Added missing patches and removed unused ones
This commit is contained in:
		
							parent
							
								
									7ab115bd4d
								
							
						
					
					
						commit
						942a99b725
					
				
							
								
								
									
										75
									
								
								README.FIPS
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										75
									
								
								README.FIPS
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,75 @@ | |||||||
|  | User guide for the FIPS Red Hat Enterprise Linux - OpenSSL Module | ||||||
|  | ================================================================= | ||||||
|  | 
 | ||||||
|  | This package contains libraries which comprise the FIPS 140-2 | ||||||
|  | Red Hat Enterprise Linux - OPENSSL Module. | ||||||
|  | 
 | ||||||
|  | The module files | ||||||
|  | ================ | ||||||
|  | /usr/lib[64]/libcrypto.so.1.0.0d | ||||||
|  | /usr/lib[64]/libssl.so.1.0.0d | ||||||
|  | /usr/lib[64]/.libcrypto.so.1.0.0d.hmac | ||||||
|  | /usr/lib[64]/.libssl.so.1.0.0d.hmac | ||||||
|  | 
 | ||||||
|  | Dependencies | ||||||
|  | ============ | ||||||
|  | 
 | ||||||
|  | The approved mode of operation requires kernel with /dev/urandom RNG running | ||||||
|  | with properties as defined in the security policy of the module. This is | ||||||
|  | provided by kernel packages with validated Red Hat Enterprise Linux - IPSec | ||||||
|  | Crytographic Module. | ||||||
|  | 
 | ||||||
|  | Installation | ||||||
|  | ============ | ||||||
|  | 
 | ||||||
|  | The RPM package of the module can be installed by standard tools recommended | ||||||
|  | for installation of RPM packages on the Red Hat Enterprise Linux system (yum, | ||||||
|  | rpm, RHN remote management tool). | ||||||
|  | 
 | ||||||
|  | For proper operation of the in-module integrity verification the prelink has to | ||||||
|  | be disabled. This can be done with setting PRELINKING=no in the | ||||||
|  | /etc/sysconfig/prelink configuration file. If the libraries were already | ||||||
|  | prelinked the prelink should be undone on all the system files with the | ||||||
|  | 'prelink -u -a' command. | ||||||
|  | 
 | ||||||
|  | Usage and API | ||||||
|  | ============= | ||||||
|  | 
 | ||||||
|  | The module respects kernel command line FIPS setting. If the kernel command | ||||||
|  | line contains option fips=1 the module will initialize in the FIPS approved | ||||||
|  | mode of operation automatically. To allow for the automatic initialization the | ||||||
|  | application using the module has to call one of the following API calls: | ||||||
|  | 
 | ||||||
|  | - void OPENSSL_init_library(void) - this will do only a basic initialization | ||||||
|  | of the library and does initialization of the FIPS approved mode without setting | ||||||
|  | up EVP API with supported algorithms. | ||||||
|  | 
 | ||||||
|  | - void OPENSSL_add_all_algorithms(void) - this API function calls | ||||||
|  | OPENSSL_init() implicitly and also adds all approved algorithms to the EVP API | ||||||
|  | in the approved mode  | ||||||
|  | 
 | ||||||
|  | - void SSL_library_init(void) - it calls OPENSSL_init() implicitly and also | ||||||
|  | adds algorithms which are necessary for TLS protocol support and initializes | ||||||
|  | the SSL library. | ||||||
|  | 
 | ||||||
|  | To explicitely put the library to the approved mode the application can call | ||||||
|  | the following function: | ||||||
|  | 
 | ||||||
|  | - int FIPS_mode_set(int on) - if called with 1 as a parameter it will switch | ||||||
|  | the library from the non-approved to the approved mode. If any of the selftests | ||||||
|  | and integrity verification tests fail, the library is put into the error state | ||||||
|  | and 0 is returned. If they succeed the return value is 1. | ||||||
|  | 
 | ||||||
|  | To query the module whether it is in the approved mode or not: | ||||||
|  | 
 | ||||||
|  | - int FIPS_mode(void) - returns 1 if the module is in the approved mode, | ||||||
|  | 0 otherwise. | ||||||
|  | 
 | ||||||
|  | To query whether the module is in the error state: | ||||||
|  | 
 | ||||||
|  | - int FIPS_selftest_failed(void) - returns 1 if the module is in the error | ||||||
|  | state, 0 otherwise. | ||||||
|  | 
 | ||||||
|  | To zeroize the FIPS RNG key and internal state the application calls: | ||||||
|  | 
 | ||||||
|  | - void RAND_cleanup(void) | ||||||
							
								
								
									
										75
									
								
								mingw-openssl-fix-fips-build-failure.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										75
									
								
								mingw-openssl-fix-fips-build-failure.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,75 @@ | |||||||
|  | --- openssl-1.0.1c/crypto/fips/fips_rand_selftest.c.orig	2012-11-03 18:59:03.620066556 +0100
 | ||||||
|  | +++ openssl-1.0.1c/crypto/fips/fips_rand_selftest.c	2012-11-03 19:57:33.156686682 +0100
 | ||||||
|  | @@ -47,6 +47,8 @@
 | ||||||
|  |   * | ||||||
|  |   */ | ||||||
|  |   | ||||||
|  | +#ifdef OPENSSL_FIPS
 | ||||||
|  | +
 | ||||||
|  |  #include <string.h> | ||||||
|  |  #include <openssl/err.h> | ||||||
|  |  #include <openssl/fips.h> | ||||||
|  | @@ -54,9 +56,6 @@
 | ||||||
|  |  #include <openssl/fips_rand.h> | ||||||
|  |  #include "fips_locl.h" | ||||||
|  |   | ||||||
|  | -#ifdef OPENSSL_FIPS
 | ||||||
|  | -
 | ||||||
|  | -
 | ||||||
|  |   | ||||||
|  |  typedef struct | ||||||
|  |  	{ | ||||||
|  | --- openssl-1.0.1c/crypto/fips/fips_dsa_selftest.c.orig	2012-11-03 20:03:20.546180631 +0100
 | ||||||
|  | +++ openssl-1.0.1c/crypto/fips/fips_dsa_selftest.c	2012-11-03 20:03:46.069328396 +0100
 | ||||||
|  | @@ -47,6 +47,8 @@
 | ||||||
|  |   * | ||||||
|  |   */ | ||||||
|  |   | ||||||
|  | +#ifdef OPENSSL_FIPS
 | ||||||
|  | +
 | ||||||
|  |  #include <string.h> | ||||||
|  |  #include <openssl/crypto.h> | ||||||
|  |  #include <openssl/dsa.h> | ||||||
|  | @@ -56,8 +58,6 @@
 | ||||||
|  |  #include <openssl/bn.h> | ||||||
|  |  #include "fips_locl.h" | ||||||
|  |   | ||||||
|  | -#ifdef OPENSSL_FIPS
 | ||||||
|  | -
 | ||||||
|  |  static const unsigned char dsa_test_2048_p[] = { | ||||||
|  |  	0xa8,0x53,0x78,0xd8,0xfd,0x3f,0x8d,0x72,0xec,0x74,0x18,0x08, | ||||||
|  |  	0x0d,0xa2,0x13,0x17,0xe4,0x3e,0xc4,0xb6,0x2b,0xa8,0xc8,0x62, | ||||||
|  | --- openssl-1.0.1c/crypto/fips/fips_rand.c.orig	2012-11-03 20:07:49.956891942 +0100
 | ||||||
|  | +++ openssl-1.0.1c/crypto/fips/fips_rand.c	2012-11-03 20:08:14.260048118 +0100
 | ||||||
|  | @@ -47,6 +47,8 @@
 | ||||||
|  |   * | ||||||
|  |   */ | ||||||
|  |   | ||||||
|  | +#ifdef OPENSSL_FIPS
 | ||||||
|  | +
 | ||||||
|  |  /* | ||||||
|  |   * This is a FIPS approved AES PRNG based on ANSI X9.31 A.2.4. | ||||||
|  |   */ | ||||||
|  | @@ -82,8 +84,6 @@
 | ||||||
|  |  #include <openssl/fips.h> | ||||||
|  |  #include "fips_locl.h" | ||||||
|  |   | ||||||
|  | -#ifdef OPENSSL_FIPS
 | ||||||
|  | -
 | ||||||
|  |  void *OPENSSL_stderr(void); | ||||||
|  |   | ||||||
|  |  #define AES_BLOCK_LENGTH	16 | ||||||
|  | --- openssl-1.0.1c/crypto/rand/md_rand.c.orig	2012-11-03 20:19:31.461754618 +0100
 | ||||||
|  | +++ openssl-1.0.1c/crypto/rand/md_rand.c	2012-11-03 20:20:58.294282662 +0100
 | ||||||
|  | @@ -392,7 +392,11 @@
 | ||||||
|  |  	/* always poll for external entropy in FIPS mode, drbg provides the  | ||||||
|  |  	 * expansion | ||||||
|  |  	 */ | ||||||
|  | +#ifdef OPENSSL_FIPS
 | ||||||
|  |  	if (!initialized || FIPS_module_mode())  | ||||||
|  | +#else
 | ||||||
|  | +	if (!initialized)
 | ||||||
|  | +#endif
 | ||||||
|  |  		{ | ||||||
|  |  		RAND_poll(); | ||||||
|  |  		initialized = 1; | ||||||
| @ -1,19 +0,0 @@ | |||||||
| diff -up openssl-0.9.8g/crypto/bn/bn_lcl.h.ia64 openssl-0.9.8g/crypto/bn/bn_lcl.h
 |  | ||||||
| --- openssl-0.9.8g/crypto/bn/bn_lcl.h.ia64	2008-08-10 22:23:55.000000000 +0200
 |  | ||||||
| +++ openssl-0.9.8g/crypto/bn/bn_lcl.h	2008-08-10 22:23:55.000000000 +0200
 |  | ||||||
| @@ -279,6 +279,15 @@ extern "C" {
 |  | ||||||
|  #   define BN_UMULT_HIGH(a,b)		__umulh((a),(b)) |  | ||||||
|  #   define BN_UMULT_LOHI(low,high,a,b)	((low)=_umul128((a),(b),&(high))) |  | ||||||
|  #  endif |  | ||||||
| +# elif defined(__ia64) && defined(SIXTY_FOUR_BIT_LONG)
 |  | ||||||
| +#  if defined(__GNUC__)
 |  | ||||||
| +#   define BN_UMULT_HIGH(a,b) ({      \
 |  | ||||||
| +      register BN_ULONG ret;          \
 |  | ||||||
| +      asm ("xmpy.hu %0 = %1, %2"      \
 |  | ||||||
| +           : "=f"(ret)                \
 |  | ||||||
| +           : "f"(a), "f"(b));         \
 |  | ||||||
| +      ret;                    })
 |  | ||||||
| +#  endif      /* compiler */
 |  | ||||||
|  # endif		/* cpu */ |  | ||||||
|  #endif		/* OPENSSL_NO_ASM */ |  | ||||||
|   |  | ||||||
| @ -1,14 +0,0 @@ | |||||||
| diff -up openssl-0.9.8j/crypto/asn1/asn_mime.c.bad-mime openssl-0.9.8j/crypto/asn1/asn_mime.c
 |  | ||||||
| --- openssl-0.9.8j/crypto/asn1/asn_mime.c.bad-mime	2008-08-05 17:56:11.000000000 +0200
 |  | ||||||
| +++ openssl-0.9.8j/crypto/asn1/asn_mime.c	2009-01-14 22:08:34.000000000 +0100
 |  | ||||||
| @@ -792,6 +792,10 @@ static int mime_hdr_addparam(MIME_HEADER
 |  | ||||||
|  static int mime_hdr_cmp(const MIME_HEADER * const *a, |  | ||||||
|  			const MIME_HEADER * const *b) |  | ||||||
|  { |  | ||||||
| +	if ((*a)->name == NULL || (*b)->name == NULL)
 |  | ||||||
| +		return (*a)->name - (*b)->name < 0 ? -1 :
 |  | ||||||
| +			(*a)->name - (*b)->name > 0 ? 1 : 0;
 |  | ||||||
| +
 |  | ||||||
|  	return(strcmp((*a)->name, (*b)->name)); |  | ||||||
|  } |  | ||||||
|   |  | ||||||
| @ -1,400 +0,0 @@ | |||||||
| diff -up openssl-1.0.0-beta3/crypto/fips/fips.c.fipscheck openssl-1.0.0-beta3/crypto/fips/fips.c
 |  | ||||||
| --- openssl-1.0.0-beta3/crypto/fips/fips.c.fipscheck	2009-08-10 20:11:59.000000000 +0200
 |  | ||||||
| +++ openssl-1.0.0-beta3/crypto/fips/fips.c	2009-08-10 20:11:59.000000000 +0200
 |  | ||||||
| @@ -47,6 +47,7 @@
 |  | ||||||
|   * |  | ||||||
|   */ |  | ||||||
|   |  | ||||||
| +#define _GNU_SOURCE
 |  | ||||||
|   |  | ||||||
|  #include <openssl/rand.h> |  | ||||||
|  #include <openssl/fips_rand.h> |  | ||||||
| @@ -56,6 +57,9 @@
 |  | ||||||
|  #include <openssl/rsa.h> |  | ||||||
|  #include <string.h> |  | ||||||
|  #include <limits.h> |  | ||||||
| +#include <dlfcn.h>
 |  | ||||||
| +#include <stdio.h>
 |  | ||||||
| +#include <stdlib.h>
 |  | ||||||
|  #include "fips_locl.h" |  | ||||||
|   |  | ||||||
|  #ifdef OPENSSL_FIPS |  | ||||||
| @@ -165,6 +169,204 @@ int FIPS_selftest()
 |  | ||||||
|  	&& FIPS_selftest_dsa(); |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| +/* we implement what libfipscheck does ourselves */
 |  | ||||||
| +
 |  | ||||||
| +static int
 |  | ||||||
| +get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
 |  | ||||||
| +{
 |  | ||||||
| +	Dl_info info;
 |  | ||||||
| +	void *dl, *sym;
 |  | ||||||
| +	int rv = -1;
 |  | ||||||
| +
 |  | ||||||
| +        dl = dlopen(libname, RTLD_LAZY);
 |  | ||||||
| +        if (dl == NULL) {
 |  | ||||||
| +	        return -1;
 |  | ||||||
| +        }       
 |  | ||||||
| +
 |  | ||||||
| +	sym = dlsym(dl, symbolname);
 |  | ||||||
| +
 |  | ||||||
| +	if (sym != NULL && dladdr(sym, &info)) {
 |  | ||||||
| +		strncpy(path, info.dli_fname, pathlen-1);
 |  | ||||||
| +		path[pathlen-1] = '\0';
 |  | ||||||
| +		rv = 0;
 |  | ||||||
| +	}
 |  | ||||||
| +
 |  | ||||||
| +	dlclose(dl);	
 |  | ||||||
| +	
 |  | ||||||
| +	return rv;
 |  | ||||||
| +}
 |  | ||||||
| +
 |  | ||||||
| +static const char conv[] = "0123456789abcdef";
 |  | ||||||
| +
 |  | ||||||
| +static char *
 |  | ||||||
| +bin2hex(void *buf, size_t len)
 |  | ||||||
| +{
 |  | ||||||
| +	char *hex, *p;
 |  | ||||||
| +	unsigned char *src = buf;
 |  | ||||||
| +	
 |  | ||||||
| +	hex = malloc(len * 2 + 1);
 |  | ||||||
| +	if (hex == NULL)
 |  | ||||||
| +		return NULL;
 |  | ||||||
| +
 |  | ||||||
| +	p = hex;
 |  | ||||||
| +
 |  | ||||||
| +	while (len > 0) {
 |  | ||||||
| +		unsigned c;
 |  | ||||||
| +
 |  | ||||||
| +		c = *src;
 |  | ||||||
| +		src++;
 |  | ||||||
| +
 |  | ||||||
| +		*p = conv[c >> 4];
 |  | ||||||
| +		++p;
 |  | ||||||
| +		*p = conv[c & 0x0f];
 |  | ||||||
| +		++p;
 |  | ||||||
| +		--len;
 |  | ||||||
| +	}
 |  | ||||||
| +	*p = '\0';
 |  | ||||||
| +	return hex;
 |  | ||||||
| +}
 |  | ||||||
| +
 |  | ||||||
| +#define HMAC_PREFIX "." 
 |  | ||||||
| +#define HMAC_SUFFIX ".hmac" 
 |  | ||||||
| +#define READ_BUFFER_LENGTH 16384
 |  | ||||||
| +
 |  | ||||||
| +static char *
 |  | ||||||
| +make_hmac_path(const char *origpath)
 |  | ||||||
| +{
 |  | ||||||
| +	char *path, *p;
 |  | ||||||
| +	const char *fn;
 |  | ||||||
| +
 |  | ||||||
| +	path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
 |  | ||||||
| +	if(path == NULL) {
 |  | ||||||
| +		return NULL;
 |  | ||||||
| +	}
 |  | ||||||
| +
 |  | ||||||
| +	fn = strrchr(origpath, '/');
 |  | ||||||
| +	if (fn == NULL) {
 |  | ||||||
| +		fn = origpath;
 |  | ||||||
| +	} else {
 |  | ||||||
| +		++fn;
 |  | ||||||
| +	}
 |  | ||||||
| +
 |  | ||||||
| +	strncpy(path, origpath, fn-origpath);
 |  | ||||||
| +	p = path + (fn - origpath);
 |  | ||||||
| +	p = stpcpy(p, HMAC_PREFIX);
 |  | ||||||
| +	p = stpcpy(p, fn);
 |  | ||||||
| +	p = stpcpy(p, HMAC_SUFFIX);
 |  | ||||||
| +
 |  | ||||||
| +	return path;
 |  | ||||||
| +}
 |  | ||||||
| +
 |  | ||||||
| +static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
 |  | ||||||
| +
 |  | ||||||
| +static int
 |  | ||||||
| +compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
 |  | ||||||
| +{
 |  | ||||||
| +	FILE *f = NULL;
 |  | ||||||
| +	int rv = -1;
 |  | ||||||
| +	unsigned char rbuf[READ_BUFFER_LENGTH];
 |  | ||||||
| +	size_t len;
 |  | ||||||
| +	unsigned int hlen;
 |  | ||||||
| +	HMAC_CTX c;
 |  | ||||||
| +
 |  | ||||||
| +	HMAC_CTX_init(&c);
 |  | ||||||
| +
 |  | ||||||
| +	f = fopen(path, "r");
 |  | ||||||
| +
 |  | ||||||
| +	if (f == NULL) {
 |  | ||||||
| +		goto end;
 |  | ||||||
| +	}
 |  | ||||||
| +
 |  | ||||||
| +	HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256());
 |  | ||||||
| +
 |  | ||||||
| +	while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
 |  | ||||||
| +		HMAC_Update(&c, rbuf, len);
 |  | ||||||
| +	}
 |  | ||||||
| +
 |  | ||||||
| +	len = sizeof(rbuf);
 |  | ||||||
| +	/* reuse rbuf for hmac */
 |  | ||||||
| +	HMAC_Final(&c, rbuf, &hlen);
 |  | ||||||
| +
 |  | ||||||
| +	*buf = malloc(hlen);
 |  | ||||||
| +	if (*buf == NULL) {
 |  | ||||||
| +		goto end;
 |  | ||||||
| +	}
 |  | ||||||
| +
 |  | ||||||
| +	*hmaclen = hlen;
 |  | ||||||
| +
 |  | ||||||
| +	memcpy(*buf, rbuf, hlen);
 |  | ||||||
| +
 |  | ||||||
| +	rv = 0;
 |  | ||||||
| +end:
 |  | ||||||
| +	HMAC_CTX_cleanup(&c);
 |  | ||||||
| +
 |  | ||||||
| +	if (f)
 |  | ||||||
| +		fclose(f);
 |  | ||||||
| +
 |  | ||||||
| +	return rv;
 |  | ||||||
| +}
 |  | ||||||
| +
 |  | ||||||
| +static int
 |  | ||||||
| +FIPSCHECK_verify(const char *libname, const char *symbolname)
 |  | ||||||
| +{
 |  | ||||||
| +	char path[PATH_MAX+1];
 |  | ||||||
| +	int rv;
 |  | ||||||
| +	FILE *hf;
 |  | ||||||
| +	char *hmacpath, *p;
 |  | ||||||
| +	char *hmac = NULL;
 |  | ||||||
| +	size_t n;
 |  | ||||||
| +	
 |  | ||||||
| +	rv = get_library_path(libname, symbolname, path, sizeof(path));
 |  | ||||||
| +
 |  | ||||||
| +	if (rv < 0)
 |  | ||||||
| +		return 0;
 |  | ||||||
| +
 |  | ||||||
| +	hmacpath = make_hmac_path(path);
 |  | ||||||
| +
 |  | ||||||
| +	hf = fopen(hmacpath, "r");
 |  | ||||||
| +	if (hf == NULL) {
 |  | ||||||
| +		free(hmacpath);
 |  | ||||||
| +		return 0;
 |  | ||||||
| +	}
 |  | ||||||
| +
 |  | ||||||
| +	if (getline(&hmac, &n, hf) > 0) {
 |  | ||||||
| +		void *buf;
 |  | ||||||
| +		size_t hmaclen;
 |  | ||||||
| +		char *hex;
 |  | ||||||
| +
 |  | ||||||
| +		if ((p=strchr(hmac, '\n')) != NULL)
 |  | ||||||
| +			*p = '\0';
 |  | ||||||
| +
 |  | ||||||
| +		if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
 |  | ||||||
| +			rv = -4;
 |  | ||||||
| +			goto end;
 |  | ||||||
| +		}
 |  | ||||||
| +
 |  | ||||||
| +		if ((hex=bin2hex(buf, hmaclen)) == NULL) {
 |  | ||||||
| +			free(buf);
 |  | ||||||
| +			rv = -5;
 |  | ||||||
| +			goto end;
 |  | ||||||
| +		}
 |  | ||||||
| +
 |  | ||||||
| +		if (strcmp(hex, hmac) != 0) {
 |  | ||||||
| +			rv = -1;
 |  | ||||||
| +		}
 |  | ||||||
| +		free(buf);
 |  | ||||||
| +		free(hex);
 |  | ||||||
| +	}
 |  | ||||||
| +
 |  | ||||||
| +end:
 |  | ||||||
| +	free(hmac);
 |  | ||||||
| +	free(hmacpath);
 |  | ||||||
| +	fclose(hf);
 |  | ||||||
| +
 |  | ||||||
| +	if (rv < 0)
 |  | ||||||
| +		return 0;
 |  | ||||||
| +
 |  | ||||||
| +	/* check successful */
 |  | ||||||
| +	return 1;	
 |  | ||||||
| +}
 |  | ||||||
| +
 |  | ||||||
|  int FIPS_mode_set(int onoff) |  | ||||||
|      { |  | ||||||
|      int fips_set_owning_thread(); |  | ||||||
| @@ -201,6 +403,22 @@ int FIPS_mode_set(int onoff)
 |  | ||||||
|  	    } |  | ||||||
|  #endif |  | ||||||
|   |  | ||||||
| +	if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
 |  | ||||||
| +	    {
 |  | ||||||
| +	    FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
 |  | ||||||
| +	    fips_selftest_fail = 1;
 |  | ||||||
| +	    ret = 0;
 |  | ||||||
| +	    goto end;
 |  | ||||||
| +	    }
 |  | ||||||
| +
 |  | ||||||
| +	if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
 |  | ||||||
| +	    {
 |  | ||||||
| +	    FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
 |  | ||||||
| +	    fips_selftest_fail = 1;
 |  | ||||||
| +	    ret = 0;
 |  | ||||||
| +	    goto end;
 |  | ||||||
| +	    }
 |  | ||||||
| +
 |  | ||||||
|  	/* Perform RNG KAT before seeding */ |  | ||||||
|  	if (!FIPS_selftest_rng()) |  | ||||||
|  	    { |  | ||||||
| diff -up openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c.fipscheck openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c
 |  | ||||||
| --- openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c.fipscheck	2009-08-10 20:11:59.000000000 +0200
 |  | ||||||
| +++ openssl-1.0.0-beta3/crypto/fips/fips_standalone_sha1.c	2009-08-10 20:11:59.000000000 +0200
 |  | ||||||
| @@ -62,7 +62,7 @@ void OPENSSL_cleanse(void *p,size_t len)
 |  | ||||||
|   |  | ||||||
|  #ifdef OPENSSL_FIPS |  | ||||||
|   |  | ||||||
| -static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx,
 |  | ||||||
| +static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx,
 |  | ||||||
|  		      const char *key) |  | ||||||
|      { |  | ||||||
|      size_t len=strlen(key); |  | ||||||
| @@ -72,10 +72,10 @@ static void hmac_init(SHA_CTX *md_ctx,SH
 |  | ||||||
|   |  | ||||||
|      if (len > SHA_CBLOCK) |  | ||||||
|  	{ |  | ||||||
| -	SHA1_Init(md_ctx);
 |  | ||||||
| -	SHA1_Update(md_ctx,key,len);
 |  | ||||||
| -	SHA1_Final(keymd,md_ctx);
 |  | ||||||
| -	len=20;
 |  | ||||||
| +	SHA256_Init(md_ctx);
 |  | ||||||
| +	SHA256_Update(md_ctx,key,len);
 |  | ||||||
| +	SHA256_Final(keymd,md_ctx);
 |  | ||||||
| +	len=SHA256_DIGEST_LENGTH;
 |  | ||||||
|  	} |  | ||||||
|      else |  | ||||||
|  	memcpy(keymd,key,len); |  | ||||||
| @@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH
 |  | ||||||
|   |  | ||||||
|      for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++) |  | ||||||
|  	pad[i]=0x36^keymd[i]; |  | ||||||
| -    SHA1_Init(md_ctx);
 |  | ||||||
| -    SHA1_Update(md_ctx,pad,SHA_CBLOCK);
 |  | ||||||
| +    SHA256_Init(md_ctx);
 |  | ||||||
| +    SHA256_Update(md_ctx,pad,SHA256_CBLOCK);
 |  | ||||||
|   |  | ||||||
|      for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++) |  | ||||||
|  	pad[i]=0x5c^keymd[i]; |  | ||||||
| -    SHA1_Init(o_ctx);
 |  | ||||||
| -    SHA1_Update(o_ctx,pad,SHA_CBLOCK);
 |  | ||||||
| +    SHA256_Init(o_ctx);
 |  | ||||||
| +    SHA256_Update(o_ctx,pad,SHA256_CBLOCK);
 |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| -static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx)
 |  | ||||||
| +static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx)
 |  | ||||||
|      { |  | ||||||
| -    unsigned char buf[20];
 |  | ||||||
| +    unsigned char buf[SHA256_DIGEST_LENGTH];
 |  | ||||||
|   |  | ||||||
| -    SHA1_Final(buf,md_ctx);
 |  | ||||||
| -    SHA1_Update(o_ctx,buf,sizeof buf);
 |  | ||||||
| -    SHA1_Final(md,o_ctx);
 |  | ||||||
| +    SHA256_Final(buf,md_ctx);
 |  | ||||||
| +    SHA256_Update(o_ctx,buf,sizeof buf);
 |  | ||||||
| +    SHA256_Final(md,o_ctx);
 |  | ||||||
|      } |  | ||||||
|   |  | ||||||
|  #endif |  | ||||||
| @@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md
 |  | ||||||
|  int main(int argc,char **argv) |  | ||||||
|      { |  | ||||||
|  #ifdef OPENSSL_FIPS |  | ||||||
| -    static char key[]="etaonrishdlcupfm";
 |  | ||||||
| +    static char key[]="orboDeJITITejsirpADONivirpUkvarP";
 |  | ||||||
|      int n,binary=0; |  | ||||||
|   |  | ||||||
|      if(argc < 2) |  | ||||||
| @@ -125,8 +125,8 @@ int main(int argc,char **argv)
 |  | ||||||
|      for(; n < argc ; ++n) |  | ||||||
|  	{ |  | ||||||
|  	FILE *f=fopen(argv[n],"rb"); |  | ||||||
| -	SHA_CTX md_ctx,o_ctx;
 |  | ||||||
| -	unsigned char md[20];
 |  | ||||||
| +	SHA256_CTX md_ctx,o_ctx;
 |  | ||||||
| +	unsigned char md[SHA256_DIGEST_LENGTH];
 |  | ||||||
|  	int i; |  | ||||||
|   |  | ||||||
|  	if(!f) |  | ||||||
| @@ -151,18 +151,18 @@ int main(int argc,char **argv)
 |  | ||||||
|  		else |  | ||||||
|  		    break; |  | ||||||
|  		} |  | ||||||
| -	    SHA1_Update(&md_ctx,buf,l);
 |  | ||||||
| +	    SHA256_Update(&md_ctx,buf,l);
 |  | ||||||
|  	    } |  | ||||||
|  	hmac_final(md,&md_ctx,&o_ctx); |  | ||||||
|   |  | ||||||
|  	if (binary) |  | ||||||
|  	    { |  | ||||||
| -	    fwrite(md,20,1,stdout);
 |  | ||||||
| +	    fwrite(md,SHA256_DIGEST_LENGTH,1,stdout);
 |  | ||||||
|  	    break;	/* ... for single(!) file */ |  | ||||||
|  	    } |  | ||||||
|   |  | ||||||
| -	printf("HMAC-SHA1(%s)= ",argv[n]);
 |  | ||||||
| -	for(i=0 ; i < 20 ; ++i)
 |  | ||||||
| +/*	printf("HMAC-SHA1(%s)= ",argv[n]); */
 |  | ||||||
| +	for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i)
 |  | ||||||
|  	    printf("%02x",md[i]); |  | ||||||
|  	printf("\n"); |  | ||||||
|  	} |  | ||||||
| diff -up openssl-1.0.0-beta3/crypto/fips/Makefile.fipscheck openssl-1.0.0-beta3/crypto/fips/Makefile
 |  | ||||||
| --- openssl-1.0.0-beta3/crypto/fips/Makefile.fipscheck	2009-08-10 20:11:59.000000000 +0200
 |  | ||||||
| +++ openssl-1.0.0-beta3/crypto/fips/Makefile	2009-08-10 20:27:45.000000000 +0200
 |  | ||||||
| @@ -16,6 +16,9 @@ GENERAL=Makefile
 |  | ||||||
|  TEST=fips_test_suite.c fips_randtest.c |  | ||||||
|  APPS= |  | ||||||
|   |  | ||||||
| +PROGRAM= fips_standalone_sha1
 |  | ||||||
| +EXE= $(PROGRAM)$(EXE_EXT)
 |  | ||||||
| +
 |  | ||||||
|  LIB=$(TOP)/libcrypto.a |  | ||||||
|  LIBSRC=fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c fips_rand_selftest.c \ |  | ||||||
|      fips_rsa_selftest.c fips_sha1_selftest.c fips.c fips_dsa_selftest.c  fips_rand.c \ |  | ||||||
| @@ -25,6 +28,8 @@ LIBOBJ=fips_aes_selftest.o fips_des_self
 |  | ||||||
|      fips_rsa_selftest.o fips_sha1_selftest.o fips.o fips_dsa_selftest.o  fips_rand.o \ |  | ||||||
|      fips_rsa_x931g.o |  | ||||||
|   |  | ||||||
| +LIBCRYPTO=-L.. -lcrypto
 |  | ||||||
| +
 |  | ||||||
|  SRC= $(LIBSRC) fips_standalone_sha1.c |  | ||||||
|   |  | ||||||
|  EXHEADER= fips.h fips_rand.h |  | ||||||
| @@ -35,13 +40,15 @@ ALL=    $(GENERAL) $(SRC) $(HEADER)
 |  | ||||||
|  top: |  | ||||||
|  	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all) |  | ||||||
|   |  | ||||||
| -all:	lib
 |  | ||||||
| +all:	lib exe
 |  | ||||||
|   |  | ||||||
|  lib:	$(LIBOBJ) |  | ||||||
|  	$(AR) $(LIB) $(LIBOBJ) |  | ||||||
|  	$(RANLIB) $(LIB) || echo Never mind. |  | ||||||
|  	@touch lib |  | ||||||
|   |  | ||||||
| +exe:	$(EXE)
 |  | ||||||
| +
 |  | ||||||
|  files: |  | ||||||
|  	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO |  | ||||||
|   |  | ||||||
| @@ -77,5 +84,9 @@ dclean:
 |  | ||||||
|  clean: |  | ||||||
|  	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff |  | ||||||
|   |  | ||||||
| +$(EXE): $(PROGRAM).o
 |  | ||||||
| +	FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../sha/$$i" ; done; \
 |  | ||||||
| +	$(CC) -o $@ $(CFLAGS) $(PROGRAM).o $$FIPS_SHA_ASM
 |  | ||||||
| +
 |  | ||||||
|  # DO NOT DELETE THIS LINE -- make depend depends on it. |  | ||||||
|   |  | ||||||
| @ -1,79 +0,0 @@ | |||||||
| diff -up openssl-1.0.0-beta3/crypto/fips/fips.c.fipsrng openssl-1.0.0-beta3/crypto/fips/fips.c
 |  | ||||||
| --- openssl-1.0.0-beta3/crypto/fips/fips.c.fipsrng	2009-08-11 18:12:14.000000000 +0200
 |  | ||||||
| +++ openssl-1.0.0-beta3/crypto/fips/fips.c	2009-08-11 18:14:36.000000000 +0200
 |  | ||||||
| @@ -427,22 +427,22 @@ int FIPS_mode_set(int onoff)
 |  | ||||||
|  	    goto end; |  | ||||||
|  	    } |  | ||||||
|   |  | ||||||
| +	/* now switch the RNG into FIPS mode */
 |  | ||||||
| +	fips_set_rand_check(FIPS_rand_method());
 |  | ||||||
| +	RAND_set_rand_method(FIPS_rand_method());
 |  | ||||||
| +
 |  | ||||||
|  	/* automagically seed PRNG if not already seeded */ |  | ||||||
|  	if(!FIPS_rand_status()) |  | ||||||
|  	    { |  | ||||||
| -	    if(RAND_bytes(buf,sizeof buf) <= 0)
 |  | ||||||
| +	    RAND_poll();
 |  | ||||||
| +	    if (!FIPS_rand_status())
 |  | ||||||
|  		{ |  | ||||||
|  		fips_selftest_fail = 1; |  | ||||||
|  		ret = 0; |  | ||||||
|  		goto end; |  | ||||||
|  		} |  | ||||||
| -	    FIPS_rand_set_key(buf,32);
 |  | ||||||
| -	    FIPS_rand_seed(buf+32,16);
 |  | ||||||
|  	    } |  | ||||||
|   |  | ||||||
| -	/* now switch into FIPS mode */
 |  | ||||||
| -	fips_set_rand_check(FIPS_rand_method());
 |  | ||||||
| -	RAND_set_rand_method(FIPS_rand_method());
 |  | ||||||
|  	if(FIPS_selftest()) |  | ||||||
|  	    fips_set_mode(1); |  | ||||||
|  	else |  | ||||||
| diff -up openssl-1.0.0-beta3/crypto/fips/fips_rand.c.fipsrng openssl-1.0.0-beta3/crypto/fips/fips_rand.c
 |  | ||||||
| --- openssl-1.0.0-beta3/crypto/fips/fips_rand.c.fipsrng	2009-08-11 18:12:14.000000000 +0200
 |  | ||||||
| +++ openssl-1.0.0-beta3/crypto/fips/fips_rand.c	2009-08-11 18:16:48.000000000 +0200
 |  | ||||||
| @@ -155,7 +155,18 @@ static int fips_set_prng_seed(FIPS_PRNG_
 |  | ||||||
|  	{ |  | ||||||
|  	int i; |  | ||||||
|  	if (!ctx->keyed) |  | ||||||
| -		return 0;
 |  | ||||||
| +		{
 |  | ||||||
| +		FIPS_RAND_SIZE_T keylen = 16;
 |  | ||||||
| +
 |  | ||||||
| +		if (seedlen - keylen < AES_BLOCK_LENGTH)
 |  | ||||||
| +			return 0;
 |  | ||||||
| +		if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
 |  | ||||||
| +			keylen += 8;
 |  | ||||||
| +		if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
 |  | ||||||
| +			keylen += 8;
 |  | ||||||
| +		seedlen -= keylen;
 |  | ||||||
| +		fips_set_prng_key(ctx, seed+seedlen, keylen);
 |  | ||||||
| +		}
 |  | ||||||
|  	/* In test mode seed is just supplied data */ |  | ||||||
|  	if (ctx->test_mode) |  | ||||||
|  		{ |  | ||||||
| @@ -276,6 +287,7 @@ static int fips_rand(FIPS_PRNG_CTX *ctx,
 |  | ||||||
|  	unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH]; |  | ||||||
|  	unsigned char tmp[AES_BLOCK_LENGTH]; |  | ||||||
|  	int i; |  | ||||||
| +	FIPS_selftest_check();
 |  | ||||||
|  	if (ctx->error) |  | ||||||
|  		{ |  | ||||||
|  		RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR); |  | ||||||
| diff -up openssl-1.0.0-beta3/crypto/rand/rand_lcl.h.fipsrng openssl-1.0.0-beta3/crypto/rand/rand_lcl.h
 |  | ||||||
| --- openssl-1.0.0-beta3/crypto/rand/rand_lcl.h.fipsrng	2009-08-11 18:12:13.000000000 +0200
 |  | ||||||
| +++ openssl-1.0.0-beta3/crypto/rand/rand_lcl.h	2009-08-11 18:18:13.000000000 +0200
 |  | ||||||
| @@ -112,8 +112,11 @@
 |  | ||||||
|  #ifndef HEADER_RAND_LCL_H |  | ||||||
|  #define HEADER_RAND_LCL_H |  | ||||||
|   |  | ||||||
| +#ifndef OPENSSL_FIPS
 |  | ||||||
|  #define ENTROPY_NEEDED 32  /* require 256 bits = 32 bytes of randomness */ |  | ||||||
| -
 |  | ||||||
| +#else
 |  | ||||||
| +#define ENTROPY_NEEDED 48  /* we need 48 bytes of randomness for FIPS rng */
 |  | ||||||
| +#endif
 |  | ||||||
|   |  | ||||||
|  #if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND) |  | ||||||
|  #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) |  | ||||||
| @ -1,44 +0,0 @@ | |||||||
| diff -up openssl-1.0.0-beta3/Configure.soversion openssl-1.0.0-beta3/Configure
 |  | ||||||
| --- openssl-1.0.0-beta3/Configure.soversion	2009-08-04 23:06:52.000000000 +0200
 |  | ||||||
| +++ openssl-1.0.0-beta3/Configure	2009-08-04 23:06:52.000000000 +0200
 |  | ||||||
| @@ -1514,7 +1514,7 @@ while (<IN>)
 |  | ||||||
|  	elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/) |  | ||||||
|  		{ |  | ||||||
|  		my $sotmp = $1; |  | ||||||
| -		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
 |  | ||||||
| +		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
 |  | ||||||
|  		} |  | ||||||
|  	elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/) |  | ||||||
|  		{ |  | ||||||
| diff -up openssl-1.0.0-beta3/Makefile.org.soversion openssl-1.0.0-beta3/Makefile.org
 |  | ||||||
| --- openssl-1.0.0-beta3/Makefile.org.soversion	2009-08-04 23:06:52.000000000 +0200
 |  | ||||||
| +++ openssl-1.0.0-beta3/Makefile.org	2009-08-04 23:11:01.000000000 +0200
 |  | ||||||
| @@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
 |  | ||||||
|  SHLIB_MAJOR= |  | ||||||
|  SHLIB_MINOR= |  | ||||||
|  SHLIB_EXT= |  | ||||||
| +SHLIB_SONAMEVER=10
 |  | ||||||
|  PLATFORM=dist |  | ||||||
|  OPTIONS= |  | ||||||
|  CONFIGURE_ARGS= |  | ||||||
| @@ -289,10 +290,9 @@ clean-shared:
 |  | ||||||
|  link-shared: |  | ||||||
|  	@ set -e; for i in $(SHLIBDIRS); do \ |  | ||||||
|  		$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \ |  | ||||||
| -			LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
 |  | ||||||
| +			LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
 |  | ||||||
|  			LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \ |  | ||||||
|  			symlink.$(SHLIB_TARGET); \ |  | ||||||
| -		libs="$$libs -l$$i"; \
 |  | ||||||
|  	done |  | ||||||
|   |  | ||||||
|  build-shared: do_$(SHLIB_TARGET) link-shared |  | ||||||
| @@ -303,7 +303,7 @@ do_$(SHLIB_TARGET):
 |  | ||||||
|  			libs="$(LIBKRB5) $$libs"; \ |  | ||||||
|  		fi; \ |  | ||||||
|  		$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \ |  | ||||||
| -			LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
 |  | ||||||
| +			LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
 |  | ||||||
|  			LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \ |  | ||||||
|  			LIBDEPS="$$libs $(EX_LIBS)" \ |  | ||||||
|  			link_a.$(SHLIB_TARGET); \ |  | ||||||
| @ -1,25 +0,0 @@ | |||||||
| Adding struct member is ABI breaker however as the structure is always allocated by |  | ||||||
| the library calls we just move it to the end and it should be reasonably safe. |  | ||||||
| diff -up openssl-1.0.0-beta4/ssl/dtls1.h.dtls1-abi openssl-1.0.0-beta4/ssl/dtls1.h
 |  | ||||||
| --- openssl-1.0.0-beta4/ssl/dtls1.h.dtls1-abi	2009-11-12 14:34:37.000000000 +0100
 |  | ||||||
| +++ openssl-1.0.0-beta4/ssl/dtls1.h	2009-11-12 14:47:57.000000000 +0100
 |  | ||||||
| @@ -216,9 +216,6 @@ typedef struct dtls1_state_st
 |  | ||||||
|  	 */ |  | ||||||
|  	record_pqueue buffered_app_data; |  | ||||||
|   |  | ||||||
| -	/* Is set when listening for new connections with dtls1_listen() */
 |  | ||||||
| -	unsigned int listen;
 |  | ||||||
| -
 |  | ||||||
|  	unsigned int mtu; /* max DTLS packet size */ |  | ||||||
|   |  | ||||||
|  	struct hm_header_st w_msg_hdr; |  | ||||||
| @@ -242,6 +239,9 @@ typedef struct dtls1_state_st
 |  | ||||||
|  	unsigned int retransmitting; |  | ||||||
|  	unsigned int change_cipher_spec_ok; |  | ||||||
|   |  | ||||||
| +	/* Is set when listening for new connections with dtls1_listen() */
 |  | ||||||
| +	unsigned int listen;
 |  | ||||||
| +
 |  | ||||||
|  	} DTLS1_STATE; |  | ||||||
|   |  | ||||||
|  typedef struct dtls1_record_data_st |  | ||||||
							
								
								
									
										189
									
								
								openssl-1.0.0-fips-pkcs8.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										189
									
								
								openssl-1.0.0-fips-pkcs8.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,189 @@ | |||||||
|  | diff -up openssl-1.0.0/crypto/pem/pem_all.c.pkcs8 openssl-1.0.0/crypto/pem/pem_all.c
 | ||||||
|  | --- openssl-1.0.0/crypto/pem/pem_all.c.pkcs8	2006-11-06 20:53:37.000000000 +0100
 | ||||||
|  | +++ openssl-1.0.0/crypto/pem/pem_all.c	2012-04-26 17:17:35.765317652 +0200
 | ||||||
|  | @@ -147,7 +147,37 @@ IMPLEMENT_PEM_rw(PKCS7, PKCS7, PEM_STRIN
 | ||||||
|  |   | ||||||
|  |  IMPLEMENT_PEM_rw(NETSCAPE_CERT_SEQUENCE, NETSCAPE_CERT_SEQUENCE, | ||||||
|  |  					PEM_STRING_X509, NETSCAPE_CERT_SEQUENCE) | ||||||
|  | +#ifdef OPENSSL_FIPS
 | ||||||
|  |   | ||||||
|  | +static int fips_PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
 | ||||||
|  | +                                               unsigned char *kstr, int klen,
 | ||||||
|  | +                                               pem_password_cb *cb, void *u)
 | ||||||
|  | +	{
 | ||||||
|  | +		if (FIPS_mode())
 | ||||||
|  | +			return PEM_write_bio_PKCS8PrivateKey(bp, x, enc,
 | ||||||
|  | +						(char *)kstr, klen, cb, u);
 | ||||||
|  | +		else
 | ||||||
|  | +                	return PEM_ASN1_write_bio((i2d_of_void *)i2d_PrivateKey,
 | ||||||
|  | +                ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:(x->type == EVP_PKEY_RSA)?PEM_STRING_RSA:PEM_STRING_ECPRIVATEKEY),
 | ||||||
|  | +                        bp,x,enc,kstr,klen,cb,u);
 | ||||||
|  | +	}
 | ||||||
|  | +
 | ||||||
|  | +#ifndef OPENSSL_NO_FP_API
 | ||||||
|  | +static int fips_PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
 | ||||||
|  | +                                               unsigned char *kstr, int klen,
 | ||||||
|  | +                                               pem_password_cb *cb, void *u)
 | ||||||
|  | +	{
 | ||||||
|  | +		if (FIPS_mode())
 | ||||||
|  | +			return PEM_write_PKCS8PrivateKey(fp, x, enc,
 | ||||||
|  | +						(char *)kstr, klen, cb, u);
 | ||||||
|  | +		else
 | ||||||
|  | +                	return PEM_ASN1_write((i2d_of_void *)i2d_PrivateKey,
 | ||||||
|  | +                ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:(x->type == EVP_PKEY_RSA)?PEM_STRING_RSA:PEM_STRING_ECPRIVATEKEY),
 | ||||||
|  | +                        fp,x,enc,kstr,klen,cb,u);
 | ||||||
|  | +	}
 | ||||||
|  | +#endif
 | ||||||
|  | +
 | ||||||
|  | +#endif
 | ||||||
|  |   | ||||||
|  |  #ifndef OPENSSL_NO_RSA | ||||||
|  |   | ||||||
|  | @@ -193,7 +223,49 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RS
 | ||||||
|  |   | ||||||
|  |  #endif | ||||||
|  |   | ||||||
|  | +#ifdef OPENSSL_FIPS
 | ||||||
|  | +
 | ||||||
|  | +int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
 | ||||||
|  | +                                               unsigned char *kstr, int klen,
 | ||||||
|  | +                                               pem_password_cb *cb, void *u)
 | ||||||
|  | +{
 | ||||||
|  | +	EVP_PKEY *k;
 | ||||||
|  | +	int ret;
 | ||||||
|  | +	k = EVP_PKEY_new();
 | ||||||
|  | +	if (!k)
 | ||||||
|  | +		return 0;
 | ||||||
|  | +	EVP_PKEY_set1_RSA(k, x);
 | ||||||
|  | +
 | ||||||
|  | +	ret = fips_PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
 | ||||||
|  | +	EVP_PKEY_free(k);
 | ||||||
|  | +	return ret;
 | ||||||
|  | +}
 | ||||||
|  | +
 | ||||||
|  | +#ifndef OPENSSL_NO_FP_API
 | ||||||
|  | +int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
 | ||||||
|  | +                                               unsigned char *kstr, int klen,
 | ||||||
|  | +                                               pem_password_cb *cb, void *u)
 | ||||||
|  | +{
 | ||||||
|  | +	EVP_PKEY *k;
 | ||||||
|  | +	int ret;
 | ||||||
|  | +	k = EVP_PKEY_new();
 | ||||||
|  | +	if (!k)
 | ||||||
|  | +		return 0;
 | ||||||
|  | +
 | ||||||
|  | +	EVP_PKEY_set1_RSA(k, x);
 | ||||||
|  | +
 | ||||||
|  | +	ret = fips_PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
 | ||||||
|  | +	EVP_PKEY_free(k);
 | ||||||
|  | +	return ret;
 | ||||||
|  | +}
 | ||||||
|  | +#endif
 | ||||||
|  | +
 | ||||||
|  | +#else
 | ||||||
|  | +
 | ||||||
|  |  IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey) | ||||||
|  | +
 | ||||||
|  | +#endif
 | ||||||
|  | +
 | ||||||
|  |  IMPLEMENT_PEM_rw_const(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey) | ||||||
|  |  IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY) | ||||||
|  |   | ||||||
|  | @@ -223,7 +295,47 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp,
 | ||||||
|  |  	return pkey_get_dsa(pktmp, dsa);	/* will free pktmp */ | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | +#ifdef OPENSSL_FIPS
 | ||||||
|  | +
 | ||||||
|  | +int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
 | ||||||
|  | +                                               unsigned char *kstr, int klen,
 | ||||||
|  | +                                               pem_password_cb *cb, void *u)
 | ||||||
|  | +{
 | ||||||
|  | +	EVP_PKEY *k;
 | ||||||
|  | +	int ret;
 | ||||||
|  | +	k = EVP_PKEY_new();
 | ||||||
|  | +	if (!k)
 | ||||||
|  | +		return 0;
 | ||||||
|  | +	EVP_PKEY_set1_DSA(k, x);
 | ||||||
|  | +
 | ||||||
|  | +	ret = fips_PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
 | ||||||
|  | +	EVP_PKEY_free(k);
 | ||||||
|  | +	return ret;
 | ||||||
|  | +}
 | ||||||
|  | +
 | ||||||
|  | +#ifndef OPENSSL_NO_FP_API
 | ||||||
|  | +int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
 | ||||||
|  | +                                               unsigned char *kstr, int klen,
 | ||||||
|  | +                                               pem_password_cb *cb, void *u)
 | ||||||
|  | +{
 | ||||||
|  | +	EVP_PKEY *k;
 | ||||||
|  | +	int ret;
 | ||||||
|  | +	k = EVP_PKEY_new();
 | ||||||
|  | +	if (!k)
 | ||||||
|  | +		return 0;
 | ||||||
|  | +	EVP_PKEY_set1_DSA(k, x);
 | ||||||
|  | +	ret = fips_PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
 | ||||||
|  | +	EVP_PKEY_free(k);
 | ||||||
|  | +	return ret;
 | ||||||
|  | +}
 | ||||||
|  | +#endif
 | ||||||
|  | +
 | ||||||
|  | +#else
 | ||||||
|  | +
 | ||||||
|  |  IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey) | ||||||
|  | +
 | ||||||
|  | +#endif
 | ||||||
|  | +
 | ||||||
|  |  IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY) | ||||||
|  |   | ||||||
|  |  #ifndef OPENSSL_NO_FP_API | ||||||
|  | @@ -269,8 +381,49 @@ EC_KEY *PEM_read_bio_ECPrivateKey(BIO *b
 | ||||||
|  |   | ||||||
|  |  IMPLEMENT_PEM_rw_const(ECPKParameters, EC_GROUP, PEM_STRING_ECPARAMETERS, ECPKParameters) | ||||||
|  |   | ||||||
|  | +
 | ||||||
|  | +
 | ||||||
|  | +#ifdef OPENSSL_FIPS
 | ||||||
|  | +
 | ||||||
|  | +int PEM_write_bio_ECPrivateKey(BIO *bp, EC_KEY *x, const EVP_CIPHER *enc,
 | ||||||
|  | +                                               unsigned char *kstr, int klen,
 | ||||||
|  | +                                               pem_password_cb *cb, void *u)
 | ||||||
|  | +{
 | ||||||
|  | +	EVP_PKEY *k;
 | ||||||
|  | +	int ret;
 | ||||||
|  | +	k = EVP_PKEY_new();
 | ||||||
|  | +	if (!k)
 | ||||||
|  | +		return 0;
 | ||||||
|  | +	EVP_PKEY_set1_EC_KEY(k, x);
 | ||||||
|  | +
 | ||||||
|  | +	ret = fips_PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
 | ||||||
|  | +	EVP_PKEY_free(k);
 | ||||||
|  | +	return ret;
 | ||||||
|  | +}
 | ||||||
|  | +
 | ||||||
|  | +#ifndef OPENSSL_NO_FP_API
 | ||||||
|  | +int PEM_write_ECPrivateKey(FILE *fp, EC_KEY *x, const EVP_CIPHER *enc,
 | ||||||
|  | +                                               unsigned char *kstr, int klen,
 | ||||||
|  | +                                               pem_password_cb *cb, void *u)
 | ||||||
|  | +{
 | ||||||
|  | +	EVP_PKEY *k;
 | ||||||
|  | +	int ret;
 | ||||||
|  | +	k = EVP_PKEY_new();
 | ||||||
|  | +	if (!k)
 | ||||||
|  | +		return 0;
 | ||||||
|  | +	EVP_PKEY_set1_EC_KEY(k, x);
 | ||||||
|  | +	ret = fips_PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
 | ||||||
|  | +	EVP_PKEY_free(k);
 | ||||||
|  | +	return ret;
 | ||||||
|  | +}
 | ||||||
|  | +#endif
 | ||||||
|  | +
 | ||||||
|  | +#else
 | ||||||
|  | +
 | ||||||
|  |  IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY, ECPrivateKey) | ||||||
|  |   | ||||||
|  | +#endif
 | ||||||
|  | +
 | ||||||
|  |  IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY) | ||||||
|  |   | ||||||
|  |  #ifndef OPENSSL_NO_FP_API | ||||||
| @ -1,22 +0,0 @@ | |||||||
| diff -up openssl-1.0.0/crypto/x509/x509_cmp.c.name-hash openssl-1.0.0/crypto/x509/x509_cmp.c
 |  | ||||||
| --- openssl-1.0.0/crypto/x509/x509_cmp.c.name-hash	2010-01-12 18:27:10.000000000 +0100
 |  | ||||||
| +++ openssl-1.0.0/crypto/x509/x509_cmp.c	2010-04-06 16:44:52.000000000 +0200
 |  | ||||||
| @@ -236,10 +236,17 @@ unsigned long X509_NAME_hash_old(X509_NA
 |  | ||||||
|  	{ |  | ||||||
|  	unsigned long ret=0; |  | ||||||
|  	unsigned char md[16]; |  | ||||||
| +	EVP_MD_CTX ctx; 
 |  | ||||||
|   |  | ||||||
|  	/* Make sure X509_NAME structure contains valid cached encoding */ |  | ||||||
|  	i2d_X509_NAME(x,NULL); |  | ||||||
| -	EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
 |  | ||||||
| +
 |  | ||||||
| +	EVP_MD_CTX_init(&ctx);
 |  | ||||||
| +	EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_ONESHOT | EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
 |  | ||||||
| +        EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)
 |  | ||||||
| +		&& EVP_DigestUpdate(&ctx, x->bytes->data, x->bytes->length)
 |  | ||||||
| +		&& EVP_DigestFinal_ex(&ctx, md, NULL);
 |  | ||||||
| +	EVP_MD_CTX_cleanup(&ctx);
 |  | ||||||
|   |  | ||||||
|  	ret=(	((unsigned long)md[0]     )|((unsigned long)md[1]<<8L)| |  | ||||||
|  		((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) |  | ||||||
										
											
												File diff suppressed because it is too large
												Load Diff
											
										
									
								
							| @ -1,272 +0,0 @@ | |||||||
| diff -up openssl-1.0.0a/crypto/engine/eng_all.c.fipsmode openssl-1.0.0a/crypto/engine/eng_all.c
 |  | ||||||
| --- openssl-1.0.0a/crypto/engine/eng_all.c.fipsmode	2009-07-01 16:55:58.000000000 +0200
 |  | ||||||
| +++ openssl-1.0.0a/crypto/engine/eng_all.c	2010-06-04 13:32:13.000000000 +0200
 |  | ||||||
| @@ -58,9 +58,23 @@
 |  | ||||||
|   |  | ||||||
|  #include "cryptlib.h" |  | ||||||
|  #include "eng_int.h" |  | ||||||
| +#ifdef OPENSSL_FIPS
 |  | ||||||
| +#include <openssl/fips.h>
 |  | ||||||
| +#endif
 |  | ||||||
|   |  | ||||||
|  void ENGINE_load_builtin_engines(void) |  | ||||||
|  	{ |  | ||||||
| +#ifdef OPENSSL_FIPS
 |  | ||||||
| +	OPENSSL_init_library();
 |  | ||||||
| +	if (FIPS_mode()) {
 |  | ||||||
| +		/* We allow loading dynamic engine as a third party
 |  | ||||||
| +		   engine might be FIPS validated.
 |  | ||||||
| +		   User is disallowed to load non-validated engines
 |  | ||||||
| +		   by security policy. */
 |  | ||||||
| +		ENGINE_load_dynamic();
 |  | ||||||
| +		return;
 |  | ||||||
| +	}
 |  | ||||||
| +#endif
 |  | ||||||
|  #if 0 |  | ||||||
|  	/* There's no longer any need for an "openssl" ENGINE unless, one day, |  | ||||||
|  	 * it is the *only* way for standard builtin implementations to be be |  | ||||||
| diff -up openssl-1.0.0a/crypto/evp/c_allc.c.fipsmode openssl-1.0.0a/crypto/evp/c_allc.c
 |  | ||||||
| --- openssl-1.0.0a/crypto/evp/c_allc.c.fipsmode	2009-12-25 15:12:24.000000000 +0100
 |  | ||||||
| +++ openssl-1.0.0a/crypto/evp/c_allc.c	2010-06-04 13:32:13.000000000 +0200
 |  | ||||||
| @@ -65,6 +65,11 @@
 |  | ||||||
|  void OpenSSL_add_all_ciphers(void) |  | ||||||
|  	{ |  | ||||||
|   |  | ||||||
| +#ifdef OPENSSL_FIPS
 |  | ||||||
| +	OPENSSL_init_library();
 |  | ||||||
| +	if(!FIPS_mode()) 
 |  | ||||||
| +		{
 |  | ||||||
| +#endif
 |  | ||||||
|  #ifndef OPENSSL_NO_DES |  | ||||||
|  	EVP_add_cipher(EVP_des_cfb()); |  | ||||||
|  	EVP_add_cipher(EVP_des_cfb1()); |  | ||||||
| @@ -221,4 +226,61 @@ void OpenSSL_add_all_ciphers(void)
 |  | ||||||
|  	EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256"); |  | ||||||
|  	EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256"); |  | ||||||
|  #endif |  | ||||||
| +#ifdef OPENSSL_FIPS
 |  | ||||||
| +		}
 |  | ||||||
| +	else
 |  | ||||||
| +		{
 |  | ||||||
| +#ifndef OPENSSL_NO_DES
 |  | ||||||
| +	EVP_add_cipher(EVP_des_ede_cfb());
 |  | ||||||
| +	EVP_add_cipher(EVP_des_ede3_cfb());
 |  | ||||||
| +
 |  | ||||||
| +	EVP_add_cipher(EVP_des_ede_ofb());
 |  | ||||||
| +	EVP_add_cipher(EVP_des_ede3_ofb());
 |  | ||||||
| +
 |  | ||||||
| +	EVP_add_cipher(EVP_des_ede_cbc());
 |  | ||||||
| +	EVP_add_cipher(EVP_des_ede3_cbc());
 |  | ||||||
| +	EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
 |  | ||||||
| +	EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
 |  | ||||||
| +
 |  | ||||||
| +	EVP_add_cipher(EVP_des_ede());
 |  | ||||||
| +	EVP_add_cipher(EVP_des_ede3());
 |  | ||||||
| +#endif
 |  | ||||||
| +
 |  | ||||||
| +#ifndef OPENSSL_NO_AES
 |  | ||||||
| +	EVP_add_cipher(EVP_aes_128_ecb());
 |  | ||||||
| +	EVP_add_cipher(EVP_aes_128_cbc());
 |  | ||||||
| +	EVP_add_cipher(EVP_aes_128_cfb());
 |  | ||||||
| +	EVP_add_cipher(EVP_aes_128_cfb1());
 |  | ||||||
| +	EVP_add_cipher(EVP_aes_128_cfb8());
 |  | ||||||
| +	EVP_add_cipher(EVP_aes_128_ofb());
 |  | ||||||
| +#if 0
 |  | ||||||
| +	EVP_add_cipher(EVP_aes_128_ctr());
 |  | ||||||
| +#endif
 |  | ||||||
| +	EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
 |  | ||||||
| +	EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
 |  | ||||||
| +	EVP_add_cipher(EVP_aes_192_ecb());
 |  | ||||||
| +	EVP_add_cipher(EVP_aes_192_cbc());
 |  | ||||||
| +	EVP_add_cipher(EVP_aes_192_cfb());
 |  | ||||||
| +	EVP_add_cipher(EVP_aes_192_cfb1());
 |  | ||||||
| +	EVP_add_cipher(EVP_aes_192_cfb8());
 |  | ||||||
| +	EVP_add_cipher(EVP_aes_192_ofb());
 |  | ||||||
| +#if 0
 |  | ||||||
| +	EVP_add_cipher(EVP_aes_192_ctr());
 |  | ||||||
| +#endif
 |  | ||||||
| +	EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
 |  | ||||||
| +	EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
 |  | ||||||
| +	EVP_add_cipher(EVP_aes_256_ecb());
 |  | ||||||
| +	EVP_add_cipher(EVP_aes_256_cbc());
 |  | ||||||
| +	EVP_add_cipher(EVP_aes_256_cfb());
 |  | ||||||
| +	EVP_add_cipher(EVP_aes_256_cfb1());
 |  | ||||||
| +	EVP_add_cipher(EVP_aes_256_cfb8());
 |  | ||||||
| +	EVP_add_cipher(EVP_aes_256_ofb());
 |  | ||||||
| +#if 0
 |  | ||||||
| +	EVP_add_cipher(EVP_aes_256_ctr());
 |  | ||||||
| +#endif
 |  | ||||||
| +	EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
 |  | ||||||
| +	EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
 |  | ||||||
| +#endif
 |  | ||||||
| +		}
 |  | ||||||
| +#endif
 |  | ||||||
|  	} |  | ||||||
| diff -up openssl-1.0.0a/crypto/evp/c_alld.c.fipsmode openssl-1.0.0a/crypto/evp/c_alld.c
 |  | ||||||
| --- openssl-1.0.0a/crypto/evp/c_alld.c.fipsmode	2009-07-08 10:50:53.000000000 +0200
 |  | ||||||
| +++ openssl-1.0.0a/crypto/evp/c_alld.c	2010-06-04 13:32:13.000000000 +0200
 |  | ||||||
| @@ -64,6 +64,11 @@
 |  | ||||||
|   |  | ||||||
|  void OpenSSL_add_all_digests(void) |  | ||||||
|  	{ |  | ||||||
| +#ifdef OPENSSL_FIPS
 |  | ||||||
| +	OPENSSL_init_library();
 |  | ||||||
| +	if (!FIPS_mode())
 |  | ||||||
| +		{
 |  | ||||||
| +#endif
 |  | ||||||
|  #ifndef OPENSSL_NO_MD4 |  | ||||||
|  	EVP_add_digest(EVP_md4()); |  | ||||||
|  #endif |  | ||||||
| @@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
 |  | ||||||
|  #ifndef OPENSSL_NO_WHIRLPOOL |  | ||||||
|  	EVP_add_digest(EVP_whirlpool()); |  | ||||||
|  #endif |  | ||||||
| +#ifdef OPENSSL_FIPS
 |  | ||||||
| +		}
 |  | ||||||
| +	else
 |  | ||||||
| +		{
 |  | ||||||
| +#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
 |  | ||||||
| +	EVP_add_digest(EVP_sha1());
 |  | ||||||
| +	EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
 |  | ||||||
| +	EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
 |  | ||||||
| +#ifndef OPENSSL_NO_DSA
 |  | ||||||
| +	EVP_add_digest(EVP_dss1());
 |  | ||||||
| +	EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
 |  | ||||||
| +	EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
 |  | ||||||
| +	EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
 |  | ||||||
| +#endif
 |  | ||||||
| +#ifndef OPENSSL_NO_ECDSA
 |  | ||||||
| +	EVP_add_digest(EVP_ecdsa());
 |  | ||||||
| +#endif
 |  | ||||||
| +#endif
 |  | ||||||
| +#ifndef OPENSSL_NO_SHA256
 |  | ||||||
| +	EVP_add_digest(EVP_sha224());
 |  | ||||||
| +	EVP_add_digest(EVP_sha256());
 |  | ||||||
| +#endif
 |  | ||||||
| +#ifndef OPENSSL_NO_SHA512
 |  | ||||||
| +	EVP_add_digest(EVP_sha384());
 |  | ||||||
| +	EVP_add_digest(EVP_sha512());
 |  | ||||||
| +#endif
 |  | ||||||
| +		}
 |  | ||||||
| +#endif
 |  | ||||||
|  	} |  | ||||||
| diff -up openssl-1.0.0a/crypto/o_init.c.fipsmode openssl-1.0.0a/crypto/o_init.c
 |  | ||||||
| --- openssl-1.0.0a/crypto/o_init.c.fipsmode	2010-06-04 13:32:13.000000000 +0200
 |  | ||||||
| +++ openssl-1.0.0a/crypto/o_init.c	2010-06-04 13:32:13.000000000 +0200
 |  | ||||||
| @@ -59,6 +59,43 @@
 |  | ||||||
|  #include <e_os.h> |  | ||||||
|  #include <openssl/err.h> |  | ||||||
|   |  | ||||||
| +#ifdef OPENSSL_FIPS
 |  | ||||||
| +#include <sys/types.h>
 |  | ||||||
| +#include <sys/stat.h>
 |  | ||||||
| +#include <fcntl.h>
 |  | ||||||
| +#include <unistd.h>
 |  | ||||||
| +#include <errno.h>
 |  | ||||||
| +#include <stdlib.h>
 |  | ||||||
| +#include <openssl/fips.h>
 |  | ||||||
| +
 |  | ||||||
| +#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
 |  | ||||||
| +
 |  | ||||||
| +static void init_fips_mode(void)
 |  | ||||||
| +	{
 |  | ||||||
| +	char buf[2] = "0";
 |  | ||||||
| +	int fd;
 |  | ||||||
| +	
 |  | ||||||
| +	if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
 |  | ||||||
| +		{
 |  | ||||||
| +		buf[0] = '1';
 |  | ||||||
| +		}
 |  | ||||||
| +	else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0)
 |  | ||||||
| +		{
 |  | ||||||
| +		while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
 |  | ||||||
| +		close(fd);
 |  | ||||||
| +		}
 |  | ||||||
| +	/* Failure reading the fips mode switch file means just not
 |  | ||||||
| +	 * switching into FIPS mode. We would break too many things
 |  | ||||||
| +	 * otherwise. 
 |  | ||||||
| +	 */
 |  | ||||||
| +	
 |  | ||||||
| +	if (buf[0] == '1')
 |  | ||||||
| +		{
 |  | ||||||
| +		FIPS_mode_set(1);
 |  | ||||||
| +		}
 |  | ||||||
| +	}
 |  | ||||||
| +#endif
 |  | ||||||
| +
 |  | ||||||
|  /* Perform any essential OpenSSL initialization operations. |  | ||||||
|   * Currently only sets FIPS callbacks |  | ||||||
|   */ |  | ||||||
| @@ -72,6 +109,7 @@ void OPENSSL_init_library(void)
 |  | ||||||
|  #ifdef CRYPTO_MDEBUG |  | ||||||
|  		CRYPTO_malloc_debug_init(); |  | ||||||
|  #endif |  | ||||||
| +		init_fips_mode();
 |  | ||||||
|  		done = 1; |  | ||||||
|  		} |  | ||||||
|  #endif |  | ||||||
| diff -up openssl-1.0.0a/ssl/ssl_algs.c.fipsmode openssl-1.0.0a/ssl/ssl_algs.c
 |  | ||||||
| --- openssl-1.0.0a/ssl/ssl_algs.c.fipsmode	2010-04-07 15:18:30.000000000 +0200
 |  | ||||||
| +++ openssl-1.0.0a/ssl/ssl_algs.c	2010-06-04 13:32:48.000000000 +0200
 |  | ||||||
| @@ -64,6 +64,12 @@
 |  | ||||||
|  int SSL_library_init(void) |  | ||||||
|  	{ |  | ||||||
|   |  | ||||||
| +#ifdef OPENSSL_FIPS
 |  | ||||||
| +	OPENSSL_init_library();
 |  | ||||||
| +	if (!FIPS_mode())
 |  | ||||||
| +		{
 |  | ||||||
| +#endif
 |  | ||||||
| +
 |  | ||||||
|  #ifndef OPENSSL_NO_DES |  | ||||||
|  	EVP_add_cipher(EVP_des_cbc()); |  | ||||||
|  	EVP_add_cipher(EVP_des_ede3_cbc()); |  | ||||||
| @@ -127,6 +133,48 @@ int SSL_library_init(void)
 |  | ||||||
|  	EVP_add_digest(EVP_sha()); |  | ||||||
|  	EVP_add_digest(EVP_dss()); |  | ||||||
|  #endif |  | ||||||
| +#ifdef OPENSSL_FIPS
 |  | ||||||
| +		}
 |  | ||||||
| +	else
 |  | ||||||
| +		{
 |  | ||||||
| +#ifndef OPENSSL_NO_DES
 |  | ||||||
| +	EVP_add_cipher(EVP_des_ede3_cbc());
 |  | ||||||
| +#endif
 |  | ||||||
| +#ifndef OPENSSL_NO_AES
 |  | ||||||
| +	EVP_add_cipher(EVP_aes_128_cbc());
 |  | ||||||
| +	EVP_add_cipher(EVP_aes_192_cbc());
 |  | ||||||
| +	EVP_add_cipher(EVP_aes_256_cbc());
 |  | ||||||
| +#endif
 |  | ||||||
| +#ifndef OPENSSL_NO_MD5
 |  | ||||||
| +	/* needed even in the FIPS mode for TLS MAC */
 |  | ||||||
| +	EVP_add_digest(EVP_md5());
 |  | ||||||
| +	EVP_add_digest_alias(SN_md5,"ssl2-md5");
 |  | ||||||
| +	EVP_add_digest_alias(SN_md5,"ssl3-md5");
 |  | ||||||
| +#endif
 |  | ||||||
| +#ifndef OPENSSL_NO_SHA
 |  | ||||||
| +	EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
 |  | ||||||
| +	EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
 |  | ||||||
| +	EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
 |  | ||||||
| +#endif
 |  | ||||||
| +#ifndef OPENSSL_NO_SHA256
 |  | ||||||
| +	EVP_add_digest(EVP_sha224());
 |  | ||||||
| +	EVP_add_digest(EVP_sha256());
 |  | ||||||
| +#endif
 |  | ||||||
| +#ifndef OPENSSL_NO_SHA512
 |  | ||||||
| +	EVP_add_digest(EVP_sha384());
 |  | ||||||
| +	EVP_add_digest(EVP_sha512());
 |  | ||||||
| +#endif
 |  | ||||||
| +#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
 |  | ||||||
| +	EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
 |  | ||||||
| +	EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
 |  | ||||||
| +	EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
 |  | ||||||
| +	EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
 |  | ||||||
| +#endif
 |  | ||||||
| +#ifndef OPENSSL_NO_ECDSA
 |  | ||||||
| +	EVP_add_digest(EVP_ecdsa());
 |  | ||||||
| +#endif
 |  | ||||||
| +		}
 |  | ||||||
| +#endif
 |  | ||||||
|  #ifndef OPENSSL_NO_COMP |  | ||||||
|  	/* This will initialise the built-in compression algorithms. |  | ||||||
|  	   The value returned is a STACK_OF(SSL_COMP), but that can |  | ||||||
| @ -1,21 +0,0 @@ | |||||||
| diff -up openssl-1.0.0a/doc/apps/openssl.pod.manfix openssl-1.0.0a/doc/apps/openssl.pod
 |  | ||||||
| --- openssl-1.0.0a/doc/apps/openssl.pod.manfix	2010-01-21 19:46:28.000000000 +0100
 |  | ||||||
| +++ openssl-1.0.0a/doc/apps/openssl.pod	2010-06-30 14:24:50.000000000 +0200
 |  | ||||||
| @@ -287,8 +287,6 @@ SHA Digest
 |  | ||||||
|   |  | ||||||
|  SHA-1 Digest |  | ||||||
|   |  | ||||||
| -=back
 |  | ||||||
| -
 |  | ||||||
|  =item B<sha224> |  | ||||||
|   |  | ||||||
|  SHA-224 Digest |  | ||||||
| @@ -305,6 +303,8 @@ SHA-384 Digest
 |  | ||||||
|   |  | ||||||
|  SHA-512 Digest |  | ||||||
|   |  | ||||||
| +=back
 |  | ||||||
| +
 |  | ||||||
|  =head2 ENCODING AND CIPHER COMMANDS |  | ||||||
|   |  | ||||||
|  =over 10 |  | ||||||
										
											
												File diff suppressed because it is too large
												Load Diff
											
										
									
								
							| @ -1,57 +0,0 @@ | |||||||
| diff -up openssl-1.0.0c/apps/s_socket.c.ipv6listen openssl-1.0.0c/apps/s_socket.c
 |  | ||||||
| --- openssl-1.0.0c/apps/s_socket.c.ipv6listen	2011-01-24 16:44:18.000000000 +0100
 |  | ||||||
| +++ openssl-1.0.0c/apps/s_socket.c	2011-01-24 16:56:25.000000000 +0100
 |  | ||||||
| @@ -335,15 +335,16 @@ int do_server(char *port, int type, int 
 |  | ||||||
|   |  | ||||||
|  static int init_server(int *sock, char *port, int type) |  | ||||||
|  	{ |  | ||||||
| -	struct addrinfo *res, *res0, hints;
 |  | ||||||
| +	struct addrinfo *res, *res0 = NULL, hints;
 |  | ||||||
|  	char * failed_call = NULL; |  | ||||||
| -	char port_name[8];
 |  | ||||||
|  	int s; |  | ||||||
|  	int e; |  | ||||||
|   |  | ||||||
|  	if (!ssl_sock_init()) return(0); |  | ||||||
|   |  | ||||||
|  	memset(&hints, '\0', sizeof(hints)); |  | ||||||
| +        hints.ai_family = AF_INET6;
 |  | ||||||
| +tryipv4:
 |  | ||||||
|  	hints.ai_socktype = type; |  | ||||||
|  	hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG; |  | ||||||
|  	 |  | ||||||
| @@ -365,6 +366,12 @@ static int init_server(int *sock, char *
 |  | ||||||
|  			failed_call = "socket"; |  | ||||||
|  			goto nextres; |  | ||||||
|  			} |  | ||||||
| +		if (hints.ai_family == AF_INET6)
 |  | ||||||
| +			{
 |  | ||||||
| +			int j = 0;
 |  | ||||||
| +			setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
 |  | ||||||
| +				   (void *) &j, sizeof j);
 |  | ||||||
| +			}
 |  | ||||||
|  #if defined SOL_SOCKET && defined SO_REUSEADDR |  | ||||||
|  		{ |  | ||||||
|  		int j = 1; |  | ||||||
| @@ -392,9 +399,19 @@ nextres:
 |  | ||||||
|  			close(s); |  | ||||||
|  		res = res->ai_next; |  | ||||||
|  	} |  | ||||||
| -	freeaddrinfo(res0);
 |  | ||||||
| +	if (res0)
 |  | ||||||
| +		freeaddrinfo(res0);
 |  | ||||||
|   |  | ||||||
| -	if (s == INVALID_SOCKET) { perror("socket"); return(0); }
 |  | ||||||
| +	if (s == INVALID_SOCKET)
 |  | ||||||
| +	{
 |  | ||||||
| +		if (hints.ai_family == AF_INET6)
 |  | ||||||
| +		{
 |  | ||||||
| +			hints.ai_family = AF_INET;
 |  | ||||||
| +			goto tryipv4;
 |  | ||||||
| +		}
 |  | ||||||
| +		perror("socket");
 |  | ||||||
| +		return(0);
 |  | ||||||
| +	}
 |  | ||||||
|   |  | ||||||
|  	perror(failed_call); |  | ||||||
|  	return(0); |  | ||||||
| @ -1,20 +0,0 @@ | |||||||
| diff -up openssl-1.0.0c/crypto/md5/md5_dgst.c.md5-allow openssl-1.0.0c/crypto/md5/md5_dgst.c
 |  | ||||||
| --- openssl-1.0.0c/crypto/md5/md5_dgst.c.md5-allow	2011-02-03 19:53:28.000000000 +0100
 |  | ||||||
| +++ openssl-1.0.0c/crypto/md5/md5_dgst.c	2011-02-03 20:33:14.000000000 +0100
 |  | ||||||
| @@ -75,7 +75,15 @@ const char MD5_version[]="MD5" OPENSSL_V
 |  | ||||||
|  #define INIT_DATA_C (unsigned long)0x98badcfeL |  | ||||||
|  #define INIT_DATA_D (unsigned long)0x10325476L |  | ||||||
|   |  | ||||||
| -FIPS_NON_FIPS_MD_Init(MD5)
 |  | ||||||
| +int MD5_Init(MD5_CTX *c)
 |  | ||||||
| +#ifdef OPENSSL_FIPS
 |  | ||||||
| +	{
 |  | ||||||
| +	if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
 |  | ||||||
| +		FIPS_BAD_ALGORITHM(alg)
 |  | ||||||
| +	return private_MD5_Init(c);
 |  | ||||||
| +	}
 |  | ||||||
| +int private_MD5_Init(MD5_CTX *c)
 |  | ||||||
| +#endif
 |  | ||||||
|  	{ |  | ||||||
|  	memset (c,0,sizeof(*c)); |  | ||||||
|  	c->A=INIT_DATA_A; |  | ||||||
| @ -1,384 +0,0 @@ | |||||||
| diff -up openssl-1.0.0c/crypto/dsa/dsa_gen.c.fips186-3 openssl-1.0.0c/crypto/dsa/dsa_gen.c
 |  | ||||||
| --- openssl-1.0.0c/crypto/dsa/dsa_gen.c.fips186-3	2011-02-03 21:04:14.000000000 +0100
 |  | ||||||
| +++ openssl-1.0.0c/crypto/dsa/dsa_gen.c	2011-02-04 08:54:42.000000000 +0100
 |  | ||||||
| @@ -120,11 +120,11 @@ int dsa_builtin_paramgen(DSA *ret, size_
 |  | ||||||
|  	int ok=0; |  | ||||||
|  	unsigned char seed[SHA256_DIGEST_LENGTH]; |  | ||||||
|  	unsigned char md[SHA256_DIGEST_LENGTH]; |  | ||||||
| -	unsigned char buf[SHA256_DIGEST_LENGTH],buf2[SHA256_DIGEST_LENGTH];
 |  | ||||||
| +	unsigned char buf[SHA256_DIGEST_LENGTH];
 |  | ||||||
|  	BIGNUM *r0,*W,*X,*c,*test; |  | ||||||
|  	BIGNUM *g=NULL,*q=NULL,*p=NULL; |  | ||||||
|  	BN_MONT_CTX *mont=NULL; |  | ||||||
| -	int i, k, n=0, m=0, qsize = qbits >> 3;
 |  | ||||||
| +	int i, k, b, n=0, m=0, qsize = qbits >> 3;
 |  | ||||||
|  	int counter=0; |  | ||||||
|  	int r=0; |  | ||||||
|  	BN_CTX *ctx=NULL; |  | ||||||
| @@ -138,9 +138,13 @@ int dsa_builtin_paramgen(DSA *ret, size_
 |  | ||||||
|  	    goto err; |  | ||||||
|  	    } |  | ||||||
|   |  | ||||||
| -	if (FIPS_mode() && (bits < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS))
 |  | ||||||
| +	if (FIPS_mode() &&
 |  | ||||||
| +	    (bits != 1024 || qbits != 160) &&
 |  | ||||||
| +	    (bits != 2048 || qbits != 224) &&
 |  | ||||||
| +	    (bits != 2048 || qbits != 256) &&
 |  | ||||||
| +	    (bits != 3072 || qbits != 256))
 |  | ||||||
|  		{ |  | ||||||
| -		DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_TOO_SMALL);
 |  | ||||||
| +		DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
 |  | ||||||
|  		goto err; |  | ||||||
|  		} |  | ||||||
|  #endif |  | ||||||
| @@ -151,22 +155,25 @@ int dsa_builtin_paramgen(DSA *ret, size_
 |  | ||||||
|  		return 0; |  | ||||||
|   |  | ||||||
|  	if (evpmd == NULL) |  | ||||||
| -		/* use SHA1 as default */
 |  | ||||||
| -		evpmd = EVP_sha1();
 |  | ||||||
| +	    {
 |  | ||||||
| +		if (qbits <= 160)
 |  | ||||||
| +			evpmd = EVP_sha1();
 |  | ||||||
| +		else if (qbits <= 224)
 |  | ||||||
| +			evpmd = EVP_sha224();
 |  | ||||||
| +		else
 |  | ||||||
| +			evpmd = EVP_sha256();
 |  | ||||||
| +	    }
 |  | ||||||
|   |  | ||||||
|  	if (bits < 512) |  | ||||||
|  		bits = 512; |  | ||||||
|   |  | ||||||
|  	bits = (bits+63)/64*64; |  | ||||||
|   |  | ||||||
| -	/* NB: seed_len == 0 is special case: copy generated seed to
 |  | ||||||
| - 	 * seed_in if it is not NULL.
 |  | ||||||
| - 	 */
 |  | ||||||
|  	if (seed_len && (seed_len < (size_t)qsize)) |  | ||||||
|  		seed_in = NULL;		/* seed buffer too small -- ignore */ |  | ||||||
|  	if (seed_len > (size_t)qsize)  |  | ||||||
|  		seed_len = qsize;	/* App. 2.2 of FIPS PUB 186 allows larger SEED, |  | ||||||
| -					 * but our internal buffers are restricted to 160 bits*/
 |  | ||||||
| +					 * but our internal buffers are restricted to 256 bits*/
 |  | ||||||
|  	if (seed_in != NULL) |  | ||||||
|  		memcpy(seed, seed_in, seed_len); |  | ||||||
|   |  | ||||||
| @@ -189,13 +196,18 @@ int dsa_builtin_paramgen(DSA *ret, size_
 |  | ||||||
|  	if (!BN_lshift(test,BN_value_one(),bits-1)) |  | ||||||
|  		goto err; |  | ||||||
|   |  | ||||||
| +	/* step 3 n = \lceil bits / qbits \rceil - 1 */
 |  | ||||||
| +	n = (bits+qbits-1)/qbits - 1;
 |  | ||||||
| +	/* step 4 b = bits - 1 - n * qbits */
 |  | ||||||
| +	b = bits - 1 - n*qbits;
 |  | ||||||
| +
 |  | ||||||
|  	for (;;) |  | ||||||
|  		{ |  | ||||||
|  		for (;;) /* find q */ |  | ||||||
|  			{ |  | ||||||
|  			int seed_is_random; |  | ||||||
|   |  | ||||||
| -			/* step 1 */
 |  | ||||||
| +			/* step 5 generate seed */
 |  | ||||||
|  			if(!BN_GENCB_call(cb, 0, m++)) |  | ||||||
|  				goto err; |  | ||||||
|   |  | ||||||
| @@ -210,28 +222,17 @@ int dsa_builtin_paramgen(DSA *ret, size_
 |  | ||||||
|  				seed_len=0; /* use random seed if 'seed_in' turns out to be bad*/ |  | ||||||
|  				} |  | ||||||
|  			memcpy(buf , seed, qsize); |  | ||||||
| -			memcpy(buf2, seed, qsize);
 |  | ||||||
| -			/* precompute "SEED + 1" for step 7: */
 |  | ||||||
| -			for (i = qsize-1; i >= 0; i--)
 |  | ||||||
| -				{
 |  | ||||||
| -				buf[i]++;
 |  | ||||||
| -				if (buf[i] != 0)
 |  | ||||||
| -					break;
 |  | ||||||
| -				}
 |  | ||||||
|   |  | ||||||
| -			/* step 2 */
 |  | ||||||
| +			/* step 6 U = hash(seed) */
 |  | ||||||
|  			EVP_Digest(seed, qsize, md,   NULL, evpmd, NULL); |  | ||||||
| -			EVP_Digest(buf,  qsize, buf2, NULL, evpmd, NULL);
 |  | ||||||
| -			for (i = 0; i < qsize; i++)
 |  | ||||||
| -				md[i]^=buf2[i];
 |  | ||||||
|   |  | ||||||
| -			/* step 3 */
 |  | ||||||
| +			/* step 7 q = 2^(qbits-1) + U + 1 - (U mod 2) */
 |  | ||||||
|  			md[0] |= 0x80; |  | ||||||
|  			md[qsize-1] |= 0x01; |  | ||||||
|  			if (!BN_bin2bn(md, qsize, q)) |  | ||||||
|  				goto err; |  | ||||||
|   |  | ||||||
| -			/* step 4 */
 |  | ||||||
| +			/* step 8 test for prime (64 round of Rabin-Miller) */
 |  | ||||||
|  			r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, |  | ||||||
|  					seed_is_random, cb); |  | ||||||
|  			if (r > 0) |  | ||||||
| @@ -239,27 +240,22 @@ int dsa_builtin_paramgen(DSA *ret, size_
 |  | ||||||
|  			if (r != 0) |  | ||||||
|  				goto err; |  | ||||||
|   |  | ||||||
| -			/* do a callback call */
 |  | ||||||
| -			/* step 5 */
 |  | ||||||
|  			} |  | ||||||
|   |  | ||||||
|  		if(!BN_GENCB_call(cb, 2, 0)) goto err; |  | ||||||
|  		if(!BN_GENCB_call(cb, 3, 0)) goto err; |  | ||||||
|   |  | ||||||
| -		/* step 6 */
 |  | ||||||
| +		/* step 11 */
 |  | ||||||
|  		counter=0; |  | ||||||
| -		/* "offset = 2" */
 |  | ||||||
| -
 |  | ||||||
| -		n=(bits-1)/160;
 |  | ||||||
| +		/* "offset = 1" */
 |  | ||||||
|   |  | ||||||
|  		for (;;) |  | ||||||
|  			{ |  | ||||||
|  			if ((counter != 0) && !BN_GENCB_call(cb, 0, counter)) |  | ||||||
|  				goto err; |  | ||||||
|   |  | ||||||
| -			/* step 7 */
 |  | ||||||
| +			/* step 11.1, 11.2 obtain W */
 |  | ||||||
|  			BN_zero(W); |  | ||||||
| -			/* now 'buf' contains "SEED + offset - 1" */
 |  | ||||||
|  			for (k=0; k<=n; k++) |  | ||||||
|  				{ |  | ||||||
|  				/* obtain "SEED + offset + k" by incrementing: */ |  | ||||||
| @@ -272,28 +268,30 @@ int dsa_builtin_paramgen(DSA *ret, size_
 |  | ||||||
|   |  | ||||||
|  				EVP_Digest(buf, qsize, md ,NULL, evpmd, NULL); |  | ||||||
|   |  | ||||||
| -				/* step 8 */
 |  | ||||||
|  				if (!BN_bin2bn(md, qsize, r0)) |  | ||||||
|  					goto err; |  | ||||||
| -				if (!BN_lshift(r0,r0,(qsize << 3)*k)) goto err;
 |  | ||||||
| +				if (k == n)
 |  | ||||||
| +					BN_mask_bits(r0,b);
 |  | ||||||
| +				if (!BN_lshift(r0,r0,qbits*k)) goto err;
 |  | ||||||
|  				if (!BN_add(W,W,r0)) goto err; |  | ||||||
|  				} |  | ||||||
|   |  | ||||||
| -			/* more of step 8 */
 |  | ||||||
| -			if (!BN_mask_bits(W,bits-1)) goto err;
 |  | ||||||
| +			/* step 11.3 X = W + 2^(L-1) */
 |  | ||||||
|  			if (!BN_copy(X,W)) goto err; |  | ||||||
|  			if (!BN_add(X,X,test)) goto err; |  | ||||||
|   |  | ||||||
| -			/* step 9 */
 |  | ||||||
| +			/* step 11.4 c = X mod 2*q */
 |  | ||||||
|  			if (!BN_lshift1(r0,q)) goto err; |  | ||||||
|  			if (!BN_mod(c,X,r0,ctx)) goto err; |  | ||||||
| +
 |  | ||||||
| +			/* step 11.5 p = X - (c - 1) */
 |  | ||||||
|  			if (!BN_sub(r0,c,BN_value_one())) goto err; |  | ||||||
|  			if (!BN_sub(p,X,r0)) goto err; |  | ||||||
|   |  | ||||||
| -			/* step 10 */
 |  | ||||||
| +			/* step 11.6 */
 |  | ||||||
|  			if (BN_cmp(p,test) >= 0) |  | ||||||
|  				{ |  | ||||||
| -				/* step 11 */
 |  | ||||||
| +				/* step 11.7 */
 |  | ||||||
|  				r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, |  | ||||||
|  						ctx, 1, cb); |  | ||||||
|  				if (r > 0) |  | ||||||
| @@ -302,12 +300,12 @@ int dsa_builtin_paramgen(DSA *ret, size_
 |  | ||||||
|  					goto err; |  | ||||||
|  				} |  | ||||||
|   |  | ||||||
| -			/* step 13 */
 |  | ||||||
| +			/* step 11.9 */
 |  | ||||||
|  			counter++; |  | ||||||
|  			/* "offset = offset + n + 1" */ |  | ||||||
|   |  | ||||||
| -			/* step 14 */
 |  | ||||||
| -			if (counter >= 4096) break;
 |  | ||||||
| +			/* step 12 */
 |  | ||||||
| +			if (counter >= 4*bits) break;
 |  | ||||||
|  			} |  | ||||||
|  		} |  | ||||||
|  end: |  | ||||||
| diff -up openssl-1.0.0c/crypto/dsa/dsa.h.fips186-3 openssl-1.0.0c/crypto/dsa/dsa.h
 |  | ||||||
| --- openssl-1.0.0c/crypto/dsa/dsa.h.fips186-3	2011-02-03 21:04:14.000000000 +0100
 |  | ||||||
| +++ openssl-1.0.0c/crypto/dsa/dsa.h	2011-02-03 21:04:14.000000000 +0100
 |  | ||||||
| @@ -316,6 +316,7 @@ void ERR_load_DSA_strings(void);
 |  | ||||||
|  #define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE		 100 |  | ||||||
|  #define DSA_R_DECODE_ERROR				 104 |  | ||||||
|  #define DSA_R_INVALID_DIGEST_TYPE			 106 |  | ||||||
| +#define DSA_R_KEY_SIZE_INVALID				 113
 |  | ||||||
|  #define DSA_R_KEY_SIZE_TOO_SMALL			 110 |  | ||||||
|  #define DSA_R_MISSING_PARAMETERS			 101 |  | ||||||
|  #define DSA_R_MODULUS_TOO_LARGE				 103 |  | ||||||
| diff -up openssl-1.0.0c/crypto/dsa/dsatest.c.fips186-3 openssl-1.0.0c/crypto/dsa/dsatest.c
 |  | ||||||
| --- openssl-1.0.0c/crypto/dsa/dsatest.c.fips186-3	2011-02-03 21:14:07.000000000 +0100
 |  | ||||||
| +++ openssl-1.0.0c/crypto/dsa/dsatest.c	2011-02-04 08:40:24.000000000 +0100
 |  | ||||||
| @@ -96,36 +96,41 @@ static int MS_CALLBACK dsa_cb(int p, int
 |  | ||||||
|  /* seed, out_p, out_q, out_g are taken from the updated Appendix 5 to |  | ||||||
|   * FIPS PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 */ |  | ||||||
|  static unsigned char seed[20]={ |  | ||||||
| -	0xd5,0x01,0x4e,0x4b,0x60,0xef,0x2b,0xa8,0xb6,0x21,0x1b,0x40,
 |  | ||||||
| -	0x62,0xba,0x32,0x24,0xe0,0x42,0x7d,0xd3,
 |  | ||||||
| +	0x02,0x47,0x11,0x92,0x11,0x88,0xC8,0xFB,0xAF,0x48,0x4C,0x62,
 |  | ||||||
| +	0xDF,0xA5,0xBE,0xA0,0xA4,0x3C,0x56,0xE3,
 |  | ||||||
|  	}; |  | ||||||
|   |  | ||||||
|  static unsigned char out_p[]={ |  | ||||||
| -	0x8d,0xf2,0xa4,0x94,0x49,0x22,0x76,0xaa,
 |  | ||||||
| -	0x3d,0x25,0x75,0x9b,0xb0,0x68,0x69,0xcb,
 |  | ||||||
| -	0xea,0xc0,0xd8,0x3a,0xfb,0x8d,0x0c,0xf7,
 |  | ||||||
| -	0xcb,0xb8,0x32,0x4f,0x0d,0x78,0x82,0xe5,
 |  | ||||||
| -	0xd0,0x76,0x2f,0xc5,0xb7,0x21,0x0e,0xaf,
 |  | ||||||
| -	0xc2,0xe9,0xad,0xac,0x32,0xab,0x7a,0xac,
 |  | ||||||
| -	0x49,0x69,0x3d,0xfb,0xf8,0x37,0x24,0xc2,
 |  | ||||||
| -	0xec,0x07,0x36,0xee,0x31,0xc8,0x02,0x91,
 |  | ||||||
| +	0xAC,0xCB,0x1E,0x63,0x60,0x69,0x0C,0xFB,0x06,0x19,0x68,0x3E,
 |  | ||||||
| +	0xA5,0x01,0x5A,0xA2,0x15,0x5C,0xE2,0x99,0x2D,0xD5,0x30,0x99,
 |  | ||||||
| +	0x7E,0x5F,0x8D,0xE2,0xF7,0xC6,0x2E,0x8D,0xA3,0x9F,0x58,0xAD,
 |  | ||||||
| +	0xD6,0xA9,0x7D,0x0E,0x0D,0x95,0x53,0xA6,0x71,0x3A,0xDE,0xAB,
 |  | ||||||
| +	0xAC,0xE9,0xF4,0x36,0x55,0x9E,0xB9,0xD6,0x93,0xBF,0xF3,0x18,
 |  | ||||||
| +	0x1C,0x14,0x7B,0xA5,0x42,0x2E,0xCD,0x00,0xEB,0x35,0x3B,0x1B,
 |  | ||||||
| +	0xA8,0x51,0xBB,0xE1,0x58,0x42,0x85,0x84,0x22,0xA7,0x97,0x5E,
 |  | ||||||
| +	0x99,0x6F,0x38,0x20,0xBD,0x9D,0xB6,0xD9,0x33,0x37,0x2A,0xFD,
 |  | ||||||
| +	0xBB,0xD4,0xBC,0x0C,0x2A,0x67,0xCB,0x9F,0xBB,0xDF,0xF9,0x93,
 |  | ||||||
| +	0xAA,0xD6,0xF0,0xD6,0x95,0x0B,0x5D,0x65,0x14,0xD0,0x18,0x9D,
 |  | ||||||
| +	0xC6,0xAF,0xF0,0xC6,0x37,0x7C,0xF3,0x5F,
 |  | ||||||
|  	}; |  | ||||||
|   |  | ||||||
|  static unsigned char out_q[]={ |  | ||||||
| -	0xc7,0x73,0x21,0x8c,0x73,0x7e,0xc8,0xee,
 |  | ||||||
| -	0x99,0x3b,0x4f,0x2d,0xed,0x30,0xf4,0x8e,
 |  | ||||||
| -	0xda,0xce,0x91,0x5f,
 |  | ||||||
| +	0xE3,0x8E,0x5E,0x6D,0xBF,0x2B,0x79,0xF8,0xC5,0x4B,0x89,0x8B,
 |  | ||||||
| +	0xBA,0x2D,0x91,0xC3,0x6C,0x80,0xAC,0x87,
 |  | ||||||
|  	}; |  | ||||||
|   |  | ||||||
|  static unsigned char out_g[]={ |  | ||||||
| -	0x62,0x6d,0x02,0x78,0x39,0xea,0x0a,0x13,
 |  | ||||||
| -	0x41,0x31,0x63,0xa5,0x5b,0x4c,0xb5,0x00,
 |  | ||||||
| -	0x29,0x9d,0x55,0x22,0x95,0x6c,0xef,0xcb,
 |  | ||||||
| -	0x3b,0xff,0x10,0xf3,0x99,0xce,0x2c,0x2e,
 |  | ||||||
| -	0x71,0xcb,0x9d,0xe5,0xfa,0x24,0xba,0xbf,
 |  | ||||||
| -	0x58,0xe5,0xb7,0x95,0x21,0x92,0x5c,0x9c,
 |  | ||||||
| -	0xc4,0x2e,0x9f,0x6f,0x46,0x4b,0x08,0x8c,
 |  | ||||||
| -	0xc5,0x72,0xaf,0x53,0xe6,0xd7,0x88,0x02,
 |  | ||||||
| +	0x42,0x4A,0x04,0x4E,0x79,0xB4,0x99,0x7F,0xFD,0x58,0x36,0x2C,
 |  | ||||||
| +	0x1B,0x5F,0x18,0x7E,0x0D,0xCC,0xAB,0x81,0xC9,0x5D,0x10,0xCE,
 |  | ||||||
| +	0x4E,0x80,0x7E,0x58,0xB4,0x34,0x3F,0xA7,0x45,0xC7,0xAA,0x36,
 |  | ||||||
| +	0x24,0x42,0xA9,0x3B,0xE8,0x0E,0x04,0x02,0x2D,0xFB,0xA6,0x13,
 |  | ||||||
| +	0xB9,0xB5,0x15,0xA5,0x56,0x07,0x35,0xE4,0x03,0xB6,0x79,0x7C,
 |  | ||||||
| +	0x62,0xDD,0xDF,0x3F,0x71,0x3A,0x9D,0x8B,0xC4,0xF6,0xE7,0x1D,
 |  | ||||||
| +	0x52,0xA8,0xA9,0x43,0x1D,0x33,0x51,0x88,0x39,0xBD,0x73,0xE9,
 |  | ||||||
| +	0x5F,0xBE,0x82,0x49,0x27,0xE6,0xB5,0x53,0xC1,0x38,0xAC,0x2F,
 |  | ||||||
| +	0x6D,0x97,0x6C,0xEB,0x67,0xC1,0x5F,0x67,0xF8,0x35,0x05,0x5E,
 |  | ||||||
| +	0xD5,0x68,0x80,0xAA,0x96,0xCA,0x0B,0x8A,0xE6,0xF1,0xB1,0x41,
 |  | ||||||
| +	0xC6,0x75,0x94,0x0A,0x0A,0x2A,0xFA,0x29,
 |  | ||||||
|  	}; |  | ||||||
|   |  | ||||||
|  static const unsigned char str1[]="12345678901234567890"; |  | ||||||
| @@ -157,7 +162,7 @@ int main(int argc, char **argv)
 |  | ||||||
|  	BIO_printf(bio_err,"test generation of DSA parameters\n"); |  | ||||||
|   |  | ||||||
|  	BN_GENCB_set(&cb, dsa_cb, bio_err); |  | ||||||
| -	if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 512,
 |  | ||||||
| +	if(((dsa = DSA_new()) == NULL) || !DSA_generate_parameters_ex(dsa, 1024,
 |  | ||||||
|  				seed, 20, &counter, &h, &cb)) |  | ||||||
|  		goto end; |  | ||||||
|   |  | ||||||
| @@ -170,9 +175,9 @@ int main(int argc, char **argv)
 |  | ||||||
|  	BIO_printf(bio_err,"\ncounter=%d h=%ld\n",counter,h); |  | ||||||
|  		 |  | ||||||
|  	DSA_print(bio_err,dsa,0); |  | ||||||
| -	if (counter != 105) 
 |  | ||||||
| +	if (counter != 239) 
 |  | ||||||
|  		{ |  | ||||||
| -		BIO_printf(bio_err,"counter should be 105\n");
 |  | ||||||
| +		BIO_printf(bio_err,"counter should be 239\n");
 |  | ||||||
|  		goto end; |  | ||||||
|  		} |  | ||||||
|  	if (h != 2) |  | ||||||
| diff -up openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c.fips186-3 openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c
 |  | ||||||
| --- openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c.fips186-3	2011-02-03 21:04:14.000000000 +0100
 |  | ||||||
| +++ openssl-1.0.0c/crypto/fips/fips_dsa_selftest.c	2011-02-04 09:03:03.000000000 +0100
 |  | ||||||
| @@ -68,44 +68,42 @@
 |  | ||||||
|   |  | ||||||
|  #ifdef OPENSSL_FIPS |  | ||||||
|   |  | ||||||
| -/* seed, out_p, out_q, out_g are taken the NIST test vectors */
 |  | ||||||
| -
 |  | ||||||
|  static unsigned char seed[20] = { |  | ||||||
| -	0x77, 0x8f, 0x40, 0x74, 0x6f, 0x66, 0xbe, 0x33, 0xce, 0xbe, 0x99, 0x34,
 |  | ||||||
| -	0x4c, 0xfc, 0xf3, 0x28, 0xaa, 0x70, 0x2d, 0x3a
 |  | ||||||
| -  	};
 |  | ||||||
| +	0x02,0x47,0x11,0x92,0x11,0x88,0xC8,0xFB,0xAF,0x48,0x4C,0x62,
 |  | ||||||
| +	0xDF,0xA5,0xBE,0xA0,0xA4,0x3C,0x56,0xE3,
 |  | ||||||
| +	};
 |  | ||||||
|   |  | ||||||
|  static unsigned char out_p[] = { |  | ||||||
| -	0xf7, 0x7c, 0x1b, 0x83, 0xd8, 0xe8, 0x5c, 0x7f, 0x85, 0x30, 0x17, 0x57,
 |  | ||||||
| -	0x21, 0x95, 0xfe, 0x26, 0x04, 0xeb, 0x47, 0x4c, 0x3a, 0x4a, 0x81, 0x4b,
 |  | ||||||
| -	0x71, 0x2e, 0xed, 0x6e, 0x4f, 0x3d, 0x11, 0x0f, 0x7c, 0xfe, 0x36, 0x43,
 |  | ||||||
| -	0x51, 0xd9, 0x81, 0x39, 0x17, 0xdf, 0x62, 0xf6, 0x9c, 0x01, 0xa8, 0x69,
 |  | ||||||
| -	0x71, 0xdd, 0x29, 0x7f, 0x47, 0xe6, 0x65, 0xa6, 0x22, 0xe8, 0x6a, 0x12,
 |  | ||||||
| -	0x2b, 0xc2, 0x81, 0xff, 0x32, 0x70, 0x2f, 0x9e, 0xca, 0x53, 0x26, 0x47,
 |  | ||||||
| -	0x0f, 0x59, 0xd7, 0x9e, 0x2c, 0xa5, 0x07, 0xc4, 0x49, 0x52, 0xa3, 0xe4,
 |  | ||||||
| -	0x6b, 0x04, 0x00, 0x25, 0x49, 0xe2, 0xe6, 0x7f, 0x28, 0x78, 0x97, 0xb8,
 |  | ||||||
| -	0x3a, 0x32, 0x14, 0x38, 0xa2, 0x51, 0x33, 0x22, 0x44, 0x7e, 0xd7, 0xef,
 |  | ||||||
| -	0x45, 0xdb, 0x06, 0x4a, 0xd2, 0x82, 0x4a, 0x82, 0x2c, 0xb1, 0xd7, 0xd8,
 |  | ||||||
| -	0xb6, 0x73, 0x00, 0x4d, 0x94, 0x77, 0x94, 0xef
 |  | ||||||
| +	0xAC,0xCB,0x1E,0x63,0x60,0x69,0x0C,0xFB,0x06,0x19,0x68,0x3E,
 |  | ||||||
| +	0xA5,0x01,0x5A,0xA2,0x15,0x5C,0xE2,0x99,0x2D,0xD5,0x30,0x99,
 |  | ||||||
| +	0x7E,0x5F,0x8D,0xE2,0xF7,0xC6,0x2E,0x8D,0xA3,0x9F,0x58,0xAD,
 |  | ||||||
| +	0xD6,0xA9,0x7D,0x0E,0x0D,0x95,0x53,0xA6,0x71,0x3A,0xDE,0xAB,
 |  | ||||||
| +	0xAC,0xE9,0xF4,0x36,0x55,0x9E,0xB9,0xD6,0x93,0xBF,0xF3,0x18,
 |  | ||||||
| +	0x1C,0x14,0x7B,0xA5,0x42,0x2E,0xCD,0x00,0xEB,0x35,0x3B,0x1B,
 |  | ||||||
| +	0xA8,0x51,0xBB,0xE1,0x58,0x42,0x85,0x84,0x22,0xA7,0x97,0x5E,
 |  | ||||||
| +	0x99,0x6F,0x38,0x20,0xBD,0x9D,0xB6,0xD9,0x33,0x37,0x2A,0xFD,
 |  | ||||||
| +	0xBB,0xD4,0xBC,0x0C,0x2A,0x67,0xCB,0x9F,0xBB,0xDF,0xF9,0x93,
 |  | ||||||
| +	0xAA,0xD6,0xF0,0xD6,0x95,0x0B,0x5D,0x65,0x14,0xD0,0x18,0x9D,
 |  | ||||||
| +	0xC6,0xAF,0xF0,0xC6,0x37,0x7C,0xF3,0x5F,
 |  | ||||||
|  	}; |  | ||||||
|   |  | ||||||
|  static unsigned char out_q[] = { |  | ||||||
| -	0xd4, 0x0a, 0xac, 0x9f, 0xbd, 0x8c, 0x80, 0xc2, 0x38, 0x7e, 0x2e, 0x0c,
 |  | ||||||
| -	0x52, 0x5c, 0xea, 0x34, 0xa1, 0x83, 0x32, 0xf3
 |  | ||||||
| +	0xE3,0x8E,0x5E,0x6D,0xBF,0x2B,0x79,0xF8,0xC5,0x4B,0x89,0x8B,
 |  | ||||||
| +	0xBA,0x2D,0x91,0xC3,0x6C,0x80,0xAC,0x87,
 |  | ||||||
|  	}; |  | ||||||
|   |  | ||||||
|  static unsigned char out_g[] = { |  | ||||||
| -	0x34, 0x73, 0x8b, 0x57, 0x84, 0x8e, 0x55, 0xbf, 0x57, 0xcc, 0x41, 0xbb,
 |  | ||||||
| -	0x5e, 0x2b, 0xd5, 0x42, 0xdd, 0x24, 0x22, 0x2a, 0x09, 0xea, 0x26, 0x1e,
 |  | ||||||
| -	0x17, 0x65, 0xcb, 0x1a, 0xb3, 0x12, 0x44, 0xa3, 0x9e, 0x99, 0xe9, 0x63,
 |  | ||||||
| -	0xeb, 0x30, 0xb1, 0x78, 0x7b, 0x09, 0x40, 0x30, 0xfa, 0x83, 0xc2, 0x35,
 |  | ||||||
| -	0xe1, 0xc4, 0x2d, 0x74, 0x1a, 0xb1, 0x83, 0x54, 0xd8, 0x29, 0xf4, 0xcf,
 |  | ||||||
| -	0x7f, 0x6f, 0x67, 0x1c, 0x36, 0x49, 0xee, 0x6c, 0xa2, 0x3c, 0x2d, 0x6a,
 |  | ||||||
| -	0xe9, 0xd3, 0x9a, 0xf6, 0x57, 0x78, 0x6f, 0xfd, 0x33, 0xcd, 0x3c, 0xed,
 |  | ||||||
| -	0xfd, 0xd4, 0x41, 0xe6, 0x5c, 0x8b, 0xe0, 0x68, 0x31, 0x47, 0x47, 0xaf,
 |  | ||||||
| -	0x12, 0xa7, 0xf9, 0x32, 0x0d, 0x94, 0x15, 0x48, 0xd0, 0x54, 0x85, 0xb2,
 |  | ||||||
| -	0x04, 0xb5, 0x4d, 0xd4, 0x9d, 0x05, 0x22, 0x25, 0xd9, 0xfd, 0x6c, 0x36,
 |  | ||||||
| -	0xef, 0xbe, 0x69, 0x6c, 0x55, 0xf4, 0xee, 0xec
 |  | ||||||
| +	0x42,0x4A,0x04,0x4E,0x79,0xB4,0x99,0x7F,0xFD,0x58,0x36,0x2C,
 |  | ||||||
| +	0x1B,0x5F,0x18,0x7E,0x0D,0xCC,0xAB,0x81,0xC9,0x5D,0x10,0xCE,
 |  | ||||||
| +	0x4E,0x80,0x7E,0x58,0xB4,0x34,0x3F,0xA7,0x45,0xC7,0xAA,0x36,
 |  | ||||||
| +	0x24,0x42,0xA9,0x3B,0xE8,0x0E,0x04,0x02,0x2D,0xFB,0xA6,0x13,
 |  | ||||||
| +	0xB9,0xB5,0x15,0xA5,0x56,0x07,0x35,0xE4,0x03,0xB6,0x79,0x7C,
 |  | ||||||
| +	0x62,0xDD,0xDF,0x3F,0x71,0x3A,0x9D,0x8B,0xC4,0xF6,0xE7,0x1D,
 |  | ||||||
| +	0x52,0xA8,0xA9,0x43,0x1D,0x33,0x51,0x88,0x39,0xBD,0x73,0xE9,
 |  | ||||||
| +	0x5F,0xBE,0x82,0x49,0x27,0xE6,0xB5,0x53,0xC1,0x38,0xAC,0x2F,
 |  | ||||||
| +	0x6D,0x97,0x6C,0xEB,0x67,0xC1,0x5F,0x67,0xF8,0x35,0x05,0x5E,
 |  | ||||||
| +	0xD5,0x68,0x80,0xAA,0x96,0xCA,0x0B,0x8A,0xE6,0xF1,0xB1,0x41,
 |  | ||||||
| +	0xC6,0x75,0x94,0x0A,0x0A,0x2A,0xFA,0x29,
 |  | ||||||
|  	}; |  | ||||||
|   |  | ||||||
|  static const unsigned char str1[]="12345678901234567890"; |  | ||||||
| @@ -133,7 +131,7 @@ int FIPS_selftest_dsa()
 |  | ||||||
|  	goto err; |  | ||||||
|      if(!DSA_generate_parameters_ex(dsa, 1024,seed,20,&counter,&h,NULL)) |  | ||||||
|  	goto err; |  | ||||||
| -    if (counter != 378) 
 |  | ||||||
| +    if (counter != 239) 
 |  | ||||||
|  	goto err; |  | ||||||
|      if (h != 2) |  | ||||||
|  	goto err; |  | ||||||
| @ -1,25 +0,0 @@ | |||||||
| diff -up openssl-1.0.0c/apps/pkcs12.c.fips-default openssl-1.0.0c/apps/pkcs12.c
 |  | ||||||
| --- openssl-1.0.0c/apps/pkcs12.c.fips-default	2009-07-27 23:08:45.000000000 +0200
 |  | ||||||
| +++ openssl-1.0.0c/apps/pkcs12.c	2011-02-04 15:25:38.000000000 +0100
 |  | ||||||
| @@ -67,6 +67,9 @@
 |  | ||||||
|  #include <openssl/err.h> |  | ||||||
|  #include <openssl/pem.h> |  | ||||||
|  #include <openssl/pkcs12.h> |  | ||||||
| +#ifdef OPENSSL_FIPS
 |  | ||||||
| +#include <openssl/fips.h>
 |  | ||||||
| +#endif
 |  | ||||||
|   |  | ||||||
|  #define PROG pkcs12_main |  | ||||||
|   |  | ||||||
| @@ -130,6 +133,11 @@ int MAIN(int argc, char **argv)
 |  | ||||||
|   |  | ||||||
|      apps_startup(); |  | ||||||
|   |  | ||||||
| +#ifdef OPENSSL_FIPS
 |  | ||||||
| +    if (FIPS_mode())
 |  | ||||||
| +	cert_pbe = key_pbe; /* cannot use RC2 in the FIPS mode */
 |  | ||||||
| +#endif
 |  | ||||||
| +
 |  | ||||||
|      enc = EVP_des_ede3_cbc(); |  | ||||||
|      if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE); |  | ||||||
|   |  | ||||||
| @ -1,94 +0,0 @@ | |||||||
| diff -up openssl-1.0.0c/apps/speed.c.spfips openssl-1.0.0c/apps/speed.c
 |  | ||||||
| --- openssl-1.0.0c/apps/speed.c.spfips	2010-11-18 14:22:26.000000000 +0100
 |  | ||||||
| +++ openssl-1.0.0c/apps/speed.c	2011-01-24 17:25:32.000000000 +0100
 |  | ||||||
| @@ -100,6 +100,9 @@
 |  | ||||||
|  #include <openssl/err.h> |  | ||||||
|  #include <openssl/evp.h> |  | ||||||
|  #include <openssl/objects.h> |  | ||||||
| +#ifdef OPENSSL_FIPS
 |  | ||||||
| +#include <openssl/fips.h>
 |  | ||||||
| +#endif
 |  | ||||||
|  #if !defined(OPENSSL_SYS_MSDOS) |  | ||||||
|  #include OPENSSL_UNISTD |  | ||||||
|  #endif |  | ||||||
| @@ -908,7 +911,12 @@ int MAIN(int argc, char **argv)
 |  | ||||||
|  #ifndef OPENSSL_NO_RSA |  | ||||||
|  			if (strcmp(*argv,"rsa") == 0) |  | ||||||
|  			{ |  | ||||||
| +#ifdef OPENSSL_FIPS
 |  | ||||||
| +				if (!FIPS_mode())
 |  | ||||||
| +#endif
 |  | ||||||
| +				{
 |  | ||||||
|  			rsa_doit[R_RSA_512]=1; |  | ||||||
| +				}
 |  | ||||||
|  			rsa_doit[R_RSA_1024]=1; |  | ||||||
|  			rsa_doit[R_RSA_2048]=1; |  | ||||||
|  			rsa_doit[R_RSA_4096]=1; |  | ||||||
| @@ -918,7 +926,12 @@ int MAIN(int argc, char **argv)
 |  | ||||||
|  #ifndef OPENSSL_NO_DSA |  | ||||||
|  			if (strcmp(*argv,"dsa") == 0) |  | ||||||
|  			{ |  | ||||||
| +#ifdef OPENSSL_FIPS
 |  | ||||||
| +				if (!FIPS_mode())
 |  | ||||||
| +#endif
 |  | ||||||
| +				{
 |  | ||||||
|  			dsa_doit[R_DSA_512]=1; |  | ||||||
| +				}
 |  | ||||||
|  			dsa_doit[R_DSA_1024]=1; |  | ||||||
|  			dsa_doit[R_DSA_2048]=1; |  | ||||||
|  			} |  | ||||||
| @@ -1193,30 +1206,54 @@ int MAIN(int argc, char **argv)
 |  | ||||||
|  	AES_set_encrypt_key(key32,256,&aes_ks3); |  | ||||||
|  #endif |  | ||||||
|  #ifndef OPENSSL_NO_CAMELLIA |  | ||||||
| +	if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML])
 |  | ||||||
| +	    {
 |  | ||||||
|  	Camellia_set_key(key16,128,&camellia_ks1); |  | ||||||
|  	Camellia_set_key(ckey24,192,&camellia_ks2); |  | ||||||
|  	Camellia_set_key(ckey32,256,&camellia_ks3); |  | ||||||
| +	    }
 |  | ||||||
|  #endif |  | ||||||
|  #ifndef OPENSSL_NO_IDEA |  | ||||||
| +	if (doit[D_CBC_IDEA])
 |  | ||||||
| +	    {
 |  | ||||||
|  	idea_set_encrypt_key(key16,&idea_ks); |  | ||||||
| +	    }
 |  | ||||||
|  #endif |  | ||||||
|  #ifndef OPENSSL_NO_SEED |  | ||||||
| +	if (doit[D_CBC_SEED])
 |  | ||||||
| +	    {
 |  | ||||||
|  	SEED_set_key(key16,&seed_ks); |  | ||||||
| +	    }
 |  | ||||||
|  #endif |  | ||||||
|  #ifndef OPENSSL_NO_RC4 |  | ||||||
| +	if (doit[D_RC4])
 |  | ||||||
| +	    {
 |  | ||||||
|  	RC4_set_key(&rc4_ks,16,key16); |  | ||||||
| +	    }
 |  | ||||||
|  #endif |  | ||||||
|  #ifndef OPENSSL_NO_RC2 |  | ||||||
| +	if (doit[D_CBC_RC2])
 |  | ||||||
| +	    {
 |  | ||||||
|  	RC2_set_key(&rc2_ks,16,key16,128); |  | ||||||
| +	    }
 |  | ||||||
|  #endif |  | ||||||
|  #ifndef OPENSSL_NO_RC5 |  | ||||||
| +	if (doit[D_CBC_RC5])
 |  | ||||||
| +	    {
 |  | ||||||
|  	RC5_32_set_key(&rc5_ks,16,key16,12); |  | ||||||
| +	    }
 |  | ||||||
|  #endif |  | ||||||
|  #ifndef OPENSSL_NO_BF |  | ||||||
| +	if (doit[D_CBC_BF])
 |  | ||||||
| +	    {
 |  | ||||||
|  	BF_set_key(&bf_ks,16,key16); |  | ||||||
| +	    }
 |  | ||||||
|  #endif |  | ||||||
|  #ifndef OPENSSL_NO_CAST |  | ||||||
| +	if (doit[D_CBC_CAST])
 |  | ||||||
| +	    {
 |  | ||||||
|  	CAST_set_key(&cast_ks,16,key16); |  | ||||||
| +	    }
 |  | ||||||
|  #endif |  | ||||||
|  #ifndef OPENSSL_NO_RSA |  | ||||||
|  	memset(rsa_c,0,sizeof(rsa_c)); |  | ||||||
| @ -1,22 +0,0 @@ | |||||||
| diff -up openssl-1.0.0d/crypto/opensslv.h.version openssl-1.0.0d/crypto/opensslv.h
 |  | ||||||
| --- openssl-1.0.0d/crypto/opensslv.h.version	2011-02-10 14:24:52.000000000 +0100
 |  | ||||||
| +++ openssl-1.0.0d/crypto/opensslv.h	2011-02-10 14:48:00.000000000 +0100
 |  | ||||||
| @@ -25,7 +25,8 @@
 |  | ||||||
|   * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for |  | ||||||
|   *  major minor fix final patch/beta) |  | ||||||
|   */ |  | ||||||
| -#define OPENSSL_VERSION_NUMBER	0x1000004fL
 |  | ||||||
| +/* we have to keep the version number to not break the abi */
 |  | ||||||
| +#define OPENSSL_VERSION_NUMBER	0x10000003
 |  | ||||||
|  #ifdef OPENSSL_FIPS |  | ||||||
|  #define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.0d-fips 8 Feb 2011" |  | ||||||
|  #else |  | ||||||
| @@ -83,7 +84,7 @@
 |  | ||||||
|   * should only keep the versions that are binary compatible with the current. |  | ||||||
|   */ |  | ||||||
|  #define SHLIB_VERSION_HISTORY "" |  | ||||||
| -#define SHLIB_VERSION_NUMBER "1.0.0"
 |  | ||||||
| +#define SHLIB_VERSION_NUMBER "1.0.0d"
 |  | ||||||
|   |  | ||||||
|   |  | ||||||
|  #endif /* HEADER_OPENSSLV_H */ |  | ||||||
							
								
								
									
										12
									
								
								openssl-1.0.0d-xmpp-starttls.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										12
									
								
								openssl-1.0.0d-xmpp-starttls.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,12 @@ | |||||||
|  | diff -ru openssl-1.0.0d.old/apps/s_client.c openssl-1.0.0d/apps/s_client.c
 | ||||||
|  | --- openssl-1.0.0d.old/apps/s_client.c	2011-07-17 21:05:19.934181169 +0200
 | ||||||
|  | +++ openssl-1.0.0d/apps/s_client.c	2011-07-17 21:11:42.747824990 +0200
 | ||||||
|  | @@ -1186,7 +1186,7 @@
 | ||||||
|  |  		    "xmlns='jabber:client' to='%s' version='1.0'>", host); | ||||||
|  |  		seen = BIO_read(sbio,mbuf,BUFSIZZ); | ||||||
|  |  		mbuf[seen] = 0; | ||||||
|  | -		while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'"))
 | ||||||
|  | +		while (!strcasestr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") && !strcasestr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
 | ||||||
|  |  			{ | ||||||
|  |  			if (strstr(mbuf, "/stream:features>")) | ||||||
|  |  				goto shut; | ||||||
							
								
								
									
										24
									
								
								openssl-1.0.0e-chil-fixes.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										24
									
								
								openssl-1.0.0e-chil-fixes.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,24 @@ | |||||||
|  | diff -up openssl-1.0.0e/engines/e_chil.c.chil openssl-1.0.0e/engines/e_chil.c
 | ||||||
|  | --- openssl-1.0.0e/engines/e_chil.c.chil	2010-06-15 19:25:12.000000000 +0200
 | ||||||
|  | +++ openssl-1.0.0e/engines/e_chil.c	2011-09-21 17:32:03.000000000 +0200
 | ||||||
|  | @@ -1261,6 +1261,11 @@ static int hwcrhk_insert_card(const char
 | ||||||
|  |          UI *ui; | ||||||
|  |  	void *callback_data = NULL; | ||||||
|  |          UI_METHOD *ui_method = NULL; | ||||||
|  | +	/* Despite what the documentation says prompt_info can be
 | ||||||
|  | +	 * an empty string.
 | ||||||
|  | +	 */
 | ||||||
|  | +	if (prompt_info && !*prompt_info)
 | ||||||
|  | +		prompt_info = NULL;
 | ||||||
|  |   | ||||||
|  |          if (cactx) | ||||||
|  |                  { | ||||||
|  | @@ -1287,7 +1292,7 @@ static int hwcrhk_insert_card(const char
 | ||||||
|  |   | ||||||
|  |  	if (ui) | ||||||
|  |  		{ | ||||||
|  | -		char answer;
 | ||||||
|  | +		char answer = '\0';
 | ||||||
|  |  		char buf[BUFSIZ]; | ||||||
|  |  		/* Despite what the documentation says wrong_info can be | ||||||
|  |  	 	 * an empty string. | ||||||
							
								
								
									
										23
									
								
								openssl-1.0.0e-doc-noeof.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										23
									
								
								openssl-1.0.0e-doc-noeof.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,23 @@ | |||||||
|  | diff -up openssl-1.0.0e/doc/apps/s_client.pod.doc-noeof openssl-1.0.0e/doc/apps/s_client.pod
 | ||||||
|  | --- openssl-1.0.0e/doc/apps/s_client.pod.doc-noeof	2009-06-26 13:28:51.000000000 +0200
 | ||||||
|  | +++ openssl-1.0.0e/doc/apps/s_client.pod	2011-11-03 08:30:35.000000000 +0100
 | ||||||
|  | @@ -27,6 +27,7 @@ B<openssl> B<s_client>
 | ||||||
|  |  [B<-nbio>] | ||||||
|  |  [B<-crlf>] | ||||||
|  |  [B<-ign_eof>] | ||||||
|  | +[B<-no_ign_eof>]
 | ||||||
|  |  [B<-quiet>] | ||||||
|  |  [B<-ssl2>] | ||||||
|  |  [B<-ssl3>] | ||||||
|  | @@ -161,6 +162,11 @@ by some servers.
 | ||||||
|  |  inhibit shutting down the connection when end of file is reached in the | ||||||
|  |  input. | ||||||
|  |   | ||||||
|  | +=item B<-no_ign_eof>
 | ||||||
|  | +
 | ||||||
|  | +shut down the connection when end of file is reached in the
 | ||||||
|  | +input. Can be used to override the implicit B<-ign_eof> after B<-quiet>.
 | ||||||
|  | +
 | ||||||
|  |  =item B<-quiet> | ||||||
|  |   | ||||||
|  |  inhibit printing of session and certificate information.  This implicitly | ||||||
| @ -1,6 +1,6 @@ | |||||||
| diff -up openssl-1.0.0-beta3/apps/openssl.cnf.defaults openssl-1.0.0-beta3/apps/openssl.cnf
 | diff -up openssl-1.0.0f/apps/openssl.cnf.defaults openssl-1.0.0f/apps/openssl.cnf
 | ||||||
| --- openssl-1.0.0-beta3/apps/openssl.cnf.defaults	2009-04-04 20:09:43.000000000 +0200
 | --- openssl-1.0.0f/apps/openssl.cnf.defaults	2011-12-06 01:01:00.000000000 +0100
 | ||||||
| +++ openssl-1.0.0-beta3/apps/openssl.cnf	2009-08-04 22:57:16.000000000 +0200
 | +++ openssl-1.0.0f/apps/openssl.cnf	2012-01-05 13:16:15.000000000 +0100
 | ||||||
| @@ -103,7 +103,8 @@ emailAddress		= optional
 | @@ -103,7 +103,8 @@ emailAddress		= optional
 | ||||||
|   |   | ||||||
|  #################################################################### |  #################################################################### | ||||||
| @ -37,7 +37,7 @@ diff -up openssl-1.0.0-beta3/apps/openssl.cnf.defaults openssl-1.0.0-beta3/apps/ | |||||||
|  organizationalUnitName		= Organizational Unit Name (eg, section) |  organizationalUnitName		= Organizational Unit Name (eg, section) | ||||||
|  #organizationalUnitName_default	= |  #organizationalUnitName_default	= | ||||||
|   |   | ||||||
| -commonName			= Common Name (eg, YOUR name)
 | -commonName			= Common Name (e.g. server FQDN or YOUR name)
 | ||||||
| +commonName			= Common Name (eg, your name or your server\'s hostname)
 | +commonName			= Common Name (eg, your name or your server\'s hostname)
 | ||||||
|  commonName_max			= 64 |  commonName_max			= 64 | ||||||
|   |   | ||||||
							
								
								
									
										23
									
								
								openssl-1.0.1-beta2-dtls1-abi.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										23
									
								
								openssl-1.0.1-beta2-dtls1-abi.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,23 @@ | |||||||
|  | diff -up openssl-1.0.1-beta2/ssl/dtls1.h.dtls1-abi openssl-1.0.1-beta2/ssl/dtls1.h
 | ||||||
|  | --- openssl-1.0.1-beta2/ssl/dtls1.h.dtls1-abi	2012-02-06 17:07:34.630336118 +0100
 | ||||||
|  | +++ openssl-1.0.1-beta2/ssl/dtls1.h	2012-02-06 17:10:08.956623707 +0100
 | ||||||
|  | @@ -222,9 +222,6 @@ typedef struct dtls1_state_st
 | ||||||
|  |  	 */ | ||||||
|  |  	record_pqueue buffered_app_data; | ||||||
|  |   | ||||||
|  | -	/* Is set when listening for new connections with dtls1_listen() */
 | ||||||
|  | -	unsigned int listen;
 | ||||||
|  | -
 | ||||||
|  |  	unsigned int mtu; /* max DTLS packet size */ | ||||||
|  |   | ||||||
|  |  	struct hm_header_st w_msg_hdr; | ||||||
|  | @@ -248,6 +245,9 @@ typedef struct dtls1_state_st
 | ||||||
|  |  	unsigned int retransmitting; | ||||||
|  |  	unsigned int change_cipher_spec_ok; | ||||||
|  |   | ||||||
|  | +	/* Is set when listening for new connections with dtls1_listen() */
 | ||||||
|  | +	unsigned int listen;
 | ||||||
|  | +
 | ||||||
|  |  #ifndef OPENSSL_NO_SCTP | ||||||
|  |  	/* used when SSL_ST_XX_FLUSH is entered */ | ||||||
|  |  	int next_state; | ||||||
							
								
								
									
										21
									
								
								openssl-1.0.1-beta2-fips-md5-allow.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										21
									
								
								openssl-1.0.1-beta2-fips-md5-allow.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,21 @@ | |||||||
|  | diff -up openssl-1.0.1-beta2/crypto/md5/md5_dgst.c.md5-allow openssl-1.0.1-beta2/crypto/md5/md5_dgst.c
 | ||||||
|  | --- openssl-1.0.1-beta2/crypto/md5/md5_dgst.c.md5-allow	2012-02-06 20:09:56.000000000 +0100
 | ||||||
|  | +++ openssl-1.0.1-beta2/crypto/md5/md5_dgst.c	2012-02-06 20:14:02.332117603 +0100
 | ||||||
|  | @@ -71,7 +71,16 @@ const char MD5_version[]="MD5" OPENSSL_V
 | ||||||
|  |  #define INIT_DATA_C (unsigned long)0x98badcfeL | ||||||
|  |  #define INIT_DATA_D (unsigned long)0x10325476L | ||||||
|  |   | ||||||
|  | -nonfips_md_init(MD5)
 | ||||||
|  | +int MD5_Init(MD5_CTX *c)
 | ||||||
|  | +#ifdef OPENSSL_FIPS
 | ||||||
|  | +	{
 | ||||||
|  | +	if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
 | ||||||
|  | +		OpenSSLDie(__FILE__, __LINE__, \
 | ||||||
|  | +                "Digest MD5 forbidden in FIPS mode!");
 | ||||||
|  | +	return private_MD5_Init(c);
 | ||||||
|  | +	}
 | ||||||
|  | +int private_MD5_Init(MD5_CTX *c)
 | ||||||
|  | +#endif
 | ||||||
|  |  	{ | ||||||
|  |  	memset (c,0,sizeof(*c)); | ||||||
|  |  	c->A=INIT_DATA_A; | ||||||
							
								
								
									
										193
									
								
								openssl-1.0.1-beta2-padlock64.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										193
									
								
								openssl-1.0.1-beta2-padlock64.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,193 @@ | |||||||
|  | diff -up openssl-1.0.1-beta2/engines/e_padlock.c.padlock64 openssl-1.0.1-beta2/engines/e_padlock.c
 | ||||||
|  | --- openssl-1.0.1-beta2/engines/e_padlock.c.padlock64	2011-06-21 18:42:15.000000000 +0200
 | ||||||
|  | +++ openssl-1.0.1-beta2/engines/e_padlock.c	2012-02-06 20:18:52.039537799 +0100
 | ||||||
|  | @@ -101,7 +101,10 @@
 | ||||||
|  |     compiler choice is limited to GCC and Microsoft C. */ | ||||||
|  |  #undef COMPILE_HW_PADLOCK | ||||||
|  |  #if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM) | ||||||
|  | -# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \
 | ||||||
|  | +# if (defined(__GNUC__) && __GNUC__>=2 && \
 | ||||||
|  | +	(defined(__i386__) || defined(__i386) || \
 | ||||||
|  | +	 defined(__x86_64__) || defined(__x86_64)) \
 | ||||||
|  | +     ) || \
 | ||||||
|  |       (defined(_MSC_VER) && defined(_M_IX86)) | ||||||
|  |  #  define COMPILE_HW_PADLOCK | ||||||
|  |  # endif | ||||||
|  | @@ -137,7 +140,7 @@ void ENGINE_load_padlock (void)
 | ||||||
|  |  # endif | ||||||
|  |  #elif defined(__GNUC__) | ||||||
|  |  # ifndef alloca | ||||||
|  | -#  define alloca(s) __builtin_alloca(s)
 | ||||||
|  | +#  define alloca(s) __builtin_alloca((s))
 | ||||||
|  |  # endif | ||||||
|  |  #endif | ||||||
|  |   | ||||||
|  | @@ -304,6 +307,7 @@ static volatile struct padlock_cipher_da
 | ||||||
|  |   * ======================================================= | ||||||
|  |   */ | ||||||
|  |  #if defined(__GNUC__) && __GNUC__>=2 | ||||||
|  | +#if defined(__i386__) || defined(__i386)
 | ||||||
|  |  /* | ||||||
|  |   * As for excessive "push %ebx"/"pop %ebx" found all over. | ||||||
|  |   * When generating position-independent code GCC won't let | ||||||
|  | @@ -383,21 +387,6 @@ padlock_available(void)
 | ||||||
|  |  	return padlock_use_ace + padlock_use_rng; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | -#ifndef OPENSSL_NO_AES
 | ||||||
|  | -/* Our own htonl()/ntohl() */
 | ||||||
|  | -static inline void
 | ||||||
|  | -padlock_bswapl(AES_KEY *ks)
 | ||||||
|  | -{
 | ||||||
|  | -	size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
 | ||||||
|  | -	unsigned int *key = ks->rd_key;
 | ||||||
|  | -
 | ||||||
|  | -	while (i--) {
 | ||||||
|  | -		asm volatile ("bswapl %0" : "+r"(*key));
 | ||||||
|  | -		key++;
 | ||||||
|  | -	}
 | ||||||
|  | -}
 | ||||||
|  | -#endif
 | ||||||
|  | -
 | ||||||
|  |  /* Force key reload from memory to the CPU microcode. | ||||||
|  |     Loading EFLAGS from the stack clears EFLAGS[30]  | ||||||
|  |     which does the trick. */ | ||||||
|  | @@ -455,12 +444,127 @@ static inline void *name(size_t cnt,		\
 | ||||||
|  |  		: "edx", "cc", "memory");	\ | ||||||
|  |  	return iv;				\ | ||||||
|  |  } | ||||||
|  | +#endif
 | ||||||
|  | +
 | ||||||
|  | +#elif defined(__x86_64__) || defined(__x86_64)
 | ||||||
|  | +
 | ||||||
|  | +/* Load supported features of the CPU to see if
 | ||||||
|  | +   the PadLock is available. */
 | ||||||
|  | +static int
 | ||||||
|  | +padlock_available(void)
 | ||||||
|  | +{
 | ||||||
|  | +	char vendor_string[16];
 | ||||||
|  | +	unsigned int eax, edx;
 | ||||||
|  |   | ||||||
|  | +	/* Are we running on the Centaur (VIA) CPU? */
 | ||||||
|  | +	eax = 0x00000000;
 | ||||||
|  | +	vendor_string[12] = 0;
 | ||||||
|  | +	asm volatile (
 | ||||||
|  | +		"cpuid\n"
 | ||||||
|  | +		"movl	%%ebx,(%1)\n"
 | ||||||
|  | +		"movl	%%edx,4(%1)\n"
 | ||||||
|  | +		"movl	%%ecx,8(%1)\n"
 | ||||||
|  | +		: "+a"(eax) : "r"(vendor_string) : "rbx", "rcx", "rdx");
 | ||||||
|  | +	if (strcmp(vendor_string, "CentaurHauls") != 0)
 | ||||||
|  | +		return 0;
 | ||||||
|  | +
 | ||||||
|  | +	/* Check for Centaur Extended Feature Flags presence */
 | ||||||
|  | +	eax = 0xC0000000;
 | ||||||
|  | +	asm volatile ("cpuid"
 | ||||||
|  | +		: "+a"(eax) : : "rbx", "rcx", "rdx");
 | ||||||
|  | +	if (eax < 0xC0000001)
 | ||||||
|  | +		return 0;
 | ||||||
|  | +
 | ||||||
|  | +	/* Read the Centaur Extended Feature Flags */
 | ||||||
|  | +	eax = 0xC0000001;
 | ||||||
|  | +	asm volatile ("cpuid"
 | ||||||
|  | +		: "+a"(eax), "=d"(edx) : : "rbx", "rcx");
 | ||||||
|  | +
 | ||||||
|  | +	/* Fill up some flags */
 | ||||||
|  | +	padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6));
 | ||||||
|  | +	padlock_use_rng = ((edx & (0x3<<2)) == (0x3<<2));
 | ||||||
|  | +
 | ||||||
|  | +	return padlock_use_ace + padlock_use_rng;
 | ||||||
|  | +}
 | ||||||
|  | +
 | ||||||
|  | +/* Force key reload from memory to the CPU microcode.
 | ||||||
|  | +   Loading EFLAGS from the stack clears EFLAGS[30] 
 | ||||||
|  | +   which does the trick. */
 | ||||||
|  | +static inline void
 | ||||||
|  | +padlock_reload_key(void)
 | ||||||
|  | +{
 | ||||||
|  | +	asm volatile ("pushfq; popfq");
 | ||||||
|  | +}
 | ||||||
|  | +
 | ||||||
|  | +#ifndef OPENSSL_NO_AES
 | ||||||
|  | +/*
 | ||||||
|  | + * This is heuristic key context tracing. At first one
 | ||||||
|  | + * believes that one should use atomic swap instructions,
 | ||||||
|  | + * but it's not actually necessary. Point is that if
 | ||||||
|  | + * padlock_saved_context was changed by another thread
 | ||||||
|  | + * after we've read it and before we compare it with cdata,
 | ||||||
|  | + * our key *shall* be reloaded upon thread context switch
 | ||||||
|  | + * and we are therefore set in either case...
 | ||||||
|  | + */
 | ||||||
|  | +static inline void
 | ||||||
|  | +padlock_verify_context(struct padlock_cipher_data *cdata)
 | ||||||
|  | +{
 | ||||||
|  | +	asm volatile (
 | ||||||
|  | +	"pushfq\n"
 | ||||||
|  | +"	btl	$30,(%%rsp)\n"
 | ||||||
|  | +"	jnc	1f\n"
 | ||||||
|  | +"	cmpq	%2,%1\n"
 | ||||||
|  | +"	je	1f\n"
 | ||||||
|  | +"	popfq\n"
 | ||||||
|  | +"	subq	$8,%%rsp\n"
 | ||||||
|  | +"1:	addq	$8,%%rsp\n"
 | ||||||
|  | +"	movq	%2,%0"
 | ||||||
|  | +	:"+m"(padlock_saved_context)
 | ||||||
|  | +	: "r"(padlock_saved_context), "r"(cdata) : "cc");
 | ||||||
|  | +}
 | ||||||
|  | +
 | ||||||
|  | +/* Template for padlock_xcrypt_* modes */
 | ||||||
|  | +/* BIG FAT WARNING: 
 | ||||||
|  | + * 	The offsets used with 'leal' instructions
 | ||||||
|  | + * 	describe items of the 'padlock_cipher_data'
 | ||||||
|  | + * 	structure.
 | ||||||
|  | + */
 | ||||||
|  | +#define PADLOCK_XCRYPT_ASM(name,rep_xcrypt)	\
 | ||||||
|  | +static inline void *name(size_t cnt,		\
 | ||||||
|  | +	struct padlock_cipher_data *cdata,	\
 | ||||||
|  | +	void *out, const void *inp) 		\
 | ||||||
|  | +{	void *iv; 				\
 | ||||||
|  | +	asm volatile ( "leaq	16(%0),%%rdx\n"	\
 | ||||||
|  | +		"	leaq	32(%0),%%rbx\n"	\
 | ||||||
|  | +			rep_xcrypt "\n"		\
 | ||||||
|  | +		: "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
 | ||||||
|  | +		: "0"(cdata), "1"(cnt), "2"(out), "3"(inp)  \
 | ||||||
|  | +		: "rbx", "rdx", "cc", "memory");	\
 | ||||||
|  | +	return iv;				\
 | ||||||
|  | +}
 | ||||||
|  | +#endif
 | ||||||
|  | +
 | ||||||
|  | +#endif	/* cpu */
 | ||||||
|  | +
 | ||||||
|  | +#ifndef OPENSSL_NO_AES
 | ||||||
|  |  /* Generate all functions with appropriate opcodes */ | ||||||
|  |  PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, ".byte 0xf3,0x0f,0xa7,0xc8")	/* rep xcryptecb */ | ||||||
|  |  PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc, ".byte 0xf3,0x0f,0xa7,0xd0")	/* rep xcryptcbc */ | ||||||
|  |  PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0")	/* rep xcryptcfb */ | ||||||
|  |  PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8")	/* rep xcryptofb */ | ||||||
|  | +
 | ||||||
|  | +/* Our own htonl()/ntohl() */
 | ||||||
|  | +static inline void
 | ||||||
|  | +padlock_bswapl(AES_KEY *ks)
 | ||||||
|  | +{
 | ||||||
|  | +	size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]);
 | ||||||
|  | +	unsigned int *key = ks->rd_key;
 | ||||||
|  | +
 | ||||||
|  | +	while (i--) {
 | ||||||
|  | +		asm volatile ("bswapl %0" : "+r"(*key));
 | ||||||
|  | +		key++;
 | ||||||
|  | +	}
 | ||||||
|  | +}
 | ||||||
|  |  #endif | ||||||
|  |   | ||||||
|  |  /* The RNG call itself */ | ||||||
|  | @@ -491,8 +595,8 @@ padlock_xstore(void *addr, unsigned int
 | ||||||
|  |  static inline unsigned char * | ||||||
|  |  padlock_memcpy(void *dst,const void *src,size_t n) | ||||||
|  |  { | ||||||
|  | -	long       *d=dst;
 | ||||||
|  | -	const long *s=src;
 | ||||||
|  | +	size_t       *d=dst;
 | ||||||
|  | +	const size_t *s=src;
 | ||||||
|  |   | ||||||
|  |  	n /= sizeof(*d); | ||||||
|  |  	do { *d++ = *s++; } while (--n); | ||||||
| @ -1,7 +1,7 @@ | |||||||
| diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure
 | diff -up openssl-1.0.1-beta2/Configure.rpmbuild openssl-1.0.1-beta2/Configure
 | ||||||
| --- openssl-1.0.0-beta4/Configure.redhat	2009-11-09 15:11:13.000000000 +0100
 | --- openssl-1.0.1-beta2/Configure.rpmbuild	2012-01-05 01:07:34.000000000 +0100
 | ||||||
| +++ openssl-1.0.0-beta4/Configure	2009-11-12 12:15:27.000000000 +0100
 | +++ openssl-1.0.1-beta2/Configure	2012-02-02 12:43:56.547409325 +0100
 | ||||||
| @@ -336,32 +336,32 @@ my %table=(
 | @@ -343,23 +343,23 @@ my %table=(
 | ||||||
|  #### |  #### | ||||||
|  # *-generic* is endian-neutral target, but ./config is free to |  # *-generic* is endian-neutral target, but ./config is free to | ||||||
|  # throw in -D[BL]_ENDIAN, whichever appropriate... |  # throw in -D[BL]_ENDIAN, whichever appropriate... | ||||||
| @ -27,10 +27,19 @@ diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure | |||||||
| +"linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
 | +"linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
 | ||||||
|  "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |  "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | ||||||
|  "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |  "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | ||||||
| -"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 | -"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 | ||||||
| -"linux-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 | -"linux64-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 | ||||||
| +"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
 | +"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
 | ||||||
| +"linux-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
 | +"linux64-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
 | ||||||
|  |  #### So called "highgprs" target for z/Architecture CPUs | ||||||
|  |  # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see | ||||||
|  |  # /proc/cpuinfo. The idea is to preserve most significant bits of | ||||||
|  | @@ -373,16 +373,16 @@ my %table=(
 | ||||||
|  |  # ldconfig and run-time linker to autodiscover. Unfortunately it | ||||||
|  |  # doesn't work just yet, because of couple of bugs in glibc | ||||||
|  |  # sysdeps/s390/dl-procinfo.c affecting ldconfig and ld.so.1... | ||||||
|  | -"linux32-s390x",	"gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/highgprs",
 | ||||||
|  | +"linux32-s390x",	"gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::/highgprs",
 | ||||||
|  #### SPARC Linux setups |  #### SPARC Linux setups | ||||||
|  # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently |  # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently | ||||||
|  # assisted with debugging of following two configs. |  # assisted with debugging of following two configs. | ||||||
| @ -46,7 +55,7 @@ diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure | |||||||
|  #### Alpha Linux with GNU C and Compaq C setups |  #### Alpha Linux with GNU C and Compaq C setups | ||||||
|  # Special notes: |  # Special notes: | ||||||
|  # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you |  # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you | ||||||
| @@ -375,8 +375,8 @@ my %table=(
 | @@ -396,8 +396,8 @@ my %table=(
 | ||||||
|  # |  # | ||||||
|  #					<appro@fy.chalmers.se> |  #					<appro@fy.chalmers.se> | ||||||
|  # |  # | ||||||
| @ -57,3 +66,44 @@ diff -up openssl-1.0.0-beta4/Configure.redhat openssl-1.0.0-beta4/Configure | |||||||
|  "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", |  "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", | ||||||
|  "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", |  "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", | ||||||
|   |   | ||||||
|  | @@ -1678,7 +1678,7 @@ while (<IN>)
 | ||||||
|  |  	elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/) | ||||||
|  |  		{ | ||||||
|  |  		my $sotmp = $1; | ||||||
|  | -		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
 | ||||||
|  | +		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
 | ||||||
|  |  		} | ||||||
|  |  	elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/) | ||||||
|  |  		{ | ||||||
|  | diff -up openssl-1.0.1-beta2/Makefile.org.rpmbuild openssl-1.0.1-beta2/Makefile.org
 | ||||||
|  | --- openssl-1.0.1-beta2/Makefile.org.rpmbuild	2011-12-27 16:17:50.000000000 +0100
 | ||||||
|  | +++ openssl-1.0.1-beta2/Makefile.org	2012-02-02 12:30:23.652495435 +0100
 | ||||||
|  | @@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
 | ||||||
|  |  SHLIB_MAJOR= | ||||||
|  |  SHLIB_MINOR= | ||||||
|  |  SHLIB_EXT= | ||||||
|  | +SHLIB_SONAMEVER=10
 | ||||||
|  |  PLATFORM=dist | ||||||
|  |  OPTIONS= | ||||||
|  |  CONFIGURE_ARGS= | ||||||
|  | @@ -333,10 +334,9 @@ clean-shared:
 | ||||||
|  |  link-shared: | ||||||
|  |  	@ set -e; for i in $(SHLIBDIRS); do \ | ||||||
|  |  		$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \ | ||||||
|  | -			LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
 | ||||||
|  | +			LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
 | ||||||
|  |  			LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \ | ||||||
|  |  			symlink.$(SHLIB_TARGET); \ | ||||||
|  | -		libs="$$libs -l$$i"; \
 | ||||||
|  |  	done | ||||||
|  |   | ||||||
|  |  build-shared: do_$(SHLIB_TARGET) link-shared | ||||||
|  | @@ -347,7 +347,7 @@ do_$(SHLIB_TARGET):
 | ||||||
|  |  			libs="$(LIBKRB5) $$libs"; \ | ||||||
|  |  		fi; \ | ||||||
|  |  		$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \ | ||||||
|  | -			LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
 | ||||||
|  | +			LIBNAME=$$i LIBVERSION=$(SHLIB_SONAMEVER) \
 | ||||||
|  |  			LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \ | ||||||
|  |  			LIBDEPS="$$libs $(EX_LIBS)" \ | ||||||
|  |  			link_a.$(SHLIB_TARGET); \ | ||||||
| @ -1,7 +1,7 @@ | |||||||
| diff -up openssl-1.0.0-beta5/ssl/ssl.h.cipher-change openssl-1.0.0-beta5/ssl/ssl.h
 | diff -up openssl-1.0.1-beta2/ssl/ssl.h.op-all openssl-1.0.1-beta2/ssl/ssl.h
 | ||||||
| --- openssl-1.0.0-beta5/ssl/ssl.h.cipher-change	2010-01-20 18:12:07.000000000 +0100
 | --- openssl-1.0.1-beta2/ssl/ssl.h.op-all	2012-02-02 12:49:00.828035916 +0100
 | ||||||
| +++ openssl-1.0.0-beta5/ssl/ssl.h	2010-01-20 18:13:04.000000000 +0100
 | +++ openssl-1.0.1-beta2/ssl/ssl.h	2012-02-02 12:52:27.297818182 +0100
 | ||||||
| @@ -513,7 +513,7 @@ typedef struct ssl_session_st
 | @@ -540,7 +540,7 @@ struct ssl_session_st
 | ||||||
|  #define SSL_OP_NETSCAPE_CHALLENGE_BUG			0x00000002L |  #define SSL_OP_NETSCAPE_CHALLENGE_BUG			0x00000002L | ||||||
|  /* Allow initial connection to servers that don't support RI */ |  /* Allow initial connection to servers that don't support RI */ | ||||||
|  #define SSL_OP_LEGACY_SERVER_CONNECT			0x00000004L |  #define SSL_OP_LEGACY_SERVER_CONNECT			0x00000004L | ||||||
| @ -10,12 +10,12 @@ diff -up openssl-1.0.0-beta5/ssl/ssl.h.cipher-change openssl-1.0.0-beta5/ssl/ssl | |||||||
|  #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x00000010L |  #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x00000010L | ||||||
|  #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER		0x00000020L |  #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER		0x00000020L | ||||||
|  #define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x00000040L /* no effect since 0.9.7h and 0.9.8b */ |  #define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x00000040L /* no effect since 0.9.7h and 0.9.8b */ | ||||||
| @@ -530,7 +530,7 @@ typedef struct ssl_session_st
 | @@ -558,7 +558,7 @@ struct ssl_session_st
 | ||||||
|   |   | ||||||
|  /* SSL_OP_ALL: various bug workarounds that should be rather harmless. |  /* SSL_OP_ALL: various bug workarounds that should be rather harmless. | ||||||
|   *             This used to be 0x000FFFFFL before 0.9.7. */ |   *             This used to be 0x000FFFFFL before 0.9.7. */ | ||||||
| -#define SSL_OP_ALL					0x80000FFFL
 | -#define SSL_OP_ALL					0x80000BFFL
 | ||||||
| +#define SSL_OP_ALL					0x80000FF7L
 | +#define SSL_OP_ALL					0x80000BF7L /* we still have to include SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS */
 | ||||||
|   |   | ||||||
|  /* DTLS options */ |  /* DTLS options */ | ||||||
|  #define SSL_OP_NO_QUERY_MTU                 0x00001000L |  #define SSL_OP_NO_QUERY_MTU                 0x00001000L | ||||||
							
								
								
									
										30
									
								
								openssl-1.0.1-pkgconfig-krb5.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										30
									
								
								openssl-1.0.1-pkgconfig-krb5.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,30 @@ | |||||||
|  | diff -up openssl-1.0.1/Makefile.org.krb5 openssl-1.0.1/Makefile.org
 | ||||||
|  | --- openssl-1.0.1/Makefile.org.krb5	2012-03-14 21:15:04.000000000 +0100
 | ||||||
|  | +++ openssl-1.0.1/Makefile.org	2012-04-11 16:28:31.254725422 +0200
 | ||||||
|  | @@ -370,7 +370,7 @@ libcrypto.pc: Makefile
 | ||||||
|  |  	    echo 'Requires: '; \ | ||||||
|  |  	    echo 'Libs: -L$${libdir} -lcrypto'; \ | ||||||
|  |  	    echo 'Libs.private: $(EX_LIBS)'; \ | ||||||
|  | -	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
 | ||||||
|  | +	    echo 'Cflags: -I$${includedir}' ) > libcrypto.pc
 | ||||||
|  |   | ||||||
|  |  libssl.pc: Makefile | ||||||
|  |  	@ ( echo 'prefix=$(INSTALLTOP)'; \ | ||||||
|  | @@ -383,7 +383,7 @@ libssl.pc: Makefile
 | ||||||
|  |  	    echo 'Version: '$(VERSION); \ | ||||||
|  |  	    echo 'Requires: '; \ | ||||||
|  |  	    echo 'Libs: -L$${libdir} -lssl -lcrypto'; \ | ||||||
|  | -	    echo 'Libs.private: $(EX_LIBS)'; \
 | ||||||
|  | +	    echo 'Libs.private: $(EX_LIBS) $(LIBKRB5)'; \
 | ||||||
|  |  	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc | ||||||
|  |   | ||||||
|  |  openssl.pc: Makefile | ||||||
|  | @@ -397,7 +397,7 @@ openssl.pc: Makefile
 | ||||||
|  |  	    echo 'Version: '$(VERSION); \ | ||||||
|  |  	    echo 'Requires: '; \ | ||||||
|  |  	    echo 'Libs: -L$${libdir} -lssl -lcrypto'; \ | ||||||
|  | -	    echo 'Libs.private: $(EX_LIBS)'; \
 | ||||||
|  | +	    echo 'Libs.private: $(EX_LIBS) $(LIBKRB5)'; \
 | ||||||
|  |  	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc | ||||||
|  |   | ||||||
|  |  Makefile: Makefile.org Configure config | ||||||
							
								
								
									
										55
									
								
								openssl-1.0.1-version.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										55
									
								
								openssl-1.0.1-version.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,55 @@ | |||||||
|  | diff -up openssl-1.0.1/crypto/cversion.c.version openssl-1.0.1/crypto/cversion.c
 | ||||||
|  | --- openssl-1.0.1/crypto/cversion.c.version	2004-04-19 20:09:22.000000000 +0200
 | ||||||
|  | +++ openssl-1.0.1/crypto/cversion.c	2012-03-14 20:58:20.630352536 +0100
 | ||||||
|  | @@ -110,8 +110,15 @@ const char *SSLeay_version(int t)
 | ||||||
|  |  	return("not available"); | ||||||
|  |  	} | ||||||
|  |   | ||||||
|  | -unsigned long SSLeay(void)
 | ||||||
|  | +unsigned long _original_SSLeay(void)
 | ||||||
|  | +	{
 | ||||||
|  | +	return(0x10000003);
 | ||||||
|  | +	}
 | ||||||
|  | +
 | ||||||
|  | +unsigned long _current_SSLeay(void)
 | ||||||
|  |  	{ | ||||||
|  |  	return(SSLEAY_VERSION_NUMBER); | ||||||
|  |  	} | ||||||
|  |   | ||||||
|  | +__asm__(".symver _original_SSLeay,SSLeay@");
 | ||||||
|  | +__asm__(".symver _current_SSLeay,SSLeay@@OPENSSL_1.0.1");
 | ||||||
|  | diff -up openssl-1.0.1/crypto/opensslv.h.version openssl-1.0.1/crypto/opensslv.h
 | ||||||
|  | --- openssl-1.0.1/crypto/opensslv.h.version	2012-03-14 20:58:19.914337879 +0100
 | ||||||
|  | +++ openssl-1.0.1/crypto/opensslv.h	2012-03-14 20:58:20.630352536 +0100
 | ||||||
|  | @@ -83,7 +83,7 @@
 | ||||||
|  |   * should only keep the versions that are binary compatible with the current. | ||||||
|  |   */ | ||||||
|  |  #define SHLIB_VERSION_HISTORY "" | ||||||
|  | -#define SHLIB_VERSION_NUMBER "1.0.0"
 | ||||||
|  | +#define SHLIB_VERSION_NUMBER "1.0.1c"
 | ||||||
|  |   | ||||||
|  |   | ||||||
|  |  #endif /* HEADER_OPENSSLV_H */ | ||||||
|  | diff -up openssl-1.0.1/Makefile.shared.version openssl-1.0.1/Makefile.shared
 | ||||||
|  | --- openssl-1.0.1/Makefile.shared.version	2012-03-14 20:58:20.553350959 +0100
 | ||||||
|  | +++ openssl-1.0.1/Makefile.shared	2012-03-14 20:58:20.631352556 +0100
 | ||||||
|  | @@ -151,7 +151,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
 | ||||||
|  |  	SHLIB_SUFFIX=; \ | ||||||
|  |  	ALLSYMSFLAGS='-Wl,--whole-archive'; \ | ||||||
|  |  	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \ | ||||||
|  | -	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
 | ||||||
|  | +	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,--default-symver,--version-script=version.map -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
 | ||||||
|  |   | ||||||
|  |  DO_GNU_APP=LDFLAGS="$(CFLAGS)" | ||||||
|  |   | ||||||
|  | diff -up openssl-1.0.1/version.map.version openssl-1.0.1/version.map
 | ||||||
|  | --- openssl-1.0.1/version.map.version	2012-03-14 20:58:20.631352556 +0100
 | ||||||
|  | +++ openssl-1.0.1/version.map	2012-03-14 20:58:20.631352556 +0100
 | ||||||
|  | @@ -0,0 +1,7 @@
 | ||||||
|  | +OPENSSL_1.0.1 {
 | ||||||
|  | +    global:
 | ||||||
|  | +	    SSLeay;
 | ||||||
|  | +    local:
 | ||||||
|  | +	    _original*;
 | ||||||
|  | +	    _current*;
 | ||||||
|  | +};
 | ||||||
| @ -1,28 +1,7 @@ | |||||||
| diff -up openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod
 | diff -up openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod
 | ||||||
| --- openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc	2009-10-16 17:29:34.000000000 +0200
 | --- openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod.algo-doc	2012-04-11 00:28:22.000000000 +0200
 | ||||||
| +++ openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod	2009-11-12 14:13:21.000000000 +0100
 | +++ openssl-1.0.1a/doc/crypto/EVP_DigestInit.pod	2012-04-20 09:14:01.865167011 +0200
 | ||||||
| @@ -6,7 +6,8 @@ EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_
 | @@ -75,7 +75,7 @@ EVP_MD_CTX_create() allocates, initializ
 | ||||||
|  EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE, |  | ||||||
|  EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, |  | ||||||
|  EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type, |  | ||||||
| -EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_dss, EVP_dss1, EVP_mdc2,
 |  | ||||||
| +EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_sha224,
 |  | ||||||
| +EVP_sha256, EVP_sha384, EVP_sha512, EVP_dss, EVP_dss1, EVP_mdc2,
 |  | ||||||
|  EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj - |  | ||||||
|  EVP digest routines |  | ||||||
|   |  | ||||||
| @@ -51,6 +52,10 @@ EVP digest routines
 |  | ||||||
|   const EVP_MD *EVP_md5(void); |  | ||||||
|   const EVP_MD *EVP_sha(void); |  | ||||||
|   const EVP_MD *EVP_sha1(void); |  | ||||||
| + const EVP_MD *EVP_sha224(void);
 |  | ||||||
| + const EVP_MD *EVP_sha256(void);
 |  | ||||||
| + const EVP_MD *EVP_sha384(void);
 |  | ||||||
| + const EVP_MD *EVP_sha512(void);
 |  | ||||||
|   const EVP_MD *EVP_dss(void); |  | ||||||
|   const EVP_MD *EVP_dss1(void); |  | ||||||
|   const EVP_MD *EVP_mdc2(void); |  | ||||||
| @@ -70,7 +75,7 @@ EVP_MD_CTX_create() allocates, initializ
 |  | ||||||
|   |   | ||||||
|  EVP_DigestInit_ex() sets up digest context B<ctx> to use a digest |  EVP_DigestInit_ex() sets up digest context B<ctx> to use a digest | ||||||
|  B<type> from ENGINE B<impl>. B<ctx> must be initialized before calling this |  B<type> from ENGINE B<impl>. B<ctx> must be initialized before calling this | ||||||
| @ -31,22 +10,7 @@ diff -up openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0. | |||||||
|  If B<impl> is NULL then the default implementation of digest B<type> is used. |  If B<impl> is NULL then the default implementation of digest B<type> is used. | ||||||
|   |   | ||||||
|  EVP_DigestUpdate() hashes B<cnt> bytes of data at B<d> into the |  EVP_DigestUpdate() hashes B<cnt> bytes of data at B<d> into the | ||||||
| @@ -127,9 +132,11 @@ with this digest. For example EVP_sha1()
 | @@ -165,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
 | ||||||
|  return B<NID_sha1WithRSAEncryption>. This "link" between digests and signature |  | ||||||
|  algorithms may not be retained in future versions of OpenSSL. |  | ||||||
|   |  | ||||||
| -EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_mdc2() and EVP_ripemd160()
 |  | ||||||
| -return B<EVP_MD> structures for the MD2, MD5, SHA, SHA1, MDC2 and RIPEMD160 digest
 |  | ||||||
| -algorithms respectively. The associated signature algorithm is RSA in each case.
 |  | ||||||
| +EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_sha224(), EVP_sha256(),
 |  | ||||||
| +EVP_sha384(), EVP_sha512(), EVP_mdc2() and EVP_ripemd160()
 |  | ||||||
| +return B<EVP_MD> structures for the MD2, MD5, SHA, SHA1, SHA224, SHA256, SHA384,
 |  | ||||||
| +SHA512, MDC2 and RIPEMD160 digest algorithms respectively. The associated
 |  | ||||||
| +signature algorithm is RSA in each case.
 |  | ||||||
|   |  | ||||||
|  EVP_dss() and EVP_dss1() return B<EVP_MD> structures for SHA and SHA1 digest |  | ||||||
|  algorithms but using DSS (DSA) for the signature algorithm. Note: there is  |  | ||||||
| @@ -158,7 +165,8 @@ EVP_MD_size(), EVP_MD_block_size(), EVP_
 |  | ||||||
|  EVP_MD_CTX_block_size()	and EVP_MD_block_size() return the digest or block |  EVP_MD_CTX_block_size()	and EVP_MD_block_size() return the digest or block | ||||||
|  size in bytes. |  size in bytes. | ||||||
|   |   | ||||||
| @ -56,9 +20,9 @@ diff -up openssl-1.0.0-beta4/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.0. | |||||||
|  EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the |  EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the | ||||||
|  corresponding EVP_MD structures. |  corresponding EVP_MD structures. | ||||||
|   |   | ||||||
| diff -up openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod
 | diff -up openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod
 | ||||||
| --- openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod.algo-doc	2005-04-15 18:01:35.000000000 +0200
 | --- openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod.algo-doc	2005-04-15 18:01:35.000000000 +0200
 | ||||||
| +++ openssl-1.0.0-beta4/doc/crypto/EVP_EncryptInit.pod	2009-11-12 14:11:03.000000000 +0100
 | +++ openssl-1.0.1a/doc/crypto/EVP_EncryptInit.pod	2012-04-20 09:10:59.114736465 +0200
 | ||||||
| @@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher
 | @@ -91,6 +91,32 @@ EVP_CIPHER_CTX_set_padding - EVP cipher
 | ||||||
|   int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type); |   int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type); | ||||||
|   int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type); |   int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type); | ||||||
							
								
								
									
										12
									
								
								openssl-1.0.1c-aliasing.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										12
									
								
								openssl-1.0.1c-aliasing.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,12 @@ | |||||||
|  | diff -up openssl-1.0.1c/crypto/modes/Makefile.aliasing openssl-1.0.1c/crypto/modes/Makefile
 | ||||||
|  | --- openssl-1.0.1c/crypto/modes/Makefile.aliasing	2011-08-12 00:36:17.000000000 +0200
 | ||||||
|  | +++ openssl-1.0.1c/crypto/modes/Makefile	2012-07-13 11:32:10.767829077 +0200
 | ||||||
|  | @@ -12,7 +12,7 @@ AR=		ar r
 | ||||||
|  |   | ||||||
|  |  MODES_ASM_OBJ= | ||||||
|  |   | ||||||
|  | -CFLAGS= $(INCLUDES) $(CFLAG)
 | ||||||
|  | +CFLAGS= $(INCLUDES) $(CFLAG) -fno-strict-aliasing
 | ||||||
|  |  ASFLAGS= $(INCLUDES) $(ASFLAG) | ||||||
|  |  AFLAGS= $(ASFLAGS) | ||||||
|  |   | ||||||
							
								
								
									
										106
									
								
								openssl-1.0.1c-backports.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										106
									
								
								openssl-1.0.1c-backports.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,106 @@ | |||||||
|  | diff -up openssl-1.0.1c/crypto/asn1/x_pubkey.c.backports openssl-1.0.1c/crypto/asn1/x_pubkey.c
 | ||||||
|  | --- openssl-1.0.1c/crypto/asn1/x_pubkey.c.backports	2012-02-28 15:47:16.000000000 +0100
 | ||||||
|  | +++ openssl-1.0.1c/crypto/asn1/x_pubkey.c	2012-05-15 17:44:14.584128501 +0200
 | ||||||
|  | @@ -175,12 +175,15 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *k
 | ||||||
|  |  	CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY); | ||||||
|  |  	if (key->pkey) | ||||||
|  |  		{ | ||||||
|  | +		CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
 | ||||||
|  |  		EVP_PKEY_free(ret); | ||||||
|  |  		ret = key->pkey; | ||||||
|  |  		} | ||||||
|  |  	else | ||||||
|  | +		{
 | ||||||
|  |  		key->pkey = ret; | ||||||
|  | -	CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
 | ||||||
|  | +		CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
 | ||||||
|  | +		}
 | ||||||
|  |  	CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY); | ||||||
|  |   | ||||||
|  |  	return ret; | ||||||
|  | diff -up openssl-1.0.1c/ssl/s3_lib.c.backports openssl-1.0.1c/ssl/s3_lib.c
 | ||||||
|  | --- openssl-1.0.1c/ssl/s3_lib.c.backports	2012-04-17 17:20:17.000000000 +0200
 | ||||||
|  | +++ openssl-1.0.1c/ssl/s3_lib.c	2012-05-15 17:42:43.880139566 +0200
 | ||||||
|  | @@ -1125,7 +1125,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 | ||||||
|  |  	0, /* not implemented (non-ephemeral DH) */ | ||||||
|  |  	TLS1_TXT_DH_DSS_WITH_AES_128_SHA256, | ||||||
|  |  	TLS1_CK_DH_DSS_WITH_AES_128_SHA256, | ||||||
|  | -	SSL_kDHr,
 | ||||||
|  | +	SSL_kDHd,
 | ||||||
|  |  	SSL_aDH, | ||||||
|  |  	SSL_AES128, | ||||||
|  |  	SSL_SHA256, | ||||||
|  | @@ -1407,7 +1407,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 | ||||||
|  |  	0, /* not implemented (non-ephemeral DH) */ | ||||||
|  |  	TLS1_TXT_DH_DSS_WITH_AES_256_SHA256, | ||||||
|  |  	TLS1_CK_DH_DSS_WITH_AES_256_SHA256, | ||||||
|  | -	SSL_kDHr,
 | ||||||
|  | +	SSL_kDHd,
 | ||||||
|  |  	SSL_aDH, | ||||||
|  |  	SSL_AES256, | ||||||
|  |  	SSL_SHA256, | ||||||
|  | @@ -1958,7 +1958,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 | ||||||
|  |  	0, | ||||||
|  |  	TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256, | ||||||
|  |  	TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256, | ||||||
|  | -	SSL_kDHr,
 | ||||||
|  | +	SSL_kDHd,
 | ||||||
|  |  	SSL_aDH, | ||||||
|  |  	SSL_AES128GCM, | ||||||
|  |  	SSL_AEAD, | ||||||
|  | @@ -1974,7 +1974,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 | ||||||
|  |  	0, | ||||||
|  |  	TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384, | ||||||
|  |  	TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384, | ||||||
|  | -	SSL_kDHr,
 | ||||||
|  | +	SSL_kDHd,
 | ||||||
|  |  	SSL_aDH, | ||||||
|  |  	SSL_AES256GCM, | ||||||
|  |  	SSL_AEAD, | ||||||
|  | @@ -2669,7 +2669,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 | ||||||
|  |  	1, | ||||||
|  |  	TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256, | ||||||
|  |  	TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256, | ||||||
|  | -	SSL_kECDHe,
 | ||||||
|  | +	SSL_kECDHr,
 | ||||||
|  |  	SSL_aECDH, | ||||||
|  |  	SSL_AES128, | ||||||
|  |  	SSL_SHA256, | ||||||
|  | @@ -2685,7 +2685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 | ||||||
|  |  	1, | ||||||
|  |  	TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384, | ||||||
|  |  	TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384, | ||||||
|  | -	SSL_kECDHe,
 | ||||||
|  | +	SSL_kECDHr,
 | ||||||
|  |  	SSL_aECDH, | ||||||
|  |  	SSL_AES256, | ||||||
|  |  	SSL_SHA384, | ||||||
|  | @@ -2799,7 +2799,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 | ||||||
|  |  	1, | ||||||
|  |  	TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256, | ||||||
|  |  	TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256, | ||||||
|  | -	SSL_kECDHe,
 | ||||||
|  | +	SSL_kECDHr,
 | ||||||
|  |  	SSL_aECDH, | ||||||
|  |  	SSL_AES128GCM, | ||||||
|  |  	SSL_AEAD, | ||||||
|  | @@ -2815,7 +2815,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 | ||||||
|  |  	1, | ||||||
|  |  	TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384, | ||||||
|  |  	TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384, | ||||||
|  | -	SSL_kECDHe,
 | ||||||
|  | +	SSL_kECDHr,
 | ||||||
|  |  	SSL_aECDH, | ||||||
|  |  	SSL_AES256GCM, | ||||||
|  |  	SSL_AEAD, | ||||||
|  | diff -up openssl-1.0.1c/ssl/s3_pkt.c.backports openssl-1.0.1c/ssl/s3_pkt.c
 | ||||||
|  | --- openssl-1.0.1c/ssl/s3_pkt.c.backports	2012-04-17 15:20:19.000000000 +0200
 | ||||||
|  | +++ openssl-1.0.1c/ssl/s3_pkt.c	2012-05-15 17:43:48.470555889 +0200
 | ||||||
|  | @@ -744,6 +744,7 @@ static int do_ssl3_write(SSL *s, int typ
 | ||||||
|  |  	 * bytes and record version number > TLS 1.0 | ||||||
|  |  	 */ | ||||||
|  |  	if (s->state == SSL3_ST_CW_CLNT_HELLO_B | ||||||
|  | +				&& !s->renegotiate
 | ||||||
|  |  				&& TLS1_get_version(s) > TLS1_VERSION) | ||||||
|  |  		*(p++) = 0x1; | ||||||
|  |  	else | ||||||
							
								
								
									
										103
									
								
								openssl-1.0.1c-backports2.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										103
									
								
								openssl-1.0.1c-backports2.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,103 @@ | |||||||
|  | diff -up openssl-1.0.1c/apps/cms.c.backports2 openssl-1.0.1c/apps/cms.c
 | ||||||
|  | --- openssl-1.0.1c/apps/cms.c.backports2	2012-01-05 14:46:27.000000000 +0100
 | ||||||
|  | +++ openssl-1.0.1c/apps/cms.c	2012-09-07 10:34:42.000000000 +0200
 | ||||||
|  | @@ -233,6 +233,8 @@ int MAIN(int argc, char **argv)
 | ||||||
|  |  		else if (!strcmp(*args,"-camellia256")) | ||||||
|  |  				cipher = EVP_camellia_256_cbc(); | ||||||
|  |  #endif | ||||||
|  | +		else if (!strcmp (*args, "-debug_decrypt")) 
 | ||||||
|  | +				flags |= CMS_DEBUG_DECRYPT;
 | ||||||
|  |  		else if (!strcmp (*args, "-text"))  | ||||||
|  |  				flags |= CMS_TEXT; | ||||||
|  |  		else if (!strcmp (*args, "-nointern"))  | ||||||
|  | @@ -1039,6 +1041,8 @@ int MAIN(int argc, char **argv)
 | ||||||
|  |  	ret = 4; | ||||||
|  |  	if (operation == SMIME_DECRYPT) | ||||||
|  |  		{ | ||||||
|  | +		if (flags & CMS_DEBUG_DECRYPT)
 | ||||||
|  | +			CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags);
 | ||||||
|  |   | ||||||
|  |  		if (secret_key) | ||||||
|  |  			{ | ||||||
|  | diff -up openssl-1.0.1c/crypto/bn/bn_lcl.h.backports2 openssl-1.0.1c/crypto/bn/bn_lcl.h
 | ||||||
|  | --- openssl-1.0.1c/crypto/bn/bn_lcl.h.backports2	2012-09-06 17:25:22.000000000 +0200
 | ||||||
|  | +++ openssl-1.0.1c/crypto/bn/bn_lcl.h	2012-09-07 10:22:43.000000000 +0200
 | ||||||
|  | @@ -282,16 +282,23 @@ extern "C" {
 | ||||||
|  |  #  endif | ||||||
|  |  # elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)) | ||||||
|  |  #  if defined(__GNUC__) && __GNUC__>=2 | ||||||
|  | -#   define BN_UMULT_HIGH(a,b)	({	\
 | ||||||
|  | +#   if __GNUC__>=4 && __GNUC_MINOR__>=4 /* "h" constraint is no more since 4.4 */
 | ||||||
|  | +#     define BN_UMULT_HIGH(a,b)		 (((__uint128_t)(a)*(b))>>64)
 | ||||||
|  | +#     define BN_UMULT_LOHI(low,high,a,b) ({	\
 | ||||||
|  | +	__uint128_t ret=(__uint128_t)(a)*(b);	\
 | ||||||
|  | +	(high)=ret>>64; (low)=ret;	 })
 | ||||||
|  | +#   else
 | ||||||
|  | +#     define BN_UMULT_HIGH(a,b)	({	\
 | ||||||
|  |  	register BN_ULONG ret;		\ | ||||||
|  |  	asm ("dmultu	%1,%2"		\ | ||||||
|  |  	     : "=h"(ret)		\ | ||||||
|  |  	     : "r"(a), "r"(b) : "l");	\ | ||||||
|  |  	ret;			}) | ||||||
|  | -#   define BN_UMULT_LOHI(low,high,a,b)	\
 | ||||||
|  | +#     define BN_UMULT_LOHI(low,high,a,b)\
 | ||||||
|  |  	asm ("dmultu	%2,%3"		\ | ||||||
|  |  	     : "=l"(low),"=h"(high)	\ | ||||||
|  |  	     : "r"(a), "r"(b)); | ||||||
|  | +#    endif
 | ||||||
|  |  #  endif | ||||||
|  |  # endif		/* cpu */ | ||||||
|  |  #endif		/* OPENSSL_NO_ASM */ | ||||||
|  | diff -up openssl-1.0.1c/crypto/modes/gcm128.c.backports2 openssl-1.0.1c/crypto/modes/gcm128.c
 | ||||||
|  | --- openssl-1.0.1c/crypto/modes/gcm128.c.backports2	2012-01-25 18:56:24.000000000 +0100
 | ||||||
|  | +++ openssl-1.0.1c/crypto/modes/gcm128.c	2012-09-07 10:24:56.000000000 +0200
 | ||||||
|  | @@ -1398,7 +1398,7 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT
 | ||||||
|  |  	void (*gcm_gmult_p)(u64 Xi[2],const u128 Htable[16])	= ctx->gmult; | ||||||
|  |  #endif | ||||||
|  |   | ||||||
|  | -	if (ctx->mres)
 | ||||||
|  | +	if (ctx->mres || ctx->ares)
 | ||||||
|  |  		GCM_MUL(ctx,Xi); | ||||||
|  |   | ||||||
|  |  	if (is_endian.little) { | ||||||
|  | diff -up openssl-1.0.1c/ssl/ssl_cert.c.backports2 openssl-1.0.1c/ssl/ssl_cert.c
 | ||||||
|  | --- openssl-1.0.1c/ssl/ssl_cert.c.backports2	2011-05-11 15:37:52.000000000 +0200
 | ||||||
|  | +++ openssl-1.0.1c/ssl/ssl_cert.c	2012-09-07 10:33:54.000000000 +0200
 | ||||||
|  | @@ -164,14 +164,14 @@ static void ssl_cert_set_default_md(CERT
 | ||||||
|  |  	{ | ||||||
|  |  	/* Set digest values to defaults */ | ||||||
|  |  #ifndef OPENSSL_NO_DSA | ||||||
|  | -	cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
 | ||||||
|  | +	cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
 | ||||||
|  |  #endif | ||||||
|  |  #ifndef OPENSSL_NO_RSA | ||||||
|  |  	cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); | ||||||
|  |  	cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); | ||||||
|  |  #endif | ||||||
|  |  #ifndef OPENSSL_NO_ECDSA | ||||||
|  | -	cert->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
 | ||||||
|  | +	cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
 | ||||||
|  |  #endif | ||||||
|  |  	} | ||||||
|  |   | ||||||
|  | diff -up openssl-1.0.1c/ssl/t1_lib.c.backports2 openssl-1.0.1c/ssl/t1_lib.c
 | ||||||
|  | --- openssl-1.0.1c/ssl/t1_lib.c.backports2	2012-03-21 22:32:57.000000000 +0100
 | ||||||
|  | +++ openssl-1.0.1c/ssl/t1_lib.c	2012-09-07 10:33:54.000000000 +0200
 | ||||||
|  | @@ -2414,7 +2414,7 @@ int tls1_process_sigalgs(SSL *s, const u
 | ||||||
|  |  	 */ | ||||||
|  |  #ifndef OPENSSL_NO_DSA | ||||||
|  |  	if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) | ||||||
|  | -		c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
 | ||||||
|  | +		c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
 | ||||||
|  |  #endif | ||||||
|  |  #ifndef OPENSSL_NO_RSA | ||||||
|  |  	if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) | ||||||
|  | @@ -2425,7 +2425,7 @@ int tls1_process_sigalgs(SSL *s, const u
 | ||||||
|  |  #endif | ||||||
|  |  #ifndef OPENSSL_NO_ECDSA | ||||||
|  |  	if (!c->pkeys[SSL_PKEY_ECC].digest) | ||||||
|  | -		c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
 | ||||||
|  | +		c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
 | ||||||
|  |  #endif | ||||||
|  |  	return 1; | ||||||
|  |  	} | ||||||
							
								
								
									
										11
									
								
								openssl-1.0.1c-ccm-init-str.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										11
									
								
								openssl-1.0.1c-ccm-init-str.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,11 @@ | |||||||
|  | diff -up openssl-1.0.1c/crypto/evp/e_aes.c.init-str openssl-1.0.1c/crypto/evp/e_aes.c
 | ||||||
|  | --- openssl-1.0.1c/crypto/evp/e_aes.c.init-str	2012-09-06 17:20:45.000000000 +0200
 | ||||||
|  | +++ openssl-1.0.1c/crypto/evp/e_aes.c	2012-09-06 17:18:30.000000000 +0200
 | ||||||
|  | @@ -1216,6 +1216,7 @@ static int aes_ccm_init_key(EVP_CIPHER_C
 | ||||||
|  |  			vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks); | ||||||
|  |  			CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, | ||||||
|  |  					&cctx->ks, (block128_f)vpaes_encrypt); | ||||||
|  | +			cctx->str = NULL;
 | ||||||
|  |  			cctx->key_set = 1; | ||||||
|  |  			break; | ||||||
|  |  			} | ||||||
							
								
								
									
										20357
									
								
								openssl-1.0.1c-fips.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										20357
									
								
								openssl-1.0.1c-fips.patch
									
									
									
									
									
										Normal file
									
								
							
										
											
												File diff suppressed because it is too large
												Load Diff
											
										
									
								
							| @ -1,6 +1,6 @@ | |||||||
| diff -up openssl-1.0.0b/apps/s_apps.h.ipv6-apps openssl-1.0.0b/apps/s_apps.h
 | diff -up openssl-1.0.1c/apps/s_apps.h.ipv6-apps openssl-1.0.1c/apps/s_apps.h
 | ||||||
| --- openssl-1.0.0b/apps/s_apps.h.ipv6-apps	2010-11-16 17:19:29.000000000 +0100
 | --- openssl-1.0.1c/apps/s_apps.h.ipv6-apps	2012-07-11 22:46:02.409221206 +0200
 | ||||||
| +++ openssl-1.0.0b/apps/s_apps.h	2010-11-16 17:19:29.000000000 +0100
 | +++ openssl-1.0.1c/apps/s_apps.h	2012-07-11 22:46:02.451222165 +0200
 | ||||||
| @@ -148,7 +148,7 @@ typedef fd_mask fd_set;
 | @@ -148,7 +148,7 @@ typedef fd_mask fd_set;
 | ||||||
|  #define PORT_STR        "4433" |  #define PORT_STR        "4433" | ||||||
|  #define PROTOCOL        "tcp" |  #define PROTOCOL        "tcp" | ||||||
| @ -23,10 +23,10 @@ diff -up openssl-1.0.0b/apps/s_apps.h.ipv6-apps openssl-1.0.0b/apps/s_apps.h | |||||||
|   |   | ||||||
|  long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp, |  long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp, | ||||||
|  				   int argi, long argl, long ret); |  				   int argi, long argl, long ret); | ||||||
| diff -up openssl-1.0.0b/apps/s_client.c.ipv6-apps openssl-1.0.0b/apps/s_client.c
 | diff -up openssl-1.0.1c/apps/s_client.c.ipv6-apps openssl-1.0.1c/apps/s_client.c
 | ||||||
| --- openssl-1.0.0b/apps/s_client.c.ipv6-apps	2010-11-16 17:19:29.000000000 +0100
 | --- openssl-1.0.1c/apps/s_client.c.ipv6-apps	2012-07-11 22:46:02.433221754 +0200
 | ||||||
| +++ openssl-1.0.0b/apps/s_client.c	2010-11-16 17:19:29.000000000 +0100
 | +++ openssl-1.0.1c/apps/s_client.c	2012-07-11 22:46:02.452222187 +0200
 | ||||||
| @@ -389,7 +389,7 @@ int MAIN(int argc, char **argv)
 | @@ -563,7 +563,7 @@ int MAIN(int argc, char **argv)
 | ||||||
|  	int cbuf_len,cbuf_off; |  	int cbuf_len,cbuf_off; | ||||||
|  	int sbuf_len,sbuf_off; |  	int sbuf_len,sbuf_off; | ||||||
|  	fd_set readfds,writefds; |  	fd_set readfds,writefds; | ||||||
| @ -35,7 +35,7 @@ diff -up openssl-1.0.0b/apps/s_client.c.ipv6-apps openssl-1.0.0b/apps/s_client.c | |||||||
|  	int full_log=1; |  	int full_log=1; | ||||||
|  	char *host=SSL_HOST_NAME; |  	char *host=SSL_HOST_NAME; | ||||||
|  	char *cert_file=NULL,*key_file=NULL; |  	char *cert_file=NULL,*key_file=NULL; | ||||||
| @@ -488,13 +488,12 @@ int MAIN(int argc, char **argv)
 | @@ -664,13 +664,12 @@ int MAIN(int argc, char **argv)
 | ||||||
|  		else if	(strcmp(*argv,"-port") == 0) |  		else if	(strcmp(*argv,"-port") == 0) | ||||||
|  			{ |  			{ | ||||||
|  			if (--argc < 1) goto bad; |  			if (--argc < 1) goto bad; | ||||||
| @ -51,7 +51,7 @@ diff -up openssl-1.0.0b/apps/s_client.c.ipv6-apps openssl-1.0.0b/apps/s_client.c | |||||||
|  				goto bad; |  				goto bad; | ||||||
|  			} |  			} | ||||||
|  		else if	(strcmp(*argv,"-verify") == 0) |  		else if	(strcmp(*argv,"-verify") == 0) | ||||||
| @@ -967,7 +966,7 @@ bad:
 | @@ -1253,7 +1252,7 @@ bad:
 | ||||||
|   |   | ||||||
|  re_start: |  re_start: | ||||||
|   |   | ||||||
| @ -60,10 +60,10 @@ diff -up openssl-1.0.0b/apps/s_client.c.ipv6-apps openssl-1.0.0b/apps/s_client.c | |||||||
|  		{ |  		{ | ||||||
|  		BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error()); |  		BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error()); | ||||||
|  		SHUTDOWN(s); |  		SHUTDOWN(s); | ||||||
| diff -up openssl-1.0.0b/apps/s_server.c.ipv6-apps openssl-1.0.0b/apps/s_server.c
 | diff -up openssl-1.0.1c/apps/s_server.c.ipv6-apps openssl-1.0.1c/apps/s_server.c
 | ||||||
| --- openssl-1.0.0b/apps/s_server.c.ipv6-apps	2010-11-16 17:19:29.000000000 +0100
 | --- openssl-1.0.1c/apps/s_server.c.ipv6-apps	2012-07-11 22:46:02.434221777 +0200
 | ||||||
| +++ openssl-1.0.0b/apps/s_server.c	2010-11-16 17:19:29.000000000 +0100
 | +++ openssl-1.0.1c/apps/s_server.c	2012-07-11 22:46:02.453222210 +0200
 | ||||||
| @@ -838,7 +838,7 @@ int MAIN(int argc, char *argv[])
 | @@ -929,7 +929,7 @@ int MAIN(int argc, char *argv[])
 | ||||||
|  	{ |  	{ | ||||||
|  	X509_VERIFY_PARAM *vpm = NULL; |  	X509_VERIFY_PARAM *vpm = NULL; | ||||||
|  	int badarg = 0; |  	int badarg = 0; | ||||||
| @ -72,7 +72,7 @@ diff -up openssl-1.0.0b/apps/s_server.c.ipv6-apps openssl-1.0.0b/apps/s_server.c | |||||||
|  	char *CApath=NULL,*CAfile=NULL; |  	char *CApath=NULL,*CAfile=NULL; | ||||||
|  	unsigned char *context = NULL; |  	unsigned char *context = NULL; | ||||||
|  	char *dhfile = NULL; |  	char *dhfile = NULL; | ||||||
| @@ -909,8 +909,7 @@ int MAIN(int argc, char *argv[])
 | @@ -1000,8 +1000,7 @@ int MAIN(int argc, char *argv[])
 | ||||||
|  			 (strcmp(*argv,"-accept") == 0)) |  			 (strcmp(*argv,"-accept") == 0)) | ||||||
|  			{ |  			{ | ||||||
|  			if (--argc < 1) goto bad; |  			if (--argc < 1) goto bad; | ||||||
| @ -82,7 +82,7 @@ diff -up openssl-1.0.0b/apps/s_server.c.ipv6-apps openssl-1.0.0b/apps/s_server.c | |||||||
|  			} |  			} | ||||||
|  		else if	(strcmp(*argv,"-verify") == 0) |  		else if	(strcmp(*argv,"-verify") == 0) | ||||||
|  			{ |  			{ | ||||||
| @@ -1700,9 +1699,9 @@ bad:
 | @@ -1878,9 +1877,9 @@ bad:
 | ||||||
|  	BIO_printf(bio_s_out,"ACCEPT\n"); |  	BIO_printf(bio_s_out,"ACCEPT\n"); | ||||||
|  	(void)BIO_flush(bio_s_out); |  	(void)BIO_flush(bio_s_out); | ||||||
|  	if (www) |  	if (www) | ||||||
| @ -94,9 +94,9 @@ diff -up openssl-1.0.0b/apps/s_server.c.ipv6-apps openssl-1.0.0b/apps/s_server.c | |||||||
|  	print_stats(bio_s_out,ctx); |  	print_stats(bio_s_out,ctx); | ||||||
|  	ret=0; |  	ret=0; | ||||||
|  end: |  end: | ||||||
| diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c
 | diff -up openssl-1.0.1c/apps/s_socket.c.ipv6-apps openssl-1.0.1c/apps/s_socket.c
 | ||||||
| --- openssl-1.0.0b/apps/s_socket.c.ipv6-apps	2010-07-05 13:03:22.000000000 +0200
 | --- openssl-1.0.1c/apps/s_socket.c.ipv6-apps	2011-12-02 15:39:40.000000000 +0100
 | ||||||
| +++ openssl-1.0.0b/apps/s_socket.c	2010-11-16 17:27:18.000000000 +0100
 | +++ openssl-1.0.1c/apps/s_socket.c	2012-07-11 22:49:05.411400450 +0200
 | ||||||
| @@ -102,9 +102,7 @@ static struct hostent *GetHostByName(cha
 | @@ -102,9 +102,7 @@ static struct hostent *GetHostByName(cha
 | ||||||
|  static void ssl_sock_cleanup(void); |  static void ssl_sock_cleanup(void); | ||||||
|  #endif |  #endif | ||||||
| @ -108,7 +108,7 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c | |||||||
|  static int do_accept(int acc_sock, int *sock, char **host); |  static int do_accept(int acc_sock, int *sock, char **host); | ||||||
|  static int host_ip(char *str, unsigned char ip[4]); |  static int host_ip(char *str, unsigned char ip[4]); | ||||||
|   |   | ||||||
| @@ -234,58 +232,70 @@ static int ssl_sock_init(void)
 | @@ -234,57 +232,70 @@ static int ssl_sock_init(void)
 | ||||||
|  	return(1); |  	return(1); | ||||||
|  	} |  	} | ||||||
|   |   | ||||||
| @ -117,11 +117,10 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c | |||||||
|  	{ |  	{ | ||||||
| -	unsigned char ip[4];
 | -	unsigned char ip[4];
 | ||||||
| -
 | -
 | ||||||
|  | -	memset(ip, '\0', sizeof ip);
 | ||||||
| -	if (!host_ip(host,&(ip[0])))
 | -	if (!host_ip(host,&(ip[0])))
 | ||||||
| -		{
 | -		return 0;
 | ||||||
| -		return(0);
 | -	return init_client_ip(sock,ip,port,type);
 | ||||||
| -		}
 |  | ||||||
| -	return(init_client_ip(sock,ip,port,type));
 |  | ||||||
| -	}
 | -	}
 | ||||||
| -
 | -
 | ||||||
| -static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
 | -static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
 | ||||||
| @ -217,7 +216,7 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c | |||||||
|  	{ |  	{ | ||||||
|  	int sock; |  	int sock; | ||||||
|  	char *name = NULL; |  	char *name = NULL; | ||||||
| @@ -323,33 +333,38 @@ int do_server(int port, int type, int *r
 | @@ -322,33 +333,50 @@ int do_server(int port, int type, int *r
 | ||||||
|  		} |  		} | ||||||
|  	} |  	} | ||||||
|   |   | ||||||
| @ -227,10 +226,9 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c | |||||||
| -	int ret=0;
 | -	int ret=0;
 | ||||||
| -	struct sockaddr_in server;
 | -	struct sockaddr_in server;
 | ||||||
| -	int s= -1;
 | -	int s= -1;
 | ||||||
| +	struct addrinfo *res, *res0, hints;
 | +	struct addrinfo *res, *res0 = NULL, hints;
 | ||||||
| +	char * failed_call = NULL;
 | +	char * failed_call = NULL;
 | ||||||
| +	char port_name[8];
 | +	int s = INVALID_SOCKET;
 | ||||||
| +	int s;
 |  | ||||||
| +	int e;
 | +	int e;
 | ||||||
|   |   | ||||||
|  	if (!ssl_sock_init()) return(0); |  	if (!ssl_sock_init()) return(0); | ||||||
| @ -248,8 +246,10 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c | |||||||
| -		memcpy(&server.sin_addr,ip,4);
 | -		memcpy(&server.sin_addr,ip,4);
 | ||||||
| -#endif
 | -#endif
 | ||||||
| +	memset(&hints, '\0', sizeof(hints));
 | +	memset(&hints, '\0', sizeof(hints));
 | ||||||
|  | +	hints.ai_family = AF_INET6;
 | ||||||
|  | +tryipv4:
 | ||||||
| +	hints.ai_socktype = type;
 | +	hints.ai_socktype = type;
 | ||||||
| +	hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
 | +	hints.ai_flags = AI_PASSIVE;
 | ||||||
|  	 |  	 | ||||||
| -		if (type == SOCK_STREAM)
 | -		if (type == SOCK_STREAM)
 | ||||||
| -			s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
 | -			s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
 | ||||||
| @ -258,10 +258,15 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c | |||||||
| +	e = getaddrinfo(NULL, port, &hints, &res);
 | +	e = getaddrinfo(NULL, port, &hints, &res);
 | ||||||
| +	if (e)
 | +	if (e)
 | ||||||
| +		{
 | +		{
 | ||||||
| +		fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
 | +		if (hints.ai_family == AF_INET)
 | ||||||
| +		if (e == EAI_SYSTEM)
 | +			{
 | ||||||
| +			perror("getaddrinfo");
 | +			fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
 | ||||||
| +		return (0);
 | +			if (e == EAI_SYSTEM)
 | ||||||
|  | +				perror("getaddrinfo");
 | ||||||
|  | +			return (0);
 | ||||||
|  | +			}
 | ||||||
|  | +			else
 | ||||||
|  | +				res = NULL;
 | ||||||
| +		}
 | +		}
 | ||||||
|   |   | ||||||
| -	if (s == INVALID_SOCKET) goto err;
 | -	if (s == INVALID_SOCKET) goto err;
 | ||||||
| @ -273,11 +278,17 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c | |||||||
| +			{
 | +			{
 | ||||||
| +			failed_call = "socket";
 | +			failed_call = "socket";
 | ||||||
| +			goto nextres;
 | +			goto nextres;
 | ||||||
|  | +			}
 | ||||||
|  | +		if (hints.ai_family == AF_INET6)
 | ||||||
|  | +			{
 | ||||||
|  | +			int j = 0;
 | ||||||
|  | +			setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
 | ||||||
|  | +				   (void *) &j, sizeof j);
 | ||||||
| +			}
 | +			}
 | ||||||
|  #if defined SOL_SOCKET && defined SO_REUSEADDR |  #if defined SOL_SOCKET && defined SO_REUSEADDR | ||||||
|  		{ |  		{ | ||||||
|  		int j = 1; |  		int j = 1; | ||||||
| @@ -357,35 +372,39 @@ static int init_server_long(int *sock, i
 | @@ -356,35 +384,49 @@ static int init_server_long(int *sock, i
 | ||||||
|  			   (void *) &j, sizeof j); |  			   (void *) &j, sizeof j); | ||||||
|  		} |  		} | ||||||
|  #endif |  #endif | ||||||
| @ -314,12 +325,21 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c | |||||||
| +			close(s);
 | +			close(s);
 | ||||||
| +		res = res->ai_next;
 | +		res = res->ai_next;
 | ||||||
|  	} |  	} | ||||||
| +	freeaddrinfo(res0);
 | +	if (res0)
 | ||||||
|  | +		freeaddrinfo(res0);
 | ||||||
|   |   | ||||||
| -static int init_server(int *sock, int port, int type)
 | -static int init_server(int *sock, int port, int type)
 | ||||||
| -	{
 | +	if (s == INVALID_SOCKET)
 | ||||||
|  |  	{ | ||||||
| -	return(init_server_long(sock, port, NULL, type));
 | -	return(init_server_long(sock, port, NULL, type));
 | ||||||
| +	if (s == INVALID_SOCKET) { perror("socket"); return(0); }
 | +		if (hints.ai_family == AF_INET6)
 | ||||||
|  | +		{
 | ||||||
|  | +			hints.ai_family = AF_INET;
 | ||||||
|  | +			goto tryipv4;
 | ||||||
|  | +		}
 | ||||||
|  | +		perror("socket");
 | ||||||
|  | +		return(0);
 | ||||||
|  | +	}
 | ||||||
| +
 | +
 | ||||||
| +	perror(failed_call);
 | +	perror(failed_call);
 | ||||||
| +	return(0);
 | +	return(0);
 | ||||||
| @ -335,7 +355,7 @@ diff -up openssl-1.0.0b/apps/s_socket.c.ipv6-apps openssl-1.0.0b/apps/s_socket.c | |||||||
|  	int len; |  	int len; | ||||||
|  /*	struct linger ling; */ |  /*	struct linger ling; */ | ||||||
|   |   | ||||||
| @@ -432,135 +451,58 @@ redoit:
 | @@ -431,135 +473,58 @@ redoit:
 | ||||||
|  */ |  */ | ||||||
|   |   | ||||||
|  	if (host == NULL) goto end; |  	if (host == NULL) goto end; | ||||||
							
								
								
									
										16
									
								
								openssl-1.0.1c-perlfind.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										16
									
								
								openssl-1.0.1c-perlfind.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,16 @@ | |||||||
|  | diff -up openssl-1.0.1c/util/perlpath.pl.perlfind openssl-1.0.1c/util/perlpath.pl
 | ||||||
|  | --- openssl-1.0.1c/util/perlpath.pl.perlfind	2012-07-11 22:57:33.000000000 +0200
 | ||||||
|  | +++ openssl-1.0.1c/util/perlpath.pl	2012-07-12 00:31:12.102156275 +0200
 | ||||||
|  | @@ -4,10 +4,10 @@
 | ||||||
|  |  # line in all scripts that rely on perl. | ||||||
|  |  # | ||||||
|  |   | ||||||
|  | -require "find.pl";
 | ||||||
|  | +use File::Find;
 | ||||||
|  |   | ||||||
|  |  $#ARGV == 0 || print STDERR "usage: perlpath newpath  (eg /usr/bin)\n"; | ||||||
|  | -&find(".");
 | ||||||
|  | +find(\&wanted, ".");
 | ||||||
|  |   | ||||||
|  |  sub wanted | ||||||
|  |  	{ | ||||||
							
								
								
									
										244
									
								
								openssl-1.0.1c-secure-getenv.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										244
									
								
								openssl-1.0.1c-secure-getenv.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,244 @@ | |||||||
|  | diff -up openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_api.c
 | ||||||
|  | --- openssl-1.0.1c/crypto/conf/conf_api.c.secure-getenv	2011-09-02 13:20:32.000000000 +0200
 | ||||||
|  | +++ openssl-1.0.1c/crypto/conf/conf_api.c	2012-09-10 20:20:24.803968961 +0200
 | ||||||
|  | @@ -63,6 +63,8 @@
 | ||||||
|  |  # define NDEBUG | ||||||
|  |  #endif | ||||||
|  |   | ||||||
|  | +/* for secure_getenv */
 | ||||||
|  | +#define _GNU_SOURCE
 | ||||||
|  |  #include <assert.h> | ||||||
|  |  #include <stdlib.h> | ||||||
|  |  #include <string.h> | ||||||
|  | @@ -142,7 +144,7 @@ char *_CONF_get_string(const CONF *conf,
 | ||||||
|  |  			if (v != NULL) return(v->value); | ||||||
|  |  			if (strcmp(section,"ENV") == 0) | ||||||
|  |  				{ | ||||||
|  | -				p=getenv(name);
 | ||||||
|  | +				p=secure_getenv(name);
 | ||||||
|  |  				if (p != NULL) return(p); | ||||||
|  |  				} | ||||||
|  |  			} | ||||||
|  | @@ -155,7 +157,7 @@ char *_CONF_get_string(const CONF *conf,
 | ||||||
|  |  			return(NULL); | ||||||
|  |  		} | ||||||
|  |  	else | ||||||
|  | -		return(getenv(name));
 | ||||||
|  | +		return (secure_getenv(name));
 | ||||||
|  |  	} | ||||||
|  |   | ||||||
|  |  #if 0 /* There's no way to provide error checking with this function, so | ||||||
|  | diff -up openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.1c/crypto/conf/conf_mod.c
 | ||||||
|  | --- openssl-1.0.1c/crypto/conf/conf_mod.c.secure-getenv	2008-11-05 19:38:55.000000000 +0100
 | ||||||
|  | +++ openssl-1.0.1c/crypto/conf/conf_mod.c	2012-09-10 20:22:46.228970661 +0200
 | ||||||
|  | @@ -56,6 +56,8 @@
 | ||||||
|  |   * | ||||||
|  |   */ | ||||||
|  |   | ||||||
|  | +/* for secure_getenv */
 | ||||||
|  | +#define _GNU_SOURCE
 | ||||||
|  |  #include <stdio.h> | ||||||
|  |  #include <ctype.h> | ||||||
|  |  #include <openssl/crypto.h> | ||||||
|  | @@ -548,8 +550,8 @@ char *CONF_get1_default_config_file(void
 | ||||||
|  |  	char *file; | ||||||
|  |  	int len; | ||||||
|  |   | ||||||
|  | -	file = getenv("OPENSSL_CONF");
 | ||||||
|  | -	if (file) 
 | ||||||
|  | +	file = secure_getenv("OPENSSL_CONF");
 | ||||||
|  | +	if (file)
 | ||||||
|  |  		return BUF_strdup(file); | ||||||
|  |   | ||||||
|  |  	len = strlen(X509_get_default_cert_area()); | ||||||
|  | diff -up openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv openssl-1.0.1c/crypto/engine/eng_list.c
 | ||||||
|  | --- openssl-1.0.1c/crypto/engine/eng_list.c.secure-getenv	2010-03-27 19:28:13.000000000 +0100
 | ||||||
|  | +++ openssl-1.0.1c/crypto/engine/eng_list.c	2012-09-10 20:20:46.106452027 +0200
 | ||||||
|  | @@ -61,6 +61,8 @@
 | ||||||
|  |   * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. | ||||||
|  |   */ | ||||||
|  |   | ||||||
|  | +/* for secure_getenv */
 | ||||||
|  | +#define _GNU_SOURCE
 | ||||||
|  |  #include "eng_int.h" | ||||||
|  |   | ||||||
|  |  /* The linked-list of pointers to engine types. engine_list_head | ||||||
|  | @@ -399,9 +401,9 @@ ENGINE *ENGINE_by_id(const char *id)
 | ||||||
|  |  	if (strcmp(id, "dynamic")) | ||||||
|  |  		{ | ||||||
|  |  #ifdef OPENSSL_SYS_VMS | ||||||
|  | -		if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]";
 | ||||||
|  | +		if(OPENSSL_issetugid() || (load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]";
 | ||||||
|  |  #else | ||||||
|  | -		if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR;
 | ||||||
|  | +		if((load_dir = secure_getenv("OPENSSL_ENGINES")) == 0) load_dir = ENGINESDIR;
 | ||||||
|  |  #endif | ||||||
|  |  		iterator = ENGINE_by_id("dynamic"); | ||||||
|  |  		if(!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) || | ||||||
|  | diff -up openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.1c/crypto/md5/md5_dgst.c
 | ||||||
|  | --- openssl-1.0.1c/crypto/md5/md5_dgst.c.secure-getenv	2012-09-10 20:10:26.079391932 +0200
 | ||||||
|  | +++ openssl-1.0.1c/crypto/md5/md5_dgst.c	2012-09-10 20:20:31.383118153 +0200
 | ||||||
|  | @@ -56,6 +56,8 @@
 | ||||||
|  |   * [including the GNU Public Licence.] | ||||||
|  |   */ | ||||||
|  |   | ||||||
|  | +/* for secure_getenv */
 | ||||||
|  | +#define _GNU_SOURCE
 | ||||||
|  |  #include <stdio.h> | ||||||
|  |  #include "md5_locl.h" | ||||||
|  |  #include <openssl/opensslv.h> | ||||||
|  | @@ -74,7 +76,7 @@ const char MD5_version[]="MD5" OPENSSL_V
 | ||||||
|  |  int MD5_Init(MD5_CTX *c) | ||||||
|  |  #ifdef OPENSSL_FIPS | ||||||
|  |  	{ | ||||||
|  | -	if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
 | ||||||
|  | +	if (FIPS_mode() && secure_getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
 | ||||||
|  |  		OpenSSLDie(__FILE__, __LINE__, \ | ||||||
|  |                  "Digest MD5 forbidden in FIPS mode!"); | ||||||
|  |  	return private_MD5_Init(c); | ||||||
|  | diff -up openssl-1.0.1c/crypto/o_init.c.secure-getenv openssl-1.0.1c/crypto/o_init.c
 | ||||||
|  | --- openssl-1.0.1c/crypto/o_init.c.secure-getenv	2012-09-10 20:10:26.066391638 +0200
 | ||||||
|  | +++ openssl-1.0.1c/crypto/o_init.c	2012-09-10 20:23:27.634908822 +0200
 | ||||||
|  | @@ -52,6 +52,8 @@
 | ||||||
|  |   * | ||||||
|  |   */ | ||||||
|  |   | ||||||
|  | +/* for secure_getenv */
 | ||||||
|  | +#define _GNU_SOURCE
 | ||||||
|  |  #include <e_os.h> | ||||||
|  |  #include <openssl/err.h> | ||||||
|  |  #ifdef OPENSSL_FIPS | ||||||
|  | @@ -71,7 +73,7 @@ static void init_fips_mode(void)
 | ||||||
|  |  	char buf[2] = "0"; | ||||||
|  |  	int fd; | ||||||
|  |  	 | ||||||
|  | -	if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
 | ||||||
|  | +	if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
 | ||||||
|  |  		{ | ||||||
|  |  		buf[0] = '1'; | ||||||
|  |  		} | ||||||
|  | diff -up openssl-1.0.1c/crypto/rand/randfile.c.secure-getenv openssl-1.0.1c/crypto/rand/randfile.c
 | ||||||
|  | --- openssl-1.0.1c/crypto/rand/randfile.c.secure-getenv	2012-01-15 14:40:21.000000000 +0100
 | ||||||
|  | +++ openssl-1.0.1c/crypto/rand/randfile.c	2012-09-10 20:20:40.708329617 +0200
 | ||||||
|  | @@ -58,6 +58,8 @@
 | ||||||
|  |   | ||||||
|  |  /* We need to define this to get macros like S_IFBLK and S_IFCHR */ | ||||||
|  |  #define _XOPEN_SOURCE 500 | ||||||
|  | +/* for secure_getenv */
 | ||||||
|  | +#define _GNU_SOURCE
 | ||||||
|  |   | ||||||
|  |  #include <errno.h> | ||||||
|  |  #include <stdio.h> | ||||||
|  | @@ -275,8 +277,7 @@ const char *RAND_file_name(char *buf, si
 | ||||||
|  |  	struct stat sb; | ||||||
|  |  #endif | ||||||
|  |   | ||||||
|  | -	if (OPENSSL_issetugid() == 0)
 | ||||||
|  | -		s=getenv("RANDFILE");
 | ||||||
|  | +	s=secure_getenv("RANDFILE");
 | ||||||
|  |  	if (s != NULL && *s && strlen(s) + 1 < size) | ||||||
|  |  		{ | ||||||
|  |  		if (BUF_strlcpy(buf,s,size) >= size) | ||||||
|  | @@ -284,8 +285,7 @@ const char *RAND_file_name(char *buf, si
 | ||||||
|  |  		} | ||||||
|  |  	else | ||||||
|  |  		{ | ||||||
|  | -		if (OPENSSL_issetugid() == 0)
 | ||||||
|  | -			s=getenv("HOME");
 | ||||||
|  | +		s=secure_getenv("HOME");
 | ||||||
|  |  #ifdef DEFAULT_HOME | ||||||
|  |  		if (s == NULL) | ||||||
|  |  			{ | ||||||
|  | diff -up openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv openssl-1.0.1c/crypto/x509/by_dir.c
 | ||||||
|  | --- openssl-1.0.1c/crypto/x509/by_dir.c.secure-getenv	2010-02-19 19:26:23.000000000 +0100
 | ||||||
|  | +++ openssl-1.0.1c/crypto/x509/by_dir.c	2012-09-10 20:21:16.641144451 +0200
 | ||||||
|  | @@ -56,6 +56,8 @@
 | ||||||
|  |   * [including the GNU Public Licence.] | ||||||
|  |   */ | ||||||
|  |   | ||||||
|  | +/* for secure_getenv */
 | ||||||
|  | +#define _GNU_SOURCE
 | ||||||
|  |  #include <stdio.h> | ||||||
|  |  #include <time.h> | ||||||
|  |  #include <errno.h> | ||||||
|  | @@ -135,7 +137,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
 | ||||||
|  |  	case X509_L_ADD_DIR: | ||||||
|  |  		if (argl == X509_FILETYPE_DEFAULT) | ||||||
|  |  			{ | ||||||
|  | -			dir=(char *)getenv(X509_get_default_cert_dir_env());
 | ||||||
|  | +			dir=(char *)secure_getenv(X509_get_default_cert_dir_env());
 | ||||||
|  |  			if (dir) | ||||||
|  |  				ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM); | ||||||
|  |  			else | ||||||
|  | diff -up openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv openssl-1.0.1c/crypto/x509/by_file.c
 | ||||||
|  | --- openssl-1.0.1c/crypto/x509/by_file.c.secure-getenv	2012-09-10 20:10:26.016390503 +0200
 | ||||||
|  | +++ openssl-1.0.1c/crypto/x509/by_file.c	2012-09-10 20:21:07.748942806 +0200
 | ||||||
|  | @@ -56,6 +56,8 @@
 | ||||||
|  |   * [including the GNU Public Licence.] | ||||||
|  |   */ | ||||||
|  |   | ||||||
|  | +/* for secure_getenv */
 | ||||||
|  | +#define _GNU_SOURCE
 | ||||||
|  |  #include <stdio.h> | ||||||
|  |  #include <time.h> | ||||||
|  |  #include <errno.h> | ||||||
|  | @@ -100,7 +102,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx
 | ||||||
|  |  	case X509_L_FILE_LOAD: | ||||||
|  |  		if (argl == X509_FILETYPE_DEFAULT) | ||||||
|  |  			{ | ||||||
|  | -			file = (char *)getenv(X509_get_default_cert_file_env());
 | ||||||
|  | +			file = (char *)secure_getenv(X509_get_default_cert_file_env());
 | ||||||
|  |  			if (file) | ||||||
|  |  				ok = (X509_load_cert_crl_file(ctx,file, | ||||||
|  |  					      X509_FILETYPE_PEM) != 0); | ||||||
|  | diff -up openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.1c/crypto/x509/x509_vfy.c
 | ||||||
|  | --- openssl-1.0.1c/crypto/x509/x509_vfy.c.secure-getenv	2011-09-23 15:39:35.000000000 +0200
 | ||||||
|  | +++ openssl-1.0.1c/crypto/x509/x509_vfy.c	2012-09-10 20:20:55.951675283 +0200
 | ||||||
|  | @@ -56,6 +56,8 @@
 | ||||||
|  |   * [including the GNU Public Licence.] | ||||||
|  |   */ | ||||||
|  |   | ||||||
|  | +/* for secure_getenv */
 | ||||||
|  | +#define _GNU_SOURCE
 | ||||||
|  |  #include <stdio.h> | ||||||
|  |  #include <time.h> | ||||||
|  |  #include <errno.h> | ||||||
|  | @@ -481,7 +483,7 @@ static int check_chain_extensions(X509_S
 | ||||||
|  |  			!!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); | ||||||
|  |  		/* A hack to keep people who don't want to modify their | ||||||
|  |  		   software happy */ | ||||||
|  | -		if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
 | ||||||
|  | +		if (secure_getenv("OPENSSL_ALLOW_PROXY_CERTS"))
 | ||||||
|  |  			allow_proxy_certs = 1; | ||||||
|  |  		purpose = ctx->param->purpose; | ||||||
|  |  		} | ||||||
|  | diff -up openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.1c/engines/ccgost/gost_ctl.c
 | ||||||
|  | --- openssl-1.0.1c/engines/ccgost/gost_ctl.c.secure-getenv	2008-03-16 22:05:44.000000000 +0100
 | ||||||
|  | +++ openssl-1.0.1c/engines/ccgost/gost_ctl.c	2012-09-10 20:21:26.759373897 +0200
 | ||||||
|  | @@ -6,6 +6,8 @@
 | ||||||
|  |   *        Implementation of control commands for GOST engine          * | ||||||
|  |   *            OpenSSL 0.9.9 libraries required                        * | ||||||
|  |   **********************************************************************/             | ||||||
|  | +/* for secure_getenv */
 | ||||||
|  | +#define _GNU_SOURCE
 | ||||||
|  |  #include <stdlib.h> | ||||||
|  |  #include <string.h> | ||||||
|  |  #include <openssl/crypto.h> | ||||||
|  | @@ -65,7 +67,7 @@ const char *get_gost_engine_param(int pa
 | ||||||
|  |  		{ | ||||||
|  |  		return gost_params[param]; | ||||||
|  |  		} | ||||||
|  | -	tmp = getenv(gost_envnames[param]);
 | ||||||
|  | +	tmp = secure_getenv(gost_envnames[param]);
 | ||||||
|  |  	if (tmp)  | ||||||
|  |  		{ | ||||||
|  |  		if (gost_params[param]) OPENSSL_free(gost_params[param]); | ||||||
|  | @@ -79,7 +81,7 @@ int gost_set_default_param(int param, co
 | ||||||
|  |  	{ | ||||||
|  |  	const char *tmp; | ||||||
|  |  	if (param <0 || param >GOST_PARAM_MAX) return 0; | ||||||
|  | -	tmp = getenv(gost_envnames[param]);
 | ||||||
|  | +	tmp = secure_getenv(gost_envnames[param]);
 | ||||||
|  |  	/* if there is value in the environment, use it, else -passed string * */ | ||||||
|  |  	if (!tmp) tmp=value; | ||||||
|  |  	if (gost_params[param]) OPENSSL_free(gost_params[param]); | ||||||
		Loading…
	
		Reference in New Issue
	
	Block a user