rpms/mingw-openssl
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Synced with native openssl-1.0.2f-2

Browse Source
This commit is contained in:
Erik van Pienbroek 2016-02-06 20:46:00 +01:00
parent 50a50ed7f6
commit 9d21f19320
15 changed files with 742 additions and 731 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -6,3 +6,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-1.0.1i-hobbled.tar.xz /openssl-1.0.1i-hobbled.tar.xz
/openssl-1.0.1j-hobbled.tar.xz /openssl-1.0.1j-hobbled.tar.xz
/openssl-1.0.2a-hobbled.tar.xz /openssl-1.0.2a-hobbled.tar.xz
/openssl-1.0.2f-hobbled.tar.xz

51
mingw-openssl.spec
View File

@ -23,8 +23,8 @@
%global thread_test_threads %{?threads:%{threads}}%{!?threads:1} %global thread_test_threads %{?threads:%{threads}}%{!?threads:1}
Name: mingw-openssl Name: mingw-openssl
Version: 1.0.2a Version: 1.0.2f
Release: 3%{?dist} Release: 1%{?dist}
Summary: MinGW port of the OpenSSL toolkit Summary: MinGW port of the OpenSSL toolkit
License: OpenSSL License: OpenSSL
@ -48,7 +48,7 @@ Source12: ec_curve.c
Source13: ectest.c Source13: ectest.c
# Build changes # Build changes
Patch1: openssl-1.0.2a-rpmbuild.patch Patch1: openssl-1.0.2e-rpmbuild.patch
Patch2: openssl-1.0.2a-defaults.patch Patch2: openssl-1.0.2a-defaults.patch
Patch4: openssl-1.0.2a-enginesdir.patch Patch4: openssl-1.0.2a-enginesdir.patch
Patch5: openssl-1.0.2a-no-rpath.patch Patch5: openssl-1.0.2a-no-rpath.patch
@ -57,14 +57,14 @@ Patch7: openssl-1.0.0-timezone.patch
Patch8: openssl-1.0.1c-perlfind.patch Patch8: openssl-1.0.1c-perlfind.patch
Patch9: openssl-1.0.1c-aliasing.patch Patch9: openssl-1.0.1c-aliasing.patch
# Bug fixes # Bug fixes
Patch23: openssl-1.0.2a-default-paths.patch Patch23: openssl-1.0.2c-default-paths.patch
Patch24: openssl-1.0.2a-issuer-hash.patch Patch24: openssl-1.0.2a-issuer-hash.patch
# Functionality changes # Functionality changes
Patch33: openssl-1.0.0-beta4-ca-dir.patch Patch33: openssl-1.0.0-beta4-ca-dir.patch
Patch34: openssl-1.0.2a-x509.patch Patch34: openssl-1.0.2a-x509.patch
Patch35: openssl-1.0.2a-version-add-engines.patch Patch35: openssl-1.0.2a-version-add-engines.patch
Patch39: openssl-1.0.2a-ipv6-apps.patch Patch39: openssl-1.0.2a-ipv6-apps.patch
Patch40: openssl-1.0.2a-fips.patch Patch40: openssl-1.0.2e-fips.patch
Patch45: openssl-1.0.2a-env-zlib.patch Patch45: openssl-1.0.2a-env-zlib.patch
Patch47: openssl-1.0.2a-readme-warning.patch Patch47: openssl-1.0.2a-readme-warning.patch
Patch49: openssl-1.0.1i-algo-doc.patch Patch49: openssl-1.0.1i-algo-doc.patch
@ -77,23 +77,25 @@ Patch63: openssl-1.0.2a-xmpp-starttls.patch
Patch65: openssl-1.0.2a-chil-fixes.patch Patch65: openssl-1.0.2a-chil-fixes.patch
Patch66: openssl-1.0.2a-pkgconfig-krb5.patch Patch66: openssl-1.0.2a-pkgconfig-krb5.patch
Patch68: openssl-1.0.2a-secure-getenv.patch Patch68: openssl-1.0.2a-secure-getenv.patch
Patch69: openssl-1.0.2a-dh-1024.patch
Patch70: openssl-1.0.2a-fips-ec.patch Patch70: openssl-1.0.2a-fips-ec.patch
Patch71: openssl-1.0.2a-manfix.patch Patch71: openssl-1.0.2d-manfix.patch
Patch72: openssl-1.0.2a-fips-ctor.patch Patch72: openssl-1.0.2a-fips-ctor.patch
Patch73: openssl-1.0.2a-ecc-suiteb.patch Patch73: openssl-1.0.2c-ecc-suiteb.patch
Patch74: openssl-1.0.2a-no-md5-verify.patch Patch74: openssl-1.0.2a-no-md5-verify.patch
Patch75: openssl-1.0.2a-compat-symbols.patch Patch75: openssl-1.0.2a-compat-symbols.patch
Patch76: openssl-1.0.2a-new-fips-reqs.patch Patch76: openssl-1.0.2f-new-fips-reqs.patch
Patch77: openssl-1.0.2a-weak-ciphers.patch Patch77: openssl-1.0.2a-weak-ciphers.patch
Patch78: openssl-1.0.2a-cc-reqs.patch
Patch90: openssl-1.0.2a-enc-fail.patch Patch90: openssl-1.0.2a-enc-fail.patch
Patch92: openssl-1.0.2a-system-cipherlist.patch Patch92: openssl-1.0.2a-system-cipherlist.patch
Patch93: openssl-1.0.2a-disable-sslv2v3.patch Patch93: openssl-1.0.2a-disable-sslv2v3.patch
Patch94: openssl-1.0.2d-secp256k1.patch
Patch95: openssl-1.0.2e-remove-nistp224.patch
Patch96: openssl-1.0.2e-speed-doc.patch
# Backported fixes including security fixes # Backported fixes including security fixes
Patch80: openssl-1.0.2a-wrap-pad.patch Patch80: openssl-1.0.2e-wrap-pad.patch
Patch81: openssl-1.0.2a-padlock64.patch Patch81: openssl-1.0.2a-padlock64.patch
Patch84: openssl-1.0.2a-trusted-first-doc.patch Patch82: openssl-1.0.2c-trusted-first-doc.patch
Patch87: openssl-1.0.2a-cc-reqs.patch
# MinGW-specific patches. # MinGW-specific patches.
# Rename *eay32.dll to lib*.dll # Rename *eay32.dll to lib*.dll
@ -129,7 +131,9 @@ BuildRequires: mktemp
BuildRequires: perl BuildRequires: perl
BuildRequires: sed BuildRequires: sed
BuildRequires: /usr/bin/cmp BuildRequires: /usr/bin/cmp
BuildRequires: lksctp-tools-devel
BuildRequires: /usr/bin/rename BuildRequires: /usr/bin/rename
BuildRequires: /usr/bin/pod2man
# XXX Not really sure about this one. The build script uses # XXX Not really sure about this one. The build script uses
# /usr/bin/makedepend which comes from imake. # /usr/bin/makedepend which comes from imake.
@ -239,7 +243,6 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch65 -p1 -b .chil %patch65 -p1 -b .chil
%patch66 -p1 -b .krb5 %patch66 -p1 -b .krb5
#patch68 -p1 -b .secure-getenv #patch68 -p1 -b .secure-getenv
%patch69 -p1 -b .dh1024
#patch70 -p1 -b .fips-ec #patch70 -p1 -b .fips-ec
%patch71 -p1 -b .manfix %patch71 -p1 -b .manfix
#patch72 -p1 -b .fips-ctor #patch72 -p1 -b .fips-ctor
@ -248,14 +251,17 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch75 -p1 -b .compat %patch75 -p1 -b .compat
#patch76 -p1 -b .fips-reqs #patch76 -p1 -b .fips-reqs
%patch77 -p1 -b .weak-ciphers %patch77 -p1 -b .weak-ciphers
%patch78 -p1 -b .cc-reqs
%patch90 -p1 -b .enc-fail %patch90 -p1 -b .enc-fail
%patch92 -p1 -b .system %patch92 -p1 -b .system
%patch93 -p1 -b .v2v3 %patch93 -p1 -b .v2v3
%patch94 -p1 -b .secp256k1
%patch95 -p1 -b .nistp224
%patch96 -p1 -b .speed-doc
%patch80 -p1 -b .wrap %patch80 -p1 -b .wrap
%patch81 -p1 -b .padlock64 %patch81 -p1 -b .padlock64
%patch84 -p1 -b .trusted-first %patch82 -p1 -b .trusted-first
%patch87 -p1 -b .cc-reqs
# MinGW specific patches # MinGW specific patches
%patch101 -p1 -b .mingw-libversion %patch101 -p1 -b .mingw-libversion
@ -298,7 +304,8 @@ PERL=%{__perl} \
--prefix=%{mingw32_prefix} \ --prefix=%{mingw32_prefix} \
--openssldir=%{mingw32_sysconfdir}/pki/tls \ --openssldir=%{mingw32_sysconfdir}/pki/tls \
zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \ zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
enable-cms enable-md2 no-mdc2 no-rc5 no-ec2m no-gost no-srp \ enable-cms enable-md2 \
no-mdc2 no-rc5 no-ec2m no-gost no-srp \
no-fips no-hw \ no-fips no-hw \
--cross-compile-prefix=%{mingw32_target}- \ --cross-compile-prefix=%{mingw32_target}- \
--enginesdir=%{mingw32_libdir}/openssl/engines \ --enginesdir=%{mingw32_libdir}/openssl/engines \
@ -325,7 +332,8 @@ PERL=%{__perl} \
--prefix=%{mingw64_prefix} \ --prefix=%{mingw64_prefix} \
--openssldir=%{mingw64_sysconfdir}/pki/tls \ --openssldir=%{mingw64_sysconfdir}/pki/tls \
zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \ zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
enable-cms enable-md2 no-mdc2 no-rc5 no-ec2m no-gost no-srp \ enable-cms enable-md2 \
no-mdc2 no-rc5 no-ec2m no-gost no-srp \
no-fips no-hw \ no-fips no-hw \
--cross-compile-prefix=%{mingw64_target}- \ --cross-compile-prefix=%{mingw64_target}- \
--enginesdir=%{mingw64_libdir}/openssl/engines \ --enginesdir=%{mingw64_libdir}/openssl/engines \
@ -342,6 +350,11 @@ make rehash build-shared
popd popd
# Clean up the .pc files
for i in build_win{32,64}/libcrypto.pc build_win{32,64}/libssl.pc build_win{32,64}/openssl.pc ; do
sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
done
%if %{run_tests} %if %{run_tests}
%check %check
@ -501,6 +514,10 @@ mkdir -m700 $RPM_BUILD_ROOT%{mingw64_sysconfdir}/pki/CA/private
%changelog %changelog
* Sat Feb 6 2016 Erik van Pienbroek <epienbro@fedoraproject.org> - 1.0.2f-1
- Synced with native openssl-1.0.2f-2
- Fixes RHBZ #1239685 #1290334 #1302768
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2a-3 * Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2a-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

75
openssl-1.0.2a-dh-1024.patch
View File

@ -1,75 +0,0 @@
diff -up openssl-1.0.2a/apps/s_server.c.dh1024 openssl-1.0.2a/apps/s_server.c
--- openssl-1.0.2a/apps/s_server.c.dh1024 2015-04-09 18:19:55.978228949 +0200
+++ openssl-1.0.2a/apps/s_server.c 2015-04-09 18:19:50.842110304 +0200
@@ -230,29 +230,44 @@ static void s_server_init(void);
#endif
#ifndef OPENSSL_NO_DH
-static unsigned char dh512_p[] = {
- 0xDA, 0x58, 0x3C, 0x16, 0xD9, 0x85, 0x22, 0x89, 0xD0, 0xE4, 0xAF, 0x75,
- 0x6F, 0x4C, 0xCA, 0x92, 0xDD, 0x4B, 0xE5, 0x33, 0xB8, 0x04, 0xFB, 0x0F,
- 0xED, 0x94, 0xEF, 0x9C, 0x8A, 0x44, 0x03, 0xED, 0x57, 0x46, 0x50, 0xD3,
- 0x69, 0x99, 0xDB, 0x29, 0xD7, 0x76, 0x27, 0x6B, 0xA2, 0xD3, 0xD4, 0x12,
- 0xE2, 0x18, 0xF4, 0xDD, 0x1E, 0x08, 0x4C, 0xF6, 0xD8, 0x00, 0x3E, 0x7C,
- 0x47, 0x74, 0xE8, 0x33,
-};
-
-static unsigned char dh512_g[] = {
- 0x02,
-};
-
-static DH *get_dh512(void)
+static DH *get_dh1024()
{
- DH *dh = NULL;
+ static unsigned char dh1024_p[] = {
+ 0x99, 0x58, 0xFA, 0x90, 0x53, 0x2F, 0xE0, 0x61, 0x83, 0x9D, 0x54,
+ 0x63,
+ 0xBD, 0x35, 0x5A, 0x31, 0xF3, 0xC6, 0x79, 0xE5, 0xA0, 0x0F, 0x66,
+ 0x79,
+ 0x3C, 0xA0, 0x7F, 0xE8, 0xA2, 0x5F, 0xDF, 0x11, 0x08, 0xA3, 0xF0,
+ 0x3C,
+ 0xC3, 0x3C, 0x5D, 0x50, 0x2C, 0xD5, 0xD6, 0x58, 0x12, 0xDB, 0xC1,
+ 0xEF,
+ 0xB4, 0x47, 0x4A, 0x5A, 0x39, 0x8A, 0x4E, 0xEB, 0x44, 0xE2, 0x07,
+ 0xFB,
+ 0x3D, 0xA3, 0xC7, 0x6E, 0x52, 0xF3, 0x2B, 0x7B, 0x10, 0xA5, 0x98,
+ 0xE3,
+ 0x38, 0x2A, 0xE2, 0x7F, 0xA4, 0x8F, 0x26, 0x87, 0x9B, 0x66, 0x7A,
+ 0xED,
+ 0x2D, 0x4C, 0xE7, 0x33, 0x77, 0x47, 0x94, 0x43, 0xB6, 0xAA, 0x97,
+ 0x23,
+ 0x8A, 0xFC, 0xA5, 0xA6, 0x64, 0x09, 0xC0, 0x27, 0xC0, 0xEF, 0xCB,
+ 0x05,
+ 0x90, 0x9D, 0xD5, 0x75, 0xBA, 0x00, 0xE0, 0xFB, 0xA8, 0x81, 0x52,
+ 0xA4,
+ 0xB2, 0x83, 0x22, 0x5B, 0xCB, 0xD7, 0x16, 0x93,
+ };
+ static unsigned char dh1024_g[] = {
+ 0x02,
+ };
+ DH *dh;
if ((dh = DH_new()) == NULL)
return (NULL);
- dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
- dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
- if ((dh->p == NULL) || (dh->g == NULL))
+ dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
+ dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
+ if ((dh->p == NULL) || (dh->g == NULL)) {
+ DH_free(dh);
return (NULL);
+ }
return (dh);
}
#endif
@@ -1872,7 +1987,7 @@ int MAIN(int argc, char *argv[])
BIO_printf(bio_s_out, "Setting temp DH parameters\n");
} else {
BIO_printf(bio_s_out, "Using default temp DH parameters\n");
- dh = get_dh512();
+ dh = get_dh1024();
}
(void)BIO_flush(bio_s_out);

47
openssl-1.0.2a-default-paths.patch → openssl-1.0.2c-default-paths.patch
View File

@ -1,38 +1,7 @@
diff -up openssl-1.0.2a/apps/s_client.c.default-paths openssl-1.0.2a/apps/s_client.c diff -up openssl-1.0.2c/apps/s_server.c.default-paths openssl-1.0.2c/apps/s_server.c
--- openssl-1.0.2a/apps/s_client.c.default-paths 2015-04-20 14:48:31.462166971 +0200 --- openssl-1.0.2c/apps/s_server.c.default-paths 2015-06-12 16:51:21.000000000 +0200
+++ openssl-1.0.2a/apps/s_client.c 2015-04-20 14:52:55.125316170 +0200 +++ openssl-1.0.2c/apps/s_server.c 2015-06-15 17:24:17.747446515 +0200
@@ -1336,19 +1336,16 @@ int MAIN(int argc, char **argv) @@ -1788,12 +1788,16 @@ int MAIN(int argc, char *argv[])
SSL_CTX_set_verify(ctx, verify, verify_callback);
- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(ctx))) {
- /*
- * BIO_printf(bio_err,"error setting default verify locations\n");
- */
- ERR_print_errors(bio_err);
- /* goto end; */
+ if (CAfile == NULL && CApath == NULL) {
+ if (!SSL_CTX_set_default_verify_paths(ctx)) {
+ ERR_print_errors(bio_err);
+ }
+ } else {
+ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
+ ERR_print_errors(bio_err);
+ }
}
- ssl_ctx_add_crls(ctx, crls, crl_download);
- if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain))
- goto end;
-
#ifndef OPENSSL_NO_TLSEXT
if (servername != NULL) {
tlsextcbp.biodebug = bio_err;
diff -up openssl-1.0.2a/apps/s_server.c.default-paths openssl-1.0.2a/apps/s_server.c
--- openssl-1.0.2a/apps/s_server.c.default-paths 2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.2a/apps/s_server.c 2015-04-20 14:48:31.462166971 +0200
@@ -1768,12 +1768,16 @@ int MAIN(int argc, char *argv[])
} }
#endif #endif
@ -54,7 +23,7 @@ diff -up openssl-1.0.2a/apps/s_server.c.default-paths openssl-1.0.2a/apps/s_serv
if (vpm) if (vpm)
SSL_CTX_set1_param(ctx, vpm); SSL_CTX_set1_param(ctx, vpm);
@@ -1830,8 +1834,10 @@ int MAIN(int argc, char *argv[]) @@ -1850,8 +1854,10 @@ int MAIN(int argc, char *argv[])
else else
SSL_CTX_sess_set_cache_size(ctx2, 128); SSL_CTX_sess_set_cache_size(ctx2, 128);
@ -67,9 +36,9 @@ diff -up openssl-1.0.2a/apps/s_server.c.default-paths openssl-1.0.2a/apps/s_serv
ERR_print_errors(bio_err); ERR_print_errors(bio_err);
} }
if (vpm) if (vpm)
diff -up openssl-1.0.2a/apps/s_time.c.default-paths openssl-1.0.2a/apps/s_time.c diff -up openssl-1.0.2c/apps/s_time.c.default-paths openssl-1.0.2c/apps/s_time.c
--- openssl-1.0.2a/apps/s_time.c.default-paths 2015-04-20 14:48:31.462166971 +0200 --- openssl-1.0.2c/apps/s_time.c.default-paths 2015-06-12 16:51:21.000000000 +0200
+++ openssl-1.0.2a/apps/s_time.c 2015-04-20 14:55:14.232542738 +0200 +++ openssl-1.0.2c/apps/s_time.c 2015-06-15 17:24:17.747446515 +0200
@@ -381,13 +381,14 @@ int MAIN(int argc, char **argv) @@ -381,13 +381,14 @@ int MAIN(int argc, char **argv)
SSL_load_error_strings(); SSL_load_error_strings();

66
openssl-1.0.2a-ecc-suiteb.patch → openssl-1.0.2c-ecc-suiteb.patch
View File

@ -1,6 +1,6 @@
diff -up openssl-1.0.2a/apps/speed.c.suiteb openssl-1.0.2a/apps/speed.c diff -up openssl-1.0.2c/apps/speed.c.suiteb openssl-1.0.2c/apps/speed.c
--- openssl-1.0.2a/apps/speed.c.suiteb 2015-04-21 17:46:15.452321183 +0200 --- openssl-1.0.2c/apps/speed.c.suiteb 2015-06-15 17:37:06.285083685 +0200
+++ openssl-1.0.2a/apps/speed.c 2015-04-22 14:52:45.362272296 +0200 +++ openssl-1.0.2c/apps/speed.c 2015-06-15 17:37:06.335084836 +0200
@@ -996,78 +996,26 @@ int MAIN(int argc, char **argv) @@ -996,78 +996,26 @@ int MAIN(int argc, char **argv)
} else } else
# endif # endif
@ -122,52 +122,48 @@ diff -up openssl-1.0.2a/apps/speed.c.suiteb openssl-1.0.2a/apps/speed.c
ecdh_doit[i] = 1; ecdh_doit[i] = 1;
# endif # endif
} }
diff -up openssl-1.0.2a/ssl/t1_lib.c.suiteb openssl-1.0.2a/ssl/t1_lib.c diff -up openssl-1.0.2c/ssl/t1_lib.c.suiteb openssl-1.0.2c/ssl/t1_lib.c
--- openssl-1.0.2a/ssl/t1_lib.c.suiteb 2015-04-21 17:46:15.506322451 +0200 --- openssl-1.0.2c/ssl/t1_lib.c.suiteb 2015-06-12 16:51:27.000000000 +0200
+++ openssl-1.0.2a/ssl/t1_lib.c 2015-04-22 15:03:32.464591096 +0200 +++ openssl-1.0.2c/ssl/t1_lib.c 2015-06-15 17:44:03.578681271 +0200
@@ -266,41 +266,30 @@ static const unsigned char eccurves_defa @@ -268,11 +268,7 @@ static const unsigned char eccurves_auto
0, 13, /* sect571k1 (13) */ 0, 23, /* secp256r1 (23) */
# endif /* Other >= 256-bit prime curves. */
0, 25, /* secp521r1 (25) */ 0, 25, /* secp521r1 (25) */
- 0, 28, /* brainpool512r1 (28) */ - 0, 28, /* brainpool512r1 (28) */
# ifndef OPENSSL_NO_EC2M
0, 11, /* sect409k1 (11) */
0, 12, /* sect409r1 (12) */
# endif
- 0, 27, /* brainpoolP384r1 (27) */ - 0, 27, /* brainpoolP384r1 (27) */
0, 24, /* secp384r1 (24) */ 0, 24, /* secp384r1 (24) */
# ifndef OPENSSL_NO_EC2M
0, 9, /* sect283k1 (9) */
0, 10, /* sect283r1 (10) */
# endif
- 0, 26, /* brainpoolP256r1 (26) */ - 0, 26, /* brainpoolP256r1 (26) */
- 0, 22, /* secp256k1 (22) */ - 0, 22, /* secp256k1 (22) */
0, 23, /* secp256r1 (23) */
# ifndef OPENSSL_NO_EC2M # ifndef OPENSSL_NO_EC2M
0, 8, /* sect239k1 (8) */ /* >= 256-bit binary curves. */
0, 6, /* sect233k1 (6) */ 0, 14, /* sect571r1 (14) */
0, 7, /* sect233r1 (7) */ @@ -289,11 +285,7 @@ static const unsigned char eccurves_all[
# endif 0, 23, /* secp256r1 (23) */
/* Other >= 256-bit prime curves. */
0, 25, /* secp521r1 (25) */
- 0, 28, /* brainpool512r1 (28) */
- 0, 27, /* brainpoolP384r1 (27) */
0, 24, /* secp384r1 (24) */
- 0, 26, /* brainpoolP256r1 (26) */
- 0, 22, /* secp256k1 (22) */
# ifndef OPENSSL_NO_EC2M
/* >= 256-bit binary curves. */
0, 14, /* sect571r1 (14) */
@@ -307,13 +299,6 @@ static const unsigned char eccurves_all[
* Remaining curves disabled by default but still permitted if set
* via an explicit callback or parameters.
*/
- 0, 20, /* secp224k1 (20) */ - 0, 20, /* secp224k1 (20) */
- 0, 21, /* secp224r1 (21) */ - 0, 21, /* secp224r1 (21) */
# ifndef OPENSSL_NO_EC2M
0, 4, /* sect193r1 (4) */
0, 5, /* sect193r2 (5) */
# endif
- 0, 18, /* secp192k1 (18) */ - 0, 18, /* secp192k1 (18) */
- 0, 19, /* secp192r1 (19) */ - 0, 19, /* secp192r1 (19) */
# ifndef OPENSSL_NO_EC2M
0, 1, /* sect163k1 (1) */
0, 2, /* sect163r1 (2) */
0, 3, /* sect163r2 (3) */
# endif
- 0, 15, /* secp160k1 (15) */ - 0, 15, /* secp160k1 (15) */
- 0, 16, /* secp160r1 (16) */ - 0, 16, /* secp160r1 (16) */
- 0, 17, /* secp160r2 (17) */ - 0, 17, /* secp160r2 (17) */
}; # ifndef OPENSSL_NO_EC2M
0, 8, /* sect239k1 (8) */
static const unsigned char suiteb_curves[] = { 0, 6, /* sect233k1 (6) */
@@ -325,29 +314,21 @@ static const unsigned char fips_curves_d @@ -348,29 +333,21 @@ static const unsigned char fips_curves_d
0, 9, /* sect283k1 (9) */ 0, 9, /* sect283k1 (9) */
0, 10, /* sect283r1 (10) */ 0, 10, /* sect283r1 (10) */
# endif # endif

156
openssl-1.0.2a-trusted-first-doc.patch → openssl-1.0.2c-trusted-first-doc.patch
View File

@ -1,66 +1,66 @@
diff -up openssl-1.0.2a/apps/cms.c.trusted-first openssl-1.0.2a/apps/cms.c diff -up openssl-1.0.2c/apps/cms.c.trusted-first openssl-1.0.2c/apps/cms.c
--- openssl-1.0.2a/apps/cms.c.trusted-first 2015-03-19 14:30:36.000000000 +0100 --- openssl-1.0.2c/apps/cms.c.trusted-first 2015-06-15 17:45:13.112279761 +0200
+++ openssl-1.0.2a/apps/cms.c 2015-04-22 16:25:31.839164061 +0200 +++ openssl-1.0.2c/apps/cms.c 2015-06-15 17:46:11.045611575 +0200
@@ -646,6 +646,8 @@ int MAIN(int argc, char **argv) @@ -646,6 +646,8 @@ int MAIN(int argc, char **argv)
"-CApath dir trusted certificates directory\n"); "-CApath dir trusted certificates directory\n");
BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
BIO_printf(bio_err, BIO_printf(bio_err,
+ "-trusted_first use trusted certificates first when building the trust chain\n"); + "-trusted_first use trusted certificates first when building the trust chain\n");
+ BIO_printf(bio_err, + BIO_printf(bio_err,
"-crl_check check revocation status of signer's certificate using CRLs\n"); "-no_alt_chains only ever use the first certificate chain found\n");
BIO_printf(bio_err, BIO_printf(bio_err,
"-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); "-crl_check check revocation status of signer's certificate using CRLs\n");
diff -up openssl-1.0.2a/apps/ocsp.c.trusted-first openssl-1.0.2a/apps/ocsp.c diff -up openssl-1.0.2c/apps/ocsp.c.trusted-first openssl-1.0.2c/apps/ocsp.c
--- openssl-1.0.2a/apps/ocsp.c.trusted-first 2015-03-19 14:30:36.000000000 +0100 --- openssl-1.0.2c/apps/ocsp.c.trusted-first 2015-06-15 17:45:13.112279761 +0200
+++ openssl-1.0.2a/apps/ocsp.c 2015-04-22 16:25:31.840164085 +0200 +++ openssl-1.0.2c/apps/ocsp.c 2015-06-15 17:46:31.898090948 +0200
@@ -536,6 +536,8 @@ int MAIN(int argc, char **argv) @@ -536,6 +536,8 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err, BIO_printf(bio_err,
"-CAfile file trusted certificates file\n"); "-CAfile file trusted certificates file\n");
BIO_printf(bio_err, BIO_printf(bio_err,
+ "-trusted_first use trusted certificates first when building the trust chain\n"); + "-trusted_first use trusted certificates first when building the trust chain\n");
+ BIO_printf(bio_err, + BIO_printf(bio_err,
"-VAfile file validator certificates file\n"); "-no_alt_chains only ever use the first certificate chain found\n");
BIO_printf(bio_err, BIO_printf(bio_err,
"-validity_period n maximum validity discrepancy in seconds\n"); "-VAfile file validator certificates file\n");
diff -up openssl-1.0.2a/apps/s_client.c.trusted-first openssl-1.0.2a/apps/s_client.c diff -up openssl-1.0.2c/apps/s_client.c.trusted-first openssl-1.0.2c/apps/s_client.c
--- openssl-1.0.2a/apps/s_client.c.trusted-first 2015-04-22 16:25:31.799163115 +0200 --- openssl-1.0.2c/apps/s_client.c.trusted-first 2015-06-15 17:45:13.113279784 +0200
+++ openssl-1.0.2a/apps/s_client.c 2015-04-22 16:25:31.840164085 +0200 +++ openssl-1.0.2c/apps/s_client.c 2015-06-15 17:47:05.645866767 +0200
@@ -333,6 +333,8 @@ static void sc_usage(void) @@ -333,6 +333,8 @@ static void sc_usage(void)
BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
BIO_printf(bio_err, BIO_printf(bio_err,
+ " -trusted_first - Use trusted CA's first when building the trust chain\n"); + " -trusted_first - Use trusted CA's first when building the trust chain\n");
+ BIO_printf(bio_err, + BIO_printf(bio_err,
" -reconnect - Drop and re-make the connection with the same Session-ID\n"); " -no_alt_chains - only ever use the first certificate chain found\n");
BIO_printf(bio_err, BIO_printf(bio_err,
" -pause - sleep(1) after each read(2) and write(2) system call\n"); " -reconnect - Drop and re-make the connection with the same Session-ID\n");
diff -up openssl-1.0.2a/apps/smime.c.trusted-first openssl-1.0.2a/apps/smime.c diff -up openssl-1.0.2c/apps/smime.c.trusted-first openssl-1.0.2c/apps/smime.c
--- openssl-1.0.2a/apps/smime.c.trusted-first 2015-03-19 14:30:36.000000000 +0100 --- openssl-1.0.2c/apps/smime.c.trusted-first 2015-06-15 17:45:13.113279784 +0200
+++ openssl-1.0.2a/apps/smime.c 2015-04-22 16:25:31.840164085 +0200 +++ openssl-1.0.2c/apps/smime.c 2015-06-15 17:47:39.090635621 +0200
@@ -442,6 +442,8 @@ int MAIN(int argc, char **argv) @@ -442,6 +442,8 @@ int MAIN(int argc, char **argv)
"-CApath dir trusted certificates directory\n"); "-CApath dir trusted certificates directory\n");
BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
BIO_printf(bio_err, BIO_printf(bio_err,
+ "-trusted_first use trusted certificates first when building the trust chain\n"); + "-trusted_first use trusted certificates first when building the trust chain\n");
+ BIO_printf(bio_err, + BIO_printf(bio_err,
"-crl_check check revocation status of signer's certificate using CRLs\n"); "-no_alt_chains only ever use the first certificate chain found\n");
BIO_printf(bio_err, BIO_printf(bio_err,
"-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); "-crl_check check revocation status of signer's certificate using CRLs\n");
diff -up openssl-1.0.2a/apps/s_server.c.trusted-first openssl-1.0.2a/apps/s_server.c diff -up openssl-1.0.2c/apps/s_server.c.trusted-first openssl-1.0.2c/apps/s_server.c
--- openssl-1.0.2a/apps/s_server.c.trusted-first 2015-04-22 16:25:31.806163281 +0200 --- openssl-1.0.2c/apps/s_server.c.trusted-first 2015-06-15 17:45:13.114279807 +0200
+++ openssl-1.0.2a/apps/s_server.c 2015-04-22 16:25:31.841164108 +0200 +++ openssl-1.0.2c/apps/s_server.c 2015-06-15 17:47:24.841308046 +0200
@@ -569,6 +569,8 @@ static void sv_usage(void) @@ -572,6 +572,8 @@ static void sv_usage(void)
BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
BIO_printf(bio_err, BIO_printf(bio_err,
+ " -trusted_first - Use trusted CA's first when building the trust chain\n"); + " -trusted_first - Use trusted CA's first when building the trust chain\n");
+ BIO_printf(bio_err, + BIO_printf(bio_err,
" -nocert - Don't use any certificates (Anon-DH)\n"); " -no_alt_chains - only ever use the first certificate chain found\n");
BIO_printf(bio_err, BIO_printf(bio_err,
" -cipher arg - play with 'openssl ciphers' to see what goes here\n"); " -nocert - Don't use any certificates (Anon-DH)\n");
diff -up openssl-1.0.2a/apps/s_time.c.trusted-first openssl-1.0.2a/apps/s_time.c diff -up openssl-1.0.2c/apps/s_time.c.trusted-first openssl-1.0.2c/apps/s_time.c
--- openssl-1.0.2a/apps/s_time.c.trusted-first 2015-04-22 16:25:31.755162075 +0200 --- openssl-1.0.2c/apps/s_time.c.trusted-first 2015-06-15 17:45:13.010277416 +0200
+++ openssl-1.0.2a/apps/s_time.c 2015-04-22 16:25:31.841164108 +0200 +++ openssl-1.0.2c/apps/s_time.c 2015-06-15 17:45:13.114279807 +0200
@@ -182,6 +182,7 @@ static void s_time_usage(void) @@ -182,6 +182,7 @@ static void s_time_usage(void)
file if not specified by this option\n\ file if not specified by this option\n\
-CApath arg - PEM format directory of CA's\n\ -CApath arg - PEM format directory of CA's\n\
@ -69,9 +69,9 @@ diff -up openssl-1.0.2a/apps/s_time.c.trusted-first openssl-1.0.2a/apps/s_time.c
-cipher - preferred cipher to use, play with 'openssl ciphers'\n\n"; -cipher - preferred cipher to use, play with 'openssl ciphers'\n\n";
printf("usage: s_time <args>\n\n"); printf("usage: s_time <args>\n\n");
diff -up openssl-1.0.2a/apps/ts.c.trusted-first openssl-1.0.2a/apps/ts.c diff -up openssl-1.0.2c/apps/ts.c.trusted-first openssl-1.0.2c/apps/ts.c
--- openssl-1.0.2a/apps/ts.c.trusted-first 2015-04-22 16:25:31.797163068 +0200 --- openssl-1.0.2c/apps/ts.c.trusted-first 2015-06-15 17:45:13.065278681 +0200
+++ openssl-1.0.2a/apps/ts.c 2015-04-22 16:25:31.841164108 +0200 +++ openssl-1.0.2c/apps/ts.c 2015-06-15 17:45:13.114279807 +0200
@@ -352,7 +352,7 @@ int MAIN(int argc, char **argv) @@ -352,7 +352,7 @@ int MAIN(int argc, char **argv)
"ts -verify [-data file_to_hash] [-digest digest_bytes] " "ts -verify [-data file_to_hash] [-digest digest_bytes] "
"[-queryfile request.tsq] " "[-queryfile request.tsq] "
@ -81,30 +81,30 @@ diff -up openssl-1.0.2a/apps/ts.c.trusted-first openssl-1.0.2a/apps/ts.c
"-untrusted cert_file.pem\n"); "-untrusted cert_file.pem\n");
cleanup: cleanup:
/* Clean up. */ /* Clean up. */
diff -up openssl-1.0.2a/apps/verify.c.trusted-first openssl-1.0.2a/apps/verify.c diff -up openssl-1.0.2c/apps/verify.c.trusted-first openssl-1.0.2c/apps/verify.c
--- openssl-1.0.2a/apps/verify.c.trusted-first 2015-03-19 14:30:36.000000000 +0100 --- openssl-1.0.2c/apps/verify.c.trusted-first 2015-06-15 17:45:13.114279807 +0200
+++ openssl-1.0.2a/apps/verify.c 2015-04-22 16:25:31.841164108 +0200 +++ openssl-1.0.2c/apps/verify.c 2015-06-15 17:48:03.979207778 +0200
@@ -231,7 +231,7 @@ int MAIN(int argc, char **argv) @@ -231,7 +231,7 @@ int MAIN(int argc, char **argv)
end: end:
if (ret == 1) { if (ret == 1) {
BIO_printf(bio_err, BIO_printf(bio_err,
- "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]"); - "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
+ "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]"); + "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
BIO_printf(bio_err, " [-attime timestamp]"); BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]");
#ifndef OPENSSL_NO_ENGINE #ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err, " [-engine e]"); BIO_printf(bio_err, " [-engine e]");
diff -up openssl-1.0.2a/doc/apps/cms.pod.trusted-first openssl-1.0.2a/doc/apps/cms.pod diff -up openssl-1.0.2c/doc/apps/cms.pod.trusted-first openssl-1.0.2c/doc/apps/cms.pod
--- openssl-1.0.2a/doc/apps/cms.pod.trusted-first 2015-03-19 14:30:36.000000000 +0100 --- openssl-1.0.2c/doc/apps/cms.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200
+++ openssl-1.0.2a/doc/apps/cms.pod 2015-04-22 16:25:31.842164132 +0200 +++ openssl-1.0.2c/doc/apps/cms.pod 2015-06-15 17:48:43.615118958 +0200
@@ -35,6 +35,7 @@ B<openssl> B<cms> @@ -35,6 +35,7 @@ B<openssl> B<cms>
[B<-print>] [B<-print>]
[B<-CAfile file>] [B<-CAfile file>]
[B<-CApath dir>] [B<-CApath dir>]
+[B<-trusted_first>] +[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-md digest>] [B<-md digest>]
[B<-[cipher]>] [B<-[cipher]>]
[B<-nointern>] @@ -245,6 +246,12 @@ B<-verify>. This directory must be a sta
@@ -244,6 +245,12 @@ B<-verify>. This directory must be a sta
is a hash of each subject name (using B<x509 -hash>) should be linked is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate. to each certificate.
@ -117,18 +117,20 @@ diff -up openssl-1.0.2a/doc/apps/cms.pod.trusted-first openssl-1.0.2a/doc/apps/c
=item B<-md digest> =item B<-md digest>
digest algorithm to use when signing or resigning. If not present then the digest algorithm to use when signing or resigning. If not present then the
diff -up openssl-1.0.2a/doc/apps/ocsp.pod.trusted-first openssl-1.0.2a/doc/apps/ocsp.pod diff -up openssl-1.0.2c/doc/apps/ocsp.pod.trusted-first openssl-1.0.2c/doc/apps/ocsp.pod
--- openssl-1.0.2a/doc/apps/ocsp.pod.trusted-first 2015-04-22 16:25:31.798163092 +0200 --- openssl-1.0.2c/doc/apps/ocsp.pod.trusted-first 2015-06-15 17:45:13.115279830 +0200
+++ openssl-1.0.2a/doc/apps/ocsp.pod 2015-04-22 16:25:31.842164132 +0200 +++ openssl-1.0.2c/doc/apps/ocsp.pod 2015-06-15 17:49:06.337641320 +0200
@@ -29,6 +29,7 @@ B<openssl> B<ocsp> @@ -29,7 +29,8 @@ B<openssl> B<ocsp>
[B<-path>] [B<-path>]
[B<-CApath dir>] [B<-CApath dir>]
[B<-CAfile file>] [B<-CAfile file>]
-[B<-no_alt_chains>]]
+[B<-trusted_first>] +[B<-trusted_first>]
+[B<-no_alt_chains>]
[B<-VAfile file>] [B<-VAfile file>]
[B<-validity_period n>] [B<-validity_period n>]
[B<-status_age n>] [B<-status_age n>]
@@ -143,6 +144,13 @@ connection timeout to the OCSP responder @@ -144,6 +145,13 @@ connection timeout to the OCSP responder
file or pathname containing trusted CA certificates. These are used to verify file or pathname containing trusted CA certificates. These are used to verify
the signature on the OCSP response. the signature on the OCSP response.
@ -139,32 +141,32 @@ diff -up openssl-1.0.2a/doc/apps/ocsp.pod.trusted-first openssl-1.0.2a/doc/apps/
+chain to verify responder certificate. +chain to verify responder certificate.
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs. +This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+ +
=item B<-verify_other file> =item B<-no_alt_chains>
file containing additional certificates to search when attempting to locate See L<B<verify>|verify(1)> manual page for details.
diff -up openssl-1.0.2a/doc/apps/s_client.pod.trusted-first openssl-1.0.2a/doc/apps/s_client.pod diff -up openssl-1.0.2c/doc/apps/s_client.pod.trusted-first openssl-1.0.2c/doc/apps/s_client.pod
--- openssl-1.0.2a/doc/apps/s_client.pod.trusted-first 2015-04-22 16:25:31.814163470 +0200 --- openssl-1.0.2c/doc/apps/s_client.pod.trusted-first 2015-06-15 17:45:13.115279830 +0200
+++ openssl-1.0.2a/doc/apps/s_client.pod 2015-04-22 16:25:31.843164156 +0200 +++ openssl-1.0.2c/doc/apps/s_client.pod 2015-06-15 17:49:23.984046989 +0200
@@ -19,6 +19,7 @@ B<openssl> B<s_client> @@ -19,6 +19,7 @@ B<openssl> B<s_client>
[B<-pass arg>] [B<-pass arg>]
[B<-CApath directory>] [B<-CApath directory>]
[B<-CAfile filename>] [B<-CAfile filename>]
+[B<-trusted_first>] +[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-reconnect>] [B<-reconnect>]
[B<-pause>] [B<-pause>]
[B<-showcerts>] @@ -124,7 +125,7 @@ also used when building the client certi
@@ -123,7 +124,7 @@ also used when building the client certi
A file containing trusted certificates to use during server authentication A file containing trusted certificates to use during server authentication
and to use when attempting to build the client certificate chain. and to use when attempting to build the client certificate chain.
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first> +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first -no_alt_chains>
Set various certificate chain valiadition option. See the Set various certificate chain valiadition option. See the
L<B<verify>|verify(1)> manual page for details. L<B<verify>|verify(1)> manual page for details.
diff -up openssl-1.0.2a/doc/apps/smime.pod.trusted-first openssl-1.0.2a/doc/apps/smime.pod diff -up openssl-1.0.2c/doc/apps/smime.pod.trusted-first openssl-1.0.2c/doc/apps/smime.pod
--- openssl-1.0.2a/doc/apps/smime.pod.trusted-first 2015-01-20 13:33:36.000000000 +0100 --- openssl-1.0.2c/doc/apps/smime.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200
+++ openssl-1.0.2a/doc/apps/smime.pod 2015-04-22 16:25:31.843164156 +0200 +++ openssl-1.0.2c/doc/apps/smime.pod 2015-06-15 17:50:00.856894648 +0200
@@ -15,6 +15,9 @@ B<openssl> B<smime> @@ -15,6 +15,9 @@ B<openssl> B<smime>
[B<-pk7out>] [B<-pk7out>]
[B<-[cipher]>] [B<-[cipher]>]
@ -172,10 +174,10 @@ diff -up openssl-1.0.2a/doc/apps/smime.pod.trusted-first openssl-1.0.2a/doc/apps
+[B<-CAfile file>] +[B<-CAfile file>]
+[B<-CApath dir>] +[B<-CApath dir>]
+[B<-trusted_first>] +[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-certfile file>] [B<-certfile file>]
[B<-signer file>] [B<-signer file>]
[B<-recip file>] @@ -147,6 +150,12 @@ B<-verify>. This directory must be a sta
@@ -146,6 +149,12 @@ B<-verify>. This directory must be a sta
is a hash of each subject name (using B<x509 -hash>) should be linked is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate. to each certificate.
@ -188,18 +190,18 @@ diff -up openssl-1.0.2a/doc/apps/smime.pod.trusted-first openssl-1.0.2a/doc/apps
=item B<-md digest> =item B<-md digest>
digest algorithm to use when signing or resigning. If not present then the digest algorithm to use when signing or resigning. If not present then the
diff -up openssl-1.0.2a/doc/apps/s_server.pod.trusted-first openssl-1.0.2a/doc/apps/s_server.pod diff -up openssl-1.0.2c/doc/apps/s_server.pod.trusted-first openssl-1.0.2c/doc/apps/s_server.pod
--- openssl-1.0.2a/doc/apps/s_server.pod.trusted-first 2015-04-22 16:25:31.814163470 +0200 --- openssl-1.0.2c/doc/apps/s_server.pod.trusted-first 2015-06-15 17:45:13.116279853 +0200
+++ openssl-1.0.2a/doc/apps/s_server.pod 2015-04-22 16:25:31.843164156 +0200 +++ openssl-1.0.2c/doc/apps/s_server.pod 2015-06-15 17:49:37.420355873 +0200
@@ -33,6 +33,7 @@ B<openssl> B<s_server> @@ -33,6 +33,7 @@ B<openssl> B<s_server>
[B<-state>] [B<-state>]
[B<-CApath directory>] [B<-CApath directory>]
[B<-CAfile filename>] [B<-CAfile filename>]
+[B<-trusted_first>] +[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-nocert>] [B<-nocert>]
[B<-cipher cipherlist>] [B<-cipher cipherlist>]
[B<-serverpref>] @@ -175,6 +176,12 @@ and to use when attempting to build the
@@ -174,6 +175,12 @@ and to use when attempting to build the
is also used in the list of acceptable client CAs passed to the client when is also used in the list of acceptable client CAs passed to the client when
a certificate is requested. a certificate is requested.
@ -209,12 +211,12 @@ diff -up openssl-1.0.2a/doc/apps/s_server.pod.trusted-first openssl-1.0.2a/doc/a
+when building the trust chain to verify client certificates. +when building the trust chain to verify client certificates.
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs. +This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+ +
=item B<-state> =item B<-no_alt_chains>
prints out the SSL session states. See the L<B<verify>|verify(1)> manual page for details.
diff -up openssl-1.0.2a/doc/apps/s_time.pod.trusted-first openssl-1.0.2a/doc/apps/s_time.pod diff -up openssl-1.0.2c/doc/apps/s_time.pod.trusted-first openssl-1.0.2c/doc/apps/s_time.pod
--- openssl-1.0.2a/doc/apps/s_time.pod.trusted-first 2015-01-15 15:43:49.000000000 +0100 --- openssl-1.0.2c/doc/apps/s_time.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200
+++ openssl-1.0.2a/doc/apps/s_time.pod 2015-04-22 16:25:31.843164156 +0200 +++ openssl-1.0.2c/doc/apps/s_time.pod 2015-06-15 17:45:13.116279853 +0200
@@ -14,6 +14,7 @@ B<openssl> B<s_time> @@ -14,6 +14,7 @@ B<openssl> B<s_time>
[B<-key filename>] [B<-key filename>]
[B<-CApath directory>] [B<-CApath directory>]
@ -236,9 +238,9 @@ diff -up openssl-1.0.2a/doc/apps/s_time.pod.trusted-first openssl-1.0.2a/doc/app
=item B<-new> =item B<-new>
performs the timing test using a new session ID for each connection. performs the timing test using a new session ID for each connection.
diff -up openssl-1.0.2a/doc/apps/ts.pod.trusted-first openssl-1.0.2a/doc/apps/ts.pod diff -up openssl-1.0.2c/doc/apps/ts.pod.trusted-first openssl-1.0.2c/doc/apps/ts.pod
--- openssl-1.0.2a/doc/apps/ts.pod.trusted-first 2015-01-20 13:33:36.000000000 +0100 --- openssl-1.0.2c/doc/apps/ts.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200
+++ openssl-1.0.2a/doc/apps/ts.pod 2015-04-22 16:25:31.843164156 +0200 +++ openssl-1.0.2c/doc/apps/ts.pod 2015-06-15 17:45:13.116279853 +0200
@@ -46,6 +46,7 @@ B<-verify> @@ -46,6 +46,7 @@ B<-verify>
[B<-token_in>] [B<-token_in>]
[B<-CApath> trusted_cert_path] [B<-CApath> trusted_cert_path]
@ -260,9 +262,9 @@ diff -up openssl-1.0.2a/doc/apps/ts.pod.trusted-first openssl-1.0.2a/doc/apps/ts
=item B<-untrusted> cert_file.pem =item B<-untrusted> cert_file.pem
Set of additional untrusted certificates in PEM format which may be Set of additional untrusted certificates in PEM format which may be
diff -up openssl-1.0.2a/doc/apps/verify.pod.trusted-first openssl-1.0.2a/doc/apps/verify.pod diff -up openssl-1.0.2c/doc/apps/verify.pod.trusted-first openssl-1.0.2c/doc/apps/verify.pod
--- openssl-1.0.2a/doc/apps/verify.pod.trusted-first 2015-03-19 14:30:36.000000000 +0100 --- openssl-1.0.2c/doc/apps/verify.pod.trusted-first 2015-06-12 16:51:21.000000000 +0200
+++ openssl-1.0.2a/doc/apps/verify.pod 2015-04-22 16:25:31.843164156 +0200 +++ openssl-1.0.2c/doc/apps/verify.pod 2015-06-15 17:45:13.116279853 +0200
@@ -9,6 +9,7 @@ verify - Utility to verify certificates. @@ -9,6 +9,7 @@ verify - Utility to verify certificates.
B<openssl> B<verify> B<openssl> B<verify>
[B<-CApath directory>] [B<-CApath directory>]
@ -271,7 +273,7 @@ diff -up openssl-1.0.2a/doc/apps/verify.pod.trusted-first openssl-1.0.2a/doc/app
[B<-purpose purpose>] [B<-purpose purpose>]
[B<-policy arg>] [B<-policy arg>]
[B<-ignore_critical>] [B<-ignore_critical>]
@@ -78,6 +79,12 @@ If a valid CRL cannot be found an error @@ -79,6 +80,12 @@ If a valid CRL cannot be found an error
A file of untrusted certificates. The file should contain multiple certificates A file of untrusted certificates. The file should contain multiple certificates
in PEM format concatenated together. in PEM format concatenated together.

12
openssl-1.0.2a-manfix.patch → openssl-1.0.2d-manfix.patch
View File

@ -79,15 +79,3 @@ diff -up openssl-1.0.2a/doc/apps/s_server.pod.manfix openssl-1.0.2a/doc/apps/s_s
these options disable the use of certain SSL or TLS protocols. By default these options disable the use of certain SSL or TLS protocols. By default
the initial handshake uses a method which should be compatible with all the initial handshake uses a method which should be compatible with all
diff -up openssl-1.0.2a/doc/ssl/SSL_CTX_use_serverinfo.pod.manfix openssl-1.0.2a/doc/ssl/SSL_CTX_use_serverinfo.pod
--- openssl-1.0.2a/doc/ssl/SSL_CTX_use_serverinfo.pod.manfix 2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.2a/doc/ssl/SSL_CTX_use_serverinfo.pod 2015-04-22 20:12:43.082395251 +0200
@@ -2,7 +2,7 @@
=head1 NAME
-SSL_CTX_use_serverinfo, SSL_CTX_use_serverinfo_file
+SSL_CTX_use_serverinfo, SSL_CTX_use_serverinfo_file - load serverinfo extensions
=head1 SYNOPSIS

82
openssl-1.0.2d-secp256k1.patch Normal file
View File

@ -0,0 +1,82 @@
diff -up openssl-1.0.2d/crypto/ec/ec_curve.c.secp256k1 openssl-1.0.2d/crypto/ec/ec_curve.c
--- openssl-1.0.2d/crypto/ec/ec_curve.c.secp256k1 2015-08-12 14:55:15.203415420 -0400
+++ openssl-1.0.2d/crypto/ec/ec_curve.c 2015-08-12 15:07:12.659113262 -0400
@@ -86,6 +86,42 @@ typedef struct {
unsigned int cofactor; /* promoted to BN_ULONG */
} EC_CURVE_DATA;
+static const struct {
+ EC_CURVE_DATA h;
+ unsigned char data[0 + 32 * 6];
+} _EC_SECG_PRIME_256K1 = {
+ {
+ NID_X9_62_prime_field, 0, 32, 1
+ },
+ {
+ /* no seed */
+ /* p */
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
+ /* a */
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ /* b */
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,
+ /* x */
+ 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95,
+ 0xCE, 0x87, 0x0B, 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9,
+ 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, 0x98,
+ /* y */
+ 0x48, 0x3a, 0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4, 0xfb, 0xfc,
+ 0x0e, 0x11, 0x08, 0xa8, 0xfd, 0x17, 0xb4, 0x48, 0xa6, 0x85, 0x54, 0x19,
+ 0x9c, 0x47, 0xd0, 0x8f, 0xfb, 0x10, 0xd4, 0xb8,
+ /* order */
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
+ 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
+ }
+};
+
/* the nist prime curves */
static const struct {
EC_CURVE_DATA h;
@@ -235,6 +271,8 @@ typedef struct _ec_list_element_st {
static const ec_list_element curve_list[] = {
/* prime field curves */
/* secg curves */
+ {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
+ "SECG curve over a 256 bit prime field"},
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
{NID_secp384r1, &_EC_NIST_PRIME_384.h, 0,
"NIST/SECG curve over a 384 bit prime field"},
diff -up openssl-1.0.2d/ssl/t1_lib.c.secp256k1 openssl-1.0.2d/ssl/t1_lib.c
--- openssl-1.0.2d/ssl/t1_lib.c.secp256k1 2015-08-12 15:04:42.876925441 -0400
+++ openssl-1.0.2d/ssl/t1_lib.c 2015-08-12 15:04:47.837699822 -0400
@@ -269,6 +269,7 @@ static const unsigned char eccurves_auto
/* Other >= 256-bit prime curves. */
0, 25, /* secp521r1 (25) */
0, 24, /* secp384r1 (24) */
+ 0, 22, /* secp256k1 (22) */
# ifndef OPENSSL_NO_EC2M
/* >= 256-bit binary curves. */
0, 14, /* sect571r1 (14) */
@@ -286,6 +287,7 @@ static const unsigned char eccurves_all[
/* Other >= 256-bit prime curves. */
0, 25, /* secp521r1 (25) */
0, 24, /* secp384r1 (24) */
+ 0, 22, /* secp256k1 (22) */
# ifndef OPENSSL_NO_EC2M
/* >= 256-bit binary curves. */
0, 14, /* sect571r1 (14) */
@@ -333,6 +335,7 @@ static const unsigned char fips_curves_d
0, 9, /* sect283k1 (9) */
0, 10, /* sect283r1 (10) */
# endif
+ 0, 22, /* secp256k1 (22) */
0, 23, /* secp256r1 (23) */
# ifndef OPENSSL_NO_EC2M
0, 8, /* sect239k1 (8) */

665
openssl-1.0.2a-fips.patch → openssl-1.0.2e-fips.patch
View File

File diff suppressed because it is too large Load Diff

15
openssl-1.0.2e-remove-nistp224.patch Normal file
View File

@ -0,0 +1,15 @@
diff -up openssl-1.0.2e/crypto/ec/ec.h.nistp224 openssl-1.0.2e/crypto/ec/ec.h
--- openssl-1.0.2e/crypto/ec/ec.h.nistp224 2015-12-04 14:00:57.000000000 +0100
+++ openssl-1.0.2e/crypto/ec/ec.h 2015-12-08 15:51:37.046747916 +0100
@@ -149,11 +149,6 @@ const EC_METHOD *EC_GFp_mont_method(void
const EC_METHOD *EC_GFp_nist_method(void);
# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
-/** Returns 64-bit optimized methods for nistp224
- * \return EC_METHOD object
- */
-const EC_METHOD *EC_GFp_nistp224_method(void);
-
/** Returns 64-bit optimized methods for nistp256
* \return EC_METHOD object
*/

35
openssl-1.0.2a-rpmbuild.patch → openssl-1.0.2e-rpmbuild.patch
View File

@ -1,7 +1,7 @@
diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure diff -up openssl-1.0.2e/Configure.rpmbuild openssl-1.0.2e/Configure
--- openssl-1.0.2a/Configure.rpmbuild 2015-03-19 14:30:36.000000000 +0100 --- openssl-1.0.2e/Configure.rpmbuild 2015-12-03 15:04:23.000000000 +0100
+++ openssl-1.0.2a/Configure 2015-04-20 14:35:03.516318252 +0200 +++ openssl-1.0.2e/Configure 2015-12-04 13:20:22.996835604 +0100
@@ -348,8 +348,8 @@ my %table=( @@ -365,8 +365,8 @@ my %table=(
#### ####
# *-generic* is endian-neutral target, but ./config is free to # *-generic* is endian-neutral target, but ./config is free to
# throw in -D[BL]_ENDIAN, whichever appropriate... # throw in -D[BL]_ENDIAN, whichever appropriate...
@ -12,14 +12,14 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure
####################################################################### #######################################################################
# Note that -march is not among compiler options in below linux-armv4 # Note that -march is not among compiler options in below linux-armv4
@@ -378,30 +378,30 @@ my %table=( @@ -395,31 +395,31 @@ my %table=(
# #
# ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8 # ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8
# #
-"linux-armv4", "gcc: -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"linux-armv4", "gcc: -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-aarch64","gcc: -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"linux-aarch64","gcc: -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-armv4", "gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", +"linux-armv4", "gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+"linux-aarch64","gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", +"linux-aarch64","gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
# Configure script adds minimally required -march for assembly support, # Configure script adds minimally required -march for assembly support,
# if no -march was specified at command line. mips32 and mips64 below # if no -march was specified at command line. mips32 and mips64 below
# refer to contemporary MIPS Architecture specifications, MIPS32 and # refer to contemporary MIPS Architecture specifications, MIPS32 and
@ -40,14 +40,15 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure
-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", -"linux-ppc64", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-"linux-ppc64le","gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::", -"linux-ppc64le","gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", +"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+"linux-ppc64", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", +"linux-ppc64", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+"linux-ppc64le","gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", +"linux-ppc64le","gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+"linux-ia64", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", +"linux-ia64", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
"linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", -"linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64", +"linux-x86_64", "gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
"linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Weverything $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", "linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"debug-linux-x86_64-clang", "clang: -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -g -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", "linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32", "linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
-"linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", -"linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
@ -55,12 +56,12 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure
#### So called "highgprs" target for z/Architecture CPUs #### So called "highgprs" target for z/Architecture CPUs
# "Highgprs" is kernel feature first implemented in Linux 2.6.32, see # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
# /proc/cpuinfo. The idea is to preserve most significant bits of # /proc/cpuinfo. The idea is to preserve most significant bits of
@@ -419,12 +419,12 @@ my %table=( @@ -437,12 +437,12 @@ my %table=(
#### SPARC Linux setups #### SPARC Linux setups
# Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
# assisted with debugging of following two configs. # assisted with debugging of following two configs.
-"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)", +"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
# it's a real mess with -mcpu=ultrasparc option under Linux, but # it's a real mess with -mcpu=ultrasparc option under Linux, but
# -Wa,-Av8plus should do the trick no matter what. # -Wa,-Av8plus should do the trick no matter what.
-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@ -71,7 +72,7 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure
#### Alpha Linux with GNU C and Compaq C setups #### Alpha Linux with GNU C and Compaq C setups
# Special notes: # Special notes:
# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
@@ -1737,7 +1737,7 @@ while (<IN>) @@ -1767,7 +1767,7 @@ while (<IN>)
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/) elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
{ {
my $sotmp = $1; my $sotmp = $1;
@ -80,9 +81,9 @@ diff -up openssl-1.0.2a/Configure.rpmbuild openssl-1.0.2a/Configure
} }
elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/) elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
{ {
diff -up openssl-1.0.2a/Makefile.org.rpmbuild openssl-1.0.2a/Makefile.org diff -up openssl-1.0.2e/Makefile.org.rpmbuild openssl-1.0.2e/Makefile.org
--- openssl-1.0.2a/Makefile.org.rpmbuild 2015-03-19 14:30:36.000000000 +0100 --- openssl-1.0.2e/Makefile.org.rpmbuild 2015-12-03 15:04:23.000000000 +0100
+++ openssl-1.0.2a/Makefile.org 2015-04-20 14:11:52.152847093 +0200 +++ openssl-1.0.2e/Makefile.org 2015-12-04 13:18:44.913538616 +0100
@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY= @@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
SHLIB_MAJOR= SHLIB_MAJOR=
SHLIB_MINOR= SHLIB_MINOR=
@ -91,7 +92,7 @@ diff -up openssl-1.0.2a/Makefile.org.rpmbuild openssl-1.0.2a/Makefile.org
PLATFORM=dist PLATFORM=dist
OPTIONS= OPTIONS=
CONFIGURE_ARGS= CONFIGURE_ARGS=
@@ -335,10 +336,9 @@ clean-shared: @@ -341,10 +342,9 @@ clean-shared:
link-shared: link-shared:
@ set -e; for i in $(SHLIBDIRS); do \ @ set -e; for i in $(SHLIBDIRS); do \
$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \ $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
@ -103,7 +104,7 @@ diff -up openssl-1.0.2a/Makefile.org.rpmbuild openssl-1.0.2a/Makefile.org
done done
build-shared: do_$(SHLIB_TARGET) link-shared build-shared: do_$(SHLIB_TARGET) link-shared
@@ -349,7 +349,7 @@ do_$(SHLIB_TARGET): @@ -355,7 +355,7 @@ do_$(SHLIB_TARGET):
libs="$(LIBKRB5) $$libs"; \ libs="$(LIBKRB5) $$libs"; \
fi; \ fi; \
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \ $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \

58
openssl-1.0.2e-speed-doc.patch Normal file
View File

@ -0,0 +1,58 @@
diff -up openssl-1.0.2e/apps/speed.c.speed-doc openssl-1.0.2e/apps/speed.c
--- openssl-1.0.2e/apps/speed.c.speed-doc 2015-12-04 14:00:58.000000000 +0100
+++ openssl-1.0.2e/apps/speed.c 2016-01-15 14:15:56.482343557 +0100
@@ -648,10 +648,6 @@ int MAIN(int argc, char **argv)
# endif
int multiblock = 0;
-# ifndef TIMES
- usertime = -1;
-# endif
-
apps_startup();
memset(results, 0, sizeof(results));
# ifndef OPENSSL_NO_DSA
@@ -1145,10 +1141,8 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err, "\n");
BIO_printf(bio_err, "Available options:\n");
-# if defined(TIMES) || defined(USE_TOD)
BIO_printf(bio_err, "-elapsed "
"measure time in real time instead of CPU user time.\n");
-# endif
# ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err,
"-engine e "
diff -up openssl-1.0.2e/doc/apps/speed.pod.speed-doc openssl-1.0.2e/doc/apps/speed.pod
--- openssl-1.0.2e/doc/apps/speed.pod.speed-doc 2015-12-03 14:42:07.000000000 +0100
+++ openssl-1.0.2e/doc/apps/speed.pod 2016-01-15 14:05:23.044222376 +0100
@@ -8,6 +8,9 @@ speed - test library performance
B<openssl speed>
[B<-engine id>]
+[B<-elapsed>]
+[B<-evp algo>]
+[B<-decrypt>]
[B<md2>]
[B<mdc2>]
[B<md5>]
@@ -49,6 +52,19 @@ to attempt to obtain a functional refere
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
+=item B<-elapsed>
+
+Measure time in real time instead of CPU time. It can be useful when testing
+speed of hardware engines.
+
+=item B<-evp algo>
+
+Use the specified cipher or message digest algorithm via the EVP interface.
+
+=item B<-decrypt>
+
+Time the decryption instead of encryption. Affects only the EVP testing.
+
=item B<[zero or more test algorithms]>
If any options are given, B<speed> tests those algorithms, otherwise all of

72
openssl-1.0.2a-wrap-pad.patch → openssl-1.0.2e-wrap-pad.patch
View File

@ -1,6 +1,6 @@
diff -up openssl-1.0.2a/crypto/evp/c_allc.c.wrap openssl-1.0.2a/crypto/evp/c_allc.c diff -up openssl-1.0.2e/crypto/evp/c_allc.c.wrap openssl-1.0.2e/crypto/evp/c_allc.c
--- openssl-1.0.2a/crypto/evp/c_allc.c.wrap 2015-04-22 15:41:32.147488107 +0200 --- openssl-1.0.2e/crypto/evp/c_allc.c.wrap 2015-12-04 13:33:42.118550036 +0100
+++ openssl-1.0.2a/crypto/evp/c_allc.c 2015-04-22 15:47:25.486946239 +0200 +++ openssl-1.0.2e/crypto/evp/c_allc.c 2015-12-04 13:33:42.190551722 +0100
@@ -179,6 +179,7 @@ void OpenSSL_add_all_ciphers(void) @@ -179,6 +179,7 @@ void OpenSSL_add_all_ciphers(void)
EVP_add_cipher(EVP_aes_128_xts()); EVP_add_cipher(EVP_aes_128_xts());
EVP_add_cipher(EVP_aes_128_ccm()); EVP_add_cipher(EVP_aes_128_ccm());
@ -57,9 +57,9 @@ diff -up openssl-1.0.2a/crypto/evp/c_allc.c.wrap openssl-1.0.2a/crypto/evp/c_all
EVP_add_cipher_alias(SN_aes_256_cbc, "AES256"); EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
EVP_add_cipher_alias(SN_aes_256_cbc, "aes256"); EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
# endif # endif
diff -up openssl-1.0.2a/crypto/evp/e_aes.c.wrap openssl-1.0.2a/crypto/evp/e_aes.c diff -up openssl-1.0.2e/crypto/evp/e_aes.c.wrap openssl-1.0.2e/crypto/evp/e_aes.c
--- openssl-1.0.2a/crypto/evp/e_aes.c.wrap 2015-04-22 15:41:32.148488131 +0200 --- openssl-1.0.2e/crypto/evp/e_aes.c.wrap 2015-12-04 13:33:42.119550059 +0100
+++ openssl-1.0.2a/crypto/evp/e_aes.c 2015-04-22 15:52:21.809039506 +0200 +++ openssl-1.0.2e/crypto/evp/e_aes.c 2015-12-04 13:33:42.190551722 +0100
@@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
/* ==================================================================== /* ====================================================================
- * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. - * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
@ -67,7 +67,7 @@ diff -up openssl-1.0.2a/crypto/evp/e_aes.c.wrap openssl-1.0.2a/crypto/evp/e_aes.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@@ -1952,7 +1952,7 @@ static int aes_wrap_init_key(EVP_CIPHER_ @@ -1953,7 +1953,7 @@ static int aes_wrap_init_key(EVP_CIPHER_
wctx->iv = NULL; wctx->iv = NULL;
} }
if (iv) { if (iv) {
@ -76,7 +76,7 @@ diff -up openssl-1.0.2a/crypto/evp/e_aes.c.wrap openssl-1.0.2a/crypto/evp/e_aes.
wctx->iv = ctx->iv; wctx->iv = ctx->iv;
} }
return 1; return 1;
@@ -1963,30 +1963,57 @@ static int aes_wrap_cipher(EVP_CIPHER_CT @@ -1964,30 +1964,57 @@ static int aes_wrap_cipher(EVP_CIPHER_CT
{ {
EVP_AES_WRAP_CTX *wctx = ctx->cipher_data; EVP_AES_WRAP_CTX *wctx = ctx->cipher_data;
size_t rv; size_t rv;
@ -142,7 +142,7 @@ diff -up openssl-1.0.2a/crypto/evp/e_aes.c.wrap openssl-1.0.2a/crypto/evp/e_aes.
| EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1) | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
@@ -2031,3 +2058,45 @@ const EVP_CIPHER *EVP_aes_256_wrap(void) @@ -2032,3 +2059,45 @@ const EVP_CIPHER *EVP_aes_256_wrap(void)
{ {
return &aes_256_wrap; return &aes_256_wrap;
} }
@ -188,10 +188,10 @@ diff -up openssl-1.0.2a/crypto/evp/e_aes.c.wrap openssl-1.0.2a/crypto/evp/e_aes.
+{ +{
+ return &aes_256_wrap_pad; + return &aes_256_wrap_pad;
+} +}
diff -up openssl-1.0.2a/crypto/evp/e_des3.c.wrap openssl-1.0.2a/crypto/evp/e_des3.c diff -up openssl-1.0.2e/crypto/evp/e_des3.c.wrap openssl-1.0.2e/crypto/evp/e_des3.c
--- openssl-1.0.2a/crypto/evp/e_des3.c.wrap 2015-04-22 15:41:40.301683300 +0200 --- openssl-1.0.2e/crypto/evp/e_des3.c.wrap 2015-12-04 13:33:42.119550059 +0100
+++ openssl-1.0.2a/crypto/evp/e_des3.c 2015-04-22 15:53:39.529899964 +0200 +++ openssl-1.0.2e/crypto/evp/e_des3.c 2015-12-04 13:33:42.191551745 +0100
@@ -473,7 +473,7 @@ static const EVP_CIPHER des3_wrap = { @@ -474,7 +474,7 @@ static const EVP_CIPHER des3_wrap = {
NID_id_smime_alg_CMS3DESwrap, NID_id_smime_alg_CMS3DESwrap,
8, 24, 0, 8, 24, 0,
EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
@ -200,10 +200,10 @@ diff -up openssl-1.0.2a/crypto/evp/e_des3.c.wrap openssl-1.0.2a/crypto/evp/e_des
des_ede3_init_key, des_ede3_wrap_cipher, des_ede3_init_key, des_ede3_wrap_cipher,
NULL, NULL,
sizeof(DES_EDE_KEY), sizeof(DES_EDE_KEY),
diff -up openssl-1.0.2a/crypto/evp/evp.h.wrap openssl-1.0.2a/crypto/evp/evp.h diff -up openssl-1.0.2e/crypto/evp/evp.h.wrap openssl-1.0.2e/crypto/evp/evp.h
--- openssl-1.0.2a/crypto/evp/evp.h.wrap 2015-04-22 19:30:57.000000000 +0200 --- openssl-1.0.2e/crypto/evp/evp.h.wrap 2015-12-04 13:33:42.120550083 +0100
+++ openssl-1.0.2a/crypto/evp/evp.h 2015-04-22 19:51:06.352832516 +0200 +++ openssl-1.0.2e/crypto/evp/evp.h 2015-12-04 13:33:42.191551745 +0100
@@ -832,6 +832,7 @@ const EVP_CIPHER *EVP_aes_128_ccm(void); @@ -834,6 +834,7 @@ const EVP_CIPHER *EVP_aes_128_ccm(void);
const EVP_CIPHER *EVP_aes_128_gcm(void); const EVP_CIPHER *EVP_aes_128_gcm(void);
const EVP_CIPHER *EVP_aes_128_xts(void); const EVP_CIPHER *EVP_aes_128_xts(void);
const EVP_CIPHER *EVP_aes_128_wrap(void); const EVP_CIPHER *EVP_aes_128_wrap(void);
@ -211,7 +211,7 @@ diff -up openssl-1.0.2a/crypto/evp/evp.h.wrap openssl-1.0.2a/crypto/evp/evp.h
const EVP_CIPHER *EVP_aes_192_ecb(void); const EVP_CIPHER *EVP_aes_192_ecb(void);
const EVP_CIPHER *EVP_aes_192_cbc(void); const EVP_CIPHER *EVP_aes_192_cbc(void);
const EVP_CIPHER *EVP_aes_192_cfb1(void); const EVP_CIPHER *EVP_aes_192_cfb1(void);
@@ -843,6 +844,7 @@ const EVP_CIPHER *EVP_aes_192_ctr(void); @@ -845,6 +846,7 @@ const EVP_CIPHER *EVP_aes_192_ctr(void);
const EVP_CIPHER *EVP_aes_192_ccm(void); const EVP_CIPHER *EVP_aes_192_ccm(void);
const EVP_CIPHER *EVP_aes_192_gcm(void); const EVP_CIPHER *EVP_aes_192_gcm(void);
const EVP_CIPHER *EVP_aes_192_wrap(void); const EVP_CIPHER *EVP_aes_192_wrap(void);
@ -219,7 +219,7 @@ diff -up openssl-1.0.2a/crypto/evp/evp.h.wrap openssl-1.0.2a/crypto/evp/evp.h
const EVP_CIPHER *EVP_aes_256_ecb(void); const EVP_CIPHER *EVP_aes_256_ecb(void);
const EVP_CIPHER *EVP_aes_256_cbc(void); const EVP_CIPHER *EVP_aes_256_cbc(void);
const EVP_CIPHER *EVP_aes_256_cfb1(void); const EVP_CIPHER *EVP_aes_256_cfb1(void);
@@ -855,6 +857,7 @@ const EVP_CIPHER *EVP_aes_256_ccm(void); @@ -857,6 +859,7 @@ const EVP_CIPHER *EVP_aes_256_ccm(void);
const EVP_CIPHER *EVP_aes_256_gcm(void); const EVP_CIPHER *EVP_aes_256_gcm(void);
const EVP_CIPHER *EVP_aes_256_xts(void); const EVP_CIPHER *EVP_aes_256_xts(void);
const EVP_CIPHER *EVP_aes_256_wrap(void); const EVP_CIPHER *EVP_aes_256_wrap(void);
@ -227,9 +227,9 @@ diff -up openssl-1.0.2a/crypto/evp/evp.h.wrap openssl-1.0.2a/crypto/evp/evp.h
# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) # if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void); const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void);
const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void); const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void);
diff -up openssl-1.0.2a/crypto/evp/evptests.txt.wrap openssl-1.0.2a/crypto/evp/evptests.txt diff -up openssl-1.0.2e/crypto/evp/evptests.txt.wrap openssl-1.0.2e/crypto/evp/evptests.txt
--- openssl-1.0.2a/crypto/evp/evptests.txt.wrap 2015-04-22 15:41:47.194848307 +0200 --- openssl-1.0.2e/crypto/evp/evptests.txt.wrap 2015-12-03 15:04:23.000000000 +0100
+++ openssl-1.0.2a/crypto/evp/evptests.txt 2015-04-22 16:01:08.174540977 +0200 +++ openssl-1.0.2e/crypto/evp/evptests.txt 2015-12-04 13:33:42.191551745 +0100
@@ -399,3 +399,7 @@ id-aes256-wrap:000102030405060708090A0B0 @@ -399,3 +399,7 @@ id-aes256-wrap:000102030405060708090A0B0
id-aes192-wrap:000102030405060708090A0B0C0D0E0F1011121314151617::00112233445566778899AABBCCDDEEFF0001020304050607:031D33264E15D33268F24EC260743EDCE1C6C7DDEE725A936BA814915C6762D2 id-aes192-wrap:000102030405060708090A0B0C0D0E0F1011121314151617::00112233445566778899AABBCCDDEEFF0001020304050607:031D33264E15D33268F24EC260743EDCE1C6C7DDEE725A936BA814915C6762D2
id-aes256-wrap:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F::00112233445566778899AABBCCDDEEFF0001020304050607:A8F9BC1612C68B3FF6E6F4FBE30E71E4769C8B80A32CB8958CD5D17D6B254DA1 id-aes256-wrap:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F::00112233445566778899AABBCCDDEEFF0001020304050607:A8F9BC1612C68B3FF6E6F4FBE30E71E4769C8B80A32CB8958CD5D17D6B254DA1
@ -238,9 +238,9 @@ diff -up openssl-1.0.2a/crypto/evp/evptests.txt.wrap openssl-1.0.2a/crypto/evp/e
+id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::c37b7e6492584340bed12207808941155068f738:138bdeaa9b8fa7fc61f97742e72248ee5ae6ae5360d1ae6a5f54f373fa543b6a +id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::c37b7e6492584340bed12207808941155068f738:138bdeaa9b8fa7fc61f97742e72248ee5ae6ae5360d1ae6a5f54f373fa543b6a
+id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::466f7250617369:afbeb0f07dfbf5419200f2ccb50bb24f +id-aes192-wrap-pad:5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8::466f7250617369:afbeb0f07dfbf5419200f2ccb50bb24f
+ +
diff -up openssl-1.0.2a/crypto/modes/modes.h.wrap openssl-1.0.2a/crypto/modes/modes.h diff -up openssl-1.0.2e/crypto/modes/modes.h.wrap openssl-1.0.2e/crypto/modes/modes.h
--- openssl-1.0.2a/crypto/modes/modes.h.wrap 2015-04-22 15:41:49.228896997 +0200 --- openssl-1.0.2e/crypto/modes/modes.h.wrap 2015-12-04 13:33:41.770541886 +0100
+++ openssl-1.0.2a/crypto/modes/modes.h 2015-04-22 16:03:40.724152855 +0200 +++ openssl-1.0.2e/crypto/modes/modes.h 2015-12-04 13:33:42.191551745 +0100
@@ -157,6 +157,12 @@ size_t CRYPTO_128_unwrap(void *key, cons @@ -157,6 +157,12 @@ size_t CRYPTO_128_unwrap(void *key, cons
unsigned char *out, unsigned char *out,
const unsigned char *in, size_t inlen, const unsigned char *in, size_t inlen,
@ -254,9 +254,9 @@ diff -up openssl-1.0.2a/crypto/modes/modes.h.wrap openssl-1.0.2a/crypto/modes/mo
#ifdef __cplusplus #ifdef __cplusplus
} }
diff -up openssl-1.0.2a/crypto/modes/wrap128.c.wrap openssl-1.0.2a/crypto/modes/wrap128.c diff -up openssl-1.0.2e/crypto/modes/wrap128.c.wrap openssl-1.0.2e/crypto/modes/wrap128.c
--- openssl-1.0.2a/crypto/modes/wrap128.c.wrap 2015-03-19 14:30:36.000000000 +0100 --- openssl-1.0.2e/crypto/modes/wrap128.c.wrap 2015-12-03 15:04:23.000000000 +0100
+++ openssl-1.0.2a/crypto/modes/wrap128.c 2015-04-22 16:06:16.798848197 +0200 +++ openssl-1.0.2e/crypto/modes/wrap128.c 2015-12-04 13:37:51.486366984 +0100
@@ -2,6 +2,7 @@ @@ -2,6 +2,7 @@
/* /*
* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
@ -312,7 +312,7 @@ diff -up openssl-1.0.2a/crypto/modes/wrap128.c.wrap openssl-1.0.2a/crypto/modes/
size_t CRYPTO_128_wrap(void *key, const unsigned char *iv, size_t CRYPTO_128_wrap(void *key, const unsigned char *iv,
unsigned char *out, unsigned char *out,
const unsigned char *in, size_t inlen, const unsigned char *in, size_t inlen,
@@ -72,11 +98,11 @@ size_t CRYPTO_128_wrap(void *key, const @@ -72,7 +98,7 @@ size_t CRYPTO_128_wrap(void *key, const
{ {
unsigned char *A, B[16], *R; unsigned char *A, B[16], *R;
size_t i, j, t; size_t i, j, t;
@ -321,11 +321,6 @@ diff -up openssl-1.0.2a/crypto/modes/wrap128.c.wrap openssl-1.0.2a/crypto/modes/
return 0; return 0;
A = B; A = B;
t = 1; t = 1;
- memcpy(out + 8, in, inlen);
+ memmove(out + 8, in, inlen);
if (!iv)
iv = default_iv;
@@ -100,7 +126,23 @@ size_t CRYPTO_128_wrap(void *key, const @@ -100,7 +126,23 @@ size_t CRYPTO_128_wrap(void *key, const
return inlen + 8; return inlen + 8;
} }
@ -351,15 +346,6 @@ diff -up openssl-1.0.2a/crypto/modes/wrap128.c.wrap openssl-1.0.2a/crypto/modes/
unsigned char *out, unsigned char *out,
const unsigned char *in, size_t inlen, const unsigned char *in, size_t inlen,
block128_f block) block128_f block)
@@ -113,7 +155,7 @@ size_t CRYPTO_128_unwrap(void *key, cons
A = B;
t = 6 * (inlen >> 3);
memcpy(A, in, 8);
- memcpy(out, in + 8, inlen);
+ memmove(out, in + 8, inlen);
for (j = 0; j < 6; j++) {
R = out + inlen - 8;
for (i = 0; i < inlen; i += 8, t--, R -= 8) {
@@ -128,11 +170,190 @@ size_t CRYPTO_128_unwrap(void *key, cons @@ -128,11 +170,190 @@ size_t CRYPTO_128_unwrap(void *key, cons
memcpy(R, B + 8, 8); memcpy(R, B + 8, 8);
} }

134
openssl-1.0.2a-new-fips-reqs.patch → openssl-1.0.2f-new-fips-reqs.patch
View File

@ -1,7 +1,7 @@
diff -up openssl-1.0.2a/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.2a/crypto/bn/bn_rand.c diff -up openssl-1.0.2f/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.2f/crypto/bn/bn_rand.c
--- openssl-1.0.2a/crypto/bn/bn_rand.c.fips-reqs 2015-03-19 14:19:00.000000000 +0100 --- openssl-1.0.2f/crypto/bn/bn_rand.c.fips-reqs 2016-01-28 14:38:30.000000000 +0100
+++ openssl-1.0.2a/crypto/bn/bn_rand.c 2015-04-22 15:06:37.907003880 +0200 +++ openssl-1.0.2f/crypto/bn/bn_rand.c 2016-01-28 16:36:22.811387420 +0100
@@ -136,9 +136,11 @@ static int bnrand(int pseudorand, BIGNUM @@ -141,9 +141,11 @@ static int bnrand(int pseudorand, BIGNUM
goto err; goto err;
} }
@ -16,9 +16,9 @@ diff -up openssl-1.0.2a/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.2a/crypto/bn/b
if (pseudorand) { if (pseudorand) {
if (RAND_pseudo_bytes(buf, bytes) == -1) if (RAND_pseudo_bytes(buf, bytes) == -1)
diff -up openssl-1.0.2a/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2a/crypto/dh/dh_gen.c diff -up openssl-1.0.2f/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2f/crypto/dh/dh_gen.c
--- openssl-1.0.2a/crypto/dh/dh_gen.c.fips-reqs 2015-04-22 15:06:37.840002285 +0200 --- openssl-1.0.2f/crypto/dh/dh_gen.c.fips-reqs 2016-01-28 16:36:22.767386408 +0100
+++ openssl-1.0.2a/crypto/dh/dh_gen.c 2015-04-22 15:06:37.907003880 +0200 +++ openssl-1.0.2f/crypto/dh/dh_gen.c 2016-01-28 16:36:22.811387420 +0100
@@ -128,7 +128,7 @@ static int dh_builtin_genparams(DH *ret, @@ -128,7 +128,7 @@ static int dh_builtin_genparams(DH *ret,
return 0; return 0;
} }
@ -28,9 +28,9 @@ diff -up openssl-1.0.2a/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2a/crypto/dh/dh
DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL); DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
goto err; goto err;
} }
diff -up openssl-1.0.2a/crypto/dh/dh.h.fips-reqs openssl-1.0.2a/crypto/dh/dh.h diff -up openssl-1.0.2f/crypto/dh/dh.h.fips-reqs openssl-1.0.2f/crypto/dh/dh.h
--- openssl-1.0.2a/crypto/dh/dh.h.fips-reqs 2015-04-22 15:06:37.908003903 +0200 --- openssl-1.0.2f/crypto/dh/dh.h.fips-reqs 2016-01-28 16:36:22.767386408 +0100
+++ openssl-1.0.2a/crypto/dh/dh.h 2015-04-22 15:07:25.265130812 +0200 +++ openssl-1.0.2f/crypto/dh/dh.h 2016-01-28 16:36:22.812387443 +0100
@@ -78,6 +78,7 @@ @@ -78,6 +78,7 @@
# endif # endif
@ -39,44 +39,10 @@ diff -up openssl-1.0.2a/crypto/dh/dh.h.fips-reqs openssl-1.0.2a/crypto/dh/dh.h
# define DH_FLAG_CACHE_MONT_P 0x01 # define DH_FLAG_CACHE_MONT_P 0x01
diff -up openssl-1.0.2a/crypto/dh/dh_check.c.fips-reqs openssl-1.0.2a/crypto/dh/dh_check.c diff -up openssl-1.0.2f/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2f/crypto/dsa/dsa_gen.c
--- openssl-1.0.2a/crypto/dh/dh_check.c.fips-reqs 2015-03-19 14:30:36.000000000 +0100 --- openssl-1.0.2f/crypto/dsa/dsa_gen.c.fips-reqs 2016-01-28 16:36:22.768386431 +0100
+++ openssl-1.0.2a/crypto/dh/dh_check.c 2015-04-22 15:06:37.908003903 +0200 +++ openssl-1.0.2f/crypto/dsa/dsa_gen.c 2016-01-28 16:36:22.812387443 +0100
@@ -164,7 +164,30 @@ int DH_check_pub_key(const DH *dh, const @@ -157,9 +157,11 @@ int dsa_builtin_paramgen(DSA *ret, size_
BN_sub_word(q, 1);
if (BN_cmp(pub_key, q) >= 0)
*ret |= DH_CHECK_PUBKEY_TOO_LARGE;
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && dh->q != NULL) {
+ BN_CTX *ctx = NULL;
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+
+ if (BN_mod_exp_mont(q, pub_key, dh->q, dh->p, ctx, NULL) <= 0) {
+ BN_CTX_free(ctx);
+ goto err;
+ }
+ if (!BN_is_one(q)) {
+ /* it would be more correct to add new return flag
+ * for this test, but we do not want to do it
+ * so just error out
+ */
+ BN_CTX_free(ctx);
+ goto err;
+ }
+
+ BN_CTX_free(ctx);
+ }
+#endif
ok = 1;
err:
if (q != NULL)
diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2a/crypto/dsa/dsa_gen.c
--- openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips-reqs 2015-04-22 15:06:37.841002309 +0200
+++ openssl-1.0.2a/crypto/dsa/dsa_gen.c 2015-04-22 15:06:37.908003903 +0200
@@ -165,9 +165,11 @@ int dsa_builtin_paramgen(DSA *ret, size_
} }
if (FIPS_module_mode() && if (FIPS_module_mode() &&
@ -91,9 +57,9 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2a/crypto/dsa
DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID); DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
goto err; goto err;
} }
diff -up openssl-1.0.2a/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2a/crypto/dsa/dsa.h diff -up openssl-1.0.2f/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2f/crypto/dsa/dsa.h
--- openssl-1.0.2a/crypto/dsa/dsa.h.fips-reqs 2015-04-22 15:06:37.908003903 +0200 --- openssl-1.0.2f/crypto/dsa/dsa.h.fips-reqs 2016-01-28 16:36:22.768386431 +0100
+++ openssl-1.0.2a/crypto/dsa/dsa.h 2015-04-22 15:09:01.291415852 +0200 +++ openssl-1.0.2f/crypto/dsa/dsa.h 2016-01-28 16:36:22.812387443 +0100
@@ -89,6 +89,7 @@ @@ -89,6 +89,7 @@
# endif # endif
@ -114,9 +80,9 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2a/crypto/dsa/dsa
* Rabin-Miller * Rabin-Miller
*/ */
# define DSA_is_prime(n, callback, cb_arg) \ # define DSA_is_prime(n, callback, cb_arg) \
diff -up openssl-1.0.2a/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2a/crypto/dsa/dsa_key.c diff -up openssl-1.0.2f/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2f/crypto/dsa/dsa_key.c
--- openssl-1.0.2a/crypto/dsa/dsa_key.c.fips-reqs 2015-04-22 15:06:37.905003832 +0200 --- openssl-1.0.2f/crypto/dsa/dsa_key.c.fips-reqs 2016-01-28 16:36:22.810387397 +0100
+++ openssl-1.0.2a/crypto/dsa/dsa_key.c 2015-04-22 15:06:37.908003903 +0200 +++ openssl-1.0.2f/crypto/dsa/dsa_key.c 2016-01-28 16:36:22.812387443 +0100
@@ -125,7 +125,7 @@ static int dsa_builtin_keygen(DSA *dsa) @@ -125,7 +125,7 @@ static int dsa_builtin_keygen(DSA *dsa)
# ifdef OPENSSL_FIPS # ifdef OPENSSL_FIPS
@ -126,9 +92,9 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2a/crypto/dsa
DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL); DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
goto err; goto err;
} }
diff -up openssl-1.0.2a/crypto/fips/fips.c.fips-reqs openssl-1.0.2a/crypto/fips/fips.c diff -up openssl-1.0.2f/crypto/fips/fips.c.fips-reqs openssl-1.0.2f/crypto/fips/fips.c
--- openssl-1.0.2a/crypto/fips/fips.c.fips-reqs 2015-04-22 15:06:37.905003832 +0200 --- openssl-1.0.2f/crypto/fips/fips.c.fips-reqs 2016-01-28 16:36:22.810387397 +0100
+++ openssl-1.0.2a/crypto/fips/fips.c 2015-04-22 15:06:37.909003927 +0200 +++ openssl-1.0.2f/crypto/fips/fips.c 2016-01-28 16:36:22.813387467 +0100
@@ -424,26 +424,24 @@ int FIPS_module_mode_set(int onoff, cons @@ -424,26 +424,24 @@ int FIPS_module_mode_set(int onoff, cons
ret = 0; ret = 0;
goto end; goto end;
@ -162,9 +128,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips.c.fips-reqs openssl-1.0.2a/crypto/fips/
ret = 1; ret = 1;
goto end; goto end;
} }
diff -up openssl-1.0.2a/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2a/crypto/fips/fips_dh_selftest.c diff -up openssl-1.0.2f/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2f/crypto/fips/fips_dh_selftest.c
--- openssl-1.0.2a/crypto/fips/fips_dh_selftest.c.fips-reqs 2015-04-22 15:06:37.909003927 +0200 --- openssl-1.0.2f/crypto/fips/fips_dh_selftest.c.fips-reqs 2016-01-28 16:36:22.813387467 +0100
+++ openssl-1.0.2a/crypto/fips/fips_dh_selftest.c 2015-04-22 15:06:37.909003927 +0200 +++ openssl-1.0.2f/crypto/fips/fips_dh_selftest.c 2016-01-28 16:36:22.813387467 +0100
@@ -0,0 +1,162 @@ @@ -0,0 +1,162 @@
+/* ==================================================================== +/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. + * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
@ -328,9 +294,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2a/
+ return ret; + return ret;
+} +}
+#endif +#endif
diff -up openssl-1.0.2a/crypto/fips/fips.h.fips-reqs openssl-1.0.2a/crypto/fips/fips.h diff -up openssl-1.0.2f/crypto/fips/fips.h.fips-reqs openssl-1.0.2f/crypto/fips/fips.h
--- openssl-1.0.2a/crypto/fips/fips.h.fips-reqs 2015-04-22 15:06:37.899003689 +0200 --- openssl-1.0.2f/crypto/fips/fips.h.fips-reqs 2016-01-28 16:36:22.806387305 +0100
+++ openssl-1.0.2a/crypto/fips/fips.h 2015-04-22 15:06:37.909003927 +0200 +++ openssl-1.0.2f/crypto/fips/fips.h 2016-01-28 16:36:22.813387467 +0100
@@ -96,6 +96,7 @@ extern "C" { @@ -96,6 +96,7 @@ extern "C" {
int FIPS_selftest_dsa(void); int FIPS_selftest_dsa(void);
int FIPS_selftest_ecdsa(void); int FIPS_selftest_ecdsa(void);
@ -339,9 +305,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips.h.fips-reqs openssl-1.0.2a/crypto/fips/
void FIPS_corrupt_rng(void); void FIPS_corrupt_rng(void);
void FIPS_rng_stick(void); void FIPS_rng_stick(void);
void FIPS_x931_stick(int onoff); void FIPS_x931_stick(int onoff);
diff -up openssl-1.0.2a/crypto/fips/fips_post.c.fips-reqs openssl-1.0.2a/crypto/fips/fips_post.c diff -up openssl-1.0.2f/crypto/fips/fips_post.c.fips-reqs openssl-1.0.2f/crypto/fips/fips_post.c
--- openssl-1.0.2a/crypto/fips/fips_post.c.fips-reqs 2015-04-22 15:06:37.895003594 +0200 --- openssl-1.0.2f/crypto/fips/fips_post.c.fips-reqs 2016-01-28 16:36:22.803387236 +0100
+++ openssl-1.0.2a/crypto/fips/fips_post.c 2015-04-22 15:06:37.909003927 +0200 +++ openssl-1.0.2f/crypto/fips/fips_post.c 2016-01-28 16:36:22.813387467 +0100
@@ -99,6 +99,8 @@ int FIPS_selftest(void) @@ -99,6 +99,8 @@ int FIPS_selftest(void)
rv = 0; rv = 0;
if (!FIPS_selftest_dsa()) if (!FIPS_selftest_dsa())
@ -351,9 +317,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_post.c.fips-reqs openssl-1.0.2a/crypto/
if (!FIPS_selftest_ecdh()) if (!FIPS_selftest_ecdh())
rv = 0; rv = 0;
return rv; return rv;
diff -up openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c diff -up openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c
--- openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c.fips-reqs 2015-04-22 15:06:37.854002618 +0200 --- openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c.fips-reqs 2016-01-28 16:36:22.778386661 +0100
+++ openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c 2015-04-22 15:06:37.910003951 +0200 +++ openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c 2016-01-28 16:36:22.814387489 +0100
@@ -60,68 +60,107 @@ @@ -60,68 +60,107 @@
#ifdef OPENSSL_FIPS #ifdef OPENSSL_FIPS
@ -1008,9 +974,9 @@ diff -up openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.2a
RSA_free(key); RSA_free(key);
return ret; return ret;
} }
diff -up openssl-1.0.2a/crypto/fips/Makefile.fips-reqs openssl-1.0.2a/crypto/fips/Makefile diff -up openssl-1.0.2f/crypto/fips/Makefile.fips-reqs openssl-1.0.2f/crypto/fips/Makefile
--- openssl-1.0.2a/crypto/fips/Makefile.fips-reqs 2015-04-22 15:06:37.895003594 +0200 --- openssl-1.0.2f/crypto/fips/Makefile.fips-reqs 2016-01-28 16:36:22.803387236 +0100
+++ openssl-1.0.2a/crypto/fips/Makefile 2015-04-22 15:06:37.910003951 +0200 +++ openssl-1.0.2f/crypto/fips/Makefile 2016-01-28 16:36:22.814387489 +0100
@@ -24,13 +24,15 @@ LIBSRC=fips_aes_selftest.c fips_des_self @@ -24,13 +24,15 @@ LIBSRC=fips_aes_selftest.c fips_des_self
fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \ fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
@ -1029,9 +995,9 @@ diff -up openssl-1.0.2a/crypto/fips/Makefile.fips-reqs openssl-1.0.2a/crypto/fip
LIBCRYPTO=-L.. -lcrypto LIBCRYPTO=-L.. -lcrypto
diff -up openssl-1.0.2a/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.2a/crypto/rand/rand_lcl.h diff -up openssl-1.0.2f/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.2f/crypto/rand/rand_lcl.h
--- openssl-1.0.2a/crypto/rand/rand_lcl.h.fips-reqs 2015-04-22 15:06:37.599996574 +0200 --- openssl-1.0.2f/crypto/rand/rand_lcl.h.fips-reqs 2016-01-28 16:36:22.516380636 +0100
+++ openssl-1.0.2a/crypto/rand/rand_lcl.h 2015-04-22 15:06:37.910003951 +0200 +++ openssl-1.0.2f/crypto/rand/rand_lcl.h 2016-01-28 16:36:22.814387489 +0100
@@ -112,7 +112,7 @@ @@ -112,7 +112,7 @@
#ifndef HEADER_RAND_LCL_H #ifndef HEADER_RAND_LCL_H
# define HEADER_RAND_LCL_H # define HEADER_RAND_LCL_H
@ -1041,9 +1007,9 @@ diff -up openssl-1.0.2a/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.2a/crypto/r
# if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND) # if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) # if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
diff -up openssl-1.0.2a/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.2a/crypto/rand/rand_lib.c diff -up openssl-1.0.2f/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.2f/crypto/rand/rand_lib.c
--- openssl-1.0.2a/crypto/rand/rand_lib.c.fips-reqs 2015-03-19 14:19:00.000000000 +0100 --- openssl-1.0.2f/crypto/rand/rand_lib.c.fips-reqs 2016-01-28 14:38:31.000000000 +0100
+++ openssl-1.0.2a/crypto/rand/rand_lib.c 2015-04-22 15:06:37.910003951 +0200 +++ openssl-1.0.2f/crypto/rand/rand_lib.c 2016-01-28 16:36:22.814387489 +0100
@@ -236,12 +236,22 @@ static int drbg_rand_add(DRBG_CTX *ctx, @@ -236,12 +236,22 @@ static int drbg_rand_add(DRBG_CTX *ctx,
double entropy) double entropy)
{ {
@ -1067,9 +1033,9 @@ diff -up openssl-1.0.2a/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.2a/crypto/r
return 1; return 1;
} }
diff -up openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.2a/crypto/rsa/rsa_gen.c diff -up openssl-1.0.2f/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.2f/crypto/rsa/rsa_gen.c
--- openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips-reqs 2015-04-22 15:06:37.858002714 +0200 --- openssl-1.0.2f/crypto/rsa/rsa_gen.c.fips-reqs 2016-01-28 16:36:22.781386731 +0100
+++ openssl-1.0.2a/crypto/rsa/rsa_gen.c 2015-04-22 15:06:37.910003951 +0200 +++ openssl-1.0.2f/crypto/rsa/rsa_gen.c 2016-01-28 16:36:22.814387489 +0100
@@ -1,5 +1,6 @@ @@ -1,5 +1,6 @@
/* crypto/rsa/rsa_gen.c */ /* crypto/rsa/rsa_gen.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
@ -1371,9 +1337,9 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.2a/crypto/rsa
ok = 1; ok = 1;
err: err:
if (ok == -1) { if (ok == -1) {
diff -up openssl-1.0.2a/ssl/t1_enc.c.fips-reqs openssl-1.0.2a/ssl/t1_enc.c diff -up openssl-1.0.2f/ssl/t1_enc.c.fips-reqs openssl-1.0.2f/ssl/t1_enc.c
--- openssl-1.0.2a/ssl/t1_enc.c.fips-reqs 2015-03-19 14:30:36.000000000 +0100 --- openssl-1.0.2f/ssl/t1_enc.c.fips-reqs 2016-01-28 14:56:08.000000000 +0100
+++ openssl-1.0.2a/ssl/t1_enc.c 2015-04-22 15:06:37.911003975 +0200 +++ openssl-1.0.2f/ssl/t1_enc.c 2016-01-28 16:36:22.814387489 +0100
@@ -292,6 +292,23 @@ static int tls1_PRF(long digest_mask, @@ -292,6 +292,23 @@ static int tls1_PRF(long digest_mask,
return ret; return ret;
} }

2
sources
View File

@ -1 +1 @@
f51c4df95c3d53fc82a0885fd169225a openssl-1.0.2a-hobbled.tar.xz e9d29bc1688f65fcb9d1b564d53d6f13 openssl-1.0.2f-hobbled.tar.xz