rpms
/
mingw-openssl
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import mingw-openssl-1.0.2k-2.el8

This commit is contained in:
CentOS Sources 2020-01-21 18:02:05 -05:00 committed by Stepan Oksanichenko
parent c2dcbcb658
commit a1a3d9de2d
10 changed files with 14 additions and 5062 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

174
SOURCES/openssl-1.0.2a-fips-ctor.patch
View File

@ -1,174 +0,0 @@
diff -up openssl-1.0.2a/crypto/fips/fips.c.fips-ctor openssl-1.0.2a/crypto/fips/fips.c
--- openssl-1.0.2a/crypto/fips/fips.c.fips-ctor 2015-04-21 17:42:18.702765856 +0200
+++ openssl-1.0.2a/crypto/fips/fips.c 2015-04-21 17:42:18.742766794 +0200
@@ -60,6 +60,8 @@
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
#include "fips_locl.h"
#ifdef OPENSSL_FIPS
@@ -201,7 +203,9 @@ static char *bin2hex(void *buf, size_t l
}
# define HMAC_PREFIX "."
-# define HMAC_SUFFIX ".hmac"
+# ifndef HMAC_SUFFIX
+# define HMAC_SUFFIX ".hmac"
+# endif
# define READ_BUFFER_LENGTH 16384
static char *make_hmac_path(const char *origpath)
@@ -279,20 +283,14 @@ static int compute_file_hmac(const char
return rv;
}
-static int FIPSCHECK_verify(const char *libname, const char *symbolname)
+static int FIPSCHECK_verify(const char *path)
{
- char path[PATH_MAX + 1];
- int rv;
+ int rv = 0;
FILE *hf;
char *hmacpath, *p;
char *hmac = NULL;
size_t n;
- rv = get_library_path(libname, symbolname, path, sizeof(path));
-
- if (rv < 0)
- return 0;
-
hmacpath = make_hmac_path(path);
if (hmacpath == NULL)
return 0;
@@ -343,6 +341,51 @@ static int FIPSCHECK_verify(const char *
return 1;
}
+static int verify_checksums(void)
+{
+ int rv;
+ char path[PATH_MAX + 1];
+ char *p;
+
+ /* we need to avoid dlopening libssl, assume both libcrypto and libssl
+ are in the same directory */
+
+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER,
+ "FIPS_mode_set", path, sizeof(path));
+ if (rv < 0)
+ return 0;
+
+ rv = FIPSCHECK_verify(path);
+ if (!rv)
+ return 0;
+
+ /* replace libcrypto with libssl */
+ while ((p = strstr(path, "libcrypto.so")) != NULL) {
+ p = stpcpy(p, "libssl");
+ memmove(p, p + 3, strlen(p + 2));
+ }
+
+ rv = FIPSCHECK_verify(path);
+ if (!rv)
+ return 0;
+ return 1;
+}
+
+# ifndef FIPS_MODULE_PATH
+# define FIPS_MODULE_PATH "/etc/system-fips"
+# endif
+
+int FIPS_module_installed(void)
+{
+ int rv;
+ rv = access(FIPS_MODULE_PATH, F_OK);
+ if (rv < 0 && errno != ENOENT)
+ rv = 0;
+
+ /* Installed == true */
+ return !rv;
+}
+
int FIPS_module_mode_set(int onoff, const char *auth)
{
int ret = 0;
@@ -380,17 +423,7 @@ int FIPS_module_mode_set(int onoff, cons
}
# endif
- if (!FIPSCHECK_verify
- ("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set")) {
- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
- FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
- fips_selftest_fail = 1;
- ret = 0;
- goto end;
- }
-
- if (!FIPSCHECK_verify
- ("libssl.so." SHLIB_VERSION_NUMBER, "SSL_CTX_new")) {
+ if (!verify_checksums()) {
FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
fips_selftest_fail = 1;
diff -up openssl-1.0.2a/crypto/fips/fips.h.fips-ctor openssl-1.0.2a/crypto/fips/fips.h
--- openssl-1.0.2a/crypto/fips/fips.h.fips-ctor 2015-04-21 17:42:18.739766724 +0200
+++ openssl-1.0.2a/crypto/fips/fips.h 2015-04-21 17:42:18.743766818 +0200
@@ -74,6 +74,7 @@ extern "C" {
int FIPS_module_mode_set(int onoff, const char *auth);
int FIPS_module_mode(void);
+ int FIPS_module_installed(void);
const void *FIPS_rand_check(void);
int FIPS_selftest(void);
int FIPS_selftest_failed(void);
diff -up openssl-1.0.2a/crypto/o_init.c.fips-ctor openssl-1.0.2a/crypto/o_init.c
--- openssl-1.0.2a/crypto/o_init.c.fips-ctor 2015-04-21 17:42:18.732766559 +0200
+++ openssl-1.0.2a/crypto/o_init.c 2015-04-21 17:45:02.662613173 +0200
@@ -74,6 +74,9 @@ static void init_fips_mode(void)
char buf[2] = "0";
int fd;
+ /* Ensure the selftests always run */
+ FIPS_mode_set(1);
+
if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
buf[0] = '1';
} else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
@@ -85,8 +88,12 @@ static void init_fips_mode(void)
* otherwise..
*/
- if (buf[0] == '1') {
- FIPS_mode_set(1);
+ if (buf[0] != '1') {
+ /* drop down to non-FIPS mode if it is not requested */
+ FIPS_mode_set(0);
+ } else {
+ /* abort if selftest failed */
+ FIPS_selftest_check();
}
}
#endif
@@ -96,13 +103,16 @@ static void init_fips_mode(void)
* sets FIPS callbacks
*/
-void OPENSSL_init_library(void)
+void __attribute__ ((constructor)) OPENSSL_init_library(void)
{
static int done = 0;
if (done)
return;
done = 1;
#ifdef OPENSSL_FIPS
+ if (!FIPS_module_installed()) {
+ return;
+ }
RAND_init_fips();
init_fips_mode();
if (!FIPS_mode()) {

1929
SOURCES/openssl-1.0.2a-fips-ec.patch
View File

File diff suppressed because it is too large Load Diff

525
SOURCES/openssl-1.0.2a-ipv6-apps.patch
View File

@ -1,525 +0,0 @@
diff -up openssl-1.0.2a/apps/s_apps.h.ipv6-apps openssl-1.0.2a/apps/s_apps.h
--- openssl-1.0.2a/apps/s_apps.h.ipv6-apps 2015-04-20 15:01:24.029120104 +0200
+++ openssl-1.0.2a/apps/s_apps.h 2015-04-20 15:05:00.353137701 +0200
@@ -151,7 +151,7 @@ typedef fd_mask fd_set;
#define PORT_STR "4433"
#define PROTOCOL "tcp"
-int do_server(int port, int type, int *ret,
+int do_server(char *port, int type, int *ret,
int (*cb) (char *hostname, int s, int stype,
unsigned char *context), unsigned char *context,
int naccept);
@@ -167,11 +167,10 @@ int ssl_print_point_formats(BIO *out, SS
int ssl_print_curves(BIO *out, SSL *s, int noshared);
#endif
int ssl_print_tmp_key(BIO *out, SSL *s);
-int init_client(int *sock, char *server, int port, int type);
+int init_client(int *sock, char *server, char *port, int type);
int should_retry(int i);
int extract_port(char *str, short *port_ptr);
-int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
- short *p);
+int extract_host_port(char *str, char **host_ptr, char **port_ptr);
long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
int argi, long argl, long ret);
diff -up openssl-1.0.2a/apps/s_client.c.ipv6-apps openssl-1.0.2a/apps/s_client.c
--- openssl-1.0.2a/apps/s_client.c.ipv6-apps 2015-04-20 15:01:24.022119942 +0200
+++ openssl-1.0.2a/apps/s_client.c 2015-04-20 15:06:42.338503234 +0200
@@ -662,7 +662,7 @@ int MAIN(int argc, char **argv)
int cbuf_len, cbuf_off;
int sbuf_len, sbuf_off;
fd_set readfds, writefds;
- short port = PORT;
+ char *port_str = PORT_STR;
int full_log = 1;
char *host = SSL_HOST_NAME;
char *cert_file = NULL, *key_file = NULL, *chain_file = NULL;
@@ -785,13 +785,11 @@ int MAIN(int argc, char **argv)
} else if (strcmp(*argv, "-port") == 0) {
if (--argc < 1)
goto bad;
- port = atoi(*(++argv));
- if (port == 0)
- goto bad;
+ port_str = *(++argv);
} else if (strcmp(*argv, "-connect") == 0) {
if (--argc < 1)
goto bad;
- if (!extract_host_port(*(++argv), &host, NULL, &port))
+ if (!extract_host_port(*(++argv), &host, &port_str))
goto bad;
} else if (strcmp(*argv, "-verify") == 0) {
verify = SSL_VERIFY_PEER;
@@ -1417,7 +1415,7 @@ int MAIN(int argc, char **argv)
re_start:
- if (init_client(&s, host, port, socket_type) == 0) {
+ if (init_client(&s, host, port_str, socket_type) == 0) {
BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());
SHUTDOWN(s);
goto end;
diff -up openssl-1.0.2a/apps/s_server.c.ipv6-apps openssl-1.0.2a/apps/s_server.c
--- openssl-1.0.2a/apps/s_server.c.ipv6-apps 2015-04-20 15:01:24.030120127 +0200
+++ openssl-1.0.2a/apps/s_server.c 2015-04-20 15:10:47.245187746 +0200
@@ -1061,7 +1061,7 @@ int MAIN(int argc, char *argv[])
{
X509_VERIFY_PARAM *vpm = NULL;
int badarg = 0;
- short port = PORT;
+ char *port_str = PORT_STR;
char *CApath = NULL, *CAfile = NULL;
char *chCApath = NULL, *chCAfile = NULL;
char *vfyCApath = NULL, *vfyCAfile = NULL;
@@ -1148,7 +1148,8 @@ int MAIN(int argc, char *argv[])
if ((strcmp(*argv, "-port") == 0) || (strcmp(*argv, "-accept") == 0)) {
if (--argc < 1)
goto bad;
- if (!extract_port(*(++argv), &port))
+ port_str = *(++argv);
+ if (port_str == NULL || *port_str == '\0')
goto bad;
} else if (strcmp(*argv, "-naccept") == 0) {
if (--argc < 1)
@@ -2020,13 +2021,13 @@ int MAIN(int argc, char *argv[])
BIO_printf(bio_s_out, "ACCEPT\n");
(void)BIO_flush(bio_s_out);
if (rev)
- do_server(port, socket_type, &accept_socket, rev_body, context,
+ do_server(port_str, socket_type, &accept_socket, rev_body, context,
naccept);
else if (www)
- do_server(port, socket_type, &accept_socket, www_body, context,
+ do_server(port_str, socket_type, &accept_socket, www_body, context,
naccept);
else
- do_server(port, socket_type, &accept_socket, sv_body, context,
+ do_server(port_str, socket_type, &accept_socket, sv_body, context,
naccept);
print_stats(bio_s_out, ctx);
ret = 0;
diff -up openssl-1.0.2a/apps/s_socket.c.ipv6-apps openssl-1.0.2a/apps/s_socket.c
--- openssl-1.0.2a/apps/s_socket.c.ipv6-apps 2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.2a/apps/s_socket.c 2015-04-20 15:32:53.960079507 +0200
@@ -106,9 +106,7 @@ static struct hostent *GetHostByName(cha
static void ssl_sock_cleanup(void);
# endif
static int ssl_sock_init(void);
-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type);
-static int init_server(int *sock, int port, int type);
-static int init_server_long(int *sock, int port, char *ip, int type);
+static int init_server(int *sock, char *port, int type);
static int do_accept(int acc_sock, int *sock, char **host);
static int host_ip(char *str, unsigned char ip[4]);
@@ -231,65 +229,66 @@ static int ssl_sock_init(void)
return (1);
}
-int init_client(int *sock, char *host, int port, int type)
+int init_client(int *sock, char *host, char *port, int type)
{
- unsigned char ip[4];
-
- memset(ip, '\0', sizeof ip);
- if (!host_ip(host, &(ip[0])))
- return 0;
- return init_client_ip(sock, ip, port, type);
-}
-
-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
-{
- unsigned long addr;
- struct sockaddr_in them;
- int s, i;
+ struct addrinfo *res, *res0, hints;
+ char *failed_call = NULL;
+ int s;
+ int e;
if (!ssl_sock_init())
return (0);
- memset((char *)&them, 0, sizeof(them));
- them.sin_family = AF_INET;
- them.sin_port = htons((unsigned short)port);
- addr = (unsigned long)
- ((unsigned long)ip[0] << 24L) |
- ((unsigned long)ip[1] << 16L) |
- ((unsigned long)ip[2] << 8L) | ((unsigned long)ip[3]);
- them.sin_addr.s_addr = htonl(addr);
-
- if (type == SOCK_STREAM)
- s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
- else /* ( type == SOCK_DGRAM) */
- s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
-
- if (s == INVALID_SOCKET) {
- perror("socket");
+ memset(&hints, '\0', sizeof(hints));
+ hints.ai_socktype = type;
+ hints.ai_flags = AI_ADDRCONFIG;
+
+ e = getaddrinfo(host, port, &hints, &res);
+ if (e) {
+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
+ if (e == EAI_SYSTEM)
+ perror("getaddrinfo");
return (0);
}
+
+ res0 = res;
+ while (res) {
+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
+ if (s == INVALID_SOCKET) {
+ failed_call = "socket";
+ goto nextres;
+ }
# if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
- if (type == SOCK_STREAM) {
- i = 0;
- i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE, (char *)&i, sizeof(i));
- if (i < 0) {
- closesocket(s);
- perror("keepalive");
- return (0);
+ if (type == SOCK_STREAM) {
+ int i = 0;
+ i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE,
+ (char *)&i, sizeof(i));
+ if (i < 0) {
+ failed_call = "keepalive";
+ goto nextres;
+ }
}
- }
# endif
-
- if (connect(s, (struct sockaddr *)&them, sizeof(them)) == -1) {
- closesocket(s);
- perror("connect");
- return (0);
+ if (connect(s, (struct sockaddr *)res->ai_addr, res->ai_addrlen) == 0) {
+ freeaddrinfo(res0);
+ *sock = s;
+ return (1);
+ }
+
+ failed_call = "socket";
+ nextres:
+ if (s != INVALID_SOCKET)
+ close(s);
+ res = res->ai_next;
}
- *sock = s;
- return (1);
+ freeaddrinfo(res0);
+ closesocket(s);
+
+ perror(failed_call);
+ return (0);
}
-int do_server(int port, int type, int *ret,
+int do_server(char *port, int type, int *ret,
int (*cb) (char *hostname, int s, int stype,
unsigned char *context), unsigned char *context,
int naccept)
@@ -328,69 +327,89 @@ int do_server(int port, int type, int *r
}
}
-static int init_server_long(int *sock, int port, char *ip, int type)
+static int init_server(int *sock, char *port, int type)
{
- int ret = 0;
- struct sockaddr_in server;
- int s = -1;
+ struct addrinfo *res, *res0 = NULL, hints;
+ char *failed_call = NULL;
+ int s = INVALID_SOCKET;
+ int e;
if (!ssl_sock_init())
return (0);
- memset((char *)&server, 0, sizeof(server));
- server.sin_family = AF_INET;
- server.sin_port = htons((unsigned short)port);
- if (ip == NULL)
- server.sin_addr.s_addr = INADDR_ANY;
- else
-/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */
-# ifndef BIT_FIELD_LIMITS
- memcpy(&server.sin_addr.s_addr, ip, 4);
-# else
- memcpy(&server.sin_addr, ip, 4);
-# endif
-
- if (type == SOCK_STREAM)
- s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
- else /* type == SOCK_DGRAM */
- s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
+ memset(&hints, '\0', sizeof(hints));
+ hints.ai_family = AF_INET6;
+ tryipv4:
+ hints.ai_socktype = type;
+ hints.ai_flags = AI_PASSIVE;
+
+ e = getaddrinfo(NULL, port, &hints, &res);
+ if (e) {
+ if (hints.ai_family == AF_INET) {
+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(e));
+ if (e == EAI_SYSTEM)
+ perror("getaddrinfo");
+ return (0);
+ } else
+ res = NULL;
+ }
- if (s == INVALID_SOCKET)
- goto err;
+ res0 = res;
+ while (res) {
+ s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
+ if (s == INVALID_SOCKET) {
+ failed_call = "socket";
+ goto nextres;
+ }
+ if (hints.ai_family == AF_INET6) {
+ int j = 0;
+ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, (void *)&j, sizeof j);
+ }
# if defined SOL_SOCKET && defined SO_REUSEADDR
- {
- int j = 1;
- setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&j, sizeof j);
- }
-# endif
- if (bind(s, (struct sockaddr *)&server, sizeof(server)) == -1) {
-# ifndef OPENSSL_SYS_WINDOWS
- perror("bind");
+ {
+ int j = 1;
+ setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&j, sizeof j);
+ }
# endif
- goto err;
+
+ if (bind(s, (struct sockaddr *)res->ai_addr, res->ai_addrlen) == -1) {
+ failed_call = "bind";
+ goto nextres;
+ }
+ if (type == SOCK_STREAM && listen(s, 128) == -1) {
+ failed_call = "listen";
+ goto nextres;
+ }
+
+ *sock = s;
+ return (1);
+
+ nextres:
+ if (s != INVALID_SOCKET)
+ close(s);
+ res = res->ai_next;
}
- /* Make it 128 for linux */
- if (type == SOCK_STREAM && listen(s, 128) == -1)
- goto err;
- *sock = s;
- ret = 1;
- err:
- if ((ret == 0) && (s != -1)) {
- SHUTDOWN(s);
+ if (res0)
+ freeaddrinfo(res0);
+
+ if (s == INVALID_SOCKET) {
+ if (hints.ai_family == AF_INET6) {
+ hints.ai_family = AF_INET;
+ goto tryipv4;
+ }
+ perror("socket");
+ return (0);
}
- return (ret);
-}
-static int init_server(int *sock, int port, int type)
-{
- return (init_server_long(sock, port, NULL, type));
+ perror(failed_call);
+ return (0);
}
static int do_accept(int acc_sock, int *sock, char **host)
{
+ static struct sockaddr_storage from;
+ char buffer[NI_MAXHOST];
int ret;
- struct hostent *h1, *h2;
- static struct sockaddr_in from;
int len;
/* struct linger ling; */
@@ -432,134 +451,60 @@ static int do_accept(int acc_sock, int *
ling.l_onoff=1;
ling.l_linger=0;
i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
- if (i < 0) { perror("linger"); return(0); }
+ if (i < 0) { closesocket(ret); perror("linger"); return(0); }
i=0;
i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
- if (i < 0) { perror("keepalive"); return(0); }
+ if (i < 0) { closesocket(ret); perror("keepalive"); return(0); }
*/
if (host == NULL)
goto end;
-# ifndef BIT_FIELD_LIMITS
- /* I should use WSAAsyncGetHostByName() under windows */
- h1 = gethostbyaddr((char *)&from.sin_addr.s_addr,
- sizeof(from.sin_addr.s_addr), AF_INET);
-# else
- h1 = gethostbyaddr((char *)&from.sin_addr,
- sizeof(struct in_addr), AF_INET);
-# endif
- if (h1 == NULL) {
- BIO_printf(bio_err, "bad gethostbyaddr\n");
+
+ if (getnameinfo((struct sockaddr *)&from, sizeof(from),
+ buffer, sizeof(buffer), NULL, 0, 0)) {
+ BIO_printf(bio_err, "getnameinfo failed\n");
*host = NULL;
/* return(0); */
} else {
- if ((*host = (char *)OPENSSL_malloc(strlen(h1->h_name) + 1)) == NULL) {
+ if ((*host = (char *)OPENSSL_malloc(strlen(buffer) + 1)) == NULL) {
perror("OPENSSL_malloc");
closesocket(ret);
return (0);
}
- BUF_strlcpy(*host, h1->h_name, strlen(h1->h_name) + 1);
-
- h2 = GetHostByName(*host);
- if (h2 == NULL) {
- BIO_printf(bio_err, "gethostbyname failure\n");
- closesocket(ret);
- return (0);
- }
- if (h2->h_addrtype != AF_INET) {
- BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
- closesocket(ret);
- return (0);
- }
+ strcpy(*host, buffer);
}
end:
*sock = ret;
return (1);
}
-int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
- short *port_ptr)
+int extract_host_port(char *str, char **host_ptr, char **port_ptr)
{
- char *h, *p;
+ char *h, *p, *x;
- h = str;
- p = strchr(str, ':');
+ x = h = str;
+ if (*h == '[') {
+ h++;
+ p = strchr(h, ']');
+ if (p == NULL) {
+ BIO_printf(bio_err, "no ending bracket for IPv6 address\n");
+ return (0);
+ }
+ *(p++) = '\0';
+ x = p;
+ }
+ p = strchr(x, ':');
if (p == NULL) {
BIO_printf(bio_err, "no port defined\n");
return (0);
}
*(p++) = '\0';
- if ((ip != NULL) && !host_ip(str, ip))
- goto err;
if (host_ptr != NULL)
*host_ptr = h;
+ if (port_ptr != NULL)
+ *port_ptr = p;
- if (!extract_port(p, port_ptr))
- goto err;
- return (1);
- err:
- return (0);
-}
-
-static int host_ip(char *str, unsigned char ip[4])
-{
- unsigned int in[4];
- int i;
-
- if (sscanf(str, "%u.%u.%u.%u", &(in[0]), &(in[1]), &(in[2]), &(in[3])) ==
- 4) {
- for (i = 0; i < 4; i++)
- if (in[i] > 255) {
- BIO_printf(bio_err, "invalid IP address\n");
- goto err;
- }
- ip[0] = in[0];
- ip[1] = in[1];
- ip[2] = in[2];
- ip[3] = in[3];
- } else { /* do a gethostbyname */
- struct hostent *he;
-
- if (!ssl_sock_init())
- return (0);
-
- he = GetHostByName(str);
- if (he == NULL) {
- BIO_printf(bio_err, "gethostbyname failure\n");
- goto err;
- }
- /* cast to short because of win16 winsock definition */
- if ((short)he->h_addrtype != AF_INET) {
- BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
- return (0);
- }
- ip[0] = he->h_addr_list[0][0];
- ip[1] = he->h_addr_list[0][1];
- ip[2] = he->h_addr_list[0][2];
- ip[3] = he->h_addr_list[0][3];
- }
- return (1);
- err:
- return (0);
-}
-
-int extract_port(char *str, short *port_ptr)
-{
- int i;
- struct servent *s;
-
- i = atoi(str);
- if (i != 0)
- *port_ptr = (unsigned short)i;
- else {
- s = getservbyname(str, "tcp");
- if (s == NULL) {
- BIO_printf(bio_err, "getservbyname failure for %s\n", str);
- return (0);
- }
- *port_ptr = ntohs((unsigned short)s->s_port);
- }
return (1);
}

35
SOURCES/openssl-1.0.2a-rsa-x931.patch
View File

@ -1,35 +0,0 @@
diff -up openssl-1.0.2a/apps/genrsa.c.x931 openssl-1.0.2a/apps/genrsa.c
--- openssl-1.0.2a/apps/genrsa.c.x931 2015-04-09 18:18:24.132107287 +0200
+++ openssl-1.0.2a/apps/genrsa.c 2015-04-09 18:18:18.852985339 +0200
@@ -97,6 +97,7 @@ int MAIN(int argc, char **argv)
int ret = 1;
int i, num = DEFBITS;
long l;
+ int use_x931 = 0;
const EVP_CIPHER *enc = NULL;
unsigned long f4 = RSA_F4;
char *outfile = NULL;
@@ -139,6 +140,8 @@ int MAIN(int argc, char **argv)
f4 = 3;
else if (strcmp(*argv, "-F4") == 0 || strcmp(*argv, "-f4") == 0)
f4 = RSA_F4;
+ else if (strcmp(*argv, "-x931") == 0)
+ use_x931 = 1;
# ifndef OPENSSL_NO_ENGINE
else if (strcmp(*argv, "-engine") == 0) {
if (--argc < 1)
@@ -278,7 +281,13 @@ int MAIN(int argc, char **argv)
if (!rsa)
goto err;
- if (!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
+ if (use_x931) {
+ if (!BN_set_word(bn, f4))
+ goto err;
+ if (!RSA_X931_generate_key_ex(rsa, num, bn, &cb))
+ goto err;
+ } else if (!BN_set_word(bn, f4)
+ || !RSA_generate_key_ex(rsa, num, bn, &cb))
goto err;
app_RAND_write_file(NULL, bio_err);

83
SOURCES/openssl-1.0.2a-version.patch
View File

@ -1,83 +0,0 @@
diff -up openssl-1.0.2a/crypto/cversion.c.version openssl-1.0.2a/crypto/cversion.c
--- openssl-1.0.2a/crypto/cversion.c.version 2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.2a/crypto/cversion.c 2015-04-21 16:48:56.285535316 +0200
@@ -62,7 +62,7 @@
# include "buildinf.h"
#endif
-const char *SSLeay_version(int t)
+const char *_current_SSLeay_version(int t)
{
if (t == SSLEAY_VERSION)
return OPENSSL_VERSION_TEXT;
@@ -101,7 +101,40 @@ const char *SSLeay_version(int t)
return ("not available");
}
-unsigned long SSLeay(void)
+const char *_original_SSLeay_version(int t)
+{
+ if (t == SSLEAY_VERSION)
+ return "OpenSSL 1.0.0-fips 29 Mar 2010";
+ else
+ return _current_SSLeay_version(t);
+}
+
+const char *_original101_SSLeay_version(int t)
+{
+ if (t == SSLEAY_VERSION)
+ return "OpenSSL 1.0.1e-fips 11 Feb 2013";
+ else
+ return _current_SSLeay_version(t);
+}
+
+unsigned long _original_SSLeay(void)
+{
+ return (0x10000003L);
+}
+
+unsigned long _original101_SSLeay(void)
+{
+ return (0x1000105fL);
+}
+
+unsigned long _current_SSLeay(void)
{
return (SSLEAY_VERSION_NUMBER);
}
+
+__asm__(".symver _original_SSLeay,SSLeay@");
+__asm__(".symver _original_SSLeay_version,SSLeay_version@");
+__asm__(".symver _original101_SSLeay,SSLeay@OPENSSL_1.0.1");
+__asm__(".symver _original101_SSLeay_version,SSLeay_version@OPENSSL_1.0.1");
+__asm__(".symver _current_SSLeay,SSLeay@@OPENSSL_1.0.2");
+__asm__(".symver _current_SSLeay_version,SSLeay_version@@OPENSSL_1.0.2");
diff -up openssl-1.0.2a/Makefile.shared.version openssl-1.0.2a/Makefile.shared
--- openssl-1.0.2a/Makefile.shared.version 2015-04-21 16:43:02.624170648 +0200
+++ openssl-1.0.2a/Makefile.shared 2015-04-21 16:43:02.676171879 +0200
@@ -151,7 +151,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
SHLIB_SUFFIX=; \
ALLSYMSFLAGS='-Wl,--whole-archive'; \
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,--default-symver,--version-script=version.map -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
DO_GNU_APP=LDFLAGS="$(CFLAGS)"
diff -up openssl-1.0.2a/version.map.version openssl-1.0.2a/version.map
--- openssl-1.0.2a/version.map.version 2015-04-21 16:43:02.676171879 +0200
+++ openssl-1.0.2a/version.map 2015-04-21 16:51:49.621630589 +0200
@@ -0,0 +1,13 @@
+OPENSSL_1.0.1 {
+ global:
+ SSLeay;
+ SSLeay_version;
+ local:
+ _original*;
+ _current*;
+};
+OPENSSL_1.0.2 {
+ global:
+ SSLeay;
+ SSLeay_version;
+} OPENSSL_1.0.1;

241
SOURCES/openssl-1.0.2i-secure-getenv.patch
View File

@ -1,241 +0,0 @@
diff -up openssl-1.0.2i/crypto/conf/conf_api.c.secure-getenv openssl-1.0.2i/crypto/conf/conf_api.c
--- openssl-1.0.2i/crypto/conf/conf_api.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/conf/conf_api.c 2016-09-22 13:51:29.847742209 +0200
@@ -63,6 +63,8 @@
# define NDEBUG
#endif
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <assert.h>
#include <stdlib.h>
#include <string.h>
@@ -141,7 +143,7 @@ char *_CONF_get_string(const CONF *conf,
if (v != NULL)
return (v->value);
if (strcmp(section, "ENV") == 0) {
- p = getenv(name);
+ p = secure_getenv(name);
if (p != NULL)
return (p);
}
@@ -154,7 +156,7 @@ char *_CONF_get_string(const CONF *conf,
else
return (NULL);
} else
- return (getenv(name));
+ return (secure_getenv(name));
}
#if 0 /* There's no way to provide error checking
diff -up openssl-1.0.2i/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.2i/crypto/conf/conf_mod.c
--- openssl-1.0.2i/crypto/conf/conf_mod.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/conf/conf_mod.c 2016-09-22 13:51:29.847742209 +0200
@@ -57,6 +57,8 @@
*
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <stdio.h>
#include <ctype.h>
#include <openssl/crypto.h>
@@ -530,7 +532,7 @@ char *CONF_get1_default_config_file(void
char *file;
int len;
- file = getenv("OPENSSL_CONF");
+ file = secure_getenv("OPENSSL_CONF");
if (file)
return BUF_strdup(file);
diff -up openssl-1.0.2i/crypto/engine/eng_list.c.secure-getenv openssl-1.0.2i/crypto/engine/eng_list.c
--- openssl-1.0.2i/crypto/engine/eng_list.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/engine/eng_list.c 2016-09-22 13:51:29.847742209 +0200
@@ -62,6 +62,8 @@
* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include "eng_int.h"
/*
@@ -369,10 +371,10 @@ ENGINE *ENGINE_by_id(const char *id)
*/
if (strcmp(id, "dynamic")) {
# ifdef OPENSSL_SYS_VMS
- if ((load_dir = getenv("OPENSSL_ENGINES")) == 0)
+ if (OPENSSL_issetugid() || (load_dir = getenv("OPENSSL_ENGINES")) == 0)
load_dir = "SSLROOT:[ENGINES]";
# else
- if ((load_dir = getenv("OPENSSL_ENGINES")) == 0)
+ if ((load_dir = secure_getenv("OPENSSL_ENGINES")) == 0)
load_dir = ENGINESDIR;
# endif
iterator = ENGINE_by_id("dynamic");
diff -up openssl-1.0.2i/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.2i/crypto/md5/md5_dgst.c
--- openssl-1.0.2i/crypto/md5/md5_dgst.c.secure-getenv 2016-09-22 13:51:29.840742047 +0200
+++ openssl-1.0.2i/crypto/md5/md5_dgst.c 2016-09-22 13:51:29.847742209 +0200
@@ -56,6 +56,8 @@
* [including the GNU Public Licence.]
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <stdio.h>
#include "md5_locl.h"
#include <openssl/opensslv.h>
@@ -75,7 +77,8 @@ const char MD5_version[] = "MD5" OPENSSL
int MD5_Init(MD5_CTX *c)
#ifdef OPENSSL_FIPS
{
- if (FIPS_mode() && getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
+ if (FIPS_mode()
+ && secure_getenv("OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW") == NULL)
OpenSSLDie(__FILE__, __LINE__, "Digest MD5 forbidden in FIPS mode!");
return private_MD5_Init(c);
}
diff -up openssl-1.0.2i/crypto/o_init.c.secure-getenv openssl-1.0.2i/crypto/o_init.c
--- openssl-1.0.2i/crypto/o_init.c.secure-getenv 2016-09-22 13:51:29.830741814 +0200
+++ openssl-1.0.2i/crypto/o_init.c 2016-09-22 13:51:30.046746834 +0200
@@ -53,6 +53,8 @@
*
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <e_os.h>
#include <openssl/err.h>
#ifdef OPENSSL_FIPS
@@ -72,7 +74,7 @@ static void init_fips_mode(void)
char buf[2] = "0";
int fd;
- if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
buf[0] = '1';
} else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
diff -up openssl-1.0.2i/crypto/rand/randfile.c.secure-getenv openssl-1.0.2i/crypto/rand/randfile.c
--- openssl-1.0.2i/crypto/rand/randfile.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/rand/randfile.c 2016-09-22 13:53:17.222237626 +0200
@@ -55,6 +55,8 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
@@ -327,14 +329,12 @@ const char *RAND_file_name(char *buf, si
struct stat sb;
#endif
- if (OPENSSL_issetugid() == 0)
- s = getenv("RANDFILE");
+ s = secure_getenv("RANDFILE");
if (s != NULL && *s && strlen(s) + 1 < size) {
if (BUF_strlcpy(buf, s, size) >= size)
return NULL;
} else {
- if (OPENSSL_issetugid() == 0)
- s = getenv("HOME");
+ s = secure_getenv("HOME");
#ifdef DEFAULT_HOME
if (s == NULL) {
s = DEFAULT_HOME;
diff -up openssl-1.0.2i/crypto/x509/by_dir.c.secure-getenv openssl-1.0.2i/crypto/x509/by_dir.c
--- openssl-1.0.2i/crypto/x509/by_dir.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/x509/by_dir.c 2016-09-22 13:51:30.047746858 +0200
@@ -56,6 +56,8 @@
* [including the GNU Public Licence.]
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <stdio.h>
#include <time.h>
#include <errno.h>
@@ -128,7 +130,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
switch (cmd) {
case X509_L_ADD_DIR:
if (argl == X509_FILETYPE_DEFAULT) {
- dir = (char *)getenv(X509_get_default_cert_dir_env());
+ dir = (char *)secure_getenv(X509_get_default_cert_dir_env());
if (dir)
ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
else
diff -up openssl-1.0.2i/crypto/x509/by_file.c.secure-getenv openssl-1.0.2i/crypto/x509/by_file.c
--- openssl-1.0.2i/crypto/x509/by_file.c.secure-getenv 2016-09-22 13:51:29.812741396 +0200
+++ openssl-1.0.2i/crypto/x509/by_file.c 2016-09-22 13:51:30.047746858 +0200
@@ -56,6 +56,8 @@
* [including the GNU Public Licence.]
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <stdio.h>
#include <time.h>
#include <errno.h>
@@ -97,7 +99,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx
switch (cmd) {
case X509_L_FILE_LOAD:
if (argl == X509_FILETYPE_DEFAULT) {
- file = (char *)getenv(X509_get_default_cert_file_env());
+ file = (char *)secure_getenv(X509_get_default_cert_file_env());
if (file)
ok = (X509_load_cert_crl_file(ctx, file,
X509_FILETYPE_PEM) != 0);
diff -up openssl-1.0.2i/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.2i/crypto/x509/x509_vfy.c
--- openssl-1.0.2i/crypto/x509/x509_vfy.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/x509/x509_vfy.c 2016-09-22 13:51:30.048746881 +0200
@@ -56,6 +56,8 @@
* [including the GNU Public Licence.]
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <stdio.h>
#include <time.h>
#include <errno.h>
@@ -620,7 +622,7 @@ static int check_chain_extensions(X509_S
* A hack to keep people who don't want to modify their software
* happy
*/
- if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
+ if (secure_getenv("OPENSSL_ALLOW_PROXY_CERTS"))
allow_proxy_certs = 1;
purpose = ctx->param->purpose;
}
diff -up openssl-1.0.2i/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.2i/engines/ccgost/gost_ctl.c
--- openssl-1.0.2i/engines/ccgost/gost_ctl.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/engines/ccgost/gost_ctl.c 2016-09-22 13:51:30.048746881 +0200
@@ -6,6 +6,8 @@
* Implementation of control commands for GOST engine *
* OpenSSL 0.9.9 libraries required *
**********************************************************************/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <openssl/crypto.h>
@@ -64,7 +66,7 @@ const char *get_gost_engine_param(int pa
if (gost_params[param] != NULL) {
return gost_params[param];
}
- tmp = getenv(gost_envnames[param]);
+ tmp = secure_getenv(gost_envnames[param]);
if (tmp) {
if (gost_params[param])
OPENSSL_free(gost_params[param]);
@@ -79,7 +81,7 @@ int gost_set_default_param(int param, co
const char *tmp;
if (param < 0 || param > GOST_PARAM_MAX)
return 0;
- tmp = getenv(gost_envnames[param]);
+ tmp = secure_getenv(gost_envnames[param]);
/*
* if there is value in the environment, use it, else -passed string *
*/

1396
SOURCES/openssl-1.0.2j-new-fips-reqs.patch
View File

File diff suppressed because it is too large Load Diff

65
SOURCES/openssl-1.0.2k-fips-randlock.patch
View File

@ -1,65 +0,0 @@
diff -up openssl-1.0.2k/crypto/fips/fips_drbg_lib.c.fips-randlock openssl-1.0.2k/crypto/fips/fips_drbg_lib.c
--- openssl-1.0.2k/crypto/fips/fips_drbg_lib.c.fips-randlock 2017-03-09 17:59:26.249231181 +0100
+++ openssl-1.0.2k/crypto/fips/fips_drbg_lib.c 2017-11-16 09:16:06.188098078 +0100
@@ -338,6 +338,12 @@ int FIPS_drbg_reseed(DRBG_CTX *dctx,
return drbg_reseed(dctx, adin, adinlen, 1);
}
+void FIPS_drbg_set_reseed(DRBG_CTX *dctx)
+{
+ if (dctx->status == DRBG_STATUS_READY)
+ dctx->reseed_counter = dctx->reseed_interval;
+}
+
static int fips_drbg_check(DRBG_CTX *dctx)
{
if (dctx->xflags & DRBG_FLAG_TEST)
diff -up openssl-1.0.2k/crypto/fips/fips_rand.h.fips-randlock openssl-1.0.2k/crypto/fips/fips_rand.h
--- openssl-1.0.2k/crypto/fips/fips_rand.h.fips-randlock 2017-03-09 17:59:26.252231250 +0100
+++ openssl-1.0.2k/crypto/fips/fips_rand.h 2017-11-07 10:06:40.241450151 +0100
@@ -86,6 +86,7 @@ extern "C" {
const unsigned char *pers, size_t perslen);
int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin,
size_t adinlen);
+ void FIPS_drbg_set_reseed(DRBG_CTX *dctx);
int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
int prediction_resistance,
const unsigned char *adin, size_t adinlen);
diff -up openssl-1.0.2k/crypto/rand/md_rand.c.fips-randlock openssl-1.0.2k/crypto/rand/md_rand.c
--- openssl-1.0.2k/crypto/rand/md_rand.c.fips-randlock 2017-03-09 17:59:26.255231320 +0100
+++ openssl-1.0.2k/crypto/rand/md_rand.c 2017-12-06 09:20:23.615879425 +0100
@@ -391,10 +391,10 @@ int ssleay_rand_bytes(unsigned char *buf
CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
crypto_lock_rand = 1;
- /* always poll for external entropy in FIPS mode, drbg provides the
- * expansion
+ /* always poll for external entropy in FIPS mode, if run as seed
+ * source, drbg provides the expansion
*/
- if (!initialized || FIPS_module_mode()) {
+ if (!initialized || (!lock && FIPS_module_mode())) {
RAND_poll();
initialized = 1;
}
diff -up openssl-1.0.2k/crypto/rand/rand_lib.c.fips-randlock openssl-1.0.2k/crypto/rand/rand_lib.c
--- openssl-1.0.2k/crypto/rand/rand_lib.c.fips-randlock 2017-03-09 17:59:26.292232183 +0100
+++ openssl-1.0.2k/crypto/rand/rand_lib.c 2017-11-07 10:20:08.050403861 +0100
@@ -238,7 +238,7 @@ static int drbg_rand_add(DRBG_CTX *ctx,
RAND_SSLeay()->add(in, inlen, entropy);
if (FIPS_rand_status()) {
CRYPTO_w_lock(CRYPTO_LOCK_RAND);
- FIPS_drbg_reseed(ctx, NULL, 0);
+ FIPS_drbg_set_reseed(ctx);
CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
}
return 1;
@@ -249,7 +249,7 @@ static int drbg_rand_seed(DRBG_CTX *ctx,
RAND_SSLeay()->seed(in, inlen);
if (FIPS_rand_status()) {
CRYPTO_w_lock(CRYPTO_LOCK_RAND);
- FIPS_drbg_reseed(ctx, NULL, 0);
+ FIPS_drbg_set_reseed(ctx);
CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
}
return 1;

604
SOURCES/openssl-1.0.2k-starttls.patch
View File

@ -1,604 +0,0 @@
diff -up openssl-1.0.2k/apps/apps.c.starttls openssl-1.0.2k/apps/apps.c
--- openssl-1.0.2k/apps/apps.c.starttls 2017-01-26 14:22:03.000000000 +0100
+++ openssl-1.0.2k/apps/apps.c 2017-03-09 17:35:35.519765927 +0100
@@ -3277,3 +3277,11 @@ int raw_write_stdout(const void *buf, in
return write(fileno_stdout(), buf, siz);
}
#endif
+
+void make_uppercase(char *string)
+{
+ int i;
+
+ for (i = 0; string[i] != '\0'; i++)
+ string[i] = toupper((unsigned char)string[i]);
+}
diff -up openssl-1.0.2k/apps/apps.h.starttls openssl-1.0.2k/apps/apps.h
--- openssl-1.0.2k/apps/apps.h.starttls 2017-03-09 17:35:28.632604234 +0100
+++ openssl-1.0.2k/apps/apps.h 2017-03-09 17:35:35.520765950 +0100
@@ -384,6 +384,8 @@ int raw_write_stdout(const void *, int);
# define TM_STOP 1
double app_tminterval(int stop, int usertime);
+void make_uppercase(char *string);
+
# define OPENSSL_NO_SSL_INTERN
#endif
diff -up openssl-1.0.2k/apps/s_client.c.starttls openssl-1.0.2k/apps/s_client.c
--- openssl-1.0.2k/apps/s_client.c.starttls 2017-03-09 17:35:28.684605455 +0100
+++ openssl-1.0.2k/apps/s_client.c 2017-03-09 17:52:59.153207946 +0100
@@ -134,7 +134,8 @@
* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
* OTHERWISE.
*/
-
+/* for strcasestr */
+#define _GNU_SOURCE
#include <assert.h>
#include <ctype.h>
#include <stdio.h>
@@ -202,6 +203,7 @@ static char *krb5svc = NULL;
#undef BUFSIZZ
#define BUFSIZZ 1024*8
+#define S_CLIENT_IRC_READ_TIMEOUT 8
extern int verify_depth;
extern int verify_error;
@@ -228,6 +230,7 @@ static void print_stuff(BIO *berr, SSL *
#ifndef OPENSSL_NO_TLSEXT
static int ocsp_resp_cb(SSL *s, void *arg);
#endif
+static int ldap_ExtendedResponse_parse(const char *buf, long rem);
static BIO *bio_c_out = NULL;
static BIO *bio_c_msg = NULL;
static int c_quiet = 0;
@@ -402,8 +405,14 @@ static void sc_usage(void)
BIO_printf(bio_err,
" 'prot' defines which one to assume. Currently,\n");
BIO_printf(bio_err,
- " only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
- BIO_printf(bio_err, " are supported.\n");
+ " only \"smtp\", \"pop3\", \"imap\", \"ftp\", \"xmpp\",\n");
+ BIO_printf(bio_err,
+ " \"xmpp-server\", \"irc\", \"postgres\", \"lmtp\", \"nntp\",\n");
+ BIO_printf(bio_err, " \"sieve\" and \"ldap\" are supported.\n");
+ BIO_printf(bio_err,
+ " -xmpphost host - Host to use with \"-starttls xmpp[-server]\"\n");
+ BIO_printf(bio_err,
+ " -name host - Hostname to use for \"-starttls lmtp\" or \"-starttls smtp\"\n");
#ifndef OPENSSL_NO_KRB5
BIO_printf(bio_err, " -krb5svc arg - Kerberos service name\n");
#endif
@@ -657,7 +666,15 @@ enum {
PROTO_POP3,
PROTO_IMAP,
PROTO_FTP,
- PROTO_XMPP
+ PROTO_TELNET,
+ PROTO_XMPP,
+ PROTO_XMPP_SERVER,
+ PROTO_IRC,
+ PROTO_POSTGRES,
+ PROTO_LMTP,
+ PROTO_NNTP,
+ PROTO_SIEVE,
+ PROTO_LDAP
};
int MAIN(int, char **);
@@ -726,6 +743,8 @@ int MAIN(int argc, char **argv)
#endif
char *sess_in = NULL;
char *sess_out = NULL;
+ char *xmpphost = NULL;
+ const char *ehlo = "openssl.client.net";
struct sockaddr peer;
int peerlen = sizeof(peer);
int fallback_scsv = 0;
@@ -1097,8 +1116,32 @@ int MAIN(int argc, char **argv)
starttls_proto = PROTO_FTP;
else if (strcmp(*argv, "xmpp") == 0)
starttls_proto = PROTO_XMPP;
+ else if (strcmp(*argv, "xmpp-server") == 0)
+ starttls_proto = PROTO_XMPP_SERVER;
+ else if (strcmp(*argv, "telnet") == 0)
+ starttls_proto = PROTO_TELNET;
+ else if (strcmp(*argv, "irc") == 0)
+ starttls_proto = PROTO_IRC;
+ else if (strcmp(*argv, "postgres") == 0)
+ starttls_proto = PROTO_POSTGRES;
+ else if (strcmp(*argv, "lmtp") == 0)
+ starttls_proto = PROTO_LMTP;
+ else if (strcmp(*argv, "nntp") == 0)
+ starttls_proto = PROTO_NNTP;
+ else if (strcmp(*argv, "sieve") == 0)
+ starttls_proto = PROTO_SIEVE;
+ else if (strcmp(*argv, "ldap") == 0)
+ starttls_proto = PROTO_LDAP;
else
goto bad;
+ } else if (strcmp(*argv, "-xmpphost") == 0) {
+ if (--argc < 1)
+ goto bad;
+ xmpphost = *(++argv);
+ } else if (strcmp(*argv, "-name") == 0) {
+ if (--argc < 1)
+ goto bad;
+ ehlo = *(++argv);
}
#ifndef OPENSSL_NO_ENGINE
else if (strcmp(*argv, "-engine") == 0) {
@@ -1599,19 +1642,24 @@ int MAIN(int argc, char **argv)
* BIO into the chain that is removed again later on to not disturb the
* rest of the s_client operation.
*/
- if (starttls_proto == PROTO_SMTP) {
+ if (starttls_proto == PROTO_SMTP || starttls_proto == PROTO_LMTP) {
int foundit = 0;
BIO *fbio = BIO_new(BIO_f_buffer());
BIO_push(fbio, sbio);
- /* wait for multi-line response to end from SMTP */
+ /* Wait for multi-line response to end from LMTP or SMTP */
do {
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
}
while (mbuf_len > 3 && mbuf[3] == '-');
- /* STARTTLS command requires EHLO... */
- BIO_printf(fbio, "EHLO openssl.client.net\r\n");
+ if (starttls_proto == PROTO_LMTP)
+ BIO_printf(fbio, "LHLO %s\r\n", ehlo);
+ else
+ BIO_printf(fbio, "EHLO %s\r\n", ehlo);
(void)BIO_flush(fbio);
- /* wait for multi-line response to end EHLO SMTP response */
+ /*
+ * Wait for multi-line response to end LHLO LMTP or EHLO SMTP
+ * response.
+ */
do {
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
if (strstr(mbuf, "STARTTLS"))
@@ -1630,10 +1678,15 @@ int MAIN(int argc, char **argv)
} else if (starttls_proto == PROTO_POP3) {
BIO_read(sbio, mbuf, BUFSIZZ);
BIO_printf(sbio, "STLS\r\n");
- BIO_read(sbio, sbuf, BUFSIZZ);
+ mbuf_len = BIO_read(sbio, sbuf, BUFSIZZ);
+ if (mbuf_len < 0) {
+ BIO_printf(bio_err, "BIO_read failed\n");
+ goto end;
+ }
} else if (starttls_proto == PROTO_IMAP) {
int foundit = 0;
BIO *fbio = BIO_new(BIO_f_buffer());
+
BIO_push(fbio, sbio);
BIO_gets(fbio, mbuf, BUFSIZZ);
/* STARTTLS command requires CAPABILITY... */
@@ -1669,27 +1722,287 @@ int MAIN(int argc, char **argv)
BIO_printf(sbio, "AUTH TLS\r\n");
BIO_read(sbio, sbuf, BUFSIZZ);
}
- if (starttls_proto == PROTO_XMPP) {
+ else if (starttls_proto == PROTO_XMPP || starttls_proto == PROTO_XMPP_SERVER) {
int seen = 0;
BIO_printf(sbio, "<stream:stream "
"xmlns:stream='http://etherx.jabber.org/streams' "
- "xmlns='jabber:client' to='%s' version='1.0'>", host);
+ "xmlns='jabber:%s' to='%s' version='1.0'>",
+ starttls_proto == PROTO_XMPP ? "client" : "server",
+ xmpphost ? xmpphost : host);
seen = BIO_read(sbio, mbuf, BUFSIZZ);
+ if (seen < 0) {
+ BIO_printf(bio_err, "BIO_read failed\n");
+ goto end;
+ }
mbuf[seen] = 0;
- while (!strstr
- (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")) {
- if (strstr(mbuf, "/stream:features>"))
- goto shut;
+ while (!strcasestr
+ (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")
+ && !strcasestr(mbuf,
+ "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
+ {
seen = BIO_read(sbio, mbuf, BUFSIZZ);
+
+ if (seen <= 0)
+ goto shut;
+
mbuf[seen] = 0;
}
BIO_printf(sbio,
"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
seen = BIO_read(sbio, sbuf, BUFSIZZ);
+ if (seen < 0) {
+ BIO_printf(bio_err, "BIO_read failed\n");
+ goto shut;
+ }
sbuf[seen] = 0;
if (!strstr(sbuf, "<proceed"))
goto shut;
mbuf[0] = 0;
+ } else if (starttls_proto == PROTO_TELNET) {
+ static const unsigned char tls_do[] = {
+ /* IAC DO START_TLS */
+ 255, 253, 46
+ };
+ static const unsigned char tls_will[] = {
+ /* IAC WILL START_TLS */
+ 255, 251, 46
+ };
+ static const unsigned char tls_follows[] = {
+ /* IAC SB START_TLS FOLLOWS IAC SE */
+ 255, 250, 46, 1, 255, 240
+ };
+ int bytes;
+
+ /* Telnet server should demand we issue START_TLS */
+ bytes = BIO_read(sbio, mbuf, BUFSIZZ);
+ if (bytes != 3 || memcmp(mbuf, tls_do, 3) != 0)
+ goto shut;
+ /* Agree to issue START_TLS and send the FOLLOWS sub-command */
+ BIO_write(sbio, tls_will, 3);
+ BIO_write(sbio, tls_follows, 6);
+ (void)BIO_flush(sbio);
+ /* Telnet server also sent the FOLLOWS sub-command */
+ bytes = BIO_read(sbio, mbuf, BUFSIZZ);
+ if (bytes != 6 || memcmp(mbuf, tls_follows, 6) != 0)
+ goto shut;
+ } else if (starttls_proto == PROTO_IRC) {
+ int numeric;
+ BIO *fbio = BIO_new(BIO_f_buffer());
+
+ BIO_push(fbio, sbio);
+ BIO_printf(fbio, "STARTTLS\r\n");
+ (void)BIO_flush(fbio);
+ width = SSL_get_fd(con) + 1;
+
+ do {
+ numeric = 0;
+
+ FD_ZERO(&readfds);
+ openssl_fdset(SSL_get_fd(con), &readfds);
+ timeout.tv_sec = S_CLIENT_IRC_READ_TIMEOUT;
+ timeout.tv_usec = 0;
+ /*
+ * If the IRCd doesn't respond within
+ * S_CLIENT_IRC_READ_TIMEOUT seconds, assume
+ * it doesn't support STARTTLS. Many IRCds
+ * will not give _any_ sort of response to a
+ * STARTTLS command when it's not supported.
+ */
+ if (!BIO_get_buffer_num_lines(fbio)
+ && !BIO_pending(fbio)
+ && !BIO_pending(sbio)
+ && select(width, (void *)&readfds, NULL, NULL,
+ &timeout) < 1) {
+ BIO_printf(bio_err,
+ "Timeout waiting for response (%d seconds).\n",
+ S_CLIENT_IRC_READ_TIMEOUT);
+ break;
+ }
+
+ mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
+ if (mbuf_len < 1 || sscanf(mbuf, "%*s %d", &numeric) != 1)
+ break;
+ /* :example.net 451 STARTTLS :You have not registered */
+ /* :example.net 421 STARTTLS :Unknown command */
+ if ((numeric == 451 || numeric == 421)
+ && strstr(mbuf, "STARTTLS") != NULL) {
+ BIO_printf(bio_err, "STARTTLS not supported: %s", mbuf);
+ break;
+ }
+ if (numeric == 691) {
+ BIO_printf(bio_err, "STARTTLS negotiation failed: ");
+ ERR_print_errors(bio_err);
+ break;
+ }
+ } while (numeric != 670);
+
+ (void)BIO_flush(fbio);
+ BIO_pop(fbio);
+ BIO_free(fbio);
+ if (numeric != 670) {
+ BIO_printf(bio_err, "Server does not support STARTTLS.\n");
+ ret = 1;
+ goto shut;
+ }
+ } else if (starttls_proto == PROTO_POSTGRES) {
+ static const unsigned char ssl_request[] = {
+ /* Length SSLRequest */
+ 0, 0, 0, 8, 4, 210, 22, 47
+ };
+ int bytes;
+
+ /* Send SSLRequest packet */
+ BIO_write(sbio, ssl_request, 8);
+ (void)BIO_flush(sbio);
+
+ /* Reply will be a single S if SSL is enabled */
+ bytes = BIO_read(sbio, sbuf, BUFSIZZ);
+ if (bytes != 1 || sbuf[0] != 'S')
+ goto shut;
+ } else if (starttls_proto == PROTO_NNTP) {
+ int foundit = 0;
+ BIO *fbio = BIO_new(BIO_f_buffer());
+
+ BIO_push(fbio, sbio);
+ BIO_gets(fbio, mbuf, BUFSIZZ);
+ /* STARTTLS command requires CAPABILITIES... */
+ BIO_printf(fbio, "CAPABILITIES\r\n");
+ (void)BIO_flush(fbio);
+ /* wait for multi-line CAPABILITIES response */
+ do {
+ mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
+ if (strstr(mbuf, "STARTTLS"))
+ foundit = 1;
+ } while (mbuf_len > 1 && mbuf[0] != '.');
+ (void)BIO_flush(fbio);
+ BIO_pop(fbio);
+ BIO_free(fbio);
+ if (!foundit)
+ BIO_printf(bio_err,
+ "Didn't find STARTTLS in server response,"
+ " trying anyway...\n");
+ BIO_printf(sbio, "STARTTLS\r\n");
+ mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ);
+ if (mbuf_len < 0) {
+ BIO_printf(bio_err, "BIO_read failed\n");
+ goto end;
+ }
+ mbuf[mbuf_len] = '\0';
+ if (strstr(mbuf, "382") == NULL) {
+ BIO_printf(bio_err, "STARTTLS failed: %s", mbuf);
+ goto shut;
+ }
+ } else if (starttls_proto == PROTO_SIEVE) {
+ int foundit = 0;
+ BIO *fbio = BIO_new(BIO_f_buffer());
+
+ BIO_push(fbio, sbio);
+ /* wait for multi-line response to end from Sieve */
+ do {
+ mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
+ /*
+ * According to RFC 5804 § 1.7, capability
+ * is case-insensitive, make it uppercase
+ */
+ if (mbuf_len > 1 && mbuf[0] == '"') {
+ make_uppercase(mbuf);
+ if (strncmp(mbuf, "\"STARTTLS\"", 10) == 0)
+ foundit = 1;
+ }
+ } while (mbuf_len > 1 && mbuf[0] == '"');
+ (void)BIO_flush(fbio);
+ BIO_pop(fbio);
+ BIO_free(fbio);
+ if (!foundit)
+ BIO_printf(bio_err,
+ "Didn't find STARTTLS in server response,"
+ " trying anyway...\n");
+ BIO_printf(sbio, "STARTTLS\r\n");
+ mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ);
+ if (mbuf_len < 0) {
+ BIO_printf(bio_err, "BIO_read failed\n");
+ goto end;
+ }
+ mbuf[mbuf_len] = '\0';
+ if (mbuf_len < 2) {
+ BIO_printf(bio_err, "STARTTLS failed: %s", mbuf);
+ goto shut;
+ }
+ /*
+ * According to RFC 5804 § 2.2, response codes are case-
+ * insensitive, make it uppercase but preserve the response.
+ */
+ strncpy(sbuf, mbuf, 2);
+ make_uppercase(sbuf);
+ if (strncmp(sbuf, "OK", 2) != 0) {
+ BIO_printf(bio_err, "STARTTLS not supported: %s", mbuf);
+ goto shut;
+ }
+ } else if (starttls_proto == PROTO_LDAP) {
+ /* StartTLS Operation according to RFC 4511 */
+ static char ldap_tls_genconf[] = "asn1=SEQUENCE:LDAPMessage\n"
+ "[LDAPMessage]\n"
+ "messageID=INTEGER:1\n"
+ "extendedReq=EXPLICIT:23A,IMPLICIT:0C,"
+ "FORMAT:ASCII,OCT:1.3.6.1.4.1.1466.20037\n";
+ long errline = -1;
+ char *genstr = NULL;
+ int result = -1;
+ ASN1_TYPE *atyp = NULL;
+ BIO *ldapbio = BIO_new(BIO_s_mem());
+ CONF *cnf = NCONF_new(NULL);
+
+ if (cnf == NULL) {
+ BIO_free(ldapbio);
+ goto end;
+ }
+ BIO_puts(ldapbio, ldap_tls_genconf);
+ if (NCONF_load_bio(cnf, ldapbio, &errline) <= 0) {
+ BIO_free(ldapbio);
+ NCONF_free(cnf);
+ if (errline <= 0) {
+ BIO_printf(bio_err, "NCONF_load_bio failed\n");
+ goto end;
+ } else {
+ BIO_printf(bio_err, "Error on line %ld\n", errline);
+ goto end;
+ }
+ }
+ BIO_free(ldapbio);
+ genstr = NCONF_get_string(cnf, "default", "asn1");
+ if (genstr == NULL) {
+ NCONF_free(cnf);
+ BIO_printf(bio_err, "NCONF_get_string failed\n");
+ goto end;
+ }
+ atyp = ASN1_generate_nconf(genstr, cnf);
+ if (atyp == NULL) {
+ NCONF_free(cnf);
+ BIO_printf(bio_err, "ASN1_generate_nconf failed\n");
+ goto end;
+ }
+ NCONF_free(cnf);
+ /* Send SSLRequest packet */
+ BIO_write(sbio, atyp->value.sequence->data,
+ atyp->value.sequence->length);
+ (void)BIO_flush(sbio);
+ ASN1_TYPE_free(atyp);
+
+ mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ);
+ if (mbuf_len < 0) {
+ BIO_printf(bio_err, "BIO_read failed\n");
+ goto end;
+ }
+ result = ldap_ExtendedResponse_parse(mbuf, mbuf_len);
+ if (result < 0) {
+ BIO_printf(bio_err, "ldap_ExtendedResponse_parse failed\n");
+ goto shut;
+ } else if (result > 0) {
+ BIO_printf(bio_err, "STARTTLS failed, LDAP Result Code: %i\n",
+ result);
+ goto shut;
+ }
+ mbuf_len = 0;
}
for (;;) {
@@ -1738,7 +2051,7 @@ int MAIN(int argc, char **argv)
full_log--;
if (starttls_proto) {
- BIO_printf(bio_err, "%s", mbuf);
+ BIO_write(bio_err, mbuf, mbuf_len);
/* We don't need to know any more */
starttls_proto = PROTO_OFF;
}
@@ -2372,3 +2685,87 @@ static int ocsp_resp_cb(SSL *s, void *ar
}
#endif
+
+static int ldap_ExtendedResponse_parse(const char *buf, long rem)
+{
+ const unsigned char *cur, *end;
+ long len;
+ int tag, xclass, inf, ret = -1;
+
+ cur = (const unsigned char *)buf;
+ end = cur + rem;
+
+ /*
+ * From RFC 4511:
+ *
+ * LDAPMessage ::= SEQUENCE {
+ * messageID MessageID,
+ * protocolOp CHOICE {
+ * ...
+ * extendedResp ExtendedResponse,
+ * ... },
+ * controls [0] Controls OPTIONAL }
+ *
+ * ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
+ * COMPONENTS OF LDAPResult,
+ * responseName [10] LDAPOID OPTIONAL,
+ * responseValue [11] OCTET STRING OPTIONAL }
+ *
+ * LDAPResult ::= SEQUENCE {
+ * resultCode ENUMERATED {
+ * success (0),
+ * ...
+ * other (80),
+ * ... },
+ * matchedDN LDAPDN,
+ * diagnosticMessage LDAPString,
+ * referral [3] Referral OPTIONAL }
+ */
+
+ /* pull SEQUENCE */
+ inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
+ if (inf != V_ASN1_CONSTRUCTED || tag != V_ASN1_SEQUENCE ||
+ (rem = end - cur, len > rem)) {
+ BIO_printf(bio_err, "Unexpected LDAP response\n");
+ goto end;
+ }
+
+ rem = len; /* ensure that we don't overstep the SEQUENCE */
+
+ /* pull MessageID */
+ inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
+ if (inf != V_ASN1_UNIVERSAL || tag != V_ASN1_INTEGER ||
+ (rem = end - cur, len > rem)) {
+ BIO_printf(bio_err, "No MessageID\n");
+ goto end;
+ }
+
+ cur += len; /* shall we check for MessageId match or just skip? */
+
+ /* pull [APPLICATION 24] */
+ rem = end - cur;
+ inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
+ if (inf != V_ASN1_CONSTRUCTED || xclass != V_ASN1_APPLICATION ||
+ tag != 24) {
+ BIO_printf(bio_err, "Not ExtendedResponse\n");
+ goto end;
+ }
+
+ /* pull resultCode */
+ rem = end - cur;
+ inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
+ if (inf != V_ASN1_UNIVERSAL || tag != V_ASN1_ENUMERATED || len == 0 ||
+ (rem = end - cur, len > rem)) {
+ BIO_printf(bio_err, "Not LDAPResult\n");
+ goto end;
+ }
+
+ /* len should always be one, but just in case... */
+ for (ret = 0, inf = 0; inf < len; inf++) {
+ ret <<= 8;
+ ret |= cur[inf];
+ }
+ /* There is more data, but we don't care... */
+ end:
+ return ret;
+}
diff -up openssl-1.0.2k/doc/apps/s_client.pod.starttls openssl-1.0.2k/doc/apps/s_client.pod
--- openssl-1.0.2k/doc/apps/s_client.pod.starttls 2017-03-09 17:35:28.684605455 +0100
+++ openssl-1.0.2k/doc/apps/s_client.pod 2017-03-09 17:42:54.455070967 +0100
@@ -46,6 +46,8 @@ B<openssl> B<s_client>
[B<-krb5svc service>]
[B<-serverpref>]
[B<-starttls protocol>]
+[B<-xmpphost hostname>]
+[B<-name hostname>]
[B<-engine id>]
[B<-tlsextdebug>]
[B<-no_ticket>]
@@ -239,7 +241,20 @@ need keys for that principal in its keyt
send the protocol-specific message(s) to switch to TLS for communication.
B<protocol> is a keyword for the intended protocol. Currently, the only
-supported keywords are "smtp", "pop3", "imap", and "ftp".
+supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server",
+"irc", "postgres", "lmtp", "nntp", "sieve" and "ldap".
+
+=item B<-xmpphost hostname>
+
+This option, when used with "-starttls xmpp" or "-starttls xmpp-server",
+specifies the host for the "to" attribute of the stream element.
+If this option is not specified, then the host specified with "-connect"
+will be used.
+
+=item B<-name hostname>
+
+the host name to use with "-starttls smtp".
+If this option is not specified, the default "openssl.client.net" will be used.
=item B<-tlsextdebug>

24
SPECS/mingw-openssl.spec
View File

@ -24,7 +24,7 @@
Name: mingw-openssl
Version: 1.0.2k
Release: 1%{?dist}
Release: 2%{?dist}
Summary: MinGW port of the OpenSSL toolkit
License: OpenSSL
@ -63,28 +63,28 @@ Patch24: openssl-1.0.2a-issuer-hash.patch
Patch33: openssl-1.0.0-beta4-ca-dir.patch
Patch34: openssl-1.0.2a-x509.patch
Patch35: openssl-1.0.2a-version-add-engines.patch
Patch39: openssl-1.0.2a-ipv6-apps.patch
# Patch39: openssl-1.0.2a-ipv6-apps.patch
Patch40: openssl-1.0.2i-fips.patch
Patch43: openssl-1.0.2j-krb5keytab.patch
Patch45: openssl-1.0.2a-env-zlib.patch
Patch47: openssl-1.0.2a-readme-warning.patch
Patch49: openssl-1.0.1i-algo-doc.patch
Patch50: openssl-1.0.2a-dtls1-abi.patch
Patch51: openssl-1.0.2a-version.patch
Patch56: openssl-1.0.2a-rsa-x931.patch
# Patch51: openssl-1.0.2a-version.patch
# Patch56: openssl-1.0.2a-rsa-x931.patch
Patch58: openssl-1.0.2a-fips-md5-allow.patch
Patch60: openssl-1.0.2a-apps-dgst.patch
Patch63: openssl-1.0.2k-starttls.patch
# Patch63: openssl-1.0.2k-starttls.patch
Patch65: openssl-1.0.2i-chil-fixes.patch
Patch66: openssl-1.0.2h-pkgconfig.patch
Patch68: openssl-1.0.2i-secure-getenv.patch
Patch70: openssl-1.0.2a-fips-ec.patch
# Patch68: openssl-1.0.2i-secure-getenv.patch
# Patch70: openssl-1.0.2a-fips-ec.patch
Patch71: openssl-1.0.2g-manfix.patch
Patch72: openssl-1.0.2a-fips-ctor.patch
# Patch72: openssl-1.0.2a-fips-ctor.patch
Patch73: openssl-1.0.2c-ecc-suiteb.patch
Patch74: openssl-1.0.2j-deprecate-algos.patch
Patch75: openssl-1.0.2a-compat-symbols.patch
Patch76: openssl-1.0.2j-new-fips-reqs.patch
# Patch76: openssl-1.0.2j-new-fips-reqs.patch
Patch77: openssl-1.0.2j-downgrade-strength.patch
Patch78: openssl-1.0.2k-cc-reqs.patch
Patch90: openssl-1.0.2i-enc-fail.patch
@ -93,7 +93,7 @@ Patch95: openssl-1.0.2e-remove-nistp224.patch
Patch96: openssl-1.0.2e-speed-doc.patch
Patch97: openssl-1.0.2k-no-ssl2.patch
Patch98: openssl-1.0.2k-long-hello.patch
Patch99: openssl-1.0.2k-fips-randlock.patch
# Patch99: openssl-1.0.2k-fips-randlock.patch
# Backported fixes including security fixes
Patch80: openssl-1.0.2e-wrap-pad.patch
Patch81: openssl-1.0.2a-padlock64.patch
@ -548,6 +548,10 @@ find %{buildroot}%{mingw64_prefix} | grep -E '.(exe|dll|pyd)$' | sed 's|^%{build
%changelog
* Mon Aug 19 2019 Victor Toso <victortoso@redhat.com> - 1.0.2k-2
- Remove not applied patchs from the source list
Related: rhbz#1704077
* Fri Aug 24 2018 Christophe Fergeau <cfergeau@redhat.com> - 1.0.2k-1
- Sync with rhel 7.6 OpenSSL 1.0.2k+patches in order to get the latest security
fixes