1e/version.map
|
|
||||||
--- openssl-1.0.1e/version.map.version 2013-07-26 12:23:43.701547398 +0200
|
|
||||||
+++ openssl-1.0.1e/version.map 2013-07-26 12:29:10.698371472 +0200
|
|
||||||
@@ -0,0 +1,8 @@
|
|
||||||
+OPENSSL_1.0.1 {
|
|
||||||
+ global:
|
|
||||||
+ SSLeay;
|
|
||||||
+ SSLeay_version;
|
|
||||||
+ local:
|
|
||||||
+ _original*;
|
|
||||||
+ _current*;
|
|
||||||
+};
|
|
@ -1,12 +0,0 @@
|
|||||||
diff -up openssl-1.0.1e/ssl/ssl.h.weak-ciphers openssl-1.0.1e/ssl/ssl.h
|
|
||||||
--- openssl-1.0.1e/ssl/ssl.h.weak-ciphers 2013-12-18 15:50:40.881620314 +0100
|
|
||||||
+++ openssl-1.0.1e/ssl/ssl.h 2013-12-18 14:25:25.596566704 +0100
|
|
||||||
@@ -331,7 +331,7 @@ extern "C" {
|
|
||||||
/* The following cipher list is used by default.
|
|
||||||
* It also is substituted when an application-defined cipher list string
|
|
||||||
* starts with 'DEFAULT'. */
|
|
||||||
-#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2"
|
|
||||||
+#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES"
|
|
||||||
/* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
|
|
||||||
* starts with a reasonable order, and all we have to do for DEFAULT is
|
|
||||||
* throwing out anonymous and unencrypted ciphersuites!
|
|
@ -1,13 +0,0 @@
|
|||||||
diff -up openssl-1.0.1h/ssl/ssl_lib.c.v2v3 openssl-1.0.1h/ssl/ssl_lib.c
|
|
||||||
--- openssl-1.0.1h/ssl/ssl_lib.c.v2v3 2014-06-11 16:02:52.000000000 +0200
|
|
||||||
+++ openssl-1.0.1h/ssl/ssl_lib.c 2014-06-30 14:18:04.290248080 +0200
|
|
||||||
@@ -1875,6 +1875,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
|
|
||||||
*/
|
|
||||||
ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
|
|
||||||
|
|
||||||
+ /* Disable SSLv2 by default (affects the SSLv23_method() only) */
|
|
||||||
+ ret->options |= SSL_OP_NO_SSLv2;
|
|
||||||
+
|
|
||||||
return(ret);
|
|
||||||
err:
|
|
||||||
SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
|
|
@ -1,529 +0,0 @@
|
|||||||
diff -up openssl-1.0.1h/apps/s_apps.h.ipv6-apps openssl-1.0.1h/apps/s_apps.h
|
|
||||||
--- openssl-1.0.1h/apps/s_apps.h.ipv6-apps 2014-06-05 14:33:38.515668750 +0200
|
|
||||||
+++ openssl-1.0.1h/apps/s_apps.h 2014-06-05 14:33:38.540669335 +0200
|
|
||||||
@@ -148,7 +148,7 @@ typedef fd_mask fd_set;
|
|
||||||
#define PORT_STR "4433"
|
|
||||||
#define PROTOCOL "tcp"
|
|
||||||
|
|
||||||
-int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
|
|
||||||
+int do_server(char *port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
|
|
||||||
#ifdef HEADER_X509_H
|
|
||||||
int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
|
|
||||||
#endif
|
|
||||||
@@ -156,10 +156,9 @@ int MS_CALLBACK verify_callback(int ok,
|
|
||||||
int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
|
|
||||||
int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
|
|
||||||
#endif
|
|
||||||
-int init_client(int *sock, char *server, int port, int type);
|
|
||||||
+int init_client(int *sock, char *server, char *port, int type);
|
|
||||||
int should_retry(int i);
|
|
||||||
-int extract_port(char *str, short *port_ptr);
|
|
||||||
-int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p);
|
|
||||||
+int extract_host_port(char *str,char **host_ptr,char **port_ptr);
|
|
||||||
|
|
||||||
long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
|
|
||||||
int argi, long argl, long ret);
|
|
||||||
diff -up openssl-1.0.1h/apps/s_client.c.ipv6-apps openssl-1.0.1h/apps/s_client.c
|
|
||||||
--- openssl-1.0.1h/apps/s_client.c.ipv6-apps 2014-06-05 14:33:38.533669171 +0200
|
|
||||||
+++ openssl-1.0.1h/apps/s_client.c 2014-06-05 14:33:38.540669335 +0200
|
|
||||||
@@ -567,7 +567,7 @@ int MAIN(int argc, char **argv)
|
|
||||||
int cbuf_len,cbuf_off;
|
|
||||||
int sbuf_len,sbuf_off;
|
|
||||||
fd_set readfds,writefds;
|
|
||||||
- short port=PORT;
|
|
||||||
+ char *port_str = PORT_STR;
|
|
||||||
int full_log=1;
|
|
||||||
char *host=SSL_HOST_NAME;
|
|
||||||
char *cert_file=NULL,*key_file=NULL;
|
|
||||||
@@ -668,13 +668,12 @@ int MAIN(int argc, char **argv)
|
|
||||||
else if (strcmp(*argv,"-port") == 0)
|
|
||||||
{
|
|
||||||
if (--argc < 1) goto bad;
|
|
||||||
- port=atoi(*(++argv));
|
|
||||||
- if (port == 0) goto bad;
|
|
||||||
+ port_str= *(++argv);
|
|
||||||
}
|
|
||||||
else if (strcmp(*argv,"-connect") == 0)
|
|
||||||
{
|
|
||||||
if (--argc < 1) goto bad;
|
|
||||||
- if (!extract_host_port(*(++argv),&host,NULL,&port))
|
|
||||||
+ if (!extract_host_port(*(++argv),&host,&port_str))
|
|
||||||
goto bad;
|
|
||||||
}
|
|
||||||
else if (strcmp(*argv,"-verify") == 0)
|
|
||||||
@@ -1267,7 +1266,7 @@ bad:
|
|
||||||
|
|
||||||
re_start:
|
|
||||||
|
|
||||||
- if (init_client(&s,host,port,socket_type) == 0)
|
|
||||||
+ if (init_client(&s,host,port_str,socket_type) == 0)
|
|
||||||
{
|
|
||||||
BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
|
|
||||||
SHUTDOWN(s);
|
|
||||||
diff -up openssl-1.0.1h/apps/s_server.c.ipv6-apps openssl-1.0.1h/apps/s_server.c
|
|
||||||
--- openssl-1.0.1h/apps/s_server.c.ipv6-apps 2014-06-05 14:33:38.533669171 +0200
|
|
||||||
+++ openssl-1.0.1h/apps/s_server.c 2014-06-05 14:33:38.541669358 +0200
|
|
||||||
@@ -933,7 +933,7 @@ int MAIN(int argc, char *argv[])
|
|
||||||
{
|
|
||||||
X509_VERIFY_PARAM *vpm = NULL;
|
|
||||||
int badarg = 0;
|
|
||||||
- short port=PORT;
|
|
||||||
+ char *port_str = PORT_STR;
|
|
||||||
char *CApath=NULL,*CAfile=NULL;
|
|
||||||
unsigned char *context = NULL;
|
|
||||||
char *dhfile = NULL;
|
|
||||||
@@ -1004,8 +1004,7 @@ int MAIN(int argc, char *argv[])
|
|
||||||
(strcmp(*argv,"-accept") == 0))
|
|
||||||
{
|
|
||||||
if (--argc < 1) goto bad;
|
|
||||||
- if (!extract_port(*(++argv),&port))
|
|
||||||
- goto bad;
|
|
||||||
+ port_str= *(++argv);
|
|
||||||
}
|
|
||||||
else if (strcmp(*argv,"-verify") == 0)
|
|
||||||
{
|
|
||||||
@@ -1892,9 +1891,9 @@ bad:
|
|
||||||
BIO_printf(bio_s_out,"ACCEPT\n");
|
|
||||||
(void)BIO_flush(bio_s_out);
|
|
||||||
if (www)
|
|
||||||
- do_server(port,socket_type,&accept_socket,www_body, context);
|
|
||||||
+ do_server(port_str,socket_type,&accept_socket,www_body, context);
|
|
||||||
else
|
|
||||||
- do_server(port,socket_type,&accept_socket,sv_body, context);
|
|
||||||
+ do_server(port_str,socket_type,&accept_socket,sv_body, context);
|
|
||||||
print_stats(bio_s_out,ctx);
|
|
||||||
ret=0;
|
|
||||||
end:
|
|
||||||
diff -up openssl-1.0.1h/apps/s_socket.c.ipv6-apps openssl-1.0.1h/apps/s_socket.c
|
|
||||||
--- openssl-1.0.1h/apps/s_socket.c.ipv6-apps 2014-06-05 11:44:33.000000000 +0200
|
|
||||||
+++ openssl-1.0.1h/apps/s_socket.c 2014-06-05 14:39:53.226442195 +0200
|
|
||||||
@@ -102,9 +102,7 @@ static struct hostent *GetHostByName(cha
|
|
||||||
static void ssl_sock_cleanup(void);
|
|
||||||
#endif
|
|
||||||
static int ssl_sock_init(void);
|
|
||||||
-static int init_client_ip(int *sock,unsigned char ip[4], int port, int type);
|
|
||||||
-static int init_server(int *sock, int port, int type);
|
|
||||||
-static int init_server_long(int *sock, int port,char *ip, int type);
|
|
||||||
+static int init_server(int *sock, char *port, int type);
|
|
||||||
static int do_accept(int acc_sock, int *sock, char **host);
|
|
||||||
static int host_ip(char *str, unsigned char ip[4]);
|
|
||||||
|
|
||||||
@@ -234,57 +232,71 @@ static int ssl_sock_init(void)
|
|
||||||
return(1);
|
|
||||||
}
|
|
||||||
|
|
||||||
-int init_client(int *sock, char *host, int port, int type)
|
|
||||||
+int init_client(int *sock, char *host, char *port, int type)
|
|
||||||
{
|
|
||||||
- unsigned char ip[4];
|
|
||||||
-
|
|
||||||
- memset(ip, '\0', sizeof ip);
|
|
||||||
- if (!host_ip(host,&(ip[0])))
|
|
||||||
- return 0;
|
|
||||||
- return init_client_ip(sock,ip,port,type);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
|
|
||||||
- {
|
|
||||||
- unsigned long addr;
|
|
||||||
- struct sockaddr_in them;
|
|
||||||
- int s,i;
|
|
||||||
+ struct addrinfo *res, *res0, hints;
|
|
||||||
+ char * failed_call = NULL;
|
|
||||||
+ int s;
|
|
||||||
+ int e;
|
|
||||||
|
|
||||||
if (!ssl_sock_init()) return(0);
|
|
||||||
|
|
||||||
- memset((char *)&them,0,sizeof(them));
|
|
||||||
- them.sin_family=AF_INET;
|
|
||||||
- them.sin_port=htons((unsigned short)port);
|
|
||||||
- addr=(unsigned long)
|
|
||||||
- ((unsigned long)ip[0]<<24L)|
|
|
||||||
- ((unsigned long)ip[1]<<16L)|
|
|
||||||
- ((unsigned long)ip[2]<< 8L)|
|
|
||||||
- ((unsigned long)ip[3]);
|
|
||||||
- them.sin_addr.s_addr=htonl(addr);
|
|
||||||
-
|
|
||||||
- if (type == SOCK_STREAM)
|
|
||||||
- s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
|
|
||||||
- else /* ( type == SOCK_DGRAM) */
|
|
||||||
- s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP);
|
|
||||||
-
|
|
||||||
- if (s == INVALID_SOCKET) { perror("socket"); return(0); }
|
|
||||||
+ memset(&hints, '\0', sizeof(hints));
|
|
||||||
+ hints.ai_socktype = type;
|
|
||||||
+ hints.ai_flags = AI_ADDRCONFIG;
|
|
||||||
+
|
|
||||||
+ e = getaddrinfo(host, port, &hints, &res);
|
|
||||||
+ if (e)
|
|
||||||
+ {
|
|
||||||
+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
|
|
||||||
+ if (e == EAI_SYSTEM)
|
|
||||||
+ perror("getaddrinfo");
|
|
||||||
+ return (0);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
+ res0 = res;
|
|
||||||
+ while (res)
|
|
||||||
+ {
|
|
||||||
+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
|
|
||||||
+ if (s == INVALID_SOCKET)
|
|
||||||
+ {
|
|
||||||
+ failed_call = "socket";
|
|
||||||
+ goto nextres;
|
|
||||||
+ }
|
|
||||||
#if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
|
|
||||||
if (type == SOCK_STREAM)
|
|
||||||
{
|
|
||||||
- i=0;
|
|
||||||
- i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
|
|
||||||
- if (i < 0) { closesocket(s); perror("keepalive"); return(0); }
|
|
||||||
+ int i=0;
|
|
||||||
+ i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,
|
|
||||||
+ (char *)&i,sizeof(i));
|
|
||||||
+ if (i < 0) {
|
|
||||||
+ failed_call = "keepalive";
|
|
||||||
+ goto nextres;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
-
|
|
||||||
- if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1)
|
|
||||||
- { closesocket(s); perror("connect"); return(0); }
|
|
||||||
+ if (connect(s,(struct sockaddr *)res->ai_addr,
|
|
||||||
+ res->ai_addrlen) == 0)
|
|
||||||
+ {
|
|
||||||
+ freeaddrinfo(res0);
|
|
||||||
*sock=s;
|
|
||||||
return(1);
|
|
||||||
}
|
|
||||||
|
|
||||||
-int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context)
|
|
||||||
+ failed_call = "socket";
|
|
||||||
+nextres:
|
|
||||||
+ if (s != INVALID_SOCKET)
|
|
||||||
+ close(s);
|
|
||||||
+ res = res->ai_next;
|
|
||||||
+ }
|
|
||||||
+ freeaddrinfo(res0);
|
|
||||||
+ closesocket(s);
|
|
||||||
+
|
|
||||||
+ perror(failed_call);
|
|
||||||
+ return(0);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+int do_server(char *port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context)
|
|
||||||
{
|
|
||||||
int sock;
|
|
||||||
char *name = NULL;
|
|
||||||
@@ -322,33 +334,50 @@ int do_server(int port, int type, int *r
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
-static int init_server_long(int *sock, int port, char *ip, int type)
|
|
||||||
+static int init_server(int *sock, char *port, int type)
|
|
||||||
{
|
|
||||||
- int ret=0;
|
|
||||||
- struct sockaddr_in server;
|
|
||||||
- int s= -1;
|
|
||||||
+ struct addrinfo *res, *res0 = NULL, hints;
|
|
||||||
+ char * failed_call = NULL;
|
|
||||||
+ int s = INVALID_SOCKET;
|
|
||||||
+ int e;
|
|
||||||
|
|
||||||
if (!ssl_sock_init()) return(0);
|
|
||||||
|
|
||||||
- memset((char *)&server,0,sizeof(server));
|
|
||||||
- server.sin_family=AF_INET;
|
|
||||||
- server.sin_port=htons((unsigned short)port);
|
|
||||||
- if (ip == NULL)
|
|
||||||
- server.sin_addr.s_addr=INADDR_ANY;
|
|
||||||
- else
|
|
||||||
-/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */
|
|
||||||
-#ifndef BIT_FIELD_LIMITS
|
|
||||||
- memcpy(&server.sin_addr.s_addr,ip,4);
|
|
||||||
-#else
|
|
||||||
- memcpy(&server.sin_addr,ip,4);
|
|
||||||
-#endif
|
|
||||||
+ memset(&hints, '\0', sizeof(hints));
|
|
||||||
+ hints.ai_family = AF_INET6;
|
|
||||||
+tryipv4:
|
|
||||||
+ hints.ai_socktype = type;
|
|
||||||
+ hints.ai_flags = AI_PASSIVE;
|
|
||||||
|
|
||||||
- if (type == SOCK_STREAM)
|
|
||||||
- s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
|
|
||||||
- else /* type == SOCK_DGRAM */
|
|
||||||
- s=socket(AF_INET, SOCK_DGRAM,IPPROTO_UDP);
|
|
||||||
+ e = getaddrinfo(NULL, port, &hints, &res);
|
|
||||||
+ if (e)
|
|
||||||
+ {
|
|
||||||
+ if (hints.ai_family == AF_INET)
|
|
||||||
+ {
|
|
||||||
+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
|
|
||||||
+ if (e == EAI_SYSTEM)
|
|
||||||
+ perror("getaddrinfo");
|
|
||||||
+ return (0);
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ res = NULL;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- if (s == INVALID_SOCKET) goto err;
|
|
||||||
+ res0 = res;
|
|
||||||
+ while (res)
|
|
||||||
+ {
|
|
||||||
+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
|
|
||||||
+ if (s == INVALID_SOCKET)
|
|
||||||
+ {
|
|
||||||
+ failed_call = "socket";
|
|
||||||
+ goto nextres;
|
|
||||||
+ }
|
|
||||||
+ if (hints.ai_family == AF_INET6)
|
|
||||||
+ {
|
|
||||||
+ int j = 0;
|
|
||||||
+ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
|
|
||||||
+ (void *) &j, sizeof j);
|
|
||||||
+ }
|
|
||||||
#if defined SOL_SOCKET && defined SO_REUSEADDR
|
|
||||||
{
|
|
||||||
int j = 1;
|
|
||||||
@@ -356,35 +385,49 @@ static int init_server_long(int *sock, i
|
|
||||||
(void *) &j, sizeof j);
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
- if (bind(s,(struct sockaddr *)&server,sizeof(server)) == -1)
|
|
||||||
+
|
|
||||||
+ if (bind(s,(struct sockaddr *)res->ai_addr, res->ai_addrlen) == -1)
|
|
||||||
{
|
|
||||||
-#ifndef OPENSSL_SYS_WINDOWS
|
|
||||||
- perror("bind");
|
|
||||||
-#endif
|
|
||||||
- goto err;
|
|
||||||
+ failed_call = "bind";
|
|
||||||
+ goto nextres;
|
|
||||||
}
|
|
||||||
- /* Make it 128 for linux */
|
|
||||||
- if (type==SOCK_STREAM && listen(s,128) == -1) goto err;
|
|
||||||
- *sock=s;
|
|
||||||
- ret=1;
|
|
||||||
-err:
|
|
||||||
- if ((ret == 0) && (s != -1))
|
|
||||||
+ if (type==SOCK_STREAM && listen(s,128) == -1)
|
|
||||||
{
|
|
||||||
- SHUTDOWN(s);
|
|
||||||
+ failed_call = "listen";
|
|
||||||
+ goto nextres;
|
|
||||||
}
|
|
||||||
- return(ret);
|
|
||||||
+
|
|
||||||
+ *sock=s;
|
|
||||||
+ return(1);
|
|
||||||
+
|
|
||||||
+nextres:
|
|
||||||
+ if (s != INVALID_SOCKET)
|
|
||||||
+ close(s);
|
|
||||||
+ res = res->ai_next;
|
|
||||||
}
|
|
||||||
+ if (res0)
|
|
||||||
+ freeaddrinfo(res0);
|
|
||||||
|
|
||||||
-static int init_server(int *sock, int port, int type)
|
|
||||||
+ if (s == INVALID_SOCKET)
|
|
||||||
{
|
|
||||||
- return(init_server_long(sock, port, NULL, type));
|
|
||||||
+ if (hints.ai_family == AF_INET6)
|
|
||||||
+ {
|
|
||||||
+ hints.ai_family = AF_INET;
|
|
||||||
+ goto tryipv4;
|
|
||||||
+ }
|
|
||||||
+ perror("socket");
|
|
||||||
+ return(0);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ perror(failed_call);
|
|
||||||
+ return(0);
|
|
||||||
}
|
|
||||||
|
|
||||||
static int do_accept(int acc_sock, int *sock, char **host)
|
|
||||||
{
|
|
||||||
+ static struct sockaddr_storage from;
|
|
||||||
+ char buffer[NI_MAXHOST];
|
|
||||||
int ret;
|
|
||||||
- struct hostent *h1,*h2;
|
|
||||||
- static struct sockaddr_in from;
|
|
||||||
int len;
|
|
||||||
/* struct linger ling; */
|
|
||||||
|
|
||||||
@@ -424,145 +467,66 @@ redoit:
|
|
||||||
ling.l_onoff=1;
|
|
||||||
ling.l_linger=0;
|
|
||||||
i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
|
|
||||||
- if (i < 0) { perror("linger"); return(0); }
|
|
||||||
+ if (i < 0) { closesocket(ret); perror("linger"); return(0); }
|
|
||||||
i=0;
|
|
||||||
i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
|
|
||||||
- if (i < 0) { perror("keepalive"); return(0); }
|
|
||||||
+ if (i < 0) { closesocket(ret); perror("keepalive"); return(0); }
|
|
||||||
*/
|
|
||||||
|
|
||||||
if (host == NULL) goto end;
|
|
||||||
-#ifndef BIT_FIELD_LIMITS
|
|
||||||
- /* I should use WSAAsyncGetHostByName() under windows */
|
|
||||||
- h1=gethostbyaddr((char *)&from.sin_addr.s_addr,
|
|
||||||
- sizeof(from.sin_addr.s_addr),AF_INET);
|
|
||||||
-#else
|
|
||||||
- h1=gethostbyaddr((char *)&from.sin_addr,
|
|
||||||
- sizeof(struct in_addr),AF_INET);
|
|
||||||
-#endif
|
|
||||||
- if (h1 == NULL)
|
|
||||||
+
|
|
||||||
+ if (getnameinfo((struct sockaddr *)&from, sizeof(from),
|
|
||||||
+ buffer, sizeof(buffer),
|
|
||||||
+ NULL, 0, 0))
|
|
||||||
{
|
|
||||||
- BIO_printf(bio_err,"bad gethostbyaddr\n");
|
|
||||||
+ BIO_printf(bio_err,"getnameinfo failed\n");
|
|
||||||
*host=NULL;
|
|
||||||
/* return(0); */
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
- if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
|
|
||||||
+ if ((*host=(char *)OPENSSL_malloc(strlen(buffer)+1)) == NULL)
|
|
||||||
{
|
|
||||||
perror("OPENSSL_malloc");
|
|
||||||
closesocket(ret);
|
|
||||||
return(0);
|
|
||||||
}
|
|
||||||
- BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
|
|
||||||
-
|
|
||||||
- h2=GetHostByName(*host);
|
|
||||||
- if (h2 == NULL)
|
|
||||||
- {
|
|
||||||
- BIO_printf(bio_err,"gethostbyname failure\n");
|
|
||||||
- closesocket(ret);
|
|
||||||
- return(0);
|
|
||||||
- }
|
|
||||||
- if (h2->h_addrtype != AF_INET)
|
|
||||||
- {
|
|
||||||
- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
|
|
||||||
- closesocket(ret);
|
|
||||||
- return(0);
|
|
||||||
- }
|
|
||||||
+ strcpy(*host, buffer);
|
|
||||||
}
|
|
||||||
end:
|
|
||||||
*sock=ret;
|
|
||||||
return(1);
|
|
||||||
}
|
|
||||||
|
|
||||||
-int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
|
|
||||||
- short *port_ptr)
|
|
||||||
+int extract_host_port(char *str, char **host_ptr,
|
|
||||||
+ char **port_ptr)
|
|
||||||
{
|
|
||||||
- char *h,*p;
|
|
||||||
+ char *h,*p,*x;
|
|
||||||
|
|
||||||
- h=str;
|
|
||||||
- p=strchr(str,':');
|
|
||||||
+ x=h=str;
|
|
||||||
+ if (*h == '[')
|
|
||||||
+ {
|
|
||||||
+ h++;
|
|
||||||
+ p=strchr(h,']');
|
|
||||||
if (p == NULL)
|
|
||||||
{
|
|
||||||
- BIO_printf(bio_err,"no port defined\n");
|
|
||||||
+ BIO_printf(bio_err,"no ending bracket for IPv6 address\n");
|
|
||||||
return(0);
|
|
||||||
}
|
|
||||||
*(p++)='\0';
|
|
||||||
-
|
|
||||||
- if ((ip != NULL) && !host_ip(str,ip))
|
|
||||||
- goto err;
|
|
||||||
- if (host_ptr != NULL) *host_ptr=h;
|
|
||||||
-
|
|
||||||
- if (!extract_port(p,port_ptr))
|
|
||||||
- goto err;
|
|
||||||
- return(1);
|
|
||||||
-err:
|
|
||||||
- return(0);
|
|
||||||
+ x = p;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
-static int host_ip(char *str, unsigned char ip[4])
|
|
||||||
- {
|
|
||||||
- unsigned int in[4];
|
|
||||||
- int i;
|
|
||||||
-
|
|
||||||
- if (sscanf(str,"%u.%u.%u.%u",&(in[0]),&(in[1]),&(in[2]),&(in[3])) == 4)
|
|
||||||
- {
|
|
||||||
- for (i=0; i<4; i++)
|
|
||||||
- if (in[i] > 255)
|
|
||||||
- {
|
|
||||||
- BIO_printf(bio_err,"invalid IP address\n");
|
|
||||||
- goto err;
|
|
||||||
- }
|
|
||||||
- ip[0]=in[0];
|
|
||||||
- ip[1]=in[1];
|
|
||||||
- ip[2]=in[2];
|
|
||||||
- ip[3]=in[3];
|
|
||||||
- }
|
|
||||||
- else
|
|
||||||
- { /* do a gethostbyname */
|
|
||||||
- struct hostent *he;
|
|
||||||
-
|
|
||||||
- if (!ssl_sock_init()) return(0);
|
|
||||||
-
|
|
||||||
- he=GetHostByName(str);
|
|
||||||
- if (he == NULL)
|
|
||||||
- {
|
|
||||||
- BIO_printf(bio_err,"gethostbyname failure\n");
|
|
||||||
- goto err;
|
|
||||||
- }
|
|
||||||
- /* cast to short because of win16 winsock definition */
|
|
||||||
- if ((short)he->h_addrtype != AF_INET)
|
|
||||||
+ p=strchr(x,':');
|
|
||||||
+ if (p == NULL)
|
|
||||||
{
|
|
||||||
- BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
|
|
||||||
- return(0);
|
|
||||||
- }
|
|
||||||
- ip[0]=he->h_addr_list[0][0];
|
|
||||||
- ip[1]=he->h_addr_list[0][1];
|
|
||||||
- ip[2]=he->h_addr_list[0][2];
|
|
||||||
- ip[3]=he->h_addr_list[0][3];
|
|
||||||
- }
|
|
||||||
- return(1);
|
|
||||||
-err:
|
|
||||||
+ BIO_printf(bio_err,"no port defined\n");
|
|
||||||
return(0);
|
|
||||||
}
|
|
||||||
+ *(p++)='\0';
|
|
||||||
|
|
||||||
-int extract_port(char *str, short *port_ptr)
|
|
||||||
- {
|
|
||||||
- int i;
|
|
||||||
- struct servent *s;
|
|
||||||
+ if (host_ptr != NULL) *host_ptr=h;
|
|
||||||
+ if (port_ptr != NULL) *port_ptr=p;
|
|
||||||
|
|
||||||
- i=atoi(str);
|
|
||||||
- if (i != 0)
|
|
||||||
- *port_ptr=(unsigned short)i;
|
|
||||||
- else
|
|
||||||
- {
|
|
||||||
- s=getservbyname(str,"tcp");
|
|
||||||
- if (s == NULL)
|
|
||||||
- {
|
|
||||||
- BIO_printf(bio_err,"getservbyname failure for %s\n",str);
|
|
||||||
- return(0);
|
|
||||||
- }
|
|
||||||
- *port_ptr=ntohs((unsigned short)s->s_port);
|
|
||||||
- }
|
|
||||||
return(1);
|
|
||||||
}
|
|
||||||
|
|
@ -1,289 +0,0 @@
|
|||||||
diff -up openssl-1.0.1h/Configure.system openssl-1.0.1h/Configure
|
|
||||||
--- openssl-1.0.1h/Configure.system 2014-06-05 14:47:37.509312875 +0200
|
|
||||||
+++ openssl-1.0.1h/Configure 2014-06-11 14:05:28.560359069 +0200
|
|
||||||
@@ -10,7 +10,7 @@ use strict;
|
|
||||||
|
|
||||||
# see INSTALL for instructions.
|
|
||||||
|
|
||||||
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
|
|
||||||
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
|
|
||||||
|
|
||||||
# Options:
|
|
||||||
#
|
|
||||||
@@ -35,6 +35,9 @@ my $usage="Usage: Configure [no-<cipher>
|
|
||||||
# --with-krb5-flavor Declare what flavor of Kerberos 5 is used. Currently
|
|
||||||
# supported values are "MIT" and "Heimdal". A value is required.
|
|
||||||
#
|
|
||||||
+# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM
|
|
||||||
+# cipher is specified (default).
|
|
||||||
+#
|
|
||||||
# --test-sanity Make a number of sanity checks on the data in this file.
|
|
||||||
# This is a debugging tool for OpenSSL developers.
|
|
||||||
#
|
|
||||||
@@ -663,6 +666,7 @@ my $prefix="";
|
|
||||||
my $libdir="";
|
|
||||||
my $openssldir="";
|
|
||||||
my $enginesdir="";
|
|
||||||
+my $system_ciphers_file="";
|
|
||||||
my $exe_ext="";
|
|
||||||
my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
|
|
||||||
my $cross_compile_prefix="";
|
|
||||||
@@ -895,6 +899,10 @@ PROCESS_ARGS:
|
|
||||||
{
|
|
||||||
$enginesdir=$1;
|
|
||||||
}
|
|
||||||
+ elsif (/^--system-ciphers-file=(.*)$/)
|
|
||||||
+ {
|
|
||||||
+ $system_ciphers_file=$1;
|
|
||||||
+ }
|
|
||||||
elsif (/^--install.prefix=(.*)$/)
|
|
||||||
{
|
|
||||||
$install_prefix=$1;
|
|
||||||
@@ -1053,6 +1061,7 @@ print "Configuring for $target\n";
|
|
||||||
|
|
||||||
&usage if (!defined($table{$target}));
|
|
||||||
|
|
||||||
+chop $system_ciphers_file if $system_ciphers_file =~ /\/$/;
|
|
||||||
|
|
||||||
foreach (sort (keys %disabled))
|
|
||||||
{
|
|
||||||
@@ -1607,6 +1616,7 @@ while (<IN>)
|
|
||||||
s/^INSTALLTOP=.*$/INSTALLTOP=$prefix/;
|
|
||||||
s/^MULTILIB=.*$/MULTILIB=$multilib/;
|
|
||||||
s/^OPENSSLDIR=.*$/OPENSSLDIR=$openssldir/;
|
|
||||||
+ s/^SYSTEM_CIPHERS_FILE=.*$/SYSTEM_CIPHERS_FILE=$system_ciphers_file/;
|
|
||||||
s/^LIBDIR=.*$/LIBDIR=$libdir/;
|
|
||||||
s/^INSTALL_PREFIX=.*$/INSTALL_PREFIX=$install_prefix/;
|
|
||||||
s/^PLATFORM=.*$/PLATFORM=$target/;
|
|
||||||
@@ -1812,6 +1822,14 @@ while (<IN>)
|
|
||||||
$foo =~ s/\\/\\\\/g;
|
|
||||||
print OUT "#define ENGINESDIR \"$foo\"\n";
|
|
||||||
}
|
|
||||||
+ elsif (/^#((define)|(undef))\s+SYSTEM_CIPHERS_FILE/)
|
|
||||||
+ {
|
|
||||||
+ my $foo = "$system_ciphers_file";
|
|
||||||
+ if ($foo ne '') {
|
|
||||||
+ $foo =~ s/\\/\\\\/g;
|
|
||||||
+ print OUT "#define SYSTEM_CIPHERS_FILE \"$foo\"\n";
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/)
|
|
||||||
{ printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n"
|
|
||||||
if $export_var_as_fn;
|
|
||||||
diff -up openssl-1.0.1h/crypto/opensslconf.h.in.system openssl-1.0.1h/crypto/opensslconf.h.in
|
|
||||||
--- openssl-1.0.1h/crypto/opensslconf.h.in.system 2014-06-05 14:47:37.437311188 +0200
|
|
||||||
+++ openssl-1.0.1h/crypto/opensslconf.h.in 2014-06-11 13:31:44.497722345 +0200
|
|
||||||
@@ -25,6 +25,8 @@
|
|
||||||
#endif
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+#undef SYSTEM_CIPHERS_FILE
|
|
||||||
+
|
|
||||||
#undef OPENSSL_UNISTD
|
|
||||||
#define OPENSSL_UNISTD <unistd.h>
|
|
||||||
|
|
||||||
diff -up openssl-1.0.1h/ssl/ssl_ciph.c.system openssl-1.0.1h/ssl/ssl_ciph.c
|
|
||||||
--- openssl-1.0.1h/ssl/ssl_ciph.c.system 2014-06-05 14:47:37.441311282 +0200
|
|
||||||
+++ openssl-1.0.1h/ssl/ssl_ciph.c 2014-06-11 13:55:28.194381937 +0200
|
|
||||||
@@ -1352,6 +1352,54 @@ static int ssl_cipher_process_rulestr(co
|
|
||||||
return(retval);
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef SYSTEM_CIPHERS_FILE
|
|
||||||
+static char* load_system_str(const char* suffix)
|
|
||||||
+ {
|
|
||||||
+ FILE* fp;
|
|
||||||
+ char buf[1024];
|
|
||||||
+ char *new_rules;
|
|
||||||
+ unsigned len, slen;
|
|
||||||
+
|
|
||||||
+ fp = fopen(SYSTEM_CIPHERS_FILE, "r");
|
|
||||||
+ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL)
|
|
||||||
+ {
|
|
||||||
+ /* cannot open or file is empty */
|
|
||||||
+ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (fp)
|
|
||||||
+ fclose(fp);
|
|
||||||
+
|
|
||||||
+ slen = strlen(suffix);
|
|
||||||
+ len = strlen(buf);
|
|
||||||
+
|
|
||||||
+ if (buf[len-1] == '\n')
|
|
||||||
+ {
|
|
||||||
+ len--;
|
|
||||||
+ buf[len] = 0;
|
|
||||||
+ }
|
|
||||||
+ if (buf[len-1] == '\r')
|
|
||||||
+ {
|
|
||||||
+ len--;
|
|
||||||
+ buf[len] = 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ new_rules = OPENSSL_malloc(len + slen + 1);
|
|
||||||
+ if (new_rules == 0)
|
|
||||||
+ return NULL;
|
|
||||||
+
|
|
||||||
+ memcpy(new_rules, buf, len);
|
|
||||||
+ if (slen > 0)
|
|
||||||
+ {
|
|
||||||
+ memcpy(&new_rules[len], suffix, slen);
|
|
||||||
+ len += slen;
|
|
||||||
+ }
|
|
||||||
+ new_rules[len] = 0;
|
|
||||||
+
|
|
||||||
+ return new_rules;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
|
||||||
STACK_OF(SSL_CIPHER) **cipher_list,
|
|
||||||
STACK_OF(SSL_CIPHER) **cipher_list_by_id,
|
|
||||||
@@ -1359,16 +1407,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
||||||
{
|
|
||||||
int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
|
|
||||||
unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl;
|
|
||||||
- STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
|
|
||||||
+ STACK_OF(SSL_CIPHER) *cipherstack = NULL, *tmp_cipher_list;
|
|
||||||
const char *rule_p;
|
|
||||||
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
|
|
||||||
const SSL_CIPHER **ca_list = NULL;
|
|
||||||
+#ifdef SYSTEM_CIPHERS_FILE
|
|
||||||
+ char *new_rules = NULL;
|
|
||||||
+
|
|
||||||
+ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0)
|
|
||||||
+ {
|
|
||||||
+ char *p = rule_str + 14;
|
|
||||||
+
|
|
||||||
+ new_rules = load_system_str(p);
|
|
||||||
+ rule_str = new_rules;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Return with error if nothing to do.
|
|
||||||
*/
|
|
||||||
if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
|
|
||||||
- return NULL;
|
|
||||||
+ {
|
|
||||||
+ goto end;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
/*
|
|
||||||
* To reduce the work to do we only want to process the compiled
|
|
||||||
@@ -1389,7 +1450,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
||||||
if (co_list == NULL)
|
|
||||||
{
|
|
||||||
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
|
|
||||||
- return(NULL); /* Failure */
|
|
||||||
+ goto end;
|
|
||||||
}
|
|
||||||
|
|
||||||
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
|
|
||||||
@@ -1431,8 +1492,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
||||||
* in force within each class */
|
|
||||||
if (!ssl_cipher_strength_sort(&head, &tail))
|
|
||||||
{
|
|
||||||
- OPENSSL_free(co_list);
|
|
||||||
- return NULL;
|
|
||||||
+ goto end;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Now disable everything (maintaining the ordering!) */
|
|
||||||
@@ -1452,9 +1512,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
||||||
ca_list = OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
|
|
||||||
if (ca_list == NULL)
|
|
||||||
{
|
|
||||||
- OPENSSL_free(co_list);
|
|
||||||
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
|
|
||||||
- return(NULL); /* Failure */
|
|
||||||
+ goto end;
|
|
||||||
}
|
|
||||||
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
|
|
||||||
disabled_mkey, disabled_auth, disabled_enc,
|
|
||||||
@@ -1482,8 +1541,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
||||||
|
|
||||||
if (!ok)
|
|
||||||
{ /* Rule processing failure */
|
|
||||||
- OPENSSL_free(co_list);
|
|
||||||
- return(NULL);
|
|
||||||
+ goto end;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -1492,8 +1550,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
||||||
*/
|
|
||||||
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL)
|
|
||||||
{
|
|
||||||
- OPENSSL_free(co_list);
|
|
||||||
- return(NULL);
|
|
||||||
+ goto end;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -1514,13 +1571,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
}
|
|
||||||
- OPENSSL_free(co_list); /* Not needed any longer */
|
|
||||||
|
|
||||||
tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
|
|
||||||
if (tmp_cipher_list == NULL)
|
|
||||||
{
|
|
||||||
sk_SSL_CIPHER_free(cipherstack);
|
|
||||||
- return NULL;
|
|
||||||
+ cipherstack = NULL;
|
|
||||||
+ goto end;
|
|
||||||
}
|
|
||||||
if (*cipher_list != NULL)
|
|
||||||
sk_SSL_CIPHER_free(*cipher_list);
|
|
||||||
@@ -1531,6 +1588,12 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
||||||
(void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
|
|
||||||
|
|
||||||
sk_SSL_CIPHER_sort(*cipher_list_by_id);
|
|
||||||
+
|
|
||||||
+end:
|
|
||||||
+ OPENSSL_free(co_list);
|
|
||||||
+#ifdef SYSTEM_CIPHERS_FILE
|
|
||||||
+ OPENSSL_free(new_rules);
|
|
||||||
+#endif
|
|
||||||
return(cipherstack);
|
|
||||||
}
|
|
||||||
|
|
||||||
diff -up openssl-1.0.1h/ssl/ssl.h.system openssl-1.0.1h/ssl/ssl.h
|
|
||||||
--- openssl-1.0.1h/ssl/ssl.h.system 2014-06-05 14:47:37.000000000 +0200
|
|
||||||
+++ openssl-1.0.1h/ssl/ssl.h 2014-06-11 14:08:35.243461447 +0200
|
|
||||||
@@ -338,6 +338,11 @@ extern "C" {
|
|
||||||
* (The latter are not actually enabled by ALL, but "ALL:RSA" would enable
|
|
||||||
* some of them.)
|
|
||||||
*/
|
|
||||||
+#ifdef SYSTEM_CIPHERS_FILE
|
|
||||||
+#define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM"
|
|
||||||
+#else
|
|
||||||
+#define SSL_SYSTEM_DEFAULT_CIPHER_LIST SSL_DEFAULT_CIPHER_LIST
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
|
|
||||||
#define SSL_SENT_SHUTDOWN 1
|
|
||||||
diff -up openssl-1.0.1h/ssl/ssl_lib.c.system openssl-1.0.1h/ssl/ssl_lib.c
|
|
||||||
--- openssl-1.0.1h/ssl/ssl_lib.c.system 2014-06-05 11:44:33.000000000 +0200
|
|
||||||
+++ openssl-1.0.1h/ssl/ssl_lib.c 2014-06-11 13:59:40.696578139 +0200
|
|
||||||
@@ -263,7 +263,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
|
|
||||||
|
|
||||||
sk=ssl_create_cipher_list(ctx->method,&(ctx->cipher_list),
|
|
||||||
&(ctx->cipher_list_by_id),
|
|
||||||
- meth->version == SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST);
|
|
||||||
+ meth->version == SSL2_VERSION ? "SSLv2" : SSL_SYSTEM_DEFAULT_CIPHER_LIST);
|
|
||||||
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0))
|
|
||||||
{
|
|
||||||
SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
|
|
||||||
@@ -1767,7 +1767,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
|
|
||||||
|
|
||||||
ssl_create_cipher_list(ret->method,
|
|
||||||
&ret->cipher_list,&ret->cipher_list_by_id,
|
|
||||||
- meth->version == SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST);
|
|
||||||
+ meth->version == SSL2_VERSION ? "SSLv2" : SSL_SYSTEM_DEFAULT_CIPHER_LIST);
|
|
||||||
if (ret->cipher_list == NULL
|
|
||||||
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0)
|
|
||||||
{
|
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1,330 +0,0 @@
|
|||||||
diff -up openssl-1.0.1i/apps/apps.c.trusted-first openssl-1.0.1i/apps/apps.c
|
|
||||||
--- openssl-1.0.1i/apps/apps.c.trusted-first 2014-08-06 23:10:56.000000000 +0200
|
|
||||||
+++ openssl-1.0.1i/apps/apps.c 2014-08-07 13:54:27.751103405 +0200
|
|
||||||
@@ -2365,6 +2365,8 @@ int args_verify(char ***pargs, int *parg
|
|
||||||
flags |= X509_V_FLAG_NOTIFY_POLICY;
|
|
||||||
else if (!strcmp(arg, "-check_ss_sig"))
|
|
||||||
flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
|
|
||||||
+ else if (!strcmp(arg, "-trusted_first"))
|
|
||||||
+ flags |= X509_V_FLAG_TRUSTED_FIRST;
|
|
||||||
else
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
diff -up openssl-1.0.1i/apps/cms.c.trusted-first openssl-1.0.1i/apps/cms.c
|
|
||||||
--- openssl-1.0.1i/apps/cms.c.trusted-first 2014-08-06 23:10:56.000000000 +0200
|
|
||||||
+++ openssl-1.0.1i/apps/cms.c 2014-08-07 13:54:27.751103405 +0200
|
|
||||||
@@ -642,6 +642,7 @@ int MAIN(int argc, char **argv)
|
|
||||||
BIO_printf (bio_err, "-text include or delete text MIME headers\n");
|
|
||||||
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
|
|
||||||
BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
|
|
||||||
+ BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
|
|
||||||
BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
|
|
||||||
BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
|
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
diff -up openssl-1.0.1i/apps/ocsp.c.trusted-first openssl-1.0.1i/apps/ocsp.c
|
|
||||||
--- openssl-1.0.1i/apps/ocsp.c.trusted-first 2014-08-06 23:10:56.000000000 +0200
|
|
||||||
+++ openssl-1.0.1i/apps/ocsp.c 2014-08-07 13:54:27.752103409 +0200
|
|
||||||
@@ -605,6 +605,7 @@ int MAIN(int argc, char **argv)
|
|
||||||
BIO_printf (bio_err, "-path path to use in OCSP request\n");
|
|
||||||
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
|
|
||||||
BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
|
|
||||||
+ BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
|
|
||||||
BIO_printf (bio_err, "-VAfile file validator certificates file\n");
|
|
||||||
BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
|
|
||||||
BIO_printf (bio_err, "-status_age n maximum status age in seconds\n");
|
|
||||||
diff -up openssl-1.0.1i/apps/s_client.c.trusted-first openssl-1.0.1i/apps/s_client.c
|
|
||||||
--- openssl-1.0.1i/apps/s_client.c.trusted-first 2014-08-07 13:54:27.752103409 +0200
|
|
||||||
+++ openssl-1.0.1i/apps/s_client.c 2014-08-07 15:06:28.443918055 +0200
|
|
||||||
@@ -299,6 +299,7 @@ static void sc_usage(void)
|
|
||||||
BIO_printf(bio_err," -pass arg - private key file pass phrase source\n");
|
|
||||||
BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
|
|
||||||
BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
|
|
||||||
+ BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n");
|
|
||||||
BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n");
|
|
||||||
BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n");
|
|
||||||
BIO_printf(bio_err," -prexit - print session information even on connection failure\n");
|
|
||||||
diff -up openssl-1.0.1i/apps/smime.c.trusted-first openssl-1.0.1i/apps/smime.c
|
|
||||||
--- openssl-1.0.1i/apps/smime.c.trusted-first 2014-08-06 23:10:56.000000000 +0200
|
|
||||||
+++ openssl-1.0.1i/apps/smime.c 2014-08-07 13:54:27.753103414 +0200
|
|
||||||
@@ -479,6 +479,7 @@ int MAIN(int argc, char **argv)
|
|
||||||
BIO_printf (bio_err, "-text include or delete text MIME headers\n");
|
|
||||||
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
|
|
||||||
BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
|
|
||||||
+ BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
|
|
||||||
BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
|
|
||||||
BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
|
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
diff -up openssl-1.0.1i/apps/s_server.c.trusted-first openssl-1.0.1i/apps/s_server.c
|
|
||||||
--- openssl-1.0.1i/apps/s_server.c.trusted-first 2014-08-07 13:54:27.718103241 +0200
|
|
||||||
+++ openssl-1.0.1i/apps/s_server.c 2014-08-07 13:54:27.753103414 +0200
|
|
||||||
@@ -502,6 +502,7 @@ static void sv_usage(void)
|
|
||||||
BIO_printf(bio_err," -state - Print the SSL states\n");
|
|
||||||
BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
|
|
||||||
BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
|
|
||||||
+ BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n");
|
|
||||||
BIO_printf(bio_err," -nocert - Don't use any certificates (Anon-DH)\n");
|
|
||||||
BIO_printf(bio_err," -cipher arg - play with 'openssl ciphers' to see what goes here\n");
|
|
||||||
BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n");
|
|
||||||
diff -up openssl-1.0.1i/apps/s_time.c.trusted-first openssl-1.0.1i/apps/s_time.c
|
|
||||||
--- openssl-1.0.1i/apps/s_time.c.trusted-first 2014-08-07 13:54:27.432101823 +0200
|
|
||||||
+++ openssl-1.0.1i/apps/s_time.c 2014-08-07 13:54:27.753103414 +0200
|
|
||||||
@@ -179,6 +179,7 @@ static void s_time_usage(void)
|
|
||||||
file if not specified by this option\n\
|
|
||||||
-CApath arg - PEM format directory of CA's\n\
|
|
||||||
-CAfile arg - PEM format file of CA's\n\
|
|
||||||
+-trusted_first - Use trusted CA's first when building the trust chain\n\
|
|
||||||
-cipher - preferred cipher to use, play with 'openssl ciphers'\n\n";
|
|
||||||
|
|
||||||
printf( "usage: s_time <args>\n\n" );
|
|
||||||
diff -up openssl-1.0.1i/apps/ts.c.trusted-first openssl-1.0.1i/apps/ts.c
|
|
||||||
--- openssl-1.0.1i/apps/ts.c.trusted-first 2014-08-07 13:54:27.707103186 +0200
|
|
||||||
+++ openssl-1.0.1i/apps/ts.c 2014-08-07 13:54:27.753103414 +0200
|
|
||||||
@@ -383,7 +383,7 @@ int MAIN(int argc, char **argv)
|
|
||||||
"ts -verify [-data file_to_hash] [-digest digest_bytes] "
|
|
||||||
"[-queryfile request.tsq] "
|
|
||||||
"-in response.tsr [-token_in] "
|
|
||||||
- "-CApath ca_path -CAfile ca_file.pem "
|
|
||||||
+ "-CApath ca_path -CAfile ca_file.pem -trusted_first"
|
|
||||||
"-untrusted cert_file.pem\n");
|
|
||||||
cleanup:
|
|
||||||
/* Clean up. */
|
|
||||||
diff -up openssl-1.0.1i/apps/verify.c.trusted-first openssl-1.0.1i/apps/verify.c
|
|
||||||
--- openssl-1.0.1i/apps/verify.c.trusted-first 2014-08-06 23:10:56.000000000 +0200
|
|
||||||
+++ openssl-1.0.1i/apps/verify.c 2014-08-07 13:54:27.754103419 +0200
|
|
||||||
@@ -237,7 +237,7 @@ int MAIN(int argc, char **argv)
|
|
||||||
|
|
||||||
end:
|
|
||||||
if (ret == 1) {
|
|
||||||
- BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
|
|
||||||
+ BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
|
|
||||||
BIO_printf(bio_err," [-attime timestamp]");
|
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
BIO_printf(bio_err," [-engine e]");
|
|
||||||
diff -up openssl-1.0.1i/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1i/crypto/x509/x509_vfy.c
|
|
||||||
--- openssl-1.0.1i/crypto/x509/x509_vfy.c.trusted-first 2014-08-07 13:54:27.716103231 +0200
|
|
||||||
+++ openssl-1.0.1i/crypto/x509/x509_vfy.c 2014-08-07 13:54:27.754103419 +0200
|
|
||||||
@@ -207,6 +207,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx
|
|
||||||
|
|
||||||
/* If we are self signed, we break */
|
|
||||||
if (ctx->check_issued(ctx, x,x)) break;
|
|
||||||
+ /* If asked see if we can find issuer in trusted store first */
|
|
||||||
+ if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
|
|
||||||
+ {
|
|
||||||
+ ok = ctx->get_issuer(&xtmp, ctx, x);
|
|
||||||
+ if (ok < 0)
|
|
||||||
+ return ok;
|
|
||||||
+ /* If successful for now free up cert so it
|
|
||||||
+ * will be picked up again later.
|
|
||||||
+ */
|
|
||||||
+ if (ok > 0)
|
|
||||||
+ {
|
|
||||||
+ X509_free(xtmp);
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
|
|
||||||
/* If we were passed a cert chain, use it first */
|
|
||||||
if (ctx->untrusted != NULL)
|
|
||||||
diff -up openssl-1.0.1i/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1i/crypto/x509/x509_vfy.h
|
|
||||||
--- openssl-1.0.1i/crypto/x509/x509_vfy.h.trusted-first 2014-08-07 13:54:27.360101466 +0200
|
|
||||||
+++ openssl-1.0.1i/crypto/x509/x509_vfy.h 2014-08-07 13:54:27.754103419 +0200
|
|
||||||
@@ -389,6 +389,8 @@ void X509_STORE_CTX_set_depth(X509_STORE
|
|
||||||
#define X509_V_FLAG_USE_DELTAS 0x2000
|
|
||||||
/* Check selfsigned CA signature */
|
|
||||||
#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
|
|
||||||
+/* Use trusted store first */
|
|
||||||
+#define X509_V_FLAG_TRUSTED_FIRST 0x8000
|
|
||||||
|
|
||||||
|
|
||||||
#define X509_VP_FLAG_DEFAULT 0x1
|
|
||||||
diff -up openssl-1.0.1i/doc/apps/cms.pod.trusted-first openssl-1.0.1i/doc/apps/cms.pod
|
|
||||||
--- openssl-1.0.1i/doc/apps/cms.pod.trusted-first 2014-08-06 23:10:56.000000000 +0200
|
|
||||||
+++ openssl-1.0.1i/doc/apps/cms.pod 2014-08-07 13:54:27.754103419 +0200
|
|
||||||
@@ -35,6 +35,7 @@ B<openssl> B<cms>
|
|
||||||
[B<-print>]
|
|
||||||
[B<-CAfile file>]
|
|
||||||
[B<-CApath dir>]
|
|
||||||
+[B<-trusted_first>]
|
|
||||||
[B<-md digest>]
|
|
||||||
[B<-[cipher]>]
|
|
||||||
[B<-nointern>]
|
|
||||||
@@ -243,6 +244,12 @@ B<-verify>. This directory must be a sta
|
|
||||||
is a hash of each subject name (using B<x509 -hash>) should be linked
|
|
||||||
to each certificate.
|
|
||||||
|
|
||||||
+=item B<-trusted_first>
|
|
||||||
+
|
|
||||||
+Use certificates in CA file or CA directory before untrusted certificates
|
|
||||||
+from the message when building the trust chain to verify certificates.
|
|
||||||
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
|
||||||
+
|
|
||||||
=item B<-md digest>
|
|
||||||
|
|
||||||
digest algorithm to use when signing or resigning. If not present then the
|
|
||||||
diff -up openssl-1.0.1i/doc/apps/ocsp.pod.trusted-first openssl-1.0.1i/doc/apps/ocsp.pod
|
|
||||||
--- openssl-1.0.1i/doc/apps/ocsp.pod.trusted-first 2014-08-07 13:54:27.708103191 +0200
|
|
||||||
+++ openssl-1.0.1i/doc/apps/ocsp.pod 2014-08-07 13:54:27.755103424 +0200
|
|
||||||
@@ -29,6 +29,7 @@ B<openssl> B<ocsp>
|
|
||||||
[B<-path>]
|
|
||||||
[B<-CApath dir>]
|
|
||||||
[B<-CAfile file>]
|
|
||||||
+[B<-trusted_first>]
|
|
||||||
[B<-VAfile file>]
|
|
||||||
[B<-validity_period n>]
|
|
||||||
[B<-status_age n>]
|
|
||||||
@@ -138,6 +139,13 @@ or "/" by default.
|
|
||||||
file or pathname containing trusted CA certificates. These are used to verify
|
|
||||||
the signature on the OCSP response.
|
|
||||||
|
|
||||||
+=item B<-trusted_first>
|
|
||||||
+
|
|
||||||
+Use certificates in CA file or CA directory over certificates provided
|
|
||||||
+in the response or residing in other certificates file when building the trust
|
|
||||||
+chain to verify responder certificate.
|
|
||||||
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
|
||||||
+
|
|
||||||
=item B<-verify_other file>
|
|
||||||
|
|
||||||
file containing additional certificates to search when attempting to locate
|
|
||||||
diff -up openssl-1.0.1i/doc/apps/s_client.pod.trusted-first openssl-1.0.1i/doc/apps/s_client.pod
|
|
||||||
--- openssl-1.0.1i/doc/apps/s_client.pod.trusted-first 2014-08-07 13:54:27.726103281 +0200
|
|
||||||
+++ openssl-1.0.1i/doc/apps/s_client.pod 2014-08-07 13:54:27.755103424 +0200
|
|
||||||
@@ -19,6 +19,7 @@ B<openssl> B<s_client>
|
|
||||||
[B<-pass arg>]
|
|
||||||
[B<-CApath directory>]
|
|
||||||
[B<-CAfile filename>]
|
|
||||||
+[B<-trusted_first>]
|
|
||||||
[B<-reconnect>]
|
|
||||||
[B<-pause>]
|
|
||||||
[B<-showcerts>]
|
|
||||||
@@ -121,7 +122,7 @@ also used when building the client certi
|
|
||||||
A file containing trusted certificates to use during server authentication
|
|
||||||
and to use when attempting to build the client certificate chain.
|
|
||||||
|
|
||||||
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
|
|
||||||
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first>
|
|
||||||
|
|
||||||
Set various certificate chain valiadition option. See the
|
|
||||||
L<B<verify>|verify(1)> manual page for details.
|
|
||||||
diff -up openssl-1.0.1i/doc/apps/smime.pod.trusted-first openssl-1.0.1i/doc/apps/smime.pod
|
|
||||||
--- openssl-1.0.1i/doc/apps/smime.pod.trusted-first 2014-07-22 21:43:11.000000000 +0200
|
|
||||||
+++ openssl-1.0.1i/doc/apps/smime.pod 2014-08-07 13:54:27.755103424 +0200
|
|
||||||
@@ -15,6 +15,9 @@ B<openssl> B<smime>
|
|
||||||
[B<-pk7out>]
|
|
||||||
[B<-[cipher]>]
|
|
||||||
[B<-in file>]
|
|
||||||
+[B<-CAfile file>]
|
|
||||||
+[B<-CApath dir>]
|
|
||||||
+[B<-trusted_first>]
|
|
||||||
[B<-certfile file>]
|
|
||||||
[B<-signer file>]
|
|
||||||
[B<-recip file>]
|
|
||||||
@@ -146,6 +149,12 @@ B<-verify>. This directory must be a sta
|
|
||||||
is a hash of each subject name (using B<x509 -hash>) should be linked
|
|
||||||
to each certificate.
|
|
||||||
|
|
||||||
+=item B<-trusted_first>
|
|
||||||
+
|
|
||||||
+Use certificates in CA file or CA directory over certificates provided
|
|
||||||
+in the message when building the trust chain to verify a certificate.
|
|
||||||
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
|
||||||
+
|
|
||||||
=item B<-md digest>
|
|
||||||
|
|
||||||
digest algorithm to use when signing or resigning. If not present then the
|
|
||||||
diff -up openssl-1.0.1i/doc/apps/s_server.pod.trusted-first openssl-1.0.1i/doc/apps/s_server.pod
|
|
||||||
--- openssl-1.0.1i/doc/apps/s_server.pod.trusted-first 2014-08-07 13:54:27.726103281 +0200
|
|
||||||
+++ openssl-1.0.1i/doc/apps/s_server.pod 2014-08-07 15:07:12.315099577 +0200
|
|
||||||
@@ -33,6 +33,7 @@ B<openssl> B<s_server>
|
|
||||||
[B<-state>]
|
|
||||||
[B<-CApath directory>]
|
|
||||||
[B<-CAfile filename>]
|
|
||||||
+[B<-trusted_first>]
|
|
||||||
[B<-nocert>]
|
|
||||||
[B<-cipher cipherlist>]
|
|
||||||
[B<-serverpref>]
|
|
||||||
@@ -178,6 +179,12 @@ and to use when attempting to build the
|
|
||||||
is also used in the list of acceptable client CAs passed to the client when
|
|
||||||
a certificate is requested.
|
|
||||||
|
|
||||||
+=item B<-trusted_first>
|
|
||||||
+
|
|
||||||
+Use certificates in CA file or CA directory before other certificates
|
|
||||||
+when building the trust chain to verify client certificates.
|
|
||||||
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
|
||||||
+
|
|
||||||
=item B<-state>
|
|
||||||
|
|
||||||
prints out the SSL session states.
|
|
||||||
diff -up openssl-1.0.1i/doc/apps/s_time.pod.trusted-first openssl-1.0.1i/doc/apps/s_time.pod
|
|
||||||
--- openssl-1.0.1i/doc/apps/s_time.pod.trusted-first 2014-07-22 21:41:23.000000000 +0200
|
|
||||||
+++ openssl-1.0.1i/doc/apps/s_time.pod 2014-08-07 13:54:27.755103424 +0200
|
|
||||||
@@ -14,6 +14,7 @@ B<openssl> B<s_time>
|
|
||||||
[B<-key filename>]
|
|
||||||
[B<-CApath directory>]
|
|
||||||
[B<-CAfile filename>]
|
|
||||||
+[B<-trusted_first>]
|
|
||||||
[B<-reuse>]
|
|
||||||
[B<-new>]
|
|
||||||
[B<-verify depth>]
|
|
||||||
@@ -76,6 +77,12 @@ also used when building the client certi
|
|
||||||
A file containing trusted certificates to use during server authentication
|
|
||||||
and to use when attempting to build the client certificate chain.
|
|
||||||
|
|
||||||
+=item B<-trusted_first>
|
|
||||||
+
|
|
||||||
+Use certificates in CA file or CA directory over the certificates provided
|
|
||||||
+by the server when building the trust chain to verify server certificate.
|
|
||||||
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
|
||||||
+
|
|
||||||
=item B<-new>
|
|
||||||
|
|
||||||
performs the timing test using a new session ID for each connection.
|
|
||||||
diff -up openssl-1.0.1i/doc/apps/ts.pod.trusted-first openssl-1.0.1i/doc/apps/ts.pod
|
|
||||||
--- openssl-1.0.1i/doc/apps/ts.pod.trusted-first 2014-07-22 21:41:23.000000000 +0200
|
|
||||||
+++ openssl-1.0.1i/doc/apps/ts.pod 2014-08-07 13:54:27.756103429 +0200
|
|
||||||
@@ -46,6 +46,7 @@ B<-verify>
|
|
||||||
[B<-token_in>]
|
|
||||||
[B<-CApath> trusted_cert_path]
|
|
||||||
[B<-CAfile> trusted_certs.pem]
|
|
||||||
+[B<-trusted_first>]
|
|
||||||
[B<-untrusted> cert_file.pem]
|
|
||||||
|
|
||||||
=head1 DESCRIPTION
|
|
||||||
@@ -324,6 +325,12 @@ L<verify(1)|verify(1)> for additional de
|
|
||||||
or B<-CApath> must be specified.
|
|
||||||
(Optional)
|
|
||||||
|
|
||||||
+=item B<-trusted_first>
|
|
||||||
+
|
|
||||||
+Use certificates in CA file or CA directory before other certificates
|
|
||||||
+when building the trust chain to verify certificates.
|
|
||||||
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
|
||||||
+
|
|
||||||
=item B<-untrusted> cert_file.pem
|
|
||||||
|
|
||||||
Set of additional untrusted certificates in PEM format which may be
|
|
||||||
diff -up openssl-1.0.1i/doc/apps/verify.pod.trusted-first openssl-1.0.1i/doc/apps/verify.pod
|
|
||||||
--- openssl-1.0.1i/doc/apps/verify.pod.trusted-first 2014-08-06 23:10:56.000000000 +0200
|
|
||||||
+++ openssl-1.0.1i/doc/apps/verify.pod 2014-08-07 13:54:27.756103429 +0200
|
|
||||||
@@ -9,6 +9,7 @@ verify - Utility to verify certificates.
|
|
||||||
B<openssl> B<verify>
|
|
||||||
[B<-CApath directory>]
|
|
||||||
[B<-CAfile file>]
|
|
||||||
+[B<-trusted_first>]
|
|
||||||
[B<-purpose purpose>]
|
|
||||||
[B<-policy arg>]
|
|
||||||
[B<-ignore_critical>]
|
|
||||||
@@ -56,6 +57,12 @@ in PEM format concatenated together.
|
|
||||||
A file of untrusted certificates. The file should contain multiple certificates
|
|
||||||
in PEM format concatenated together.
|
|
||||||
|
|
||||||
+=item B<-trusted_first>
|
|
||||||
+
|
|
||||||
+Use certificates in CA file or CA directory before the certificates in the untrusted
|
|
||||||
+file when building the trust chain to verify certificates.
|
|
||||||
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
|
||||||
+
|
|
||||||
=item B<-purpose purpose>
|
|
||||||
|
|
||||||
The intended use for the certificate. If this option is not specified,
|
|
@ -1,135 +0,0 @@
|
|||||||
diff -up openssl-1.0.1j/apps/s_apps.h.ephemeral openssl-1.0.1j/apps/s_apps.h
|
|
||||||
--- openssl-1.0.1j/apps/s_apps.h.ephemeral 2014-10-16 13:32:30.772817591 +0200
|
|
||||||
+++ openssl-1.0.1j/apps/s_apps.h 2014-10-16 13:32:30.865819691 +0200
|
|
||||||
@@ -156,6 +156,7 @@ int MS_CALLBACK verify_callback(int ok,
|
|
||||||
int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
|
|
||||||
int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
|
|
||||||
#endif
|
|
||||||
+int ssl_print_tmp_key(BIO *out, SSL *s);
|
|
||||||
int init_client(int *sock, char *server, char *port, int type);
|
|
||||||
int should_retry(int i);
|
|
||||||
int extract_host_port(char *str,char **host_ptr,char **port_ptr);
|
|
||||||
diff -up openssl-1.0.1j/apps/s_cb.c.ephemeral openssl-1.0.1j/apps/s_cb.c
|
|
||||||
--- openssl-1.0.1j/apps/s_cb.c.ephemeral 2014-10-15 14:53:39.000000000 +0200
|
|
||||||
+++ openssl-1.0.1j/apps/s_cb.c 2014-10-16 13:32:30.865819691 +0200
|
|
||||||
@@ -338,6 +338,38 @@ void MS_CALLBACK apps_ssl_info_callback(
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+int ssl_print_tmp_key(BIO *out, SSL *s)
|
|
||||||
+ {
|
|
||||||
+ EVP_PKEY *key;
|
|
||||||
+ if (!SSL_get_server_tmp_key(s, &key))
|
|
||||||
+ return 1;
|
|
||||||
+ BIO_puts(out, "Server Temp Key: ");
|
|
||||||
+ switch (EVP_PKEY_id(key))
|
|
||||||
+ {
|
|
||||||
+ case EVP_PKEY_RSA:
|
|
||||||
+ BIO_printf(out, "RSA, %d bits\n", EVP_PKEY_bits(key));
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
+ case EVP_PKEY_DH:
|
|
||||||
+ BIO_printf(out, "DH, %d bits\n", EVP_PKEY_bits(key));
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
+ case EVP_PKEY_EC:
|
|
||||||
+ {
|
|
||||||
+ EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
|
|
||||||
+ int nid;
|
|
||||||
+ const char *cname;
|
|
||||||
+ nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
|
|
||||||
+ EC_KEY_free(ec);
|
|
||||||
+ cname = OBJ_nid2sn(nid);
|
|
||||||
+ BIO_printf(out, "ECDH, %s, %d bits\n",
|
|
||||||
+ cname, EVP_PKEY_bits(key));
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ EVP_PKEY_free(key);
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
|
|
||||||
void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)
|
|
||||||
{
|
|
||||||
diff -up openssl-1.0.1j/apps/s_client.c.ephemeral openssl-1.0.1j/apps/s_client.c
|
|
||||||
--- openssl-1.0.1j/apps/s_client.c.ephemeral 2014-10-16 13:32:30.860819578 +0200
|
|
||||||
+++ openssl-1.0.1j/apps/s_client.c 2014-10-16 13:32:30.865819691 +0200
|
|
||||||
@@ -2044,6 +2044,8 @@ static void print_stuff(BIO *bio, SSL *s
|
|
||||||
BIO_write(bio,"\n",1);
|
|
||||||
}
|
|
||||||
|
|
||||||
+ ssl_print_tmp_key(bio, s);
|
|
||||||
+
|
|
||||||
BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
|
|
||||||
BIO_number_read(SSL_get_rbio(s)),
|
|
||||||
BIO_number_written(SSL_get_wbio(s)));
|
|
||||||
diff -up openssl-1.0.1j/ssl/ssl.h.ephemeral openssl-1.0.1j/ssl/ssl.h
|
|
||||||
--- openssl-1.0.1j/ssl/ssl.h.ephemeral 2014-10-16 13:32:30.851819375 +0200
|
|
||||||
+++ openssl-1.0.1j/ssl/ssl.h 2014-10-16 13:33:23.233001903 +0200
|
|
||||||
@@ -1585,6 +1585,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
|
|
||||||
#define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82
|
|
||||||
#define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83
|
|
||||||
|
|
||||||
+#define SSL_CTRL_GET_SERVER_TMP_KEY 109
|
|
||||||
#define SSL_CTRL_CHECK_PROTO_VERSION 119
|
|
||||||
|
|
||||||
#define DTLSv1_get_timeout(ssl, arg) \
|
|
||||||
@@ -1628,6 +1629,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
|
|
||||||
#define SSL_CTX_clear_extra_chain_certs(ctx) \
|
|
||||||
SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)
|
|
||||||
|
|
||||||
+#define SSL_get_server_tmp_key(s, pk) \
|
|
||||||
+ SSL_ctrl(s,SSL_CTRL_GET_SERVER_TMP_KEY,0,pk)
|
|
||||||
+
|
|
||||||
#ifndef OPENSSL_NO_BIO
|
|
||||||
BIO_METHOD *BIO_f_ssl(void);
|
|
||||||
BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
|
|
||||||
diff -up openssl-1.0.1j/ssl/s3_lib.c.ephemeral openssl-1.0.1j/ssl/s3_lib.c
|
|
||||||
--- openssl-1.0.1j/ssl/s3_lib.c.ephemeral 2014-10-16 13:32:30.866819713 +0200
|
|
||||||
+++ openssl-1.0.1j/ssl/s3_lib.c 2014-10-16 13:34:08.918033262 +0200
|
|
||||||
@@ -3356,6 +3356,45 @@ long ssl3_ctrl(SSL *s, int cmd, long lar
|
|
||||||
|
|
||||||
#endif /* !OPENSSL_NO_TLSEXT */
|
|
||||||
|
|
||||||
+ case SSL_CTRL_GET_SERVER_TMP_KEY:
|
|
||||||
+ if (s->server || !s->session || !s->session->sess_cert)
|
|
||||||
+ return 0;
|
|
||||||
+ else
|
|
||||||
+ {
|
|
||||||
+ SESS_CERT *sc;
|
|
||||||
+ EVP_PKEY *ptmp;
|
|
||||||
+ int rv = 0;
|
|
||||||
+ sc = s->session->sess_cert;
|
|
||||||
+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC)
|
|
||||||
+ if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp
|
|
||||||
+ && !sc->peer_ecdh_tmp)
|
|
||||||
+ return 0;
|
|
||||||
+#endif
|
|
||||||
+ ptmp = EVP_PKEY_new();
|
|
||||||
+ if (!ptmp)
|
|
||||||
+ return 0;
|
|
||||||
+ if (0);
|
|
||||||
+#ifndef OPENSSL_NO_RSA
|
|
||||||
+ else if (sc->peer_rsa_tmp)
|
|
||||||
+ rv = EVP_PKEY_set1_RSA(ptmp, sc->peer_rsa_tmp);
|
|
||||||
+#endif
|
|
||||||
+#ifndef OPENSSL_NO_DH
|
|
||||||
+ else if (sc->peer_dh_tmp)
|
|
||||||
+ rv = EVP_PKEY_set1_DH(ptmp, sc->peer_dh_tmp);
|
|
||||||
+#endif
|
|
||||||
+#ifndef OPENSSL_NO_ECDH
|
|
||||||
+ else if (sc->peer_ecdh_tmp)
|
|
||||||
+ rv = EVP_PKEY_set1_EC_KEY(ptmp, sc->peer_ecdh_tmp);
|
|
||||||
+#endif
|
|
||||||
+ if (rv)
|
|
||||||
+ {
|
|
||||||
+ *(EVP_PKEY **)parg = ptmp;
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
+ EVP_PKEY_free(ptmp);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
case SSL_CTRL_CHECK_PROTO_VERSION:
|
|
||||||
/* For library-internal use; checks that the current protocol
|
|
||||||
* is the highest enabled version (according to s->ctx->method,
|
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
110
openssl-1.0.2a-apps-dgst.patch
Normal file
110
openssl-1.0.2a-apps-dgst.patch
Normal file
@ -0,0 +1,110 @@
|
|||||||
|
diff -up openssl-1.0.2a/apps/ca.c.dgst openssl-1.0.2a/apps/ca.c
|
||||||
|
--- openssl-1.0.2a/apps/ca.c.dgst 2015-03-19 14:30:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/apps/ca.c 2015-04-21 17:01:38.841551616 +0200
|
||||||
|
@@ -157,7 +157,7 @@ static const char *ca_usage[] = {
|
||||||
|
" -startdate YYMMDDHHMMSSZ - certificate validity notBefore\n",
|
||||||
|
" -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)\n",
|
||||||
|
" -days arg - number of days to certify the certificate for\n",
|
||||||
|
- " -md arg - md to use, one of md2, md5, sha or sha1\n",
|
||||||
|
+ " -md arg - md to use, see openssl dgst -h for list\n",
|
||||||
|
" -policy arg - The CA 'policy' to support\n",
|
||||||
|
" -keyfile arg - private key file\n",
|
||||||
|
" -keyform arg - private key file format (PEM or ENGINE)\n",
|
||||||
|
diff -up openssl-1.0.2a/apps/enc.c.dgst openssl-1.0.2a/apps/enc.c
|
||||||
|
--- openssl-1.0.2a/apps/enc.c.dgst 2015-03-19 14:19:00.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/apps/enc.c 2015-04-21 17:01:38.841551616 +0200
|
||||||
|
@@ -294,7 +294,7 @@ int MAIN(int argc, char **argv)
|
||||||
|
"%-14s the next argument is the md to use to create a key\n",
|
||||||
|
"-md");
|
||||||
|
BIO_printf(bio_err,
|
||||||
|
- "%-14s from a passphrase. One of md2, md5, sha or sha1\n",
|
||||||
|
+ "%-14s from a passphrase. See openssl dgst -h for list.\n",
|
||||||
|
"");
|
||||||
|
BIO_printf(bio_err, "%-14s salt in hex is the next argument\n",
|
||||||
|
"-S");
|
||||||
|
diff -up openssl-1.0.2a/apps/req.c.dgst openssl-1.0.2a/apps/req.c
|
||||||
|
--- openssl-1.0.2a/apps/req.c.dgst 2015-03-19 14:19:00.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/apps/req.c 2015-04-21 17:01:38.842551640 +0200
|
||||||
|
@@ -414,7 +414,7 @@ int MAIN(int argc, char **argv)
|
||||||
|
" -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n");
|
||||||
|
#endif
|
||||||
|
BIO_printf(bio_err,
|
||||||
|
- " -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
|
||||||
|
+ " -[digest] Digest to sign with (see openssl dgst -h for list)\n");
|
||||||
|
BIO_printf(bio_err, " -config file request template file.\n");
|
||||||
|
BIO_printf(bio_err,
|
||||||
|
" -subj arg set or modify request subject\n");
|
||||||
|
diff -up openssl-1.0.2a/apps/ts.c.dgst openssl-1.0.2a/apps/ts.c
|
||||||
|
--- openssl-1.0.2a/apps/ts.c.dgst 2015-03-19 14:19:00.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/apps/ts.c 2015-04-21 17:01:38.842551640 +0200
|
||||||
|
@@ -337,7 +337,7 @@ int MAIN(int argc, char **argv)
|
||||||
|
BIO_printf(bio_err, "usage:\n"
|
||||||
|
"ts -query [-rand file%cfile%c...] [-config configfile] "
|
||||||
|
"[-data file_to_hash] [-digest digest_bytes]"
|
||||||
|
- "[-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160] "
|
||||||
|
+ "[-<hashalg>] "
|
||||||
|
"[-policy object_id] [-no_nonce] [-cert] "
|
||||||
|
"[-in request.tsq] [-out request.tsq] [-text]\n",
|
||||||
|
LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
|
||||||
|
diff -up openssl-1.0.2a/apps/x509.c.dgst openssl-1.0.2a/apps/x509.c
|
||||||
|
--- openssl-1.0.2a/apps/x509.c.dgst 2015-03-19 14:30:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/apps/x509.c 2015-04-21 17:01:38.842551640 +0200
|
||||||
|
@@ -141,7 +141,7 @@ static const char *x509_usage[] = {
|
||||||
|
" -set_serial - serial number to use\n",
|
||||||
|
" -text - print the certificate in text form\n",
|
||||||
|
" -C - print out C code forms\n",
|
||||||
|
- " -md2/-md5/-sha1/-mdc2 - digest to use\n",
|
||||||
|
+ " -<dgst> - digest to use, see openssl dgst -h output for list\n",
|
||||||
|
" -extfile - configuration file with X509V3 extensions to add\n",
|
||||||
|
" -extensions - section from config file with X509V3 extensions to add\n",
|
||||||
|
" -clrext - delete extensions before signing and input certificate\n",
|
||||||
|
diff -up openssl-1.0.2a/doc/apps/ca.pod.dgst openssl-1.0.2a/doc/apps/ca.pod
|
||||||
|
--- openssl-1.0.2a/doc/apps/ca.pod.dgst 2015-01-20 13:33:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/doc/apps/ca.pod 2015-04-21 17:01:38.842551640 +0200
|
||||||
|
@@ -168,7 +168,8 @@ the number of days to certify the certif
|
||||||
|
=item B<-md alg>
|
||||||
|
|
||||||
|
the message digest to use. Possible values include md5, sha1 and mdc2.
|
||||||
|
-This option also applies to CRLs.
|
||||||
|
+For full list of digests see openssl dgst -h output. This option also
|
||||||
|
+applies to CRLs.
|
||||||
|
|
||||||
|
=item B<-policy arg>
|
||||||
|
|
||||||
|
diff -up openssl-1.0.2a/doc/apps/ocsp.pod.dgst openssl-1.0.2a/doc/apps/ocsp.pod
|
||||||
|
--- openssl-1.0.2a/doc/apps/ocsp.pod.dgst 2015-03-19 14:19:00.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/doc/apps/ocsp.pod 2015-04-21 17:01:38.842551640 +0200
|
||||||
|
@@ -219,7 +219,8 @@ check is not performed.
|
||||||
|
=item B<-md5|-sha1|-sha256|-ripemod160|...>
|
||||||
|
|
||||||
|
this option sets digest algorithm to use for certificate identification
|
||||||
|
-in the OCSP request. By default SHA-1 is used.
|
||||||
|
+in the OCSP request. By default SHA-1 is used. See openssl dgst -h output for
|
||||||
|
+the list of available algorithms.
|
||||||
|
|
||||||
|
=back
|
||||||
|
|
||||||
|
diff -up openssl-1.0.2a/doc/apps/req.pod.dgst openssl-1.0.2a/doc/apps/req.pod
|
||||||
|
--- openssl-1.0.2a/doc/apps/req.pod.dgst 2015-03-19 14:30:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/doc/apps/req.pod 2015-04-21 17:01:38.843551664 +0200
|
||||||
|
@@ -201,7 +201,8 @@ will not be encrypted.
|
||||||
|
|
||||||
|
this specifies the message digest to sign the request with (such as
|
||||||
|
B<-md5>, B<-sha1>). This overrides the digest algorithm specified in
|
||||||
|
-the configuration file.
|
||||||
|
+the configuration file. For full list of possible digests see openssl
|
||||||
|
+dgst -h output.
|
||||||
|
|
||||||
|
Some public key algorithms may override this choice. For instance, DSA
|
||||||
|
signatures always use SHA1, GOST R 34.10 signatures always use
|
||||||
|
diff -up openssl-1.0.2a/doc/apps/x509.pod.dgst openssl-1.0.2a/doc/apps/x509.pod
|
||||||
|
--- openssl-1.0.2a/doc/apps/x509.pod.dgst 2015-03-19 14:30:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/doc/apps/x509.pod 2015-04-21 17:01:38.843551664 +0200
|
||||||
|
@@ -107,6 +107,7 @@ the digest to use. This affects any sign
|
||||||
|
digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not
|
||||||
|
specified then SHA1 is used. If the key being used to sign with is a DSA key
|
||||||
|
then this option has no effect: SHA1 is always used with DSA keys.
|
||||||
|
+For full list of digests see openssl dgst -h output.
|
||||||
|
|
||||||
|
=item B<-engine id>
|
||||||
|
|
27
openssl-1.0.2a-cc-reqs.patch
Normal file
27
openssl-1.0.2a-cc-reqs.patch
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
diff -up openssl-1.0.2a/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.0.2a/crypto/rsa/rsa_gen.c
|
||||||
|
--- openssl-1.0.2a/crypto/rsa/rsa_gen.c.cc-reqs 2015-04-09 18:22:58.638448432 +0200
|
||||||
|
+++ openssl-1.0.2a/crypto/rsa/rsa_gen.c 2015-04-09 18:22:57.264416692 +0200
|
||||||
|
@@ -474,6 +474,12 @@ static int rsa_builtin_keygen(RSA *rsa,
|
||||||
|
if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
|
||||||
|
goto err;
|
||||||
|
|
||||||
|
+ /* prepare minimum p and q difference */
|
||||||
|
+ if (!BN_one(r3))
|
||||||
|
+ goto err;
|
||||||
|
+ if (bitsp > 100 && !BN_lshift(r3, r3, bitsp - 100))
|
||||||
|
+ goto err;
|
||||||
|
+
|
||||||
|
BN_copy(rsa->e, e_value);
|
||||||
|
|
||||||
|
/* generate p and q */
|
||||||
|
@@ -501,7 +507,9 @@ static int rsa_builtin_keygen(RSA *rsa,
|
||||||
|
do {
|
||||||
|
if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
|
||||||
|
goto err;
|
||||||
|
- } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
|
||||||
|
+ if (!BN_sub(r2, rsa->q, rsa->p))
|
||||||
|
+ goto err;
|
||||||
|
+ } while ((BN_ucmp(r2, r3) <= 0) && (++degenerate < 3));
|
||||||
|
if (degenerate == 3) {
|
||||||
|
ok = 0; /* we set our own err */
|
||||||
|
RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
|
24
openssl-1.0.2a-chil-fixes.patch
Normal file
24
openssl-1.0.2a-chil-fixes.patch
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
diff -up openssl-1.0.2a/engines/e_chil.c.chil openssl-1.0.2a/engines/e_chil.c
|
||||||
|
--- openssl-1.0.2a/engines/e_chil.c.chil 2015-03-19 14:19:00.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/engines/e_chil.c 2015-04-21 17:06:25.480293443 +0200
|
||||||
|
@@ -1247,6 +1247,11 @@ static int hwcrhk_insert_card(const char
|
||||||
|
UI *ui;
|
||||||
|
void *callback_data = NULL;
|
||||||
|
UI_METHOD *ui_method = NULL;
|
||||||
|
+ /* Despite what the documentation says prompt_info can be
|
||||||
|
+ * an empty string.
|
||||||
|
+ */
|
||||||
|
+ if (prompt_info && !*prompt_info)
|
||||||
|
+ prompt_info = NULL;
|
||||||
|
|
||||||
|
if (cactx) {
|
||||||
|
if (cactx->ui_method)
|
||||||
|
@@ -1268,7 +1273,7 @@ static int hwcrhk_insert_card(const char
|
||||||
|
ui = UI_new_method(ui_method);
|
||||||
|
|
||||||
|
if (ui) {
|
||||||
|
- char answer;
|
||||||
|
+ char answer = '\0';
|
||||||
|
char buf[BUFSIZ];
|
||||||
|
/*
|
||||||
|
* Despite what the documentation says wrong_info can be an empty
|
46
openssl-1.0.2a-compat-symbols.patch
Normal file
46
openssl-1.0.2a-compat-symbols.patch
Normal file
@ -0,0 +1,46 @@
|
|||||||
|
diff -up openssl-1.0.2a/crypto/dsa/dsa_key.c.compat openssl-1.0.2a/crypto/dsa/dsa_key.c
|
||||||
|
--- openssl-1.0.2a/crypto/dsa/dsa_key.c.compat 2015-04-09 18:21:11.687977858 +0200
|
||||||
|
+++ openssl-1.0.2a/crypto/dsa/dsa_key.c 2015-04-09 18:21:07.869889659 +0200
|
||||||
|
@@ -68,6 +68,11 @@
|
||||||
|
# include <openssl/fips.h>
|
||||||
|
# include <openssl/evp.h>
|
||||||
|
|
||||||
|
+/* just a compatibility symbol - no-op */
|
||||||
|
+void FIPS_corrupt_dsa_keygen(void)
|
||||||
|
+{
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static int fips_check_dsa(DSA *dsa)
|
||||||
|
{
|
||||||
|
EVP_PKEY *pk;
|
||||||
|
diff -up openssl-1.0.2a/crypto/engine/eng_all.c.compat openssl-1.0.2a/crypto/engine/eng_all.c
|
||||||
|
--- openssl-1.0.2a/crypto/engine/eng_all.c.compat 2015-04-09 18:21:11.688977881 +0200
|
||||||
|
+++ openssl-1.0.2a/crypto/engine/eng_all.c 2015-04-09 18:21:09.159919459 +0200
|
||||||
|
@@ -63,6 +63,11 @@
|
||||||
|
# include <openssl/fips.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+/* just backwards compatibility symbol - no-op */
|
||||||
|
+void ENGINE_load_aesni(void)
|
||||||
|
+{
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
void ENGINE_load_builtin_engines(void)
|
||||||
|
{
|
||||||
|
/* Some ENGINEs need this */
|
||||||
|
diff -up openssl-1.0.2a/crypto/fips/fips.c.compat openssl-1.0.2a/crypto/fips/fips.c
|
||||||
|
--- openssl-1.0.2a/crypto/fips/fips.c.compat 2015-04-09 18:21:11.689977904 +0200
|
||||||
|
+++ openssl-1.0.2a/crypto/fips/fips.c 2015-04-09 18:21:09.925937154 +0200
|
||||||
|
@@ -113,6 +113,12 @@ int FIPS_module_mode(void)
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* just a compat symbol - return NULL */
|
||||||
|
+const void *FIPS_rand_check(void)
|
||||||
|
+{
|
||||||
|
+ return NULL;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int FIPS_selftest_failed(void)
|
||||||
|
{
|
||||||
|
int ret = 0;
|
94
openssl-1.0.2a-default-paths.patch
Normal file
94
openssl-1.0.2a-default-paths.patch
Normal file
@ -0,0 +1,94 @@
|
|||||||
|
diff -up openssl-1.0.2a/apps/s_client.c.default-paths openssl-1.0.2a/apps/s_client.c
|
||||||
|
--- openssl-1.0.2a/apps/s_client.c.default-paths 2015-04-20 14:48:31.462166971 +0200
|
||||||
|
+++ openssl-1.0.2a/apps/s_client.c 2015-04-20 14:52:55.125316170 +0200
|
||||||
|
@@ -1336,19 +1336,16 @@ int MAIN(int argc, char **argv)
|
||||||
|
|
||||||
|
SSL_CTX_set_verify(ctx, verify, verify_callback);
|
||||||
|
|
||||||
|
- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
|
||||||
|
- (!SSL_CTX_set_default_verify_paths(ctx))) {
|
||||||
|
- /*
|
||||||
|
- * BIO_printf(bio_err,"error setting default verify locations\n");
|
||||||
|
- */
|
||||||
|
- ERR_print_errors(bio_err);
|
||||||
|
- /* goto end; */
|
||||||
|
+ if (CAfile == NULL && CApath == NULL) {
|
||||||
|
+ if (!SSL_CTX_set_default_verify_paths(ctx)) {
|
||||||
|
+ ERR_print_errors(bio_err);
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
|
||||||
|
+ ERR_print_errors(bio_err);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
- ssl_ctx_add_crls(ctx, crls, crl_download);
|
||||||
|
- if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain))
|
||||||
|
- goto end;
|
||||||
|
-
|
||||||
|
#ifndef OPENSSL_NO_TLSEXT
|
||||||
|
if (servername != NULL) {
|
||||||
|
tlsextcbp.biodebug = bio_err;
|
||||||
|
diff -up openssl-1.0.2a/apps/s_server.c.default-paths openssl-1.0.2a/apps/s_server.c
|
||||||
|
--- openssl-1.0.2a/apps/s_server.c.default-paths 2015-03-19 14:30:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/apps/s_server.c 2015-04-20 14:48:31.462166971 +0200
|
||||||
|
@@ -1768,12 +1768,16 @@ int MAIN(int argc, char *argv[])
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
|
||||||
|
- (!SSL_CTX_set_default_verify_paths(ctx))) {
|
||||||
|
- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
|
||||||
|
- ERR_print_errors(bio_err);
|
||||||
|
- /* goto end; */
|
||||||
|
+ if (CAfile == NULL && CApath == NULL) {
|
||||||
|
+ if (!SSL_CTX_set_default_verify_paths(ctx)) {
|
||||||
|
+ ERR_print_errors(bio_err);
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
|
||||||
|
+ ERR_print_errors(bio_err);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
+
|
||||||
|
if (vpm)
|
||||||
|
SSL_CTX_set1_param(ctx, vpm);
|
||||||
|
|
||||||
|
@@ -1830,8 +1834,10 @@ int MAIN(int argc, char *argv[])
|
||||||
|
else
|
||||||
|
SSL_CTX_sess_set_cache_size(ctx2, 128);
|
||||||
|
|
||||||
|
- if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) ||
|
||||||
|
- (!SSL_CTX_set_default_verify_paths(ctx2))) {
|
||||||
|
+ if (!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) {
|
||||||
|
+ ERR_print_errors(bio_err);
|
||||||
|
+ }
|
||||||
|
+ if (!SSL_CTX_set_default_verify_paths(ctx2)) {
|
||||||
|
ERR_print_errors(bio_err);
|
||||||
|
}
|
||||||
|
if (vpm)
|
||||||
|
diff -up openssl-1.0.2a/apps/s_time.c.default-paths openssl-1.0.2a/apps/s_time.c
|
||||||
|
--- openssl-1.0.2a/apps/s_time.c.default-paths 2015-04-20 14:48:31.462166971 +0200
|
||||||
|
+++ openssl-1.0.2a/apps/s_time.c 2015-04-20 14:55:14.232542738 +0200
|
||||||
|
@@ -381,13 +381,14 @@ int MAIN(int argc, char **argv)
|
||||||
|
|
||||||
|
SSL_load_error_strings();
|
||||||
|
|
||||||
|
- if ((!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) ||
|
||||||
|
- (!SSL_CTX_set_default_verify_paths(tm_ctx))) {
|
||||||
|
- /*
|
||||||
|
- * BIO_printf(bio_err,"error setting default verify locations\n");
|
||||||
|
- */
|
||||||
|
- ERR_print_errors(bio_err);
|
||||||
|
- /* goto end; */
|
||||||
|
+ if (CAfile == NULL && CApath == NULL) {
|
||||||
|
+ if (!SSL_CTX_set_default_verify_paths(tm_ctx)) {
|
||||||
|
+ ERR_print_errors(bio_err);
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ if (!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) {
|
||||||
|
+ ERR_print_errors(bio_err);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
if (tm_cipher == NULL)
|
@ -1,6 +1,6 @@
|
|||||||
diff -up openssl-1.0.1e/apps/openssl.cnf.defaults openssl-1.0.1e/apps/openssl.cnf
|
diff -up openssl-1.0.2a/apps/openssl.cnf.defaults openssl-1.0.2a/apps/openssl.cnf
|
||||||
--- openssl-1.0.1e/apps/openssl.cnf.defaults 2013-02-11 16:26:04.000000000 +0100
|
--- openssl-1.0.2a/apps/openssl.cnf.defaults 2015-03-19 14:30:36.000000000 +0100
|
||||||
+++ openssl-1.0.1e/apps/openssl.cnf 2014-02-06 18:00:00.170929334 +0100
|
+++ openssl-1.0.2a/apps/openssl.cnf 2015-04-20 14:37:10.112271850 +0200
|
||||||
@@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate fi
|
@@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate fi
|
||||||
|
|
||||||
default_days = 365 # how long to certify for
|
default_days = 365 # how long to certify for
|
||||||
@ -10,12 +10,10 @@ diff -up openssl-1.0.1e/apps/openssl.cnf.defaults openssl-1.0.1e/apps/openssl.cn
|
|||||||
preserve = no # keep passed DN ordering
|
preserve = no # keep passed DN ordering
|
||||||
|
|
||||||
# A few difference way of specifying how similar the request should look
|
# A few difference way of specifying how similar the request should look
|
||||||
@@ -103,7 +103,8 @@ emailAddress = optional
|
@@ -104,6 +104,7 @@ emailAddress = optional
|
||||||
|
|
||||||
####################################################################
|
####################################################################
|
||||||
[ req ]
|
[ req ]
|
||||||
-default_bits = 1024
|
default_bits = 2048
|
||||||
+default_bits = 2048
|
|
||||||
+default_md = sha256
|
+default_md = sha256
|
||||||
default_keyfile = privkey.pem
|
default_keyfile = privkey.pem
|
||||||
distinguished_name = req_distinguished_name
|
distinguished_name = req_distinguished_name
|
75
openssl-1.0.2a-dh-1024.patch
Normal file
75
openssl-1.0.2a-dh-1024.patch
Normal file
@ -0,0 +1,75 @@
|
|||||||
|
diff -up openssl-1.0.2a/apps/s_server.c.dh1024 openssl-1.0.2a/apps/s_server.c
|
||||||
|
--- openssl-1.0.2a/apps/s_server.c.dh1024 2015-04-09 18:19:55.978228949 +0200
|
||||||
|
+++ openssl-1.0.2a/apps/s_server.c 2015-04-09 18:19:50.842110304 +0200
|
||||||
|
@@ -230,29 +230,44 @@ static void s_server_init(void);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_DH
|
||||||
|
-static unsigned char dh512_p[] = {
|
||||||
|
- 0xDA, 0x58, 0x3C, 0x16, 0xD9, 0x85, 0x22, 0x89, 0xD0, 0xE4, 0xAF, 0x75,
|
||||||
|
- 0x6F, 0x4C, 0xCA, 0x92, 0xDD, 0x4B, 0xE5, 0x33, 0xB8, 0x04, 0xFB, 0x0F,
|
||||||
|
- 0xED, 0x94, 0xEF, 0x9C, 0x8A, 0x44, 0x03, 0xED, 0x57, 0x46, 0x50, 0xD3,
|
||||||
|
- 0x69, 0x99, 0xDB, 0x29, 0xD7, 0x76, 0x27, 0x6B, 0xA2, 0xD3, 0xD4, 0x12,
|
||||||
|
- 0xE2, 0x18, 0xF4, 0xDD, 0x1E, 0x08, 0x4C, 0xF6, 0xD8, 0x00, 0x3E, 0x7C,
|
||||||
|
- 0x47, 0x74, 0xE8, 0x33,
|
||||||
|
-};
|
||||||
|
-
|
||||||
|
-static unsigned char dh512_g[] = {
|
||||||
|
- 0x02,
|
||||||
|
-};
|
||||||
|
-
|
||||||
|
-static DH *get_dh512(void)
|
||||||
|
+static DH *get_dh1024()
|
||||||
|
{
|
||||||
|
- DH *dh = NULL;
|
||||||
|
+ static unsigned char dh1024_p[] = {
|
||||||
|
+ 0x99, 0x58, 0xFA, 0x90, 0x53, 0x2F, 0xE0, 0x61, 0x83, 0x9D, 0x54,
|
||||||
|
+ 0x63,
|
||||||
|
+ 0xBD, 0x35, 0x5A, 0x31, 0xF3, 0xC6, 0x79, 0xE5, 0xA0, 0x0F, 0x66,
|
||||||
|
+ 0x79,
|
||||||
|
+ 0x3C, 0xA0, 0x7F, 0xE8, 0xA2, 0x5F, 0xDF, 0x11, 0x08, 0xA3, 0xF0,
|
||||||
|
+ 0x3C,
|
||||||
|
+ 0xC3, 0x3C, 0x5D, 0x50, 0x2C, 0xD5, 0xD6, 0x58, 0x12, 0xDB, 0xC1,
|
||||||
|
+ 0xEF,
|
||||||
|
+ 0xB4, 0x47, 0x4A, 0x5A, 0x39, 0x8A, 0x4E, 0xEB, 0x44, 0xE2, 0x07,
|
||||||
|
+ 0xFB,
|
||||||
|
+ 0x3D, 0xA3, 0xC7, 0x6E, 0x52, 0xF3, 0x2B, 0x7B, 0x10, 0xA5, 0x98,
|
||||||
|
+ 0xE3,
|
||||||
|
+ 0x38, 0x2A, 0xE2, 0x7F, 0xA4, 0x8F, 0x26, 0x87, 0x9B, 0x66, 0x7A,
|
||||||
|
+ 0xED,
|
||||||
|
+ 0x2D, 0x4C, 0xE7, 0x33, 0x77, 0x47, 0x94, 0x43, 0xB6, 0xAA, 0x97,
|
||||||
|
+ 0x23,
|
||||||
|
+ 0x8A, 0xFC, 0xA5, 0xA6, 0x64, 0x09, 0xC0, 0x27, 0xC0, 0xEF, 0xCB,
|
||||||
|
+ 0x05,
|
||||||
|
+ 0x90, 0x9D, 0xD5, 0x75, 0xBA, 0x00, 0xE0, 0xFB, 0xA8, 0x81, 0x52,
|
||||||
|
+ 0xA4,
|
||||||
|
+ 0xB2, 0x83, 0x22, 0x5B, 0xCB, 0xD7, 0x16, 0x93,
|
||||||
|
+ };
|
||||||
|
+ static unsigned char dh1024_g[] = {
|
||||||
|
+ 0x02,
|
||||||
|
+ };
|
||||||
|
+ DH *dh;
|
||||||
|
|
||||||
|
if ((dh = DH_new()) == NULL)
|
||||||
|
return (NULL);
|
||||||
|
- dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
|
||||||
|
- dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
|
||||||
|
- if ((dh->p == NULL) || (dh->g == NULL))
|
||||||
|
+ dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
|
||||||
|
+ dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
|
||||||
|
+ if ((dh->p == NULL) || (dh->g == NULL)) {
|
||||||
|
+ DH_free(dh);
|
||||||
|
return (NULL);
|
||||||
|
+ }
|
||||||
|
return (dh);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
@@ -1872,7 +1987,7 @@ int MAIN(int argc, char *argv[])
|
||||||
|
BIO_printf(bio_s_out, "Setting temp DH parameters\n");
|
||||||
|
} else {
|
||||||
|
BIO_printf(bio_s_out, "Using default temp DH parameters\n");
|
||||||
|
- dh = get_dh512();
|
||||||
|
+ dh = get_dh1024();
|
||||||
|
}
|
||||||
|
(void)BIO_flush(bio_s_out);
|
||||||
|
|
13
openssl-1.0.2a-disable-sslv2v3.patch
Normal file
13
openssl-1.0.2a-disable-sslv2v3.patch
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
diff -up openssl-1.0.2a/ssl/ssl_lib.c.v2v3 openssl-1.0.2a/ssl/ssl_lib.c
|
||||||
|
--- openssl-1.0.2a/ssl/ssl_lib.c.v2v3 2015-04-22 15:37:15.974345757 +0200
|
||||||
|
+++ openssl-1.0.2a/ssl/ssl_lib.c 2015-04-22 15:39:39.114782365 +0200
|
||||||
|
@@ -2048,6 +2048,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
|
||||||
|
*/
|
||||||
|
ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
|
||||||
|
|
||||||
|
+ /* Disable SSLv2 and SSLv3 by default (affects the SSLv23_method() only) */
|
||||||
|
+ ret->options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
|
||||||
|
+
|
||||||
|
return (ret);
|
||||||
|
err:
|
||||||
|
SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
|
23
openssl-1.0.2a-dtls1-abi.patch
Normal file
23
openssl-1.0.2a-dtls1-abi.patch
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
diff -up openssl-1.0.2a/ssl/dtls1.h.dtls1-abi openssl-1.0.2a/ssl/dtls1.h
|
||||||
|
--- openssl-1.0.2a/ssl/dtls1.h.dtls1-abi 2015-04-21 10:49:57.984781143 +0200
|
||||||
|
+++ openssl-1.0.2a/ssl/dtls1.h 2015-04-21 16:41:37.835164264 +0200
|
||||||
|
@@ -214,9 +214,6 @@ typedef struct dtls1_state_st {
|
||||||
|
* loss.
|
||||||
|
*/
|
||||||
|
record_pqueue buffered_app_data;
|
||||||
|
- /* Is set when listening for new connections with dtls1_listen() */
|
||||||
|
- unsigned int listen;
|
||||||
|
- unsigned int link_mtu; /* max on-the-wire DTLS packet size */
|
||||||
|
unsigned int mtu; /* max DTLS packet size */
|
||||||
|
struct hm_header_st w_msg_hdr;
|
||||||
|
struct hm_header_st r_msg_hdr;
|
||||||
|
@@ -241,6 +238,9 @@ typedef struct dtls1_state_st {
|
||||||
|
* Cleared after the message has been processed.
|
||||||
|
*/
|
||||||
|
unsigned int change_cipher_spec_ok;
|
||||||
|
+ /* Is set when listening for new connections with dtls1_listen() */
|
||||||
|
+ unsigned int listen;
|
||||||
|
+ unsigned int link_mtu; /* max on-the-wire DTLS packet size */
|
||||||
|
# ifndef OPENSSL_NO_SCTP
|
||||||
|
/* used when SSL_ST_XX_FLUSH is entered */
|
||||||
|
int next_state;
|
199
openssl-1.0.2a-ecc-suiteb.patch
Normal file
199
openssl-1.0.2a-ecc-suiteb.patch
Normal file
@ -0,0 +1,199 @@
|
|||||||
|
diff -up openssl-1.0.2a/apps/speed.c.suiteb openssl-1.0.2a/apps/speed.c
|
||||||
|
--- openssl-1.0.2a/apps/speed.c.suiteb 2015-04-21 17:46:15.452321183 +0200
|
||||||
|
+++ openssl-1.0.2a/apps/speed.c 2015-04-22 14:52:45.362272296 +0200
|
||||||
|
@@ -996,78 +996,26 @@ int MAIN(int argc, char **argv)
|
||||||
|
} else
|
||||||
|
# endif
|
||||||
|
# ifndef OPENSSL_NO_ECDSA
|
||||||
|
- if (strcmp(*argv, "ecdsap160") == 0)
|
||||||
|
- ecdsa_doit[R_EC_P160] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdsap192") == 0)
|
||||||
|
- ecdsa_doit[R_EC_P192] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdsap224") == 0)
|
||||||
|
- ecdsa_doit[R_EC_P224] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdsap256") == 0)
|
||||||
|
+ if (strcmp(*argv, "ecdsap256") == 0)
|
||||||
|
ecdsa_doit[R_EC_P256] = 2;
|
||||||
|
else if (strcmp(*argv, "ecdsap384") == 0)
|
||||||
|
ecdsa_doit[R_EC_P384] = 2;
|
||||||
|
else if (strcmp(*argv, "ecdsap521") == 0)
|
||||||
|
ecdsa_doit[R_EC_P521] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdsak163") == 0)
|
||||||
|
- ecdsa_doit[R_EC_K163] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdsak233") == 0)
|
||||||
|
- ecdsa_doit[R_EC_K233] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdsak283") == 0)
|
||||||
|
- ecdsa_doit[R_EC_K283] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdsak409") == 0)
|
||||||
|
- ecdsa_doit[R_EC_K409] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdsak571") == 0)
|
||||||
|
- ecdsa_doit[R_EC_K571] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdsab163") == 0)
|
||||||
|
- ecdsa_doit[R_EC_B163] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdsab233") == 0)
|
||||||
|
- ecdsa_doit[R_EC_B233] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdsab283") == 0)
|
||||||
|
- ecdsa_doit[R_EC_B283] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdsab409") == 0)
|
||||||
|
- ecdsa_doit[R_EC_B409] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdsab571") == 0)
|
||||||
|
- ecdsa_doit[R_EC_B571] = 2;
|
||||||
|
else if (strcmp(*argv, "ecdsa") == 0) {
|
||||||
|
- for (i = 0; i < EC_NUM; i++)
|
||||||
|
+ for (i = R_EC_P256; i <= R_EC_P521; i++)
|
||||||
|
ecdsa_doit[i] = 1;
|
||||||
|
} else
|
||||||
|
# endif
|
||||||
|
# ifndef OPENSSL_NO_ECDH
|
||||||
|
- if (strcmp(*argv, "ecdhp160") == 0)
|
||||||
|
- ecdh_doit[R_EC_P160] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdhp192") == 0)
|
||||||
|
- ecdh_doit[R_EC_P192] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdhp224") == 0)
|
||||||
|
- ecdh_doit[R_EC_P224] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdhp256") == 0)
|
||||||
|
+ if (strcmp(*argv, "ecdhp256") == 0)
|
||||||
|
ecdh_doit[R_EC_P256] = 2;
|
||||||
|
else if (strcmp(*argv, "ecdhp384") == 0)
|
||||||
|
ecdh_doit[R_EC_P384] = 2;
|
||||||
|
else if (strcmp(*argv, "ecdhp521") == 0)
|
||||||
|
ecdh_doit[R_EC_P521] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdhk163") == 0)
|
||||||
|
- ecdh_doit[R_EC_K163] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdhk233") == 0)
|
||||||
|
- ecdh_doit[R_EC_K233] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdhk283") == 0)
|
||||||
|
- ecdh_doit[R_EC_K283] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdhk409") == 0)
|
||||||
|
- ecdh_doit[R_EC_K409] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdhk571") == 0)
|
||||||
|
- ecdh_doit[R_EC_K571] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdhb163") == 0)
|
||||||
|
- ecdh_doit[R_EC_B163] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdhb233") == 0)
|
||||||
|
- ecdh_doit[R_EC_B233] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdhb283") == 0)
|
||||||
|
- ecdh_doit[R_EC_B283] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdhb409") == 0)
|
||||||
|
- ecdh_doit[R_EC_B409] = 2;
|
||||||
|
- else if (strcmp(*argv, "ecdhb571") == 0)
|
||||||
|
- ecdh_doit[R_EC_B571] = 2;
|
||||||
|
else if (strcmp(*argv, "ecdh") == 0) {
|
||||||
|
- for (i = 0; i < EC_NUM; i++)
|
||||||
|
+ for (i = R_EC_P256; i <= R_EC_P521; i++)
|
||||||
|
ecdh_doit[i] = 1;
|
||||||
|
} else
|
||||||
|
# endif
|
||||||
|
@@ -1156,21 +1104,11 @@ int MAIN(int argc, char **argv)
|
||||||
|
BIO_printf(bio_err, "dsa512 dsa1024 dsa2048\n");
|
||||||
|
# endif
|
||||||
|
# ifndef OPENSSL_NO_ECDSA
|
||||||
|
- BIO_printf(bio_err, "ecdsap160 ecdsap192 ecdsap224 "
|
||||||
|
- "ecdsap256 ecdsap384 ecdsap521\n");
|
||||||
|
- BIO_printf(bio_err,
|
||||||
|
- "ecdsak163 ecdsak233 ecdsak283 ecdsak409 ecdsak571\n");
|
||||||
|
- BIO_printf(bio_err,
|
||||||
|
- "ecdsab163 ecdsab233 ecdsab283 ecdsab409 ecdsab571\n");
|
||||||
|
+ BIO_printf(bio_err, "ecdsap256 ecdsap384 ecdsap521\n");
|
||||||
|
BIO_printf(bio_err, "ecdsa\n");
|
||||||
|
# endif
|
||||||
|
# ifndef OPENSSL_NO_ECDH
|
||||||
|
- BIO_printf(bio_err, "ecdhp160 ecdhp192 ecdhp224 "
|
||||||
|
- "ecdhp256 ecdhp384 ecdhp521\n");
|
||||||
|
- BIO_printf(bio_err,
|
||||||
|
- "ecdhk163 ecdhk233 ecdhk283 ecdhk409 ecdhk571\n");
|
||||||
|
- BIO_printf(bio_err,
|
||||||
|
- "ecdhb163 ecdhb233 ecdhb283 ecdhb409 ecdhb571\n");
|
||||||
|
+ BIO_printf(bio_err, "ecdhp256 ecdhp384 ecdhp521\n");
|
||||||
|
BIO_printf(bio_err, "ecdh\n");
|
||||||
|
# endif
|
||||||
|
|
||||||
|
@@ -1255,11 +1193,11 @@ int MAIN(int argc, char **argv)
|
||||||
|
if (!FIPS_mode() || i != R_DSA_512)
|
||||||
|
dsa_doit[i] = 1;
|
||||||
|
# ifndef OPENSSL_NO_ECDSA
|
||||||
|
- for (i = 0; i < EC_NUM; i++)
|
||||||
|
+ for (i = R_EC_P256; i <= R_EC_P521; i++)
|
||||||
|
ecdsa_doit[i] = 1;
|
||||||
|
# endif
|
||||||
|
# ifndef OPENSSL_NO_ECDH
|
||||||
|
- for (i = 0; i < EC_NUM; i++)
|
||||||
|
+ for (i = R_EC_P256; i <= R_EC_P521; i++)
|
||||||
|
ecdh_doit[i] = 1;
|
||||||
|
# endif
|
||||||
|
}
|
||||||
|
diff -up openssl-1.0.2a/ssl/t1_lib.c.suiteb openssl-1.0.2a/ssl/t1_lib.c
|
||||||
|
--- openssl-1.0.2a/ssl/t1_lib.c.suiteb 2015-04-21 17:46:15.506322451 +0200
|
||||||
|
+++ openssl-1.0.2a/ssl/t1_lib.c 2015-04-22 15:03:32.464591096 +0200
|
||||||
|
@@ -266,41 +266,30 @@ static const unsigned char eccurves_defa
|
||||||
|
0, 13, /* sect571k1 (13) */
|
||||||
|
# endif
|
||||||
|
0, 25, /* secp521r1 (25) */
|
||||||
|
- 0, 28, /* brainpool512r1 (28) */
|
||||||
|
# ifndef OPENSSL_NO_EC2M
|
||||||
|
0, 11, /* sect409k1 (11) */
|
||||||
|
0, 12, /* sect409r1 (12) */
|
||||||
|
# endif
|
||||||
|
- 0, 27, /* brainpoolP384r1 (27) */
|
||||||
|
0, 24, /* secp384r1 (24) */
|
||||||
|
# ifndef OPENSSL_NO_EC2M
|
||||||
|
0, 9, /* sect283k1 (9) */
|
||||||
|
0, 10, /* sect283r1 (10) */
|
||||||
|
# endif
|
||||||
|
- 0, 26, /* brainpoolP256r1 (26) */
|
||||||
|
- 0, 22, /* secp256k1 (22) */
|
||||||
|
0, 23, /* secp256r1 (23) */
|
||||||
|
# ifndef OPENSSL_NO_EC2M
|
||||||
|
0, 8, /* sect239k1 (8) */
|
||||||
|
0, 6, /* sect233k1 (6) */
|
||||||
|
0, 7, /* sect233r1 (7) */
|
||||||
|
# endif
|
||||||
|
- 0, 20, /* secp224k1 (20) */
|
||||||
|
- 0, 21, /* secp224r1 (21) */
|
||||||
|
# ifndef OPENSSL_NO_EC2M
|
||||||
|
0, 4, /* sect193r1 (4) */
|
||||||
|
0, 5, /* sect193r2 (5) */
|
||||||
|
# endif
|
||||||
|
- 0, 18, /* secp192k1 (18) */
|
||||||
|
- 0, 19, /* secp192r1 (19) */
|
||||||
|
# ifndef OPENSSL_NO_EC2M
|
||||||
|
0, 1, /* sect163k1 (1) */
|
||||||
|
0, 2, /* sect163r1 (2) */
|
||||||
|
0, 3, /* sect163r2 (3) */
|
||||||
|
# endif
|
||||||
|
- 0, 15, /* secp160k1 (15) */
|
||||||
|
- 0, 16, /* secp160r1 (16) */
|
||||||
|
- 0, 17, /* secp160r2 (17) */
|
||||||
|
};
|
||||||
|
|
||||||
|
static const unsigned char suiteb_curves[] = {
|
||||||
|
@@ -325,29 +314,21 @@ static const unsigned char fips_curves_d
|
||||||
|
0, 9, /* sect283k1 (9) */
|
||||||
|
0, 10, /* sect283r1 (10) */
|
||||||
|
# endif
|
||||||
|
- 0, 22, /* secp256k1 (22) */
|
||||||
|
0, 23, /* secp256r1 (23) */
|
||||||
|
# ifndef OPENSSL_NO_EC2M
|
||||||
|
0, 8, /* sect239k1 (8) */
|
||||||
|
0, 6, /* sect233k1 (6) */
|
||||||
|
0, 7, /* sect233r1 (7) */
|
||||||
|
# endif
|
||||||
|
- 0, 20, /* secp224k1 (20) */
|
||||||
|
- 0, 21, /* secp224r1 (21) */
|
||||||
|
# ifndef OPENSSL_NO_EC2M
|
||||||
|
0, 4, /* sect193r1 (4) */
|
||||||
|
0, 5, /* sect193r2 (5) */
|
||||||
|
# endif
|
||||||
|
- 0, 18, /* secp192k1 (18) */
|
||||||
|
- 0, 19, /* secp192r1 (19) */
|
||||||
|
# ifndef OPENSSL_NO_EC2M
|
||||||
|
0, 1, /* sect163k1 (1) */
|
||||||
|
0, 2, /* sect163r1 (2) */
|
||||||
|
0, 3, /* sect163r2 (3) */
|
||||||
|
# endif
|
||||||
|
- 0, 15, /* secp160k1 (15) */
|
||||||
|
- 0, 16, /* secp160r1 (16) */
|
||||||
|
- 0, 17, /* secp160r2 (17) */
|
||||||
|
};
|
||||||
|
# endif
|
||||||
|
|
61
openssl-1.0.2a-enc-fail.patch
Normal file
61
openssl-1.0.2a-enc-fail.patch
Normal file
@ -0,0 +1,61 @@
|
|||||||
|
diff -up openssl-1.0.2a/crypto/evp/bio_enc.c.enc-fail openssl-1.0.2a/crypto/evp/bio_enc.c
|
||||||
|
--- openssl-1.0.2a/crypto/evp/bio_enc.c.enc-fail 2015-03-19 14:19:00.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/crypto/evp/bio_enc.c 2015-04-22 18:10:06.491819948 +0200
|
||||||
|
@@ -201,10 +201,14 @@ static int enc_read(BIO *b, char *out, i
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
- EVP_CipherUpdate(&(ctx->cipher),
|
||||||
|
- (unsigned char *)ctx->buf, &ctx->buf_len,
|
||||||
|
- (unsigned char *)&(ctx->buf[BUF_OFFSET]), i);
|
||||||
|
- ctx->cont = 1;
|
||||||
|
+ if (!EVP_CipherUpdate(&(ctx->cipher),
|
||||||
|
+ (unsigned char *)ctx->buf, &ctx->buf_len,
|
||||||
|
+ (unsigned char *)&(ctx->buf[BUF_OFFSET]),
|
||||||
|
+ i)) {
|
||||||
|
+ ctx->ok = 0;
|
||||||
|
+ ctx->cont = 0;
|
||||||
|
+ } else
|
||||||
|
+ ctx->cont = 1;
|
||||||
|
/*
|
||||||
|
* Note: it is possible for EVP_CipherUpdate to decrypt zero
|
||||||
|
* bytes because this is or looks like the final block: if this
|
||||||
|
@@ -260,9 +264,13 @@ static int enc_write(BIO *b, const char
|
||||||
|
ctx->buf_off = 0;
|
||||||
|
while (inl > 0) {
|
||||||
|
n = (inl > ENC_BLOCK_SIZE) ? ENC_BLOCK_SIZE : inl;
|
||||||
|
- EVP_CipherUpdate(&(ctx->cipher),
|
||||||
|
- (unsigned char *)ctx->buf, &ctx->buf_len,
|
||||||
|
- (unsigned char *)in, n);
|
||||||
|
+ if (!EVP_CipherUpdate(&(ctx->cipher),
|
||||||
|
+ (unsigned char *)ctx->buf, &ctx->buf_len,
|
||||||
|
+ (unsigned char *)in, n)) {
|
||||||
|
+ BIO_copy_next_retry(b);
|
||||||
|
+ ctx->ok = 0;
|
||||||
|
+ return ret - inl;
|
||||||
|
+ }
|
||||||
|
inl -= n;
|
||||||
|
in += n;
|
||||||
|
|
||||||
|
@@ -298,8 +306,9 @@ static long enc_ctrl(BIO *b, int cmd, lo
|
||||||
|
case BIO_CTRL_RESET:
|
||||||
|
ctx->ok = 1;
|
||||||
|
ctx->finished = 0;
|
||||||
|
- EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL,
|
||||||
|
- ctx->cipher.encrypt);
|
||||||
|
+ if (!EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL,
|
||||||
|
+ ctx->cipher.encrypt))
|
||||||
|
+ ctx->ok = 0;
|
||||||
|
ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
|
||||||
|
break;
|
||||||
|
case BIO_CTRL_EOF: /* More to read */
|
||||||
|
@@ -421,7 +430,8 @@ void BIO_set_cipher(BIO *b, const EVP_CI
|
||||||
|
|
||||||
|
b->init = 1;
|
||||||
|
ctx = (BIO_ENC_CTX *)b->ptr;
|
||||||
|
- EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e);
|
||||||
|
+ if (!EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e))
|
||||||
|
+ ctx->ok = 0;
|
||||||
|
|
||||||
|
if (b->callback != NULL)
|
||||||
|
b->callback(b, BIO_CB_CTRL, (const char *)c, BIO_CTRL_SET, e, 1L);
|
@ -1,7 +1,7 @@
|
|||||||
diff -up openssl-1.0.0-beta5/Configure.enginesdir openssl-1.0.0-beta5/Configure
|
diff -up openssl-1.0.2a/Configure.enginesdir openssl-1.0.2a/Configure
|
||||||
--- openssl-1.0.0-beta5/Configure.enginesdir 2010-01-20 18:07:05.000000000 +0100
|
--- openssl-1.0.2a/Configure.enginesdir 2015-04-20 14:37:58.137392222 +0200
|
||||||
+++ openssl-1.0.0-beta5/Configure 2010-01-20 18:10:48.000000000 +0100
|
+++ openssl-1.0.2a/Configure 2015-04-20 14:37:58.140392292 +0200
|
||||||
@@ -622,6 +622,7 @@ my $idx_multilib = $idx++;
|
@@ -702,6 +702,7 @@ my $idx_multilib = $idx++;
|
||||||
my $prefix="";
|
my $prefix="";
|
||||||
my $libdir="";
|
my $libdir="";
|
||||||
my $openssldir="";
|
my $openssldir="";
|
||||||
@ -9,7 +9,7 @@ diff -up openssl-1.0.0-beta5/Configure.enginesdir openssl-1.0.0-beta5/Configure
|
|||||||
my $exe_ext="";
|
my $exe_ext="";
|
||||||
my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
|
my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
|
||||||
my $cross_compile_prefix="";
|
my $cross_compile_prefix="";
|
||||||
@@ -833,6 +834,10 @@ PROCESS_ARGS:
|
@@ -929,6 +930,10 @@ PROCESS_ARGS:
|
||||||
{
|
{
|
||||||
$openssldir=$1;
|
$openssldir=$1;
|
||||||
}
|
}
|
||||||
@ -20,7 +20,7 @@ diff -up openssl-1.0.0-beta5/Configure.enginesdir openssl-1.0.0-beta5/Configure
|
|||||||
elsif (/^--install.prefix=(.*)$/)
|
elsif (/^--install.prefix=(.*)$/)
|
||||||
{
|
{
|
||||||
$install_prefix=$1;
|
$install_prefix=$1;
|
||||||
@@ -1053,7 +1058,7 @@ chop $prefix if $prefix =~ /.\/$/;
|
@@ -1185,7 +1190,7 @@ chop $prefix if $prefix =~ /.\/$/;
|
||||||
|
|
||||||
$openssldir=$prefix . "/ssl" if $openssldir eq "";
|
$openssldir=$prefix . "/ssl" if $openssldir eq "";
|
||||||
$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
|
$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
|
||||||
@ -29,7 +29,7 @@ diff -up openssl-1.0.0-beta5/Configure.enginesdir openssl-1.0.0-beta5/Configure
|
|||||||
|
|
||||||
print "IsMK1MF=$IsMK1MF\n";
|
print "IsMK1MF=$IsMK1MF\n";
|
||||||
|
|
||||||
@@ -1673,7 +1678,7 @@ while (<IN>)
|
@@ -1871,7 +1876,7 @@ while (<IN>)
|
||||||
}
|
}
|
||||||
elsif (/^#define\s+ENGINESDIR/)
|
elsif (/^#define\s+ENGINESDIR/)
|
||||||
{
|
{
|
||||||
@ -38,12 +38,12 @@ diff -up openssl-1.0.0-beta5/Configure.enginesdir openssl-1.0.0-beta5/Configure
|
|||||||
$foo =~ s/\\/\\\\/g;
|
$foo =~ s/\\/\\\\/g;
|
||||||
print OUT "#define ENGINESDIR \"$foo\"\n";
|
print OUT "#define ENGINESDIR \"$foo\"\n";
|
||||||
}
|
}
|
||||||
diff -up openssl-1.0.0-beta5/engines/Makefile.enginesdir openssl-1.0.0-beta5/engines/Makefile
|
diff -up openssl-1.0.2a/engines/Makefile.enginesdir openssl-1.0.2a/engines/Makefile
|
||||||
--- openssl-1.0.0-beta5/engines/Makefile.enginesdir 2010-01-16 21:06:09.000000000 +0100
|
--- openssl-1.0.2a/engines/Makefile.enginesdir 2015-04-20 14:37:58.140392292 +0200
|
||||||
+++ openssl-1.0.0-beta5/engines/Makefile 2010-01-20 18:07:05.000000000 +0100
|
+++ openssl-1.0.2a/engines/Makefile 2015-04-20 14:40:15.570598383 +0200
|
||||||
@@ -124,7 +124,7 @@ install:
|
@@ -124,7 +124,7 @@ install:
|
||||||
sfx=".so"; \
|
esac; \
|
||||||
cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
|
cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
|
||||||
fi; \
|
fi; \
|
||||||
- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
|
- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
|
||||||
+ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
|
+ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
|
39
openssl-1.0.2a-env-zlib.patch
Normal file
39
openssl-1.0.2a-env-zlib.patch
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
diff -up openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod
|
||||||
|
--- openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib 2015-04-09 18:17:20.509637597 +0200
|
||||||
|
+++ openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod 2015-04-09 18:17:14.767504953 +0200
|
||||||
|
@@ -47,6 +47,13 @@ Once the identities of the compression m
|
||||||
|
been standardized, the compression API will most likely be changed. Using
|
||||||
|
it in the current state is not recommended.
|
||||||
|
|
||||||
|
+It is also not recommended to use compression if data transfered contain
|
||||||
|
+untrusted parts that can be manipulated by an attacker as he could then
|
||||||
|
+get information about the encrypted data. See the CRIME attack. For
|
||||||
|
+that reason the default loading of the zlib compression method is
|
||||||
|
+disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB>
|
||||||
|
+is present during the library initialization.
|
||||||
|
+
|
||||||
|
=head1 RETURN VALUES
|
||||||
|
|
||||||
|
SSL_COMP_add_compression_method() may return the following values:
|
||||||
|
diff -up openssl-1.0.2a/ssl/ssl_ciph.c.env-zlib openssl-1.0.2a/ssl/ssl_ciph.c
|
||||||
|
--- openssl-1.0.2a/ssl/ssl_ciph.c.env-zlib 2015-04-09 18:17:20.510637620 +0200
|
||||||
|
+++ openssl-1.0.2a/ssl/ssl_ciph.c 2015-04-09 18:17:20.264631937 +0200
|
||||||
|
@@ -140,6 +140,8 @@
|
||||||
|
* OTHERWISE.
|
||||||
|
*/
|
||||||
|
|
||||||
|
+/* for secure_getenv */
|
||||||
|
+#define _GNU_SOURCE
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <openssl/objects.h>
|
||||||
|
#ifndef OPENSSL_NO_COMP
|
||||||
|
@@ -450,7 +452,8 @@ static void load_builtin_compressions(vo
|
||||||
|
|
||||||
|
MemCheck_off();
|
||||||
|
ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
|
||||||
|
- if (ssl_comp_methods != NULL) {
|
||||||
|
+ if (ssl_comp_methods != NULL
|
||||||
|
+ && secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL) {
|
||||||
|
comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
|
||||||
|
if (comp != NULL) {
|
||||||
|
comp->method = COMP_zlib();
|
174
openssl-1.0.2a-fips-ctor.patch
Normal file
174
openssl-1.0.2a-fips-ctor.patch
Normal file
@ -0,0 +1,174 @@
|
|||||||
|
diff -up openssl-1.0.2a/crypto/fips/fips.c.fips-ctor openssl-1.0.2a/crypto/fips/fips.c
|
||||||
|
--- openssl-1.0.2a/crypto/fips/fips.c.fips-ctor 2015-04-21 17:42:18.702765856 +0200
|
||||||
|
+++ openssl-1.0.2a/crypto/fips/fips.c 2015-04-21 17:42:18.742766794 +0200
|
||||||
|
@@ -60,6 +60,8 @@
|
||||||
|
#include <dlfcn.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
+#include <unistd.h>
|
||||||
|
+#include <errno.h>
|
||||||
|
#include "fips_locl.h"
|
||||||
|
|
||||||
|
#ifdef OPENSSL_FIPS
|
||||||
|
@@ -201,7 +203,9 @@ static char *bin2hex(void *buf, size_t l
|
||||||
|
}
|
||||||
|
|
||||||
|
# define HMAC_PREFIX "."
|
||||||
|
-# define HMAC_SUFFIX ".hmac"
|
||||||
|
+# ifndef HMAC_SUFFIX
|
||||||
|
+# define HMAC_SUFFIX ".hmac"
|
||||||
|
+# endif
|
||||||
|
# define READ_BUFFER_LENGTH 16384
|
||||||
|
|
||||||
|
static char *make_hmac_path(const char *origpath)
|
||||||
|
@@ -279,20 +283,14 @@ static int compute_file_hmac(const char
|
||||||
|
return rv;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static int FIPSCHECK_verify(const char *libname, const char *symbolname)
|
||||||
|
+static int FIPSCHECK_verify(const char *path)
|
||||||
|
{
|
||||||
|
- char path[PATH_MAX + 1];
|
||||||
|
- int rv;
|
||||||
|
+ int rv = 0;
|
||||||
|
FILE *hf;
|
||||||
|
char *hmacpath, *p;
|
||||||
|
char *hmac = NULL;
|
||||||
|
size_t n;
|
||||||
|
|
||||||
|
- rv = get_library_path(libname, symbolname, path, sizeof(path));
|
||||||
|
-
|
||||||
|
- if (rv < 0)
|
||||||
|
- return 0;
|
||||||
|
-
|
||||||
|
hmacpath = make_hmac_path(path);
|
||||||
|
if (hmacpath == NULL)
|
||||||
|
return 0;
|
||||||
|
@@ -343,6 +341,51 @@ static int FIPSCHECK_verify(const char *
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int verify_checksums(void)
|
||||||
|
+{
|
||||||
|
+ int rv;
|
||||||
|
+ char path[PATH_MAX + 1];
|
||||||
|
+ char *p;
|
||||||
|
+
|
||||||
|
+ /* we need to avoid dlopening libssl, assume both libcrypto and libssl
|
||||||
|
+ are in the same directory */
|
||||||
|
+
|
||||||
|
+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER,
|
||||||
|
+ "FIPS_mode_set", path, sizeof(path));
|
||||||
|
+ if (rv < 0)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ rv = FIPSCHECK_verify(path);
|
||||||
|
+ if (!rv)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ /* replace libcrypto with libssl */
|
||||||
|
+ while ((p = strstr(path, "libcrypto.so")) != NULL) {
|
||||||
|
+ p = stpcpy(p, "libssl");
|
||||||
|
+ memmove(p, p + 3, strlen(p + 2));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ rv = FIPSCHECK_verify(path);
|
||||||
|
+ if (!rv)
|
||||||
|
+ return 0;
|
||||||
|
+ return 1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+# ifndef FIPS_MODULE_PATH
|
||||||
|
+# define FIPS_MODULE_PATH "/etc/system-fips"
|
||||||
|
+# endif
|
||||||
|
+
|
||||||
|
+int FIPS_module_installed(void)
|
||||||
|
+{
|
||||||
|
+ int rv;
|
||||||
|
+ rv = access(FIPS_MODULE_PATH, F_OK);
|
||||||
|
+ if (rv < 0 && errno != ENOENT)
|
||||||
|
+ rv = 0;
|
||||||
|
+
|
||||||
|
+ /* Installed == true */
|
||||||
|
+ return !rv;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int FIPS_module_mode_set(int onoff, const char *auth)
|
||||||
|
{
|
||||||
|
int ret = 0;
|
||||||
|
@@ -380,17 +423,7 @@ int FIPS_module_mode_set(int onoff, cons
|
||||||
|
}
|
||||||
|
# endif
|
||||||
|
|
||||||
|
- if (!FIPSCHECK_verify
|
||||||
|
- ("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set")) {
|
||||||
|
- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
|
||||||
|
- FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
|
||||||
|
- fips_selftest_fail = 1;
|
||||||
|
- ret = 0;
|
||||||
|
- goto end;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (!FIPSCHECK_verify
|
||||||
|
- ("libssl.so." SHLIB_VERSION_NUMBER, "SSL_CTX_new")) {
|
||||||
|
+ if (!verify_checksums()) {
|
||||||
|
FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
|
||||||
|
FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
|
||||||
|
fips_selftest_fail = 1;
|
||||||
|
diff -up openssl-1.0.2a/crypto/fips/fips.h.fips-ctor openssl-1.0.2a/crypto/fips/fips.h
|
||||||
|
--- openssl-1.0.2a/crypto/fips/fips.h.fips-ctor 2015-04-21 17:42:18.739766724 +0200
|
||||||
|
+++ openssl-1.0.2a/crypto/fips/fips.h 2015-04-21 17:42:18.743766818 +0200
|
||||||
|
@@ -74,6 +74,7 @@ extern "C" {
|
||||||
|
|
||||||
|
int FIPS_module_mode_set(int onoff, const char *auth);
|
||||||
|
int FIPS_module_mode(void);
|
||||||
|
+ int FIPS_module_installed(void);
|
||||||
|
const void *FIPS_rand_check(void);
|
||||||
|
int FIPS_selftest(void);
|
||||||
|
int FIPS_selftest_failed(void);
|
||||||
|
diff -up openssl-1.0.2a/crypto/o_init.c.fips-ctor openssl-1.0.2a/crypto/o_init.c
|
||||||
|
--- openssl-1.0.2a/crypto/o_init.c.fips-ctor 2015-04-21 17:42:18.732766559 +0200
|
||||||
|
+++ openssl-1.0.2a/crypto/o_init.c 2015-04-21 17:45:02.662613173 +0200
|
||||||
|
@@ -74,6 +74,9 @@ static void init_fips_mode(void)
|
||||||
|
char buf[2] = "0";
|
||||||
|
int fd;
|
||||||
|
|
||||||
|
+ /* Ensure the selftests always run */
|
||||||
|
+ FIPS_mode_set(1);
|
||||||
|
+
|
||||||
|
if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
|
||||||
|
buf[0] = '1';
|
||||||
|
} else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
|
||||||
|
@@ -85,8 +88,12 @@ static void init_fips_mode(void)
|
||||||
|
* otherwise..
|
||||||
|
*/
|
||||||
|
|
||||||
|
- if (buf[0] == '1') {
|
||||||
|
- FIPS_mode_set(1);
|
||||||
|
+ if (buf[0] != '1') {
|
||||||
|
+ /* drop down to non-FIPS mode if it is not requested */
|
||||||
|
+ FIPS_mode_set(0);
|
||||||
|
+ } else {
|
||||||
|
+ /* abort if selftest failed */
|
||||||
|
+ FIPS_selftest_check();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
@@ -96,13 +103,16 @@ static void init_fips_mode(void)
|
||||||
|
* sets FIPS callbacks
|
||||||
|
*/
|
||||||
|
|
||||||
|
-void OPENSSL_init_library(void)
|
||||||
|
+void __attribute__ ((constructor)) OPENSSL_init_library(void)
|
||||||
|
{
|
||||||
|
static int done = 0;
|
||||||
|
if (done)
|
||||||
|
return;
|
||||||
|
done = 1;
|
||||||
|
#ifdef OPENSSL_FIPS
|
||||||
|
+ if (!FIPS_module_installed()) {
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
RAND_init_fips();
|
||||||
|
init_fips_mode();
|
||||||
|
if (!FIPS_mode()) {
|
1929
openssl-1.0.2a-fips-ec.patch
Normal file
1929
openssl-1.0.2a-fips-ec.patch
Normal file
File diff suppressed because it is too large
Load Diff
21
openssl-1.0.2a-fips-md5-allow.patch
Normal file
21
openssl-1.0.2a-fips-md5-allow.patch
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
diff -up openssl-1.0.2a/crypto/md5/md5_dgst.c.md5-allow openssl-1.0.2a/crypto/md5/md5_dgst.c
|
||||||
|
--- openssl-1.0.2a/crypto/md5/md5_dgst.c.md5-allow 2015-04-09 18:18:36.505393113 +0200
|
||||||
|
+++ openssl-1.0.2a/crypto/md5/md5_dgst.c 2015-04-09 18:18:32.408298469 +0200
|
||||||
|
@@ -72,7 +72,16 @@ const char MD5_version[] = "MD5" OPENSSL
|
||||||
|
#define INIT_DATA_C (unsigned long)0x98badcfeL
|
||||||
|
#define INIT_DATA_D (unsigned long)0x10325476L
|
||||||
|
|
||||||
|
-nonfips_md_init(MD5)
|
||||||
|
+int MD5_Init(MD5_CTX *c)
|
||||||
|
+#ifdef OPENSSL_FIPS
|
||||||
|
+{
|
||||||
|
+ if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
|
||||||
|
+ OpenSSLDie(__FILE__, __LINE__, "Digest MD5 forbidden in FIPS mode!");
|
||||||
|
+ return private_MD5_Init(c);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+int private_MD5_Init(MD5_CTX *c)
|
||||||
|
+#endif
|
||||||
|
{
|
||||||
|
memset(c, 0, sizeof(*c));
|
||||||
|
c->A = INIT_DATA_A;
|
13699
openssl-1.0.2a-fips.patch
Normal file
13699
openssl-1.0.2a-fips.patch
Normal file
File diff suppressed because it is too large
Load Diff
525
openssl-1.0.2a-ipv6-apps.patch
Normal file
525
openssl-1.0.2a-ipv6-apps.patch
Normal file
@ -0,0 +1,525 @@
|
|||||||
|
diff -up openssl-1.0.2a/apps/s_apps.h.ipv6-apps openssl-1.0.2a/apps/s_apps.h
|
||||||
|
--- openssl-1.0.2a/apps/s_apps.h.ipv6-apps 2015-04-20 15:01:24.029120104 +0200
|
||||||
|
+++ openssl-1.0.2a/apps/s_apps.h 2015-04-20 15:05:00.353137701 +0200
|
||||||
|
@@ -151,7 +151,7 @@ typedef fd_mask fd_set;
|
||||||
|
#define PORT_STR "4433"
|
||||||
|
#define PROTOCOL "tcp"
|
||||||
|
|
||||||
|
-int do_server(int port, int type, int *ret,
|
||||||
|
+int do_server(char *port, int type, int *ret,
|
||||||
|
int (*cb) (char *hostname, int s, int stype,
|
||||||
|
unsigned char *context), unsigned char *context,
|
||||||
|
int naccept);
|
||||||
|
@@ -167,11 +167,10 @@ int ssl_print_point_formats(BIO *out, SS
|
||||||
|
int ssl_print_curves(BIO *out, SSL *s, int noshared);
|
||||||
|
#endif
|
||||||
|
int ssl_print_tmp_key(BIO *out, SSL *s);
|
||||||
|
-int init_client(int *sock, char *server, int port, int type);
|
||||||
|
+int init_client(int *sock, char *server, char *port, int type);
|
||||||
|
int should_retry(int i);
|
||||||
|
int extract_port(char *str, short *port_ptr);
|
||||||
|
-int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
|
||||||
|
- short *p);
|
||||||
|
+int extract_host_port(char *str, char **host_ptr, char **port_ptr);
|
||||||
|
|
||||||
|
long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
|
||||||
|
int argi, long argl, long ret);
|
||||||
|
diff -up openssl-1.0.2a/apps/s_client.c.ipv6-apps openssl-1.0.2a/apps/s_client.c
|
||||||
|
--- openssl-1.0.2a/apps/s_client.c.ipv6-apps 2015-04-20 15:01:24.022119942 +0200
|
||||||
|
+++ openssl-1.0.2a/apps/s_client.c 2015-04-20 15:06:42.338503234 +0200
|
||||||
|
@@ -662,7 +662,7 @@ int MAIN(int argc, char **argv)
|
||||||
|
int cbuf_len, cbuf_off;
|
||||||
|
int sbuf_len, sbuf_off;
|
||||||
|
fd_set readfds, writefds;
|
||||||
|
- short port = PORT;
|
||||||
|
+ char *port_str = PORT_STR;
|
||||||
|
int full_log = 1;
|
||||||
|
char *host = SSL_HOST_NAME;
|
||||||
|
char *cert_file = NULL, *key_file = NULL, *chain_file = NULL;
|
||||||
|
@@ -785,13 +785,11 @@ int MAIN(int argc, char **argv)
|
||||||
|
} else if (strcmp(*argv, "-port") == 0) {
|
||||||
|
if (--argc < 1)
|
||||||
|
goto bad;
|
||||||
|
- port = atoi(*(++argv));
|
||||||
|
- if (port == 0)
|
||||||
|
- goto bad;
|
||||||
|
+ port_str = *(++argv);
|
||||||
|
} else if (strcmp(*argv, "-connect") == 0) {
|
||||||
|
if (--argc < 1)
|
||||||
|
goto bad;
|
||||||
|
- if (!extract_host_port(*(++argv), &host, NULL, &port))
|
||||||
|
+ if (!extract_host_port(*(++argv), &host, &port_str))
|
||||||
|
goto bad;
|
||||||
|
} else if (strcmp(*argv, "-verify") == 0) {
|
||||||
|
verify = SSL_VERIFY_PEER;
|
||||||
|
@@ -1417,7 +1415,7 @@ int MAIN(int argc, char **argv)
|
||||||
|
|
||||||
|
re_start:
|
||||||
|
|
||||||
|
- if (init_client(&s, host, port, socket_type) == 0) {
|
||||||
|
+ if (init_client(&s, host, port_str, socket_type) == 0) {
|
||||||
|
BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());
|
||||||
|
SHUTDOWN(s);
|
||||||
|
goto end;
|
||||||
|
diff -up openssl-1.0.2a/apps/s_server.c.ipv6-apps openssl-1.0.2a/apps/s_server.c
|
||||||
|
--- openssl-1.0.2a/apps/s_server.c.ipv6-apps 2015-04-20 15:01:24.030120127 +0200
|
||||||
|
+++ openssl-1.0.2a/apps/s_server.c 2015-04-20 15:10:47.245187746 +0200
|
||||||
|
@@ -1061,7 +1061,7 @@ int MAIN(int argc, char *argv[])
|
||||||
|
{
|
||||||
|
X509_VERIFY_PARAM *vpm = NULL;
|
||||||
|
int badarg = 0;
|
||||||
|
- short port = PORT;
|
||||||
|
+ char *port_str = PORT_STR;
|
||||||
|
char *CApath = NULL, *CAfile = NULL;
|
||||||
|
char *chCApath = NULL, *chCAfile = NULL;
|
||||||
|
char *vfyCApath = NULL, *vfyCAfile = NULL;
|
||||||
|
@@ -1148,7 +1148,8 @@ int MAIN(int argc, char *argv[])
|
||||||
|
if ((strcmp(*argv, "-port") == 0) || (strcmp(*argv, "-accept") == 0)) {
|
||||||
|
if (--argc < 1)
|
||||||
|
goto bad;
|
||||||
|
- if (!extract_port(*(++argv), &port))
|
||||||
|
+ port_str = *(++argv);
|
||||||
|
+ if (port_str == NULL || *port_str == '\0')
|
||||||
|
goto bad;
|
||||||
|
} else if (strcmp(*argv, "-naccept") == 0) {
|
||||||
|
if (--argc < 1)
|
||||||
|
@@ -2020,13 +2021,13 @@ int MAIN(int argc, char *argv[])
|
||||||
|
BIO_printf(bio_s_out, "ACCEPT\n");
|
||||||
|
(void)BIO_flush(bio_s_out);
|
||||||
|
if (rev)
|
||||||
|
- do_server(port, socket_type, &accept_socket, rev_body, context,
|
||||||
|
+ do_server(port_str, socket_type, &accept_socket, rev_body, context,
|
||||||
|
naccept);
|
||||||
|
else if (www)
|
||||||
|
- do_server(port, socket_type, &accept_socket, www_body, context,
|
||||||
|
+ do_server(port_str, socket_type, &accept_socket, www_body, context,
|
||||||
|
naccept);
|
||||||
|
else
|
||||||
|
- do_server(port, socket_type, &accept_socket, sv_body, context,
|
||||||
|
+ do_server(port_str, socket_type, &accept_socket, sv_body, context,
|
||||||
|
naccept);
|
||||||
|
print_stats(bio_s_out, ctx);
|
||||||
|
ret = 0;
|
||||||
|
diff -up openssl-1.0.2a/apps/s_socket.c.ipv6-apps openssl-1.0.2a/apps/s_socket.c
|
||||||
|
--- openssl-1.0.2a/apps/s_socket.c.ipv6-apps 2015-03-19 14:30:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/apps/s_socket.c 2015-04-20 15:32:53.960079507 +0200
|
||||||
|
@@ -106,9 +106,7 @@ static struct hostent *GetHostByName(cha
|
||||||
|
static void ssl_sock_cleanup(void);
|
||||||
|
# endif
|
||||||
|
static int ssl_sock_init(void);
|
||||||
|
-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type);
|
||||||
|
-static int init_server(int *sock, int port, int type);
|
||||||
|
-static int init_server_long(int *sock, int port, char *ip, int type);
|
||||||
|
+static int init_server(int *sock, char *port, int type);
|
||||||
|
static int do_accept(int acc_sock, int *sock, char **host);
|
||||||
|
static int host_ip(char *str, unsigned char ip[4]);
|
||||||
|
|
||||||
|
@@ -231,65 +229,66 @@ static int ssl_sock_init(void)
|
||||||
|
return (1);
|
||||||
|
}
|
||||||
|
|
||||||
|
-int init_client(int *sock, char *host, int port, int type)
|
||||||
|
+int init_client(int *sock, char *host, char *port, int type)
|
||||||
|
{
|
||||||
|
- unsigned char ip[4];
|
||||||
|
-
|
||||||
|
- memset(ip, '\0', sizeof ip);
|
||||||
|
- if (!host_ip(host, &(ip[0])))
|
||||||
|
- return 0;
|
||||||
|
- return init_client_ip(sock, ip, port, type);
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
|
||||||
|
-{
|
||||||
|
- unsigned long addr;
|
||||||
|
- struct sockaddr_in them;
|
||||||
|
- int s, i;
|
||||||
|
+ struct addrinfo *res, *res0, hints;
|
||||||
|
+ char *failed_call = NULL;
|
||||||
|
+ int s;
|
||||||
|
+ int e;
|
||||||
|
|
||||||
|
if (!ssl_sock_init())
|
||||||
|
return (0);
|
||||||
|
|
||||||
|
- memset((char *)&them, 0, sizeof(them));
|
||||||
|
- them.sin_family = AF_INET;
|
||||||
|
- them.sin_port = htons((unsigned short)port);
|
||||||
|
- addr = (unsigned long)
|
||||||
|
- ((unsigned long)ip[0] << 24L) |
|
||||||
|
- ((unsigned long)ip[1] << 16L) |
|
||||||
|
- ((unsigned long)ip[2] << 8L) | ((unsigned long)ip[3]);
|
||||||
|
- them.sin_addr.s_addr = htonl(addr);
|
||||||
|
-
|
||||||
|
- if (type == SOCK_STREAM)
|
||||||
|
- s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
|
||||||
|
- else /* ( type == SOCK_DGRAM) */
|
||||||
|
- s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
|
||||||
|
-
|
||||||
|
- if (s == INVALID_SOCKET) {
|
||||||
|
- perror("socket");
|
||||||
|
+ memset(&hints, '\0', sizeof(hints));
|
||||||
|
+ hints.ai_socktype = type;
|
||||||
|
+ hints.ai_flags = AI_ADDRCONFIG;
|
||||||
|
+
|
||||||
|
+ e = getaddrinfo(host, port, &hints, &res);
|
||||||
|
+ if (e) {
|
||||||
|
+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
|
||||||
|
+ if (e == EAI_SYSTEM)
|
||||||
|
+ perror("getaddrinfo");
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ res0 = res;
|
||||||
|
+ while (res) {
|
||||||
|
+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
|
||||||
|
+ if (s == INVALID_SOCKET) {
|
||||||
|
+ failed_call = "socket";
|
||||||
|
+ goto nextres;
|
||||||
|
+ }
|
||||||
|
# if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
|
||||||
|
- if (type == SOCK_STREAM) {
|
||||||
|
- i = 0;
|
||||||
|
- i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE, (char *)&i, sizeof(i));
|
||||||
|
- if (i < 0) {
|
||||||
|
- closesocket(s);
|
||||||
|
- perror("keepalive");
|
||||||
|
- return (0);
|
||||||
|
+ if (type == SOCK_STREAM) {
|
||||||
|
+ int i = 0;
|
||||||
|
+ i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE,
|
||||||
|
+ (char *)&i, sizeof(i));
|
||||||
|
+ if (i < 0) {
|
||||||
|
+ failed_call = "keepalive";
|
||||||
|
+ goto nextres;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
- }
|
||||||
|
# endif
|
||||||
|
-
|
||||||
|
- if (connect(s, (struct sockaddr *)&them, sizeof(them)) == -1) {
|
||||||
|
- closesocket(s);
|
||||||
|
- perror("connect");
|
||||||
|
- return (0);
|
||||||
|
+ if (connect(s, (struct sockaddr *)res->ai_addr, res->ai_addrlen) == 0) {
|
||||||
|
+ freeaddrinfo(res0);
|
||||||
|
+ *sock = s;
|
||||||
|
+ return (1);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ failed_call = "socket";
|
||||||
|
+ nextres:
|
||||||
|
+ if (s != INVALID_SOCKET)
|
||||||
|
+ close(s);
|
||||||
|
+ res = res->ai_next;
|
||||||
|
}
|
||||||
|
- *sock = s;
|
||||||
|
- return (1);
|
||||||
|
+ freeaddrinfo(res0);
|
||||||
|
+ closesocket(s);
|
||||||
|
+
|
||||||
|
+ perror(failed_call);
|
||||||
|
+ return (0);
|
||||||
|
}
|
||||||
|
|
||||||
|
-int do_server(int port, int type, int *ret,
|
||||||
|
+int do_server(char *port, int type, int *ret,
|
||||||
|
int (*cb) (char *hostname, int s, int stype,
|
||||||
|
unsigned char *context), unsigned char *context,
|
||||||
|
int naccept)
|
||||||
|
@@ -328,69 +327,89 @@ int do_server(int port, int type, int *r
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
-static int init_server_long(int *sock, int port, char *ip, int type)
|
||||||
|
+static int init_server(int *sock, char *port, int type)
|
||||||
|
{
|
||||||
|
- int ret = 0;
|
||||||
|
- struct sockaddr_in server;
|
||||||
|
- int s = -1;
|
||||||
|
+ struct addrinfo *res, *res0 = NULL, hints;
|
||||||
|
+ char *failed_call = NULL;
|
||||||
|
+ int s = INVALID_SOCKET;
|
||||||
|
+ int e;
|
||||||
|
|
||||||
|
if (!ssl_sock_init())
|
||||||
|
return (0);
|
||||||
|
|
||||||
|
- memset((char *)&server, 0, sizeof(server));
|
||||||
|
- server.sin_family = AF_INET;
|
||||||
|
- server.sin_port = htons((unsigned short)port);
|
||||||
|
- if (ip == NULL)
|
||||||
|
- server.sin_addr.s_addr = INADDR_ANY;
|
||||||
|
- else
|
||||||
|
-/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */
|
||||||
|
-# ifndef BIT_FIELD_LIMITS
|
||||||
|
- memcpy(&server.sin_addr.s_addr, ip, 4);
|
||||||
|
-# else
|
||||||
|
- memcpy(&server.sin_addr, ip, 4);
|
||||||
|
-# endif
|
||||||
|
-
|
||||||
|
- if (type == SOCK_STREAM)
|
||||||
|
- s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
|
||||||
|
- else /* type == SOCK_DGRAM */
|
||||||
|
- s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
|
||||||
|
+ memset(&hints, '\0', sizeof(hints));
|
||||||
|
+ hints.ai_family = AF_INET6;
|
||||||
|
+ tryipv4:
|
||||||
|
+ hints.ai_socktype = type;
|
||||||
|
+ hints.ai_flags = AI_PASSIVE;
|
||||||
|
+
|
||||||
|
+ e = getaddrinfo(NULL, port, &hints, &res);
|
||||||
|
+ if (e) {
|
||||||
|
+ if (hints.ai_family == AF_INET) {
|
||||||
|
+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
|
||||||
|
+ if (e == EAI_SYSTEM)
|
||||||
|
+ perror("getaddrinfo");
|
||||||
|
+ return (0);
|
||||||
|
+ } else
|
||||||
|
+ res = NULL;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- if (s == INVALID_SOCKET)
|
||||||
|
- goto err;
|
||||||
|
+ res0 = res;
|
||||||
|
+ while (res) {
|
||||||
|
+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
|
||||||
|
+ if (s == INVALID_SOCKET) {
|
||||||
|
+ failed_call = "socket";
|
||||||
|
+ goto nextres;
|
||||||
|
+ }
|
||||||
|
+ if (hints.ai_family == AF_INET6) {
|
||||||
|
+ int j = 0;
|
||||||
|
+ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, (void *)&j, sizeof j);
|
||||||
|
+ }
|
||||||
|
# if defined SOL_SOCKET && defined SO_REUSEADDR
|
||||||
|
- {
|
||||||
|
- int j = 1;
|
||||||
|
- setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&j, sizeof j);
|
||||||
|
- }
|
||||||
|
-# endif
|
||||||
|
- if (bind(s, (struct sockaddr *)&server, sizeof(server)) == -1) {
|
||||||
|
-# ifndef OPENSSL_SYS_WINDOWS
|
||||||
|
- perror("bind");
|
||||||
|
+ {
|
||||||
|
+ int j = 1;
|
||||||
|
+ setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&j, sizeof j);
|
||||||
|
+ }
|
||||||
|
# endif
|
||||||
|
- goto err;
|
||||||
|
+
|
||||||
|
+ if (bind(s, (struct sockaddr *)res->ai_addr, res->ai_addrlen) == -1) {
|
||||||
|
+ failed_call = "bind";
|
||||||
|
+ goto nextres;
|
||||||
|
+ }
|
||||||
|
+ if (type == SOCK_STREAM && listen(s, 128) == -1) {
|
||||||
|
+ failed_call = "listen";
|
||||||
|
+ goto nextres;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ *sock = s;
|
||||||
|
+ return (1);
|
||||||
|
+
|
||||||
|
+ nextres:
|
||||||
|
+ if (s != INVALID_SOCKET)
|
||||||
|
+ close(s);
|
||||||
|
+ res = res->ai_next;
|
||||||
|
}
|
||||||
|
- /* Make it 128 for linux */
|
||||||
|
- if (type == SOCK_STREAM && listen(s, 128) == -1)
|
||||||
|
- goto err;
|
||||||
|
- *sock = s;
|
||||||
|
- ret = 1;
|
||||||
|
- err:
|
||||||
|
- if ((ret == 0) && (s != -1)) {
|
||||||
|
- SHUTDOWN(s);
|
||||||
|
+ if (res0)
|
||||||
|
+ freeaddrinfo(res0);
|
||||||
|
+
|
||||||
|
+ if (s == INVALID_SOCKET) {
|
||||||
|
+ if (hints.ai_family == AF_INET6) {
|
||||||
|
+ hints.ai_family = AF_INET;
|
||||||
|
+ goto tryipv4;
|
||||||
|
+ }
|
||||||
|
+ perror("socket");
|
||||||
|
+ return (0);
|
||||||
|
}
|
||||||
|
- return (ret);
|
||||||
|
-}
|
||||||
|
|
||||||
|
-static int init_server(int *sock, int port, int type)
|
||||||
|
-{
|
||||||
|
- return (init_server_long(sock, port, NULL, type));
|
||||||
|
+ perror(failed_call);
|
||||||
|
+ return (0);
|
||||||
|
}
|
||||||
|
|
||||||
|
static int do_accept(int acc_sock, int *sock, char **host)
|
||||||
|
{
|
||||||
|
+ static struct sockaddr_storage from;
|
||||||
|
+ char buffer[NI_MAXHOST];
|
||||||
|
int ret;
|
||||||
|
- struct hostent *h1, *h2;
|
||||||
|
- static struct sockaddr_in from;
|
||||||
|
int len;
|
||||||
|
/* struct linger ling; */
|
||||||
|
|
||||||
|
@@ -432,134 +451,60 @@ static int do_accept(int acc_sock, int *
|
||||||
|
ling.l_onoff=1;
|
||||||
|
ling.l_linger=0;
|
||||||
|
i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
|
||||||
|
- if (i < 0) { perror("linger"); return(0); }
|
||||||
|
+ if (i < 0) { closesocket(ret); perror("linger"); return(0); }
|
||||||
|
i=0;
|
||||||
|
i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
|
||||||
|
- if (i < 0) { perror("keepalive"); return(0); }
|
||||||
|
+ if (i < 0) { closesocket(ret); perror("keepalive"); return(0); }
|
||||||
|
*/
|
||||||
|
|
||||||
|
if (host == NULL)
|
||||||
|
goto end;
|
||||||
|
-# ifndef BIT_FIELD_LIMITS
|
||||||
|
- /* I should use WSAAsyncGetHostByName() under windows */
|
||||||
|
- h1 = gethostbyaddr((char *)&from.sin_addr.s_addr,
|
||||||
|
- sizeof(from.sin_addr.s_addr), AF_INET);
|
||||||
|
-# else
|
||||||
|
- h1 = gethostbyaddr((char *)&from.sin_addr,
|
||||||
|
- sizeof(struct in_addr), AF_INET);
|
||||||
|
-# endif
|
||||||
|
- if (h1 == NULL) {
|
||||||
|
- BIO_printf(bio_err, "bad gethostbyaddr\n");
|
||||||
|
+
|
||||||
|
+ if (getnameinfo((struct sockaddr *)&from, sizeof(from),
|
||||||
|
+ buffer, sizeof(buffer), NULL, 0, 0)) {
|
||||||
|
+ BIO_printf(bio_err, "getnameinfo failed\n");
|
||||||
|
*host = NULL;
|
||||||
|
/* return(0); */
|
||||||
|
} else {
|
||||||
|
- if ((*host = (char *)OPENSSL_malloc(strlen(h1->h_name) + 1)) == NULL) {
|
||||||
|
+ if ((*host = (char *)OPENSSL_malloc(strlen(buffer) + 1)) == NULL) {
|
||||||
|
perror("OPENSSL_malloc");
|
||||||
|
closesocket(ret);
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
- BUF_strlcpy(*host, h1->h_name, strlen(h1->h_name) + 1);
|
||||||
|
-
|
||||||
|
- h2 = GetHostByName(*host);
|
||||||
|
- if (h2 == NULL) {
|
||||||
|
- BIO_printf(bio_err, "gethostbyname failure\n");
|
||||||
|
- closesocket(ret);
|
||||||
|
- return (0);
|
||||||
|
- }
|
||||||
|
- if (h2->h_addrtype != AF_INET) {
|
||||||
|
- BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
|
||||||
|
- closesocket(ret);
|
||||||
|
- return (0);
|
||||||
|
- }
|
||||||
|
+ strcpy(*host, buffer);
|
||||||
|
}
|
||||||
|
end:
|
||||||
|
*sock = ret;
|
||||||
|
return (1);
|
||||||
|
}
|
||||||
|
|
||||||
|
-int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
|
||||||
|
- short *port_ptr)
|
||||||
|
+int extract_host_port(char *str, char **host_ptr, char **port_ptr)
|
||||||
|
{
|
||||||
|
- char *h, *p;
|
||||||
|
+ char *h, *p, *x;
|
||||||
|
|
||||||
|
- h = str;
|
||||||
|
- p = strchr(str, ':');
|
||||||
|
+ x = h = str;
|
||||||
|
+ if (*h == '[') {
|
||||||
|
+ h++;
|
||||||
|
+ p = strchr(h, ']');
|
||||||
|
+ if (p == NULL) {
|
||||||
|
+ BIO_printf(bio_err, "no ending bracket for IPv6 address\n");
|
||||||
|
+ return (0);
|
||||||
|
+ }
|
||||||
|
+ *(p++) = '\0';
|
||||||
|
+ x = p;
|
||||||
|
+ }
|
||||||
|
+ p = strchr(x, ':');
|
||||||
|
if (p == NULL) {
|
||||||
|
BIO_printf(bio_err, "no port defined\n");
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
*(p++) = '\0';
|
||||||
|
|
||||||
|
- if ((ip != NULL) && !host_ip(str, ip))
|
||||||
|
- goto err;
|
||||||
|
if (host_ptr != NULL)
|
||||||
|
*host_ptr = h;
|
||||||
|
+ if (port_ptr != NULL)
|
||||||
|
+ *port_ptr = p;
|
||||||
|
|
||||||
|
- if (!extract_port(p, port_ptr))
|
||||||
|
- goto err;
|
||||||
|
- return (1);
|
||||||
|
- err:
|
||||||
|
- return (0);
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static int host_ip(char *str, unsigned char ip[4])
|
||||||
|
-{
|
||||||
|
- unsigned int in[4];
|
||||||
|
- int i;
|
||||||
|
-
|
||||||
|
- if (sscanf(str, "%u.%u.%u.%u", &(in[0]), &(in[1]), &(in[2]), &(in[3])) ==
|
||||||
|
- 4) {
|
||||||
|
- for (i = 0; i < 4; i++)
|
||||||
|
- if (in[i] > 255) {
|
||||||
|
- BIO_printf(bio_err, "invalid IP address\n");
|
||||||
|
- goto err;
|
||||||
|
- }
|
||||||
|
- ip[0] = in[0];
|
||||||
|
- ip[1] = in[1];
|
||||||
|
- ip[2] = in[2];
|
||||||
|
- ip[3] = in[3];
|
||||||
|
- } else { /* do a gethostbyname */
|
||||||
|
- struct hostent *he;
|
||||||
|
-
|
||||||
|
- if (!ssl_sock_init())
|
||||||
|
- return (0);
|
||||||
|
-
|
||||||
|
- he = GetHostByName(str);
|
||||||
|
- if (he == NULL) {
|
||||||
|
- BIO_printf(bio_err, "gethostbyname failure\n");
|
||||||
|
- goto err;
|
||||||
|
- }
|
||||||
|
- /* cast to short because of win16 winsock definition */
|
||||||
|
- if ((short)he->h_addrtype != AF_INET) {
|
||||||
|
- BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
|
||||||
|
- return (0);
|
||||||
|
- }
|
||||||
|
- ip[0] = he->h_addr_list[0][0];
|
||||||
|
- ip[1] = he->h_addr_list[0][1];
|
||||||
|
- ip[2] = he->h_addr_list[0][2];
|
||||||
|
- ip[3] = he->h_addr_list[0][3];
|
||||||
|
- }
|
||||||
|
- return (1);
|
||||||
|
- err:
|
||||||
|
- return (0);
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-int extract_port(char *str, short *port_ptr)
|
||||||
|
-{
|
||||||
|
- int i;
|
||||||
|
- struct servent *s;
|
||||||
|
-
|
||||||
|
- i = atoi(str);
|
||||||
|
- if (i != 0)
|
||||||
|
- *port_ptr = (unsigned short)i;
|
||||||
|
- else {
|
||||||
|
- s = getservbyname(str, "tcp");
|
||||||
|
- if (s == NULL) {
|
||||||
|
- BIO_printf(bio_err, "getservbyname failure for %s\n", str);
|
||||||
|
- return (0);
|
||||||
|
- }
|
||||||
|
- *port_ptr = ntohs((unsigned short)s->s_port);
|
||||||
|
- }
|
||||||
|
return (1);
|
||||||
|
}
|
||||||
|
|
11
openssl-1.0.2a-issuer-hash.patch
Normal file
11
openssl-1.0.2a-issuer-hash.patch
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
diff -up openssl-1.0.1k/crypto/x509/x509_cmp.c.issuer-hash openssl-1.0.1k/crypto/x509/x509_cmp.c
|
||||||
|
--- openssl-1.0.1k/crypto/x509/x509_cmp.c.issuer-hash 2015-04-09 18:16:03.349855193 +0200
|
||||||
|
+++ openssl-1.0.1k/crypto/x509/x509_cmp.c 2015-04-09 18:16:00.616792058 +0200
|
||||||
|
@@ -86,6 +86,7 @@ unsigned long X509_issuer_and_serial_has
|
||||||
|
char *f;
|
||||||
|
|
||||||
|
EVP_MD_CTX_init(&ctx);
|
||||||
|
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||||
|
f = X509_NAME_oneline(a->cert_info->issuer, NULL, 0);
|
||||||
|
if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
|
||||||
|
goto err;
|
@ -1,6 +1,6 @@
|
|||||||
diff -up openssl-1.0.1i/doc/apps/ec.pod.manfix openssl-1.0.1i/doc/apps/ec.pod
|
diff -up openssl-1.0.2a/doc/apps/ec.pod.manfix openssl-1.0.2a/doc/apps/ec.pod
|
||||||
--- openssl-1.0.1i/doc/apps/ec.pod.manfix 2014-07-22 21:41:23.000000000 +0200
|
--- openssl-1.0.2a/doc/apps/ec.pod.manfix 2015-01-20 13:33:36.000000000 +0100
|
||||||
+++ openssl-1.0.1i/doc/apps/ec.pod 2014-08-07 11:21:57.258887741 +0200
|
+++ openssl-1.0.2a/doc/apps/ec.pod 2015-04-21 17:39:20.084574580 +0200
|
||||||
@@ -93,10 +93,6 @@ prints out the public, private key compo
|
@@ -93,10 +93,6 @@ prints out the public, private key compo
|
||||||
|
|
||||||
this option prevents output of the encoded version of the key.
|
this option prevents output of the encoded version of the key.
|
||||||
@ -12,9 +12,9 @@ diff -up openssl-1.0.1i/doc/apps/ec.pod.manfix openssl-1.0.1i/doc/apps/ec.pod
|
|||||||
=item B<-pubin>
|
=item B<-pubin>
|
||||||
|
|
||||||
by default a private key is read from the input file: with this option a
|
by default a private key is read from the input file: with this option a
|
||||||
diff -up openssl-1.0.1i/doc/apps/openssl.pod.manfix openssl-1.0.1i/doc/apps/openssl.pod
|
diff -up openssl-1.0.2a/doc/apps/openssl.pod.manfix openssl-1.0.2a/doc/apps/openssl.pod
|
||||||
--- openssl-1.0.1i/doc/apps/openssl.pod.manfix 2014-07-22 21:43:11.000000000 +0200
|
--- openssl-1.0.2a/doc/apps/openssl.pod.manfix 2015-01-20 13:33:36.000000000 +0100
|
||||||
+++ openssl-1.0.1i/doc/apps/openssl.pod 2014-08-07 11:21:57.259887746 +0200
|
+++ openssl-1.0.2a/doc/apps/openssl.pod 2015-04-21 17:39:20.084574580 +0200
|
||||||
@@ -163,7 +163,7 @@ Create or examine a netscape certificate
|
@@ -163,7 +163,7 @@ Create or examine a netscape certificate
|
||||||
|
|
||||||
Online Certificate Status Protocol utility.
|
Online Certificate Status Protocol utility.
|
||||||
@ -45,10 +45,10 @@ diff -up openssl-1.0.1i/doc/apps/openssl.pod.manfix openssl-1.0.1i/doc/apps/open
|
|||||||
L<rsautl(1)|rsautl(1)>, L<s_client(1)|s_client(1)>,
|
L<rsautl(1)|rsautl(1)>, L<s_client(1)|s_client(1)>,
|
||||||
L<s_server(1)|s_server(1)>, L<s_time(1)|s_time(1)>,
|
L<s_server(1)|s_server(1)>, L<s_time(1)|s_time(1)>,
|
||||||
L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
|
L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
|
||||||
diff -up openssl-1.0.1i/doc/apps/s_client.pod.manfix openssl-1.0.1i/doc/apps/s_client.pod
|
diff -up openssl-1.0.2a/doc/apps/s_client.pod.manfix openssl-1.0.2a/doc/apps/s_client.pod
|
||||||
--- openssl-1.0.1i/doc/apps/s_client.pod.manfix 2014-08-06 23:10:56.000000000 +0200
|
--- openssl-1.0.2a/doc/apps/s_client.pod.manfix 2015-04-21 17:39:20.085574603 +0200
|
||||||
+++ openssl-1.0.1i/doc/apps/s_client.pod 2014-08-07 11:24:28.736604443 +0200
|
+++ openssl-1.0.2a/doc/apps/s_client.pod 2015-04-21 17:41:00.215924162 +0200
|
||||||
@@ -34,9 +34,14 @@ B<openssl> B<s_client>
|
@@ -34,6 +34,9 @@ B<openssl> B<s_client>
|
||||||
[B<-ssl2>]
|
[B<-ssl2>]
|
||||||
[B<-ssl3>]
|
[B<-ssl3>]
|
||||||
[B<-tls1>]
|
[B<-tls1>]
|
||||||
@ -58,12 +58,19 @@ diff -up openssl-1.0.1i/doc/apps/s_client.pod.manfix openssl-1.0.1i/doc/apps/s_c
|
|||||||
[B<-no_ssl2>]
|
[B<-no_ssl2>]
|
||||||
[B<-no_ssl3>]
|
[B<-no_ssl3>]
|
||||||
[B<-no_tls1>]
|
[B<-no_tls1>]
|
||||||
+[B<-no_tls1_1>]
|
@@ -200,7 +203,7 @@ Use the PSK key B<key> when using a PSK
|
||||||
+[B<-no_tls1_2>]
|
given as a hexadecimal number without leading 0x, for example -psk
|
||||||
[B<-bugs>]
|
1a2b3c4d.
|
||||||
[B<-cipher cipherlist>]
|
|
||||||
[B<-serverpref>]
|
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
|
||||||
@@ -196,7 +201,7 @@ Use the PSK key B<key> when using a PSK
|
+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
|
||||||
|
|
||||||
|
these options disable the use of certain SSL or TLS protocols. By default
|
||||||
|
the initial handshake uses a method which should be compatible with all
|
||||||
|
diff -up openssl-1.0.2a/doc/apps/s_server.pod.manfix openssl-1.0.2a/doc/apps/s_server.pod
|
||||||
|
--- openssl-1.0.2a/doc/apps/s_server.pod.manfix 2015-03-19 14:30:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/doc/apps/s_server.pod 2015-04-21 17:39:20.085574603 +0200
|
||||||
|
@@ -212,7 +212,7 @@ Use the PSK key B<key> when using a PSK
|
||||||
given as a hexadecimal number without leading 0x, for example -psk
|
given as a hexadecimal number without leading 0x, for example -psk
|
||||||
1a2b3c4d.
|
1a2b3c4d.
|
||||||
|
|
||||||
@ -72,15 +79,15 @@ diff -up openssl-1.0.1i/doc/apps/s_client.pod.manfix openssl-1.0.1i/doc/apps/s_c
|
|||||||
|
|
||||||
these options disable the use of certain SSL or TLS protocols. By default
|
these options disable the use of certain SSL or TLS protocols. By default
|
||||||
the initial handshake uses a method which should be compatible with all
|
the initial handshake uses a method which should be compatible with all
|
||||||
diff -up openssl-1.0.1i/doc/apps/s_server.pod.manfix openssl-1.0.1i/doc/apps/s_server.pod
|
diff -up openssl-1.0.2a/doc/ssl/SSL_CTX_use_serverinfo.pod.manfix openssl-1.0.2a/doc/ssl/SSL_CTX_use_serverinfo.pod
|
||||||
--- openssl-1.0.1i/doc/apps/s_server.pod.manfix 2014-08-06 23:10:56.000000000 +0200
|
--- openssl-1.0.2a/doc/ssl/SSL_CTX_use_serverinfo.pod.manfix 2015-03-19 14:30:36.000000000 +0100
|
||||||
+++ openssl-1.0.1i/doc/apps/s_server.pod 2014-08-07 11:21:57.259887746 +0200
|
+++ openssl-1.0.2a/doc/ssl/SSL_CTX_use_serverinfo.pod 2015-04-22 20:12:43.082395251 +0200
|
||||||
@@ -216,7 +216,7 @@ Use the PSK key B<key> when using a PSK
|
@@ -2,7 +2,7 @@
|
||||||
given as a hexadecimal number without leading 0x, for example -psk
|
|
||||||
1a2b3c4d.
|
|
||||||
|
|
||||||
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
|
=head1 NAME
|
||||||
+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
|
|
||||||
|
-SSL_CTX_use_serverinfo, SSL_CTX_use_serverinfo_file
|
||||||
|
+SSL_CTX_use_serverinfo, SSL_CTX_use_serverinfo_file - load serverinfo extensions
|
||||||
|
|
||||||
|
=head1 SYNOPSIS
|
||||||
|
|
||||||
these options disable the use of certain SSL or TLS protocols. By default
|
|
||||||
the initial handshake uses a method which should be compatible with all
|
|
1400
openssl-1.0.2a-new-fips-reqs.patch
Normal file
1400
openssl-1.0.2a-new-fips-reqs.patch
Normal file
File diff suppressed because it is too large
Load Diff
25
openssl-1.0.2a-no-md5-verify.patch
Normal file
25
openssl-1.0.2a-no-md5-verify.patch
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
diff -up openssl-1.0.2a/crypto/asn1/a_verify.c.no-md5-verify openssl-1.0.2a/crypto/asn1/a_verify.c
|
||||||
|
--- openssl-1.0.2a/crypto/asn1/a_verify.c.no-md5-verify 2015-04-09 18:20:58.829680829 +0200
|
||||||
|
+++ openssl-1.0.2a/crypto/asn1/a_verify.c 2015-04-09 18:20:54.495580710 +0200
|
||||||
|
@@ -56,6 +56,9 @@
|
||||||
|
* [including the GNU Public Licence.]
|
||||||
|
*/
|
||||||
|
|
||||||
|
+/* for secure_getenv */
|
||||||
|
+#define _GNU_SOURCE
|
||||||
|
+
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <time.h>
|
||||||
|
|
||||||
|
@@ -171,6 +174,11 @@ int ASN1_item_verify(const ASN1_ITEM *it
|
||||||
|
if (ret != 2)
|
||||||
|
goto err;
|
||||||
|
ret = -1;
|
||||||
|
+ } else if (mdnid == NID_md5
|
||||||
|
+ && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) {
|
||||||
|
+ ASN1err(ASN1_F_ASN1_ITEM_VERIFY,
|
||||||
|
+ ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
|
||||||
|
+ goto err;
|
||||||
|
} else {
|
||||||
|
const EVP_MD *type;
|
||||||
|
type = EVP_get_digestbynid(mdnid);
|
@ -1,6 +1,7 @@
|
|||||||
--- openssl-0.9.8a/Makefile.shared.no-rpath 2005-06-23 22:47:54.000000000 +0200
|
diff -up openssl-1.0.2a/Makefile.shared.no-rpath openssl-1.0.2a/Makefile.shared
|
||||||
+++ openssl-0.9.8a/Makefile.shared 2005-11-16 22:35:37.000000000 +0100
|
--- openssl-1.0.2a/Makefile.shared.no-rpath 2015-04-09 18:14:39.647921663 +0200
|
||||||
@@ -153,7 +153,7 @@
|
+++ openssl-1.0.2a/Makefile.shared 2015-04-09 18:14:34.423800985 +0200
|
||||||
|
@@ -153,7 +153,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
|
||||||
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
|
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
|
||||||
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
|
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
|
||||||
|
|
198
openssl-1.0.2a-padlock64.patch
Normal file
198
openssl-1.0.2a-padlock64.patch
Normal file
@ -0,0 +1,198 @@
|
|||||||
|
diff -up openssl-1.0.2a/engines/e_padlock.c.padlock64 openssl-1.0.2a/engines/e_padlock.c
|
||||||
|
--- openssl-1.0.2a/engines/e_padlock.c.padlock64 2015-03-19 14:19:00.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/engines/e_padlock.c 2015-04-22 16:23:44.105617468 +0200
|
||||||
|
@@ -101,7 +101,10 @@
|
||||||
|
*/
|
||||||
|
# undef COMPILE_HW_PADLOCK
|
||||||
|
# if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
|
||||||
|
-# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \
|
||||||
|
+# if (defined(__GNUC__) && __GNUC__>=2 && \
|
||||||
|
+ (defined(__i386__) || defined(__i386) || \
|
||||||
|
+ defined(__x86_64__) || defined(__x86_64)) \
|
||||||
|
+ ) || \
|
||||||
|
(defined(_MSC_VER) && defined(_M_IX86))
|
||||||
|
# define COMPILE_HW_PADLOCK
|
||||||
|
# endif
|
||||||
|
@@ -140,7 +143,7 @@ void ENGINE_load_padlock(void)
|
||||||
|
# endif
|
||||||
|
# elif defined(__GNUC__)
|
||||||
|
# ifndef alloca
|
||||||
|
-# define alloca(s) __builtin_alloca(s)
|
||||||
|
+# define alloca(s) __builtin_alloca((s))
|
||||||
|
# endif
|
||||||
|
# endif
|
||||||
|
|
||||||
|
@@ -303,6 +306,7 @@ static volatile struct padlock_cipher_da
|
||||||
|
* =======================================================
|
||||||
|
*/
|
||||||
|
# if defined(__GNUC__) && __GNUC__>=2
|
||||||
|
+# if defined(__i386__) || defined(__i386)
|
||||||
|
/*
|
||||||
|
* As for excessive "push %ebx"/"pop %ebx" found all over.
|
||||||
|
* When generating position-independent code GCC won't let
|
||||||
|
@@ -379,22 +383,6 @@ static int padlock_available(void)
|
||||||
|
return padlock_use_ace + padlock_use_rng;
|
||||||
|
}
|
||||||
|
|
||||||
|
-# ifndef OPENSSL_NO_AES
|
||||||
|
-# ifndef AES_ASM
|
||||||
|
-/* Our own htonl()/ntohl() */
|
||||||
|
-static inline void padlock_bswapl(AES_KEY *ks)
|
||||||
|
-{
|
||||||
|
- size_t i = sizeof(ks->rd_key) / sizeof(ks->rd_key[0]);
|
||||||
|
- unsigned int *key = ks->rd_key;
|
||||||
|
-
|
||||||
|
- while (i--) {
|
||||||
|
- asm volatile ("bswapl %0":"+r" (*key));
|
||||||
|
- key++;
|
||||||
|
- }
|
||||||
|
-}
|
||||||
|
-# endif
|
||||||
|
-# endif
|
||||||
|
-
|
||||||
|
/*
|
||||||
|
* Force key reload from memory to the CPU microcode. Loading EFLAGS from the
|
||||||
|
* stack clears EFLAGS[30] which does the trick.
|
||||||
|
@@ -404,7 +392,7 @@ static inline void padlock_reload_key(vo
|
||||||
|
asm volatile ("pushfl; popfl");
|
||||||
|
}
|
||||||
|
|
||||||
|
-# ifndef OPENSSL_NO_AES
|
||||||
|
+# ifndef OPENSSL_NO_AES
|
||||||
|
/*
|
||||||
|
* This is heuristic key context tracing. At first one
|
||||||
|
* believes that one should use atomic swap instructions,
|
||||||
|
@@ -448,6 +436,101 @@ static inline void *name(size_t cnt,
|
||||||
|
: "edx", "cc", "memory"); \
|
||||||
|
return iv; \
|
||||||
|
}
|
||||||
|
+# endif
|
||||||
|
+
|
||||||
|
+# elif defined(__x86_64__) || defined(__x86_64)
|
||||||
|
+
|
||||||
|
+/* Load supported features of the CPU to see if
|
||||||
|
+ the PadLock is available. */
|
||||||
|
+static int padlock_available(void)
|
||||||
|
+{
|
||||||
|
+ char vendor_string[16];
|
||||||
|
+ unsigned int eax, edx;
|
||||||
|
+
|
||||||
|
+ /* Are we running on the Centaur (VIA) CPU? */
|
||||||
|
+ eax = 0x00000000;
|
||||||
|
+ vendor_string[12] = 0;
|
||||||
|
+ asm volatile ("cpuid\n"
|
||||||
|
+ "movl %%ebx,(%1)\n"
|
||||||
|
+ "movl %%edx,4(%1)\n"
|
||||||
|
+ "movl %%ecx,8(%1)\n":"+a" (eax):"r"(vendor_string):"rbx",
|
||||||
|
+ "rcx", "rdx");
|
||||||
|
+ if (strcmp(vendor_string, "CentaurHauls") != 0)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ /* Check for Centaur Extended Feature Flags presence */
|
||||||
|
+ eax = 0xC0000000;
|
||||||
|
+ asm volatile ("cpuid":"+a" (eax)::"rbx", "rcx", "rdx");
|
||||||
|
+ if (eax < 0xC0000001)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ /* Read the Centaur Extended Feature Flags */
|
||||||
|
+ eax = 0xC0000001;
|
||||||
|
+ asm volatile ("cpuid":"+a" (eax), "=d"(edx)::"rbx", "rcx");
|
||||||
|
+
|
||||||
|
+ /* Fill up some flags */
|
||||||
|
+ padlock_use_ace = ((edx & (0x3 << 6)) == (0x3 << 6));
|
||||||
|
+ padlock_use_rng = ((edx & (0x3 << 2)) == (0x3 << 2));
|
||||||
|
+
|
||||||
|
+ return padlock_use_ace + padlock_use_rng;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/* Force key reload from memory to the CPU microcode.
|
||||||
|
+ Loading EFLAGS from the stack clears EFLAGS[30]
|
||||||
|
+ which does the trick. */
|
||||||
|
+static inline void padlock_reload_key(void)
|
||||||
|
+{
|
||||||
|
+ asm volatile ("pushfq; popfq");
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+# ifndef OPENSSL_NO_AES
|
||||||
|
+/*
|
||||||
|
+ * This is heuristic key context tracing. At first one
|
||||||
|
+ * believes that one should use atomic swap instructions,
|
||||||
|
+ * but it's not actually necessary. Point is that if
|
||||||
|
+ * padlock_saved_context was changed by another thread
|
||||||
|
+ * after we've read it and before we compare it with cdata,
|
||||||
|
+ * our key *shall* be reloaded upon thread context switch
|
||||||
|
+ * and we are therefore set in either case...
|
||||||
|
+ */
|
||||||
|
+static inline void padlock_verify_context(struct padlock_cipher_data *cdata)
|
||||||
|
+{
|
||||||
|
+ asm volatile ("pushfq\n"
|
||||||
|
+ " btl $30,(%%rsp)\n"
|
||||||
|
+ " jnc 1f\n"
|
||||||
|
+ " cmpq %2,%1\n"
|
||||||
|
+ " je 1f\n"
|
||||||
|
+ " popfq\n"
|
||||||
|
+ " subq $8,%%rsp\n"
|
||||||
|
+ "1: addq $8,%%rsp\n"
|
||||||
|
+ " movq %2,%0":"+m" (padlock_saved_context)
|
||||||
|
+ :"r"(padlock_saved_context), "r"(cdata):"cc");
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/* Template for padlock_xcrypt_* modes */
|
||||||
|
+/* BIG FAT WARNING:
|
||||||
|
+ * The offsets used with 'leal' instructions
|
||||||
|
+ * describe items of the 'padlock_cipher_data'
|
||||||
|
+ * structure.
|
||||||
|
+ */
|
||||||
|
+# define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \
|
||||||
|
+static inline void *name(size_t cnt, \
|
||||||
|
+ struct padlock_cipher_data *cdata, \
|
||||||
|
+ void *out, const void *inp) \
|
||||||
|
+{ void *iv; \
|
||||||
|
+ asm volatile ( "leaq 16(%0),%%rdx\n" \
|
||||||
|
+ " leaq 32(%0),%%rbx\n" \
|
||||||
|
+ rep_xcrypt "\n" \
|
||||||
|
+ : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
|
||||||
|
+ : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \
|
||||||
|
+ : "rbx", "rdx", "cc", "memory"); \
|
||||||
|
+ return iv; \
|
||||||
|
+}
|
||||||
|
+# endif
|
||||||
|
+
|
||||||
|
+# endif /* cpu */
|
||||||
|
+
|
||||||
|
+# ifndef OPENSSL_NO_AES
|
||||||
|
|
||||||
|
/* Generate all functions with appropriate opcodes */
|
||||||
|
/* rep xcryptecb */
|
||||||
|
@@ -458,6 +541,20 @@ PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, "
|
||||||
|
PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0")
|
||||||
|
/* rep xcryptofb */
|
||||||
|
PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8")
|
||||||
|
+
|
||||||
|
+# ifndef AES_ASM
|
||||||
|
+/* Our own htonl()/ntohl() */
|
||||||
|
+static inline void padlock_bswapl(AES_KEY *ks)
|
||||||
|
+{
|
||||||
|
+ size_t i = sizeof(ks->rd_key) / sizeof(ks->rd_key[0]);
|
||||||
|
+ unsigned int *key = ks->rd_key;
|
||||||
|
+
|
||||||
|
+ while (i--) {
|
||||||
|
+ asm volatile ("bswapl %0":"+r" (*key));
|
||||||
|
+ key++;
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+# endif
|
||||||
|
# endif
|
||||||
|
/* The RNG call itself */
|
||||||
|
static inline unsigned int padlock_xstore(void *addr, unsigned int edx_in)
|
||||||
|
@@ -485,8 +582,8 @@ static inline unsigned int padlock_xstor
|
||||||
|
static inline unsigned char *padlock_memcpy(void *dst, const void *src,
|
||||||
|
size_t n)
|
||||||
|
{
|
||||||
|
- long *d = dst;
|
||||||
|
- const long *s = src;
|
||||||
|
+ size_t *d = dst;
|
||||||
|
+ const size_t *s = src;
|
||||||
|
|
||||||
|
n /= sizeof(*d);
|
||||||
|
do {
|
21
openssl-1.0.2a-pkgconfig-krb5.patch
Normal file
21
openssl-1.0.2a-pkgconfig-krb5.patch
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
diff -up openssl-1.0.2a/Makefile.org.krb5 openssl-1.0.2a/Makefile.org
|
||||||
|
--- openssl-1.0.2a/Makefile.org.krb5 2015-04-21 17:08:41.157464459 +0200
|
||||||
|
+++ openssl-1.0.2a/Makefile.org 2015-04-21 17:11:56.887039005 +0200
|
||||||
|
@@ -372,7 +372,7 @@ libcrypto.pc: Makefile
|
||||||
|
echo 'Requires: '; \
|
||||||
|
echo 'Libs: -L$${libdir} -lcrypto'; \
|
||||||
|
echo 'Libs.private: $(EX_LIBS)'; \
|
||||||
|
- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
|
||||||
|
+ echo 'Cflags: -I$${includedir}' ) > libcrypto.pc
|
||||||
|
|
||||||
|
libssl.pc: Makefile
|
||||||
|
@ ( echo 'prefix=$(INSTALLTOP)'; \
|
||||||
|
@@ -385,7 +385,7 @@ libssl.pc: Makefile
|
||||||
|
echo 'Version: '$(VERSION); \
|
||||||
|
echo 'Requires.private: libcrypto'; \
|
||||||
|
echo 'Libs: -L$${libdir} -lssl'; \
|
||||||
|
- echo 'Libs.private: $(EX_LIBS)'; \
|
||||||
|
+ echo 'Libs.private: $(EX_LIBS) $(LIBKRB5)'; \
|
||||||
|
echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
|
||||||
|
|
||||||
|
openssl.pc: Makefile
|
50
openssl-1.0.2a-readme-warning.patch
Normal file
50
openssl-1.0.2a-readme-warning.patch
Normal file
@ -0,0 +1,50 @@
|
|||||||
|
diff -up openssl-1.0.2a/README.warning openssl-1.0.2a/README
|
||||||
|
--- openssl-1.0.2a/README.warning 2015-03-20 16:00:47.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/README 2015-03-21 09:06:11.000000000 +0100
|
||||||
|
@@ -5,6 +5,46 @@
|
||||||
|
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
||||||
|
All rights reserved.
|
||||||
|
|
||||||
|
+ WARNING
|
||||||
|
+ -------
|
||||||
|
+
|
||||||
|
+ This version of OpenSSL is built in a way that supports operation in
|
||||||
|
+ the so called FIPS mode. Note though that the library as we build it
|
||||||
|
+ is not FIPS 140-2 validated and the FIPS mode is present for testing
|
||||||
|
+ purposes only.
|
||||||
|
+
|
||||||
|
+ This version also contains a few differences from the upstream code
|
||||||
|
+ some of which are:
|
||||||
|
+ * The FIPS validation support is significantly different from the
|
||||||
|
+ upstream FIPS support. For example the FIPS integrity verification
|
||||||
|
+ check is implemented differently as the FIPS module is built inside
|
||||||
|
+ the shared library. The HMAC-SHA256 checksums of the whole shared
|
||||||
|
+ libraries are verified. Also note that the FIPS integrity
|
||||||
|
+ verification check requires that the libcrypto and libssl shared
|
||||||
|
+ library files are unmodified which means that it will fail if these
|
||||||
|
+ files are changed for example by prelink.
|
||||||
|
+ * If the file /etc/system-fips is present the integrity verification
|
||||||
|
+ and selftests of the crypto algorithms are run inside the library
|
||||||
|
+ constructor code.
|
||||||
|
+ * With the /etc/system-fips present the module respects the kernel
|
||||||
|
+ FIPS flag /proc/sys/crypto/fips and tries to initialize the FIPS mode
|
||||||
|
+ if it is set to 1 aborting if the FIPS mode could not be initialized.
|
||||||
|
+ With the /etc/system-fips present it is also possible to force the
|
||||||
|
+ OpenSSL library to FIPS mode especially for debugging purposes by
|
||||||
|
+ setting the environment variable OPENSSL_FORCE_FIPS_MODE.
|
||||||
|
+ * If the environment variable OPENSSL_NO_DEFAULT_ZLIB is set the module
|
||||||
|
+ will not automatically load the built in compression method ZLIB
|
||||||
|
+ when initialized. Applications can still explicitely ask for ZLIB
|
||||||
|
+ compression method.
|
||||||
|
+ * The library was patched so the certificates, CRLs and other objects
|
||||||
|
+ signed with use of MD5 fail verification as the MD5 is too insecure
|
||||||
|
+ to be used for signatures. If the environment variable
|
||||||
|
+ OPENSSL_ENABLE_MD5_VERIFY is set, the verification can proceed
|
||||||
|
+ normally.
|
||||||
|
+ * If the OPENSSL_ENFORCE_MODULUS_BITS environment variable is set,
|
||||||
|
+ the library will not allow generation of DSA and RSA keys with
|
||||||
|
+ other lengths than specified in the FIPS 186-4 standard.
|
||||||
|
+
|
||||||
|
DESCRIPTION
|
||||||
|
-----------
|
||||||
|
|
114
openssl-1.0.2a-rpmbuild.patch
Normal file
114
openssl-1.0.2a-rpmbuild.patch
Normal file
@ -0,0 +1,114 @@
|
|||||||
|
diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure
|
||||||
|
--- openssl-1.0.2a/Configure.rpmbuild 2015-03-19 14:30:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/Configure 2015-04-20 14:35:03.516318252 +0200
|
||||||
|
@@ -348,8 +348,8 @@ my %table=(
|
||||||
|
####
|
||||||
|
# *-generic* is endian-neutral target, but ./config is free to
|
||||||
|
# throw in -D[BL]_ENDIAN, whichever appropriate...
|
||||||
|
-"linux-generic32","gcc:-O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
|
-"linux-ppc", "gcc:-DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
|
+"linux-generic32","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
|
+"linux-ppc", "gcc:-DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
|
|
||||||
|
#######################################################################
|
||||||
|
# Note that -march is not among compiler options in below linux-armv4
|
||||||
|
@@ -378,30 +378,30 @@ my %table=(
|
||||||
|
#
|
||||||
|
# ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8
|
||||||
|
#
|
||||||
|
-"linux-armv4", "gcc: -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
|
-"linux-aarch64","gcc: -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
|
+"linux-armv4", "gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
|
+"linux-aarch64","gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
|
# Configure script adds minimally required -march for assembly support,
|
||||||
|
# if no -march was specified at command line. mips32 and mips64 below
|
||||||
|
# refer to contemporary MIPS Architecture specifications, MIPS32 and
|
||||||
|
# MIPS64, rather than to kernel bitness.
|
||||||
|
-"linux-mips32", "gcc:-mabi=32 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
|
-"linux-mips64", "gcc:-mabi=n32 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:n32:dlfcn:linux-shared:-fPIC:-mabi=n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::32",
|
||||||
|
-"linux64-mips64", "gcc:-mabi=64 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||||
|
+"linux-mips32", "gcc:-mabi=32 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
|
+"linux-mips64", "gcc:-mabi=n32 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:n32:dlfcn:linux-shared:-fPIC:-mabi=n32 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::32",
|
||||||
|
+"linux64-mips64", "gcc:-mabi=64 -Wall \$(RPM_OPT_FLAGS) -DBN_DIV3W::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||||
|
#### IA-32 targets...
|
||||||
|
"linux-ia32-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
|
-"linux-elf", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
|
+"linux-elf", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
|
"linux-aout", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
|
||||||
|
####
|
||||||
|
-"linux-generic64","gcc:-O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
|
-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||||
|
-"linux-ppc64le","gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
|
||||||
|
-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
|
+"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
|
+"linux-ppc64", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||||
|
+"linux-ppc64le","gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||||
|
+"linux-ia64", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
|
"linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
|
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||||
|
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||||
|
"linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Weverything $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||||
|
"linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||||
|
"linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
|
||||||
|
-"linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||||
|
+"linux64-s390x", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||||
|
#### So called "highgprs" target for z/Architecture CPUs
|
||||||
|
# "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
|
||||||
|
# /proc/cpuinfo. The idea is to preserve most significant bits of
|
||||||
|
@@ -419,12 +419,12 @@ my %table=(
|
||||||
|
#### SPARC Linux setups
|
||||||
|
# Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
|
||||||
|
# assisted with debugging of following two configs.
|
||||||
|
-"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
|
+"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
|
# it's a real mess with -mcpu=ultrasparc option under Linux, but
|
||||||
|
# -Wa,-Av8plus should do the trick no matter what.
|
||||||
|
-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
|
+"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
|
# GCC 3.1 is a requirement
|
||||||
|
-"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||||
|
+"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||||
|
#### Alpha Linux with GNU C and Compaq C setups
|
||||||
|
# Special notes:
|
||||||
|
# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
|
||||||
|
@@ -1737,7 +1737,7 @@ while (<IN>)
|
||||||
|
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
|
||||||
|
{
|
||||||
|
my $sotmp = $1;
|
||||||
|
- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
|
||||||
|
+ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
|
||||||
|
}
|
||||||
|
elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
|
||||||
|
{
|
||||||
|
diff -up openssl-1.0.2a/Makefile.org.rpmbuild openssl-1.0.2a/Makefile.org
|
||||||
|
--- openssl-1.0.2a/Makefile.org.rpmbuild 2015-03-19 14:30:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/Makefile.org 2015-04-20 14:11:52.152847093 +0200
|
||||||
|
@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
|
||||||
|
SHLIB_MAJOR=
|
||||||
|
SHLIB_MINOR=
|
||||||
|
SHLIB_EXT=
|
||||||
|
+SHLIB_SONAMEVER=10
|
||||||
|
PLATFORM=dist
|
||||||
|
OPTIONS=
|
||||||
|
CONFIGURE_ARGS=
|
||||||
|
@@ -335,10 +336,9 @@ clean-shared:
|
||||||
|
link-shared:
|
||||||
|
@ set -e; for i in $(SHLIBDIRS); do \
|
||||||
|
$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
|
||||||
|
- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
|
||||||
|
+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
|
||||||
|
LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
|
||||||
|
symlink.$(SHLIB_TARGET); \
|
||||||
|
- libs="$$libs -l$$i"; \
|
||||||
|
done
|
||||||
|
|
||||||
|
build-shared: do_$(SHLIB_TARGET) link-shared
|
||||||
|
@@ -349,7 +349,7 @@ do_$(SHLIB_TARGET):
|
||||||
|
libs="$(LIBKRB5) $$libs"; \
|
||||||
|
fi; \
|
||||||
|
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
|
||||||
|
- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
|
||||||
|
+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
|
||||||
|
LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
|
||||||
|
LIBDEPS="$$libs $(EX_LIBS)" \
|
||||||
|
link_a.$(SHLIB_TARGET); \
|
35
openssl-1.0.2a-rsa-x931.patch
Normal file
35
openssl-1.0.2a-rsa-x931.patch
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
diff -up openssl-1.0.2a/apps/genrsa.c.x931 openssl-1.0.2a/apps/genrsa.c
|
||||||
|
--- openssl-1.0.2a/apps/genrsa.c.x931 2015-04-09 18:18:24.132107287 +0200
|
||||||
|
+++ openssl-1.0.2a/apps/genrsa.c 2015-04-09 18:18:18.852985339 +0200
|
||||||
|
@@ -97,6 +97,7 @@ int MAIN(int argc, char **argv)
|
||||||
|
int ret = 1;
|
||||||
|
int i, num = DEFBITS;
|
||||||
|
long l;
|
||||||
|
+ int use_x931 = 0;
|
||||||
|
const EVP_CIPHER *enc = NULL;
|
||||||
|
unsigned long f4 = RSA_F4;
|
||||||
|
char *outfile = NULL;
|
||||||
|
@@ -139,6 +140,8 @@ int MAIN(int argc, char **argv)
|
||||||
|
f4 = 3;
|
||||||
|
else if (strcmp(*argv, "-F4") == 0 || strcmp(*argv, "-f4") == 0)
|
||||||
|
f4 = RSA_F4;
|
||||||
|
+ else if (strcmp(*argv, "-x931") == 0)
|
||||||
|
+ use_x931 = 1;
|
||||||
|
# ifndef OPENSSL_NO_ENGINE
|
||||||
|
else if (strcmp(*argv, "-engine") == 0) {
|
||||||
|
if (--argc < 1)
|
||||||
|
@@ -278,7 +281,13 @@ int MAIN(int argc, char **argv)
|
||||||
|
if (!rsa)
|
||||||
|
goto err;
|
||||||
|
|
||||||
|
- if (!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
|
||||||
|
+ if (use_x931) {
|
||||||
|
+ if (!BN_set_word(bn, f4))
|
||||||
|
+ goto err;
|
||||||
|
+ if (!RSA_X931_generate_key_ex(rsa, num, bn, &cb))
|
||||||
|
+ goto err;
|
||||||
|
+ } else if (!BN_set_word(bn, f4)
|
||||||
|
+ || !RSA_generate_key_ex(rsa, num, bn, &cb))
|
||||||
|
goto err;
|
||||||
|
|
||||||
|
app_RAND_write_file(NULL, bio_err);
|
241
openssl-1.0.2a-secure-getenv.patch
Normal file
241
openssl-1.0.2a-secure-getenv.patch
Normal file
@ -0,0 +1,241 @@
|
|||||||
|
diff -up openssl-1.0.2a/crypto/conf/conf_api.c.secure-getenv openssl-1.0.2a/crypto/conf/conf_api.c
|
||||||
|
--- openssl-1.0.2a/crypto/conf/conf_api.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/crypto/conf/conf_api.c 2015-04-21 17:14:12.757214532 +0200
|
||||||
|
@@ -63,6 +63,8 @@
|
||||||
|
# define NDEBUG
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+/* for secure_getenv */
|
||||||
|
+#define _GNU_SOURCE
|
||||||
|
#include <assert.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <string.h>
|
||||||
|
@@ -141,7 +143,7 @@ char *_CONF_get_string(const CONF *conf,
|
||||||
|
if (v != NULL)
|
||||||
|
return (v->value);
|
||||||
|
if (strcmp(section, "ENV") == 0) {
|
||||||
|
- p = getenv(name);
|
||||||
|
+ p = secure_getenv(name);
|
||||||
|
if (p != NULL)
|
||||||
|
return (p);
|
||||||
|
}
|
||||||
|
@@ -154,7 +156,7 @@ char *_CONF_get_string(const CONF *conf,
|
||||||
|
else
|
||||||
|
return (NULL);
|
||||||
|
} else
|
||||||
|
- return (getenv(name));
|
||||||
|
+ return (secure_getenv(name));
|
||||||
|
}
|
||||||
|
|
||||||
|
#if 0 /* There's no way to provide error checking
|
||||||
|
diff -up openssl-1.0.2a/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.2a/crypto/conf/conf_mod.c
|
||||||
|
--- openssl-1.0.2a/crypto/conf/conf_mod.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/crypto/conf/conf_mod.c 2015-04-21 17:13:24.165078848 +0200
|
||||||
|
@@ -57,6 +57,8 @@
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
+/* for secure_getenv */
|
||||||
|
+#define _GNU_SOURCE
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <ctype.h>
|
||||||
|
#include <openssl/crypto.h>
|
||||||
|
@@ -526,7 +528,7 @@ char *CONF_get1_default_config_file(void
|
||||||
|
char *file;
|
||||||
|
int len;
|
||||||
|
|
||||||
|
- file = getenv("OPENSSL_CONF");
|
||||||
|
+ file = secure_getenv("OPENSSL_CONF");
|
||||||
|
if (file)
|
||||||
|
return BUF_strdup(file);
|
||||||
|
|
||||||
|
diff -up openssl-1.0.2a/crypto/engine/eng_list.c.secure-getenv openssl-1.0.2a/crypto/engine/eng_list.c
|
||||||
|
--- openssl-1.0.2a/crypto/engine/eng_list.c.secure-getenv 2015-04-21 17:13:24.165078848 +0200
|
||||||
|
+++ openssl-1.0.2a/crypto/engine/eng_list.c 2015-04-21 17:15:53.180561603 +0200
|
||||||
|
@@ -62,6 +62,8 @@
|
||||||
|
* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
|
||||||
|
*/
|
||||||
|
|
||||||
|
+/* for secure_getenv */
|
||||||
|
+#define _GNU_SOURCE
|
||||||
|
#include "eng_int.h"
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -368,10 +370,10 @@ ENGINE *ENGINE_by_id(const char *id)
|
||||||
|
*/
|
||||||
|
if (strcmp(id, "dynamic")) {
|
||||||
|
# ifdef OPENSSL_SYS_VMS
|
||||||
|
- if ((load_dir = getenv("OPENSSL_ENGINES")) == 0)
|
||||||
|
+ if (OPENSSL_issetugid() || (load_dir = getenv("OPENSSL_ENGINES")) == 0)
|
||||||
|
load_dir = "SSLROOT:[ENGINES]";
|
||||||
|
# else
|
||||||
|
- if ((load_dir = getenv("OPENSSL_ENGINES")) == 0)
|
||||||
|
+ if ((load_dir = secure_getenv("OPENSSL_ENGINES")) == 0)
|
||||||
|
load_dir = ENGINESDIR;
|
||||||
|
# endif
|
||||||
|
iterator = ENGINE_by_id("dynamic");
|
||||||
|
diff -up openssl-1.0.2a/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.2a/crypto/md5/md5_dgst.c
|
||||||
|
--- openssl-1.0.2a/crypto/md5/md5_dgst.c.secure-getenv 2015-04-21 17:13:24.156078637 +0200
|
||||||
|
+++ openssl-1.0.2a/crypto/md5/md5_dgst.c 2015-04-21 17:13:24.165078848 +0200
|
||||||
|
@@ -56,6 +56,8 @@
|
||||||
|
* [including the GNU Public Licence.]
|
||||||
|
*/
|
||||||
|
|
||||||
|
+/* for secure_getenv */
|
||||||
|
+#define _GNU_SOURCE
|
||||||
|
#include <stdio.h>
|
||||||
|
#include "md5_locl.h"
|
||||||
|
#include <openssl/opensslv.h>
|
||||||
|
@@ -75,7 +77,8 @@ const char MD5_version[] = "MD5" OPENSSL
|
||||||
|
int MD5_Init(MD5_CTX *c)
|
||||||
|
#ifdef OPENSSL_FIPS
|
||||||
|
{
|
||||||
|
- if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
|
||||||
|
+ if (FIPS_mode()
|
||||||
|
+ && secure_getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
|
||||||
|
OpenSSLDie(__FILE__, __LINE__, "Digest MD5 forbidden in FIPS mode!");
|
||||||
|
return private_MD5_Init(c);
|
||||||
|
}
|
||||||
|
diff -up openssl-1.0.2a/crypto/o_init.c.secure-getenv openssl-1.0.2a/crypto/o_init.c
|
||||||
|
--- openssl-1.0.2a/crypto/o_init.c.secure-getenv 2015-04-21 17:13:24.142078310 +0200
|
||||||
|
+++ openssl-1.0.2a/crypto/o_init.c 2015-04-21 17:13:24.165078848 +0200
|
||||||
|
@@ -53,6 +53,8 @@
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
+/* for secure_getenv */
|
||||||
|
+#define _GNU_SOURCE
|
||||||
|
#include <e_os.h>
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#ifdef OPENSSL_FIPS
|
||||||
|
@@ -72,7 +74,7 @@ static void init_fips_mode(void)
|
||||||
|
char buf[2] = "0";
|
||||||
|
int fd;
|
||||||
|
|
||||||
|
- if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
|
||||||
|
+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
|
||||||
|
buf[0] = '1';
|
||||||
|
} else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
|
||||||
|
while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
|
||||||
|
diff -up openssl-1.0.2a/crypto/rand/randfile.c.secure-getenv openssl-1.0.2a/crypto/rand/randfile.c
|
||||||
|
--- openssl-1.0.2a/crypto/rand/randfile.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/crypto/rand/randfile.c 2015-04-21 17:13:24.165078848 +0200
|
||||||
|
@@ -60,6 +60,8 @@
|
||||||
|
#if !defined(OPENSSL_SYS_VXWORKS)
|
||||||
|
# define _XOPEN_SOURCE 500
|
||||||
|
#endif
|
||||||
|
+/* for secure_getenv */
|
||||||
|
+#define _GNU_SOURCE
|
||||||
|
|
||||||
|
#include <errno.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
@@ -292,14 +294,12 @@ const char *RAND_file_name(char *buf, si
|
||||||
|
struct stat sb;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
- if (OPENSSL_issetugid() == 0)
|
||||||
|
- s = getenv("RANDFILE");
|
||||||
|
+ s = secure_getenv("RANDFILE");
|
||||||
|
if (s != NULL && *s && strlen(s) + 1 < size) {
|
||||||
|
if (BUF_strlcpy(buf, s, size) >= size)
|
||||||
|
return NULL;
|
||||||
|
} else {
|
||||||
|
- if (OPENSSL_issetugid() == 0)
|
||||||
|
- s = getenv("HOME");
|
||||||
|
+ s = secure_getenv("HOME");
|
||||||
|
#ifdef DEFAULT_HOME
|
||||||
|
if (s == NULL) {
|
||||||
|
s = DEFAULT_HOME;
|
||||||
|
diff -up openssl-1.0.2a/crypto/x509/by_dir.c.secure-getenv openssl-1.0.2a/crypto/x509/by_dir.c
|
||||||
|
--- openssl-1.0.2a/crypto/x509/by_dir.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/crypto/x509/by_dir.c 2015-04-21 17:13:24.165078848 +0200
|
||||||
|
@@ -56,6 +56,8 @@
|
||||||
|
* [including the GNU Public Licence.]
|
||||||
|
*/
|
||||||
|
|
||||||
|
+/* for secure_getenv */
|
||||||
|
+#define _GNU_SOURCE
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <time.h>
|
||||||
|
#include <errno.h>
|
||||||
|
@@ -128,7 +130,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
|
||||||
|
switch (cmd) {
|
||||||
|
case X509_L_ADD_DIR:
|
||||||
|
if (argl == X509_FILETYPE_DEFAULT) {
|
||||||
|
- dir = (char *)getenv(X509_get_default_cert_dir_env());
|
||||||
|
+ dir = (char *)secure_getenv(X509_get_default_cert_dir_env());
|
||||||
|
if (dir)
|
||||||
|
ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
|
||||||
|
else
|
||||||
|
diff -up openssl-1.0.2a/crypto/x509/by_file.c.secure-getenv openssl-1.0.2a/crypto/x509/by_file.c
|
||||||
|
--- openssl-1.0.2a/crypto/x509/by_file.c.secure-getenv 2015-04-21 17:13:24.118077749 +0200
|
||||||
|
+++ openssl-1.0.2a/crypto/x509/by_file.c 2015-04-21 17:13:24.166078871 +0200
|
||||||
|
@@ -56,6 +56,8 @@
|
||||||
|
* [including the GNU Public Licence.]
|
||||||
|
*/
|
||||||
|
|
||||||
|
+/* for secure_getenv */
|
||||||
|
+#define _GNU_SOURCE
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <time.h>
|
||||||
|
#include <errno.h>
|
||||||
|
@@ -97,7 +99,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx
|
||||||
|
switch (cmd) {
|
||||||
|
case X509_L_FILE_LOAD:
|
||||||
|
if (argl == X509_FILETYPE_DEFAULT) {
|
||||||
|
- file = (char *)getenv(X509_get_default_cert_file_env());
|
||||||
|
+ file = (char *)secure_getenv(X509_get_default_cert_file_env());
|
||||||
|
if (file)
|
||||||
|
ok = (X509_load_cert_crl_file(ctx, file,
|
||||||
|
X509_FILETYPE_PEM) != 0);
|
||||||
|
diff -up openssl-1.0.2a/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.2a/crypto/x509/x509_vfy.c
|
||||||
|
--- openssl-1.0.2a/crypto/x509/x509_vfy.c.secure-getenv 2015-03-19 14:30:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/crypto/x509/x509_vfy.c 2015-04-21 17:19:14.948277272 +0200
|
||||||
|
@@ -56,6 +56,8 @@
|
||||||
|
* [including the GNU Public Licence.]
|
||||||
|
*/
|
||||||
|
|
||||||
|
+/* for secure_getenv */
|
||||||
|
+#define _GNU_SOURCE
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <time.h>
|
||||||
|
#include <errno.h>
|
||||||
|
@@ -550,7 +552,7 @@ static int check_chain_extensions(X509_S
|
||||||
|
* A hack to keep people who don't want to modify their software
|
||||||
|
* happy
|
||||||
|
*/
|
||||||
|
- if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
|
||||||
|
+ if (secure_getenv("OPENSSL_ALLOW_PROXY_CERTS"))
|
||||||
|
allow_proxy_certs = 1;
|
||||||
|
purpose = ctx->param->purpose;
|
||||||
|
}
|
||||||
|
diff -up openssl-1.0.2a/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.2a/engines/ccgost/gost_ctl.c
|
||||||
|
--- openssl-1.0.2a/engines/ccgost/gost_ctl.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/engines/ccgost/gost_ctl.c 2015-04-21 17:19:53.897187577 +0200
|
||||||
|
@@ -6,6 +6,8 @@
|
||||||
|
* Implementation of control commands for GOST engine *
|
||||||
|
* OpenSSL 0.9.9 libraries required *
|
||||||
|
**********************************************************************/
|
||||||
|
+/* for secure_getenv */
|
||||||
|
+#define _GNU_SOURCE
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <openssl/crypto.h>
|
||||||
|
@@ -64,7 +66,7 @@ const char *get_gost_engine_param(int pa
|
||||||
|
if (gost_params[param] != NULL) {
|
||||||
|
return gost_params[param];
|
||||||
|
}
|
||||||
|
- tmp = getenv(gost_envnames[param]);
|
||||||
|
+ tmp = secure_getenv(gost_envnames[param]);
|
||||||
|
if (tmp) {
|
||||||
|
if (gost_params[param])
|
||||||
|
OPENSSL_free(gost_params[param]);
|
||||||
|
@@ -79,7 +81,7 @@ int gost_set_default_param(int param, co
|
||||||
|
const char *tmp;
|
||||||
|
if (param < 0 || param > GOST_PARAM_MAX)
|
||||||
|
return 0;
|
||||||
|
- tmp = getenv(gost_envnames[param]);
|
||||||
|
+ tmp = secure_getenv(gost_envnames[param]);
|
||||||
|
/*
|
||||||
|
* if there is value in the environment, use it, else -passed string *
|
||||||
|
*/
|
285
openssl-1.0.2a-system-cipherlist.patch
Normal file
285
openssl-1.0.2a-system-cipherlist.patch
Normal file
@ -0,0 +1,285 @@
|
|||||||
|
diff -up openssl-1.0.2a/Configure.system openssl-1.0.2a/Configure
|
||||||
|
--- openssl-1.0.2a/Configure.system 2015-04-22 15:23:47.970633650 +0200
|
||||||
|
+++ openssl-1.0.2a/Configure 2015-04-22 15:23:48.042635407 +0200
|
||||||
|
@@ -10,7 +10,7 @@ use strict;
|
||||||
|
|
||||||
|
# see INSTALL for instructions.
|
||||||
|
|
||||||
|
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
|
||||||
|
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
|
||||||
|
|
||||||
|
# Options:
|
||||||
|
#
|
||||||
|
@@ -35,6 +35,9 @@ my $usage="Usage: Configure [no-<cipher>
|
||||||
|
# --with-krb5-flavor Declare what flavor of Kerberos 5 is used. Currently
|
||||||
|
# supported values are "MIT" and "Heimdal". A value is required.
|
||||||
|
#
|
||||||
|
+# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM
|
||||||
|
+# cipher is specified (default).
|
||||||
|
+#
|
||||||
|
# --test-sanity Make a number of sanity checks on the data in this file.
|
||||||
|
# This is a debugging tool for OpenSSL developers.
|
||||||
|
#
|
||||||
|
@@ -703,6 +706,7 @@ my $prefix="";
|
||||||
|
my $libdir="";
|
||||||
|
my $openssldir="";
|
||||||
|
my $enginesdir="";
|
||||||
|
+my $system_ciphers_file="";
|
||||||
|
my $exe_ext="";
|
||||||
|
my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
|
||||||
|
my $cross_compile_prefix="";
|
||||||
|
@@ -934,6 +938,10 @@ PROCESS_ARGS:
|
||||||
|
{
|
||||||
|
$enginesdir=$1;
|
||||||
|
}
|
||||||
|
+ elsif (/^--system-ciphers-file=(.*)$/)
|
||||||
|
+ {
|
||||||
|
+ $system_ciphers_file=$1;
|
||||||
|
+ }
|
||||||
|
elsif (/^--install.prefix=(.*)$/)
|
||||||
|
{
|
||||||
|
$install_prefix=$1;
|
||||||
|
@@ -1096,6 +1104,7 @@ print "Configuring for $target\n";
|
||||||
|
|
||||||
|
&usage if (!defined($table{$target}));
|
||||||
|
|
||||||
|
+chop $system_ciphers_file if $system_ciphers_file =~ /\/$/;
|
||||||
|
|
||||||
|
foreach (sort (keys %disabled))
|
||||||
|
{
|
||||||
|
@@ -1667,6 +1676,7 @@ while (<IN>)
|
||||||
|
s/^INSTALLTOP=.*$/INSTALLTOP=$prefix/;
|
||||||
|
s/^MULTILIB=.*$/MULTILIB=$multilib/;
|
||||||
|
s/^OPENSSLDIR=.*$/OPENSSLDIR=$openssldir/;
|
||||||
|
+ s/^SYSTEM_CIPHERS_FILE=.*$/SYSTEM_CIPHERS_FILE=$system_ciphers_file/;
|
||||||
|
s/^LIBDIR=.*$/LIBDIR=$libdir/;
|
||||||
|
s/^INSTALL_PREFIX=.*$/INSTALL_PREFIX=$install_prefix/;
|
||||||
|
s/^PLATFORM=.*$/PLATFORM=$target/;
|
||||||
|
@@ -1877,6 +1887,14 @@ while (<IN>)
|
||||||
|
$foo =~ s/\\/\\\\/g;
|
||||||
|
print OUT "#define ENGINESDIR \"$foo\"\n";
|
||||||
|
}
|
||||||
|
+ elsif (/^#((define)|(undef))\s+SYSTEM_CIPHERS_FILE/)
|
||||||
|
+ {
|
||||||
|
+ my $foo = "$system_ciphers_file";
|
||||||
|
+ if ($foo ne '') {
|
||||||
|
+ $foo =~ s/\\/\\\\/g;
|
||||||
|
+ print OUT "#define SYSTEM_CIPHERS_FILE \"$foo\"\n";
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/)
|
||||||
|
{ printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n"
|
||||||
|
if $export_var_as_fn;
|
||||||
|
diff -up openssl-1.0.2a/crypto/opensslconf.h.in.system openssl-1.0.2a/crypto/opensslconf.h.in
|
||||||
|
--- openssl-1.0.2a/crypto/opensslconf.h.in.system 2015-04-22 15:23:47.988634089 +0200
|
||||||
|
+++ openssl-1.0.2a/crypto/opensslconf.h.in 2015-04-22 15:23:48.042635407 +0200
|
||||||
|
@@ -25,6 +25,8 @@
|
||||||
|
#endif
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#undef SYSTEM_CIPHERS_FILE
|
||||||
|
+
|
||||||
|
#undef OPENSSL_UNISTD
|
||||||
|
#define OPENSSL_UNISTD <unistd.h>
|
||||||
|
|
||||||
|
diff -up openssl-1.0.2a/ssl/ssl_ciph.c.system openssl-1.0.2a/ssl/ssl_ciph.c
|
||||||
|
--- openssl-1.0.2a/ssl/ssl_ciph.c.system 2015-04-22 15:23:47.993634211 +0200
|
||||||
|
+++ openssl-1.0.2a/ssl/ssl_ciph.c 2015-04-22 15:29:30.185982356 +0200
|
||||||
|
@@ -1463,6 +1463,50 @@ static int check_suiteb_cipher_list(cons
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#ifdef SYSTEM_CIPHERS_FILE
|
||||||
|
+static char *load_system_str(const char *suffix)
|
||||||
|
+{
|
||||||
|
+ FILE *fp;
|
||||||
|
+ char buf[1024];
|
||||||
|
+ char *new_rules;
|
||||||
|
+ unsigned len, slen;
|
||||||
|
+
|
||||||
|
+ fp = fopen(SYSTEM_CIPHERS_FILE, "r");
|
||||||
|
+ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
|
||||||
|
+ /* cannot open or file is empty */
|
||||||
|
+ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (fp)
|
||||||
|
+ fclose(fp);
|
||||||
|
+
|
||||||
|
+ slen = strlen(suffix);
|
||||||
|
+ len = strlen(buf);
|
||||||
|
+
|
||||||
|
+ if (buf[len - 1] == '\n') {
|
||||||
|
+ len--;
|
||||||
|
+ buf[len] = 0;
|
||||||
|
+ }
|
||||||
|
+ if (buf[len - 1] == '\r') {
|
||||||
|
+ len--;
|
||||||
|
+ buf[len] = 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ new_rules = OPENSSL_malloc(len + slen + 1);
|
||||||
|
+ if (new_rules == 0)
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ memcpy(new_rules, buf, len);
|
||||||
|
+ if (slen > 0) {
|
||||||
|
+ memcpy(&new_rules[len], suffix, slen);
|
||||||
|
+ len += slen;
|
||||||
|
+ }
|
||||||
|
+ new_rules[len] = 0;
|
||||||
|
+
|
||||||
|
+ return new_rules;
|
||||||
|
+}
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER)
|
||||||
|
**cipher_list, STACK_OF(SSL_CIPHER)
|
||||||
|
**cipher_list_by_id,
|
||||||
|
@@ -1471,19 +1515,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
|
int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
|
||||||
|
unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac,
|
||||||
|
disabled_ssl;
|
||||||
|
- STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
|
||||||
|
+ STACK_OF(SSL_CIPHER) *cipherstack = NULL, *tmp_cipher_list;
|
||||||
|
const char *rule_p;
|
||||||
|
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
|
||||||
|
const SSL_CIPHER **ca_list = NULL;
|
||||||
|
+#ifdef SYSTEM_CIPHERS_FILE
|
||||||
|
+ char *new_rules = NULL;
|
||||||
|
+
|
||||||
|
+ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
|
||||||
|
+ char *p = rule_str + 14;
|
||||||
|
+
|
||||||
|
+ new_rules = load_system_str(p);
|
||||||
|
+ rule_str = new_rules;
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Return with error if nothing to do.
|
||||||
|
*/
|
||||||
|
if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
|
||||||
|
- return NULL;
|
||||||
|
+ goto end;
|
||||||
|
#ifndef OPENSSL_NO_EC
|
||||||
|
if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
|
||||||
|
- return NULL;
|
||||||
|
+ goto end;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -1507,7 +1561,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
|
(CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
|
||||||
|
if (co_list == NULL) {
|
||||||
|
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
|
||||||
|
- return (NULL); /* Failure */
|
||||||
|
+ goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
|
||||||
|
@@ -1568,8 +1622,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
|
* in force within each class
|
||||||
|
*/
|
||||||
|
if (!ssl_cipher_strength_sort(&head, &tail)) {
|
||||||
|
- OPENSSL_free(co_list);
|
||||||
|
- return NULL;
|
||||||
|
+ goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Now disable everything (maintaining the ordering!) */
|
||||||
|
@@ -1587,9 +1640,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
|
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
|
||||||
|
ca_list = OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
|
||||||
|
if (ca_list == NULL) {
|
||||||
|
- OPENSSL_free(co_list);
|
||||||
|
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
|
||||||
|
- return (NULL); /* Failure */
|
||||||
|
+ goto end;
|
||||||
|
}
|
||||||
|
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
|
||||||
|
disabled_mkey, disabled_auth, disabled_enc,
|
||||||
|
@@ -1615,8 +1667,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
|
OPENSSL_free((void *)ca_list); /* Not needed anymore */
|
||||||
|
|
||||||
|
if (!ok) { /* Rule processing failure */
|
||||||
|
- OPENSSL_free(co_list);
|
||||||
|
- return (NULL);
|
||||||
|
+ goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -1624,8 +1675,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
|
* if we cannot get one.
|
||||||
|
*/
|
||||||
|
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
|
||||||
|
- OPENSSL_free(co_list);
|
||||||
|
- return (NULL);
|
||||||
|
+ goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -1646,12 +1696,12 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- OPENSSL_free(co_list); /* Not needed any longer */
|
||||||
|
|
||||||
|
tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
|
||||||
|
if (tmp_cipher_list == NULL) {
|
||||||
|
sk_SSL_CIPHER_free(cipherstack);
|
||||||
|
- return NULL;
|
||||||
|
+ cipherstack = NULL;
|
||||||
|
+ goto end;
|
||||||
|
}
|
||||||
|
if (*cipher_list != NULL)
|
||||||
|
sk_SSL_CIPHER_free(*cipher_list);
|
||||||
|
@@ -1663,6 +1713,12 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
|
ssl_cipher_ptr_id_cmp);
|
||||||
|
|
||||||
|
sk_SSL_CIPHER_sort(*cipher_list_by_id);
|
||||||
|
+
|
||||||
|
+ end:
|
||||||
|
+ OPENSSL_free(co_list);
|
||||||
|
+#ifdef SYSTEM_CIPHERS_FILE
|
||||||
|
+ OPENSSL_free(new_rules);
|
||||||
|
+#endif
|
||||||
|
return (cipherstack);
|
||||||
|
}
|
||||||
|
|
||||||
|
diff -up openssl-1.0.2a/ssl/ssl.h.system openssl-1.0.2a/ssl/ssl.h
|
||||||
|
--- openssl-1.0.2a/ssl/ssl.h.system 2015-04-22 15:23:48.043635431 +0200
|
||||||
|
+++ openssl-1.0.2a/ssl/ssl.h 2015-04-22 15:35:43.666093799 +0200
|
||||||
|
@@ -345,6 +345,11 @@ extern "C" {
|
||||||
|
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
|
||||||
|
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
|
||||||
|
*/
|
||||||
|
+# ifdef SYSTEM_CIPHERS_FILE
|
||||||
|
+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM"
|
||||||
|
+# else
|
||||||
|
+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST SSL_DEFAULT_CIPHER_LIST
|
||||||
|
+# endif
|
||||||
|
|
||||||
|
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
|
||||||
|
# define SSL_SENT_SHUTDOWN 1
|
||||||
|
diff -up openssl-1.0.2a/ssl/ssl_lib.c.system openssl-1.0.2a/ssl/ssl_lib.c
|
||||||
|
--- openssl-1.0.2a/ssl/ssl_lib.c.system 2015-04-22 15:23:48.044635455 +0200
|
||||||
|
+++ openssl-1.0.2a/ssl/ssl_lib.c 2015-04-22 15:31:55.794534631 +0200
|
||||||
|
@@ -273,7 +273,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
|
||||||
|
&(ctx->cipher_list_by_id),
|
||||||
|
meth->version ==
|
||||||
|
SSL2_VERSION ? "SSLv2" :
|
||||||
|
- SSL_DEFAULT_CIPHER_LIST, ctx->cert);
|
||||||
|
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert);
|
||||||
|
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
|
||||||
|
SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,
|
||||||
|
SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
|
||||||
|
@@ -1945,7 +1945,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
|
||||||
|
ssl_create_cipher_list(ret->method,
|
||||||
|
&ret->cipher_list, &ret->cipher_list_by_id,
|
||||||
|
meth->version ==
|
||||||
|
- SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST,
|
||||||
|
+ SSL2_VERSION ? "SSLv2" : SSL_SYSTEM_DEFAULT_CIPHER_LIST,
|
||||||
|
ret->cert);
|
||||||
|
if (ret->cipher_list == NULL || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
|
||||||
|
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
|
21
openssl-1.0.2a-test-use-localhost.patch
Normal file
21
openssl-1.0.2a-test-use-localhost.patch
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
diff -up openssl-1.0.2a/ssl/ssltest.c.use-localhost openssl-1.0.2a/ssl/ssltest.c
|
||||||
|
--- openssl-1.0.2a/ssl/ssltest.c.use-localhost 2015-04-20 14:43:07.172601663 +0200
|
||||||
|
+++ openssl-1.0.2a/ssl/ssltest.c 2015-04-20 14:45:02.831299849 +0200
|
||||||
|
@@ -1516,16 +1516,7 @@ int main(int argc, char *argv[])
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_KRB5
|
||||||
|
if (c_ssl && c_ssl->kssl_ctx) {
|
||||||
|
- char localhost[MAXHOSTNAMELEN + 2];
|
||||||
|
-
|
||||||
|
- if (gethostname(localhost, sizeof localhost - 1) == 0) {
|
||||||
|
- localhost[sizeof localhost - 1] = '\0';
|
||||||
|
- if (strlen(localhost) == sizeof localhost - 1) {
|
||||||
|
- BIO_printf(bio_err, "localhost name too long\n");
|
||||||
|
- goto end;
|
||||||
|
- }
|
||||||
|
- kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, localhost);
|
||||||
|
- }
|
||||||
|
+ kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, "localhost");
|
||||||
|
}
|
||||||
|
#endif /* OPENSSL_NO_KRB5 */
|
||||||
|
|
286
openssl-1.0.2a-trusted-first-doc.patch
Normal file
286
openssl-1.0.2a-trusted-first-doc.patch
Normal file
@ -0,0 +1,286 @@
|
|||||||
|
diff -up openssl-1.0.2a/apps/cms.c.trusted-first openssl-1.0.2a/apps/cms.c
|
||||||
|
--- openssl-1.0.2a/apps/cms.c.trusted-first 2015-03-19 14:30:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/apps/cms.c 2015-04-22 16:25:31.839164061 +0200
|
||||||
|
@@ -646,6 +646,8 @@ int MAIN(int argc, char **argv)
|
||||||
|
"-CApath dir trusted certificates directory\n");
|
||||||
|
BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
|
||||||
|
BIO_printf(bio_err,
|
||||||
|
+ "-trusted_first use trusted certificates first when building the trust chain\n");
|
||||||
|
+ BIO_printf(bio_err,
|
||||||
|
"-crl_check check revocation status of signer's certificate using CRLs\n");
|
||||||
|
BIO_printf(bio_err,
|
||||||
|
"-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
|
||||||
|
diff -up openssl-1.0.2a/apps/ocsp.c.trusted-first openssl-1.0.2a/apps/ocsp.c
|
||||||
|
--- openssl-1.0.2a/apps/ocsp.c.trusted-first 2015-03-19 14:30:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/apps/ocsp.c 2015-04-22 16:25:31.840164085 +0200
|
||||||
|
@@ -536,6 +536,8 @@ int MAIN(int argc, char **argv)
|
||||||
|
BIO_printf(bio_err,
|
||||||
|
"-CAfile file trusted certificates file\n");
|
||||||
|
BIO_printf(bio_err,
|
||||||
|
+ "-trusted_first use trusted certificates first when building the trust chain\n");
|
||||||
|
+ BIO_printf(bio_err,
|
||||||
|
"-VAfile file validator certificates file\n");
|
||||||
|
BIO_printf(bio_err,
|
||||||
|
"-validity_period n maximum validity discrepancy in seconds\n");
|
||||||
|
diff -up openssl-1.0.2a/apps/s_client.c.trusted-first openssl-1.0.2a/apps/s_client.c
|
||||||
|
--- openssl-1.0.2a/apps/s_client.c.trusted-first 2015-04-22 16:25:31.799163115 +0200
|
||||||
|
+++ openssl-1.0.2a/apps/s_client.c 2015-04-22 16:25:31.840164085 +0200
|
||||||
|
@@ -333,6 +333,8 @@ static void sc_usage(void)
|
||||||
|
BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
|
||||||
|
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
|
||||||
|
BIO_printf(bio_err,
|
||||||
|
+ " -trusted_first - Use trusted CA's first when building the trust chain\n");
|
||||||
|
+ BIO_printf(bio_err,
|
||||||
|
" -reconnect - Drop and re-make the connection with the same Session-ID\n");
|
||||||
|
BIO_printf(bio_err,
|
||||||
|
" -pause - sleep(1) after each read(2) and write(2) system call\n");
|
||||||
|
diff -up openssl-1.0.2a/apps/smime.c.trusted-first openssl-1.0.2a/apps/smime.c
|
||||||
|
--- openssl-1.0.2a/apps/smime.c.trusted-first 2015-03-19 14:30:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/apps/smime.c 2015-04-22 16:25:31.840164085 +0200
|
||||||
|
@@ -442,6 +442,8 @@ int MAIN(int argc, char **argv)
|
||||||
|
"-CApath dir trusted certificates directory\n");
|
||||||
|
BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
|
||||||
|
BIO_printf(bio_err,
|
||||||
|
+ "-trusted_first use trusted certificates first when building the trust chain\n");
|
||||||
|
+ BIO_printf(bio_err,
|
||||||
|
"-crl_check check revocation status of signer's certificate using CRLs\n");
|
||||||
|
BIO_printf(bio_err,
|
||||||
|
"-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
|
||||||
|
diff -up openssl-1.0.2a/apps/s_server.c.trusted-first openssl-1.0.2a/apps/s_server.c
|
||||||
|
--- openssl-1.0.2a/apps/s_server.c.trusted-first 2015-04-22 16:25:31.806163281 +0200
|
||||||
|
+++ openssl-1.0.2a/apps/s_server.c 2015-04-22 16:25:31.841164108 +0200
|
||||||
|
@@ -569,6 +569,8 @@ static void sv_usage(void)
|
||||||
|
BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
|
||||||
|
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
|
||||||
|
BIO_printf(bio_err,
|
||||||
|
+ " -trusted_first - Use trusted CA's first when building the trust chain\n");
|
||||||
|
+ BIO_printf(bio_err,
|
||||||
|
" -nocert - Don't use any certificates (Anon-DH)\n");
|
||||||
|
BIO_printf(bio_err,
|
||||||
|
" -cipher arg - play with 'openssl ciphers' to see what goes here\n");
|
||||||
|
diff -up openssl-1.0.2a/apps/s_time.c.trusted-first openssl-1.0.2a/apps/s_time.c
|
||||||
|
--- openssl-1.0.2a/apps/s_time.c.trusted-first 2015-04-22 16:25:31.755162075 +0200
|
||||||
|
+++ openssl-1.0.2a/apps/s_time.c 2015-04-22 16:25:31.841164108 +0200
|
||||||
|
@@ -182,6 +182,7 @@ static void s_time_usage(void)
|
||||||
|
file if not specified by this option\n\
|
||||||
|
-CApath arg - PEM format directory of CA's\n\
|
||||||
|
-CAfile arg - PEM format file of CA's\n\
|
||||||
|
+-trusted_first - Use trusted CA's first when building the trust chain\n\
|
||||||
|
-cipher - preferred cipher to use, play with 'openssl ciphers'\n\n";
|
||||||
|
|
||||||
|
printf("usage: s_time <args>\n\n");
|
||||||
|
diff -up openssl-1.0.2a/apps/ts.c.trusted-first openssl-1.0.2a/apps/ts.c
|
||||||
|
--- openssl-1.0.2a/apps/ts.c.trusted-first 2015-04-22 16:25:31.797163068 +0200
|
||||||
|
+++ openssl-1.0.2a/apps/ts.c 2015-04-22 16:25:31.841164108 +0200
|
||||||
|
@@ -352,7 +352,7 @@ int MAIN(int argc, char **argv)
|
||||||
|
"ts -verify [-data file_to_hash] [-digest digest_bytes] "
|
||||||
|
"[-queryfile request.tsq] "
|
||||||
|
"-in response.tsr [-token_in] "
|
||||||
|
- "-CApath ca_path -CAfile ca_file.pem "
|
||||||
|
+ "-CApath ca_path -CAfile ca_file.pem -trusted_first"
|
||||||
|
"-untrusted cert_file.pem\n");
|
||||||
|
cleanup:
|
||||||
|
/* Clean up. */
|
||||||
|
diff -up openssl-1.0.2a/apps/verify.c.trusted-first openssl-1.0.2a/apps/verify.c
|
||||||
|
--- openssl-1.0.2a/apps/verify.c.trusted-first 2015-03-19 14:30:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/apps/verify.c 2015-04-22 16:25:31.841164108 +0200
|
||||||
|
@@ -231,7 +231,7 @@ int MAIN(int argc, char **argv)
|
||||||
|
end:
|
||||||
|
if (ret == 1) {
|
||||||
|
BIO_printf(bio_err,
|
||||||
|
- "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
|
||||||
|
+ "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
|
||||||
|
BIO_printf(bio_err, " [-attime timestamp]");
|
||||||
|
#ifndef OPENSSL_NO_ENGINE
|
||||||
|
BIO_printf(bio_err, " [-engine e]");
|
||||||
|
diff -up openssl-1.0.2a/doc/apps/cms.pod.trusted-first openssl-1.0.2a/doc/apps/cms.pod
|
||||||
|
--- openssl-1.0.2a/doc/apps/cms.pod.trusted-first 2015-03-19 14:30:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/doc/apps/cms.pod 2015-04-22 16:25:31.842164132 +0200
|
||||||
|
@@ -35,6 +35,7 @@ B<openssl> B<cms>
|
||||||
|
[B<-print>]
|
||||||
|
[B<-CAfile file>]
|
||||||
|
[B<-CApath dir>]
|
||||||
|
+[B<-trusted_first>]
|
||||||
|
[B<-md digest>]
|
||||||
|
[B<-[cipher]>]
|
||||||
|
[B<-nointern>]
|
||||||
|
@@ -244,6 +245,12 @@ B<-verify>. This directory must be a sta
|
||||||
|
is a hash of each subject name (using B<x509 -hash>) should be linked
|
||||||
|
to each certificate.
|
||||||
|
|
||||||
|
+=item B<-trusted_first>
|
||||||
|
+
|
||||||
|
+Use certificates in CA file or CA directory before untrusted certificates
|
||||||
|
+from the message when building the trust chain to verify certificates.
|
||||||
|
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
||||||
|
+
|
||||||
|
=item B<-md digest>
|
||||||
|
|
||||||
|
digest algorithm to use when signing or resigning. If not present then the
|
||||||
|
diff -up openssl-1.0.2a/doc/apps/ocsp.pod.trusted-first openssl-1.0.2a/doc/apps/ocsp.pod
|
||||||
|
--- openssl-1.0.2a/doc/apps/ocsp.pod.trusted-first 2015-04-22 16:25:31.798163092 +0200
|
||||||
|
+++ openssl-1.0.2a/doc/apps/ocsp.pod 2015-04-22 16:25:31.842164132 +0200
|
||||||
|
@@ -29,6 +29,7 @@ B<openssl> B<ocsp>
|
||||||
|
[B<-path>]
|
||||||
|
[B<-CApath dir>]
|
||||||
|
[B<-CAfile file>]
|
||||||
|
+[B<-trusted_first>]
|
||||||
|
[B<-VAfile file>]
|
||||||
|
[B<-validity_period n>]
|
||||||
|
[B<-status_age n>]
|
||||||
|
@@ -143,6 +144,13 @@ connection timeout to the OCSP responder
|
||||||
|
file or pathname containing trusted CA certificates. These are used to verify
|
||||||
|
the signature on the OCSP response.
|
||||||
|
|
||||||
|
+=item B<-trusted_first>
|
||||||
|
+
|
||||||
|
+Use certificates in CA file or CA directory over certificates provided
|
||||||
|
+in the response or residing in other certificates file when building the trust
|
||||||
|
+chain to verify responder certificate.
|
||||||
|
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
||||||
|
+
|
||||||
|
=item B<-verify_other file>
|
||||||
|
|
||||||
|
file containing additional certificates to search when attempting to locate
|
||||||
|
diff -up openssl-1.0.2a/doc/apps/s_client.pod.trusted-first openssl-1.0.2a/doc/apps/s_client.pod
|
||||||
|
--- openssl-1.0.2a/doc/apps/s_client.pod.trusted-first 2015-04-22 16:25:31.814163470 +0200
|
||||||
|
+++ openssl-1.0.2a/doc/apps/s_client.pod 2015-04-22 16:25:31.843164156 +0200
|
||||||
|
@@ -19,6 +19,7 @@ B<openssl> B<s_client>
|
||||||
|
[B<-pass arg>]
|
||||||
|
[B<-CApath directory>]
|
||||||
|
[B<-CAfile filename>]
|
||||||
|
+[B<-trusted_first>]
|
||||||
|
[B<-reconnect>]
|
||||||
|
[B<-pause>]
|
||||||
|
[B<-showcerts>]
|
||||||
|
@@ -123,7 +124,7 @@ also used when building the client certi
|
||||||
|
A file containing trusted certificates to use during server authentication
|
||||||
|
and to use when attempting to build the client certificate chain.
|
||||||
|
|
||||||
|
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
|
||||||
|
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first>
|
||||||
|
|
||||||
|
Set various certificate chain valiadition option. See the
|
||||||
|
L<B<verify>|verify(1)> manual page for details.
|
||||||
|
diff -up openssl-1.0.2a/doc/apps/smime.pod.trusted-first openssl-1.0.2a/doc/apps/smime.pod
|
||||||
|
--- openssl-1.0.2a/doc/apps/smime.pod.trusted-first 2015-01-20 13:33:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/doc/apps/smime.pod 2015-04-22 16:25:31.843164156 +0200
|
||||||
|
@@ -15,6 +15,9 @@ B<openssl> B<smime>
|
||||||
|
[B<-pk7out>]
|
||||||
|
[B<-[cipher]>]
|
||||||
|
[B<-in file>]
|
||||||
|
+[B<-CAfile file>]
|
||||||
|
+[B<-CApath dir>]
|
||||||
|
+[B<-trusted_first>]
|
||||||
|
[B<-certfile file>]
|
||||||
|
[B<-signer file>]
|
||||||
|
[B<-recip file>]
|
||||||
|
@@ -146,6 +149,12 @@ B<-verify>. This directory must be a sta
|
||||||
|
is a hash of each subject name (using B<x509 -hash>) should be linked
|
||||||
|
to each certificate.
|
||||||
|
|
||||||
|
+=item B<-trusted_first>
|
||||||
|
+
|
||||||
|
+Use certificates in CA file or CA directory over certificates provided
|
||||||
|
+in the message when building the trust chain to verify a certificate.
|
||||||
|
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
||||||
|
+
|
||||||
|
=item B<-md digest>
|
||||||
|
|
||||||
|
digest algorithm to use when signing or resigning. If not present then the
|
||||||
|
diff -up openssl-1.0.2a/doc/apps/s_server.pod.trusted-first openssl-1.0.2a/doc/apps/s_server.pod
|
||||||
|
--- openssl-1.0.2a/doc/apps/s_server.pod.trusted-first 2015-04-22 16:25:31.814163470 +0200
|
||||||
|
+++ openssl-1.0.2a/doc/apps/s_server.pod 2015-04-22 16:25:31.843164156 +0200
|
||||||
|
@@ -33,6 +33,7 @@ B<openssl> B<s_server>
|
||||||
|
[B<-state>]
|
||||||
|
[B<-CApath directory>]
|
||||||
|
[B<-CAfile filename>]
|
||||||
|
+[B<-trusted_first>]
|
||||||
|
[B<-nocert>]
|
||||||
|
[B<-cipher cipherlist>]
|
||||||
|
[B<-serverpref>]
|
||||||
|
@@ -174,6 +175,12 @@ and to use when attempting to build the
|
||||||
|
is also used in the list of acceptable client CAs passed to the client when
|
||||||
|
a certificate is requested.
|
||||||
|
|
||||||
|
+=item B<-trusted_first>
|
||||||
|
+
|
||||||
|
+Use certificates in CA file or CA directory before other certificates
|
||||||
|
+when building the trust chain to verify client certificates.
|
||||||
|
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
||||||
|
+
|
||||||
|
=item B<-state>
|
||||||
|
|
||||||
|
prints out the SSL session states.
|
||||||
|
diff -up openssl-1.0.2a/doc/apps/s_time.pod.trusted-first openssl-1.0.2a/doc/apps/s_time.pod
|
||||||
|
--- openssl-1.0.2a/doc/apps/s_time.pod.trusted-first 2015-01-15 15:43:49.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/doc/apps/s_time.pod 2015-04-22 16:25:31.843164156 +0200
|
||||||
|
@@ -14,6 +14,7 @@ B<openssl> B<s_time>
|
||||||
|
[B<-key filename>]
|
||||||
|
[B<-CApath directory>]
|
||||||
|
[B<-CAfile filename>]
|
||||||
|
+[B<-trusted_first>]
|
||||||
|
[B<-reuse>]
|
||||||
|
[B<-new>]
|
||||||
|
[B<-verify depth>]
|
||||||
|
@@ -76,6 +77,12 @@ also used when building the client certi
|
||||||
|
A file containing trusted certificates to use during server authentication
|
||||||
|
and to use when attempting to build the client certificate chain.
|
||||||
|
|
||||||
|
+=item B<-trusted_first>
|
||||||
|
+
|
||||||
|
+Use certificates in CA file or CA directory over the certificates provided
|
||||||
|
+by the server when building the trust chain to verify server certificate.
|
||||||
|
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
||||||
|
+
|
||||||
|
=item B<-new>
|
||||||
|
|
||||||
|
performs the timing test using a new session ID for each connection.
|
||||||
|
diff -up openssl-1.0.2a/doc/apps/ts.pod.trusted-first openssl-1.0.2a/doc/apps/ts.pod
|
||||||
|
--- openssl-1.0.2a/doc/apps/ts.pod.trusted-first 2015-01-20 13:33:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/doc/apps/ts.pod 2015-04-22 16:25:31.843164156 +0200
|
||||||
|
@@ -46,6 +46,7 @@ B<-verify>
|
||||||
|
[B<-token_in>]
|
||||||
|
[B<-CApath> trusted_cert_path]
|
||||||
|
[B<-CAfile> trusted_certs.pem]
|
||||||
|
+[B<-trusted_first>]
|
||||||
|
[B<-untrusted> cert_file.pem]
|
||||||
|
|
||||||
|
=head1 DESCRIPTION
|
||||||
|
@@ -324,6 +325,12 @@ L<verify(1)|verify(1)> for additional de
|
||||||
|
or B<-CApath> must be specified.
|
||||||
|
(Optional)
|
||||||
|
|
||||||
|
+=item B<-trusted_first>
|
||||||
|
+
|
||||||
|
+Use certificates in CA file or CA directory before other certificates
|
||||||
|
+when building the trust chain to verify certificates.
|
||||||
|
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
||||||
|
+
|
||||||
|
=item B<-untrusted> cert_file.pem
|
||||||
|
|
||||||
|
Set of additional untrusted certificates in PEM format which may be
|
||||||
|
diff -up openssl-1.0.2a/doc/apps/verify.pod.trusted-first openssl-1.0.2a/doc/apps/verify.pod
|
||||||
|
--- openssl-1.0.2a/doc/apps/verify.pod.trusted-first 2015-03-19 14:30:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/doc/apps/verify.pod 2015-04-22 16:25:31.843164156 +0200
|
||||||
|
@@ -9,6 +9,7 @@ verify - Utility to verify certificates.
|
||||||
|
B<openssl> B<verify>
|
||||||
|
[B<-CApath directory>]
|
||||||
|
[B<-CAfile file>]
|
||||||
|
+[B<-trusted_first>]
|
||||||
|
[B<-purpose purpose>]
|
||||||
|
[B<-policy arg>]
|
||||||
|
[B<-ignore_critical>]
|
||||||
|
@@ -78,6 +79,12 @@ If a valid CRL cannot be found an error
|
||||||
|
A file of untrusted certificates. The file should contain multiple certificates
|
||||||
|
in PEM format concatenated together.
|
||||||
|
|
||||||
|
+=item B<-trusted_first>
|
||||||
|
+
|
||||||
|
+Use certificates in CA file or CA directory before the certificates in the untrusted
|
||||||
|
+file when building the trust chain to verify certificates.
|
||||||
|
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
|
||||||
|
+
|
||||||
|
=item B<-purpose purpose>
|
||||||
|
|
||||||
|
The intended use for the certificate. If this option is not specified,
|
47
openssl-1.0.2a-version-add-engines.patch
Normal file
47
openssl-1.0.2a-version-add-engines.patch
Normal file
@ -0,0 +1,47 @@
|
|||||||
|
diff -up openssl-1.0.2a/apps/version.c.version-add-engines openssl-1.0.2a/apps/version.c
|
||||||
|
--- openssl-1.0.2a/apps/version.c.version-add-engines 2015-04-09 18:16:42.345756005 +0200
|
||||||
|
+++ openssl-1.0.2a/apps/version.c 2015-04-09 18:16:36.573622667 +0200
|
||||||
|
@@ -131,6 +131,7 @@
|
||||||
|
#ifndef OPENSSL_NO_BF
|
||||||
|
# include <openssl/blowfish.h>
|
||||||
|
#endif
|
||||||
|
+#include <openssl/engine.h>
|
||||||
|
|
||||||
|
#undef PROG
|
||||||
|
#define PROG version_main
|
||||||
|
@@ -140,7 +141,8 @@ int MAIN(int, char **);
|
||||||
|
int MAIN(int argc, char **argv)
|
||||||
|
{
|
||||||
|
int i, ret = 0;
|
||||||
|
- int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0;
|
||||||
|
+ int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir =
|
||||||
|
+ 0, engines = 0;
|
||||||
|
|
||||||
|
apps_startup();
|
||||||
|
|
||||||
|
@@ -164,7 +166,7 @@ int MAIN(int argc, char **argv)
|
||||||
|
else if (strcmp(argv[i], "-d") == 0)
|
||||||
|
dir = 1;
|
||||||
|
else if (strcmp(argv[i], "-a") == 0)
|
||||||
|
- date = version = cflags = options = platform = dir = 1;
|
||||||
|
+ date = version = cflags = options = platform = dir = engines = 1;
|
||||||
|
else {
|
||||||
|
BIO_printf(bio_err, "usage:version -[avbofpd]\n");
|
||||||
|
ret = 1;
|
||||||
|
@@ -208,6 +210,16 @@ int MAIN(int argc, char **argv)
|
||||||
|
printf("%s\n", SSLeay_version(SSLEAY_CFLAGS));
|
||||||
|
if (dir)
|
||||||
|
printf("%s\n", SSLeay_version(SSLEAY_DIR));
|
||||||
|
+ if (engines) {
|
||||||
|
+ ENGINE *e;
|
||||||
|
+ printf("engines: ");
|
||||||
|
+ e = ENGINE_get_first();
|
||||||
|
+ while (e) {
|
||||||
|
+ printf("%s ", ENGINE_get_id(e));
|
||||||
|
+ e = ENGINE_get_next(e);
|
||||||
|
+ }
|
||||||
|
+ printf("\n");
|
||||||
|
+ }
|
||||||
|
end:
|
||||||
|
apps_shutdown();
|
||||||
|
OPENSSL_EXIT(ret);
|
83
openssl-1.0.2a-version.patch
Normal file
83
openssl-1.0.2a-version.patch
Normal file
@ -0,0 +1,83 @@
|
|||||||
|
diff -up openssl-1.0.2a/crypto/cversion.c.version openssl-1.0.2a/crypto/cversion.c
|
||||||
|
--- openssl-1.0.2a/crypto/cversion.c.version 2015-03-19 14:30:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/crypto/cversion.c 2015-04-21 16:48:56.285535316 +0200
|
||||||
|
@@ -62,7 +62,7 @@
|
||||||
|
# include "buildinf.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
-const char *SSLeay_version(int t)
|
||||||
|
+const char *_current_SSLeay_version(int t)
|
||||||
|
{
|
||||||
|
if (t == SSLEAY_VERSION)
|
||||||
|
return OPENSSL_VERSION_TEXT;
|
||||||
|
@@ -101,7 +101,40 @@ const char *SSLeay_version(int t)
|
||||||
|
return ("not available");
|
||||||
|
}
|
||||||
|
|
||||||
|
-unsigned long SSLeay(void)
|
||||||
|
+const char *_original_SSLeay_version(int t)
|
||||||
|
+{
|
||||||
|
+ if (t == SSLEAY_VERSION)
|
||||||
|
+ return "OpenSSL 1.0.0-fips 29 Mar 2010";
|
||||||
|
+ else
|
||||||
|
+ return _current_SSLeay_version(t);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+const char *_original101_SSLeay_version(int t)
|
||||||
|
+{
|
||||||
|
+ if (t == SSLEAY_VERSION)
|
||||||
|
+ return "OpenSSL 1.0.1e-fips 11 Feb 2013";
|
||||||
|
+ else
|
||||||
|
+ return _current_SSLeay_version(t);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+unsigned long _original_SSLeay(void)
|
||||||
|
+{
|
||||||
|
+ return (0x10000003L);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+unsigned long _original101_SSLeay(void)
|
||||||
|
+{
|
||||||
|
+ return (0x1000105fL);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+unsigned long _current_SSLeay(void)
|
||||||
|
{
|
||||||
|
return (SSLEAY_VERSION_NUMBER);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+__asm__(".symver _original_SSLeay,SSLeay@");
|
||||||
|
+__asm__(".symver _original_SSLeay_version,SSLeay_version@");
|
||||||
|
+__asm__(".symver _original101_SSLeay,SSLeay@OPENSSL_1.0.1");
|
||||||
|
+__asm__(".symver _original101_SSLeay_version,SSLeay_version@OPENSSL_1.0.1");
|
||||||
|
+__asm__(".symver _current_SSLeay,SSLeay@@OPENSSL_1.0.2");
|
||||||
|
+__asm__(".symver _current_SSLeay_version,SSLeay_version@@OPENSSL_1.0.2");
|
||||||
|
diff -up openssl-1.0.2a/Makefile.shared.version openssl-1.0.2a/Makefile.shared
|
||||||
|
--- openssl-1.0.2a/Makefile.shared.version 2015-04-21 16:43:02.624170648 +0200
|
||||||
|
+++ openssl-1.0.2a/Makefile.shared 2015-04-21 16:43:02.676171879 +0200
|
||||||
|
@@ -151,7 +151,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
|
||||||
|
SHLIB_SUFFIX=; \
|
||||||
|
ALLSYMSFLAGS='-Wl,--whole-archive'; \
|
||||||
|
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
|
||||||
|
- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
|
||||||
|
+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,--default-symver,--version-script=version.map -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
|
||||||
|
|
||||||
|
DO_GNU_APP=LDFLAGS="$(CFLAGS)"
|
||||||
|
|
||||||
|
diff -up openssl-1.0.2a/version.map.version openssl-1.0.2a/version.map
|
||||||
|
--- openssl-1.0.2a/version.map.version 2015-04-21 16:43:02.676171879 +0200
|
||||||
|
+++ openssl-1.0.2a/version.map 2015-04-21 16:51:49.621630589 +0200
|
||||||
|
@@ -0,0 +1,13 @@
|
||||||
|
+OPENSSL_1.0.1 {
|
||||||
|
+ global:
|
||||||
|
+ SSLeay;
|
||||||
|
+ SSLeay_version;
|
||||||
|
+ local:
|
||||||
|
+ _original*;
|
||||||
|
+ _current*;
|
||||||
|
+};
|
||||||
|
+OPENSSL_1.0.2 {
|
||||||
|
+ global:
|
||||||
|
+ SSLeay;
|
||||||
|
+ SSLeay_version;
|
||||||
|
+} OPENSSL_1.0.1;
|
12
openssl-1.0.2a-weak-ciphers.patch
Normal file
12
openssl-1.0.2a-weak-ciphers.patch
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
diff -up openssl-1.0.2a/ssl/ssl.h.weak-ciphers openssl-1.0.2a/ssl/ssl.h
|
||||||
|
--- openssl-1.0.2a/ssl/ssl.h.weak-ciphers 2015-04-22 15:11:14.026574414 +0200
|
||||||
|
+++ openssl-1.0.2a/ssl/ssl.h 2015-04-22 15:14:51.302744713 +0200
|
||||||
|
@@ -338,7 +338,7 @@ extern "C" {
|
||||||
|
* The following cipher list is used by default. It also is substituted when
|
||||||
|
* an application-defined cipher list string starts with 'DEFAULT'.
|
||||||
|
*/
|
||||||
|
-# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
|
||||||
|
+# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2:!DES"
|
||||||
|
/*
|
||||||
|
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
|
||||||
|
* starts with a reasonable order, and all we have to do for DEFAULT is
|
555
openssl-1.0.2a-wrap-pad.patch
Normal file
555
openssl-1.0.2a-wrap-pad.patch
Normal file
@ -0,0 +1,555 @@
|
|||||||
|
diff -up openssl-1.0.2a/crypto/evp/c_allc.c.wrap openssl-1.0.2a/crypto/evp/c_allc.c
|
||||||
|
--- openssl-1.0.2a/crypto/evp/c_allc.c.wrap 2015-04-22 15:41:32.147488107 +0200
|
||||||
|
+++ openssl-1.0.2a/crypto/evp/c_allc.c 2015-04-22 15:47:25.486946239 +0200
|
||||||
|
@@ -179,6 +179,7 @@ void OpenSSL_add_all_ciphers(void)
|
||||||
|
EVP_add_cipher(EVP_aes_128_xts());
|
||||||
|
EVP_add_cipher(EVP_aes_128_ccm());
|
||||||
|
EVP_add_cipher(EVP_aes_128_wrap());
|
||||||
|
+ EVP_add_cipher(EVP_aes_128_wrap_pad());
|
||||||
|
EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
|
||||||
|
EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
|
||||||
|
EVP_add_cipher(EVP_aes_192_ecb());
|
||||||
|
@@ -191,6 +192,7 @@ void OpenSSL_add_all_ciphers(void)
|
||||||
|
EVP_add_cipher(EVP_aes_192_gcm());
|
||||||
|
EVP_add_cipher(EVP_aes_192_ccm());
|
||||||
|
EVP_add_cipher(EVP_aes_192_wrap());
|
||||||
|
+ EVP_add_cipher(EVP_aes_192_wrap_pad());
|
||||||
|
EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
|
||||||
|
EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
|
||||||
|
EVP_add_cipher(EVP_aes_256_ecb());
|
||||||
|
@@ -204,6 +206,7 @@ void OpenSSL_add_all_ciphers(void)
|
||||||
|
EVP_add_cipher(EVP_aes_256_xts());
|
||||||
|
EVP_add_cipher(EVP_aes_256_ccm());
|
||||||
|
EVP_add_cipher(EVP_aes_256_wrap());
|
||||||
|
+ EVP_add_cipher(EVP_aes_256_wrap_pad());
|
||||||
|
EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
|
||||||
|
EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
|
||||||
|
# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
|
||||||
|
@@ -258,6 +261,7 @@ void OpenSSL_add_all_ciphers(void)
|
||||||
|
|
||||||
|
EVP_add_cipher(EVP_des_ede());
|
||||||
|
EVP_add_cipher(EVP_des_ede3());
|
||||||
|
+ EVP_add_cipher(EVP_des_ede3_wrap());
|
||||||
|
# endif
|
||||||
|
|
||||||
|
# ifndef OPENSSL_NO_AES
|
||||||
|
@@ -272,6 +276,7 @@ void OpenSSL_add_all_ciphers(void)
|
||||||
|
EVP_add_cipher(EVP_aes_128_xts());
|
||||||
|
EVP_add_cipher(EVP_aes_128_ccm());
|
||||||
|
EVP_add_cipher(EVP_aes_128_wrap());
|
||||||
|
+ EVP_add_cipher(EVP_aes_128_wrap_pad());
|
||||||
|
EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
|
||||||
|
EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
|
||||||
|
EVP_add_cipher(EVP_aes_192_ecb());
|
||||||
|
@@ -284,6 +289,7 @@ void OpenSSL_add_all_ciphers(void)
|
||||||
|
EVP_add_cipher(EVP_aes_192_gcm());
|
||||||
|
EVP_add_cipher(EVP_aes_192_ccm());
|
||||||
|
EVP_add_cipher(EVP_aes_192_wrap());
|
||||||
|
+ EVP_add_cipher(EVP_aes_192_wrap_pad());
|
||||||
|
EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
|
||||||
|
EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
|
||||||
|
EVP_add_cipher(EVP_aes_256_ecb());
|
||||||
|
@@ -297,6 +303,7 @@ void OpenSSL_add_all_ciphers(void)
|
||||||
|
EVP_add_cipher(EVP_aes_256_xts());
|
||||||
|
EVP_add_cipher(EVP_aes_256_ccm());
|
||||||
|
EVP_add_cipher(EVP_aes_256_wrap());
|
||||||
|
+ EVP_add_cipher(EVP_aes_256_wrap_pad());
|
||||||
|
EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
|
||||||
|
EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
|
||||||
|
# endif
|
||||||
|
diff -up openssl-1.0.2a/crypto/evp/e_aes.c.wrap openssl-1.0.2a/crypto/evp/e_aes.c
|
||||||
|
--- openssl-1.0.2a/crypto/evp/e_aes.c.wrap 2015-04-22 15:41:32.148488131 +0200
|
||||||
|
+++ openssl-1.0.2a/crypto/evp/e_aes.c 2015-04-22 15:52:21.809039506 +0200
|
||||||
|
@@ -1,5 +1,5 @@
|
||||||
|
/* ====================================================================
|
||||||
|
- * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
|
||||||
|
+ * Copyright (c) 2001-2014 The OpenSSL Project. All rights reserved.
|
||||||
|
*
|
||||||
|
* Redistribution and use in source and binary forms, with or without
|
||||||
|
* modification, are permitted provided that the following conditions
|
||||||
|
@@ -1952,7 +1952,7 @@ static int aes_wrap_init_key(EVP_CIPHER_
|
||||||
|
wctx->iv = NULL;
|
||||||
|
}
|
||||||
|
if (iv) {
|
||||||
|
- memcpy(ctx->iv, iv, 8);
|
||||||
|
+ memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));
|
||||||
|
wctx->iv = ctx->iv;
|
||||||
|
}
|
||||||
|
return 1;
|
||||||
|
@@ -1963,30 +1963,57 @@ static int aes_wrap_cipher(EVP_CIPHER_CT
|
||||||
|
{
|
||||||
|
EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
|
||||||
|
size_t rv;
|
||||||
|
+ /* AES wrap with padding has IV length of 4, without padding 8 */
|
||||||
|
+ int pad = EVP_CIPHER_CTX_iv_length(ctx) == 4;
|
||||||
|
+ /* No final operation so always return zero length */
|
||||||
|
if (!in)
|
||||||
|
return 0;
|
||||||
|
- if (inlen % 8)
|
||||||
|
+ /* Input length must always be non-zero */
|
||||||
|
+ if (!inlen)
|
||||||
|
return -1;
|
||||||
|
- if (ctx->encrypt && inlen < 8)
|
||||||
|
+ /* If decrypting need at least 16 bytes and multiple of 8 */
|
||||||
|
+ if (!ctx->encrypt && (inlen < 16 || inlen & 0x7))
|
||||||
|
return -1;
|
||||||
|
- if (!ctx->encrypt && inlen < 16)
|
||||||
|
+ /* If not padding input must be multiple of 8 */
|
||||||
|
+ if (!pad && inlen & 0x7)
|
||||||
|
return -1;
|
||||||
|
if (!out) {
|
||||||
|
- if (ctx->encrypt)
|
||||||
|
+ if (ctx->encrypt) {
|
||||||
|
+ /* If padding round up to multiple of 8 */
|
||||||
|
+ if (pad)
|
||||||
|
+ inlen = (inlen + 7) / 8 * 8;
|
||||||
|
+ /* 8 byte prefix */
|
||||||
|
return inlen + 8;
|
||||||
|
- else
|
||||||
|
+ } else {
|
||||||
|
+ /* If not padding output will be exactly 8 bytes
|
||||||
|
+ * smaller than input. If padding it will be at
|
||||||
|
+ * least 8 bytes smaller but we don't know how
|
||||||
|
+ * much.
|
||||||
|
+ */
|
||||||
|
return inlen - 8;
|
||||||
|
}
|
||||||
|
+ }
|
||||||
|
+ if (pad) {
|
||||||
|
if (ctx->encrypt)
|
||||||
|
- rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv, out, in, inlen,
|
||||||
|
+ rv = CRYPTO_128_wrap_pad(&wctx->ks.ks, wctx->iv,
|
||||||
|
+ out, in, inlen,
|
||||||
|
(block128_f) AES_encrypt);
|
||||||
|
else
|
||||||
|
- rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv, out, in, inlen,
|
||||||
|
+ rv = CRYPTO_128_unwrap_pad(&wctx->ks.ks, wctx->iv,
|
||||||
|
+ out, in, inlen,
|
||||||
|
(block128_f) AES_decrypt);
|
||||||
|
+ } else {
|
||||||
|
+ if (ctx->encrypt)
|
||||||
|
+ rv = CRYPTO_128_wrap(&wctx->ks.ks, wctx->iv,
|
||||||
|
+ out, in, inlen, (block128_f) AES_encrypt);
|
||||||
|
+ else
|
||||||
|
+ rv = CRYPTO_128_unwrap(&wctx->ks.ks, wctx->iv,
|
||||||
|
+ out, in, inlen, (block128_f) AES_decrypt);
|
||||||
|
+ }
|
||||||
|
return rv ? (int)rv : -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
-#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \
|
||||||
|
+# define WRAP_FLAGS (EVP_CIPH_WRAP_MODE | EVP_CIPH_FLAG_FIPS \
|
||||||
|
| EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
|
||||||
|
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
|
||||||
|
|
||||||
|
@@ -2031,3 +2058,45 @@ const EVP_CIPHER *EVP_aes_256_wrap(void)
|
||||||
|
{
|
||||||
|
return &aes_256_wrap;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+static const EVP_CIPHER aes_128_wrap_pad = {
|
||||||
|
+ NID_id_aes128_wrap_pad,
|
||||||
|
+ 8, 16, 4, WRAP_FLAGS,
|
||||||
|
+ aes_wrap_init_key, aes_wrap_cipher,
|
||||||
|
+ NULL,
|
||||||
|
+ sizeof(EVP_AES_WRAP_CTX),
|
||||||
|
+ NULL, NULL, NULL, NULL
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+const EVP_CIPHER *EVP_aes_128_wrap_pad(void)
|
||||||
|
+{
|
||||||
|
+ return &aes_128_wrap_pad;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static const EVP_CIPHER aes_192_wrap_pad = {
|
||||||
|
+ NID_id_aes192_wrap_pad,
|
||||||
|
+ 8, 24, 4, WRAP_FLAGS,
|
||||||
|
+ aes_wrap_init_key, aes_wrap_cipher,
|
||||||
|
+ NULL,
|
||||||
|
+ sizeof(EVP_AES_WRAP_CTX),
|
||||||
|
+ NULL, NULL, NULL, NULL
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+const EVP_CIPHER *EVP_aes_192_wrap_pad(void)
|
||||||
|
+{
|
||||||
|
+ return &aes_192_wrap_pad;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static const EVP_CIPHER aes_256_wrap_pad = {
|
||||||
|
+ NID_id_aes256_wrap_pad,
|
||||||
|
+ 8, 32, 4, WRAP_FLAGS,
|
||||||
|
+ aes_wrap_init_key, aes_wrap_cipher,
|
||||||
|
+ NULL,
|
||||||
|
+ sizeof(EVP_AES_WRAP_CTX),
|
||||||
|
+ NULL, NULL, NULL, NULL
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+const EVP_CIPHER *EVP_aes_256_wrap_pad(void)
|
||||||
|
+{
|
||||||
|
+ return &aes_256_wrap_pad;
|
||||||
|
+}
|
||||||
|
diff -up openssl-1.0.2a/crypto/evp/e_des3.c.wrap openssl-1.0.2a/crypto/evp/e_des3.c
|
||||||
|
--- openssl-1.0.2a/crypto/evp/e_des3.c.wrap 2015-04-22 15:41:40.301683300 +0200
|
||||||
|
+++ openssl-1.0.2a/crypto/evp/e_des3.c 2015-04-22 15:53:39.529899964 +0200
|
||||||
|
@@ -473,7 +473,7 @@ static const EVP_CIPHER des3_wrap = {
|
||||||
|
NID_id_smime_alg_CMS3DESwrap,
|
||||||
|
8, 24, 0,
|
||||||
|
EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
|
||||||
|
- | EVP_CIPH_FLAG_DEFAULT_ASN1,
|
||||||
|
+ | EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_FLAG_FIPS,
|
||||||
|
des_ede3_init_key, des_ede3_wrap_cipher,
|
||||||
|
NULL,
|
||||||
|
sizeof(DES_EDE_KEY),
|
||||||
|
diff -up openssl-1.0.2a/crypto/evp/evp.h.wrap openssl-1.0.2a/crypto/evp/evp.h
|
||||||
|
--- openssl-1.0.2a/crypto/evp/evp.h.wrap 2015-04-22 19:30:57.000000000 +0200
|
||||||
|
+++ openssl-1.0.2a/crypto/evp/evp.h 2015-04-22 19:51:06.352832516 +0200
|
||||||
|
@@ -832,6 +832,7 @@ const EVP_CIPHER *EVP_aes_128_ccm(void);
|
||||||
|
const EVP_CIPHER *EVP_aes_128_gcm(void);
|
||||||
|
const EVP_CIPHER *EVP_aes_128_xts(void);
|
||||||
|
const EVP_CIPHER *EVP_aes_128_wrap(void);
|
||||||
|
+const EVP_CIPHER *EVP_aes_128_wrap_pad(void);
|
||||||
|
const EVP_CIPHER *EVP_aes_192_ecb(void);
|
||||||
|
const EVP_CIPHER *EVP_aes_192_cbc(void);
|
||||||
|
const EVP_CIPHER *EVP_aes_192_cfb1(void);
|
||||||
|
@@ -843,6 +844,7 @@ const EVP_CIPHER *EVP_aes_192_ctr(void);
|
||||||
|
const EVP_CIPHER *EVP_aes_192_ccm(void);
|
||||||
|
const EVP_CIPHER *EVP_aes_192_gcm(void);
|
||||||
|
const EVP_CIPHER *EVP_aes_192_wrap(void);
|
||||||
|
+const EVP_CIPHER *EVP_aes_192_wrap_pad(void);
|
||||||
|
const EVP_CIPHER *EVP_aes_256_ecb(void);
|
||||||
|
const EVP_CIPHER *EVP_aes_256_cbc(void);
|
||||||
|
const EVP_CIPHER *EVP_aes_256_cfb1(void);
|
||||||
|
@@ -855,6 +857,7 @@ const EVP_CIPHER *EVP_aes_256_ccm(void);
|
||||||
|
const EVP_CIPHER *EVP_aes_256_gcm(void);
|
||||||
|
const EVP_CIPHER *EVP_aes_256_xts(void);
|
||||||
|
const EVP_CIPHER *EVP_aes_256_wrap(void);
|
||||||
|
+const EVP_CIPHER *EVP_aes_256_wrap_pad(void);
|
||||||
|
# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
|
||||||
|
const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void);
|
||||||
|
const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void);
|
||||||
|
diff -up openssl-1.0.2a/crypto/evp/evptests.txt.wrap openssl-1.0.2a/crypto/evp/evptests.txt
|
||||||
|
--- openssl-1.0.2a/crypto/evp/evptests.txt.wrap 2015-04-22 15:41:47.194848307 +0200
|
||||||
|
+++ openssl-1.0.2a/crypto/evp/evptests.txt 2015-04-22 16:01:08.174540977 +0200
|
||||||
|
@@ -399,3 +399,7 @@ id-aes256-wrap:000102030405060708090A0B0
|
||||||
|
id-aes192-wrap:000102030405060708090A0B0C0D0E0F1011121314151617::00112233445566778899AABBCCDDEEFF0001020304050607:031D33264E15D33268F24EC260743EDCE1C6C7DDEE725A936BA814915C6762D2
|
||||||
|
id-aes256-wrap:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F::00112233445566778899AABBCCDDEEFF0001020304050607:A8F9BC1612C68B3FF6E6F4FBE30E71E4769C8B80A32CB8958CD5D17D6B254DA1
|
||||||
|
id-aes256-wrap:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F::00112233445566778899AABBCCDDEEFF000102030405060708090A0B0C0D0E0F:28C9F404C4B810F4CBCCB35CFB87F8263F5786E2D80ED326CBC7F0E71A99F43BFB988B9B7A02DD21
|
||||||
|
+# AES wrap tests from RFC5649
|
||||||
|
+id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::c37b7e6492584340bed12207808941155068f738:138bdeaa9b8fa7fc61f97742e72248ee5ae6ae5360d1ae6a5f54f373fa543b6a
|
||||||
|
+id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::466f7250617369:afbeb0f07dfbf5419200f2ccb50bb24f
|
||||||
|
+
|
||||||
|
diff -up openssl-1.0.2a/crypto/modes/modes.h.wrap openssl-1.0.2a/crypto/modes/modes.h
|
||||||
|
--- openssl-1.0.2a/crypto/modes/modes.h.wrap 2015-04-22 15:41:49.228896997 +0200
|
||||||
|
+++ openssl-1.0.2a/crypto/modes/modes.h 2015-04-22 16:03:40.724152855 +0200
|
||||||
|
@@ -157,6 +157,12 @@ size_t CRYPTO_128_unwrap(void *key, cons
|
||||||
|
unsigned char *out,
|
||||||
|
const unsigned char *in, size_t inlen,
|
||||||
|
block128_f block);
|
||||||
|
+size_t CRYPTO_128_wrap_pad(void *key, const unsigned char *icv,
|
||||||
|
+ unsigned char *out, const unsigned char *in,
|
||||||
|
+ size_t inlen, block128_f block);
|
||||||
|
+size_t CRYPTO_128_unwrap_pad(void *key, const unsigned char *icv,
|
||||||
|
+ unsigned char *out, const unsigned char *in,
|
||||||
|
+ size_t inlen, block128_f block);
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
}
|
||||||
|
diff -up openssl-1.0.2a/crypto/modes/wrap128.c.wrap openssl-1.0.2a/crypto/modes/wrap128.c
|
||||||
|
--- openssl-1.0.2a/crypto/modes/wrap128.c.wrap 2015-03-19 14:30:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.2a/crypto/modes/wrap128.c 2015-04-22 16:06:16.798848197 +0200
|
||||||
|
@@ -2,6 +2,7 @@
|
||||||
|
/*
|
||||||
|
* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
|
||||||
|
* project.
|
||||||
|
+ * Mode with padding contributed by Petr Spacek (pspacek@redhat.com).
|
||||||
|
*/
|
||||||
|
/* ====================================================================
|
||||||
|
* Copyright (c) 2013 The OpenSSL Project. All rights reserved.
|
||||||
|
@@ -52,19 +53,44 @@
|
||||||
|
* ====================================================================
|
||||||
|
*/
|
||||||
|
|
||||||
|
+/** Beware!
|
||||||
|
+ *
|
||||||
|
+ * Following wrapping modes were designed for AES but this implementation
|
||||||
|
+ * allows you to use them for any 128 bit block cipher.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
#include "cryptlib.h"
|
||||||
|
#include <openssl/modes.h>
|
||||||
|
|
||||||
|
+/** RFC 3394 section 2.2.3.1 Default Initial Value */
|
||||||
|
static const unsigned char default_iv[] = {
|
||||||
|
0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6,
|
||||||
|
};
|
||||||
|
|
||||||
|
-/*
|
||||||
|
- * Input size limit: lower than maximum of standards but far larger than
|
||||||
|
+/** RFC 5649 section 3 Alternative Initial Value 32-bit constant */
|
||||||
|
+static const unsigned char default_aiv[] = {
|
||||||
|
+ 0xA6, 0x59, 0x59, 0xA6
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+/** Input size limit: lower than maximum of standards but far larger than
|
||||||
|
* anything that will be used in practice.
|
||||||
|
*/
|
||||||
|
#define CRYPTO128_WRAP_MAX (1UL << 31)
|
||||||
|
|
||||||
|
+/** Wrapping according to RFC 3394 section 2.2.1.
|
||||||
|
+ *
|
||||||
|
+ * @param[in] key Key value.
|
||||||
|
+ * @param[in] iv IV value. Length = 8 bytes. NULL = use default_iv.
|
||||||
|
+ * @param[in] in Plain text as n 64-bit blocks, n >= 2.
|
||||||
|
+ * @param[in] inlen Length of in.
|
||||||
|
+ * @param[out] out Cipher text. Minimal buffer length = (inlen + 8) bytes.
|
||||||
|
+ * Input and output buffers can overlap if block function
|
||||||
|
+ * supports that.
|
||||||
|
+ * @param[in] block Block processing function.
|
||||||
|
+ * @return 0 if inlen does not consist of n 64-bit blocks, n >= 2.
|
||||||
|
+ * or if inlen > CRYPTO128_WRAP_MAX.
|
||||||
|
+ * Output length if wrapping succeeded.
|
||||||
|
+ */
|
||||||
|
size_t CRYPTO_128_wrap(void *key, const unsigned char *iv,
|
||||||
|
unsigned char *out,
|
||||||
|
const unsigned char *in, size_t inlen,
|
||||||
|
@@ -72,11 +98,11 @@ size_t CRYPTO_128_wrap(void *key, const
|
||||||
|
{
|
||||||
|
unsigned char *A, B[16], *R;
|
||||||
|
size_t i, j, t;
|
||||||
|
- if ((inlen & 0x7) || (inlen < 8) || (inlen > CRYPTO128_WRAP_MAX))
|
||||||
|
+ if ((inlen & 0x7) || (inlen < 16) || (inlen > CRYPTO128_WRAP_MAX))
|
||||||
|
return 0;
|
||||||
|
A = B;
|
||||||
|
t = 1;
|
||||||
|
- memcpy(out + 8, in, inlen);
|
||||||
|
+ memmove(out + 8, in, inlen);
|
||||||
|
if (!iv)
|
||||||
|
iv = default_iv;
|
||||||
|
|
||||||
|
@@ -100,7 +126,23 @@ size_t CRYPTO_128_wrap(void *key, const
|
||||||
|
return inlen + 8;
|
||||||
|
}
|
||||||
|
|
||||||
|
-size_t CRYPTO_128_unwrap(void *key, const unsigned char *iv,
|
||||||
|
+/** Unwrapping according to RFC 3394 section 2.2.2 steps 1-2.
|
||||||
|
+ * IV check (step 3) is responsibility of the caller.
|
||||||
|
+ *
|
||||||
|
+ * @param[in] key Key value.
|
||||||
|
+ * @param[out] iv Unchecked IV value. Minimal buffer length = 8 bytes.
|
||||||
|
+ * @param[out] out Plain text without IV.
|
||||||
|
+ * Minimal buffer length = (inlen - 8) bytes.
|
||||||
|
+ * Input and output buffers can overlap if block function
|
||||||
|
+ * supports that.
|
||||||
|
+ * @param[in] in Ciphertext text as n 64-bit blocks
|
||||||
|
+ * @param[in] inlen Length of in.
|
||||||
|
+ * @param[in] block Block processing function.
|
||||||
|
+ * @return 0 if inlen is out of range [24, CRYPTO128_WRAP_MAX]
|
||||||
|
+ * or if inlen is not multiply of 8.
|
||||||
|
+ * Output length otherwise.
|
||||||
|
+ */
|
||||||
|
+static size_t crypto_128_unwrap_raw(void *key, unsigned char *iv,
|
||||||
|
unsigned char *out,
|
||||||
|
const unsigned char *in, size_t inlen,
|
||||||
|
block128_f block)
|
||||||
|
@@ -113,7 +155,7 @@ size_t CRYPTO_128_unwrap(void *key, cons
|
||||||
|
A = B;
|
||||||
|
t = 6 * (inlen >> 3);
|
||||||
|
memcpy(A, in, 8);
|
||||||
|
- memcpy(out, in + 8, inlen);
|
||||||
|
+ memmove(out, in + 8, inlen);
|
||||||
|
for (j = 0; j < 6; j++) {
|
||||||
|
R = out + inlen - 8;
|
||||||
|
for (i = 0; i < inlen; i += 8, t--, R -= 8) {
|
||||||
|
@@ -128,11 +170,190 @@ size_t CRYPTO_128_unwrap(void *key, cons
|
||||||
|
memcpy(R, B + 8, 8);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+ memcpy(iv, A, 8);
|
||||||
|
+ return inlen;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/** Unwrapping according to RFC 3394 section 2.2.2 including IV check.
|
||||||
|
+ * First block of plain text have to match supplied IV otherwise an error is
|
||||||
|
+ * returned.
|
||||||
|
+ *
|
||||||
|
+ * @param[in] key Key value.
|
||||||
|
+ * @param[out] iv Unchecked IV value. Minimal buffer length = 8 bytes.
|
||||||
|
+ * @param[out] out Plain text without IV.
|
||||||
|
+ * Minimal buffer length = (inlen - 8) bytes.
|
||||||
|
+ * Input and output buffers can overlap if block function
|
||||||
|
+ * supports that.
|
||||||
|
+ * @param[in] in Ciphertext text as n 64-bit blocks
|
||||||
|
+ * @param[in] inlen Length of in.
|
||||||
|
+ * @param[in] block Block processing function.
|
||||||
|
+ * @return 0 if inlen is out of range [24, CRYPTO128_WRAP_MAX]
|
||||||
|
+ * or if inlen is not multiply of 8
|
||||||
|
+ * or if IV doesn't match expected value.
|
||||||
|
+ * Output length otherwise.
|
||||||
|
+ */
|
||||||
|
+size_t CRYPTO_128_unwrap(void *key, const unsigned char *iv,
|
||||||
|
+ unsigned char *out, const unsigned char *in,
|
||||||
|
+ size_t inlen, block128_f block)
|
||||||
|
+{
|
||||||
|
+ size_t ret;
|
||||||
|
+ unsigned char got_iv[8];
|
||||||
|
+
|
||||||
|
+ ret = crypto_128_unwrap_raw(key, got_iv, out, in, inlen, block);
|
||||||
|
+ if (ret == 0)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
if (!iv)
|
||||||
|
iv = default_iv;
|
||||||
|
- if (memcmp(A, iv, 8)) {
|
||||||
|
+ if (CRYPTO_memcmp(got_iv, iv, 8)) {
|
||||||
|
+ OPENSSL_cleanse(out, ret);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/** Wrapping according to RFC 5649 section 4.1.
|
||||||
|
+ *
|
||||||
|
+ * @param[in] key Key value.
|
||||||
|
+ * @param[in] icv (Non-standard) IV, 4 bytes. NULL = use default_aiv.
|
||||||
|
+ * @param[out] out Cipher text. Minimal buffer length = (inlen + 15) bytes.
|
||||||
|
+ * Input and output buffers can overlap if block function
|
||||||
|
+ * supports that.
|
||||||
|
+ * @param[in] in Plain text as n 64-bit blocks, n >= 2.
|
||||||
|
+ * @param[in] inlen Length of in.
|
||||||
|
+ * @param[in] block Block processing function.
|
||||||
|
+ * @return 0 if inlen is out of range [1, CRYPTO128_WRAP_MAX].
|
||||||
|
+ * Output length if wrapping succeeded.
|
||||||
|
+ */
|
||||||
|
+size_t CRYPTO_128_wrap_pad(void *key, const unsigned char *icv,
|
||||||
|
+ unsigned char *out,
|
||||||
|
+ const unsigned char *in, size_t inlen,
|
||||||
|
+ block128_f block)
|
||||||
|
+{
|
||||||
|
+ /* n: number of 64-bit blocks in the padded key data */
|
||||||
|
+ const size_t blocks_padded = (inlen + 7) / 8;
|
||||||
|
+ const size_t padded_len = blocks_padded * 8;
|
||||||
|
+ const size_t padding_len = padded_len - inlen;
|
||||||
|
+ /* RFC 5649 section 3: Alternative Initial Value */
|
||||||
|
+ unsigned char aiv[8];
|
||||||
|
+ int ret;
|
||||||
|
+
|
||||||
|
+ /* Section 1: use 32-bit fixed field for plaintext octet length */
|
||||||
|
+ if (inlen == 0 || inlen >= CRYPTO128_WRAP_MAX)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ /* Section 3: Alternative Initial Value */
|
||||||
|
+ if (!icv)
|
||||||
|
+ memcpy(aiv, default_aiv, 4);
|
||||||
|
+ else
|
||||||
|
+ memcpy(aiv, icv, 4); /* Standard doesn't mention this. */
|
||||||
|
+
|
||||||
|
+ aiv[4] = (inlen >> 24) & 0xFF;
|
||||||
|
+ aiv[5] = (inlen >> 16) & 0xFF;
|
||||||
|
+ aiv[6] = (inlen >> 8) & 0xFF;
|
||||||
|
+ aiv[7] = inlen & 0xFF;
|
||||||
|
+
|
||||||
|
+ if (padded_len == 8) {
|
||||||
|
+ /* Section 4.1 - special case in step 2:
|
||||||
|
+ * If the padded plaintext contains exactly eight octets, then
|
||||||
|
+ * prepend the AIV and encrypt the resulting 128-bit block
|
||||||
|
+ * using AES in ECB mode. */
|
||||||
|
+ memmove(out + 8, in, inlen);
|
||||||
|
+ memcpy(out, aiv, 8);
|
||||||
|
+ memset(out + 8 + inlen, 0, padding_len);
|
||||||
|
+ block(out, out, key);
|
||||||
|
+ ret = 16; /* AIV + padded input */
|
||||||
|
+ } else {
|
||||||
|
+ memmove(out, in, inlen);
|
||||||
|
+ memset(out + inlen, 0, padding_len); /* Section 4.1 step 1 */
|
||||||
|
+ ret = CRYPTO_128_wrap(key, aiv, out, out, padded_len, block);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/** Unwrapping according to RFC 5649 section 4.2.
|
||||||
|
+ *
|
||||||
|
+ * @param[in] key Key value.
|
||||||
|
+ * @param[in] icv (Non-standard) IV, 4 bytes. NULL = use default_aiv.
|
||||||
|
+ * @param[out] out Plain text. Minimal buffer length = inlen bytes.
|
||||||
|
+ * Input and output buffers can overlap if block function
|
||||||
|
+ * supports that.
|
||||||
|
+ * @param[in] in Ciphertext text as n 64-bit blocks
|
||||||
|
+ * @param[in] inlen Length of in.
|
||||||
|
+ * @param[in] block Block processing function.
|
||||||
|
+ * @return 0 if inlen is out of range [16, CRYPTO128_WRAP_MAX],
|
||||||
|
+ * or if inlen is not multiply of 8
|
||||||
|
+ * or if IV and message length indicator doesn't match.
|
||||||
|
+ * Output length if unwrapping succeeded and IV matches.
|
||||||
|
+ */
|
||||||
|
+size_t CRYPTO_128_unwrap_pad(void *key, const unsigned char *icv,
|
||||||
|
+ unsigned char *out,
|
||||||
|
+ const unsigned char *in, size_t inlen,
|
||||||
|
+ block128_f block)
|
||||||
|
+{
|
||||||
|
+ /* n: number of 64-bit blocks in the padded key data */
|
||||||
|
+ size_t n = inlen / 8 - 1;
|
||||||
|
+ size_t padded_len;
|
||||||
|
+ size_t padding_len;
|
||||||
|
+ size_t ptext_len;
|
||||||
|
+ /* RFC 5649 section 3: Alternative Initial Value */
|
||||||
|
+ unsigned char aiv[8];
|
||||||
|
+ static unsigned char zeros[8] = { 0x0 };
|
||||||
|
+ size_t ret;
|
||||||
|
+
|
||||||
|
+ /* Section 4.2: Cipher text length has to be (n+1) 64-bit blocks. */
|
||||||
|
+ if ((inlen & 0x7) != 0 || inlen < 16 || inlen >= CRYPTO128_WRAP_MAX)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ memmove(out, in, inlen);
|
||||||
|
+ if (inlen == 16) {
|
||||||
|
+ /* Section 4.2 - special case in step 1:
|
||||||
|
+ * When n=1, the ciphertext contains exactly two 64-bit
|
||||||
|
+ * blocks and they are decrypted as a single AES
|
||||||
|
+ * block using AES in ECB mode:
|
||||||
|
+ * AIV | P[1] = DEC(K, C[0] | C[1])
|
||||||
|
+ */
|
||||||
|
+ block(out, out, key);
|
||||||
|
+ memcpy(aiv, out, 8);
|
||||||
|
+ /* Remove AIV */
|
||||||
|
+ memmove(out, out + 8, 8);
|
||||||
|
+ padded_len = 8;
|
||||||
|
+ } else {
|
||||||
|
+ padded_len = inlen - 8;
|
||||||
|
+ ret = crypto_128_unwrap_raw(key, aiv, out, out, inlen, block);
|
||||||
|
+ if (padded_len != ret) {
|
||||||
|
OPENSSL_cleanse(out, inlen);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
- return inlen;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Section 3: AIV checks: Check that MSB(32,A) = A65959A6.
|
||||||
|
+ * Optionally a user-supplied value can be used
|
||||||
|
+ * (even if standard doesn't mention this). */
|
||||||
|
+ if ((!icv && CRYPTO_memcmp(aiv, default_aiv, 4))
|
||||||
|
+ || (icv && CRYPTO_memcmp(aiv, icv, 4))) {
|
||||||
|
+ OPENSSL_cleanse(out, inlen);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Check that 8*(n-1) < LSB(32,AIV) <= 8*n.
|
||||||
|
+ * If so, let ptext_len = LSB(32,AIV). */
|
||||||
|
+
|
||||||
|
+ ptext_len = (aiv[4] << 24) | (aiv[5] << 16) | (aiv[6] << 8) | aiv[7];
|
||||||
|
+ if (8 * (n - 1) >= ptext_len || ptext_len > 8 * n) {
|
||||||
|
+ OPENSSL_cleanse(out, inlen);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Check that the rightmost padding_len octets of the output data
|
||||||
|
+ * are zero. */
|
||||||
|
+ padding_len = padded_len - ptext_len;
|
||||||
|
+ if (CRYPTO_memcmp(out + ptext_len, zeros, padding_len) != 0) {
|
||||||
|
+ OPENSSL_cleanse(out, inlen);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Section 4.2 step 3: Remove padding */
|
||||||
|
+ return ptext_len;
|
||||||
|
}
|
28
openssl-1.0.2a-x509.patch
Normal file
28
openssl-1.0.2a-x509.patch
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
diff -up openssl-1.0.2a/crypto/x509/by_file.c.x509 openssl-1.0.2a/crypto/x509/by_file.c
|
||||||
|
--- openssl-1.0.2a/crypto/x509/by_file.c.x509 2015-04-09 18:16:29.365456157 +0200
|
||||||
|
+++ openssl-1.0.2a/crypto/x509/by_file.c 2015-04-09 18:16:26.398387618 +0200
|
||||||
|
@@ -152,9 +152,12 @@ int X509_load_cert_file(X509_LOOKUP *ctx
|
||||||
|
}
|
||||||
|
}
|
||||||
|
i = X509_STORE_add_cert(ctx->store_ctx, x);
|
||||||
|
- if (!i)
|
||||||
|
- goto err;
|
||||||
|
- count++;
|
||||||
|
+ /* ignore any problems with current certificate
|
||||||
|
+ and continue with the next one */
|
||||||
|
+ if (i)
|
||||||
|
+ count++;
|
||||||
|
+ else
|
||||||
|
+ ERR_clear_error();
|
||||||
|
X509_free(x);
|
||||||
|
x = NULL;
|
||||||
|
}
|
||||||
|
@@ -167,7 +170,7 @@ int X509_load_cert_file(X509_LOOKUP *ctx
|
||||||
|
}
|
||||||
|
i = X509_STORE_add_cert(ctx->store_ctx, x);
|
||||||
|
if (!i)
|
||||||
|
- goto err;
|
||||||
|
+ ERR_clear_error();
|
||||||
|
ret = i;
|
||||||
|
} else {
|
||||||
|
X509err(X509_F_X509_LOAD_CERT_FILE, X509_R_BAD_X509_FILETYPE);
|
27
openssl-1.0.2a-xmpp-starttls.patch
Normal file
27
openssl-1.0.2a-xmpp-starttls.patch
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
diff -up openssl-1.0.2a/apps/s_client.c.starttls openssl-1.0.2a/apps/s_client.c
|
||||||
|
--- openssl-1.0.2a/apps/s_client.c.starttls 2015-04-22 18:23:12.964387157 +0200
|
||||||
|
+++ openssl-1.0.2a/apps/s_client.c 2015-04-22 18:23:56.496414820 +0200
|
||||||
|
@@ -134,7 +134,8 @@
|
||||||
|
* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
|
||||||
|
* OTHERWISE.
|
||||||
|
*/
|
||||||
|
-
|
||||||
|
+/* for strcasestr */
|
||||||
|
+#define _GNU_SOURCE
|
||||||
|
#include <assert.h>
|
||||||
|
#include <ctype.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
@@ -1626,8 +1627,11 @@ int MAIN(int argc, char **argv)
|
||||||
|
"xmlns='jabber:client' to='%s' version='1.0'>", host);
|
||||||
|
seen = BIO_read(sbio, mbuf, BUFSIZZ);
|
||||||
|
mbuf[seen] = 0;
|
||||||
|
- while (!strstr
|
||||||
|
- (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")) {
|
||||||
|
+ while (!strcasestr
|
||||||
|
+ (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")
|
||||||
|
+ && !strcasestr(mbuf,
|
||||||
|
+ "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
|
||||||
|
+ {
|
||||||
|
if (strstr(mbuf, "/stream:features>"))
|
||||||
|
goto shut;
|
||||||
|
seen = BIO_read(sbio, mbuf, BUFSIZZ);
|
@ -1,11 +1,11 @@
|
|||||||
--- ssl/dtls1.h.orig 2014-12-22 19:03:22.442338471 +0100
|
--- ssl/dtls1.h.orig 2014-12-22 19:03:22.442338471 +0100
|
||||||
+++ ssl/dtls1.h 2014-12-22 19:03:44.061694335 +0100
|
+++ ssl/dtls1.h 2014-12-22 19:03:44.061694335 +0100
|
||||||
@@ -68,7 +68,7 @@
|
@@ -68,7 +68,7 @@
|
||||||
#endif
|
# endif
|
||||||
#ifdef OPENSSL_SYS_WIN32
|
# ifdef OPENSSL_SYS_WIN32
|
||||||
/* Needed for struct timeval */
|
/* Needed for struct timeval */
|
||||||
-#include <winsock.h>
|
-# include <winsock.h>
|
||||||
+#include <time.h>
|
+# include <time.h>
|
||||||
#elif defined(OPENSSL_SYS_NETWARE) && !defined(_WINSOCK2API_)
|
# elif defined(OPENSSL_SYS_NETWARE) && !defined(_WINSOCK2API_)
|
||||||
#include <sys/timeval.h>
|
# include <sys/timeval.h>
|
||||||
#else
|
# else
|
||||||
|
@ -1,11 +1,11 @@
|
|||||||
--- openssl-1.0.1e/ssl/ssl_ciph.c.orig 2013-02-11 16:26:04.000000000 +0100
|
--- openssl-1.0.2a/ssl/ssl_ciph.c.secure_getenv_mingw 2015-04-24 18:34:32.572168275 +0200
|
||||||
+++ openssl-1.0.1e/ssl/ssl_ciph.c 2013-03-24 20:39:53.425122737 +0100
|
+++ openssl-1.0.2a/ssl/ssl_ciph.c 2015-04-24 18:35:03.060679959 +0200
|
||||||
@@ -455,7 +457,7 @@
|
@@ -484,7 +484,7 @@
|
||||||
|
MemCheck_off();
|
||||||
MemCheck_off();
|
ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
|
||||||
ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
|
if (ssl_comp_methods != NULL
|
||||||
- if (ssl_comp_methods != NULL && secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL)
|
- && secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL) {
|
||||||
+ if (ssl_comp_methods != NULL && getenv("OPENSSL_DEFAULT_ZLIB") != NULL)
|
+ && getenv("OPENSSL_DEFAULT_ZLIB") != NULL) {
|
||||||
{
|
comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
|
||||||
comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
|
if (comp != NULL) {
|
||||||
if (comp != NULL)
|
comp->method = COMP_zlib();
|
||||||
|
@ -6,6 +6,6 @@
|
|||||||
pfx=lib; \
|
pfx=lib; \
|
||||||
- if [ "$(PLATFORM)" = "mingw" ]; then \
|
- if [ "$(PLATFORM)" = "mingw" ]; then \
|
||||||
+ if [ "$(PLATFORM)" = "mingw" -o "$(PLATFORM)" = "mingw64" ]; then \
|
+ if [ "$(PLATFORM)" = "mingw" -o "$(PLATFORM)" = "mingw64" ]; then \
|
||||||
sfx=.dll; \
|
sfx=.dll; \
|
||||||
cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
|
cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/$$pfx$$l$$sfx.new; \
|
||||||
elif [ "$(PLATFORM)" != "Cygwin" ]; then \
|
elif expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
|
||||||
|
Loading…
Reference in New Issue
Block a user