rpms/mingw-openssl
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Added missing patches and removed unused ones

Browse Source
This commit is contained in:
Erik van Pienbroek 2012-11-09 16:29:44 +01:00
parent 7ab115bd4d
commit 942a99b725
40 changed files with 21706 additions and 16153 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
README.FIPS Normal file
View File

@ -0,0 +1,75 @@
User guide for the FIPS Red Hat Enterprise Linux - OpenSSL Module
=================================================================
This package contains libraries which comprise the FIPS 140-2
Red Hat Enterprise Linux - OPENSSL Module.
The module files
================
/usr/lib[64]/libcrypto.so.1.0.0d
/usr/lib[64]/libssl.so.1.0.0d
/usr/lib[64]/.libcrypto.so.1.0.0d.hmac
/usr/lib[64]/.libssl.so.1.0.0d.hmac
Dependencies
============
The approved mode of operation requires kernel with /dev/urandom RNG running
with properties as defined in the security policy of the module. This is
provided by kernel packages with validated Red Hat Enterprise Linux - IPSec
Crytographic Module.
Installation
============
The RPM package of the module can be installed by standard tools recommended
for installation of RPM packages on the Red Hat Enterprise Linux system (yum,
rpm, RHN remote management tool).
For proper operation of the in-module integrity verification the prelink has to
be disabled. This can be done with setting PRELINKING=no in the
/etc/sysconfig/prelink configuration file. If the libraries were already
prelinked the prelink should be undone on all the system files with the
'prelink -u -a' command.
Usage and API
=============
The module respects kernel command line FIPS setting. If the kernel command
line contains option fips=1 the module will initialize in the FIPS approved
mode of operation automatically. To allow for the automatic initialization the
application using the module has to call one of the following API calls:
- void OPENSSL_init_library(void) - this will do only a basic initialization
of the library and does initialization of the FIPS approved mode without setting
up EVP API with supported algorithms.
- void OPENSSL_add_all_algorithms(void) - this API function calls
OPENSSL_init() implicitly and also adds all approved algorithms to the EVP API
in the approved mode
- void SSL_library_init(void) - it calls OPENSSL_init() implicitly and also
adds algorithms which are necessary for TLS protocol support and initializes
the SSL library.
To explicitely put the library to the approved mode the application can call
the following function:
- int FIPS_mode_set(int on) - if called with 1 as a parameter it will switch
the library from the non-approved to the approved mode. If any of the selftests
and integrity verification tests fail, the library is put into the error state
and 0 is returned. If they succeed the return value is 1.
To query the module whether it is in the approved mode or not:
- int FIPS_mode(void) - returns 1 if the module is in the approved mode,
0 otherwise.
To query whether the module is in the error state:
- int FIPS_selftest_failed(void) - returns 1 if the module is in the error
state, 0 otherwise.
To zeroize the FIPS RNG key and internal state the application calls:
- void RAND_cleanup(void)

75
mingw-openssl-fix-fips-build-failure.patch Normal file
View File

@ -0,0 +1,75 @@
--- openssl-1.0.1c/crypto/fips/fips_rand_selftest.c.orig 2012-11-03 18:59:03.620066556 +0100
+++ openssl-1.0.1c/crypto/fips/fips_rand_selftest.c 2012-11-03 19:57:33.156686682 +0100
@@ -47,6 +47,8 @@
*
*/
+#ifdef OPENSSL_FIPS
+
#include <string.h>
#include <openssl/err.h>
#include <openssl/fips.h>
@@ -54,9 +56,6 @@
#include <openssl/fips_rand.h>
#include "fips_locl.h"
-#ifdef OPENSSL_FIPS
-
-
typedef struct
{
--- openssl-1.0.1c/crypto/fips/fips_dsa_selftest.c.orig 2012-11-03 20:03:20.546180631 +0100
+++ openssl-1.0.1c/crypto/fips/fips_dsa_selftest.c 2012-11-03 20:03:46.069328396 +0100
@@ -47,6 +47,8 @@
*
*/
+#ifdef OPENSSL_FIPS
+
#include <string.h>
#include <openssl/crypto.h>
#include <openssl/dsa.h>
@@ -56,8 +58,6 @@
#include <openssl/bn.h>
#include "fips_locl.h"
-#ifdef OPENSSL_FIPS
-
static const unsigned char dsa_test_2048_p[] = {
0xa8,0x53,0x78,0xd8,0xfd,0x3f,0x8d,0x72,0xec,0x74,0x18,0x08,
0x0d,0xa2,0x13,0x17,0xe4,0x3e,0xc4,0xb6,0x2b,0xa8,0xc8,0x62,
--- openssl-1.0.1c/crypto/fips/fips_rand.c.orig 2012-11-03 20:07:49.956891942 +0100
+++ openssl-1.0.1c/crypto/fips/fips_rand.c 2012-11-03 20:08:14.260048118 +0100
@@ -47,6 +47,8 @@
*
*/
+#ifdef OPENSSL_FIPS
+
/*
* This is a FIPS approved AES PRNG based on ANSI X9.31 A.2.4.
*/
@@ -82,8 +84,6 @@
#include <openssl/fips.h>
#include "fips_locl.h"
-#ifdef OPENSSL_FIPS
-
void *OPENSSL_stderr(void);
#define AES_BLOCK_LENGTH 16
--- openssl-1.0.1c/crypto/rand/md_rand.c.orig 2012-11-03 20:19:31.461754618 +0100
+++ openssl-1.0.1c/crypto/rand/md_rand.c 2012-11-03 20:20:58.294282662 +0100
@@ -392,7 +392,11 @@
/* always poll for external entropy in FIPS mode, drbg provides the
* expansion
*/
+#ifdef OPENSSL_FIPS
if (!initialized || FIPS_module_mode())
+#else
+ if (!initialized)
+#endif
{
RAND_poll();
initialized = 1;

19
openssl-0.9.8g-ia64.patch
View File

@ -1,19 +0,0 @@
diff -up openssl-0.9.8g/crypto/bn/bn_lcl.h.ia64 openssl-0.9.8g/crypto/bn/bn_lcl.h
--- openssl-0.9.8g/crypto/bn/bn_lcl.h.ia64 2008-08-10 22:23:55.000000000 +0200
+++ openssl-0.9.8g/crypto/bn/bn_lcl.h 2008-08-10 22:23:55.000000000 +0200
@@ -279,6 +279,15 @@ extern "C" {
# define BN_UMULT_HIGH(a,b) __umulh((a),(b))
# define BN_UMULT_LOHI(low,high,a,b) ((low)=_umul128((a),(b),&(high)))
# endif
+# elif defined(__ia64) && defined(SIXTY_FOUR_BIT_LONG)
+# if defined(__GNUC__)
+# define BN_UMULT_HIGH(a,b) ({ \
+ register BN_ULONG ret; \
+ asm ("xmpy.hu %0 = %1, %2" \
+ : "=f"(ret) \
+ : "f"(a), "f"(b)); \
+ ret; })
+# endif /* compiler */
# endif /* cpu */
#endif /* OPENSSL_NO_ASM */

14
openssl-0.9.8j-bad-mime.patch
View File

@ -1,14 +0,0 @@
diff -up openssl-0.9.8j/crypto/asn1/asn_mime.c.bad-mime openssl-0.9.8j/crypto/asn1/asn_mime.c
--- openssl-0.9.8j/crypto/asn1/asn_mime.c.bad-mime 2008-08-05 17:56:11.000000000 +0200
+++ openssl-0.9.8j/crypto/asn1/asn_mime.c 2009-01-14 22:08:34.000000000 +0100
@@ -792,6 +792,10 @@ static int mime_hdr_addparam(MIME_HEADER
static int mime_hdr_cmp(const MIME_HEADER * const *a,
const MIME_HEADER * const *b)
{
+ if ((*a)->name == NULL || (*b)->name == NULL)
+ return (*a)->name - (*b)->name < 0 ? -1 :
+ (*a)->name - (*b)->name > 0 ? 1 : 0;
+
return(strcmp((*a)->name, (*b)->name));
}

400
openssl-1.0.0-beta3-fipscheck.patch
View File

@ -1,400 +0,0 @@
diff -up openssl-1.0.0-beta3/crypto/fips/fips.c.fipscheck openssl-1.0.0-beta3/crypto/fips/fips.c
--- openssl-1.0.0-beta3/crypto/fips/fips.c.fipscheck 2009-08-10 20:11:59.000000000 +0200
+++ openssl-1.0.0-beta3/crypto/fips/fips.c 2009-08-10 20:11:59.000000000 +0200
@@ -47,6 +47,7 @@
*
*/
+#define _GNU_SOURCE
#include <openssl/rand.h>
#include <openssl/fips_rand.h>
@@ -56,6 +57,9 @@
#include <openssl/rsa.h>
#include <string.h>
#include <limits.h>
+#include <dlfcn.h>
+#include <stdio.h>
+#include <stdlib.h>
#include "fips_locl.h"
#ifdef OPENSSL_FIPS
@@ -165,6 +169,204 @@ int FIPS_selftest()
&& FIPS_selftest_dsa();
}
+/* we implement what libfipscheck does ourselves */
+
+static int
+get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
+{
+ Dl_info info;
+ void *dl, *sym;
+ int rv = -1;
+
+ dl = dlopen(libname, RTLD_LAZY);
+ if (dl == NULL) {
+ return -1;
+ }
+
+ sym = dlsym(dl, symbolname);
+
+ if (sym != NULL && dladdr(sym, &info)) {
+ strncpy(path, info.dli_fname, pathlen-1);
+ path[pathlen-1] = '\0';
+ rv = 0;
+ }
+
+ dlclose(dl);
+
+ return rv;
+}
+
+static const char conv[] = "0123456789abcdef";
+
+static char *
+bin2hex(void *buf, size_t len)
+{
+ char *hex, *p;
+ unsigned char *src = buf;
+
+ hex = malloc(len * 2 + 1);
+ if (hex == NULL)
+ return NULL;
+
+ p = hex;
+
+ while (len > 0) {
+ unsigned c;
+
+ c = *src;
+ src++;
+
+ *p = conv[c >> 4];
+ ++p;
+ *p = conv[c & 0x0f];
+ ++p;
+ --len;
+ }
+ *p = '\0';
+ return hex;
+}
+
+#define HMAC_PREFIX "."
+#define HMAC_SUFFIX ".hmac"
+#define READ_BUFFER_LENGTH 16384
+
+static char *
+make_hmac_path(const char *origpath)
+{
+ char *path, *p;
+ const char *fn;
+
+ path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
+ if(path == NULL) {
+ return NULL;
+ }
+
+ fn = strrchr(origpath, '/');
+ if (fn == NULL) {
+ fn = origpath;
+ } else {
+ ++fn;
+ }
+
+ strncpy(path, origpath, fn-origpath);
+ p = path + (fn - origpath);
+ p = stpcpy(p, HMAC_PREFIX);
+ p = stpcpy(p, fn);
+ p = stpcpy(p, HMAC_SUFFIX);
+
+ return path;
+}
+
+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
+
+static int
+compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
+{
+ FILE *f = NULL;
+ int rv = -1;
+ unsigned char rbuf[READ_BUFFER_LENGTH];
+ size_t len;
+ unsigned int hlen;
+ HMAC_CTX c;
+
+ HMAC_CTX_init(&c);
+
+ f = fopen(path, "r");
+
+ if (f == NULL) {
+ goto end;
+ }
+
+ HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256());
+
+ while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
+ HMAC_Update(&c, rbuf, len);
+ }
+
+ len = sizeof(rbuf);
+ /* reuse rbuf for hmac */
+ HMAC_Final(&c, rbuf, &hlen);
+
+ *buf = malloc(hlen);
+ if (*buf == NULL) {
+ goto end;
+ }
+
+ *hmaclen = hlen;
+
+ memcpy(*buf, rbuf, hlen);
+
+ rv = 0;
+end:
+ HMAC_CTX_cleanup(&c);
+
+ if (f)
+ fclose(f);
+
+ return rv;
+}
+
+static int
+FIPSCHECK_verify(const char *libname, const char *symbolname)
+{
+ char path[PATH_MAX+1];
+ int rv;
+ FILE *hf;
+ char *hmacpath, *p;
+ char *hmac = NULL;
+ size_t n;
+
+ rv = get_library_path(libname, symbolname, path, sizeof(path));
+
+ if (rv < 0)
+ return 0;
+
+ hmacpath = make_hmac_path(path);
+
+ hf = fopen(hmacpath, "r");
+ if (hf == NULL) {
+ free(hmacpath);
+ return 0;
+ }
+
+ if (getline(&hmac, &n, hf) > 0) {
+ void *buf;
+ size_t hmaclen;
+ char *hex;
+
+ if ((p=strchr(hmac, '\n')) != NULL)
+ *p = '\0';
+
+ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
+ rv = -4;
+ goto end;
+ }
+
+ if ((hex=bin2hex(buf, hmaclen)) == NULL) {
+ free(buf);
+ rv = -5;
+ goto end;
+ }
+
+ if (strcmp(hex, hmac) != 0) {
+ rv = -1;
+ }
+ free(buf);
+ free(hex);
+ }
+
+end:
+ free(hmac);
+ free(hmacpath);
+ fclose(hf);
+
+ if (rv < 0)
+ return 0;
+
+ /* check successful */
+ return 1;
+}
+
int FIPS_mode_set(int onoff)
{
int fips_set_owning_thread();
@@ -201,6 +403,22 @@ int FIPS_mode_set(int onoff)
}
#endif
+ if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
+ {
+ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+ fips_selftest_fail = 1;
+ ret = 0;
+ goto end;
+ }
+
+ if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
+ {
+ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+ fips_selftest_fail = 1;
+ ret = 0;
+ goto end;
+ }
+
/* Perform RNG KAT before seeding */
if (!FIPS_selftest_rng())
{
diff -up openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c.fipscheck openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c
--- openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c.fipscheck 2009-08-10 20:11:59.000000000 +0200
+++ openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c 2009-08-10 20:11:59.000000000 +0200
@@ -62,7 +62,7 @@ void OPENSSL_cleanse(void *p,size_t len)
#ifdef OPENSSL_FIPS
-static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx,
+static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx,
const char *key)
{
size_t len=strlen(key);
@@ -72,10 +72,10 @@ static void hmac_init(SHA_CTX *md_ctx,SH
if (len > SHA_CBLOCK)
{
- SHA1_Init(md_ctx);
- SHA1_Update(md_ctx,key,len);
- SHA1_Final(keymd,md_ctx);
- len=20;
+ SHA256_Init(md_ctx);
+ SHA256_Update(md_ctx,key,len);
+ SHA256_Final(keymd,md_ctx);
+ len=SHA256_DIGEST_LENGTH;
}
else
memcpy(keymd,key,len);
@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH
for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
pad[i]=0x36^keymd[i];
- SHA1_Init(md_ctx);
- SHA1_Update(md_ctx,pad,SHA_CBLOCK);
+ SHA256_Init(md_ctx);
+ SHA256_Update(md_ctx,pad,SHA256_CBLOCK);
for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
pad[i]=0x5c^keymd[i];
- SHA1_Init(o_ctx);
- SHA1_Update(o_ctx,pad,SHA_CBLOCK);
+ SHA256_Init(o_ctx);
+ SHA256_Update(o_ctx,pad,SHA256_CBLOCK);
}
-static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx)
+static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx)
{
- unsigned char buf[20];
+ unsigned char buf[SHA256_DIGEST_LENGTH];
- SHA1_Final(buf,md_ctx);
- SHA1_Update(o_ctx,buf,sizeof buf);
- SHA1_Final(md,o_ctx);
+ SHA256_Final(buf,md_ctx);
+ SHA256_Update(o_ctx,buf,sizeof buf);
+ SHA256_Final(md,o_ctx);
}
#endif
@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md
int main(int argc,char **argv)
{
#ifdef OPENSSL_FIPS
- static char key[]="etaonrishdlcupfm";
+ static char key[]="orboDeJITITejsirpADONivirpUkvarP";
int n,binary=0;
if(argc < 2)
@@ -125,8 +125,8 @@ int main(int argc,char **argv)
for(; n < argc ; ++n)
{
FILE *f=fopen(argv[n],"rb");
- SHA_CTX md_ctx,o_ctx;
- unsigned char md[20];
+ SHA256_CTX md_ctx,o_ctx;
+ unsigned char md[SHA256_DIGEST_LENGTH];
int i;
if(!f)
@@ -151,18 +151,18 @@ int main(int argc,char **argv)
else
break;
}
- SHA1_Update(&md_ctx,buf,l);
+ SHA256_Update(&md_ctx,buf,l);
}
hmac_final(md,&md_ctx,&o_ctx);
if (binary)
{
- fwrite(md,20,1,stdout);
+ fwrite(md,SHA256_DIGEST_LENGTH,1,stdout);
break; /* ... for single(!) file */
}
- printf("HMAC-SHA1(%s)= ",argv[n]);
- for(i=0 ; i < 20 ; ++i)
+/* printf("HMAC-SHA1(%s)= ",argv[n]); */
+ for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i)
printf("%02x",md[i]);
printf("\n");
}
diff -up openssl-1.0.0-beta3/crypto/fips/Makefile.fipscheck openssl-1.0.0-beta3/crypto/fips/Makefile
--- openssl-1.0.0-beta3/crypto/fips/Makefile.fipscheck 2009-08-10 20:11:59.000000000 +0200
+++ openssl-1.0.0-beta3/crypto/fips/Makefile 2009-08-10 20:27:45.000000000 +0200
@@ -16,6 +16,9 @@ GENERAL=Makefile
TEST=fips_test_suite.c fips_randtest.c
APPS=
+PROGRAM= fips_standalone_sha1
+EXE= $(PROGRAM)$(EXE_EXT)
+
LIB=$(TOP)/libcrypto.a
LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_selftest.c \
fips_rsa_selftest.c fips_sha1_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
@@ -25,6 +28,8 @@ LIBOBJ=fips_aes_selftest.o fips_des_self
fips_rsa_selftest.o fips_sha1_selftest.o fips.o fips_dsa_selftest.o fips_rand.o \
fips_rsa_x931g.o
+LIBCRYPTO=-L.. -lcrypto
+
SRC= $(LIBSRC) fips_standalone_sha1.c
EXHEADER= fips.h fips_rand.h
@@ -35,13 +40,15 @@ ALL= $(GENERAL) $(SRC) $(HEADER)
top:
(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
-all: lib
+all: lib exe
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB) || echo Never mind.
@touch lib
+exe: $(EXE)
+
files:
$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
@@ -77,5 +84,9 @@ dclean:
clean:
rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+$(EXE): $(PROGRAM).o
+ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../sha/$$i" ; done; \
+ $(CC) -o $@ $(CFLAGS) $(PROGRAM).o $$FIPS_SHA_ASM
+
# DO NOT DELETE THIS LINE -- make depend depends on it.

79
openssl-1.0.0-beta3-fipsrng.patch
View File

@ -1,79 +0,0 @@
diff -up openssl-1.0.0-beta3/crypto/fips/fips.c.fipsrng openssl-1.0.0-beta3/crypto/fips/fips.c
--- openssl-1.0.0-beta3/crypto/fips/fips.c.fipsrng 2009-08-11 18:12:14.000000000 +0200
+++ openssl-1.0.0-beta3/crypto/fips/fips.c 2009-08-11 18:14:36.000000000 +0200
@@ -427,22 +427,22 @@ int FIPS_mode_set(int onoff)
goto end;
}
+ /* now switch the RNG into FIPS mode */
+ fips_set_rand_check(FIPS_rand_method());
+ RAND_set_rand_method(FIPS_rand_method());
+
/* automagically seed PRNG if not already seeded */
if(!FIPS_rand_status())
{
- if(RAND_bytes(buf,sizeof buf) <= 0)
+ RAND_poll();
+ if (!FIPS_rand_status())
{
fips_selftest_fail = 1;
ret = 0;
goto end;
}
- FIPS_rand_set_key(buf,32);
- FIPS_rand_seed(buf+32,16);
}
- /* now switch into FIPS mode */
- fips_set_rand_check(FIPS_rand_method());
- RAND_set_rand_method(FIPS_rand_method());
if(FIPS_selftest())
fips_set_mode(1);
else
diff -up openssl-1.0.0-beta3/crypto/fips/fips_rand.c.fipsrng openssl-1.0.0-beta3/crypto/fips/fips_rand.c
--- openssl-1.0.0-beta3/crypto/fips/fips_rand.c.fipsrng 2009-08-11 18:12:14.000000000 +0200
+++ openssl-1.0.0-beta3/crypto/fips/fips_rand.c 2009-08-11 18:16:48.000000000 +0200
@@ -155,7 +155,18 @@ static int fips_set_prng_seed(FIPS_PRNG_
{
int i;
if (!ctx->keyed)
- return 0;
+ {
+ FIPS_RAND_SIZE_T keylen = 16;
+
+ if (seedlen - keylen < AES_BLOCK_LENGTH)
+ return 0;
+ if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
+ keylen += 8;
+ if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
+ keylen += 8;
+ seedlen -= keylen;
+ fips_set_prng_key(ctx, seed+seedlen, keylen);
+ }
/* In test mode seed is just supplied data */
if (ctx->test_mode)
{
@@ -276,6 +287,7 @@ static int fips_rand(FIPS_PRNG_CTX *ctx,
unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH];
unsigned char tmp[AES_BLOCK_LENGTH];
int i;
+ FIPS_selftest_check();
if (ctx->error)
{
RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR);
diff -up openssl-1.0.0-beta3/crypto/rand/rand_lcl.h.fipsrng openssl-1.0.0-beta3/crypto/rand/rand_lcl.h
--- openssl-1.0.0-beta3/crypto/rand/rand_lcl.h.fipsrng 2009-08-11 18:12:13.000000000 +0200
+++ openssl-1.0.0-beta3/crypto/rand/rand_lcl.h 2009-08-11 18:18:13.000000000 +0200
@@ -112,8 +112,11 @@
#ifndef HEADER_RAND_LCL_H
#define HEADER_RAND_LCL_H
+#ifndef OPENSSL_FIPS
#define ENTROPY_NEEDED 32 /* require 256 bits = 32 bytes of randomness */
-
+#else
+#define ENTROPY_NEEDED 48 /* we need 48 bytes of randomness for FIPS rng */
+#endif
#if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)

44
openssl-1.0.0-beta3-soversion.patch
View File

@ -1,44 +0,0 @@
diff -up openssl-1.0.0-beta3/Configure.soversion openssl-1.0.0-beta3/Configure
--- openssl-1.0.0-beta3/Configure.soversion 2009-08-04 23:06:52.000000000 +0200
+++ openssl-1.0.0-beta3/Configure 2009-08-04 23:06:52.000000000 +0200
@@ -1514,7 +1514,7 @@ while (<IN>)
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
{
my $sotmp = $1;
- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
+ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
}
elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
{
diff -up openssl-1.0.0-beta3/Makefile.org.soversion openssl-1.0.0-beta3/Makefile.org
--- openssl-1.0.0-beta3/Makefile.org.soversion 2009-08-04 23:06:52.000000000 +0200
+++ openssl-1.0.0-beta3/Makefile.org 2009-08-04 23:11:01.000000000 +0200
@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
SHLIB_MAJOR=
SHLIB_MINOR=
SHLIB_EXT=
+SHLIB_SONAMEVER=10
PLATFORM=dist
OPTIONS=
CONFIGURE_ARGS=
@@ -289,10 +290,9 @@ clean-shared:
link-shared:
@ set -e; for i in $(SHLIBDIRS); do \
$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
symlink.$(SHLIB_TARGET); \
- libs="$$libs -l$$i"; \
done
build-shared: do_$(SHLIB_TARGET) link-shared
@@ -303,7 +303,7 @@ do_$(SHLIB_TARGET):
libs="$(LIBKRB5) $$libs"; \
fi; \
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
LIBDEPS="$$libs $(EX_LIBS)" \
link_a.$(SHLIB_TARGET); \

25
openssl-1.0.0-beta4-dtls1-abi.patch
View File

@ -1,25 +0,0 @@
Adding struct member is ABI breaker however as the structure is always allocated by
the library calls we just move it to the end and it should be reasonably safe.
diff -up openssl-1.0.0-beta4/ssl/dtls1.h.dtls1-abi openssl-1.0.0-beta4/ssl/dtls1.h
--- openssl-1.0.0-beta4/ssl/dtls1.h.dtls1-abi 2009-11-12 14:34:37.000000000 +0100
+++ openssl-1.0.0-beta4/ssl/dtls1.h 2009-11-12 14:47:57.000000000 +0100
@@ -216,9 +216,6 @@ typedef struct dtls1_state_st
*/
record_pqueue buffered_app_data;
- /* Is set when listening for new connections with dtls1_listen() */
- unsigned int listen;
-
unsigned int mtu; /* max DTLS packet size */
struct hm_header_st w_msg_hdr;
@@ -242,6 +239,9 @@ typedef struct dtls1_state_st
unsigned int retransmitting;
unsigned int change_cipher_spec_ok;
+ /* Is set when listening for new connections with dtls1_listen() */
+ unsigned int listen;
+
} DTLS1_STATE;
typedef struct dtls1_record_data_st

189
openssl-1.0.0-fips-pkcs8.patch Normal file
View File

@ -0,0 +1,189 @@
diff -up openssl-1.0.0/crypto/pem/pem_all.c.pkcs8 openssl-1.0.0/crypto/pem/pem_all.c
--- openssl-1.0.0/crypto/pem/pem_all.c.pkcs8 2006-11-06 20:53:37.000000000 +0100
+++ openssl-1.0.0/crypto/pem/pem_all.c 2012-04-26 17:17:35.765317652 +0200
@@ -147,7 +147,37 @@ IMPLEMENT_PEM_rw(PKCS7, PKCS7, PEM_STRIN
IMPLEMENT_PEM_rw(NETSCAPE_CERT_SEQUENCE, NETSCAPE_CERT_SEQUENCE,
PEM_STRING_X509, NETSCAPE_CERT_SEQUENCE)
+#ifdef OPENSSL_FIPS
+static int fips_PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+ {
+ if (FIPS_mode())
+ return PEM_write_bio_PKCS8PrivateKey(bp, x, enc,
+ (char *)kstr, klen, cb, u);
+ else
+ return PEM_ASN1_write_bio((i2d_of_void *)i2d_PrivateKey,
+ ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:(x->type == EVP_PKEY_RSA)?PEM_STRING_RSA:PEM_STRING_ECPRIVATEKEY),
+ bp,x,enc,kstr,klen,cb,u);
+ }
+
+#ifndef OPENSSL_NO_FP_API
+static int fips_PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+ {
+ if (FIPS_mode())
+ return PEM_write_PKCS8PrivateKey(fp, x, enc,
+ (char *)kstr, klen, cb, u);
+ else
+ return PEM_ASN1_write((i2d_of_void *)i2d_PrivateKey,
+ ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:(x->type == EVP_PKEY_RSA)?PEM_STRING_RSA:PEM_STRING_ECPRIVATEKEY),
+ fp,x,enc,kstr,klen,cb,u);
+ }
+#endif
+
+#endif
#ifndef OPENSSL_NO_RSA
@@ -193,7 +223,49 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RS
#endif
+#ifdef OPENSSL_FIPS
+
+int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ EVP_PKEY *k;
+ int ret;
+ k = EVP_PKEY_new();
+ if (!k)
+ return 0;
+ EVP_PKEY_set1_RSA(k, x);
+
+ ret = fips_PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+ EVP_PKEY_free(k);
+ return ret;
+}
+
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ EVP_PKEY *k;
+ int ret;
+ k = EVP_PKEY_new();
+ if (!k)
+ return 0;
+
+ EVP_PKEY_set1_RSA(k, x);
+
+ ret = fips_PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+ EVP_PKEY_free(k);
+ return ret;
+}
+#endif
+
+#else
+
IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey)
+
+#endif
+
IMPLEMENT_PEM_rw_const(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey)
IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY)
@@ -223,7 +295,47 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp,
return pkey_get_dsa(pktmp, dsa); /* will free pktmp */
}
+#ifdef OPENSSL_FIPS
+
+int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ EVP_PKEY *k;
+ int ret;
+ k = EVP_PKEY_new();
+ if (!k)
+ return 0;
+ EVP_PKEY_set1_DSA(k, x);
+
+ ret = fips_PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+ EVP_PKEY_free(k);
+ return ret;
+}
+
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ EVP_PKEY *k;
+ int ret;
+ k = EVP_PKEY_new();
+ if (!k)
+ return 0;
+ EVP_PKEY_set1_DSA(k, x);
+ ret = fips_PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+ EVP_PKEY_free(k);
+ return ret;
+}
+#endif
+
+#else
+
IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey)
+
+#endif
+
IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY)
#ifndef OPENSSL_NO_FP_API
@@ -269,8 +381,49 @@ EC_KEY *PEM_read_bio_ECPrivateKey(BIO *b
IMPLEMENT_PEM_rw_const(ECPKParameters, EC_GROUP, PEM_STRING_ECPARAMETERS, ECPKParameters)
+
+
+#ifdef OPENSSL_FIPS
+
+int PEM_write_bio_ECPrivateKey(BIO *bp, EC_KEY *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ EVP_PKEY *k;
+ int ret;
+ k = EVP_PKEY_new();
+ if (!k)
+ return 0;
+ EVP_PKEY_set1_EC_KEY(k, x);
+
+ ret = fips_PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+ EVP_PKEY_free(k);
+ return ret;
+}
+
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_ECPrivateKey(FILE *fp, EC_KEY *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ EVP_PKEY *k;
+ int ret;
+ k = EVP_PKEY_new();
+ if (!k)
+ return 0;
+ EVP_PKEY_set1_EC_KEY(k, x);
+ ret = fips_PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+ EVP_PKEY_free(k);
+ return ret;
+}
+#endif
+
+#else
+
IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY, ECPrivateKey)
+#endif
+
IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY)
#ifndef OPENSSL_NO_FP_API

22
openssl-1.0.0-name-hash.patch
View File

@ -1,22 +0,0 @@
diff -up openssl-1.0.0/crypto/x509/x509_cmp.c.name-hash openssl-1.0.0/crypto/x509/x509_cmp.c
--- openssl-1.0.0/crypto/x509/x509_cmp.c.name-hash 2010-01-12 18:27:10.000000000 +0100
+++ openssl-1.0.0/crypto/x509/x509_cmp.c 2010-04-06 16:44:52.000000000 +0200
@@ -236,10 +236,17 @@ unsigned long X509_NAME_hash_old(X509_NA
{
unsigned long ret=0;
unsigned char md[16];
+ EVP_MD_CTX ctx;
/* Make sure X509_NAME structure contains valid cached encoding */
i2d_X509_NAME(x,NULL);
- EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
+
+ EVP_MD_CTX_init(&ctx);
+ EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_ONESHOT | EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)
+ && EVP_DigestUpdate(&ctx, x->bytes->data, x->bytes->length)
+ && EVP_DigestFinal_ex(&ctx, md, NULL);
+ EVP_MD_CTX_cleanup(&ctx);
ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)

12164
openssl-1.0.0a-fips.patch
View File

File diff suppressed because it is too large Load Diff

272
openssl-1.0.0a-fipsmode.patch
View File

@ -1,272 +0,0 @@
diff -up openssl-1.0.0a/crypto/engine/eng_all.c.fipsmode openssl-1.0.0a/crypto/engine/eng_all.c
--- openssl-1.0.0a/crypto/engine/eng_all.c.fipsmode 2009-07-01 16:55:58.000000000 +0200
+++ openssl-1.0.0a/crypto/engine/eng_all.c 2010-06-04 13:32:13.000000000 +0200
@@ -58,9 +58,23 @@
#include "cryptlib.h"
#include "eng_int.h"
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
void ENGINE_load_builtin_engines(void)
{
+#ifdef OPENSSL_FIPS
+ OPENSSL_init_library();
+ if (FIPS_mode()) {
+ /* We allow loading dynamic engine as a third party
+ engine might be FIPS validated.
+ User is disallowed to load non-validated engines
+ by security policy. */
+ ENGINE_load_dynamic();
+ return;
+ }
+#endif
#if 0
/* There's no longer any need for an "openssl" ENGINE unless, one day,
* it is the *only* way for standard builtin implementations to be be
diff -up openssl-1.0.0a/crypto/evp/c_allc.c.fipsmode openssl-1.0.0a/crypto/evp/c_allc.c
--- openssl-1.0.0a/crypto/evp/c_allc.c.fipsmode 2009-12-25 15:12:24.000000000 +0100
+++ openssl-1.0.0a/crypto/evp/c_allc.c 2010-06-04 13:32:13.000000000 +0200
@@ -65,6 +65,11 @@
void OpenSSL_add_all_ciphers(void)
{
+#ifdef OPENSSL_FIPS
+ OPENSSL_init_library();
+ if(!FIPS_mode())
+ {
+#endif
#ifndef OPENSSL_NO_DES
EVP_add_cipher(EVP_des_cfb());
EVP_add_cipher(EVP_des_cfb1());
@@ -221,4 +226,61 @@ void OpenSSL_add_all_ciphers(void)
EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
#endif
+#ifdef OPENSSL_FIPS
+ }
+ else
+ {
+#ifndef OPENSSL_NO_DES
+ EVP_add_cipher(EVP_des_ede_cfb());
+ EVP_add_cipher(EVP_des_ede3_cfb());
+
+ EVP_add_cipher(EVP_des_ede_ofb());
+ EVP_add_cipher(EVP_des_ede3_ofb());
+
+ EVP_add_cipher(EVP_des_ede_cbc());
+ EVP_add_cipher(EVP_des_ede3_cbc());
+ EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
+ EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
+
+ EVP_add_cipher(EVP_des_ede());
+ EVP_add_cipher(EVP_des_ede3());
+#endif
+
+#ifndef OPENSSL_NO_AES
+ EVP_add_cipher(EVP_aes_128_ecb());
+ EVP_add_cipher(EVP_aes_128_cbc());
+ EVP_add_cipher(EVP_aes_128_cfb());
+ EVP_add_cipher(EVP_aes_128_cfb1());
+ EVP_add_cipher(EVP_aes_128_cfb8());
+ EVP_add_cipher(EVP_aes_128_ofb());
+#if 0
+ EVP_add_cipher(EVP_aes_128_ctr());
+#endif
+ EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
+ EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
+ EVP_add_cipher(EVP_aes_192_ecb());
+ EVP_add_cipher(EVP_aes_192_cbc());
+ EVP_add_cipher(EVP_aes_192_cfb());
+ EVP_add_cipher(EVP_aes_192_cfb1());
+ EVP_add_cipher(EVP_aes_192_cfb8());
+ EVP_add_cipher(EVP_aes_192_ofb());
+#if 0
+ EVP_add_cipher(EVP_aes_192_ctr());
+#endif
+ EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
+ EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
+ EVP_add_cipher(EVP_aes_256_ecb());
+ EVP_add_cipher(EVP_aes_256_cbc());
+ EVP_add_cipher(EVP_aes_256_cfb());
+ EVP_add_cipher(EVP_aes_256_cfb1());
+ EVP_add_cipher(EVP_aes_256_cfb8());
+ EVP_add_cipher(EVP_aes_256_ofb());
+#if 0
+ EVP_add_cipher(EVP_aes_256_ctr());
+#endif
+ EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
+ EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
+#endif
+ }
+#endif
}
diff -up openssl-1.0.0a/crypto/evp/c_alld.c.fipsmode openssl-1.0.0a/crypto/evp/c_alld.c
--- openssl-1.0.0a/crypto/evp/c_alld.c.fipsmode 2009-07-08 10:50:53.000000000 +0200
+++ openssl-1.0.0a/crypto/evp/c_alld.c 2010-06-04 13:32:13.000000000 +0200
@@ -64,6 +64,11 @@
void OpenSSL_add_all_digests(void)
{
+#ifdef OPENSSL_FIPS
+ OPENSSL_init_library();
+ if (!FIPS_mode())
+ {
+#endif
#ifndef OPENSSL_NO_MD4
EVP_add_digest(EVP_md4());
#endif
@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
#ifndef OPENSSL_NO_WHIRLPOOL
EVP_add_digest(EVP_whirlpool());
#endif
+#ifdef OPENSSL_FIPS
+ }
+ else
+ {
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
+ EVP_add_digest(EVP_sha1());
+ EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
+ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
+#ifndef OPENSSL_NO_DSA
+ EVP_add_digest(EVP_dss1());
+ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
+ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
+ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
+#endif
+#ifndef OPENSSL_NO_ECDSA
+ EVP_add_digest(EVP_ecdsa());
+#endif
+#endif
+#ifndef OPENSSL_NO_SHA256
+ EVP_add_digest(EVP_sha224());
+ EVP_add_digest(EVP_sha256());
+#endif
+#ifndef OPENSSL_NO_SHA512
+ EVP_add_digest(EVP_sha384());
+ EVP_add_digest(EVP_sha512());
+#endif
+ }
+#endif
}
diff -up openssl-1.0.0a/crypto/o_init.c.fipsmode openssl-1.0.0a/crypto/o_init.c
--- openssl-1.0.0a/crypto/o_init.c.fipsmode 2010-06-04 13:32:13.000000000 +0200
+++ openssl-1.0.0a/crypto/o_init.c 2010-06-04 13:32:13.000000000 +0200
@@ -59,6 +59,43 @@
#include <e_os.h>
#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <openssl/fips.h>
+
+#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
+
+static void init_fips_mode(void)
+ {
+ char buf[2] = "0";
+ int fd;
+
+ if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
+ {
+ buf[0] = '1';
+ }
+ else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0)
+ {
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
+ close(fd);
+ }
+ /* Failure reading the fips mode switch file means just not
+ * switching into FIPS mode. We would break too many things
+ * otherwise.
+ */
+
+ if (buf[0] == '1')
+ {
+ FIPS_mode_set(1);
+ }
+ }
+#endif
+
/* Perform any essential OpenSSL initialization operations.
* Currently only sets FIPS callbacks
*/
@@ -72,6 +109,7 @@ void OPENSSL_init_library(void)
#ifdef CRYPTO_MDEBUG
CRYPTO_malloc_debug_init();
#endif
+ init_fips_mode();
done = 1;
}
#endif
diff -up openssl-1.0.0a/ssl/ssl_algs.c.fipsmode openssl-1.0.0a/ssl/ssl_algs.c
--- openssl-1.0.0a/ssl/ssl_algs.c.fipsmode 2010-04-07 15:18:30.000000000 +0200
+++ openssl-1.0.0a/ssl/ssl_algs.c 2010-06-04 13:32:48.000000000 +0200
@@ -64,6 +64,12 @@
int SSL_library_init(void)
{
+#ifdef OPENSSL_FIPS
+ OPENSSL_init_library();
+ if (!FIPS_mode())
+ {
+#endif
+
#ifndef OPENSSL_NO_DES
EVP_add_cipher(EVP_des_cbc());
EVP_add_cipher(EVP_des_ede3_cbc());
@@ -127,6 +133,48 @@ int SSL_library_init(void)
EVP_add_digest(EVP_sha());
EVP_add_digest(EVP_dss());
#endif
+#ifdef OPENSSL_FIPS
+ }
+ else
+ {
+#ifndef OPENSSL_NO_DES
+ EVP_add_cipher(EVP_des_ede3_cbc());
+#endif
+#ifndef OPENSSL_NO_AES
+ EVP_add_cipher(EVP_aes_128_cbc());
+ EVP_add_cipher(EVP_aes_192_cbc());
+ EVP_add_cipher(EVP_aes_256_cbc());
+#endif
+#ifndef OPENSSL_NO_MD5
+ /* needed even in the FIPS mode for TLS MAC */
+ EVP_add_digest(EVP_md5());
+ EVP_add_digest_alias(SN_md5,"ssl2-md5");
+ EVP_add_digest_alias(SN_md5,"ssl3-md5");
+#endif
+#ifndef OPENSSL_NO_SHA
+ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
+ EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
+ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
+#endif
+#ifndef OPENSSL_NO_SHA256
+ EVP_add_digest(EVP_sha224());
+ EVP_add_digest(EVP_sha256());
+#endif
+#ifndef OPENSSL_NO_SHA512
+ EVP_add_digest(EVP_sha384());
+ EVP_add_digest(EVP_sha512());
+#endif
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
+ EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
+ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
+ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
+ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
+#endif
+#ifndef OPENSSL_NO_ECDSA
+ EVP_add_digest(EVP_ecdsa());
+#endif
+ }
+#endif
#ifndef OPENSSL_NO_COMP
/* This will initialise the built-in compression algorithms.
The value returned is a STACK_OF(SSL_COMP), but that can

21
openssl-1.0.0a-manfix.patch
View File

@ -1,21 +0,0 @@
diff -up openssl-1.0.0a/doc/apps/openssl.pod.manfix openssl-1.0.0a/doc/apps/openssl.pod
--- openssl-1.0.0a/doc/apps/openssl.pod.manfix 2010-01-21 19:46:28.000000000 +0100
+++ openssl-1.0.0a/doc/apps/openssl.pod 2010-06-30 14:24:50.000000000 +0200
@@ -287,8 +287,6 @@ SHA Digest
SHA-1 Digest
-=back
-
=item B<sha224>
SHA-224 Digest
@@ -305,6 +303,8 @@ SHA-384 Digest
SHA-512 Digest
+=back
+
=head2 ENCODING AND CIPHER COMMANDS
=over 10

2388
openssl-1.0.0b-aesni.patch
View File

File diff suppressed because it is too large Load Diff

57
openssl-1.0.0c-apps-ipv6listen.patch
View File

@ -1,57 +0,0 @@
diff -up openssl-1.0.0c/apps/s_socket.c.ipv6listen openssl-1.0.0c/apps/s_socket.c
--- openssl-1.0.0c/apps/s_socket.c.ipv6listen 2011-01-24 16:44:18.000000000 +0100
+++ openssl-1.0.0c/apps/s_socket.c 2011-01-24 16:56:25.000000000 +0100
@@ -335,15 +335,16 @@ int do_server(char *port, int type, int
static int init_server(int *sock, char *port, int type)
{
- struct addrinfo *res, *res0, hints;
+ struct addrinfo *res, *res0 = NULL, hints;
char * failed_call = NULL;
- char port_name[8];
int s;
int e;
if (!ssl_sock_init()) return(0);
memset(&hints, '\0', sizeof(hints));
+ hints.ai_family = AF_INET6;
+tryipv4:
hints.ai_socktype = type;
hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
@@ -365,6 +366,12 @@ static int init_server(int *sock, char *
failed_call = "socket";
goto nextres;
}
+ if (hints.ai_family == AF_INET6)
+ {
+ int j = 0;
+ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
+ (void *) &j, sizeof j);
+ }
#if defined SOL_SOCKET && defined SO_REUSEADDR
{
int j = 1;
@@ -392,9 +399,19 @@ nextres:
close(s);
res = res->ai_next;
}
- freeaddrinfo(res0);
+ if (res0)
+ freeaddrinfo(res0);
- if (s == INVALID_SOCKET) { perror("socket"); return(0); }
+ if (s == INVALID_SOCKET)
+ {
+ if (hints.ai_family == AF_INET6)
+ {
+ hints.ai_family = AF_INET;
+ goto tryipv4;
+ }
+ perror("socket");
+ return(0);
+ }
perror(failed_call);
return(0);

20
openssl-1.0.0c-fips-md5-allow.patch
View File

@ -1,20 +0,0 @@
diff -up openssl-1.0.0c/crypto/md5/md5_dgst.c.md5-allow openssl-1.0.0c/crypto/md5/md5_dgst.c
--- openssl-1.0.0c/crypto/md5/md5_dgst.c.md5-allow 2011-02-03 19:53:28.000000000 +0100
+++ openssl-1.0.0c/crypto/md5/md5_dgst.c 2011-02-03 20:33:14.000000000 +0100
@@ -75,7 +75,15 @@ const char MD5_version[]="MD5" OPENSSL_V
#define INIT_DATA_C (unsigned long)0x98badcfeL
#define INIT_DATA_D (unsigned long)0x10325476L
-FIPS_NON_FIPS_MD_Init(MD5)
+int MD5_Init(MD5_CTX *c)
+#ifdef OPENSSL_FIPS
+ {
+ if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
+ FIPS_BAD_ALGORITHM(alg)
+ return private_MD5_Init(c);
+ }
+int private_MD5_Init(MD5_CTX *c)
+#endif
{
memset (c,0,sizeof(*c));
c->A=INIT_DATA_A;

384
openssl-1.0.0c-fips186-3.patch
View File

@ -1,384 +0,0 @@
diff -up openssl-1.0.0c/crypto/dsa/dsa_gen.c.fips186-3 openssl-1.0.0c/crypto/dsa/dsa_gen.c
--- openssl-1.0.0c/crypto/dsa/dsa_gen.c.fips186-3 2011-02-03 21:04:14.000000000 +0100
+++ openssl-1.0.0c/crypto/dsa/dsa_gen.c 2011-02-04 08:54:42.000000000 +0100
@@ -120,11 +120,11 @@ int dsa_builtin_paramgen(DSA *ret, size_
int ok=0;
unsigned char seed[SHA256_DIGEST_LENGTH];
unsigned char md[SHA256_DIGEST_LENGTH];
- unsigned char buf[SHA256_DIGEST_LENGTH],buf2[SHA256_DIGEST_LENGTH];
+ unsigned char buf[SHA256_DIGEST_LENGTH];
BIGNUM *r0,*W,*X,*c,*test;
BIGNUM *g=NULL,*q=NULL,*p=NULL;
BN_MONT_CTX *mont=NULL;
- int i, k, n=0, m=0, qsize = qbits >> 3;
+ int i, k, b, n=0, m=0, qsize = qbits >> 3;
int counter=0;
int r=0;
BN_CTX *ctx=NULL;
@@ -138,9 +138,13 @@ int dsa_builtin_paramgen(DSA *ret, size_
goto err;
}
- if (FIPS_mode() && (bits < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
+ if (FIPS_mode() &&
+ (bits != 1024 || qbits != 160) &&
+ (bits != 2048 || qbits != 224) &&
+ (bits != 2048 || qbits != 256) &&
+ (bits != 3072 || qbits != 256))
{
- DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_TOO_SMALL);
+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
goto err;
}
#endif
@@ -151,22 +155,25 @@ int dsa_builtin_paramgen(DSA *ret, size_
return 0;
if (evpmd == NULL)
- /* use SHA1 as default */
- evpmd = EVP_sha1();
+ {
+ if (qbits <= 160)
+ evpmd = EVP_sha1();
+ else if (qbits <= 224)
+ evpmd = EVP_sha224();
+ else
+ evpmd = EVP_sha256();
+ }
if (bits < 512)
bits = 512;
bits = (bits+63)/64*64;
- /* NB: seed_len == 0 is special case: copy generated seed to
- * seed_in if it is not NULL.
- */
if (seed_len && (seed_len < (size_t)qsize))
seed_in = NULL; /* seed buffer too small -- ignore */
if (seed_len > (size_t)qsize)
seed_len = qsize; /* App. 2.2 of FIPS PUB 186 allows larger SEED,
- * but our internal buffers are restricted to 160 bits*/
+ * but our internal buffers are restricted to 256 bits*/
if (seed_in != NULL)
memcpy(seed, seed_in, seed_len);
@@ -189,13 +196,18 @@ int dsa_builtin_paramgen(DSA *ret, size_
if (!BN_lshift(test,BN_value_one(),bits-1))
goto err;
+ /* step 3 n = \lceil bits / qbits \rceil - 1 */
+ n = (bits+qbits-1)/qbits - 1;
+ /* step 4 b = bits - 1 - n * qbits */
+ b = bits - 1 - n*qbits;
+
for (;;)
{
for (;;) /* find q */
{
int seed_is_random;
- /* step 1 */
+ /* step 5 generate seed */
if(!BN_GENCB_call(cb, 0, m++))
goto err;
@@ -210,28 +222,17 @@ int dsa_builtin_paramgen(DSA *ret, size_
seed_len=0; /* use random seed if 'seed_in' turns out to be bad*/
}
memcpy(buf , seed, qsize);
- memcpy(buf2, seed, qsize);
- /* precompute "SEED + 1" for step 7: */
- for (i = qsize-1; i >= 0; i--)
- {
- buf[i]++;
- if (buf[i] != 0)
- break;
- }
- /* step 2 */
+ /* step 6 U = hash(seed) */
EVP_Digest(seed, qsize, md, NULL, evpmd, NULL);
- EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL);
- for (i = 0; i < qsize; i++)
- md[i]^=buf2[i];
- /* step 3 */
+ /* step 7 q = 2^(qbits-1) + U + 1 - (U mod 2) */
md[0] |= 0x80;
md[qsize-1] |= 0x01;
if (!BN_bin2bn(md, qsize, q))
goto err;
- /* step 4 */
+ /* step 8 test for prime (64 round of Rabin-Miller) */
r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
seed_is_random, cb);
if (r > 0)
@@ -239,27 +240,22 @@ int dsa_builtin_paramgen(DSA *ret, size_
if (r != 0)
goto err;
- /* do a callback call */
- /* step 5 */
}
if(!BN_GENCB_call(cb, 2, 0)) goto err;
if(!BN_GENCB_call(cb, 3, 0)) goto err;
- /* step 6 */
+ /* step 11 */
counter=0;
- /* "offset = 2" */
-
- n=(bits-1)/160;
+ /* "offset = 1" */
for (;;)
{
if ((counter != 0) && !BN_GENCB_call(cb, 0, counter))
goto err;
- /* step 7 */
+ /* step 11.1, 11.2 obtain W */
BN_zero(W);
- /* now 'buf' contains "SEED + offset - 1" */
for (k=0; k<=n; k++)
{
/* obtain "SEED + offset + k" by incrementing: */
@@ -272,28 +268,30 @@ int dsa_builtin_paramgen(DSA *ret, size_
EVP_Digest(buf, qsize, md ,NULL, evpmd, NULL);
- /* step 8 */
if (!BN_bin2bn(md, qsize, r0))
goto err;
- if (!BN_lshift(r0,r0,(qsize << 3)*k)) goto err;
+ if (k == n)
+ BN_mask_bits(r0,b);
+ if (!BN_lshift(r0,r0,qbits*k)) goto err;
if (!BN_add(W,W,r0)) goto err;
}
- /* more of step 8 */
- if (!BN_mask_bits(W,bits-1)) goto err;
+ /* step 11.3 X = W + 2^(L-1) */
if (!BN_copy(X,W)) goto err;
if (!BN_add(X,X,test)) goto err;
- /* step 9 */
+ /* step 11.4 c = X mod 2*q */
if (!BN_lshift1(r0,q)) goto err;
if (!BN_mod(c,X,r0,ctx)) goto err;
+
+ /* step 11.5 p = X - (c - 1) */
if (!BN_sub(r0,c,BN_value_one())) goto err;
if (!BN_sub(p,X,r0)) goto err;
- /* step 10 */
+ /* step 11.6 */
if (BN_cmp(p,test) >= 0)
{
- /* step 11 */
+ /* step 11.7 */
r = BN_is_prime_fasttest_ex(p, DSS_prime_checks,
ctx, 1, cb);
if (r > 0)
@@ -302,12 +300,12 @@ int dsa_builtin_paramgen(DSA *ret, size_
goto err;
}
- /* step 13 */
+ /* step 11.9 */
counter++;
/* "offset = offset + n + 1" */
- /* step 14 */
- if (counter >= 4096) break;
+ /* step 12 */
+ if (counter >= 4*bits) break;
}
}
end:
diff -up openssl-1.0.0c/crypto/dsa/dsa.h.fips186-3 openssl-1.0.0c/crypto/dsa/dsa.h
--- openssl-1.0.0c/crypto/dsa/dsa.h.fips186-3 2011-02-03 21:04:14.000000000 +0100
+++ openssl-1.0.0c/crypto/dsa/dsa.h 2011-02-03 21:04:14.000000000 +0100
@@ -316,6 +316,7 @@ void ERR_load_DSA_strings(void);
#define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100
#define DSA_R_DECODE_ERROR 104
#define DSA_R_INVALID_DIGEST_TYPE 106
+#define DSA_R_KEY_SIZE_INVALID 113
#define DSA_R_KEY_SIZE_TOO_SMALL 110
#define DSA_R_MISSING_PARAMETERS 101
#define DSA_R_MODULUS_TOO_LARGE 103
diff -up openssl-1.0.0c/crypto/dsa/dsatest.c.fips186-3 openssl-1.0.0c/crypto/dsa/dsatest.c
--- openssl-1.0.0c/crypto/dsa/dsatest.c.fips186-3 2011-02-03 21:14:07.000000000 +0100
+++ openssl-1.0.0c/crypto/dsa/dsatest.c 2011-02-04 08:40:24.000000000 +0100
@@ -96,36 +96,41 @@ static int MS_CALLBACK dsa_cb(int p, int
/* seed, out_p, out_q, out_g are taken from the updated Appendix 5 to
* FIPS PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 */
static unsigned char seed[20]={
- 0xd5,0x01,0x4e,0x4b,0x60,0xef,0x2b,0xa8,0xb6,0x21,0x1b,0x40,
- 0x62,0xba,0x32,0x24,0xe0,0x42,0x7d,0xd3,
+ 0x02,0x47,0x11,0x92,0x11,0x88,0xC8,0xFB,0xAF,0x48,0x4C,0x62,
+ 0xDF,0xA5,0xBE,0xA0,0xA4,0x3C,0x56,0xE3,
};
static unsigned char out_p[]={
- 0x8d,0xf2,0xa4,0x94,0x49,0x22,0x76,0xaa,
- 0x3d,0x25,0x75,0x9b,0xb0,0x68,0x69,0xcb,
- 0xea,0xc0,0xd8,0x3a,0xfb,0x8d,0x0c,0xf7,
- 0xcb,0xb8,0x32,0x4f,0x0d,0x78,0x82,0xe5,
- 0xd0,0x76,0x2f,0xc5,0xb7,0x21,0x0e,0xaf,
- 0xc2,0xe9,0xad,0xac,0x32,0xab,0x7a,0xac,
- 0x49,0x69,0x3d,0xfb,0xf8,0x37,0x24,0xc2,
- 0xec,0x07,0x36,0xee,0x31,0xc8,0x02,0x91,
+ 0xAC,0xCB,0x1E,0x63,0x60,0x69,0x0C,0xFB,0x06,0x19,0x68,0x3E,
+ 0xA5,0x01,0x5A,0xA2,0x15,0x5C,0xE2,0x99,0x2D,0xD5,0x30,0x99,
+ 0x7E,0x5F,0x8D,0xE2,0xF7,0xC6,0x2E,0x8D,0xA3,0x9F,0x58,0xAD,
+ 0xD6,0xA9,0x7D,0x0E,0x0D,0x95,0x53,0xA6,0x71,0x3A,0xDE,0xAB,
+ 0xAC,0xE9,0xF4,0x36,0x55,0x9E,0xB9,0xD6,0x93,0xBF,0xF3,0x18,
+ 0x1C,0x14,0x7B,0xA5,0x42,0x2E,0xCD,0x00,0xEB,0x35,0x3B,0x1B,
+ 0xA8,0x51,0xBB,0xE1,0x58,0x42,0x85,0x84,0x22,0xA7,0x97,0x5E,
+ 0x99,0x6F,0x38,0x20,0xBD,0x9D,0xB6,0xD9,0x33,0x37,0x2A,0xFD,
+ 0xBB,0xD4,0xBC,0x0C,0x2A,0x67,0xCB,0x9F,0xBB,0xDF,0xF9,0x93,
+ 0xAA,0xD6,0xF0,0xD6,0x95,0x0B,0x5D,0x65,0x14,0xD0,0x18,0x9D,
+ 0xC6,0xAF,0xF0,0xC6,0x37,0x7C,0xF3,0x5F,
};
static unsigned char out_q[]={
- 0xc7,0x73,0x21,0x8c,0x73,0x7e,0xc8,0xee,
- 0x99,0x3b,0x4f,0x2d,0xed,0x30,0xf4,0x8e,
- 0xda,0xce,0x91,0x5f,
+ 0xE3,0x8E,0x5E,0x6D,0xBF,0x2B,0x79,0xF8,0xC5,0x4B,0x89,0x8B,
+ 0xBA,0x2D,0x91,0xC3,0x6C,0x80,0xAC,0x87,
};
static unsigned char out_g[]={
- 0x62,0x6d,0x02,0x78,0x39,0xea,0x0a,0x13,
- 0x41,0x31,0x63,0xa5,0x5b,0x4c,0xb5,0x00,
- 0x29,0x9d,0x55,0x22,0x95,0x6c,0xef,0xcb,
- 0x3b,0xff,0x10,0xf3,0x99,0xce,0x2c,0x2e,
- 0x71,0xcb,0x9d,0xe5,0xfa,0x24,0xba,0xbf,
- 0x58,0xe5,0xb7,0x95,0x21,0x92,0x5c,0x9c,
- 0xc4,0x2e,0x9f,0x6f,0x46,0x4b,0x08,0x8c,
- 0xc5,0x72,0xaf,0x53,0xe6,0xd7,0x88,0x02,
+ 0x42,0x4A,0x04,0x4E,0x79,0xB4,0x99,0x7F,0xFD,0x58,0x36,0x2C,
+ 0x1B,0x5F,0x18,0x7E,0x0D,0xCC,0xAB,0x81,0xC9,0x5D,0x10,0xCE,
+ 0x4E,0x80,0x7E,0x58,0xB4,0x34,0x3F,0xA7,0x45,0xC7,0xAA,0x36,
+ 0x24,0x42,0xA9,0x3B,0xE8,0x0E,0x04,0x02,0x2D,0xFB,0xA6,0x13,
+ 0xB9,0xB5,0x15,0xA5,0x56,0x07,0x35,0xE4,0x03,0xB6,0x79,0x7C,
+ 0x62,0xDD,0xDF,0x3F,0x71,0x3A,0x9D,0x8B,0xC4,0xF6,0xE7,0x1D,
+ 0x52,0xA8,0xA9,0x43,0x1D,0x33,0x51,0x88,0x39,0xBD,0x73,0xE9,
+ 0x5F,0xBE,0x82,0x49,0x27,0xE6,0xB5,0x53,0xC1,0x38,0xAC,0x2F,
+ 0x6D,0x97,0x6C,0xEB,0x67,0xC1,0x5F,0x67,0xF8,0x35,0x05,0x5E,
+ 0xD5,0x68,0x80,0xAA,0x96,0xCA,0x0B,0x8A,0xE6,0xF1,0xB1,0x41,
+ 0xC6,0x75,0x94,0x0A,0x0A,0x2A,0xFA,0x29,
};
static const unsigned char str1[]="12345678901234567890";
@@ -157,7 +162,7 @@ int main(int argc, char **argv)
BIO_printf(bio_err,"test generation of DSA parameters\n");
BN_GENCB_set(&cb, dsa_cb, bio_err);
- if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512,
+ if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 1024,
seed, 20, &counter, &h, &cb))
goto end;
@@ -170,9 +175,9 @@ int main(int argc, char **argv)
BIO_printf(bio_err,"\ncounter=%d h=%ld\n",counter,h);
DSA_print(bio_err,dsa,0);
- if (counter != 105)
+ if (counter != 239)
{
- BIO_printf(bio_err,"counter should be 105\n");
+ BIO_printf(bio_err,"counter should be 239\n");
goto end;
}
if (h != 2)
diff -up openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c.fips186-3 openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c
--- openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c.fips186-3 2011-02-03 21:04:14.000000000 +0100
+++ openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c 2011-02-04 09:03:03.000000000 +0100
@@ -68,44 +68,42 @@
#ifdef OPENSSL_FIPS
-/* seed, out_p, out_q, out_g are taken the NIST test vectors */
-
static unsigned char seed[20] = {
- 0x77, 0x8f, 0x40, 0x74, 0x6f, 0x66, 0xbe, 0x33, 0xce, 0xbe, 0x99, 0x34,
- 0x4c, 0xfc, 0xf3, 0x28, 0xaa, 0x70, 0x2d, 0x3a
- };
+ 0x02,0x47,0x11,0x92,0x11,0x88,0xC8,0xFB,0xAF,0x48,0x4C,0x62,
+ 0xDF,0xA5,0xBE,0xA0,0xA4,0x3C,0x56,0xE3,
+ };
static unsigned char out_p[] = {
- 0xf7, 0x7c, 0x1b, 0x83, 0xd8, 0xe8, 0x5c, 0x7f, 0x85, 0x30, 0x17, 0x57,
- 0x21, 0x95, 0xfe, 0x26, 0x04, 0xeb, 0x47, 0x4c, 0x3a, 0x4a, 0x81, 0x4b,
- 0x71, 0x2e, 0xed, 0x6e, 0x4f, 0x3d, 0x11, 0x0f, 0x7c, 0xfe, 0x36, 0x43,
- 0x51, 0xd9, 0x81, 0x39, 0x17, 0xdf, 0x62, 0xf6, 0x9c, 0x01, 0xa8, 0x69,
- 0x71, 0xdd, 0x29, 0x7f, 0x47, 0xe6, 0x65, 0xa6, 0x22, 0xe8, 0x6a, 0x12,
- 0x2b, 0xc2, 0x81, 0xff, 0x32, 0x70, 0x2f, 0x9e, 0xca, 0x53, 0x26, 0x47,
- 0x0f, 0x59, 0xd7, 0x9e, 0x2c, 0xa5, 0x07, 0xc4, 0x49, 0x52, 0xa3, 0xe4,
- 0x6b, 0x04, 0x00, 0x25, 0x49, 0xe2, 0xe6, 0x7f, 0x28, 0x78, 0x97, 0xb8,
- 0x3a, 0x32, 0x14, 0x38, 0xa2, 0x51, 0x33, 0x22, 0x44, 0x7e, 0xd7, 0xef,
- 0x45, 0xdb, 0x06, 0x4a, 0xd2, 0x82, 0x4a, 0x82, 0x2c, 0xb1, 0xd7, 0xd8,
- 0xb6, 0x73, 0x00, 0x4d, 0x94, 0x77, 0x94, 0xef
+ 0xAC,0xCB,0x1E,0x63,0x60,0x69,0x0C,0xFB,0x06,0x19,0x68,0x3E,
+ 0xA5,0x01,0x5A,0xA2,0x15,0x5C,0xE2,0x99,0x2D,0xD5,0x30,0x99,
+ 0x7E,0x5F,0x8D,0xE2,0xF7,0xC6,0x2E,0x8D,0xA3,0x9F,0x58,0xAD,
+ 0xD6,0xA9,0x7D,0x0E,0x0D,0x95,0x53,0xA6,0x71,0x3A,0xDE,0xAB,
+ 0xAC,0xE9,0xF4,0x36,0x55,0x9E,0xB9,0xD6,0x93,0xBF,0xF3,0x18,
+ 0x1C,0x14,0x7B,0xA5,0x42,0x2E,0xCD,0x00,0xEB,0x35,0x3B,0x1B,
+ 0xA8,0x51,0xBB,0xE1,0x58,0x42,0x85,0x84,0x22,0xA7,0x97,0x5E,
+ 0x99,0x6F,0x38,0x20,0xBD,0x9D,0xB6,0xD9,0x33,0x37,0x2A,0xFD,
+ 0xBB,0xD4,0xBC,0x0C,0x2A,0x67,0xCB,0x9F,0xBB,0xDF,0xF9,0x93,
+ 0xAA,0xD6,0xF0,0xD6,0x95,0x0B,0x5D,0x65,0x14,0xD0,0x18,0x9D,
+ 0xC6,0xAF,0xF0,0xC6,0x37,0x7C,0xF3,0x5F,
};
static unsigned char out_q[] = {
- 0xd4, 0x0a, 0xac, 0x9f, 0xbd, 0x8c, 0x80, 0xc2, 0x38, 0x7e, 0x2e, 0x0c,
- 0x52, 0x5c, 0xea, 0x34, 0xa1, 0x83, 0x32, 0xf3
+ 0xE3,0x8E,0x5E,0x6D,0xBF,0x2B,0x79,0xF8,0xC5,0x4B,0x89,0x8B,
+ 0xBA,0x2D,0x91,0xC3,0x6C,0x80,0xAC,0x87,
};
static unsigned char out_g[] = {
- 0x34, 0x73, 0x8b, 0x57, 0x84, 0x8e, 0x55, 0xbf, 0x57, 0xcc, 0x41, 0xbb,
- 0x5e, 0x2b, 0xd5, 0x42, 0xdd, 0x24, 0x22, 0x2a, 0x09, 0xea, 0x26, 0x1e,
- 0x17, 0x65, 0xcb, 0x1a, 0xb3, 0x12, 0x44, 0xa3, 0x9e, 0x99, 0xe9, 0x63,
- 0xeb, 0x30, 0xb1, 0x78, 0x7b, 0x09, 0x40, 0x30, 0xfa, 0x83, 0xc2, 0x35,
- 0xe1, 0xc4, 0x2d, 0x74, 0x1a, 0xb1, 0x83, 0x54, 0xd8, 0x29, 0xf4, 0xcf,
- 0x7f, 0x6f, 0x67, 0x1c, 0x36, 0x49, 0xee, 0x6c, 0xa2, 0x3c, 0x2d, 0x6a,
- 0xe9, 0xd3, 0x9a, 0xf6, 0x57, 0x78, 0x6f, 0xfd, 0x33, 0xcd, 0x3c, 0xed,
- 0xfd, 0xd4, 0x41, 0xe6, 0x5c, 0x8b, 0xe0, 0x68, 0x31, 0x47, 0x47, 0xaf,
- 0x12, 0xa7, 0xf9, 0x32, 0x0d, 0x94, 0x15, 0x48, 0xd0, 0x54, 0x85, 0xb2,
- 0x04, 0xb5, 0x4d, 0xd4, 0x9d, 0x05, 0x22, 0x25, 0xd9, 0xfd, 0x6c, 0x36,
- 0xef, 0xbe, 0x69, 0x6c, 0x55, 0xf4, 0xee, 0xec
+ 0x42,0x4A,0x04,0x4E,0x79,0xB4,0x99,0x7F,0xFD,0x58,0x36,0x2C,
+ 0x1B,0x5F,0x18,0x7E,0x0D,0xCC,0xAB,0x81,0xC9,0x5D,0x10,0xCE,
+ 0x4E,0x80,0x7E,0x58,0xB4,0x34,0x3F,0xA7,0x45,0xC7,0xAA,0x36,
+ 0x24,0x42,0xA9,0x3B,0xE8,0x0E,0x04,0x02,0x2D,0xFB,0xA6,0x13,
+ 0xB9,0xB5,0x15,0xA5,0x56,0x07,0x35,0xE4,0x03,0xB6,0x79,0x7C,
+ 0x62,0xDD,0xDF,0x3F,0x71,0x3A,0x9D,0x8B,0xC4,0xF6,0xE7,0x1D,
+ 0x52,0xA8,0xA9,0x43,0x1D,0x33,0x51,0x88,0x39,0xBD,0x73,0xE9,
+ 0x5F,0xBE,0x82,0x49,0x27,0xE6,0xB5,0x53,0xC1,0x38,0xAC,0x2F,
+ 0x6D,0x97,0x6C,0xEB,0x67,0xC1,0x5F,0x67,0xF8,0x35,0x05,0x5E,
+ 0xD5,0x68,0x80,0xAA,0x96,0xCA,0x0B,0x8A,0xE6,0xF1,0xB1,0x41,
+ 0xC6,0x75,0x94,0x0A,0x0A,0x2A,0xFA,0x29,
};
static const unsigned char str1[]="12345678901234567890";
@@ -133,7 +131,7 @@ int FIPS_selftest_dsa()
goto err;
if(!DSA_generate_parameters_ex(dsa, 1024,seed,20,&counter,&h,NULL))
goto err;
- if (counter != 378)
+ if (counter != 239)
goto err;
if (h != 2)
goto err;

25
openssl-1.0.0c-pkcs12-fips-default.patch
View File

@ -1,25 +0,0 @@
diff -up openssl-1.0.0c/apps/pkcs12.c.fips-default openssl-1.0.0c/apps/pkcs12.c
--- openssl-1.0.0c/apps/pkcs12.c.fips-default 2009-07-27 23:08:45.000000000 +0200
+++ openssl-1.0.0c/apps/pkcs12.c 2011-02-04 15:25:38.000000000 +0100
@@ -67,6 +67,9 @@
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/pkcs12.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
#define PROG pkcs12_main
@@ -130,6 +133,11 @@ int MAIN(int argc, char **argv)
apps_startup();
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ cert_pbe = key_pbe; /* cannot use RC2 in the FIPS mode */
+#endif
+
enc = EVP_des_ede3_cbc();
if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);

94
openssl-1.0.0c-speed-fips.patch
View File

@ -1,94 +0,0 @@
diff -up openssl-1.0.0c/apps/speed.c.spfips openssl-1.0.0c/apps/speed.c
--- openssl-1.0.0c/apps/speed.c.spfips 2010-11-18 14:22:26.000000000 +0100
+++ openssl-1.0.0c/apps/speed.c 2011-01-24 17:25:32.000000000 +0100
@@ -100,6 +100,9 @@
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
#if !defined(OPENSSL_SYS_MSDOS)
#include OPENSSL_UNISTD
#endif
@@ -908,7 +911,12 @@ int MAIN(int argc, char **argv)
#ifndef OPENSSL_NO_RSA
if (strcmp(*argv,"rsa") == 0)
{
+#ifdef OPENSSL_FIPS
+ if (!FIPS_mode())
+#endif
+ {
rsa_doit[R_RSA_512]=1;
+ }
rsa_doit[R_RSA_1024]=1;
rsa_doit[R_RSA_2048]=1;
rsa_doit[R_RSA_4096]=1;
@@ -918,7 +926,12 @@ int MAIN(int argc, char **argv)
#ifndef OPENSSL_NO_DSA
if (strcmp(*argv,"dsa") == 0)
{
+#ifdef OPENSSL_FIPS
+ if (!FIPS_mode())
+#endif
+ {
dsa_doit[R_DSA_512]=1;
+ }
dsa_doit[R_DSA_1024]=1;
dsa_doit[R_DSA_2048]=1;
}
@@ -1193,30 +1206,54 @@ int MAIN(int argc, char **argv)
AES_set_encrypt_key(key32,256,&aes_ks3);
#endif
#ifndef OPENSSL_NO_CAMELLIA
+ if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML])
+ {
Camellia_set_key(key16,128,&camellia_ks1);
Camellia_set_key(ckey24,192,&camellia_ks2);
Camellia_set_key(ckey32,256,&camellia_ks3);
+ }
#endif
#ifndef OPENSSL_NO_IDEA
+ if (doit[D_CBC_IDEA])
+ {
idea_set_encrypt_key(key16,&idea_ks);
+ }
#endif
#ifndef OPENSSL_NO_SEED
+ if (doit[D_CBC_SEED])
+ {
SEED_set_key(key16,&seed_ks);
+ }
#endif
#ifndef OPENSSL_NO_RC4
+ if (doit[D_RC4])
+ {
RC4_set_key(&rc4_ks,16,key16);
+ }
#endif
#ifndef OPENSSL_NO_RC2
+ if (doit[D_CBC_RC2])
+ {
RC2_set_key(&rc2_ks,16,key16,128);
+ }
#endif
#ifndef OPENSSL_NO_RC5
+ if (doit[D_CBC_RC5])
+ {
RC5_32_set_key(&rc5_ks,16,key16,12);
+ }
#endif
#ifndef OPENSSL_NO_BF
+ if (doit[D_CBC_BF])
+ {
BF_set_key(&bf_ks,16,key16);
+ }
#endif
#ifndef OPENSSL_NO_CAST
+ if (doit[D_CBC_CAST])
+ {
CAST_set_key(&cast_ks,16,key16);
+ }
#endif
#ifndef OPENSSL_NO_RSA
memset(rsa_c,0,sizeof(rsa_c));

22
openssl-1.0.0d-version.patch
View File

@ -1,22 +0,0 @@
diff -up openssl-1.0.0d/crypto/opensslv.h.version openssl-1.0.0d/crypto/opensslv.h
--- openssl-1.0.0d/crypto/opensslv.h.version 2011-02-10 14:24:52.000000000 +0100
+++ openssl-1.0.0d/crypto/opensslv.h 2011-02-10 14:48:00.000000000 +0100
@@ -25,7 +25,8 @@
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-#define OPENSSL_VERSION_NUMBER 0x1000004fL
+/* we have to keep the version number to not break the abi */
+#define OPENSSL_VERSION_NUMBER 0x10000003
#ifdef OPENSSL_FIPS
#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0d-fips 8 Feb 2011"
#else
@@ -83,7 +84,7 @@
* should only keep the versions that are binary compatible with the current.
*/
#define SHLIB_VERSION_HISTORY ""
-#define SHLIB_VERSION_NUMBER "1.0.0"
+#define SHLIB_VERSION_NUMBER "1.0.0d"
#endif /* HEADER_OPENSSLV_H */

12
openssl-1.0.0d-xmpp-starttls.patch Normal file
View File

@ -0,0 +1,12 @@
diff -ru openssl-1.0.0d.old/apps/s_client.c openssl-1.0.0d/apps/s_client.c
--- openssl-1.0.0d.old/apps/s_client.c 2011-07-17 21:05:19.934181169 +0200
+++ openssl-1.0.0d/apps/s_client.c 2011-07-17 21:11:42.747824990 +0200
@@ -1186,7 +1186,7 @@
"xmlns='jabber:client' to='%s' version='1.0'>", host);
seen = BIO_read(sbio,mbuf,BUFSIZZ);
mbuf[seen] = 0;
- while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'"))
+ while (!strcasestr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") && !strcasestr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
{
if (strstr(mbuf, "/stream:features>"))
goto shut;

24
openssl-1.0.0e-chil-fixes.patch Normal file
View File

@ -0,0 +1,24 @@
diff -up openssl-1.0.0e/engines/e_chil.c.chil openssl-1.0.0e/engines/e_chil.c
--- openssl-1.0.0e/engines/e_chil.c.chil 2010-06-15 19:25:12.000000000 +0200
+++ openssl-1.0.0e/engines/e_chil.c 2011-09-21 17:32:03.000000000 +0200
@@ -1261,6 +1261,11 @@ static int hwcrhk_insert_card(const char
UI *ui;
void *callback_data = NULL;
UI_METHOD *ui_method = NULL;
+ /* Despite what the documentation says prompt_info can be
+ * an empty string.
+ */
+ if (prompt_info && !*prompt_info)
+ prompt_info = NULL;
if (cactx)
{
@@ -1287,7 +1292,7 @@ static int hwcrhk_insert_card(const char
if (ui)
{
- char answer;
+ char answer = '\0';
char buf[BUFSIZ];
/* Despite what the documentation says wrong_info can be
* an empty string.

23
openssl-1.0.0e-doc-noeof.patch Normal file
View File

@ -0,0 +1,23 @@
diff -up openssl-1.0.0e/doc/apps/s_client.pod.doc-noeof openssl-1.0.0e/doc/apps/s_client.pod
--- openssl-1.0.0e/doc/apps/s_client.pod.doc-noeof 2009-06-26 13:28:51.000000000 +0200
+++ openssl-1.0.0e/doc/apps/s_client.pod 2011-11-03 08:30:35.000000000 +0100
@@ -27,6 +27,7 @@ B<openssl> B<s_client>
[B<-nbio>]
[B<-crlf>]
[B<-ign_eof>]
+[B<-no_ign_eof>]
[B<-quiet>]
[B<-ssl2>]
[B<-ssl3>]
@@ -161,6 +162,11 @@ by some servers.
inhibit shutting down the connection when end of file is reached in the
input.
+=item B<-no_ign_eof>
+
+shut down the connection when end of file is reached in the
+input. Can be used to override the implicit B<-ign_eof> after B<-quiet>.
+
=item B<-quiet>
inhibit printing of session and certificate information. This implicitly

8
openssl-1.0.0-beta3-defaults.patch → openssl-1.0.0f-defaults.patch
View File

@ -1,6 +1,6 @@
diff -up openssl-1.0.0-beta3/apps/openssl.cnf.defaults openssl-1.0.0-beta3/apps/openssl.cnf
--- openssl-1.0.0-beta3/apps/openssl.cnf.defaults 2009-04-04 20:09:43.000000000 +0200
+++ openssl-1.0.0-beta3/apps/openssl.cnf 2009-08-04 22:57:16.000000000 +0200
diff -up openssl-1.0.0f/apps/openssl.cnf.defaults openssl-1.0.0f/apps/openssl.cnf
--- openssl-1.0.0f/apps/openssl.cnf.defaults 2011-12-06 01:01:00.000000000 +0100
+++ openssl-1.0.0f/apps/openssl.cnf 2012-01-05 13:16:15.000000000 +0100
@@ -103,7 +103,8 @@ emailAddress = optional
####################################################################
@ -37,7 +37,7 @@ diff -up openssl-1.0.0-beta3/apps/openssl.cnf.defaults openssl-1.0.0-beta3/apps/
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
-commonName = Common Name (eg, YOUR name)
-commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64

23
openssl-1.0.1-beta2-dtls1-abi.patch Normal file
View File

@ -0,0 +1,23 @@
diff -up openssl-1.0.1-beta2/ssl/dtls1.h.dtls1-abi openssl-1.0.1-beta2/ssl/dtls1.h
--- openssl-1.0.1-beta2/ssl/dtls1.h.dtls1-abi 2012-02-06 17:07:34.630336118 +0100
+++ openssl-1.0.1-beta2/ssl/dtls1.h 2012-02-06 17:10:08.956623707 +0100
@@ -222,9 +222,6 @@ typedef struct dtls1_state_st
*/
record_pqueue buffered_app_data;
- /* Is set when listening for new connections with dtls1_listen() */
- unsigned int listen;
-
unsigned int mtu; /* max DTLS packet size */
struct hm_header_st w_msg_hdr;
@@ -248,6 +245,9 @@ typedef struct dtls1_state_st
unsigned int retransmitting;
unsigned int change_cipher_spec_ok;
+ /* Is set when listening for new connections with dtls1_listen() */
+ unsigned int listen;
+
#ifndef OPENSSL_NO_SCTP
/* used when SSL_ST_XX_FLUSH is entered */
int next_state;

21
openssl-1.0.1-beta2-fips-md5-allow.patch Normal file
View File

@ -0,0 +1,21 @@
diff -up openssl-1.0.1-beta2/crypto/md5/md5_dgst.c.md5-allow openssl-1.0.1-beta2/crypto/md5/md5_dgst.c
--- openssl-1.0.1-beta2/crypto/md5/md5_dgst.c.md5-allow 2012-02-06 20:09:56.000000000 +0100
+++ openssl-1.0.1-beta2/crypto/md5/md5_dgst.c 2012-02-06 20:14:02.332117603 +0100
@@ -71,7 +71,16 @@ const char MD5_version[]="MD5" OPENSSL_V
#define INIT_DATA_C (unsigned long)0x98badcfeL
#define INIT_DATA_D (unsigned long)0x10325476L
-nonfips_md_init(MD5)
+int MD5_Init(MD5_CTX *c)
+#ifdef OPENSSL_FIPS
+ {
+ if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
+ OpenSSLDie(__FILE__, __LINE__, \
+ "Digest MD5 forbidden in FIPS mode!");
+ return private_MD5_Init(c);
+ }
+int private_MD5_Init(MD5_CTX *c)
+#endif
{
memset (c,0,sizeof(*c));
c->A=INIT_DATA_A;

193
openssl-1.0.1-beta2-padlock64.patch Normal file
View File

@ -0,0 +1,193 @@
diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/engines/e_padlock.c
--- openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 2011-06-21 18:42:15.000000000 +0200
+++ openssl-1.0.1-beta2/engines/e_padlock.c 2012-02-06 20:18:52.039537799 +0100
@@ -101,7 +101,10 @@
compiler choice is limited to GCC and Microsoft C. */
#undef COMPILE_HW_PADLOCK
#if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
-# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \
+# if (defined(__GNUC__) && __GNUC__>=2 && \
+ (defined(__i386__) || defined(__i386) || \
+ defined(__x86_64__) || defined(__x86_64)) \
+ ) || \
(defined(_MSC_VER) && defined(_M_IX86))
# define COMPILE_HW_PADLOCK
# endif
@@ -137,7 +140,7 @@ void ENGINE_load_padlock (void)
# endif
#elif defined(__GNUC__)
# ifndef alloca
-# define alloca(s) __builtin_alloca(s)
+# define alloca(s) __builtin_alloca((s))
# endif
#endif
@@ -304,6 +307,7 @@ static volatile struct padlock_cipher_da
* =======================================================
*/
#if defined(__GNUC__) && __GNUC__>=2
+#if defined(__i386__) || defined(__i386)
/*
* As for excessive "push %ebx"/"pop %ebx" found all over.
* When generating position-independent code GCC won't let
@@ -383,21 +387,6 @@ padlock_available(void)
return padlock_use_ace + padlock_use_rng;
}
-#ifndef OPENSSL_NO_AES
-/* Our own htonl()/ntohl() */
-static inline void
-padlock_bswapl(AES_KEY *ks)
-{
- size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
- unsigned int *key = ks->rd_key;
-
- while (i--) {
- asm volatile ("bswapl %0" : "+r"(*key));
- key++;
- }
-}
-#endif
-
/* Force key reload from memory to the CPU microcode.
Loading EFLAGS from the stack clears EFLAGS[30]
which does the trick. */
@@ -455,12 +444,127 @@ static inline void *name(size_t cnt, \
: "edx", "cc", "memory"); \
return iv; \
}
+#endif
+
+#elif defined(__x86_64__) || defined(__x86_64)
+
+/* Load supported features of the CPU to see if
+ the PadLock is available. */
+static int
+padlock_available(void)
+{
+ char vendor_string[16];
+ unsigned int eax, edx;
+ /* Are we running on the Centaur (VIA) CPU? */
+ eax = 0x00000000;
+ vendor_string[12] = 0;
+ asm volatile (
+ "cpuid\n"
+ "movl %%ebx,(%1)\n"
+ "movl %%edx,4(%1)\n"
+ "movl %%ecx,8(%1)\n"
+ : "+a"(eax) : "r"(vendor_string) : "rbx", "rcx", "rdx");
+ if (strcmp(vendor_string, "CentaurHauls") != 0)
+ return 0;
+
+ /* Check for Centaur Extended Feature Flags presence */
+ eax = 0xC0000000;
+ asm volatile ("cpuid"
+ : "+a"(eax) : : "rbx", "rcx", "rdx");
+ if (eax < 0xC0000001)
+ return 0;
+
+ /* Read the Centaur Extended Feature Flags */
+ eax = 0xC0000001;
+ asm volatile ("cpuid"
+ : "+a"(eax), "=d"(edx) : : "rbx", "rcx");
+
+ /* Fill up some flags */
+ padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6));
+ padlock_use_rng = ((edx & (0x3<<2)) == (0x3<<2));
+
+ return padlock_use_ace + padlock_use_rng;
+}
+
+/* Force key reload from memory to the CPU microcode.
+ Loading EFLAGS from the stack clears EFLAGS[30]
+ which does the trick. */
+static inline void
+padlock_reload_key(void)
+{
+ asm volatile ("pushfq; popfq");
+}
+
+#ifndef OPENSSL_NO_AES
+/*
+ * This is heuristic key context tracing. At first one
+ * believes that one should use atomic swap instructions,
+ * but it's not actually necessary. Point is that if
+ * padlock_saved_context was changed by another thread
+ * after we've read it and before we compare it with cdata,
+ * our key *shall* be reloaded upon thread context switch
+ * and we are therefore set in either case...
+ */
+static inline void
+padlock_verify_context(struct padlock_cipher_data *cdata)
+{
+ asm volatile (
+ "pushfq\n"
+" btl $30,(%%rsp)\n"
+" jnc 1f\n"
+" cmpq %2,%1\n"
+" je 1f\n"
+" popfq\n"
+" subq $8,%%rsp\n"
+"1: addq $8,%%rsp\n"
+" movq %2,%0"
+ :"+m"(padlock_saved_context)
+ : "r"(padlock_saved_context), "r"(cdata) : "cc");
+}
+
+/* Template for padlock_xcrypt_* modes */
+/* BIG FAT WARNING:
+ * The offsets used with 'leal' instructions
+ * describe items of the 'padlock_cipher_data'
+ * structure.
+ */
+#define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \
+static inline void *name(size_t cnt, \
+ struct padlock_cipher_data *cdata, \
+ void *out, const void *inp) \
+{ void *iv; \
+ asm volatile ( "leaq 16(%0),%%rdx\n" \
+ " leaq 32(%0),%%rbx\n" \
+ rep_xcrypt "\n" \
+ : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
+ : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \
+ : "rbx", "rdx", "cc", "memory"); \
+ return iv; \
+}
+#endif
+
+#endif /* cpu */
+
+#ifndef OPENSSL_NO_AES
/* Generate all functions with appropriate opcodes */
PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, ".byte 0xf3,0x0f,0xa7,0xc8") /* rep xcryptecb */
PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc, ".byte 0xf3,0x0f,0xa7,0xd0") /* rep xcryptcbc */
PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0") /* rep xcryptcfb */
PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8") /* rep xcryptofb */
+
+/* Our own htonl()/ntohl() */
+static inline void
+padlock_bswapl(AES_KEY *ks)
+{
+ size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
+ unsigned int *key = ks->rd_key;
+
+ while (i--) {
+ asm volatile ("bswapl %0" : "+r"(*key));
+ key++;
+ }
+}
#endif
/* The RNG call itself */
@@ -491,8 +595,8 @@ padlock_xstore(void *addr, unsigned int
static inline unsigned char *
padlock_memcpy(void *dst,const void *src,size_t n)
{
- long *d=dst;
- const long *s=src;
+ size_t *d=dst;
+ const size_t *s=src;
n /= sizeof(*d);
do { *d++ = *s++; } while (--n);

68
openssl-1.0.0-beta4-redhat.patch → openssl-1.0.1-beta2-rpmbuild.patch
View File

@ -1,7 +1,7 @@
diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure
--- openssl-1.0.0-beta4/Configure.redhat 2009-11-09 15:11:13.000000000 +0100
+++ openssl-1.0.0-beta4/Configure 2009-11-12 12:15:27.000000000 +0100
@@ -336,32 +336,32 @@ my %table=(
diff -up openssl-1.0.1-beta2/Configure.rpmbuild openssl-1.0.1-beta2/Configure
--- openssl-1.0.1-beta2/Configure.rpmbuild 2012-01-05 01:07:34.000000000 +0100
+++ openssl-1.0.1-beta2/Configure 2012-02-02 12:43:56.547409325 +0100
@@ -343,23 +343,23 @@ my %table=(
####
# *-generic* is endian-neutral target, but ./config is free to
# throw in -D[BL]_ENDIAN, whichever appropriate...
@ -27,10 +27,19 @@ diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure
+"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-"linux-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+"linux-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-"linux64-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+"linux64-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
#### So called "highgprs" target for z/Architecture CPUs
# "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
# /proc/cpuinfo. The idea is to preserve most significant bits of
@@ -373,16 +373,16 @@ my %table=(
# ldconfig and run-time linker to autodiscover. Unfortunately it
# doesn't work just yet, because of couple of bugs in glibc
# sysdeps/s390/dl-procinfo.c affecting ldconfig and ld.so.1...
-"linux32-s390x", "gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/highgprs",
+"linux32-s390x", "gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::/highgprs",
#### SPARC Linux setups
# Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
# assisted with debugging of following two configs.
@ -46,7 +55,7 @@ diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure
#### Alpha Linux with GNU C and Compaq C setups
# Special notes:
# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
@@ -375,8 +375,8 @@ my %table=(
@@ -396,8 +396,8 @@ my %table=(
#
# <appro@fy.chalmers.se>
#
@ -57,3 +66,44 @@ diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure
"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
@@ -1678,7 +1678,7 @@ while (<IN>)
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
{
my $sotmp = $1;
- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
+ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
}
elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
{
diff -up openssl-1.0.1-beta2/Makefile.org.rpmbuild openssl-1.0.1-beta2/Makefile.org
--- openssl-1.0.1-beta2/Makefile.org.rpmbuild 2011-12-27 16:17:50.000000000 +0100
+++ openssl-1.0.1-beta2/Makefile.org 2012-02-02 12:30:23.652495435 +0100
@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
SHLIB_MAJOR=
SHLIB_MINOR=
SHLIB_EXT=
+SHLIB_SONAMEVER=10
PLATFORM=dist
OPTIONS=
CONFIGURE_ARGS=
@@ -333,10 +334,9 @@ clean-shared:
link-shared:
@ set -e; for i in $(SHLIBDIRS); do \
$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
symlink.$(SHLIB_TARGET); \
- libs="$$libs -l$$i"; \
done
build-shared: do_$(SHLIB_TARGET) link-shared
@@ -347,7 +347,7 @@ do_$(SHLIB_TARGET):
libs="$(LIBKRB5) $$libs"; \
fi; \
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
- LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
+ LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
LIBDEPS="$$libs $(EX_LIBS)" \
link_a.$(SHLIB_TARGET); \

14
openssl-1.0.0-beta5-cipher-change.patch → openssl-1.0.1-beta2-ssl-op-all.patch
View File

@ -1,7 +1,7 @@
diff -up openssl-1.0.0-beta5/ssl/ssl.h.cipher-change openssl-1.0.0-beta5/ssl/ssl.h
--- openssl-1.0.0-beta5/ssl/ssl.h.cipher-change 2010-01-20 18:12:07.000000000 +0100
+++ openssl-1.0.0-beta5/ssl/ssl.h 2010-01-20 18:13:04.000000000 +0100
@@ -513,7 +513,7 @@ typedef struct ssl_session_st
diff -up openssl-1.0.1-beta2/ssl/ssl.h.op-all openssl-1.0.1-beta2/ssl/ssl.h
--- openssl-1.0.1-beta2/ssl/ssl.h.op-all 2012-02-02 12:49:00.828035916 +0100
+++ openssl-1.0.1-beta2/ssl/ssl.h 2012-02-02 12:52:27.297818182 +0100
@@ -540,7 +540,7 @@ struct ssl_session_st
#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
/* Allow initial connection to servers that don't support RI */
#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
@ -10,12 +10,12 @@ diff -up openssl-1.0.0-beta5/ssl/ssl.h.cipher-change openssl-1.0.0-beta5/ssl/ssl
#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */
@@ -530,7 +530,7 @@ typedef struct ssl_session_st
@@ -558,7 +558,7 @@ struct ssl_session_st
/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
* This used to be 0x000FFFFFL before 0.9.7. */
-#define SSL_OP_ALL 0x80000FFFL
+#define SSL_OP_ALL 0x80000FF7L
-#define SSL_OP_ALL 0x80000BFFL
+#define SSL_OP_ALL 0x80000BF7L /* we still have to include SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS */
/* DTLS options */
#define SSL_OP_NO_QUERY_MTU 0x00001000L

30
openssl-1.0.1-pkgconfig-krb5.patch Normal file
View File

@ -0,0 +1,30 @@
diff -up openssl-1.0.1/Makefile.org.krb5 openssl-1.0.1/Makefile.org
--- openssl-1.0.1/Makefile.org.krb5 2012-03-14 21:15:04.000000000 +0100
+++ openssl-1.0.1/Makefile.org 2012-04-11 16:28:31.254725422 +0200
@@ -370,7 +370,7 @@ libcrypto.pc: Makefile
echo 'Requires: '; \
echo 'Libs: -L$${libdir} -lcrypto'; \
echo 'Libs.private: $(EX_LIBS)'; \
- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
+ echo 'Cflags: -I$${includedir}' ) > libcrypto.pc
libssl.pc: Makefile
@ ( echo 'prefix=$(INSTALLTOP)'; \
@@ -383,7 +383,7 @@ libssl.pc: Makefile
echo 'Version: '$(VERSION); \
echo 'Requires: '; \
echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
- echo 'Libs.private: $(EX_LIBS)'; \
+ echo 'Libs.private: $(EX_LIBS) $(LIBKRB5)'; \
echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
openssl.pc: Makefile
@@ -397,7 +397,7 @@ openssl.pc: Makefile
echo 'Version: '$(VERSION); \
echo 'Requires: '; \
echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
- echo 'Libs.private: $(EX_LIBS)'; \
+ echo 'Libs.private: $(EX_LIBS) $(LIBKRB5)'; \
echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
Makefile: Makefile.org Configure config

55
openssl-1.0.1-version.patch Normal file
View File

@ -0,0 +1,55 @@
diff -up openssl-1.0.1/crypto/cversion.c.version openssl-1.0.1/crypto/cversion.c
--- openssl-1.0.1/crypto/cversion.c.version 2004-04-19 20:09:22.000000000 +0200
+++ openssl-1.0.1/crypto/cversion.c 2012-03-14 20:58:20.630352536 +0100
@@ -110,8 +110,15 @@ const char *SSLeay_version(int t)
return("not available");
}
-unsigned long SSLeay(void)
+unsigned long _original_SSLeay(void)
+ {
+ return(0x10000003);
+ }
+
+unsigned long _current_SSLeay(void)
{
return(SSLEAY_VERSION_NUMBER);
}
+__asm__(".symver _original_SSLeay,SSLeay@");
+__asm__(".symver _current_SSLeay,SSLeay@@OPENSSL_1.0.1");
diff -up openssl-1.0.1/crypto/opensslv.h.version openssl-1.0.1/crypto/opensslv.h
--- openssl-1.0.1/crypto/opensslv.h.version 2012-03-14 20:58:19.914337879 +0100
+++ openssl-1.0.1/crypto/opensslv.h 2012-03-14 20:58:20.630352536 +0100
@@ -83,7 +83,7 @@
* should only keep the versions that are binary compatible with the current.
*/
#define SHLIB_VERSION_HISTORY ""
-#define SHLIB_VERSION_NUMBER "1.0.0"
+#define SHLIB_VERSION_NUMBER "1.0.1c"
#endif /* HEADER_OPENSSLV_H */
diff -up openssl-1.0.1/Makefile.shared.version openssl-1.0.1/Makefile.shared
--- openssl-1.0.1/Makefile.shared.version 2012-03-14 20:58:20.553350959 +0100
+++ openssl-1.0.1/Makefile.shared 2012-03-14 20:58:20.631352556 +0100
@@ -151,7 +151,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
SHLIB_SUFFIX=; \
ALLSYMSFLAGS='-Wl,--whole-archive'; \
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,--default-symver,--version-script=version.map -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
DO_GNU_APP=LDFLAGS="$(CFLAGS)"
diff -up openssl-1.0.1/version.map.version openssl-1.0.1/version.map
--- openssl-1.0.1/version.map.version 2012-03-14 20:58:20.631352556 +0100
+++ openssl-1.0.1/version.map 2012-03-14 20:58:20.631352556 +0100
@@ -0,0 +1,7 @@
+OPENSSL_1.0.1 {
+ global:
+ SSLeay;
+ local:
+ _original*;
+ _current*;
+};

54
openssl-1.0.0-beta4-algo-doc.patch → openssl-1.0.1a-algo-doc.patch
View File

@ -1,28 +1,7 @@
diff -up openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod
--- openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc 2009-10-16 17:29:34.000000000 +0200
+++ openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod 2009-11-12 14:13:21.000000000 +0100
@@ -6,7 +6,8 @@ EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_
EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE,
EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size,
EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type,
-EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_dss, EVP_dss1, EVP_mdc2,
+EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_sha224,
+EVP_sha256, EVP_sha384, EVP_sha512, EVP_dss, EVP_dss1, EVP_mdc2,
EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj -
EVP digest routines
@@ -51,6 +52,10 @@ EVP digest routines
const EVP_MD *EVP_md5(void);
const EVP_MD *EVP_sha(void);
const EVP_MD *EVP_sha1(void);
+ const EVP_MD *EVP_sha224(void);
+ const EVP_MD *EVP_sha256(void);
+ const EVP_MD *EVP_sha384(void);
+ const EVP_MD *EVP_sha512(void);
const EVP_MD *EVP_dss(void);
const EVP_MD *EVP_dss1(void);
const EVP_MD *EVP_mdc2(void);
@@ -70,7 +75,7 @@ EVP_MD_CTX_create() allocates, initializ
diff -up openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod
--- openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc 2012-04-11 00:28:22.000000000 +0200
+++ openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod 2012-04-20 09:14:01.865167011 +0200
@@ -75,7 +75,7 @@ EVP_MD_CTX_create() allocates, initializ
EVP_DigestInit_ex() sets up digest context B<ctx> to use a digest
B<type> from ENGINE B<impl>. B<ctx> must be initialized before calling this
@ -31,22 +10,7 @@ diff -up openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.
If B<impl> is NULL then the default implementation of digest B<type> is used.
EVP_DigestUpdate() hashes B<cnt> bytes of data at B<d> into the
@@ -127,9 +132,11 @@ with this digest. For example EVP_sha1()
return B<NID_sha1WithRSAEncryption>. This "link" between digests and signature
algorithms may not be retained in future versions of OpenSSL.
-EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_mdc2() and EVP_ripemd160()
-return B<EVP_MD> structures for the MD2, MD5, SHA, SHA1, MDC2 and RIPEMD160 digest
-algorithms respectively. The associated signature algorithm is RSA in each case.
+EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_sha224(), EVP_sha256(),
+EVP_sha384(), EVP_sha512(), EVP_mdc2() and EVP_ripemd160()
+return B<EVP_MD> structures for the MD2, MD5, SHA, SHA1, SHA224, SHA256, SHA384,
+SHA512, MDC2 and RIPEMD160 digest algorithms respectively. The associated
+signature algorithm is RSA in each case.
EVP_dss() and EVP_dss1() return B<EVP_MD> structures for SHA and SHA1 digest
algorithms but using DSS (DSA) for the signature algorithm. Note: there is
@@ -158,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
@@ -165,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
EVP_MD_CTX_block_size() and EVP_MD_block_size() return the digest or block
size in bytes.
@ -56,10 +20,10 @@ diff -up openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.
EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
corresponding EVP_MD structures.
diff -up openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod
--- openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc 2005-04-15 18:01:35.000000000 +0200
+++ openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod 2009-11-12 14:11:03.000000000 +0100
@@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher
diff -up openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod
--- openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod.algo-doc 2005-04-15 18:01:35.000000000 +0200
+++ openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod 2012-04-20 09:10:59.114736465 +0200
@@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher
int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);

12
openssl-1.0.1c-aliasing.patch Normal file
View File

@ -0,0 +1,12 @@
diff -up openssl-1.0.1c/crypto/modes/Makefile.aliasing openssl-1.0.1c/crypto/modes/Makefile
--- openssl-1.0.1c/crypto/modes/Makefile.aliasing 2011-08-12 00:36:17.000000000 +0200
+++ openssl-1.0.1c/crypto/modes/Makefile 2012-07-13 11:32:10.767829077 +0200
@@ -12,7 +12,7 @@ AR= ar r
MODES_ASM_OBJ=
-CFLAGS= $(INCLUDES) $(CFLAG)
+CFLAGS= $(INCLUDES) $(CFLAG) -fno-strict-aliasing
ASFLAGS= $(INCLUDES) $(ASFLAG)
AFLAGS= $(ASFLAGS)

106
openssl-1.0.1c-backports.patch Normal file
View File

@ -0,0 +1,106 @@
diff -up openssl-1.0.1c/crypto/asn1/x_pubkey.c.backports openssl-1.0.1c/crypto/asn1/x_pubkey.c
--- openssl-1.0.1c/crypto/asn1/x_pubkey.c.backports 2012-02-28 15:47:16.000000000 +0100
+++ openssl-1.0.1c/crypto/asn1/x_pubkey.c 2012-05-15 17:44:14.584128501 +0200
@@ -175,12 +175,15 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *k
CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY);
if (key->pkey)
{
+ CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
EVP_PKEY_free(ret);
ret = key->pkey;
}
else
+ {
key->pkey = ret;
- CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
+ CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
+ }
CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY);
return ret;
diff -up openssl-1.0.1c/ssl/s3_lib.c.backports openssl-1.0.1c/ssl/s3_lib.c
--- openssl-1.0.1c/ssl/s3_lib.c.backports 2012-04-17 17:20:17.000000000 +0200
+++ openssl-1.0.1c/ssl/s3_lib.c 2012-05-15 17:42:43.880139566 +0200
@@ -1125,7 +1125,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
0, /* not implemented (non-ephemeral DH) */
TLS1_TXT_DH_DSS_WITH_AES_128_SHA256,
TLS1_CK_DH_DSS_WITH_AES_128_SHA256,
- SSL_kDHr,
+ SSL_kDHd,
SSL_aDH,
SSL_AES128,
SSL_SHA256,
@@ -1407,7 +1407,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
0, /* not implemented (non-ephemeral DH) */
TLS1_TXT_DH_DSS_WITH_AES_256_SHA256,
TLS1_CK_DH_DSS_WITH_AES_256_SHA256,
- SSL_kDHr,
+ SSL_kDHd,
SSL_aDH,
SSL_AES256,
SSL_SHA256,
@@ -1958,7 +1958,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
0,
TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256,
TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256,
- SSL_kDHr,
+ SSL_kDHd,
SSL_aDH,
SSL_AES128GCM,
SSL_AEAD,
@@ -1974,7 +1974,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
0,
TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384,
TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384,
- SSL_kDHr,
+ SSL_kDHd,
SSL_aDH,
SSL_AES256GCM,
SSL_AEAD,
@@ -2669,7 +2669,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
1,
TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256,
TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256,
- SSL_kECDHe,
+ SSL_kECDHr,
SSL_aECDH,
SSL_AES128,
SSL_SHA256,
@@ -2685,7 +2685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
1,
TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384,
TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384,
- SSL_kECDHe,
+ SSL_kECDHr,
SSL_aECDH,
SSL_AES256,
SSL_SHA384,
@@ -2799,7 +2799,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
1,
TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256,
TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256,
- SSL_kECDHe,
+ SSL_kECDHr,
SSL_aECDH,
SSL_AES128GCM,
SSL_AEAD,
@@ -2815,7 +2815,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
1,
TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384,
TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384,
- SSL_kECDHe,
+ SSL_kECDHr,
SSL_aECDH,
SSL_AES256GCM,
SSL_AEAD,
diff -up openssl-1.0.1c/ssl/s3_pkt.c.backports openssl-1.0.1c/ssl/s3_pkt.c
--- openssl-1.0.1c/ssl/s3_pkt.c.backports 2012-04-17 15:20:19.000000000 +0200
+++ openssl-1.0.1c/ssl/s3_pkt.c 2012-05-15 17:43:48.470555889 +0200
@@ -744,6 +744,7 @@ static int do_ssl3_write(SSL *s, int typ
* bytes and record version number > TLS 1.0
*/
if (s->state == SSL3_ST_CW_CLNT_HELLO_B
+ && !s->renegotiate
&& TLS1_get_version(s) > TLS1_VERSION)
*(p++) = 0x1;
else

103
openssl-1.0.1c-backports2.patch Normal file
View File

@ -0,0 +1,103 @@
diff -up openssl-1.0.1c/apps/cms.c.backports2 openssl-1.0.1c/apps/cms.c
--- openssl-1.0.1c/apps/cms.c.backports2 2012-01-05 14:46:27.000000000 +0100
+++ openssl-1.0.1c/apps/cms.c 2012-09-07 10:34:42.000000000 +0200
@@ -233,6 +233,8 @@ int MAIN(int argc, char **argv)
else if (!strcmp(*args,"-camellia256"))
cipher = EVP_camellia_256_cbc();
#endif
+ else if (!strcmp (*args, "-debug_decrypt"))
+ flags |= CMS_DEBUG_DECRYPT;
else if (!strcmp (*args, "-text"))
flags |= CMS_TEXT;
else if (!strcmp (*args, "-nointern"))
@@ -1039,6 +1041,8 @@ int MAIN(int argc, char **argv)
ret = 4;
if (operation == SMIME_DECRYPT)
{
+ if (flags & CMS_DEBUG_DECRYPT)
+ CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags);
if (secret_key)
{
diff -up openssl-1.0.1c/crypto/bn/bn_lcl.h.backports2 openssl-1.0.1c/crypto/bn/bn_lcl.h
--- openssl-1.0.1c/crypto/bn/bn_lcl.h.backports2 2012-09-06 17:25:22.000000000 +0200
+++ openssl-1.0.1c/crypto/bn/bn_lcl.h 2012-09-07 10:22:43.000000000 +0200
@@ -282,16 +282,23 @@ extern "C" {
# endif
# elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG))
# if defined(__GNUC__) && __GNUC__>=2
-# define BN_UMULT_HIGH(a,b) ({ \
+# if __GNUC__>=4 && __GNUC_MINOR__>=4 /* "h" constraint is no more since 4.4 */
+# define BN_UMULT_HIGH(a,b) (((__uint128_t)(a)*(b))>>64)
+# define BN_UMULT_LOHI(low,high,a,b) ({ \
+ __uint128_t ret=(__uint128_t)(a)*(b); \
+ (high)=ret>>64; (low)=ret; })
+# else
+# define BN_UMULT_HIGH(a,b) ({ \
register BN_ULONG ret; \
asm ("dmultu %1,%2" \
: "=h"(ret) \
: "r"(a), "r"(b) : "l"); \
ret; })
-# define BN_UMULT_LOHI(low,high,a,b) \
+# define BN_UMULT_LOHI(low,high,a,b)\
asm ("dmultu %2,%3" \
: "=l"(low),"=h"(high) \
: "r"(a), "r"(b));
+# endif
# endif
# endif /* cpu */
#endif /* OPENSSL_NO_ASM */
diff -up openssl-1.0.1c/crypto/modes/gcm128.c.backports2 openssl-1.0.1c/crypto/modes/gcm128.c
--- openssl-1.0.1c/crypto/modes/gcm128.c.backports2 2012-01-25 18:56:24.000000000 +0100
+++ openssl-1.0.1c/crypto/modes/gcm128.c 2012-09-07 10:24:56.000000000 +0200
@@ -1398,7 +1398,7 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT
void (*gcm_gmult_p)(u64 Xi[2],const u128 Htable[16]) = ctx->gmult;
#endif
- if (ctx->mres)
+ if (ctx->mres || ctx->ares)
GCM_MUL(ctx,Xi);
if (is_endian.little) {
diff -up openssl-1.0.1c/ssl/ssl_cert.c.backports2 openssl-1.0.1c/ssl/ssl_cert.c
--- openssl-1.0.1c/ssl/ssl_cert.c.backports2 2011-05-11 15:37:52.000000000 +0200
+++ openssl-1.0.1c/ssl/ssl_cert.c 2012-09-07 10:33:54.000000000 +0200
@@ -164,14 +164,14 @@ static void ssl_cert_set_default_md(CERT
{
/* Set digest values to defaults */
#ifndef OPENSSL_NO_DSA
- cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
+ cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
#endif
#ifndef OPENSSL_NO_RSA
cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
#endif
#ifndef OPENSSL_NO_ECDSA
- cert->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
+ cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
#endif
}
diff -up openssl-1.0.1c/ssl/t1_lib.c.backports2 openssl-1.0.1c/ssl/t1_lib.c
--- openssl-1.0.1c/ssl/t1_lib.c.backports2 2012-03-21 22:32:57.000000000 +0100
+++ openssl-1.0.1c/ssl/t1_lib.c 2012-09-07 10:33:54.000000000 +0200
@@ -2414,7 +2414,7 @@ int tls1_process_sigalgs(SSL *s, const u
*/
#ifndef OPENSSL_NO_DSA
if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
- c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
+ c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
#endif
#ifndef OPENSSL_NO_RSA
if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
@@ -2425,7 +2425,7 @@ int tls1_process_sigalgs(SSL *s, const u
#endif
#ifndef OPENSSL_NO_ECDSA
if (!c->pkeys[SSL_PKEY_ECC].digest)
- c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
+ c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
#endif
return 1;
}

11
openssl-1.0.1c-ccm-init-str.patch Normal file
View File

@ -0,0 +1,11 @@
diff -up openssl-1.0.1c/crypto/evp/e_aes.c.init-str openssl-1.0.1c/crypto/evp/e_aes.c
--- openssl-1.0.1c/crypto/evp/e_aes.c.init-str 2012-09-06 17:20:45.000000000 +0200
+++ openssl-1.0.1c/crypto/evp/e_aes.c 2012-09-06 17:18:30.000000000 +0200
@@ -1216,6 +1216,7 @@ static int aes_ccm_init_key(EVP_CIPHER_C
vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks);
CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
&cctx->ks, (block128_f)vpaes_encrypt);
+ cctx->str = NULL;
cctx->key_set = 1;
break;
}

20357
openssl-1.0.1c-fips.patch Normal file
View File

File diff suppressed because it is too large Load Diff

96
openssl-1.0.0b-ipv6-apps.patch → openssl-1.0.1c-ipv6-apps.patch
View File

@ -1,6 +1,6 @@
diff -up openssl-1.0.0b/apps/s_apps.h.ipv6-apps openssl-1.0.0b/apps/s_apps.h
--- openssl-1.0.0b/apps/s_apps.h.ipv6-apps 2010-11-16 17:19:29.000000000 +0100
+++ openssl-1.0.0b/apps/s_apps.h 2010-11-16 17:19:29.000000000 +0100
diff -up openssl-1.0.1c/apps/s_apps.h.ipv6-apps openssl-1.0.1c/apps/s_apps.h
--- openssl-1.0.1c/apps/s_apps.h.ipv6-apps 2012-07-11 22:46:02.409221206 +0200
+++ openssl-1.0.1c/apps/s_apps.h 2012-07-11 22:46:02.451222165 +0200
@@ -148,7 +148,7 @@ typedef fd_mask fd_set;
#define PORT_STR "4433"
#define PROTOCOL "tcp"
@ -10,7 +10,7 @@ diff -up openssl-1.0.0b/apps/s_apps.h.ipv6-apps openssl-1.0.0b/apps/s_apps.h
#ifdef HEADER_X509_H
int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
#endif
@@ -156,10 +156,9 @@ int MS_CALLBACK verify_callback(int ok,
@@ -156,10 +156,9 @@ int MS_CALLBACK verify_callback(int ok,
int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
#endif
@ -23,10 +23,10 @@ diff -up openssl-1.0.0b/apps/s_apps.h.ipv6-apps openssl-1.0.0b/apps/s_apps.h
long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
int argi, long argl, long ret);
diff -up openssl-1.0.0b/apps/s_client.c.ipv6-apps openssl-1.0.0b/apps/s_client.c
--- openssl-1.0.0b/apps/s_client.c.ipv6-apps 2010-11-16 17:19:29.000000000 +0100
+++ openssl-1.0.0b/apps/s_client.c 2010-11-16 17:19:29.000000000 +0100
@@ -389,7 +389,7 @@ int MAIN(int argc, char **argv)
diff -up openssl-1.0.1c/apps/s_client.c.ipv6-apps openssl-1.0.1c/apps/s_client.c
--- openssl-1.0.1c/apps/s_client.c.ipv6-apps 2012-07-11 22:46:02.433221754 +0200
+++ openssl-1.0.1c/apps/s_client.c 2012-07-11 22:46:02.452222187 +0200
@@ -563,7 +563,7 @@ int MAIN(int argc, char **argv)
int cbuf_len,cbuf_off;
int sbuf_len,sbuf_off;
fd_set readfds,writefds;
@ -35,7 +35,7 @@ diff -up openssl-1.0.0b/apps/s_client.c.ipv6-apps openssl-1.0.0b/apps/s_client.c
int full_log=1;
char *host=SSL_HOST_NAME;
char *cert_file=NULL,*key_file=NULL;
@@ -488,13 +488,12 @@ int MAIN(int argc, char **argv)
@@ -664,13 +664,12 @@ int MAIN(int argc, char **argv)
else if (strcmp(*argv,"-port") == 0)
{
if (--argc < 1) goto bad;
@ -51,7 +51,7 @@ diff -up openssl-1.0.0b/apps/s_client.c.ipv6-apps openssl-1.0.0b/apps/s_client.c
goto bad;
}
else if (strcmp(*argv,"-verify") == 0)
@@ -967,7 +966,7 @@ bad:
@@ -1253,7 +1252,7 @@ bad:
re_start:
@ -60,10 +60,10 @@ diff -up openssl-1.0.0b/apps/s_client.c.ipv6-apps openssl-1.0.0b/apps/s_client.c
{
BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
SHUTDOWN(s);
diff -up openssl-1.0.0b/apps/s_server.c.ipv6-apps openssl-1.0.0b/apps/s_server.c
--- openssl-1.0.0b/apps/s_server.c.ipv6-apps 2010-11-16 17:19:29.000000000 +0100
+++ openssl-1.0.0b/apps/s_server.c 2010-11-16 17:19:29.000000000 +0100
@@ -838,7 +838,7 @@ int MAIN(int argc, char *argv[])
diff -up openssl-1.0.1c/apps/s_server.c.ipv6-apps openssl-1.0.1c/apps/s_server.c
--- openssl-1.0.1c/apps/s_server.c.ipv6-apps 2012-07-11 22:46:02.434221777 +0200
+++ openssl-1.0.1c/apps/s_server.c 2012-07-11 22:46:02.453222210 +0200
@@ -929,7 +929,7 @@ int MAIN(int argc, char *argv[])
{
X509_VERIFY_PARAM *vpm = NULL;
int badarg = 0;
@ -72,7 +72,7 @@ diff -up openssl-1.0.0b/apps/s_server.c.ipv6-apps openssl-1.0.0b/apps/s_server.c
char *CApath=NULL,*CAfile=NULL;
unsigned char *context = NULL;
char *dhfile = NULL;
@@ -909,8 +909,7 @@ int MAIN(int argc, char *argv[])
@@ -1000,8 +1000,7 @@ int MAIN(int argc, char *argv[])
(strcmp(*argv,"-accept") == 0))
{
if (--argc < 1) goto bad;
@ -82,7 +82,7 @@ diff -up openssl-1.0.0b/apps/s_server.c.ipv6-apps openssl-1.0.0b/apps/s_server.c
}
else if (strcmp(*argv,"-verify") == 0)
{
@@ -1700,9 +1699,9 @@ bad:
@@ -1878,9 +1877,9 @@ bad:
BIO_printf(bio_s_out,"ACCEPT\n");
(void)BIO_flush(bio_s_out);
if (www)
@ -94,9 +94,9 @@ diff -up openssl-1.0.0b/apps/s_server.c.ipv6-apps openssl-1.0.0b/apps/s_server.c
print_stats(bio_s_out,ctx);
ret=0;
end:
diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
--- openssl-1.0.0b/apps/s_socket.c.ipv6-apps 2010-07-05 13:03:22.000000000 +0200
+++ openssl-1.0.0b/apps/s_socket.c 2010-11-16 17:27:18.000000000 +0100
diff -up openssl-1.0.1c/apps/s_socket.c.ipv6-apps openssl-1.0.1c/apps/s_socket.c
--- openssl-1.0.1c/apps/s_socket.c.ipv6-apps 2011-12-02 15:39:40.000000000 +0100
+++ openssl-1.0.1c/apps/s_socket.c 2012-07-11 22:49:05.411400450 +0200
@@ -102,9 +102,7 @@ static struct hostent *GetHostByName(cha
static void ssl_sock_cleanup(void);
#endif
@ -108,7 +108,7 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
static int do_accept(int acc_sock, int *sock, char **host);
static int host_ip(char *str, unsigned char ip[4]);
@@ -234,58 +232,70 @@ static int ssl_sock_init(void)
@@ -234,57 +232,70 @@ static int ssl_sock_init(void)
return(1);
}
@ -117,11 +117,10 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
{
- unsigned char ip[4];
-
- memset(ip, '\0', sizeof ip);
- if (!host_ip(host,&(ip[0])))
- {
- return(0);
- }
- return(init_client_ip(sock,ip,port,type));
- return 0;
- return init_client_ip(sock,ip,port,type);
- }
-
-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
@ -217,7 +216,7 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
{
int sock;
char *name = NULL;
@@ -323,33 +333,38 @@ int do_server(int port, int type, int *r
@@ -322,33 +333,50 @@ int do_server(int port, int type, int *r
}
}
@ -227,10 +226,9 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
- int ret=0;
- struct sockaddr_in server;
- int s= -1;
+ struct addrinfo *res, *res0, hints;
+ struct addrinfo *res, *res0 = NULL, hints;
+ char * failed_call = NULL;
+ char port_name[8];
+ int s;
+ int s = INVALID_SOCKET;
+ int e;
if (!ssl_sock_init()) return(0);
@ -248,8 +246,10 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
- memcpy(&server.sin_addr,ip,4);
-#endif
+ memset(&hints, '\0', sizeof(hints));
+ hints.ai_family = AF_INET6;
+tryipv4:
+ hints.ai_socktype = type;
+ hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
+ hints.ai_flags = AI_PASSIVE;
- if (type == SOCK_STREAM)
- s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
@ -258,10 +258,15 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
+ e = getaddrinfo(NULL, port, &hints, &res);
+ if (e)
+ {
+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
+ if (e == EAI_SYSTEM)
+ perror("getaddrinfo");
+ return (0);
+ if (hints.ai_family == AF_INET)
+ {
+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
+ if (e == EAI_SYSTEM)
+ perror("getaddrinfo");
+ return (0);
+ }
+ else
+ res = NULL;
+ }
- if (s == INVALID_SOCKET) goto err;
@ -273,11 +278,17 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
+ {
+ failed_call = "socket";
+ goto nextres;
+ }
+ if (hints.ai_family == AF_INET6)
+ {
+ int j = 0;
+ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
+ (void *) &j, sizeof j);
+ }
#if defined SOL_SOCKET && defined SO_REUSEADDR
{
int j = 1;
@@ -357,35 +372,39 @@ static int init_server_long(int *sock, i
@@ -356,35 +384,49 @@ static int init_server_long(int *sock, i
(void *) &j, sizeof j);
}
#endif
@ -314,12 +325,21 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
+ close(s);
+ res = res->ai_next;
}
+ freeaddrinfo(res0);
+ if (res0)
+ freeaddrinfo(res0);
-static int init_server(int *sock, int port, int type)
- {
+ if (s == INVALID_SOCKET)
{
- return(init_server_long(sock, port, NULL, type));
+ if (s == INVALID_SOCKET) { perror("socket"); return(0); }
+ if (hints.ai_family == AF_INET6)
+ {
+ hints.ai_family = AF_INET;
+ goto tryipv4;
+ }
+ perror("socket");
+ return(0);
+ }
+
+ perror(failed_call);
+ return(0);
@ -335,7 +355,7 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
int len;
/* struct linger ling; */
@@ -432,135 +451,58 @@ redoit:
@@ -431,135 +473,58 @@ redoit:
*/
if (host == NULL) goto end;

16
openssl-1.0.1c-perlfind.patch Normal file
View File

@ -0,0 +1,16 @@
diff -up openssl-1.0.1c/util/perlpath.pl.perlfind openssl-1.0.1c/util/perlpath.pl
--- openssl-1.0.1c/util/perlpath.pl.perlfind 2012-07-11 22:57:33.000000000 +0200
+++ openssl-1.0.1c/util/perlpath.pl 2012-07-12 00:31:12.102156275 +0200
@@ -4,10 +4,10 @@
# line in all scripts that rely on perl.
#
-require "find.pl";
+use File::Find;
$#ARGV == 0 || print STDERR "usage: perlpath newpath (eg /usr/bin)\n";
-&find(".");
+find(\&wanted, ".");
sub wanted
{

244
openssl-1.0.1c-secure-getenv.patch Normal file
View File

@ -0,0 +1,244 @@
diff -up openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_api.c
--- openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv 2011-09-02 13:20:32.000000000 +0200
+++ openssl-1.0.1c/crypto/conf/conf_api.c 2012-09-10 20:20:24.803968961 +0200
@@ -63,6 +63,8 @@
# define NDEBUG
#endif
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <assert.h>
#include <stdlib.h>
#include <string.h>
@@ -142,7 +144,7 @@ char *_CONF_get_string(const CONF *conf,
if (v != NULL) return(v->value);
if (strcmp(section,"ENV") == 0)
{
- p=getenv(name);
+ p=secure_getenv(name);
if (p != NULL) return(p);
}
}
@@ -155,7 +157,7 @@ char *_CONF_get_string(const CONF *conf,
return(NULL);
}
else
- return(getenv(name));
+ return (secure_getenv(name));
}
#if 0 /* There's no way to provide error checking with this function, so
diff -up openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_mod.c
--- openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv 2008-11-05 19:38:55.000000000 +0100
+++ openssl-1.0.1c/crypto/conf/conf_mod.c 2012-09-10 20:22:46.228970661 +0200
@@ -56,6 +56,8 @@
*
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <stdio.h>
#include <ctype.h>
#include <openssl/crypto.h>
@@ -548,8 +550,8 @@ char *CONF_get1_default_config_file(void
char *file;
int len;
- file = getenv("OPENSSL_CONF");
- if (file)
+ file = secure_getenv("OPENSSL_CONF");
+ if (file)
return BUF_strdup(file);
len = strlen(X509_get_default_cert_area());
diff -up openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv openssl-1.0.1c/crypto/engine/eng_list.c
--- openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv 2010-03-27 19:28:13.000000000 +0100
+++ openssl-1.0.1c/crypto/engine/eng_list.c 2012-09-10 20:20:46.106452027 +0200
@@ -61,6 +61,8 @@
* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include "eng_int.h"
/* The linked-list of pointers to engine types. engine_list_head
@@ -399,9 +401,9 @@ ENGINE *ENGINE_by_id(const char *id)
if (strcmp(id, "dynamic"))
{
#ifdef OPENSSL_SYS_VMS
- if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]";
+ if(OPENSSL_issetugid() || (load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]";
#else
- if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR;
+ if((load_dir = secure_getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR;
#endif
iterator = ENGINE_by_id("dynamic");
if(!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
diff -up openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.1c/crypto/md5/md5_dgst.c
--- openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv 2012-09-10 20:10:26.079391932 +0200
+++ openssl-1.0.1c/crypto/md5/md5_dgst.c 2012-09-10 20:20:31.383118153 +0200
@@ -56,6 +56,8 @@
* [including the GNU Public Licence.]
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <stdio.h>
#include "md5_locl.h"
#include <openssl/opensslv.h>
@@ -74,7 +76,7 @@ const char MD5_version[]="MD5" OPENSSL_V
int MD5_Init(MD5_CTX *c)
#ifdef OPENSSL_FIPS
{
- if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
+ if (FIPS_mode() && secure_getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
OpenSSLDie(__FILE__, __LINE__, \
"Digest MD5 forbidden in FIPS mode!");
return private_MD5_Init(c);
diff -up openssl-1.0.1c/crypto/o_init.c.secure-getenv openssl-1.0.1c/crypto/o_init.c
--- openssl-1.0.1c/crypto/o_init.c.secure-getenv 2012-09-10 20:10:26.066391638 +0200
+++ openssl-1.0.1c/crypto/o_init.c 2012-09-10 20:23:27.634908822 +0200
@@ -52,6 +52,8 @@
*
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <e_os.h>
#include <openssl/err.h>
#ifdef OPENSSL_FIPS
@@ -71,7 +73,7 @@ static void init_fips_mode(void)
char buf[2] = "0";
int fd;
- if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
{
buf[0] = '1';
}
diff -up openssl-1.0.1c/crypto/rand/randfile.c.secure-getenv openssl-1.0.1c/crypto/rand/randfile.c
--- openssl-1.0.1c/crypto/rand/randfile.c.secure-getenv 2012-01-15 14:40:21.000000000 +0100
+++ openssl-1.0.1c/crypto/rand/randfile.c 2012-09-10 20:20:40.708329617 +0200
@@ -58,6 +58,8 @@
/* We need to define this to get macros like S_IFBLK and S_IFCHR */
#define _XOPEN_SOURCE 500
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
@@ -275,8 +277,7 @@ const char *RAND_file_name(char *buf, si
struct stat sb;
#endif
- if (OPENSSL_issetugid() == 0)
- s=getenv("RANDFILE");
+ s=secure_getenv("RANDFILE");
if (s != NULL && *s && strlen(s) + 1 < size)
{
if (BUF_strlcpy(buf,s,size) >= size)
@@ -284,8 +285,7 @@ const char *RAND_file_name(char *buf, si
}
else
{
- if (OPENSSL_issetugid() == 0)
- s=getenv("HOME");
+ s=secure_getenv("HOME");
#ifdef DEFAULT_HOME
if (s == NULL)
{
diff -up openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv openssl-1.0.1c/crypto/x509/by_dir.c
--- openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv 2010-02-19 19:26:23.000000000 +0100
+++ openssl-1.0.1c/crypto/x509/by_dir.c 2012-09-10 20:21:16.641144451 +0200
@@ -56,6 +56,8 @@
* [including the GNU Public Licence.]
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <stdio.h>
#include <time.h>
#include <errno.h>
@@ -135,7 +137,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
case X509_L_ADD_DIR:
if (argl == X509_FILETYPE_DEFAULT)
{
- dir=(char *)getenv(X509_get_default_cert_dir_env());
+ dir=(char *)secure_getenv(X509_get_default_cert_dir_env());
if (dir)
ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
else
diff -up openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv openssl-1.0.1c/crypto/x509/by_file.c
--- openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv 2012-09-10 20:10:26.016390503 +0200
+++ openssl-1.0.1c/crypto/x509/by_file.c 2012-09-10 20:21:07.748942806 +0200
@@ -56,6 +56,8 @@
* [including the GNU Public Licence.]
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <stdio.h>
#include <time.h>
#include <errno.h>
@@ -100,7 +102,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx
case X509_L_FILE_LOAD:
if (argl == X509_FILETYPE_DEFAULT)
{
- file = (char *)getenv(X509_get_default_cert_file_env());
+ file = (char *)secure_getenv(X509_get_default_cert_file_env());
if (file)
ok = (X509_load_cert_crl_file(ctx,file,
X509_FILETYPE_PEM) != 0);
diff -up openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.1c/crypto/x509/x509_vfy.c
--- openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv 2011-09-23 15:39:35.000000000 +0200
+++ openssl-1.0.1c/crypto/x509/x509_vfy.c 2012-09-10 20:20:55.951675283 +0200
@@ -56,6 +56,8 @@
* [including the GNU Public Licence.]
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <stdio.h>
#include <time.h>
#include <errno.h>
@@ -481,7 +483,7 @@ static int check_chain_extensions(X509_S
!!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
/* A hack to keep people who don't want to modify their
software happy */
- if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
+ if (secure_getenv("OPENSSL_ALLOW_PROXY_CERTS"))
allow_proxy_certs = 1;
purpose = ctx->param->purpose;
}
diff -up openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.1c/engines/ccgost/gost_ctl.c
--- openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv 2008-03-16 22:05:44.000000000 +0100
+++ openssl-1.0.1c/engines/ccgost/gost_ctl.c 2012-09-10 20:21:26.759373897 +0200
@@ -6,6 +6,8 @@
* Implementation of control commands for GOST engine *
* OpenSSL 0.9.9 libraries required *
**********************************************************************/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <openssl/crypto.h>
@@ -65,7 +67,7 @@ const char *get_gost_engine_param(int pa
{
return gost_params[param];
}
- tmp = getenv(gost_envnames[param]);
+ tmp = secure_getenv(gost_envnames[param]);
if (tmp)
{
if (gost_params[param]) OPENSSL_free(gost_params[param]);
@@ -79,7 +81,7 @@ int gost_set_default_param(int param, co
{
const char *tmp;
if (param <0 || param >GOST_PARAM_MAX) return 0;
- tmp = getenv(gost_envnames[param]);
+ tmp = secure_getenv(gost_envnames[param]);
/* if there is value in the environment, use it, else -passed string * */
if (!tmp) tmp=value;
if (gost_params[param]) OPENSSL_free(gost_params[param]);