From 4b2bec50c2ab447c603e76007abd08d30d55a72e Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Mon, 9 Feb 2009 09:33:37 +0000 Subject: [PATCH] Initial import. --- .cvsignore | 1 + Makefile.certificate | 74 ++++ hobble-openssl | 45 +++ import.log | 1 + make-dummy-cert | 28 ++ mingw32-openssl-0.9.8g-global.patch | 16 + mingw32-openssl-0.9.8g-sfx.patch | 14 + mingw32-openssl-0.9.8j-configure.patch | 16 + mingw32-openssl-0.9.8j-header-files.patch | 141 ++++++++ mingw32-openssl-0.9.8j-shared.patch | 20 ++ mingw32-openssl.spec | 342 ++++++++++++++++++ openssl-0.9.6-x509.patch | 29 ++ openssl-0.9.8a-defaults.patch | 50 +++ openssl-0.9.8a-link-krb5.patch | 11 + openssl-0.9.8a-no-rpath.patch | 11 + openssl-0.9.8a-reuse-cipher-change.patch | 20 ++ openssl-0.9.8b-aliasing-bug.patch | 24 ++ openssl-0.9.8b-test-use-localhost.patch | 24 ++ openssl-0.9.8b-x509-name-cmp.patch | 18 + openssl-0.9.8g-default-paths.patch | 77 +++++ openssl-0.9.8g-ia64.patch | 19 + openssl-0.9.8g-no-extssl.patch | 27 ++ openssl-0.9.8j-bad-mime.patch | 14 + openssl-0.9.8j-ca-dir.patch | 36 ++ openssl-0.9.8j-eap-fast.patch | 378 ++++++++++++++++++++ openssl-0.9.8j-enginesdir.patch | 40 +++ openssl-0.9.8j-env-nozlib.patch | 13 + openssl-0.9.8j-evp-nonfips.patch | 127 +++++++ openssl-0.9.8j-fips-no-pairwise.patch | 24 ++ openssl-0.9.8j-fipscheck-hmac.patch | 125 +++++++ openssl-0.9.8j-kernel-fipsmode.patch | 62 ++++ openssl-0.9.8j-nocanister.patch | 31 ++ openssl-0.9.8j-readme-warning.patch | 35 ++ openssl-0.9.8j-redhat.patch | 53 +++ openssl-0.9.8j-shlib-version.patch | 12 + openssl-0.9.8j-soversion.patch | 49 +++ openssl-0.9.8j-use-fipscheck.patch | 384 +++++++++++++++++++++ openssl-0.9.8j-version-add-engines.patch | 48 +++ openssl-thread-test.c | 400 ++++++++++++++++++++++ opensslconf-new-warning.h | 7 + opensslconf-new.h | 34 ++ sources | 1 + 42 files changed, 2881 insertions(+) create mode 100644 Makefile.certificate create mode 100755 hobble-openssl create mode 100644 import.log create mode 100755 make-dummy-cert create mode 100644 mingw32-openssl-0.9.8g-global.patch create mode 100644 mingw32-openssl-0.9.8g-sfx.patch create mode 100644 mingw32-openssl-0.9.8j-configure.patch create mode 100644 mingw32-openssl-0.9.8j-header-files.patch create mode 100644 mingw32-openssl-0.9.8j-shared.patch create mode 100644 mingw32-openssl.spec create mode 100644 openssl-0.9.6-x509.patch create mode 100644 openssl-0.9.8a-defaults.patch create mode 100644 openssl-0.9.8a-link-krb5.patch create mode 100644 openssl-0.9.8a-no-rpath.patch create mode 100644 openssl-0.9.8a-reuse-cipher-change.patch create mode 100644 openssl-0.9.8b-aliasing-bug.patch create mode 100644 openssl-0.9.8b-test-use-localhost.patch create mode 100644 openssl-0.9.8b-x509-name-cmp.patch create mode 100644 openssl-0.9.8g-default-paths.patch create mode 100644 openssl-0.9.8g-ia64.patch create mode 100644 openssl-0.9.8g-no-extssl.patch create mode 100644 openssl-0.9.8j-bad-mime.patch create mode 100644 openssl-0.9.8j-ca-dir.patch create mode 100644 openssl-0.9.8j-eap-fast.patch create mode 100644 openssl-0.9.8j-enginesdir.patch create mode 100644 openssl-0.9.8j-env-nozlib.patch create mode 100644 openssl-0.9.8j-evp-nonfips.patch create mode 100644 openssl-0.9.8j-fips-no-pairwise.patch create mode 100644 openssl-0.9.8j-fipscheck-hmac.patch create mode 100644 openssl-0.9.8j-kernel-fipsmode.patch create mode 100644 openssl-0.9.8j-nocanister.patch create mode 100644 openssl-0.9.8j-readme-warning.patch create mode 100644 openssl-0.9.8j-redhat.patch create mode 100644 openssl-0.9.8j-shlib-version.patch create mode 100644 openssl-0.9.8j-soversion.patch create mode 100644 openssl-0.9.8j-use-fipscheck.patch create mode 100644 openssl-0.9.8j-version-add-engines.patch create mode 100644 openssl-thread-test.c create mode 100644 opensslconf-new-warning.h create mode 100644 opensslconf-new.h diff --git a/.cvsignore b/.cvsignore index e69de29..6dba667 100644 --- a/.cvsignore +++ b/.cvsignore @@ -0,0 +1 @@ +openssl-0.9.8j-usa.tar.bz2 diff --git a/Makefile.certificate b/Makefile.certificate new file mode 100644 index 0000000..bf3dc21 --- /dev/null +++ b/Makefile.certificate @@ -0,0 +1,74 @@ +UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8) +SERIAL=0 + +.PHONY: usage +.SUFFIXES: .key .csr .crt .pem +.PRECIOUS: %.key %.csr %.crt %.pem + +usage: + @echo "This makefile allows you to create:" + @echo " o public/private key pairs" + @echo " o SSL certificate signing requests (CSRs)" + @echo " o self-signed SSL test certificates" + @echo + @echo "To create a key pair, run \"make SOMETHING.key\"." + @echo "To create a CSR, run \"make SOMETHING.csr\"." + @echo "To create a test certificate, run \"make SOMETHING.crt\"." + @echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"." + @echo + @echo "To create a key for use with Apache, run \"make genkey\"." + @echo "To create a CSR for use with Apache, run \"make certreq\"." + @echo "To create a test certificate for use with Apache, run \"make testcert\"." + @echo + @echo "To create a test certificate with serial number other than zero, add SERIAL=num" + @echo + @echo Examples: + @echo " make server.key" + @echo " make server.csr" + @echo " make server.crt" + @echo " make stunnel.pem" + @echo " make genkey" + @echo " make certreq" + @echo " make testcert" + @echo " make server.crt SERIAL=1" + @echo " make stunnel.pem SERIAL=2" + @echo " make testcert SERIAL=3" + +%.pem: + umask 77 ; \ + PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \ + PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \ + /usr/bin/openssl req $(UTF8) -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \ + cat $$PEM1 > $@ ; \ + echo "" >> $@ ; \ + cat $$PEM2 >> $@ ; \ + $(RM) $$PEM1 $$PEM2 + +%.key: + umask 77 ; \ + /usr/bin/openssl genrsa -des3 1024 > $@ + +%.csr: %.key + umask 77 ; \ + /usr/bin/openssl req $(UTF8) -new -key $^ -out $@ + +%.crt: %.key + umask 77 ; \ + /usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days 365 -out $@ -set_serial $(SERIAL) + +TLSROOT=/etc/pki/tls +KEY=$(TLSROOT)/private/localhost.key +CSR=$(TLSROOT)/certs/localhost.csr +CRT=$(TLSROOT)/certs/localhost.crt + +genkey: $(KEY) +certreq: $(CSR) +testcert: $(CRT) + +$(CSR): $(KEY) + umask 77 ; \ + /usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR) + +$(CRT): $(KEY) + umask 77 ; \ + /usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days 365 -out $(CRT) -set_serial $(SERIAL) diff --git a/hobble-openssl b/hobble-openssl new file mode 100755 index 0000000..de0490f --- /dev/null +++ b/hobble-openssl @@ -0,0 +1,45 @@ +#!/bin/sh + +# Quit out if anything fails. +set -e + +# Clean out patent-or-otherwise-encumbered code. +# MDC-2: 4,908,861 13/03/2007 +# IDEA: 5,214,703 25/05/2010 +# RC5: 5,724,428 03/03/2015 +# EC: ????????? ??/??/2015 + +# Remove assembler portions of IDEA, MDC2, and RC5. +(find crypto/{idea,mdc2,rc5}/asm -type f | xargs -r rm -fv) + +# IDEA, MDC2, RC5, EC. +for a in idea mdc2 rc5 ec ecdh ecdsa; do + for c in `find crypto/$a -name "*.c" -a \! -name "*test*" -type f` ; do + echo Destroying $c + > $c + done +done + +for c in `find crypto/evp -name "*_rc5.c" -o -name "*_idea.c" -o -name "*_mdc2.c" -o -name "*_ecdsa.c"`; do + echo Destroying $c + > $c +done + +for h in `find crypto ssl apps test -name "*.h"` ; do + echo Removing IDEA, MDC2, RC5, and EC references from $h + cat $h | \ + awk 'BEGIN {ech=1;} \ + /^#[ \t]*ifndef.*NO_IDEA/ {ech--; next;} \ + /^#[ \t]*ifndef.*NO_MDC2/ {ech--; next;} \ + /^#[ \t]*ifndef.*NO_RC5/ {ech--; next;} \ + /^#[ \t]*ifndef.*NO_EC/ {ech--; next;} \ + /^#[ \t]*ifndef.*NO_ECDH/ {ech--; next;} \ + /^#[ \t]*ifndef.*NO_ECDSA/ {ech--; next;} \ + /^#[ \t]*if/ {if(ech < 1) ech--;} \ + {if(ech>0) {;print $0};} \ + /^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \ + mv $h.hobbled $h +done + +# Make the makefiles happy. +touch crypto/rc5/asm/rc5-586.pl diff --git a/import.log b/import.log new file mode 100644 index 0000000..b837e05 --- /dev/null +++ b/import.log @@ -0,0 +1 @@ +mingw32-openssl-0_9_8j-2_fc11:HEAD:mingw32-openssl-0.9.8j-2.fc11.src.rpm:1234171576 diff --git a/make-dummy-cert b/make-dummy-cert new file mode 100755 index 0000000..3aff5be --- /dev/null +++ b/make-dummy-cert @@ -0,0 +1,28 @@ +#!/bin/sh +umask 077 + +answers() { + echo -- + echo SomeState + echo SomeCity + echo SomeOrganization + echo SomeOrganizationalUnit + echo localhost.localdomain + echo root@localhost.localdomain +} + +if [ $# -eq 0 ] ; then + echo $"Usage: `basename $0` filename [...]" + exit 0 +fi + +for target in $@ ; do + PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` + PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` + trap "rm -f $PEM1 $PEM2" SIGINT + answers | /usr/bin/openssl req -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null + cat $PEM1 > ${target} + echo "" >> ${target} + cat $PEM2 >> ${target} + rm -f $PEM1 $PEM2 +done diff --git a/mingw32-openssl-0.9.8g-global.patch b/mingw32-openssl-0.9.8g-global.patch new file mode 100644 index 0000000..814fb46 --- /dev/null +++ b/mingw32-openssl-0.9.8g-global.patch @@ -0,0 +1,16 @@ +Fix global variable macros. + + - RWMJ 2008-09-30 + +diff -ur openssl-0.9.8g.orig/e_os2.h openssl-0.9.8g.mingw/e_os2.h +--- openssl-0.9.8g.orig/e_os2.h 2005-12-18 18:57:07.000000000 +0000 ++++ openssl-0.9.8g.mingw/e_os2.h 2008-09-30 14:27:53.000000000 +0100 +@@ -264,7 +264,7 @@ + # define OPENSSL_IMPLEMENT_GLOBAL(type,name) \ + extern type _hide_##name; \ + type *_shadow_##name(void) { return &_hide_##name; } \ +- static type _hide_##name ++ type _hide_##name + # define OPENSSL_DECLARE_GLOBAL(type,name) type *_shadow_##name(void) + # define OPENSSL_GLOBAL_REF(name) (*(_shadow_##name())) + #else diff --git a/mingw32-openssl-0.9.8g-sfx.patch b/mingw32-openssl-0.9.8g-sfx.patch new file mode 100644 index 0000000..332a926 --- /dev/null +++ b/mingw32-openssl-0.9.8g-sfx.patch @@ -0,0 +1,14 @@ +--- openssl-0.9.8g.orig/engines/Makefile 2006-02-04 01:49:34.000000000 +0000 ++++ openssl-0.9.8g.mingw/engines/Makefile 2008-09-30 20:05:30.000000000 +0100 +@@ -91,7 +91,10 @@ + set -e; \ + for l in $(LIBNAMES); do \ + ( echo installing $$l; \ +- if [ "$(PLATFORM)" != "Cygwin" ]; then \ ++ if [ "$(PLATFORM)" = "mingw" ]; then \ ++ sfx=dll; \ ++ cp lib$$l.$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx.new; \ ++ elif [ "$(PLATFORM)" != "Cygwin" ]; then \ + case "$(CFLAGS)" in \ + *DSO_DLFCN*) sfx="so";; \ + *DSO_DL*) sfx="sl";; \ diff --git a/mingw32-openssl-0.9.8j-configure.patch b/mingw32-openssl-0.9.8j-configure.patch new file mode 100644 index 0000000..73feff1 --- /dev/null +++ b/mingw32-openssl-0.9.8j-configure.patch @@ -0,0 +1,16 @@ +The 'mingw' target to Configure has some problems with cross-compilation. + + - RWMJ 2008-09-30 + +diff -ur openssl-0.9.8g.orig/Configure openssl-0.9.8g.mingw/Configure +--- openssl-0.9.8g.orig/Configure 2008-09-30 14:16:16.000000000 +0100 ++++ openssl-0.9.8g.mingw/Configure 2008-09-30 14:59:34.000000000 +0100 +@@ -468,7 +468,7 @@ + "BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX EXPORT_VAR_AS_FN:${no_asm}:win32", + + # MinGW +-"mingw", "gcc:-mno-cygwin -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall -D_WIN32_WINNT=0x333:::MINGW32:-lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_coff_asm}:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:-mno-cygwin -shared:.dll.a", ++"mingw", "MINGW32_CC:-DL_ENDIAN -Wall MINGW32_CFLAGS -D_WIN32_WINNT=0x333 -DMK1MF_BUILD:::MINGW32:-lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_coff_asm}:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:-shared:.dll.a:MINGW32_RANLIB", + + # UWIN + "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32", diff --git a/mingw32-openssl-0.9.8j-header-files.patch b/mingw32-openssl-0.9.8j-header-files.patch new file mode 100644 index 0000000..55d1203 --- /dev/null +++ b/mingw32-openssl-0.9.8j-header-files.patch @@ -0,0 +1,141 @@ +--- ./crypto/seed/seed_ecb.c.mingw-header-files 2007-04-24 01:50:10.000000000 +0200 ++++ ./crypto/seed/seed_ecb.c 2009-02-02 18:28:55.000000000 +0100 +@@ -49,7 +49,7 @@ + * + */ + +-#include ++#include "seed.h" + + void SEED_ecb_encrypt(const unsigned char *in, unsigned char *out, const SEED_KEY_SCHEDULE *ks, int enc) + { +--- ./crypto/seed/seed_locl.h.mingw-header-files 2009-02-02 18:28:48.000000000 +0100 ++++ ./crypto/seed/seed_locl.h 2009-02-02 18:28:55.000000000 +0100 +@@ -27,7 +27,7 @@ + #define HEADER_SEED_LOCL_H + + #include "openssl/e_os2.h" +-#include ++#include "seed.h" + + + #ifdef SEED_LONG /* need 32-bit type */ +--- ./crypto/seed/seed.c.mingw-header-files 2007-04-24 01:50:10.000000000 +0200 ++++ ./crypto/seed/seed.c 2009-02-02 18:28:55.000000000 +0100 +@@ -32,7 +32,7 @@ + #include + #endif + +-#include ++#include "seed.h" + #include "seed_locl.h" + + static seed_word SS[4][256] = { { +--- ./crypto/camellia/cmll_cbc.c.mingw-header-files 2006-12-02 13:00:27.000000000 +0100 ++++ ./crypto/camellia/cmll_cbc.c 2009-02-02 18:28:54.000000000 +0100 +@@ -58,7 +58,7 @@ + #include + #include + +-#include ++#include "camellia.h" + #include "cmll_locl.h" + + void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, +--- ./crypto/camellia/cmll_cfb.c.mingw-header-files 2006-06-10 00:31:05.000000000 +0200 ++++ ./crypto/camellia/cmll_cfb.c 2009-02-02 18:28:54.000000000 +0100 +@@ -113,7 +113,7 @@ + #include + #include + +-#include ++#include "camellia.h" + #include "cmll_locl.h" + #include "e_os.h" + +--- ./crypto/camellia/cmll_ofb.c.mingw-header-files 2006-06-10 00:31:05.000000000 +0200 ++++ ./crypto/camellia/cmll_ofb.c 2009-02-02 18:28:55.000000000 +0100 +@@ -111,7 +111,7 @@ + # endif + #endif + #include +-#include ++#include "camellia.h" + #include "cmll_locl.h" + + /* The input and output encrypted as though 128bit ofb mode is being +--- ./crypto/camellia/cmll_misc.c.mingw-header-files 2009-02-02 18:29:19.000000000 +0100 ++++ ./crypto/camellia/cmll_misc.c 2009-02-02 18:29:32.000000000 +0100 +@@ -50,7 +50,7 @@ + */ + + #include +-#include ++#include "camellia.h" + #include "cmll_locl.h" + #include + #ifdef OPENSSL_FIPS +--- ./crypto/camellia/cmll_ecb.c.mingw-header-files 2006-06-10 00:31:05.000000000 +0200 ++++ ./crypto/camellia/cmll_ecb.c 2009-02-02 18:28:54.000000000 +0100 +@@ -56,7 +56,7 @@ + #endif + #include + +-#include ++#include "camellia.h" + #include "cmll_locl.h" + + void Camellia_ecb_encrypt(const unsigned char *in, unsigned char *out, +--- ./crypto/camellia/cmll_ctr.c.mingw-header-files 2006-06-10 00:31:05.000000000 +0200 ++++ ./crypto/camellia/cmll_ctr.c 2009-02-02 18:28:54.000000000 +0100 +@@ -56,7 +56,7 @@ + #endif + #include + +-#include ++#include "camellia.h" + #include "cmll_locl.h" + + /* NOTE: the IV/counter CTR mode is big-endian. The rest of the Camellia code +--- ./crypto/evp/e_seed.c.mingw-header-files 2007-07-04 14:56:32.000000000 +0200 ++++ ./crypto/evp/e_seed.c 2009-02-02 18:28:55.000000000 +0100 +@@ -59,7 +59,7 @@ + #include + #include + #ifndef OPENSSL_NO_SEED +-#include ++#include "../seed/seed.h" + #include "evp_locl.h" + + static int seed_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc); +--- ./crypto/evp/e_camellia.c.mingw-header-files 2008-09-21 12:24:08.000000000 +0200 ++++ ./crypto/evp/e_camellia.c 2009-02-02 18:28:55.000000000 +0100 +@@ -59,7 +59,7 @@ + #include + #include + #include +-#include ++#include "../camellia/camellia.h" + #include "evp_locl.h" + + static int camellia_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, +--- ./apps/speed.c.mingw-header-files 2009-01-07 11:48:22.000000000 +0100 ++++ ./apps/speed.c 2009-02-02 18:28:54.000000000 +0100 +@@ -165,7 +165,7 @@ + #include + #endif + #ifndef OPENSSL_NO_CAMELLIA +-#include ++#include "../crypto/camellia/camellia.h" + #endif + #ifndef OPENSSL_NO_MD2 + #include +@@ -202,7 +202,7 @@ + #include + #endif + #ifndef OPENSSL_NO_SEED +-#include ++#include "../crypto/seed/seed.h" + #endif + #ifndef OPENSSL_NO_BF + #include diff --git a/mingw32-openssl-0.9.8j-shared.patch b/mingw32-openssl-0.9.8j-shared.patch new file mode 100644 index 0000000..c1ea4bf --- /dev/null +++ b/mingw32-openssl-0.9.8j-shared.patch @@ -0,0 +1,20 @@ +--- ./Makefile.shared.lfarkas 2009-01-28 16:39:05.000000000 +0100 ++++ ./Makefile.shared 2009-01-28 16:41:51.000000000 +0100 +@@ -238,7 +238,7 @@ + SHLIB=cyg$(LIBNAME); \ + base=-Wl,--enable-auto-image-base; \ + if expr $(PLATFORM) : 'mingw' > /dev/null; then \ +- SHLIB=$(LIBNAME)eay32; base=; \ ++ SHLIB=lib$(LIBNAME); base=; \ + fi; \ + SHLIB_SUFFIX=.dll; \ + LIBVERSION="$(LIBVERSION)"; \ +@@ -253,7 +253,7 @@ + SHLIB=cyg$(LIBNAME); \ + base=-Wl,--enable-auto-image-base; \ + if expr $(PLATFORM) : 'mingw' > /dev/null; then \ +- SHLIB=$(LIBNAME)eay32; \ ++ SHLIB=lib$(LIBNAME); \ + base=; [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x63000000; \ + fi; \ + SHLIB_SUFFIX=.dll; \ diff --git a/mingw32-openssl.spec b/mingw32-openssl.spec new file mode 100644 index 0000000..bc1b081 --- /dev/null +++ b/mingw32-openssl.spec @@ -0,0 +1,342 @@ +%define __strip %{_mingw32_strip} +%define __objdump %{_mingw32_objdump} +%define _use_internal_dependency_generator 0 +%define __find_requires %{_mingw32_findrequires} +%define __find_provides %{_mingw32_findprovides} + +# For the curious: +# 0.9.5a soversion = 0 +# 0.9.6 soversion = 1 +# 0.9.6a soversion = 2 +# 0.9.6c soversion = 3 +# 0.9.7a soversion = 4 +# 0.9.7ef soversion = 5 +# 0.9.8ab soversion = 6 +# 0.9.8g soversion = 7 +# 0.9.8j + EAP-FAST soversion = 8 +%define soversion 8 + +# Enable the tests. +# These only work some of the time, but fail randomly at other times +# (although I have had them complete a few times, so I don't think +# there is any actual problem with the binaries). +%define run_tests 0 + +# Number of threads to spawn when testing some threading fixes. +%define thread_test_threads %{?threads:%{threads}}%{!?threads:1} + +Name: mingw32-openssl +Version: 0.9.8j +Release: 2%{?dist} +Summary: MinGW port of the OpenSSL toolkit + +License: OpenSSL +Group: Development/Libraries +URL: http://www.openssl.org/ + +# Use the hobble-openssl script to create the source file. +Source0: openssl-%{version}-usa.tar.bz2 + +Source1: hobble-openssl +Source2: Makefile.certificate +Source6: make-dummy-cert +Source8: openssl-thread-test.c +Source9: opensslconf-new.h +Source10: opensslconf-new-warning.h + +# Patches from Fedora native package. +# Build changes +Patch0: openssl-0.9.8j-redhat.patch +Patch1: openssl-0.9.8a-defaults.patch +Patch2: openssl-0.9.8a-link-krb5.patch +Patch3: openssl-0.9.8j-soversion.patch +Patch4: openssl-0.9.8j-enginesdir.patch +Patch5: openssl-0.9.8a-no-rpath.patch +Patch6: openssl-0.9.8b-test-use-localhost.patch +Patch7: openssl-0.9.8j-shlib-version.patch +# Bug fixes +Patch21: openssl-0.9.8b-aliasing-bug.patch +Patch22: openssl-0.9.8b-x509-name-cmp.patch +Patch23: openssl-0.9.8g-default-paths.patch +Patch24: openssl-0.9.8g-no-extssl.patch +# Functionality changes +Patch32: openssl-0.9.8g-ia64.patch +Patch33: openssl-0.9.8j-ca-dir.patch +Patch34: openssl-0.9.6-x509.patch +Patch35: openssl-0.9.8j-version-add-engines.patch +Patch38: openssl-0.9.8a-reuse-cipher-change.patch +# Disabled this because it uses getaddrinfo which is lacking on Windows. +#Patch39: openssl-0.9.8g-ipv6-apps.patch +Patch40: openssl-0.9.8j-nocanister.patch +Patch41: openssl-0.9.8j-use-fipscheck.patch +Patch42: openssl-0.9.8j-fipscheck-hmac.patch +Patch43: openssl-0.9.8j-evp-nonfips.patch +Patch44: openssl-0.9.8j-kernel-fipsmode.patch +Patch45: openssl-0.9.8j-env-nozlib.patch +Patch46: openssl-0.9.8j-eap-fast.patch +Patch47: openssl-0.9.8j-readme-warning.patch +Patch48: openssl-0.9.8j-bad-mime.patch +Patch49: openssl-0.9.8j-fips-no-pairwise.patch +# Backported fixes including security fixes + +# MinGW-specific patches. +Patch100: mingw32-openssl-0.9.8j-header-files.patch +Patch101: mingw32-openssl-0.9.8j-configure.patch +Patch102: mingw32-openssl-0.9.8j-shared.patch +Patch103: mingw32-openssl-0.9.8g-global.patch +Patch104: mingw32-openssl-0.9.8g-sfx.patch + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildArch: noarch + +BuildRequires: mingw32-filesystem >= 40 +BuildRequires: mingw32-gcc +BuildRequires: mingw32-binutils + +BuildRequires: mingw32-zlib +BuildRequires: mingw32-pthreads + +BuildRequires: mktemp +#BuildRequires: krb5-devel +BuildRequires: perl +BuildRequires: sed +BuildRequires: /usr/bin/cmp +BuildRequires: /usr/bin/rename + +# XXX Not really sure about this one. The build script uses +# /usr/bin/makedepend which comes from imake. +BuildRequires: imake + +%if %{run_tests} +# Required both to build, and to run the tests. +# XXX This needs to be fixed - cross-compilation should not +# require running executables. +BuildRequires: wine + +# Required to run the tests. +BuildRequires: xorg-x11-server-Xvfb +%endif + +#Requires: ca-certificates >= 2008-5 +Requires: pkgconfig + + +%description +The OpenSSL toolkit provides support for secure communications between +machines. OpenSSL includes a certificate management tool and shared +libraries which provide various cryptographic algorithms and +protocols. + +This package contains Windows (MinGW) libraries and development tools. + + +%prep +%setup -q -n openssl-%{version} + +%{SOURCE1} > /dev/null +%patch0 -p1 -b .redhat +%patch1 -p1 -b .defaults +# Fix link line for libssl (bug #111154). +%patch2 -p1 -b .krb5 +%patch3 -p1 -b .soversion +%patch4 -p1 -b .enginesdir +%patch5 -p1 -b .no-rpath +%patch6 -p1 -b .use-localhost +%patch7 -p1 -b .shlib-version + +%patch21 -p1 -b .aliasing-bug +%patch22 -p1 -b .name-cmp +%patch23 -p1 -b .default-paths +%patch24 -p1 -b .no-extssl + +%patch32 -p1 -b .ia64 +#patch33 is applied after make test +%patch34 -p1 -b .x509 +%patch35 -p1 -b .version-add-engines +%patch38 -p1 -b .cipher-change +#%patch39 -p1 -b .ipv6-apps +%patch40 -p1 -b .nocanister +%patch41 -p1 -b .use-fipscheck +%patch42 -p1 -b .fipscheck-hmac +%patch43 -p1 -b .evp-nonfips +%patch44 -p1 -b .fipsmode +%patch45 -p1 -b .env-nozlib +%patch46 -p1 -b .eap-fast +%patch47 -p1 -b .warning +%patch48 -p1 -b .bad-mime +%patch49 -p1 -b .no-pairwise + +%patch100 -p1 -b .mingw-header-files +%patch101 -p1 -b .mingw-configure +%patch102 -p1 -b .mingw-shared +%patch103 -p1 -b .mingw-global +%patch104 -p1 -b .mingw-sfx + +# Modify the various perl scripts to reference perl in the right location. +perl util/perlpath.pl `dirname %{__perl}` + +# Generate a table with the compile settings for my perusal. +touch Makefile +make TABLE PERL=%{__perl} + +%build +# NB: 'no-hw' is vital. MinGW cannot build the hardware drivers +# and if you don't have this you'll get an obscure link error. +%{_mingw32_env}; \ +sed -i -e "s/MINGW32_CC/%{_mingw32_cc}/" -e "s/MINGW32_CFLAGS/%{_mingw32_cflags}/" -e "s/MINGW32_RANLIB/%{_mingw32_ranlib}/" Configure; \ +./Configure \ + --prefix=%{_mingw32_prefix} \ + --openssldir=%{_mingw32_sysconfdir}/pki/tls \ + zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \ + no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa no-hw shared \ + --enginesdir=%{_mingw32_libdir}/openssl/engines \ + mingw +# --with-krb5-flavor=MIT +# -I%{_mingw32_prefix}/kerberos/include -L%{_mingw32_prefix}/kerberos/%{_lib} +%{_mingw32_make} depend +%{_mingw32_make} all build-shared + +# Generate hashes for the included certs. +%{_mingw32_make} rehash build-shared + +%if %{run_tests} +#---------------------------------------------------------------------- +# Run some tests. I don't know why this isn't in a %-check section +# but this is how it is in the native RPM. + +# This is a bit of a hack, but the test scripts look for 'openssl' +# by name. +pushd apps +ln -s openssl.exe openssl +popd + +# This is useful for diagnosing Wine problems. +WINEDEBUG=+loaddll +export WINEDEBUG + +# Make sure we can find the installed DLLs. +WINEDLLPATH=%{_mingw32_bindir} +export WINEDLLPATH + +# The tests run Wine and require an X server (but don't really use +# it). Therefore we create a virtual framebuffer for the duration of +# the tests. +# XXX There is no good way to choose a random, unused display. +# XXX Setting depth to 24 bits avoids bug 458219. +unset DISPLAY +display=:21 +Xvfb $display -screen 0 1024x768x24 -ac -noreset & xpid=$! +trap "kill -TERM $xpid ||:" EXIT +sleep 3 +DISPLAY=$display +export DISPLAY + +%{_mingw32_make} LDCMD=%{_mingw32_cc} -C test apps tests + +# Disable this thread test, because we don't have pthread on Windows. +%{_mingw32_cc} -o openssl-thread-test \ + -I./include \ + %-{_mingw32_cflags} \ + %-{SOURCE8} \ + -L. \ + -lssl -lcrypto \ + -lpthread -lz -ldl + +## `krb5-config --cflags` +## `krb5-config --libs` +# +./openssl-thread-test --threads %{thread_test_threads} + +#---------------------------------------------------------------------- +%endif + +# Patch33 must be patched after tests otherwise they will fail +patch -p1 -b -z .ca-dir < %{PATCH33} + +# Add generation of HMAC checksum of the final stripped library +#%define __spec_install_post \ +# %{?__debug_package:%{__debug_install_post}} \ +# %{__arch_install_post} \ +# %{__os_install_post} \ +# fips/fips_standalone_sha1 $RPM_BUILD_ROOT/%{_lib}/libcrypto.so.%{version} >$RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{version}.hmac \ +# ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{soversion}.hmac \ +#%{nil} + +if ! iconv -f UTF-8 -t ASCII//TRANSLIT CHANGES >/dev/null 2>&1 ; then + iconv -f ISO-8859-1 -t UTF-8 -o CHANGES.utf8 CHANGES && \ + mv -f CHANGES.utf8 CHANGES +fi + + +%install +rm -rf $RPM_BUILD_ROOT +mkdir -p $RPM_BUILD_ROOT%{_mingw32_libdir} +mkdir -p $RPM_BUILD_ROOT%{_mingw32_libdir}/openssl +mkdir -p $RPM_BUILD_ROOT%{_mingw32_bindir} +mkdir -p $RPM_BUILD_ROOT%{_mingw32_includedir} +mkdir -p $RPM_BUILD_ROOT%{_mingw32_mandir} +make INSTALL_PREFIX=$RPM_BUILD_ROOT install build-shared + +# Install the actual DLLs. +install libcrypto-%{soversion}.dll $RPM_BUILD_ROOT%{_mingw32_bindir} +install libssl-%{soversion}.dll $RPM_BUILD_ROOT%{_mingw32_bindir} + +# Remove static libraries but DON'T remove *.dll.a files. +rm $RPM_BUILD_ROOT%{_mingw32_libdir}/libcrypto.a +rm $RPM_BUILD_ROOT%{_mingw32_libdir}/libssl.a + +# I have no idea why it installs the manpages in /etc, but +# we remove them anyway. +rm -r $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/man + +# Set permissions on lib*.dll.a so that strip works. +chmod 0755 $RPM_BUILD_ROOT%{_mingw32_libdir}/libcrypto.dll.a +chmod 0755 $RPM_BUILD_ROOT%{_mingw32_libdir}/libssl.dll.a + +# Install a makefile for generating keys and self-signed certs, and a script +# for generating them on the fly. +mkdir -p $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/certs +install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/certs/Makefile +install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/certs/make-dummy-cert + +# Pick a CA script. +pushd $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/tls/misc +mv CA.sh CA +popd + +mkdir -m700 $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/CA +mkdir -m700 $RPM_BUILD_ROOT%{_mingw32_sysconfdir}/pki/CA/private + +%clean +rm -rf $RPM_BUILD_ROOT + + +%files +%defattr(-,root,root) +%doc LICENSE +%{_mingw32_bindir}/openssl.exe +%{_mingw32_bindir}/c_rehash +%{_mingw32_bindir}/libcrypto-%{soversion}.dll +%{_mingw32_bindir}/libssl-%{soversion}.dll +#{_mingw32_bindir}/.libcrypto*.hmac +%{_mingw32_libdir}/libcrypto.dll.a +%{_mingw32_libdir}/libssl.dll.a +%{_mingw32_libdir}/engines +%{_mingw32_libdir}/pkgconfig/*.pc +%{_mingw32_includedir}/openssl +%config(noreplace) %{_mingw32_sysconfdir}/pki + + +%changelog +* Mon Feb 2 2009 Levente Farkas - 0.9.8j-2 +- Various build fixes. + +* Wed Jan 28 2009 Levente Farkas - 0.9.8j-1 +- update to new upstream version. + +* Mon Dec 29 2008 Levente Farkas - 0.9.8g-2 +- minor cleanup. + +* Tue Sep 30 2008 Richard W.M. Jones - 0.9.8g-1 +- Initial RPM release. diff --git a/openssl-0.9.6-x509.patch b/openssl-0.9.6-x509.patch new file mode 100644 index 0000000..7b3f49f --- /dev/null +++ b/openssl-0.9.6-x509.patch @@ -0,0 +1,29 @@ +Do not treat duplicate certs as an error. + +--- openssl-0.9.6/crypto/x509/by_file.c Wed Sep 27 15:09:05 2000 ++++ openssl-0.9.6/crypto/x509/by_file.c Wed Sep 27 14:21:20 2000 +@@ -163,8 +163,12 @@ + } + } + i=X509_STORE_add_cert(ctx->store_ctx,x); +- if (!i) goto err; +- count++; ++ /* ignore any problems with current certificate ++ and continue with the next one */ ++ if (i) ++ count++; ++ else ++ ERR_clear_error(); + X509_free(x); + x=NULL; + } +@@ -179,7 +183,8 @@ + goto err; + } + i=X509_STORE_add_cert(ctx->store_ctx,x); +- if (!i) goto err; ++ if (!i) ++ ERR_clear_error(); + ret=i; + } + else diff --git a/openssl-0.9.8a-defaults.patch b/openssl-0.9.8a-defaults.patch new file mode 100644 index 0000000..5a4db7b --- /dev/null +++ b/openssl-0.9.8a-defaults.patch @@ -0,0 +1,50 @@ +--- openssl-0.9.8a/apps/openssl.cnf.defaults 2005-09-16 14:20:24.000000000 +0200 ++++ openssl-0.9.8a/apps/openssl.cnf 2005-11-04 11:00:37.000000000 +0100 +@@ -99,6 +99,7 @@ + #################################################################### + [ req ] + default_bits = 1024 ++default_md = sha1 + default_keyfile = privkey.pem + distinguished_name = req_distinguished_name + attributes = req_attributes +@@ -116,23 +117,26 @@ + # MASK:XXXX a literal mask value. + # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings + # so use this option with caution! +-string_mask = nombstr ++# we use PrintableString+UTF8String mask so if pure ASCII texts are used ++# the resulting certificates are compatible with Netscape ++string_mask = MASK:0x2002 + + # req_extensions = v3_req # The extensions to add to a certificate request + + [ req_distinguished_name ] + countryName = Country Name (2 letter code) +-countryName_default = AU ++countryName_default = GB + countryName_min = 2 + countryName_max = 2 + + stateOrProvinceName = State or Province Name (full name) +-stateOrProvinceName_default = Some-State ++stateOrProvinceName_default = Berkshire + + localityName = Locality Name (eg, city) ++localityName_default = Newbury + + 0.organizationName = Organization Name (eg, company) +-0.organizationName_default = Internet Widgits Pty Ltd ++0.organizationName_default = My Company Ltd + + # we can do this but it is not needed normally :-) + #1.organizationName = Second Organization Name (eg, company) +@@ -141,7 +145,7 @@ + organizationalUnitName = Organizational Unit Name (eg, section) + #organizationalUnitName_default = + +-commonName = Common Name (eg, YOUR name) ++commonName = Common Name (eg, your name or your server\'s hostname) + commonName_max = 64 + + emailAddress = Email Address diff --git a/openssl-0.9.8a-link-krb5.patch b/openssl-0.9.8a-link-krb5.patch new file mode 100644 index 0000000..f34b1e5 --- /dev/null +++ b/openssl-0.9.8a-link-krb5.patch @@ -0,0 +1,11 @@ +--- openssl-0.9.8a/Makefile.org.link-krb5 2005-07-05 07:14:21.000000000 +0200 ++++ openssl-0.9.8a/Makefile.org 2005-11-07 18:00:08.000000000 +0100 +@@ -266,7 +266,7 @@ + + do_$(SHLIB_TARGET): + @ set -e; libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ +- if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ ++ if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \ + libs="$(LIBKRB5) $$libs"; \ + fi; \ + $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \ diff --git a/openssl-0.9.8a-no-rpath.patch b/openssl-0.9.8a-no-rpath.patch new file mode 100644 index 0000000..8f8fb91 --- /dev/null +++ b/openssl-0.9.8a-no-rpath.patch @@ -0,0 +1,11 @@ +--- openssl-0.9.8a/Makefile.shared.no-rpath 2005-06-23 22:47:54.000000000 +0200 ++++ openssl-0.9.8a/Makefile.shared 2005-11-16 22:35:37.000000000 +0100 +@@ -153,7 +153,7 @@ + NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \ + SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX" + +-DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)" ++DO_GNU_APP=LDFLAGS="$(CFLAGS)" + + #This is rather special. It's a special target with which one can link + #applications without bothering with any features that have anything to diff --git a/openssl-0.9.8a-reuse-cipher-change.patch b/openssl-0.9.8a-reuse-cipher-change.patch new file mode 100644 index 0000000..666688b --- /dev/null +++ b/openssl-0.9.8a-reuse-cipher-change.patch @@ -0,0 +1,20 @@ +--- openssl-0.9.8a/ssl/ssl.h.cipher-change 2005-11-22 16:36:22.000000000 +0100 ++++ openssl-0.9.8a/ssl/ssl.h 2005-12-15 11:28:05.000000000 +0100 +@@ -477,7 +477,7 @@ + + #define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L + #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L +-#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L ++#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* can break some security expectations */ + #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L + #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L + #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */ +@@ -494,7 +494,7 @@ + + /* SSL_OP_ALL: various bug workarounds that should be rather harmless. + * This used to be 0x000FFFFFL before 0.9.7. */ +-#define SSL_OP_ALL 0x00000FFFL ++#define SSL_OP_ALL 0x00000FF7L /* without SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG */ + + /* DTLS options */ + #define SSL_OP_NO_QUERY_MTU 0x00001000L diff --git a/openssl-0.9.8b-aliasing-bug.patch b/openssl-0.9.8b-aliasing-bug.patch new file mode 100644 index 0000000..8d3b36a --- /dev/null +++ b/openssl-0.9.8b-aliasing-bug.patch @@ -0,0 +1,24 @@ + +This patch fixes a violation of the C aliasing rules that can cause +miscompilation with some compiler versions. + +--- openssl-0.9.8b/crypto/dso/dso_dlfcn.c.orig 2006-10-30 18:21:35.000000000 +0100 ++++ openssl-0.9.8b/crypto/dso/dso_dlfcn.c 2006-10-30 18:21:37.000000000 +0100 +@@ -237,7 +237,7 @@ static void *dlfcn_bind_var(DSO *dso, co + static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname) + { + void *ptr; +- DSO_FUNC_TYPE sym, *tsym = &sym; ++ DSO_FUNC_TYPE sym; + + if((dso == NULL) || (symname == NULL)) + { +@@ -255,7 +255,7 @@ static DSO_FUNC_TYPE dlfcn_bind_func(DSO + DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_NULL_HANDLE); + return(NULL); + } +- *(void **)(tsym) = dlsym(ptr, symname); ++ sym = dlsym(ptr, symname); + if(sym == NULL) + { + DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_SYM_FAILURE); diff --git a/openssl-0.9.8b-test-use-localhost.patch b/openssl-0.9.8b-test-use-localhost.patch new file mode 100644 index 0000000..08adf1c --- /dev/null +++ b/openssl-0.9.8b-test-use-localhost.patch @@ -0,0 +1,24 @@ +diff -up openssl-0.9.8b/ssl/ssltest.c.use-localhost openssl-0.9.8b/ssl/ssltest.c +--- openssl-0.9.8b/ssl/ssltest.c.use-localhost 2006-02-24 18:58:35.000000000 +0100 ++++ openssl-0.9.8b/ssl/ssltest.c 2007-08-03 14:06:16.000000000 +0200 +@@ -839,19 +839,8 @@ bad: + #ifndef OPENSSL_NO_KRB5 + if (c_ssl && c_ssl->kssl_ctx) + { +- char localhost[MAXHOSTNAMELEN+2]; +- +- if (gethostname(localhost, sizeof localhost-1) == 0) +- { +- localhost[sizeof localhost-1]='\0'; +- if(strlen(localhost) == sizeof localhost-1) +- { +- BIO_printf(bio_err,"localhost name too long\n"); +- goto end; +- } + kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, +- localhost); +- } ++ "localhost"); + } + #endif /* OPENSSL_NO_KRB5 */ + diff --git a/openssl-0.9.8b-x509-name-cmp.patch b/openssl-0.9.8b-x509-name-cmp.patch new file mode 100644 index 0000000..c7e8848 --- /dev/null +++ b/openssl-0.9.8b-x509-name-cmp.patch @@ -0,0 +1,18 @@ +--- openssl-0.9.8b/crypto/x509/x509_cmp.c.name-cmp 2004-12-01 02:45:30.000000000 +0100 ++++ openssl-0.9.8b/crypto/x509/x509_cmp.c 2006-11-30 23:37:26.000000000 +0100 +@@ -282,14 +282,7 @@ + nb=sk_X509_NAME_ENTRY_value(b->entries,i); + j=na->value->type-nb->value->type; + if (j) +- { +- nabit = ASN1_tag2bit(na->value->type); +- nbbit = ASN1_tag2bit(nb->value->type); +- if (!(nabit & STR_TYPE_CMP) || +- !(nbbit & STR_TYPE_CMP)) +- return j; +- j = asn1_string_memcmp(na->value, nb->value); +- } ++ return j; + else if (na->value->type == V_ASN1_PRINTABLESTRING) + j=nocase_spacenorm_cmp(na->value, nb->value); + else if (na->value->type == V_ASN1_IA5STRING diff --git a/openssl-0.9.8g-default-paths.patch b/openssl-0.9.8g-default-paths.patch new file mode 100644 index 0000000..23fa4e1 --- /dev/null +++ b/openssl-0.9.8g-default-paths.patch @@ -0,0 +1,77 @@ +diff -up openssl-0.9.8g/apps/s_server.c.default-paths openssl-0.9.8g/apps/s_server.c +--- openssl-0.9.8g/apps/s_server.c.default-paths 2007-12-13 17:41:34.000000000 +0100 ++++ openssl-0.9.8g/apps/s_server.c 2007-12-13 17:36:58.000000000 +0100 +@@ -1077,12 +1077,13 @@ bad: + } + #endif + +- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || +- (!SSL_CTX_set_default_verify_paths(ctx))) ++ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ++ { ++ ERR_print_errors(bio_err); ++ } ++ if (!SSL_CTX_set_default_verify_paths(ctx)) + { +- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */ + ERR_print_errors(bio_err); +- /* goto end; */ + } + store = SSL_CTX_get_cert_store(ctx); + X509_STORE_set_flags(store, vflags); +@@ -1132,8 +1133,11 @@ bad: + + SSL_CTX_sess_set_cache_size(ctx2,128); + +- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) || +- (!SSL_CTX_set_default_verify_paths(ctx2))) ++ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ++ { ++ ERR_print_errors(bio_err); ++ } ++ if (!SSL_CTX_set_default_verify_paths(ctx2)) + { + ERR_print_errors(bio_err); + } +diff -up openssl-0.9.8g/apps/s_client.c.default-paths openssl-0.9.8g/apps/s_client.c +--- openssl-0.9.8g/apps/s_client.c.default-paths 2007-12-13 17:41:34.000000000 +0100 ++++ openssl-0.9.8g/apps/s_client.c 2007-12-13 17:37:34.000000000 +0100 +@@ -673,12 +673,13 @@ bad: + if (!set_cert_key_stuff(ctx,cert,key)) + goto end; + +- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || +- (!SSL_CTX_set_default_verify_paths(ctx))) ++ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ++ { ++ ERR_print_errors(bio_err); ++ } ++ if (!SSL_CTX_set_default_verify_paths(ctx)) + { +- /* BIO_printf(bio_err,"error setting default verify locations\n"); */ + ERR_print_errors(bio_err); +- /* goto end; */ + } + + store = SSL_CTX_get_cert_store(ctx); +diff -up openssl-0.9.8g/apps/s_time.c.default-paths openssl-0.9.8g/apps/s_time.c +--- openssl-0.9.8g/apps/s_time.c.default-paths 2003-12-27 15:40:17.000000000 +0100 ++++ openssl-0.9.8g/apps/s_time.c 2007-12-13 17:35:27.000000000 +0100 +@@ -476,12 +476,13 @@ int MAIN(int argc, char **argv) + + SSL_load_error_strings(); + +- if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) || +- (!SSL_CTX_set_default_verify_paths(tm_ctx))) ++ if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ++ { ++ ERR_print_errors(bio_err); ++ } ++ if (!SSL_CTX_set_default_verify_paths(tm_ctx)) + { +- /* BIO_printf(bio_err,"error setting default verify locations\n"); */ + ERR_print_errors(bio_err); +- /* goto end; */ + } + + if (tm_cipher == NULL) diff --git a/openssl-0.9.8g-ia64.patch b/openssl-0.9.8g-ia64.patch new file mode 100644 index 0000000..ec982d2 --- /dev/null +++ b/openssl-0.9.8g-ia64.patch @@ -0,0 +1,19 @@ +diff -up openssl-0.9.8g/crypto/bn/bn_lcl.h.ia64 openssl-0.9.8g/crypto/bn/bn_lcl.h +--- openssl-0.9.8g/crypto/bn/bn_lcl.h.ia64 2008-08-10 22:23:55.000000000 +0200 ++++ openssl-0.9.8g/crypto/bn/bn_lcl.h 2008-08-10 22:23:55.000000000 +0200 +@@ -279,6 +279,15 @@ extern "C" { + # define BN_UMULT_HIGH(a,b) __umulh((a),(b)) + # define BN_UMULT_LOHI(low,high,a,b) ((low)=_umul128((a),(b),&(high))) + # endif ++# elif defined(__ia64) && defined(SIXTY_FOUR_BIT_LONG) ++# if defined(__GNUC__) ++# define BN_UMULT_HIGH(a,b) ({ \ ++ register BN_ULONG ret; \ ++ asm ("xmpy.hu %0 = %1, %2" \ ++ : "=f"(ret) \ ++ : "f"(a), "f"(b)); \ ++ ret; }) ++# endif /* compiler */ + # endif /* cpu */ + #endif /* OPENSSL_NO_ASM */ + diff --git a/openssl-0.9.8g-no-extssl.patch b/openssl-0.9.8g-no-extssl.patch new file mode 100644 index 0000000..de00d0c --- /dev/null +++ b/openssl-0.9.8g-no-extssl.patch @@ -0,0 +1,27 @@ +diff -up openssl-0.9.8g/ssl/t1_lib.c.no-extssl openssl-0.9.8g/ssl/t1_lib.c +--- openssl-0.9.8g/ssl/t1_lib.c.no-extssl 2007-10-19 09:44:10.000000000 +0200 ++++ openssl-0.9.8g/ssl/t1_lib.c 2008-08-10 21:42:11.000000000 +0200 +@@ -132,6 +132,11 @@ unsigned char *ssl_add_clienthello_tlsex + int extdatalen=0; + unsigned char *ret = p; + ++ if (s->client_version != TLS1_VERSION && s->client_version != DTLS1_VERSION) ++ { ++ return ret; ++ } ++ + ret+=2; + + if (ret>=limit) return NULL; /* this really never occurs, but ... */ +@@ -202,6 +207,11 @@ unsigned char *ssl_add_serverhello_tlsex + int extdatalen=0; + unsigned char *ret = p; + ++ if (s->version != TLS1_VERSION && s->version != DTLS1_VERSION) ++ { ++ return ret; ++ } ++ + ret+=2; + if (ret>=limit) return NULL; /* this really never occurs, but ... */ + diff --git a/openssl-0.9.8j-bad-mime.patch b/openssl-0.9.8j-bad-mime.patch new file mode 100644 index 0000000..a990911 --- /dev/null +++ b/openssl-0.9.8j-bad-mime.patch @@ -0,0 +1,14 @@ +diff -up openssl-0.9.8j/crypto/asn1/asn_mime.c.bad-mime openssl-0.9.8j/crypto/asn1/asn_mime.c +--- openssl-0.9.8j/crypto/asn1/asn_mime.c.bad-mime 2008-08-05 17:56:11.000000000 +0200 ++++ openssl-0.9.8j/crypto/asn1/asn_mime.c 2009-01-14 22:08:34.000000000 +0100 +@@ -792,6 +792,10 @@ static int mime_hdr_addparam(MIME_HEADER + static int mime_hdr_cmp(const MIME_HEADER * const *a, + const MIME_HEADER * const *b) + { ++ if ((*a)->name == NULL || (*b)->name == NULL) ++ return (*a)->name - (*b)->name < 0 ? -1 : ++ (*a)->name - (*b)->name > 0 ? 1 : 0; ++ + return(strcmp((*a)->name, (*b)->name)); + } + diff --git a/openssl-0.9.8j-ca-dir.patch b/openssl-0.9.8j-ca-dir.patch new file mode 100644 index 0000000..52c0025 --- /dev/null +++ b/openssl-0.9.8j-ca-dir.patch @@ -0,0 +1,36 @@ +diff -up openssl-0.9.8j/apps/openssl.cnf.ca-dir openssl-0.9.8j/apps/openssl.cnf +--- openssl-0.9.8j/apps/openssl.cnf.ca-dir 2009-01-13 23:20:10.000000000 +0100 ++++ openssl-0.9.8j/apps/openssl.cnf 2009-01-13 23:20:10.000000000 +0100 +@@ -34,7 +34,7 @@ default_ca = CA_default # The default c + #################################################################### + [ CA_default ] + +-dir = ./demoCA # Where everything is kept ++dir = ../../CA # Where everything is kept + certs = $dir/certs # Where the issued certs are kept + crl_dir = $dir/crl # Where the issued crl are kept + database = $dir/index.txt # database index file. +diff -up openssl-0.9.8j/apps/CA.sh.ca-dir openssl-0.9.8j/apps/CA.sh +--- openssl-0.9.8j/apps/CA.sh.ca-dir 2005-07-04 23:44:22.000000000 +0200 ++++ openssl-0.9.8j/apps/CA.sh 2009-01-13 23:20:10.000000000 +0100 +@@ -39,7 +39,7 @@ CA="$OPENSSL ca $SSLEAY_CONFIG" + VERIFY="$OPENSSL verify" + X509="$OPENSSL x509" + +-CATOP=./demoCA ++CATOP=../../CA + CAKEY=./cakey.pem + CAREQ=./careq.pem + CACERT=./cacert.pem +diff -up openssl-0.9.8j/apps/CA.pl.in.ca-dir openssl-0.9.8j/apps/CA.pl.in +--- openssl-0.9.8j/apps/CA.pl.in.ca-dir 2006-04-28 02:28:51.000000000 +0200 ++++ openssl-0.9.8j/apps/CA.pl.in 2009-01-13 23:20:10.000000000 +0100 +@@ -53,7 +53,7 @@ $VERIFY="$openssl verify"; + $X509="$openssl x509"; + $PKCS12="$openssl pkcs12"; + +-$CATOP="./demoCA"; ++$CATOP="../../CA"; + $CAKEY="cakey.pem"; + $CAREQ="careq.pem"; + $CACERT="cacert.pem"; diff --git a/openssl-0.9.8j-eap-fast.patch b/openssl-0.9.8j-eap-fast.patch new file mode 100644 index 0000000..1e77f00 --- /dev/null +++ b/openssl-0.9.8j-eap-fast.patch @@ -0,0 +1,378 @@ +diff -up openssl-0.9.8j/ssl/t1_lib.c.eap-fast openssl-0.9.8j/ssl/t1_lib.c +--- openssl-0.9.8j/ssl/t1_lib.c.eap-fast 2009-01-14 16:39:41.000000000 +0100 ++++ openssl-0.9.8j/ssl/t1_lib.c 2009-01-14 21:35:38.000000000 +0100 +@@ -106,6 +106,12 @@ int tls1_new(SSL *s) + + void tls1_free(SSL *s) + { ++#ifndef OPENSSL_NO_TLSEXT ++ if (s && s->tlsext_session_ticket) ++ { ++ OPENSSL_free(s->tlsext_session_ticket); ++ } ++#endif /* OPENSSL_NO_TLSEXT */ + ssl3_free(s); + } + +@@ -180,8 +186,23 @@ unsigned char *ssl_add_clienthello_tlsex + int ticklen; + if (s->session && s->session->tlsext_tick) + ticklen = s->session->tlsext_ticklen; ++ else if (s->session && s->tlsext_session_ticket && ++ s->tlsext_session_ticket->data) ++ { ++ ticklen = s->tlsext_session_ticket->length; ++ s->session->tlsext_tick = OPENSSL_malloc(ticklen); ++ if (!s->session->tlsext_tick) ++ return NULL; ++ memcpy(s->session->tlsext_tick, ++ s->tlsext_session_ticket->data, ++ ticklen); ++ s->session->tlsext_ticklen = ticklen; ++ } + else + ticklen = 0; ++ if (ticklen == 0 && s->tlsext_session_ticket && ++ s->tlsext_session_ticket->data == NULL) ++ goto skip_ext; + /* Check for enough room 2 for extension type, 2 for len + * rest for ticket + */ +@@ -195,6 +216,7 @@ unsigned char *ssl_add_clienthello_tlsex + ret += ticklen; + } + } ++ skip_ext: + + if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) + { +@@ -417,6 +439,15 @@ int ssl_parse_clienthello_tlsext(SSL *s, + } + + } ++ else if (type == TLSEXT_TYPE_session_ticket) ++ { ++ if (s->tls_session_ticket_ext_cb && ++ !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) ++ { ++ *al = TLS1_AD_INTERNAL_ERROR; ++ return 0; ++ } ++ } + else if (type == TLSEXT_TYPE_status_request + && s->ctx->tlsext_status_cb) + { +@@ -563,6 +594,12 @@ int ssl_parse_serverhello_tlsext(SSL *s, + } + else if (type == TLSEXT_TYPE_session_ticket) + { ++ if (s->tls_session_ticket_ext_cb && ++ !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) ++ { ++ *al = TLS1_AD_INTERNAL_ERROR; ++ return 0; ++ } + if ((SSL_get_options(s) & SSL_OP_NO_TICKET) + || (size > 0)) + { +@@ -786,6 +823,15 @@ int tls1_process_ticket(SSL *s, unsigned + s->tlsext_ticket_expected = 1; + return 0; /* Cache miss */ + } ++ if (s->tls_session_secret_cb) ++ { ++ /* Indicate cache miss here and instead of ++ * generating the session from ticket now, ++ * trigger abbreviated handshake based on ++ * external mechanism to calculate the master ++ * secret later. */ ++ return 0; ++ } + return tls_decrypt_ticket(s, p, size, session_id, len, + ret); + } +diff -up openssl-0.9.8j/ssl/s3_clnt.c.eap-fast openssl-0.9.8j/ssl/s3_clnt.c +--- openssl-0.9.8j/ssl/s3_clnt.c.eap-fast 2009-01-07 11:48:23.000000000 +0100 ++++ openssl-0.9.8j/ssl/s3_clnt.c 2009-01-14 21:13:47.000000000 +0100 +@@ -759,6 +759,23 @@ int ssl3_get_server_hello(SSL *s) + goto f_err; + } + ++#ifndef OPENSSL_NO_TLSEXT ++ /* check if we want to resume the session based on external pre-shared secret */ ++ if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) ++ { ++ SSL_CIPHER *pref_cipher=NULL; ++ s->session->master_key_length=sizeof(s->session->master_key); ++ if (s->tls_session_secret_cb(s, s->session->master_key, ++ &s->session->master_key_length, ++ NULL, &pref_cipher, ++ s->tls_session_secret_cb_arg)) ++ { ++ s->session->cipher = pref_cipher ? ++ pref_cipher : ssl_get_cipher_by_char(s, p+j); ++ } ++ } ++#endif /* OPENSSL_NO_TLSEXT */ ++ + if (j != 0 && j == s->session->session_id_length + && memcmp(p,s->session->session_id,j) == 0) + { +@@ -2701,11 +2718,8 @@ static int ssl3_check_finished(SSL *s) + { + int ok; + long n; +- /* If we have no ticket or session ID is non-zero length (a match of +- * a non-zero session length would never reach here) it cannot be a +- * resumed session. +- */ +- if (!s->session->tlsext_tick || s->session->session_id_length) ++ /* If we have no ticket it cannot be a resumed session. */ ++ if (!s->session->tlsext_tick) + return 1; + /* this function is called when we really expect a Certificate + * message, so permit appropriate message length */ +diff -up openssl-0.9.8j/ssl/ssl_sess.c.eap-fast openssl-0.9.8j/ssl/ssl_sess.c +--- openssl-0.9.8j/ssl/ssl_sess.c.eap-fast 2008-06-04 20:35:27.000000000 +0200 ++++ openssl-0.9.8j/ssl/ssl_sess.c 2009-01-14 21:13:47.000000000 +0100 +@@ -707,6 +707,61 @@ long SSL_CTX_get_timeout(const SSL_CTX * + return(s->session_timeout); + } + ++#ifndef OPENSSL_NO_TLSEXT ++int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len, ++ STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg) ++ { ++ if (s == NULL) return(0); ++ s->tls_session_secret_cb = tls_session_secret_cb; ++ s->tls_session_secret_cb_arg = arg; ++ return(1); ++ } ++ ++int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb, ++ void *arg) ++ { ++ if (s == NULL) return(0); ++ s->tls_session_ticket_ext_cb = cb; ++ s->tls_session_ticket_ext_cb_arg = arg; ++ return(1); ++ } ++ ++int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len) ++ { ++ if (s->version >= TLS1_VERSION) ++ { ++ if (s->tlsext_session_ticket) ++ { ++ OPENSSL_free(s->tlsext_session_ticket); ++ s->tlsext_session_ticket = NULL; ++ } ++ ++ s->tlsext_session_ticket = OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len); ++ if (!s->tlsext_session_ticket) ++ { ++ SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE); ++ return 0; ++ } ++ ++ if (ext_data) ++ { ++ s->tlsext_session_ticket->length = ext_len; ++ s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1; ++ memcpy(s->tlsext_session_ticket->data, ext_data, ext_len); ++ } ++ else ++ { ++ s->tlsext_session_ticket->length = 0; ++ s->tlsext_session_ticket->data = NULL; ++ } ++ ++ return 1; ++ } ++ ++ return 0; ++ } ++#endif /* OPENSSL_NO_TLSEXT */ ++ + typedef struct timeout_param_st + { + SSL_CTX *ctx; +diff -up openssl-0.9.8j/ssl/s3_srvr.c.eap-fast openssl-0.9.8j/ssl/s3_srvr.c +--- openssl-0.9.8j/ssl/s3_srvr.c.eap-fast 2009-01-07 11:48:23.000000000 +0100 ++++ openssl-0.9.8j/ssl/s3_srvr.c 2009-01-14 21:22:37.000000000 +0100 +@@ -965,6 +965,59 @@ int ssl3_get_client_hello(SSL *s) + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); + goto err; + } ++ ++ /* Check if we want to use external pre-shared secret for this ++ * handshake for not reused session only. We need to generate ++ * server_random before calling tls_session_secret_cb in order to allow ++ * SessionTicket processing to use it in key derivation. */ ++ { ++ unsigned long Time; ++ unsigned char *pos; ++ Time=(unsigned long)time(NULL); /* Time */ ++ pos=s->s3->server_random; ++ l2n(Time,pos); ++ if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0) ++ { ++ al=SSL_AD_INTERNAL_ERROR; ++ goto f_err; ++ } ++ } ++ ++ if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) ++ { ++ SSL_CIPHER *pref_cipher=NULL; ++ ++ s->session->master_key_length=sizeof(s->session->master_key); ++ if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, ++ ciphers, &pref_cipher, s->tls_session_secret_cb_arg)) ++ { ++ s->hit=1; ++ s->session->ciphers=ciphers; ++ s->session->verify_result=X509_V_OK; ++ ++ ciphers=NULL; ++ ++ /* check if some cipher was preferred by call back */ ++ pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); ++ if (pref_cipher == NULL) ++ { ++ al=SSL_AD_HANDSHAKE_FAILURE; ++ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER); ++ goto f_err; ++ } ++ ++ s->session->cipher=pref_cipher; ++ ++ if (s->cipher_list) ++ sk_SSL_CIPHER_free(s->cipher_list); ++ ++ if (s->cipher_list_by_id) ++ sk_SSL_CIPHER_free(s->cipher_list_by_id); ++ ++ s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers); ++ s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers); ++ } ++ } + #endif + /* Worst case, we will use the NULL compression, but if we have other + * options, we will now look for them. We have i-1 compression +@@ -1103,16 +1156,22 @@ int ssl3_send_server_hello(SSL *s) + unsigned char *buf; + unsigned char *p,*d; + int i,sl; +- unsigned long l,Time; ++ unsigned long l; ++#ifdef OPENSSL_NO_TLSEXT ++ unsigned long Time; ++#endif + + if (s->state == SSL3_ST_SW_SRVR_HELLO_A) + { + buf=(unsigned char *)s->init_buf->data; ++#ifdef OPENSSL_NO_TLSEXT + p=s->s3->server_random; ++ /* Generate server_random if it was not needed previously */ + Time=(unsigned long)time(NULL); /* Time */ + l2n(Time,p); + if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) + return -1; ++#endif + /* Do the message type and length last */ + d=p= &(buf[4]); + +diff -up openssl-0.9.8j/ssl/tls1.h.eap-fast openssl-0.9.8j/ssl/tls1.h +--- openssl-0.9.8j/ssl/tls1.h.eap-fast 2009-01-14 16:39:41.000000000 +0100 ++++ openssl-0.9.8j/ssl/tls1.h 2009-01-14 21:13:47.000000000 +0100 +@@ -398,6 +398,13 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_T + #define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /*master secret*/ + #endif + ++/* TLS Session Ticket extension struct */ ++struct tls_session_ticket_ext_st ++ { ++ unsigned short length; ++ void *data; ++ }; ++ + #ifdef __cplusplus + } + #endif +diff -up openssl-0.9.8j/ssl/ssl_err.c.eap-fast openssl-0.9.8j/ssl/ssl_err.c +--- openssl-0.9.8j/ssl/ssl_err.c.eap-fast 2008-08-13 21:44:44.000000000 +0200 ++++ openssl-0.9.8j/ssl/ssl_err.c 2009-01-14 21:13:47.000000000 +0100 +@@ -253,6 +253,7 @@ static ERR_STRING_DATA SSL_str_functs[]= + {ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"}, + {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"}, + {ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"}, ++{ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"}, + {0,NULL} + }; + +diff -up openssl-0.9.8j/ssl/ssl.h.eap-fast openssl-0.9.8j/ssl/ssl.h +--- openssl-0.9.8j/ssl/ssl.h.eap-fast 2009-01-14 16:39:41.000000000 +0100 ++++ openssl-0.9.8j/ssl/ssl.h 2009-01-14 21:26:45.000000000 +0100 +@@ -344,6 +344,7 @@ extern "C" { + * 'struct ssl_st *' function parameters used to prototype callbacks + * in SSL_CTX. */ + typedef struct ssl_st *ssl_crock_st; ++typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT; + + /* used to hold info on the particular ciphers used */ + typedef struct ssl_cipher_st +@@ -362,6 +363,9 @@ typedef struct ssl_cipher_st + + DECLARE_STACK_OF(SSL_CIPHER) + ++typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, int len, void *arg); ++typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg); ++ + /* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ + typedef struct ssl_method_st + { +@@ -1034,6 +1038,18 @@ struct ssl_st + + /* RFC4507 session ticket expected to be received or sent */ + int tlsext_ticket_expected; ++ ++ /* TLS Session Ticket extension override */ ++ TLS_SESSION_TICKET_EXT *tlsext_session_ticket; ++ ++ /* TLS Session Ticket extension callback */ ++ tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb; ++ void *tls_session_ticket_ext_cb_arg; ++ ++ /* TLS pre-shared secret session resumption */ ++ tls_session_secret_cb_fn tls_session_secret_cb; ++ void *tls_session_secret_cb_arg; ++ + SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */ + #define session_ctx initial_ctx + #else +@@ -1624,6 +1640,15 @@ void *SSL_COMP_get_compression_methods(v + int SSL_COMP_add_compression_method(int id,void *cm); + #endif + ++/* TLS extensions functions */ ++int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len); ++ ++int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb, ++ void *arg); ++ ++/* Pre-shared secret session resumption functions */ ++int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg); ++ + /* BEGIN ERROR CODES */ + /* The following lines are auto generated by the script mkerr.pl. Any changes + * made after this point may be overwritten when the script is next run. +@@ -1816,6 +1841,7 @@ void ERR_load_SSL_strings(void); + #define SSL_F_TLS1_ENC 210 + #define SSL_F_TLS1_SETUP_KEY_BLOCK 211 + #define SSL_F_WRITE_PENDING 212 ++#define SSL_F_SSL_SET_SESSION_TICKET_EXT 213 + + /* Reason codes. */ + #define SSL_R_APP_DATA_IN_HANDSHAKE 100 diff --git a/openssl-0.9.8j-enginesdir.patch b/openssl-0.9.8j-enginesdir.patch new file mode 100644 index 0000000..3834fe8 --- /dev/null +++ b/openssl-0.9.8j-enginesdir.patch @@ -0,0 +1,40 @@ +diff -up openssl-0.9.8j/Configure.enginesdir openssl-0.9.8j/Configure +--- openssl-0.9.8j/Configure.enginesdir 2009-01-13 23:17:40.000000000 +0100 ++++ openssl-0.9.8j/Configure 2009-01-13 23:17:40.000000000 +0100 +@@ -577,6 +577,7 @@ my $idx_arflags = $idx++; + + my $prefix=""; + my $openssldir=""; ++my $enginesdir=""; + my $exe_ext=""; + my $install_prefix=""; + my $fipslibdir="/usr/local/ssl/fips-1.0/lib/"; +@@ -815,6 +816,10 @@ PROCESS_ARGS: + { + $openssldir=$1; + } ++ elsif (/^--enginesdir=(.*)$/) ++ { ++ $enginesdir=$1; ++ } + elsif (/^--install.prefix=(.*)$/) + { + $install_prefix=$1; +@@ -1080,7 +1085,7 @@ chop $prefix if $prefix =~ /.\/$/; + + $openssldir=$prefix . "/ssl" if $openssldir eq ""; + $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/; +- ++$enginesdir="$prefix/lib/engines" if $enginesdir eq ""; + + print "IsMK1MF=$IsMK1MF\n"; + +@@ -1635,7 +1640,7 @@ while () + if (/^#define\s+OPENSSLDIR/) + { print OUT "#define OPENSSLDIR \"$openssldir\"\n"; } + elsif (/^#define\s+ENGINESDIR/) +- { print OUT "#define ENGINESDIR \"$prefix/lib/engines\"\n"; } ++ { print OUT "#define ENGINESDIR \"$enginesdir\"\n"; } + elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/) + { printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n" + if $export_var_as_fn; diff --git a/openssl-0.9.8j-env-nozlib.patch b/openssl-0.9.8j-env-nozlib.patch new file mode 100644 index 0000000..65af5a8 --- /dev/null +++ b/openssl-0.9.8j-env-nozlib.patch @@ -0,0 +1,13 @@ +Do not implicitly load the zlib support if OPENSSL_NO_DEFAULT_ZLIB is set. +diff -up openssl-0.9.8j/ssl/ssl_ciph.c.env-nozlib openssl-0.9.8j/ssl/ssl_ciph.c +--- openssl-0.9.8j/ssl/ssl_ciph.c.env-nozlib 2009-01-05 15:43:07.000000000 +0100 ++++ openssl-0.9.8j/ssl/ssl_ciph.c 2009-01-14 17:47:46.000000000 +0100 +@@ -287,7 +287,7 @@ static void load_builtin_compressions(vo + + MemCheck_off(); + ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp); +- if (ssl_comp_methods != NULL) ++ if (ssl_comp_methods != NULL && getenv("OPENSSL_NO_DEFAULT_ZLIB") == NULL) + { + comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); + if (comp != NULL) diff --git a/openssl-0.9.8j-evp-nonfips.patch b/openssl-0.9.8j-evp-nonfips.patch new file mode 100644 index 0000000..c25cf38 --- /dev/null +++ b/openssl-0.9.8j-evp-nonfips.patch @@ -0,0 +1,127 @@ +diff -up openssl-0.9.8j/crypto/evp/c_alld.c.evp-nonfips openssl-0.9.8j/crypto/evp/c_alld.c +--- openssl-0.9.8j/crypto/evp/c_alld.c.evp-nonfips 2005-04-30 23:51:40.000000000 +0200 ++++ openssl-0.9.8j/crypto/evp/c_alld.c 2009-01-14 17:51:41.000000000 +0100 +@@ -64,6 +64,11 @@ + + void OpenSSL_add_all_digests(void) + { ++#ifdef OPENSSL_FIPS ++ OPENSSL_init(); ++ if (!FIPS_mode()) ++ { ++#endif + #ifndef OPENSSL_NO_MD2 + EVP_add_digest(EVP_md2()); + #endif +@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void) + EVP_add_digest(EVP_sha384()); + EVP_add_digest(EVP_sha512()); + #endif ++#ifdef OPENSSL_FIPS ++ } ++ else ++ { ++#ifndef OPENSSL_NO_SHA ++ EVP_add_digest(EVP_sha1()); ++ EVP_add_digest_alias(SN_sha1,"ssl3-sha1"); ++ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA); ++#ifndef OPENSSL_NO_DSA ++ EVP_add_digest(EVP_dss1()); ++ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2); ++ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1"); ++ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1"); ++#endif ++#ifndef OPENSSL_NO_ECDSA ++ EVP_add_digest(EVP_ecdsa()); ++#endif ++#endif ++#ifndef OPENSSL_NO_SHA256 ++ EVP_add_digest(EVP_sha224()); ++ EVP_add_digest(EVP_sha256()); ++#endif ++#ifndef OPENSSL_NO_SHA512 ++ EVP_add_digest(EVP_sha384()); ++ EVP_add_digest(EVP_sha512()); ++#endif ++ } ++#endif + } +diff -up openssl-0.9.8j/crypto/evp/c_allc.c.evp-nonfips openssl-0.9.8j/crypto/evp/c_allc.c +--- openssl-0.9.8j/crypto/evp/c_allc.c.evp-nonfips 2007-04-24 01:50:04.000000000 +0200 ++++ openssl-0.9.8j/crypto/evp/c_allc.c 2009-01-14 17:51:41.000000000 +0100 +@@ -65,6 +65,11 @@ + void OpenSSL_add_all_ciphers(void) + { + ++#ifdef OPENSSL_FIPS ++ OPENSSL_init(); ++ if(!FIPS_mode()) ++ { ++#endif + #ifndef OPENSSL_NO_DES + EVP_add_cipher(EVP_des_cfb()); + EVP_add_cipher(EVP_des_cfb1()); +@@ -219,6 +224,63 @@ void OpenSSL_add_all_ciphers(void) + EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256"); + EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256"); + #endif ++#ifdef OPENSSL_FIPS ++ } ++ else ++ { ++#ifndef OPENSSL_NO_DES ++ EVP_add_cipher(EVP_des_ede_cfb()); ++ EVP_add_cipher(EVP_des_ede3_cfb()); ++ ++ EVP_add_cipher(EVP_des_ede_ofb()); ++ EVP_add_cipher(EVP_des_ede3_ofb()); ++ ++ EVP_add_cipher(EVP_des_ede_cbc()); ++ EVP_add_cipher(EVP_des_ede3_cbc()); ++ EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3"); ++ EVP_add_cipher_alias(SN_des_ede3_cbc,"des3"); ++ ++ EVP_add_cipher(EVP_des_ede()); ++ EVP_add_cipher(EVP_des_ede3()); ++#endif ++ ++#ifndef OPENSSL_NO_AES ++ EVP_add_cipher(EVP_aes_128_ecb()); ++ EVP_add_cipher(EVP_aes_128_cbc()); ++ EVP_add_cipher(EVP_aes_128_cfb()); ++ EVP_add_cipher(EVP_aes_128_cfb1()); ++ EVP_add_cipher(EVP_aes_128_cfb8()); ++ EVP_add_cipher(EVP_aes_128_ofb()); ++#if 0 ++ EVP_add_cipher(EVP_aes_128_ctr()); ++#endif ++ EVP_add_cipher_alias(SN_aes_128_cbc,"AES128"); ++ EVP_add_cipher_alias(SN_aes_128_cbc,"aes128"); ++ EVP_add_cipher(EVP_aes_192_ecb()); ++ EVP_add_cipher(EVP_aes_192_cbc()); ++ EVP_add_cipher(EVP_aes_192_cfb()); ++ EVP_add_cipher(EVP_aes_192_cfb1()); ++ EVP_add_cipher(EVP_aes_192_cfb8()); ++ EVP_add_cipher(EVP_aes_192_ofb()); ++#if 0 ++ EVP_add_cipher(EVP_aes_192_ctr()); ++#endif ++ EVP_add_cipher_alias(SN_aes_192_cbc,"AES192"); ++ EVP_add_cipher_alias(SN_aes_192_cbc,"aes192"); ++ EVP_add_cipher(EVP_aes_256_ecb()); ++ EVP_add_cipher(EVP_aes_256_cbc()); ++ EVP_add_cipher(EVP_aes_256_cfb()); ++ EVP_add_cipher(EVP_aes_256_cfb1()); ++ EVP_add_cipher(EVP_aes_256_cfb8()); ++ EVP_add_cipher(EVP_aes_256_ofb()); ++#if 0 ++ EVP_add_cipher(EVP_aes_256_ctr()); ++#endif ++ EVP_add_cipher_alias(SN_aes_256_cbc,"AES256"); ++ EVP_add_cipher_alias(SN_aes_256_cbc,"aes256"); ++#endif ++ } ++#endif + + PKCS12_PBE_add(); + PKCS5_PBE_add(); diff --git a/openssl-0.9.8j-fips-no-pairwise.patch b/openssl-0.9.8j-fips-no-pairwise.patch new file mode 100644 index 0000000..e6c2f73 --- /dev/null +++ b/openssl-0.9.8j-fips-no-pairwise.patch @@ -0,0 +1,24 @@ +diff -up openssl-0.9.8j/fips/rsa/fips_rsa_gen.c.no-pairwise openssl-0.9.8j/fips/rsa/fips_rsa_gen.c +--- openssl-0.9.8j/fips/rsa/fips_rsa_gen.c.no-pairwise 2009-01-17 20:27:37.000000000 +0100 ++++ openssl-0.9.8j/fips/rsa/fips_rsa_gen.c 2009-01-17 20:27:28.000000000 +0100 +@@ -288,7 +288,7 @@ static int rsa_builtin_keygen(RSA *rsa, + if (fips_rsa_pairwise_fail) + BN_add_word(rsa->n, 1); + +- if(!fips_check_rsa(rsa)) ++ if(FIPS_mode() && !fips_check_rsa(rsa)) + goto err; + + ok=1; +diff -up openssl-0.9.8j/fips/dsa/fips_dsa_key.c.no-pairwise openssl-0.9.8j/fips/dsa/fips_dsa_key.c +--- openssl-0.9.8j/fips/dsa/fips_dsa_key.c.no-pairwise 2008-09-16 12:12:15.000000000 +0200 ++++ openssl-0.9.8j/fips/dsa/fips_dsa_key.c 2009-01-17 20:26:20.000000000 +0100 +@@ -154,7 +154,7 @@ static int dsa_builtin_keygen(DSA *dsa) + dsa->pub_key=pub_key; + if (fips_dsa_pairwise_fail) + BN_add_word(dsa->pub_key, 1); +- if(!fips_check_dsa(dsa)) ++ if(FIPS_mode() && !fips_check_dsa(dsa)) + goto err; + ok=1; + diff --git a/openssl-0.9.8j-fipscheck-hmac.patch b/openssl-0.9.8j-fipscheck-hmac.patch new file mode 100644 index 0000000..3ba459b --- /dev/null +++ b/openssl-0.9.8j-fipscheck-hmac.patch @@ -0,0 +1,125 @@ +Produce fipscheck compatible HMAC-SHA256 with the fips_standalone_sha1 binary. +We use the binary just during the OpenSSL build to checksum the libcrypto. +diff -up openssl-0.9.8j/fips/sha/Makefile.fipscheck-hmac openssl-0.9.8j/fips/sha/Makefile +--- openssl-0.9.8j/fips/sha/Makefile.fipscheck-hmac 2008-10-26 19:42:05.000000000 +0100 ++++ openssl-0.9.8j/fips/sha/Makefile 2009-01-14 16:39:41.000000000 +0100 +@@ -46,7 +46,7 @@ lib: $(LIBOBJ) + @echo $(LIBOBJ) > lib + + ../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o +- FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \ ++ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \ + $(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM + + files: +diff -up openssl-0.9.8j/fips/sha/fips_standalone_sha1.c.fipscheck-hmac openssl-0.9.8j/fips/sha/fips_standalone_sha1.c +--- openssl-0.9.8j/fips/sha/fips_standalone_sha1.c.fipscheck-hmac 2008-09-16 12:12:23.000000000 +0200 ++++ openssl-0.9.8j/fips/sha/fips_standalone_sha1.c 2009-01-14 17:07:56.000000000 +0100 +@@ -62,7 +62,7 @@ void OPENSSL_cleanse(void *p,size_t len) + + #ifdef OPENSSL_FIPS + +-static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx, ++static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx, + const char *key) + { + int len=strlen(key); +@@ -72,10 +72,10 @@ static void hmac_init(SHA_CTX *md_ctx,SH + + if (len > SHA_CBLOCK) + { +- SHA1_Init(md_ctx); +- SHA1_Update(md_ctx,key,len); +- SHA1_Final(keymd,md_ctx); +- len=20; ++ SHA256_Init(md_ctx); ++ SHA256_Update(md_ctx,key,len); ++ SHA256_Final(keymd,md_ctx); ++ len=SHA256_DIGEST_LENGTH; + } + else + memcpy(keymd,key,len); +@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH + + for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++) + pad[i]=0x36^keymd[i]; +- SHA1_Init(md_ctx); +- SHA1_Update(md_ctx,pad,SHA_CBLOCK); ++ SHA256_Init(md_ctx); ++ SHA256_Update(md_ctx,pad,SHA256_CBLOCK); + + for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++) + pad[i]=0x5c^keymd[i]; +- SHA1_Init(o_ctx); +- SHA1_Update(o_ctx,pad,SHA_CBLOCK); ++ SHA256_Init(o_ctx); ++ SHA256_Update(o_ctx,pad,SHA256_CBLOCK); + } + +-static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx) ++static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx) + { +- unsigned char buf[20]; ++ unsigned char buf[SHA256_DIGEST_LENGTH]; + +- SHA1_Final(buf,md_ctx); +- SHA1_Update(o_ctx,buf,sizeof buf); +- SHA1_Final(md,o_ctx); ++ SHA256_Final(buf,md_ctx); ++ SHA256_Update(o_ctx,buf,sizeof buf); ++ SHA256_Final(md,o_ctx); + } + + #endif +@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md + int main(int argc,char **argv) + { + #ifdef OPENSSL_FIPS +- static char key[]="etaonrishdlcupfm"; ++ static char key[]="orboDeJITITejsirpADONivirpUkvarP"; + int n,binary=0; + + if(argc < 2) +@@ -125,8 +125,8 @@ int main(int argc,char **argv) + for(; n < argc ; ++n) + { + FILE *f=fopen(argv[n],"rb"); +- SHA_CTX md_ctx,o_ctx; +- unsigned char md[20]; ++ SHA256_CTX md_ctx,o_ctx; ++ unsigned char md[SHA256_DIGEST_LENGTH]; + int i; + + if(!f) +@@ -139,7 +139,7 @@ int main(int argc,char **argv) + for( ; ; ) + { + char buf[1024]; +- int l=fread(buf,1,sizeof buf,f); ++ size_t l=fread(buf,1,sizeof buf,f); + + if(l == 0) + { +@@ -151,18 +151,18 @@ int main(int argc,char **argv) + else + break; + } +- SHA1_Update(&md_ctx,buf,l); ++ SHA256_Update(&md_ctx,buf,l); + } + hmac_final(md,&md_ctx,&o_ctx); + + if (binary) + { +- fwrite(md,20,1,stdout); ++ fwrite(md,SHA256_DIGEST_LENGTH,1,stdout); + break; /* ... for single(!) file */ + } + +- printf("HMAC-SHA1(%s)= ",argv[n]); +- for(i=0 ; i < 20 ; ++i) ++/* printf("HMAC-SHA1(%s)= ",argv[n]); */ ++ for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i) + printf("%02x",md[i]); + printf("\n"); + } diff --git a/openssl-0.9.8j-kernel-fipsmode.patch b/openssl-0.9.8j-kernel-fipsmode.patch new file mode 100644 index 0000000..fed04c3 --- /dev/null +++ b/openssl-0.9.8j-kernel-fipsmode.patch @@ -0,0 +1,62 @@ +diff -up openssl-0.9.8j/crypto/o_init.c.fipsmode openssl-0.9.8j/crypto/o_init.c +--- openssl-0.9.8j/crypto/o_init.c.fipsmode 2008-11-05 19:36:36.000000000 +0100 ++++ openssl-0.9.8j/crypto/o_init.c 2009-01-14 17:57:39.000000000 +0100 +@@ -59,6 +59,45 @@ + #include + #include + ++#ifdef OPENSSL_FIPS ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" ++ ++static void init_fips_mode(void) ++ { ++ char buf[2] = "0"; ++ int fd; ++ ++ if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) ++ { ++ buf[0] = '1'; ++ } ++ else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) ++ { ++ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR); ++ close(fd); ++ } ++ /* Failure reading the fips mode switch file means just not ++ * switching into FIPS mode. We would break too many things ++ * otherwise. ++ */ ++ ++ if (buf[0] == '1') ++ { ++ FIPS_mode_set(1); ++ } ++ } ++#endif ++ + /* Perform any essential OpenSSL initialization operations. + * Currently only sets FIPS callbacks + */ +@@ -73,11 +112,10 @@ void OPENSSL_init(void) + #ifdef CRYPTO_MDEBUG + CRYPTO_malloc_debug_init(); + #endif +-#ifdef OPENSSL_ENGINE ++ init_fips_mode(); + int_EVP_MD_init_engine_callbacks(); + int_EVP_CIPHER_init_engine_callbacks(); + int_RAND_init_engine_callbacks(); +-#endif + done = 1; + } + #endif diff --git a/openssl-0.9.8j-nocanister.patch b/openssl-0.9.8j-nocanister.patch new file mode 100644 index 0000000..f5e1272 --- /dev/null +++ b/openssl-0.9.8j-nocanister.patch @@ -0,0 +1,31 @@ +Do not create a fipscanister.o, add the objects directly. +diff -up openssl-0.9.8j/fips/Makefile.nocanister openssl-0.9.8j/fips/Makefile +--- openssl-0.9.8j/fips/Makefile.nocanister 2009-01-13 18:26:15.000000000 +0100 ++++ openssl-0.9.8j/fips/Makefile 2009-01-13 21:43:43.000000000 +0100 +@@ -142,8 +142,24 @@ lib: $(LIB) + if [ "$(FIPSCANISTERINTERNAL)" = "n" -a -n "$(FIPSCANLOC)" ]; then $(AR) ../$(FIPSCANLIB).a $(FIPSCANLOC); fi + @touch lib + +-$(LIB): $(FIPSLIBDIR)fipscanister.o +- $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o ++$(LIB): $(LIBOBJ) $(FIPS_OBJ_LISTS) ++ FIPS_ASM=""; \ ++ list="$(BN_ASM)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/bn/$$i" ; done; \ ++ list="$(AES_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/aes/$$i" ; done; \ ++ list="$(DES_ENC)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/des/$$i" ; done; \ ++ list="$(SHA1_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/sha/$$i" ; done; \ ++ if [ -n "$(CPUID_OBJ)" ]; then \ ++ CPUID=../crypto/$(CPUID_OBJ) ; \ ++ else \ ++ CPUID="" ; \ ++ fi ; \ ++ objs="$(LIBOBJ) $(FIPS_EX_OBJ) $$CPUID $$FIPS_ASM"; \ ++ for i in $(FIPS_OBJ_LISTS); do \ ++ dir=`dirname $$i`; script="s|^|$$dir/|;s| | $$dir/|g"; \ ++ objs="$$objs `sed "$$script" $$i`"; \ ++ done; \ ++ objs="$$objs" ; \ ++ $(AR) $(LIB) $$objs + $(RANLIB) $(LIB) || echo Never mind. + + $(FIPSCANLIB): $(FIPSCANLOC) diff --git a/openssl-0.9.8j-readme-warning.patch b/openssl-0.9.8j-readme-warning.patch new file mode 100644 index 0000000..411e6bd --- /dev/null +++ b/openssl-0.9.8j-readme-warning.patch @@ -0,0 +1,35 @@ +diff -up openssl-0.9.8j/README.warning openssl-0.9.8j/README +--- openssl-0.9.8j/README.warning 2009-01-07 11:50:53.000000000 +0100 ++++ openssl-0.9.8j/README 2009-01-14 17:43:02.000000000 +0100 +@@ -5,6 +5,31 @@ + Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson + All rights reserved. + ++ WARNING ++ ------- ++ ++ This version of OpenSSL is built in a way that supports operation in ++ the so called FIPS mode. Note though that the library as we build it ++ is not FIPS validated and the FIPS mode is present for testing purposes ++ only. ++ ++ This version also contains a few differences from the upstream code ++ some of which are: ++ * The FIPS integrity verification check is implemented differently ++ from the upstream FIPS validated OpenSSL module. It verifies ++ HMAC-SHA256 checksum of the whole libcrypto shared library. ++ * The module respects the kernel FIPS flag /proc/sys/crypto/fips and ++ tries to initialize the FIPS mode if it is set to 1 aborting if the ++ FIPS mode could not be initialized. It is also possible to force the ++ OpenSSL library to FIPS mode especially for debugging purposes by ++ setting the environment variable OPENSSL_FORCE_FIPS_MODE. ++ * If the environment variable OPENSSL_NO_DEFAULT_ZLIB is set the module ++ will not automatically load the built in compression method ZLIB ++ when initialized. Applications can still explicitely ask for ZLIB ++ compression method. ++ * There is added a support for EAP-FAST through TLS extension. This code ++ is backported from OpenSSL upstream development branch. ++ + DESCRIPTION + ----------- + diff --git a/openssl-0.9.8j-redhat.patch b/openssl-0.9.8j-redhat.patch new file mode 100644 index 0000000..2e1153d --- /dev/null +++ b/openssl-0.9.8j-redhat.patch @@ -0,0 +1,53 @@ +diff -up openssl-0.9.8j/Configure.redhat openssl-0.9.8j/Configure +--- openssl-0.9.8j/Configure.redhat 2008-12-29 01:18:23.000000000 +0100 ++++ openssl-0.9.8j/Configure 2009-01-13 14:03:54.000000000 +0100 +@@ -320,28 +320,28 @@ my %table=( + #### + # *-generic* is endian-neutral target, but ./config is free to + # throw in -D[BL]_ENDIAN, whichever appropriate... +-"linux-generic32","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-generic32","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", ++"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + #### IA-32 targets... + "linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", + #### +-"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", ++"linux-ppc64", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", ++"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-x86_64", "gcc:-DL_ENDIAN -DTERMIO -Wall -DMD32_REG_T=int \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + #### SPARC Linux setups + # Ray Miller has patiently + # assisted with debugging of following two configs. +-"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-sparcv8","gcc:-DB_ENDIAN -DTERMIO -Wall -DBN_DIV2W \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + # it's a real mess with -mcpu=ultrasparc option under Linux, but + # -Wa,-Av8plus should do the trick no matter what. +-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall -Wa,-Av8plus -DBN_DIV2W \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + # GCC 3.1 is a requirement +-"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux64-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + #### Alpha Linux with GNU C and Compaq C setups + # Special notes: + # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you +@@ -355,8 +355,8 @@ my %table=( + # + # + # +-"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-alpha-gcc","gcc:-DL_ENDIAN -DTERMIO -mcpu=ev5 \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", ++"linux-alpha+bwx-gcc","gcc:-DL_ENDIAN -DTERMIO -mcpu=ev5 \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", + "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}", + "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}", + diff --git a/openssl-0.9.8j-shlib-version.patch b/openssl-0.9.8j-shlib-version.patch new file mode 100644 index 0000000..8182398 --- /dev/null +++ b/openssl-0.9.8j-shlib-version.patch @@ -0,0 +1,12 @@ +diff -up openssl-0.9.8j/crypto/opensslv.h.shlib-version openssl-0.9.8j/crypto/opensslv.h +--- openssl-0.9.8j/crypto/opensslv.h.shlib-version 2007-12-13 17:57:40.000000000 +0100 ++++ openssl-0.9.8j/crypto/opensslv.h 2008-01-25 17:10:13.000000000 +0100 +@@ -83,7 +83,7 @@ + * should only keep the versions that are binary compatible with the current. + */ + #define SHLIB_VERSION_HISTORY "" +-#define SHLIB_VERSION_NUMBER "0.9.8" ++#define SHLIB_VERSION_NUMBER "0.9.8j" + + + #endif /* HEADER_OPENSSLV_H */ diff --git a/openssl-0.9.8j-soversion.patch b/openssl-0.9.8j-soversion.patch new file mode 100644 index 0000000..80ee5cd --- /dev/null +++ b/openssl-0.9.8j-soversion.patch @@ -0,0 +1,49 @@ +Define and use a soname -- because we have to care about binary +compatibility, we have to increment the soname in order to allow +this version to co-exist with another versions and have everything +work right. + +diff -up openssl-0.9.8j/Configure.soversion openssl-0.9.8j/Configure +--- openssl-0.9.8j/Configure.soversion 2007-12-03 14:41:19.000000000 +0100 ++++ openssl-0.9.8j/Configure 2007-12-03 14:41:19.000000000 +0100 +@@ -1371,7 +1371,7 @@ while () + elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/) + { + my $sotmp = $1; +- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/; ++ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/; + } + elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/) + { +diff -up openssl-0.9.8j/Makefile.org.soversion openssl-0.9.8j/Makefile.org +--- openssl-0.9.8j/Makefile.org.soversion 2007-12-03 14:41:19.000000000 +0100 ++++ openssl-0.9.8j/Makefile.org 2007-12-03 14:41:19.000000000 +0100 +@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY= + SHLIB_MAJOR= + SHLIB_MINOR= + SHLIB_EXT= ++SHLIB_SONAMEVER=8 + PLATFORM=dist + OPTIONS= + CONFIGURE_ARGS= +@@ -277,10 +278,9 @@ clean-shared: + link-shared: + @ set -e; for i in ${SHLIBDIRS}; do \ + $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \ +- LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \ ++ LIBNAME=$$i LIBVERSION=${SHLIB_SONAMEVER} \ + LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \ + symlink.$(SHLIB_TARGET); \ +- libs="$$libs -l$$i"; \ + done + + build-shared: do_$(SHLIB_TARGET) link-shared +@@ -291,7 +291,7 @@ do_$(SHLIB_TARGET): + libs="$(LIBKRB5) $$libs"; \ + fi; \ + $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \ +- LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \ ++ LIBNAME=$$i LIBVERSION=${SHLIB_SONAMEVER} \ + LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \ + LIBDEPS="$$libs $(EX_LIBS)" \ + link_a.$(SHLIB_TARGET); \ diff --git a/openssl-0.9.8j-use-fipscheck.patch b/openssl-0.9.8j-use-fipscheck.patch new file mode 100644 index 0000000..6f2eca1 --- /dev/null +++ b/openssl-0.9.8j-use-fipscheck.patch @@ -0,0 +1,384 @@ +Use fipscheck compatible way of verification of the integrity of the libcrypto +shared library. +diff -up openssl-0.9.8j/test/Makefile.use-fipscheck openssl-0.9.8j/test/Makefile +--- openssl-0.9.8j/test/Makefile.use-fipscheck 2008-12-13 13:22:47.000000000 +0100 ++++ openssl-0.9.8j/test/Makefile 2009-01-13 22:49:25.000000000 +0100 +@@ -402,8 +402,7 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$ + if [ "$(FIPSCANLIB)" = "libfips" ]; then \ + LIBRARIES="-L$(TOP) -lfips"; \ + elif [ -n "$(FIPSCANLIB)" ]; then \ +- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ +- LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \ ++ LIBRARIES="$(LIBCRYPTO)"; \ + fi; \ + $(MAKE) -f $(TOP)/Makefile.shared -e \ + CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \ +@@ -414,9 +413,6 @@ FIPS_CRYPTO_BUILD_CMD=shlib_target=; if + shlib_target="$(SHLIB_TARGET)"; \ + fi; \ + LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \ +- if [ -z "$(SHARED_LIBS)" -a -n "$(FIPSCANLIB)" ] ; then \ +- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \ +- fi; \ + [ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \ + $(MAKE) -f $(TOP)/Makefile.shared -e \ + CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \ +diff -up openssl-0.9.8j/Makefile.org.use-fipscheck openssl-0.9.8j/Makefile.org +--- openssl-0.9.8j/Makefile.org.use-fipscheck 2009-01-13 22:35:48.000000000 +0100 ++++ openssl-0.9.8j/Makefile.org 2009-01-13 22:35:49.000000000 +0100 +@@ -357,10 +357,6 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA + $(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \ + $(AR) libcrypto.a fips/fipscanister.o ; \ + else \ +- if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \ +- FIPSLD_CC=$(CC); CC=fips/fipsld; \ +- export CC FIPSLD_CC; \ +- fi; \ + $(MAKE) -e SHLIBDIRS='crypto' build-shared; \ + fi \ + else \ +@@ -381,9 +377,8 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT + fips/fipscanister.o: build_fips + libfips$(SHLIB_EXT): fips/fipscanister.o + @if [ "$(SHLIB_TARGET)" != "" ]; then \ +- FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \ + $(MAKE) -f Makefile.shared -e $(BUILDENV) \ +- CC=$${CC} LIBNAME=fips THIS=$@ \ ++ CC=$(CC) LIBNAME=fips THIS=$@ \ + LIBEXTRAS=fips/fipscanister.o \ + LIBDEPS="$(EX_LIBS)" \ + LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \ +@@ -469,7 +464,7 @@ openssl.pc: Makefile + echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \ + echo 'Version: '$(VERSION); \ + echo 'Requires: '; \ +- echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \ ++ echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)';\ + echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc + + Makefile: Makefile.org Configure config +diff -up openssl-0.9.8j/fips/fips.c.use-fipscheck openssl-0.9.8j/fips/fips.c +--- openssl-0.9.8j/fips/fips.c.use-fipscheck 2008-09-16 12:12:09.000000000 +0200 ++++ openssl-0.9.8j/fips/fips.c 2009-01-13 22:35:49.000000000 +0100 +@@ -47,6 +47,7 @@ + * + */ + ++#define _GNU_SOURCE + + #include + #include +@@ -56,6 +57,9 @@ + #include + #include + #include ++#include ++#include ++#include + #include "fips_locl.h" + + #ifdef OPENSSL_FIPS +@@ -165,6 +169,7 @@ int FIPS_selftest() + && FIPS_selftest_dsa(); + } + ++#if 0 + extern const void *FIPS_text_start(), *FIPS_text_end(); + extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[]; + unsigned char FIPS_signature [20] = { 0 }; +@@ -243,6 +248,206 @@ int FIPS_check_incore_fingerprint(void) + + return 1; + } ++#else ++/* we implement what libfipscheck does ourselves */ ++ ++static int ++get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen) ++{ ++ Dl_info info; ++ void *dl, *sym; ++ int rv = -1; ++ ++ dl = dlopen(libname, RTLD_NODELETE|RTLD_NOLOAD|RTLD_LAZY); ++ if (dl == NULL) { ++ return -1; ++ } ++ ++ sym = dlsym(dl, symbolname); ++ ++ if (sym != NULL && dladdr(sym, &info)) { ++ strncpy(path, info.dli_fname, pathlen-1); ++ path[pathlen-1] = '\0'; ++ rv = 0; ++ } ++ ++ dlclose(dl); ++ ++ return rv; ++} ++ ++static const char conv[] = "0123456789abcdef"; ++ ++static char * ++bin2hex(void *buf, size_t len) ++{ ++ char *hex, *p; ++ unsigned char *src = buf; ++ ++ hex = malloc(len * 2 + 1); ++ if (hex == NULL) ++ return NULL; ++ ++ p = hex; ++ ++ while (len > 0) { ++ unsigned c; ++ ++ c = *src; ++ src++; ++ ++ *p = conv[c >> 4]; ++ ++p; ++ *p = conv[c & 0x0f]; ++ ++p; ++ --len; ++ } ++ *p = '\0'; ++ return hex; ++} ++ ++#define HMAC_PREFIX "." ++#define HMAC_SUFFIX ".hmac" ++#define READ_BUFFER_LENGTH 16384 ++ ++static char * ++make_hmac_path(const char *origpath) ++{ ++ char *path, *p; ++ const char *fn; ++ ++ path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath)); ++ if(path == NULL) { ++ return NULL; ++ } ++ ++ fn = strrchr(origpath, '/'); ++ if (fn == NULL) { ++ fn = origpath; ++ } else { ++ ++fn; ++ } ++ ++ strncpy(path, origpath, fn-origpath); ++ p = path + (fn - origpath); ++ p = stpcpy(p, HMAC_PREFIX); ++ p = stpcpy(p, fn); ++ p = stpcpy(p, HMAC_SUFFIX); ++ ++ return path; ++} ++ ++static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP"; ++ ++static int ++compute_file_hmac(const char *path, void **buf, size_t *hmaclen) ++{ ++ FILE *f = NULL; ++ int rv = -1; ++ unsigned char rbuf[READ_BUFFER_LENGTH]; ++ size_t len; ++ unsigned int hlen; ++ HMAC_CTX c; ++ ++ HMAC_CTX_init(&c); ++ ++ f = fopen(path, "r"); ++ ++ if (f == NULL) { ++ goto end; ++ } ++ ++ HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256()); ++ ++ while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) { ++ HMAC_Update(&c, rbuf, len); ++ } ++ ++ len = sizeof(rbuf); ++ /* reuse rbuf for hmac */ ++ HMAC_Final(&c, rbuf, &hlen); ++ ++ *buf = malloc(hlen); ++ if (*buf == NULL) { ++ goto end; ++ } ++ ++ *hmaclen = hlen; ++ ++ memcpy(*buf, rbuf, hlen); ++ ++ rv = 0; ++end: ++ HMAC_CTX_cleanup(&c); ++ ++ if (f) ++ fclose(f); ++ ++ return rv; ++} ++ ++static int ++FIPSCHECK_verify(const char *libname, const char *symbolname) ++{ ++ char path[PATH_MAX+1]; ++ int rv; ++ FILE *hf; ++ char *hmacpath, *p; ++ char *hmac = NULL; ++ size_t n; ++ ++ rv = get_library_path(libname, symbolname, path, sizeof(path)); ++ ++ if (rv < 0) ++ return 0; ++ ++ hmacpath = make_hmac_path(path); ++ ++ hf = fopen(hmacpath, "r"); ++ if (hf == NULL) { ++ free(hmacpath); ++ return 0; ++ } ++ ++ if (getline(&hmac, &n, hf) > 0) { ++ void *buf; ++ size_t hmaclen; ++ char *hex; ++ ++ if ((p=strchr(hmac, '\n')) != NULL) ++ *p = '\0'; ++ ++ if (compute_file_hmac(path, &buf, &hmaclen) < 0) { ++ rv = -4; ++ goto end; ++ } ++ ++ if ((hex=bin2hex(buf, hmaclen)) == NULL) { ++ free(buf); ++ rv = -5; ++ goto end; ++ } ++ ++ if (strcmp(hex, hmac) != 0) { ++ rv = -1; ++ } ++ free(buf); ++ free(hex); ++ } ++ ++end: ++ free(hmac); ++ free(hmacpath); ++ fclose(hf); ++ ++ if (rv < 0) ++ return 0; ++ ++ /* check successful */ ++ return 1; ++} ++ ++#endif + + int FIPS_mode_set(int onoff) + { +@@ -280,16 +485,9 @@ int FIPS_mode_set(int onoff) + } + #endif + +- if(fips_signature_witness() != FIPS_signature) +- { +- FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_CONTRADICTING_EVIDENCE); +- fips_selftest_fail = 1; +- ret = 0; +- goto end; +- } +- +- if(!FIPS_check_incore_fingerprint()) ++ if(!FIPSCHECK_verify("libcrypto.so.0.9.8e","FIPS_mode_set")) + { ++ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH); + fips_selftest_fail = 1; + ret = 0; + goto end; +@@ -405,11 +603,13 @@ int fips_clear_owning_thread(void) + return ret; + } + ++#if 0 + unsigned char *fips_signature_witness(void) + { + extern unsigned char FIPS_signature[]; + return FIPS_signature; + } ++#endif + + /* Generalized public key test routine. Signs and verifies the data + * supplied in tbs using mesage digest md and setting option digest +diff -up openssl-0.9.8j/fips/Makefile.use-fipscheck openssl-0.9.8j/fips/Makefile +--- openssl-0.9.8j/fips/Makefile.use-fipscheck 2009-01-13 22:35:49.000000000 +0100 ++++ openssl-0.9.8j/fips/Makefile 2009-01-13 22:36:15.000000000 +0100 +@@ -62,9 +62,9 @@ testapps: + + all: + @if [ -z "$(FIPSLIBDIR)" ]; then \ +- $(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \ ++ $(MAKE) -e subdirs lib; \ + else \ +- $(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \ ++ $(MAKE) -e lib; \ + fi + + # Idea behind fipscanister.o is to "seize" the sequestered code between +@@ -109,7 +109,6 @@ fipscanister.o: fips_start.o $(LIBOBJ) $ + HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \ + *) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \ + esac fi +- ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1 + + # If another exception is immediately required, assign approprite + # site-specific ld command to FIPS_SITE_LD environment variable. +@@ -171,7 +170,7 @@ $(FIPSCANLIB): $(FIPSCANLOC) + $(RANLIB) ../$(FIPSCANLIB).a || echo Never mind. + @touch lib + +-shared: lib subdirs fips_premain_dso$(EXE_EXT) ++shared: lib subdirs + + libs: + @target=lib; $(RECURSIVE_MAKE) +@@ -195,10 +194,6 @@ install: + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ + done; + @target=install; $(RECURSIVE_MAKE) +- @cp -p -f fipscanister.o fipscanister.o.sha1 fips_premain.c \ +- fips_premain.c.sha1 \ +- $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \ +- chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips* + + lint: + @target=lint; $(RECURSIVE_MAKE) +diff -up openssl-0.9.8j/fips/fips_locl.h.use-fipscheck openssl-0.9.8j/fips/fips_locl.h +--- openssl-0.9.8j/fips/fips_locl.h.use-fipscheck 2008-09-16 12:12:10.000000000 +0200 ++++ openssl-0.9.8j/fips/fips_locl.h 2009-01-13 22:35:49.000000000 +0100 +@@ -63,7 +63,9 @@ int fips_is_owning_thread(void); + int fips_set_owning_thread(void); + void fips_set_selftest_fail(void); + int fips_clear_owning_thread(void); ++#if 0 + unsigned char *fips_signature_witness(void); ++#endif + + #define FIPS_MAX_CIPHER_TEST_SIZE 16 + diff --git a/openssl-0.9.8j-version-add-engines.patch b/openssl-0.9.8j-version-add-engines.patch new file mode 100644 index 0000000..f54326c --- /dev/null +++ b/openssl-0.9.8j-version-add-engines.patch @@ -0,0 +1,48 @@ +diff -up openssl-0.9.8j/apps/version.c.version-add-engines openssl-0.9.8j/apps/version.c +--- openssl-0.9.8j/apps/version.c.version-add-engines 2008-10-20 14:53:33.000000000 +0200 ++++ openssl-0.9.8j/apps/version.c 2009-01-13 23:22:03.000000000 +0100 +@@ -131,6 +131,7 @@ + #ifndef OPENSSL_NO_BF + # include + #endif ++#include + + #undef PROG + #define PROG version_main +@@ -140,7 +141,7 @@ int MAIN(int, char **); + int MAIN(int argc, char **argv) + { + int i,ret=0; +- int cflags=0,version=0,date=0,options=0,platform=0,dir=0; ++ int cflags=0,version=0,date=0,options=0,platform=0,dir=0,engines=0; + + apps_startup(); + +@@ -164,7 +165,7 @@ int MAIN(int argc, char **argv) + else if (strcmp(argv[i],"-d") == 0) + dir=1; + else if (strcmp(argv[i],"-a") == 0) +- date=version=cflags=options=platform=dir=1; ++ date=version=cflags=options=platform=dir=engines=1; + else + { + BIO_printf(bio_err,"usage:version -[avbofpd]\n"); +@@ -211,6 +212,18 @@ int MAIN(int argc, char **argv) + } + if (cflags) printf("%s\n",SSLeay_version(SSLEAY_CFLAGS)); + if (dir) printf("%s\n",SSLeay_version(SSLEAY_DIR)); ++ if (engines) ++ { ++ ENGINE *e; ++ printf("engines: "); ++ e = ENGINE_get_first(); ++ while (e) ++ { ++ printf("%s ", ENGINE_get_id(e)); ++ e = ENGINE_get_next(e); ++ } ++ printf("\n"); ++ } + end: + apps_shutdown(); + OPENSSL_EXIT(ret); diff --git a/openssl-thread-test.c b/openssl-thread-test.c new file mode 100644 index 0000000..3b90285 --- /dev/null +++ b/openssl-thread-test.c @@ -0,0 +1,400 @@ +/* Test program to verify that RSA signing is thread-safe in OpenSSL. */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include + +/* Just assume we want to do engine stuff if we're using 0.9.6b or + * higher. This assumption is only valid for versions bundled with RHL. */ +#if OPENSSL_VERSION_NUMBER >= 0x0090602fL +#include +#define USE_ENGINE +#endif + +#define MAX_THREAD_COUNT 10000 +#define ITERATION_COUNT 10 +#define MAIN_COUNT 100 + +/* OpenSSL requires us to provide thread ID and locking primitives. */ +pthread_mutex_t *mutex_locks = NULL; +static unsigned long +thread_id_cb(void) +{ + return (unsigned long) pthread_self(); +} +static void +lock_cb(int mode, int n, const char *file, int line) +{ + if (mode & CRYPTO_LOCK) { + pthread_mutex_lock(&mutex_locks[n]); + } else { + pthread_mutex_unlock(&mutex_locks[n]); + } +} + +struct thread_args { + RSA *rsa; + int digest_type; + unsigned char *digest; + unsigned int digest_len; + unsigned char *signature; + unsigned int signature_len; + pthread_t main_thread; +}; + +static int print = 0; + +pthread_mutex_t sign_lock = PTHREAD_MUTEX_INITIALIZER; +static int locked_sign = 0; +static void SIGN_LOCK() {if (locked_sign) pthread_mutex_lock(&sign_lock);} +static void SIGN_UNLOCK() {if (locked_sign) pthread_mutex_unlock(&sign_lock);} + +pthread_mutex_t verify_lock = PTHREAD_MUTEX_INITIALIZER; +static int locked_verify = 0; +static void VERIFY_LOCK() {if (locked_verify) pthread_mutex_lock(&verify_lock);} +static void VERIFY_UNLOCK() {if (locked_verify) pthread_mutex_unlock(&verify_lock);} + +pthread_mutex_t failure_count_lock = PTHREAD_MUTEX_INITIALIZER; +long failure_count = 0; +static void +failure() +{ + pthread_mutex_lock(&failure_count_lock); + failure_count++; + pthread_mutex_unlock(&failure_count_lock); +} + +static void * +thread_main(void *argp) +{ + struct thread_args *args = argp; + unsigned char *signature; + unsigned int signature_len, signature_alloc_len; + int ret, i; + + signature_alloc_len = args->signature_len; + if (RSA_size(args->rsa) > signature_alloc_len) { + signature_alloc_len = RSA_size(args->rsa); + } + signature = malloc(signature_alloc_len); + if (signature == NULL) { + fprintf(stderr, "Skipping checks in thread %lu -- %s.\n", + (unsigned long) pthread_self(), strerror(errno)); + pthread_exit(0); + return NULL; + } + for (i = 0; i < ITERATION_COUNT; i++) { + signature_len = signature_alloc_len; + SIGN_LOCK(); + ret = RSA_check_key(args->rsa); + ERR_print_errors_fp(stdout); + if (ret != 1) { + failure(); + break; + } + ret = RSA_sign(args->digest_type, + args->digest, + args->digest_len, + signature, &signature_len, + args->rsa); + SIGN_UNLOCK(); + ERR_print_errors_fp(stdout); + if (ret != 1) { + failure(); + break; + } + + VERIFY_LOCK(); + ret = RSA_verify(args->digest_type, + args->digest, + args->digest_len, + signature, signature_len, + args->rsa); + VERIFY_UNLOCK(); + if (ret != 1) { + fprintf(stderr, + "Signature from thread %lu(%d) fails " + "verification (passed in thread #%lu)!\n", + (long) pthread_self(), i, + (long) args->main_thread); + ERR_print_errors_fp(stdout); + failure(); + continue; + } + if (print) { + fprintf(stderr, ">%d\n", i); + } + } + free(signature); + + pthread_exit(0); + + return NULL; +} + +unsigned char * +xmemdup(unsigned char *s, size_t len) +{ + unsigned char *r; + r = malloc(len); + if (r == NULL) { + fprintf(stderr, "Out of memory.\n"); + ERR_print_errors_fp(stdout); + assert(r != NULL); + } + memcpy(r, s, len); + return r; +} + +int +main(int argc, char **argv) +{ + RSA *rsa; + MD5_CTX md5; + int fd, i; + pthread_t threads[MAX_THREAD_COUNT]; + int thread_count = 1000; + unsigned char *message, *digest; + unsigned int message_len, digest_len; + unsigned char *correct_signature; + unsigned int correct_siglen, ret; + struct thread_args master_args, *args; + int sync = 0, seed = 0; + int again = 1; +#ifdef USE_ENGINE + char *engine = NULL; + ENGINE *e = NULL; +#endif + + pthread_mutex_init(&failure_count_lock, NULL); + + for (i = 1; i < argc; i++) { + if (strcmp(argv[i], "--seed") == 0) { + printf("Seeding PRNG.\n"); + seed++; + } else + if (strcmp(argv[i], "--sync") == 0) { + printf("Running synchronized.\n"); + sync++; + } else + if ((strcmp(argv[i], "--threads") == 0) && (i < argc - 1)) { + i++; + thread_count = atol(argv[i]); + if (thread_count > MAX_THREAD_COUNT) { + thread_count = MAX_THREAD_COUNT; + } + printf("Starting %d threads.\n", thread_count); + sync++; + } else + if (strcmp(argv[i], "--sign") == 0) { + printf("Locking signing.\n"); + locked_sign++; + } else + if (strcmp(argv[i], "--verify") == 0) { + printf("Locking verifies.\n"); + locked_verify++; + } else + if (strcmp(argv[i], "--print") == 0) { + printf("Tracing.\n"); + print++; +#ifdef USE_ENGINE + } else + if ((strcmp(argv[i], "--engine") == 0) && (i < argc - 1)) { + printf("Using engine \"%s\".\n", argv[i + 1]); + engine = argv[i + 1]; + i++; +#endif + } else { + printf("Bad argument: %s\n", argv[i]); + return 1; + } + } + + /* Get some random data to sign. */ + fd = open("/dev/urandom", O_RDONLY); + if (fd == -1) { + fprintf(stderr, "Error opening /dev/urandom: %s\n", + strerror(errno)); + } + + if (print) { + fprintf(stderr, "Reading random data.\n"); + } + message = malloc(message_len = 9371); + read(fd, message, message_len); + close(fd); + + /* Initialize the SSL library and set up thread-safe locking. */ + ERR_load_crypto_strings(); + SSL_library_init(); + mutex_locks = malloc(sizeof(pthread_mutex_t) * CRYPTO_num_locks()); + for (i = 0; i < CRYPTO_num_locks(); i++) { + pthread_mutex_init(&mutex_locks[i], NULL); + } + CRYPTO_set_id_callback(thread_id_cb); + CRYPTO_set_locking_callback(lock_cb); + ERR_print_errors_fp(stdout); + + /* Seed the PRNG if we were asked to do so. */ + if (seed) { + if (print) { + fprintf(stderr, "Seeding PRNG.\n"); + } + RAND_add(message, message_len, message_len); + ERR_print_errors_fp(stdout); + } + + /* Turn on a hardware crypto device if asked to do so. */ +#ifdef USE_ENGINE + if (engine) { +#if OPENSSL_VERSION_NUMBER >= 0x0090700fL + ENGINE_load_builtin_engines(); +#endif + if (print) { + fprintf(stderr, "Initializing \"%s\" engine.\n", + engine); + } + e = ENGINE_by_id(engine); + ERR_print_errors_fp(stdout); + if (e) { + i = ENGINE_init(e); + ERR_print_errors_fp(stdout); + i = ENGINE_set_default_RSA(e); + ERR_print_errors_fp(stdout); + } + } +#endif + + /* Compute the digest for the signature. */ + if (print) { + fprintf(stderr, "Computing digest.\n"); + } + digest = malloc(digest_len = MD5_DIGEST_LENGTH); + MD5_Init(&md5); + MD5_Update(&md5, message, message_len); + MD5_Final(digest, &md5); + + /* Generate a signing key. */ + if (print) { + fprintf(stderr, "Generating key.\n"); + } + rsa = RSA_generate_key(4096, 3, NULL, NULL); + ERR_print_errors_fp(stdout); + if (rsa == NULL) { + _exit(1); + } + + /* Sign the data. */ + correct_siglen = RSA_size(rsa); + correct_signature = malloc(correct_siglen); + for (i = 0; i < MAIN_COUNT; i++) { + if (print) { + fprintf(stderr, "Signing data (%d).\n", i); + } + ret = RSA_check_key(rsa); + ERR_print_errors_fp(stdout); + if (ret != 1) { + failure(); + } + correct_siglen = RSA_size(rsa); + ret = RSA_sign(NID_md5, digest, digest_len, + correct_signature, &correct_siglen, + rsa); + ERR_print_errors_fp(stdout); + if (ret != 1) { + _exit(2); + } + if (print) { + fprintf(stderr, "Verifying data (%d).\n", i); + } + ret = RSA_verify(NID_md5, digest, digest_len, + correct_signature, correct_siglen, + rsa); + if (ret != 1) { + _exit(2); + } + } + + /* Collect up the inforamtion which other threads will need for + * comparing their signature results with ours. */ + master_args.rsa = rsa; + master_args.digest_type = NID_md5; + master_args.digest = digest; + master_args.digest_len = digest_len; + master_args.signature = correct_signature; + master_args.signature_len = correct_siglen; + master_args.main_thread = pthread_self(); + + fprintf(stdout, "Performing %d signatures in each of %d threads " + "(%d, %d).\n", ITERATION_COUNT, thread_count, + digest_len, correct_siglen); + fflush(NULL); + + /* Start up all of the threads. */ + for (i = 0; i < thread_count; i++) { + args = malloc(sizeof(struct thread_args)); + args->rsa = RSAPrivateKey_dup(master_args.rsa); + args->digest_type = master_args.digest_type; + args->digest_len = master_args.digest_len; + args->digest = xmemdup(master_args.digest, args->digest_len); + args->signature_len = master_args.signature_len; + args->signature = xmemdup(master_args.signature, + args->signature_len); + args->main_thread = pthread_self(); + ret = pthread_create(&threads[i], NULL, thread_main, args); + while ((ret != 0) && (errno == EAGAIN)) { + ret = pthread_create(&threads[i], NULL, + thread_main, &args); + fprintf(stderr, "Thread limit hit at %d.\n", i); + } + if (ret != 0) { + fprintf(stderr, "Unable to create thread %d: %s.\n", + i, strerror(errno)); + threads[i] = -1; + } else { + if (sync) { + ret = pthread_join(threads[i], NULL); + assert(ret == 0); + } + if (print) { + fprintf(stderr, "%d\n", i); + } + } + } + + /* Wait for all threads to complete. So long as we can find an + * unjoined thread, keep joining threads. */ + do { + again = 0; + for (i = 0; i < thread_count; i++) { + /* If we have an unterminated thread, join it. */ + if (threads[i] != -1) { + again = 1; + if (print) { + fprintf(stderr, "Joining thread %d.\n", + i); + } + pthread_join(threads[i], NULL); + threads[i] = -1; + break; + } + } + } while (again == 1); + + fprintf(stderr, "%ld failures\n", failure_count); + + return (failure_count != 0); +} diff --git a/opensslconf-new-warning.h b/opensslconf-new-warning.h new file mode 100644 index 0000000..de091c8 --- /dev/null +++ b/opensslconf-new-warning.h @@ -0,0 +1,7 @@ +/* Prepended at openssl package build-time. Don't include this file directly, + * use instead. */ + +#ifndef openssl_opensslconf_multilib_redirection_h +#error "Don't include this file directly, use instead!" +#endif + diff --git a/opensslconf-new.h b/opensslconf-new.h new file mode 100644 index 0000000..cf22738 --- /dev/null +++ b/opensslconf-new.h @@ -0,0 +1,34 @@ +/* This file is here to prevent a file conflict on multiarch systems. A + * conflict will frequently occur because arch-specific build-time + * configuration options are stored (and used, so they can't just be stripped + * out) in opensslconf.h. The original opensslconf.h has been renamed. + * DO NOT INCLUDE THE NEW FILE DIRECTLY -- ALWAYS INCLUDE THIS ONE INSTEAD. */ + +#ifdef openssl_opensslconf_multilib_redirection_h +#error "Do not define openssl_opensslconf_multilib_redirection_h!" +#endif +#define openssl_opensslconf_multilib_redirection_h + +#if defined(__i386__) +#include "opensslconf-i386.h" +#elif defined(__ia64__) +#include "opensslconf-ia64.h" +#elif defined(__powerpc64__) +#include "opensslconf-ppc64.h" +#elif defined(__powerpc__) +#include "opensslconf-ppc.h" +#elif defined(__s390x__) +#include "opensslconf-s390x.h" +#elif defined(__s390__) +#include "opensslconf-s390.h" +#elif defined(__sparc__) && defined(__arch64__) +#include "opensslconf-sparc64.h" +#elif defined(__sparc__) +#include "opensslconf-sparc.h" +#elif defined(__x86_64__) +#include "opensslconf-x86_64.h" +#else +#error "This openssl-devel package does not work your architecture?" +#endif + +#undef openssl_opensslconf_multilib_redirection_h diff --git a/sources b/sources index e69de29..f0e2eb7 100644 --- a/sources +++ b/sources @@ -0,0 +1 @@ +573353d8cb4330b71e9985cea4785d61 openssl-0.9.8j-usa.tar.bz2