Dropped several unused (obsoleted) patches and added a comment to the .spec
file about the purpose of one of patches
This commit is contained in:
parent
1bc08028b9
commit
aa14161f4f
@ -89,6 +89,8 @@ Patch100: mingw32-openssl-1.0.0-beta3-configure.patch
|
|||||||
Patch101: mingw32-openssl-1.0.0-beta3-libversion.patch
|
Patch101: mingw32-openssl-1.0.0-beta3-libversion.patch
|
||||||
# Fix engines/ install target after lib rename
|
# Fix engines/ install target after lib rename
|
||||||
Patch102: mingw32-openssl-1.0.0-beta3-sfx.patch
|
Patch102: mingw32-openssl-1.0.0-beta3-sfx.patch
|
||||||
|
# Ugly patch to fix a compilation error (the linker can't find
|
||||||
|
# some symbols mentioned in an autogenerated .def file)
|
||||||
Patch105: mingw32-openssl-1.0.0-beta3-linker-fix.patch
|
Patch105: mingw32-openssl-1.0.0-beta3-linker-fix.patch
|
||||||
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||||
|
@ -1,50 +0,0 @@
|
|||||||
--- openssl-0.9.8a/apps/openssl.cnf.defaults 2005-09-16 14:20:24.000000000 +0200
|
|
||||||
+++ openssl-0.9.8a/apps/openssl.cnf 2005-11-04 11:00:37.000000000 +0100
|
|
||||||
@@ -99,6 +99,7 @@
|
|
||||||
####################################################################
|
|
||||||
[ req ]
|
|
||||||
default_bits = 1024
|
|
||||||
+default_md = sha1
|
|
||||||
default_keyfile = privkey.pem
|
|
||||||
distinguished_name = req_distinguished_name
|
|
||||||
attributes = req_attributes
|
|
||||||
@@ -116,23 +117,26 @@
|
|
||||||
# MASK:XXXX a literal mask value.
|
|
||||||
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
|
|
||||||
# so use this option with caution!
|
|
||||||
-string_mask = nombstr
|
|
||||||
+# we use PrintableString+UTF8String mask so if pure ASCII texts are used
|
|
||||||
+# the resulting certificates are compatible with Netscape
|
|
||||||
+string_mask = MASK:0x2002
|
|
||||||
|
|
||||||
# req_extensions = v3_req # The extensions to add to a certificate request
|
|
||||||
|
|
||||||
[ req_distinguished_name ]
|
|
||||||
countryName = Country Name (2 letter code)
|
|
||||||
-countryName_default = AU
|
|
||||||
+countryName_default = GB
|
|
||||||
countryName_min = 2
|
|
||||||
countryName_max = 2
|
|
||||||
|
|
||||||
stateOrProvinceName = State or Province Name (full name)
|
|
||||||
-stateOrProvinceName_default = Some-State
|
|
||||||
+stateOrProvinceName_default = Berkshire
|
|
||||||
|
|
||||||
localityName = Locality Name (eg, city)
|
|
||||||
+localityName_default = Newbury
|
|
||||||
|
|
||||||
0.organizationName = Organization Name (eg, company)
|
|
||||||
-0.organizationName_default = Internet Widgits Pty Ltd
|
|
||||||
+0.organizationName_default = My Company Ltd
|
|
||||||
|
|
||||||
# we can do this but it is not needed normally :-)
|
|
||||||
#1.organizationName = Second Organization Name (eg, company)
|
|
||||||
@@ -141,7 +145,7 @@
|
|
||||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
|
||||||
#organizationalUnitName_default =
|
|
||||||
|
|
||||||
-commonName = Common Name (eg, YOUR name)
|
|
||||||
+commonName = Common Name (eg, your name or your server\'s hostname)
|
|
||||||
commonName_max = 64
|
|
||||||
|
|
||||||
emailAddress = Email Address
|
|
@ -1,11 +0,0 @@
|
|||||||
--- openssl-0.9.8a/Makefile.org.link-krb5 2005-07-05 07:14:21.000000000 +0200
|
|
||||||
+++ openssl-0.9.8a/Makefile.org 2005-11-07 18:00:08.000000000 +0100
|
|
||||||
@@ -266,7 +266,7 @@
|
|
||||||
|
|
||||||
do_$(SHLIB_TARGET):
|
|
||||||
@ set -e; libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
|
|
||||||
- if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
|
|
||||||
+ if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \
|
|
||||||
libs="$(LIBKRB5) $$libs"; \
|
|
||||||
fi; \
|
|
||||||
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
|
|
@ -1,20 +0,0 @@
|
|||||||
--- openssl-0.9.8a/ssl/ssl.h.cipher-change 2005-11-22 16:36:22.000000000 +0100
|
|
||||||
+++ openssl-0.9.8a/ssl/ssl.h 2005-12-15 11:28:05.000000000 +0100
|
|
||||||
@@ -477,7 +477,7 @@
|
|
||||||
|
|
||||||
#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L
|
|
||||||
#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
|
|
||||||
-#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
|
|
||||||
+#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L /* can break some security expectations */
|
|
||||||
#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
|
|
||||||
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
|
|
||||||
#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */
|
|
||||||
@@ -494,7 +494,7 @@
|
|
||||||
|
|
||||||
/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
|
|
||||||
* This used to be 0x000FFFFFL before 0.9.7. */
|
|
||||||
-#define SSL_OP_ALL 0x00000FFFL
|
|
||||||
+#define SSL_OP_ALL 0x00000FF7L /* without SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG */
|
|
||||||
|
|
||||||
/* DTLS options */
|
|
||||||
#define SSL_OP_NO_QUERY_MTU 0x00001000L
|
|
@ -1,18 +0,0 @@
|
|||||||
--- openssl-0.9.8b/crypto/x509/x509_cmp.c.name-cmp 2004-12-01 02:45:30.000000000 +0100
|
|
||||||
+++ openssl-0.9.8b/crypto/x509/x509_cmp.c 2006-11-30 23:37:26.000000000 +0100
|
|
||||||
@@ -282,14 +282,7 @@
|
|
||||||
nb=sk_X509_NAME_ENTRY_value(b->entries,i);
|
|
||||||
j=na->value->type-nb->value->type;
|
|
||||||
if (j)
|
|
||||||
- {
|
|
||||||
- nabit = ASN1_tag2bit(na->value->type);
|
|
||||||
- nbbit = ASN1_tag2bit(nb->value->type);
|
|
||||||
- if (!(nabit & STR_TYPE_CMP) ||
|
|
||||||
- !(nbbit & STR_TYPE_CMP))
|
|
||||||
- return j;
|
|
||||||
- j = asn1_string_memcmp(na->value, nb->value);
|
|
||||||
- }
|
|
||||||
+ return j;
|
|
||||||
else if (na->value->type == V_ASN1_PRINTABLESTRING)
|
|
||||||
j=nocase_spacenorm_cmp(na->value, nb->value);
|
|
||||||
else if (na->value->type == V_ASN1_IA5STRING
|
|
@ -1,77 +0,0 @@
|
|||||||
diff -up openssl-0.9.8g/apps/s_server.c.default-paths openssl-0.9.8g/apps/s_server.c
|
|
||||||
--- openssl-0.9.8g/apps/s_server.c.default-paths 2007-12-13 17:41:34.000000000 +0100
|
|
||||||
+++ openssl-0.9.8g/apps/s_server.c 2007-12-13 17:36:58.000000000 +0100
|
|
||||||
@@ -1077,12 +1077,13 @@ bad:
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
|
|
||||||
- (!SSL_CTX_set_default_verify_paths(ctx)))
|
|
||||||
+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
|
|
||||||
+ {
|
|
||||||
+ ERR_print_errors(bio_err);
|
|
||||||
+ }
|
|
||||||
+ if (!SSL_CTX_set_default_verify_paths(ctx))
|
|
||||||
{
|
|
||||||
- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
|
|
||||||
ERR_print_errors(bio_err);
|
|
||||||
- /* goto end; */
|
|
||||||
}
|
|
||||||
store = SSL_CTX_get_cert_store(ctx);
|
|
||||||
X509_STORE_set_flags(store, vflags);
|
|
||||||
@@ -1132,8 +1133,11 @@ bad:
|
|
||||||
|
|
||||||
SSL_CTX_sess_set_cache_size(ctx2,128);
|
|
||||||
|
|
||||||
- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
|
|
||||||
- (!SSL_CTX_set_default_verify_paths(ctx2)))
|
|
||||||
+ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
|
|
||||||
+ {
|
|
||||||
+ ERR_print_errors(bio_err);
|
|
||||||
+ }
|
|
||||||
+ if (!SSL_CTX_set_default_verify_paths(ctx2))
|
|
||||||
{
|
|
||||||
ERR_print_errors(bio_err);
|
|
||||||
}
|
|
||||||
diff -up openssl-0.9.8g/apps/s_client.c.default-paths openssl-0.9.8g/apps/s_client.c
|
|
||||||
--- openssl-0.9.8g/apps/s_client.c.default-paths 2007-12-13 17:41:34.000000000 +0100
|
|
||||||
+++ openssl-0.9.8g/apps/s_client.c 2007-12-13 17:37:34.000000000 +0100
|
|
||||||
@@ -673,12 +673,13 @@ bad:
|
|
||||||
if (!set_cert_key_stuff(ctx,cert,key))
|
|
||||||
goto end;
|
|
||||||
|
|
||||||
- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
|
|
||||||
- (!SSL_CTX_set_default_verify_paths(ctx)))
|
|
||||||
+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
|
|
||||||
+ {
|
|
||||||
+ ERR_print_errors(bio_err);
|
|
||||||
+ }
|
|
||||||
+ if (!SSL_CTX_set_default_verify_paths(ctx))
|
|
||||||
{
|
|
||||||
- /* BIO_printf(bio_err,"error setting default verify locations\n"); */
|
|
||||||
ERR_print_errors(bio_err);
|
|
||||||
- /* goto end; */
|
|
||||||
}
|
|
||||||
|
|
||||||
store = SSL_CTX_get_cert_store(ctx);
|
|
||||||
diff -up openssl-0.9.8g/apps/s_time.c.default-paths openssl-0.9.8g/apps/s_time.c
|
|
||||||
--- openssl-0.9.8g/apps/s_time.c.default-paths 2003-12-27 15:40:17.000000000 +0100
|
|
||||||
+++ openssl-0.9.8g/apps/s_time.c 2007-12-13 17:35:27.000000000 +0100
|
|
||||||
@@ -476,12 +476,13 @@ int MAIN(int argc, char **argv)
|
|
||||||
|
|
||||||
SSL_load_error_strings();
|
|
||||||
|
|
||||||
- if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ||
|
|
||||||
- (!SSL_CTX_set_default_verify_paths(tm_ctx)))
|
|
||||||
+ if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath))
|
|
||||||
+ {
|
|
||||||
+ ERR_print_errors(bio_err);
|
|
||||||
+ }
|
|
||||||
+ if (!SSL_CTX_set_default_verify_paths(tm_ctx))
|
|
||||||
{
|
|
||||||
- /* BIO_printf(bio_err,"error setting default verify locations\n"); */
|
|
||||||
ERR_print_errors(bio_err);
|
|
||||||
- /* goto end; */
|
|
||||||
}
|
|
||||||
|
|
||||||
if (tm_cipher == NULL)
|
|
@ -1,27 +0,0 @@
|
|||||||
diff -up openssl-0.9.8g/ssl/t1_lib.c.no-extssl openssl-0.9.8g/ssl/t1_lib.c
|
|
||||||
--- openssl-0.9.8g/ssl/t1_lib.c.no-extssl 2007-10-19 09:44:10.000000000 +0200
|
|
||||||
+++ openssl-0.9.8g/ssl/t1_lib.c 2008-08-10 21:42:11.000000000 +0200
|
|
||||||
@@ -132,6 +132,11 @@ unsigned char *ssl_add_clienthello_tlsex
|
|
||||||
int extdatalen=0;
|
|
||||||
unsigned char *ret = p;
|
|
||||||
|
|
||||||
+ if (s->client_version != TLS1_VERSION && s->client_version != DTLS1_VERSION)
|
|
||||||
+ {
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ret+=2;
|
|
||||||
|
|
||||||
if (ret>=limit) return NULL; /* this really never occurs, but ... */
|
|
||||||
@@ -202,6 +207,11 @@ unsigned char *ssl_add_serverhello_tlsex
|
|
||||||
int extdatalen=0;
|
|
||||||
unsigned char *ret = p;
|
|
||||||
|
|
||||||
+ if (s->version != TLS1_VERSION && s->version != DTLS1_VERSION)
|
|
||||||
+ {
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ret+=2;
|
|
||||||
if (ret>=limit) return NULL; /* this really never occurs, but ... */
|
|
||||||
|
|
@ -1,378 +0,0 @@
|
|||||||
diff -up openssl-0.9.8j/ssl/t1_lib.c.eap-fast openssl-0.9.8j/ssl/t1_lib.c
|
|
||||||
--- openssl-0.9.8j/ssl/t1_lib.c.eap-fast 2009-01-14 16:39:41.000000000 +0100
|
|
||||||
+++ openssl-0.9.8j/ssl/t1_lib.c 2009-01-14 21:35:38.000000000 +0100
|
|
||||||
@@ -106,6 +106,12 @@ int tls1_new(SSL *s)
|
|
||||||
|
|
||||||
void tls1_free(SSL *s)
|
|
||||||
{
|
|
||||||
+#ifndef OPENSSL_NO_TLSEXT
|
|
||||||
+ if (s && s->tlsext_session_ticket)
|
|
||||||
+ {
|
|
||||||
+ OPENSSL_free(s->tlsext_session_ticket);
|
|
||||||
+ }
|
|
||||||
+#endif /* OPENSSL_NO_TLSEXT */
|
|
||||||
ssl3_free(s);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -180,8 +186,23 @@ unsigned char *ssl_add_clienthello_tlsex
|
|
||||||
int ticklen;
|
|
||||||
if (s->session && s->session->tlsext_tick)
|
|
||||||
ticklen = s->session->tlsext_ticklen;
|
|
||||||
+ else if (s->session && s->tlsext_session_ticket &&
|
|
||||||
+ s->tlsext_session_ticket->data)
|
|
||||||
+ {
|
|
||||||
+ ticklen = s->tlsext_session_ticket->length;
|
|
||||||
+ s->session->tlsext_tick = OPENSSL_malloc(ticklen);
|
|
||||||
+ if (!s->session->tlsext_tick)
|
|
||||||
+ return NULL;
|
|
||||||
+ memcpy(s->session->tlsext_tick,
|
|
||||||
+ s->tlsext_session_ticket->data,
|
|
||||||
+ ticklen);
|
|
||||||
+ s->session->tlsext_ticklen = ticklen;
|
|
||||||
+ }
|
|
||||||
else
|
|
||||||
ticklen = 0;
|
|
||||||
+ if (ticklen == 0 && s->tlsext_session_ticket &&
|
|
||||||
+ s->tlsext_session_ticket->data == NULL)
|
|
||||||
+ goto skip_ext;
|
|
||||||
/* Check for enough room 2 for extension type, 2 for len
|
|
||||||
* rest for ticket
|
|
||||||
*/
|
|
||||||
@@ -195,6 +216,7 @@ unsigned char *ssl_add_clienthello_tlsex
|
|
||||||
ret += ticklen;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+ skip_ext:
|
|
||||||
|
|
||||||
if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
|
|
||||||
{
|
|
||||||
@@ -417,6 +439,15 @@ int ssl_parse_clienthello_tlsext(SSL *s,
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
+ else if (type == TLSEXT_TYPE_session_ticket)
|
|
||||||
+ {
|
|
||||||
+ if (s->tls_session_ticket_ext_cb &&
|
|
||||||
+ !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
|
|
||||||
+ {
|
|
||||||
+ *al = TLS1_AD_INTERNAL_ERROR;
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
else if (type == TLSEXT_TYPE_status_request
|
|
||||||
&& s->ctx->tlsext_status_cb)
|
|
||||||
{
|
|
||||||
@@ -563,6 +594,12 @@ int ssl_parse_serverhello_tlsext(SSL *s,
|
|
||||||
}
|
|
||||||
else if (type == TLSEXT_TYPE_session_ticket)
|
|
||||||
{
|
|
||||||
+ if (s->tls_session_ticket_ext_cb &&
|
|
||||||
+ !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg))
|
|
||||||
+ {
|
|
||||||
+ *al = TLS1_AD_INTERNAL_ERROR;
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
|
|
||||||
|| (size > 0))
|
|
||||||
{
|
|
||||||
@@ -786,6 +823,15 @@ int tls1_process_ticket(SSL *s, unsigned
|
|
||||||
s->tlsext_ticket_expected = 1;
|
|
||||||
return 0; /* Cache miss */
|
|
||||||
}
|
|
||||||
+ if (s->tls_session_secret_cb)
|
|
||||||
+ {
|
|
||||||
+ /* Indicate cache miss here and instead of
|
|
||||||
+ * generating the session from ticket now,
|
|
||||||
+ * trigger abbreviated handshake based on
|
|
||||||
+ * external mechanism to calculate the master
|
|
||||||
+ * secret later. */
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
return tls_decrypt_ticket(s, p, size, session_id, len,
|
|
||||||
ret);
|
|
||||||
}
|
|
||||||
diff -up openssl-0.9.8j/ssl/s3_clnt.c.eap-fast openssl-0.9.8j/ssl/s3_clnt.c
|
|
||||||
--- openssl-0.9.8j/ssl/s3_clnt.c.eap-fast 2009-01-07 11:48:23.000000000 +0100
|
|
||||||
+++ openssl-0.9.8j/ssl/s3_clnt.c 2009-01-14 21:13:47.000000000 +0100
|
|
||||||
@@ -759,6 +759,23 @@ int ssl3_get_server_hello(SSL *s)
|
|
||||||
goto f_err;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifndef OPENSSL_NO_TLSEXT
|
|
||||||
+ /* check if we want to resume the session based on external pre-shared secret */
|
|
||||||
+ if (s->version >= TLS1_VERSION && s->tls_session_secret_cb)
|
|
||||||
+ {
|
|
||||||
+ SSL_CIPHER *pref_cipher=NULL;
|
|
||||||
+ s->session->master_key_length=sizeof(s->session->master_key);
|
|
||||||
+ if (s->tls_session_secret_cb(s, s->session->master_key,
|
|
||||||
+ &s->session->master_key_length,
|
|
||||||
+ NULL, &pref_cipher,
|
|
||||||
+ s->tls_session_secret_cb_arg))
|
|
||||||
+ {
|
|
||||||
+ s->session->cipher = pref_cipher ?
|
|
||||||
+ pref_cipher : ssl_get_cipher_by_char(s, p+j);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+#endif /* OPENSSL_NO_TLSEXT */
|
|
||||||
+
|
|
||||||
if (j != 0 && j == s->session->session_id_length
|
|
||||||
&& memcmp(p,s->session->session_id,j) == 0)
|
|
||||||
{
|
|
||||||
@@ -2701,11 +2718,8 @@ static int ssl3_check_finished(SSL *s)
|
|
||||||
{
|
|
||||||
int ok;
|
|
||||||
long n;
|
|
||||||
- /* If we have no ticket or session ID is non-zero length (a match of
|
|
||||||
- * a non-zero session length would never reach here) it cannot be a
|
|
||||||
- * resumed session.
|
|
||||||
- */
|
|
||||||
- if (!s->session->tlsext_tick || s->session->session_id_length)
|
|
||||||
+ /* If we have no ticket it cannot be a resumed session. */
|
|
||||||
+ if (!s->session->tlsext_tick)
|
|
||||||
return 1;
|
|
||||||
/* this function is called when we really expect a Certificate
|
|
||||||
* message, so permit appropriate message length */
|
|
||||||
diff -up openssl-0.9.8j/ssl/ssl_sess.c.eap-fast openssl-0.9.8j/ssl/ssl_sess.c
|
|
||||||
--- openssl-0.9.8j/ssl/ssl_sess.c.eap-fast 2008-06-04 20:35:27.000000000 +0200
|
|
||||||
+++ openssl-0.9.8j/ssl/ssl_sess.c 2009-01-14 21:13:47.000000000 +0100
|
|
||||||
@@ -707,6 +707,61 @@ long SSL_CTX_get_timeout(const SSL_CTX *
|
|
||||||
return(s->session_timeout);
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifndef OPENSSL_NO_TLSEXT
|
|
||||||
+int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len,
|
|
||||||
+ STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg)
|
|
||||||
+ {
|
|
||||||
+ if (s == NULL) return(0);
|
|
||||||
+ s->tls_session_secret_cb = tls_session_secret_cb;
|
|
||||||
+ s->tls_session_secret_cb_arg = arg;
|
|
||||||
+ return(1);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
|
|
||||||
+ void *arg)
|
|
||||||
+ {
|
|
||||||
+ if (s == NULL) return(0);
|
|
||||||
+ s->tls_session_ticket_ext_cb = cb;
|
|
||||||
+ s->tls_session_ticket_ext_cb_arg = arg;
|
|
||||||
+ return(1);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)
|
|
||||||
+ {
|
|
||||||
+ if (s->version >= TLS1_VERSION)
|
|
||||||
+ {
|
|
||||||
+ if (s->tlsext_session_ticket)
|
|
||||||
+ {
|
|
||||||
+ OPENSSL_free(s->tlsext_session_ticket);
|
|
||||||
+ s->tlsext_session_ticket = NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ s->tlsext_session_ticket = OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
|
|
||||||
+ if (!s->tlsext_session_ticket)
|
|
||||||
+ {
|
|
||||||
+ SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (ext_data)
|
|
||||||
+ {
|
|
||||||
+ s->tlsext_session_ticket->length = ext_len;
|
|
||||||
+ s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1;
|
|
||||||
+ memcpy(s->tlsext_session_ticket->data, ext_data, ext_len);
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ {
|
|
||||||
+ s->tlsext_session_ticket->length = 0;
|
|
||||||
+ s->tlsext_session_ticket->data = NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+#endif /* OPENSSL_NO_TLSEXT */
|
|
||||||
+
|
|
||||||
typedef struct timeout_param_st
|
|
||||||
{
|
|
||||||
SSL_CTX *ctx;
|
|
||||||
diff -up openssl-0.9.8j/ssl/s3_srvr.c.eap-fast openssl-0.9.8j/ssl/s3_srvr.c
|
|
||||||
--- openssl-0.9.8j/ssl/s3_srvr.c.eap-fast 2009-01-07 11:48:23.000000000 +0100
|
|
||||||
+++ openssl-0.9.8j/ssl/s3_srvr.c 2009-01-14 21:22:37.000000000 +0100
|
|
||||||
@@ -965,6 +965,59 @@ int ssl3_get_client_hello(SSL *s)
|
|
||||||
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ /* Check if we want to use external pre-shared secret for this
|
|
||||||
+ * handshake for not reused session only. We need to generate
|
|
||||||
+ * server_random before calling tls_session_secret_cb in order to allow
|
|
||||||
+ * SessionTicket processing to use it in key derivation. */
|
|
||||||
+ {
|
|
||||||
+ unsigned long Time;
|
|
||||||
+ unsigned char *pos;
|
|
||||||
+ Time=(unsigned long)time(NULL); /* Time */
|
|
||||||
+ pos=s->s3->server_random;
|
|
||||||
+ l2n(Time,pos);
|
|
||||||
+ if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0)
|
|
||||||
+ {
|
|
||||||
+ al=SSL_AD_INTERNAL_ERROR;
|
|
||||||
+ goto f_err;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb)
|
|
||||||
+ {
|
|
||||||
+ SSL_CIPHER *pref_cipher=NULL;
|
|
||||||
+
|
|
||||||
+ s->session->master_key_length=sizeof(s->session->master_key);
|
|
||||||
+ if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
|
|
||||||
+ ciphers, &pref_cipher, s->tls_session_secret_cb_arg))
|
|
||||||
+ {
|
|
||||||
+ s->hit=1;
|
|
||||||
+ s->session->ciphers=ciphers;
|
|
||||||
+ s->session->verify_result=X509_V_OK;
|
|
||||||
+
|
|
||||||
+ ciphers=NULL;
|
|
||||||
+
|
|
||||||
+ /* check if some cipher was preferred by call back */
|
|
||||||
+ pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
|
|
||||||
+ if (pref_cipher == NULL)
|
|
||||||
+ {
|
|
||||||
+ al=SSL_AD_HANDSHAKE_FAILURE;
|
|
||||||
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
|
|
||||||
+ goto f_err;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ s->session->cipher=pref_cipher;
|
|
||||||
+
|
|
||||||
+ if (s->cipher_list)
|
|
||||||
+ sk_SSL_CIPHER_free(s->cipher_list);
|
|
||||||
+
|
|
||||||
+ if (s->cipher_list_by_id)
|
|
||||||
+ sk_SSL_CIPHER_free(s->cipher_list_by_id);
|
|
||||||
+
|
|
||||||
+ s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
|
|
||||||
+ s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
#endif
|
|
||||||
/* Worst case, we will use the NULL compression, but if we have other
|
|
||||||
* options, we will now look for them. We have i-1 compression
|
|
||||||
@@ -1103,16 +1156,22 @@ int ssl3_send_server_hello(SSL *s)
|
|
||||||
unsigned char *buf;
|
|
||||||
unsigned char *p,*d;
|
|
||||||
int i,sl;
|
|
||||||
- unsigned long l,Time;
|
|
||||||
+ unsigned long l;
|
|
||||||
+#ifdef OPENSSL_NO_TLSEXT
|
|
||||||
+ unsigned long Time;
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
|
|
||||||
{
|
|
||||||
buf=(unsigned char *)s->init_buf->data;
|
|
||||||
+#ifdef OPENSSL_NO_TLSEXT
|
|
||||||
p=s->s3->server_random;
|
|
||||||
+ /* Generate server_random if it was not needed previously */
|
|
||||||
Time=(unsigned long)time(NULL); /* Time */
|
|
||||||
l2n(Time,p);
|
|
||||||
if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
|
|
||||||
return -1;
|
|
||||||
+#endif
|
|
||||||
/* Do the message type and length last */
|
|
||||||
d=p= &(buf[4]);
|
|
||||||
|
|
||||||
diff -up openssl-0.9.8j/ssl/tls1.h.eap-fast openssl-0.9.8j/ssl/tls1.h
|
|
||||||
--- openssl-0.9.8j/ssl/tls1.h.eap-fast 2009-01-14 16:39:41.000000000 +0100
|
|
||||||
+++ openssl-0.9.8j/ssl/tls1.h 2009-01-14 21:13:47.000000000 +0100
|
|
||||||
@@ -398,6 +398,13 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_T
|
|
||||||
#define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /*master secret*/
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+/* TLS Session Ticket extension struct */
|
|
||||||
+struct tls_session_ticket_ext_st
|
|
||||||
+ {
|
|
||||||
+ unsigned short length;
|
|
||||||
+ void *data;
|
|
||||||
+ };
|
|
||||||
+
|
|
||||||
#ifdef __cplusplus
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
diff -up openssl-0.9.8j/ssl/ssl_err.c.eap-fast openssl-0.9.8j/ssl/ssl_err.c
|
|
||||||
--- openssl-0.9.8j/ssl/ssl_err.c.eap-fast 2008-08-13 21:44:44.000000000 +0200
|
|
||||||
+++ openssl-0.9.8j/ssl/ssl_err.c 2009-01-14 21:13:47.000000000 +0100
|
|
||||||
@@ -253,6 +253,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
|
|
||||||
{ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"},
|
|
||||||
{ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"},
|
|
||||||
{ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"},
|
|
||||||
+{ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"},
|
|
||||||
{0,NULL}
|
|
||||||
};
|
|
||||||
|
|
||||||
diff -up openssl-0.9.8j/ssl/ssl.h.eap-fast openssl-0.9.8j/ssl/ssl.h
|
|
||||||
--- openssl-0.9.8j/ssl/ssl.h.eap-fast 2009-01-14 16:39:41.000000000 +0100
|
|
||||||
+++ openssl-0.9.8j/ssl/ssl.h 2009-01-14 21:26:45.000000000 +0100
|
|
||||||
@@ -344,6 +344,7 @@ extern "C" {
|
|
||||||
* 'struct ssl_st *' function parameters used to prototype callbacks
|
|
||||||
* in SSL_CTX. */
|
|
||||||
typedef struct ssl_st *ssl_crock_st;
|
|
||||||
+typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT;
|
|
||||||
|
|
||||||
/* used to hold info on the particular ciphers used */
|
|
||||||
typedef struct ssl_cipher_st
|
|
||||||
@@ -362,6 +363,9 @@ typedef struct ssl_cipher_st
|
|
||||||
|
|
||||||
DECLARE_STACK_OF(SSL_CIPHER)
|
|
||||||
|
|
||||||
+typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, int len, void *arg);
|
|
||||||
+typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
|
|
||||||
+
|
|
||||||
/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
|
|
||||||
typedef struct ssl_method_st
|
|
||||||
{
|
|
||||||
@@ -1034,6 +1038,18 @@ struct ssl_st
|
|
||||||
|
|
||||||
/* RFC4507 session ticket expected to be received or sent */
|
|
||||||
int tlsext_ticket_expected;
|
|
||||||
+
|
|
||||||
+ /* TLS Session Ticket extension override */
|
|
||||||
+ TLS_SESSION_TICKET_EXT *tlsext_session_ticket;
|
|
||||||
+
|
|
||||||
+ /* TLS Session Ticket extension callback */
|
|
||||||
+ tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb;
|
|
||||||
+ void *tls_session_ticket_ext_cb_arg;
|
|
||||||
+
|
|
||||||
+ /* TLS pre-shared secret session resumption */
|
|
||||||
+ tls_session_secret_cb_fn tls_session_secret_cb;
|
|
||||||
+ void *tls_session_secret_cb_arg;
|
|
||||||
+
|
|
||||||
SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
|
|
||||||
#define session_ctx initial_ctx
|
|
||||||
#else
|
|
||||||
@@ -1624,6 +1640,15 @@ void *SSL_COMP_get_compression_methods(v
|
|
||||||
int SSL_COMP_add_compression_method(int id,void *cm);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+/* TLS extensions functions */
|
|
||||||
+int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len);
|
|
||||||
+
|
|
||||||
+int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
|
|
||||||
+ void *arg);
|
|
||||||
+
|
|
||||||
+/* Pre-shared secret session resumption functions */
|
|
||||||
+int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
|
|
||||||
+
|
|
||||||
/* BEGIN ERROR CODES */
|
|
||||||
/* The following lines are auto generated by the script mkerr.pl. Any changes
|
|
||||||
* made after this point may be overwritten when the script is next run.
|
|
||||||
@@ -1816,6 +1841,7 @@ void ERR_load_SSL_strings(void);
|
|
||||||
#define SSL_F_TLS1_ENC 210
|
|
||||||
#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
|
|
||||||
#define SSL_F_WRITE_PENDING 212
|
|
||||||
+#define SSL_F_SSL_SET_SESSION_TICKET_EXT 213
|
|
||||||
|
|
||||||
/* Reason codes. */
|
|
||||||
#define SSL_R_APP_DATA_IN_HANDSHAKE 100
|
|
@ -1,40 +0,0 @@
|
|||||||
diff -up openssl-0.9.8j/Configure.enginesdir openssl-0.9.8j/Configure
|
|
||||||
--- openssl-0.9.8j/Configure.enginesdir 2009-01-13 23:17:40.000000000 +0100
|
|
||||||
+++ openssl-0.9.8j/Configure 2009-01-13 23:17:40.000000000 +0100
|
|
||||||
@@ -577,6 +577,7 @@ my $idx_arflags = $idx++;
|
|
||||||
|
|
||||||
my $prefix="";
|
|
||||||
my $openssldir="";
|
|
||||||
+my $enginesdir="";
|
|
||||||
my $exe_ext="";
|
|
||||||
my $install_prefix="";
|
|
||||||
my $fipslibdir="/usr/local/ssl/fips-1.0/lib/";
|
|
||||||
@@ -815,6 +816,10 @@ PROCESS_ARGS:
|
|
||||||
{
|
|
||||||
$openssldir=$1;
|
|
||||||
}
|
|
||||||
+ elsif (/^--enginesdir=(.*)$/)
|
|
||||||
+ {
|
|
||||||
+ $enginesdir=$1;
|
|
||||||
+ }
|
|
||||||
elsif (/^--install.prefix=(.*)$/)
|
|
||||||
{
|
|
||||||
$install_prefix=$1;
|
|
||||||
@@ -1080,7 +1085,7 @@ chop $prefix if $prefix =~ /.\/$/;
|
|
||||||
|
|
||||||
$openssldir=$prefix . "/ssl" if $openssldir eq "";
|
|
||||||
$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
|
|
||||||
-
|
|
||||||
+$enginesdir="$prefix/lib/engines" if $enginesdir eq "";
|
|
||||||
|
|
||||||
print "IsMK1MF=$IsMK1MF\n";
|
|
||||||
|
|
||||||
@@ -1635,7 +1640,7 @@ while (<IN>)
|
|
||||||
if (/^#define\s+OPENSSLDIR/)
|
|
||||||
{ print OUT "#define OPENSSLDIR \"$openssldir\"\n"; }
|
|
||||||
elsif (/^#define\s+ENGINESDIR/)
|
|
||||||
- { print OUT "#define ENGINESDIR \"$prefix/lib/engines\"\n"; }
|
|
||||||
+ { print OUT "#define ENGINESDIR \"$enginesdir\"\n"; }
|
|
||||||
elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/)
|
|
||||||
{ printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n"
|
|
||||||
if $export_var_as_fn;
|
|
@ -1,127 +0,0 @@
|
|||||||
diff -up openssl-0.9.8j/crypto/evp/c_alld.c.evp-nonfips openssl-0.9.8j/crypto/evp/c_alld.c
|
|
||||||
--- openssl-0.9.8j/crypto/evp/c_alld.c.evp-nonfips 2005-04-30 23:51:40.000000000 +0200
|
|
||||||
+++ openssl-0.9.8j/crypto/evp/c_alld.c 2009-01-14 17:51:41.000000000 +0100
|
|
||||||
@@ -64,6 +64,11 @@
|
|
||||||
|
|
||||||
void OpenSSL_add_all_digests(void)
|
|
||||||
{
|
|
||||||
+#ifdef OPENSSL_FIPS
|
|
||||||
+ OPENSSL_init();
|
|
||||||
+ if (!FIPS_mode())
|
|
||||||
+ {
|
|
||||||
+#endif
|
|
||||||
#ifndef OPENSSL_NO_MD2
|
|
||||||
EVP_add_digest(EVP_md2());
|
|
||||||
#endif
|
|
||||||
@@ -111,4 +116,32 @@ void OpenSSL_add_all_digests(void)
|
|
||||||
EVP_add_digest(EVP_sha384());
|
|
||||||
EVP_add_digest(EVP_sha512());
|
|
||||||
#endif
|
|
||||||
+#ifdef OPENSSL_FIPS
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ {
|
|
||||||
+#ifndef OPENSSL_NO_SHA
|
|
||||||
+ EVP_add_digest(EVP_sha1());
|
|
||||||
+ EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
|
|
||||||
+ EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
|
|
||||||
+#ifndef OPENSSL_NO_DSA
|
|
||||||
+ EVP_add_digest(EVP_dss1());
|
|
||||||
+ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
|
|
||||||
+ EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
|
|
||||||
+ EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
|
|
||||||
+#endif
|
|
||||||
+#ifndef OPENSSL_NO_ECDSA
|
|
||||||
+ EVP_add_digest(EVP_ecdsa());
|
|
||||||
+#endif
|
|
||||||
+#endif
|
|
||||||
+#ifndef OPENSSL_NO_SHA256
|
|
||||||
+ EVP_add_digest(EVP_sha224());
|
|
||||||
+ EVP_add_digest(EVP_sha256());
|
|
||||||
+#endif
|
|
||||||
+#ifndef OPENSSL_NO_SHA512
|
|
||||||
+ EVP_add_digest(EVP_sha384());
|
|
||||||
+ EVP_add_digest(EVP_sha512());
|
|
||||||
+#endif
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
}
|
|
||||||
diff -up openssl-0.9.8j/crypto/evp/c_allc.c.evp-nonfips openssl-0.9.8j/crypto/evp/c_allc.c
|
|
||||||
--- openssl-0.9.8j/crypto/evp/c_allc.c.evp-nonfips 2007-04-24 01:50:04.000000000 +0200
|
|
||||||
+++ openssl-0.9.8j/crypto/evp/c_allc.c 2009-01-14 17:51:41.000000000 +0100
|
|
||||||
@@ -65,6 +65,11 @@
|
|
||||||
void OpenSSL_add_all_ciphers(void)
|
|
||||||
{
|
|
||||||
|
|
||||||
+#ifdef OPENSSL_FIPS
|
|
||||||
+ OPENSSL_init();
|
|
||||||
+ if(!FIPS_mode())
|
|
||||||
+ {
|
|
||||||
+#endif
|
|
||||||
#ifndef OPENSSL_NO_DES
|
|
||||||
EVP_add_cipher(EVP_des_cfb());
|
|
||||||
EVP_add_cipher(EVP_des_cfb1());
|
|
||||||
@@ -219,6 +224,63 @@ void OpenSSL_add_all_ciphers(void)
|
|
||||||
EVP_add_cipher_alias(SN_camellia_256_cbc,"CAMELLIA256");
|
|
||||||
EVP_add_cipher_alias(SN_camellia_256_cbc,"camellia256");
|
|
||||||
#endif
|
|
||||||
+#ifdef OPENSSL_FIPS
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ {
|
|
||||||
+#ifndef OPENSSL_NO_DES
|
|
||||||
+ EVP_add_cipher(EVP_des_ede_cfb());
|
|
||||||
+ EVP_add_cipher(EVP_des_ede3_cfb());
|
|
||||||
+
|
|
||||||
+ EVP_add_cipher(EVP_des_ede_ofb());
|
|
||||||
+ EVP_add_cipher(EVP_des_ede3_ofb());
|
|
||||||
+
|
|
||||||
+ EVP_add_cipher(EVP_des_ede_cbc());
|
|
||||||
+ EVP_add_cipher(EVP_des_ede3_cbc());
|
|
||||||
+ EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
|
|
||||||
+ EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
|
|
||||||
+
|
|
||||||
+ EVP_add_cipher(EVP_des_ede());
|
|
||||||
+ EVP_add_cipher(EVP_des_ede3());
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#ifndef OPENSSL_NO_AES
|
|
||||||
+ EVP_add_cipher(EVP_aes_128_ecb());
|
|
||||||
+ EVP_add_cipher(EVP_aes_128_cbc());
|
|
||||||
+ EVP_add_cipher(EVP_aes_128_cfb());
|
|
||||||
+ EVP_add_cipher(EVP_aes_128_cfb1());
|
|
||||||
+ EVP_add_cipher(EVP_aes_128_cfb8());
|
|
||||||
+ EVP_add_cipher(EVP_aes_128_ofb());
|
|
||||||
+#if 0
|
|
||||||
+ EVP_add_cipher(EVP_aes_128_ctr());
|
|
||||||
+#endif
|
|
||||||
+ EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
|
|
||||||
+ EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
|
|
||||||
+ EVP_add_cipher(EVP_aes_192_ecb());
|
|
||||||
+ EVP_add_cipher(EVP_aes_192_cbc());
|
|
||||||
+ EVP_add_cipher(EVP_aes_192_cfb());
|
|
||||||
+ EVP_add_cipher(EVP_aes_192_cfb1());
|
|
||||||
+ EVP_add_cipher(EVP_aes_192_cfb8());
|
|
||||||
+ EVP_add_cipher(EVP_aes_192_ofb());
|
|
||||||
+#if 0
|
|
||||||
+ EVP_add_cipher(EVP_aes_192_ctr());
|
|
||||||
+#endif
|
|
||||||
+ EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
|
|
||||||
+ EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
|
|
||||||
+ EVP_add_cipher(EVP_aes_256_ecb());
|
|
||||||
+ EVP_add_cipher(EVP_aes_256_cbc());
|
|
||||||
+ EVP_add_cipher(EVP_aes_256_cfb());
|
|
||||||
+ EVP_add_cipher(EVP_aes_256_cfb1());
|
|
||||||
+ EVP_add_cipher(EVP_aes_256_cfb8());
|
|
||||||
+ EVP_add_cipher(EVP_aes_256_ofb());
|
|
||||||
+#if 0
|
|
||||||
+ EVP_add_cipher(EVP_aes_256_ctr());
|
|
||||||
+#endif
|
|
||||||
+ EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
|
|
||||||
+ EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
|
|
||||||
+#endif
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
PKCS12_PBE_add();
|
|
||||||
PKCS5_PBE_add();
|
|
@ -1,24 +0,0 @@
|
|||||||
diff -up openssl-0.9.8j/fips/rsa/fips_rsa_gen.c.no-pairwise openssl-0.9.8j/fips/rsa/fips_rsa_gen.c
|
|
||||||
--- openssl-0.9.8j/fips/rsa/fips_rsa_gen.c.no-pairwise 2009-01-17 20:27:37.000000000 +0100
|
|
||||||
+++ openssl-0.9.8j/fips/rsa/fips_rsa_gen.c 2009-01-17 20:27:28.000000000 +0100
|
|
||||||
@@ -288,7 +288,7 @@ static int rsa_builtin_keygen(RSA *rsa,
|
|
||||||
if (fips_rsa_pairwise_fail)
|
|
||||||
BN_add_word(rsa->n, 1);
|
|
||||||
|
|
||||||
- if(!fips_check_rsa(rsa))
|
|
||||||
+ if(FIPS_mode() && !fips_check_rsa(rsa))
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
ok=1;
|
|
||||||
diff -up openssl-0.9.8j/fips/dsa/fips_dsa_key.c.no-pairwise openssl-0.9.8j/fips/dsa/fips_dsa_key.c
|
|
||||||
--- openssl-0.9.8j/fips/dsa/fips_dsa_key.c.no-pairwise 2008-09-16 12:12:15.000000000 +0200
|
|
||||||
+++ openssl-0.9.8j/fips/dsa/fips_dsa_key.c 2009-01-17 20:26:20.000000000 +0100
|
|
||||||
@@ -154,7 +154,7 @@ static int dsa_builtin_keygen(DSA *dsa)
|
|
||||||
dsa->pub_key=pub_key;
|
|
||||||
if (fips_dsa_pairwise_fail)
|
|
||||||
BN_add_word(dsa->pub_key, 1);
|
|
||||||
- if(!fips_check_dsa(dsa))
|
|
||||||
+ if(FIPS_mode() && !fips_check_dsa(dsa))
|
|
||||||
goto err;
|
|
||||||
ok=1;
|
|
||||||
|
|
@ -1,125 +0,0 @@
|
|||||||
Produce fipscheck compatible HMAC-SHA256 with the fips_standalone_sha1 binary.
|
|
||||||
We use the binary just during the OpenSSL build to checksum the libcrypto.
|
|
||||||
diff -up openssl-0.9.8j/fips/sha/Makefile.fipscheck-hmac openssl-0.9.8j/fips/sha/Makefile
|
|
||||||
--- openssl-0.9.8j/fips/sha/Makefile.fipscheck-hmac 2008-10-26 19:42:05.000000000 +0100
|
|
||||||
+++ openssl-0.9.8j/fips/sha/Makefile 2009-01-14 16:39:41.000000000 +0100
|
|
||||||
@@ -46,7 +46,7 @@ lib: $(LIBOBJ)
|
|
||||||
@echo $(LIBOBJ) > lib
|
|
||||||
|
|
||||||
../fips_standalone_sha1$(EXE_EXT): fips_standalone_sha1.o
|
|
||||||
- FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha1dgst.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
|
|
||||||
+ FIPS_SHA_ASM=""; for i in $(SHA1_ASM_OBJ) sha256.o ; do FIPS_SHA_ASM="$$FIPS_SHA_ASM ../../crypto/sha/$$i" ; done; \
|
|
||||||
$(CC) -o $@ $(CFLAGS) fips_standalone_sha1.o $$FIPS_SHA_ASM
|
|
||||||
|
|
||||||
files:
|
|
||||||
diff -up openssl-0.9.8j/fips/sha/fips_standalone_sha1.c.fipscheck-hmac openssl-0.9.8j/fips/sha/fips_standalone_sha1.c
|
|
||||||
--- openssl-0.9.8j/fips/sha/fips_standalone_sha1.c.fipscheck-hmac 2008-09-16 12:12:23.000000000 +0200
|
|
||||||
+++ openssl-0.9.8j/fips/sha/fips_standalone_sha1.c 2009-01-14 17:07:56.000000000 +0100
|
|
||||||
@@ -62,7 +62,7 @@ void OPENSSL_cleanse(void *p,size_t len)
|
|
||||||
|
|
||||||
#ifdef OPENSSL_FIPS
|
|
||||||
|
|
||||||
-static void hmac_init(SHA_CTX *md_ctx,SHA_CTX *o_ctx,
|
|
||||||
+static void hmac_init(SHA256_CTX *md_ctx,SHA256_CTX *o_ctx,
|
|
||||||
const char *key)
|
|
||||||
{
|
|
||||||
int len=strlen(key);
|
|
||||||
@@ -72,10 +72,10 @@ static void hmac_init(SHA_CTX *md_ctx,SH
|
|
||||||
|
|
||||||
if (len > SHA_CBLOCK)
|
|
||||||
{
|
|
||||||
- SHA1_Init(md_ctx);
|
|
||||||
- SHA1_Update(md_ctx,key,len);
|
|
||||||
- SHA1_Final(keymd,md_ctx);
|
|
||||||
- len=20;
|
|
||||||
+ SHA256_Init(md_ctx);
|
|
||||||
+ SHA256_Update(md_ctx,key,len);
|
|
||||||
+ SHA256_Final(keymd,md_ctx);
|
|
||||||
+ len=SHA256_DIGEST_LENGTH;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
memcpy(keymd,key,len);
|
|
||||||
@@ -83,22 +83,22 @@ static void hmac_init(SHA_CTX *md_ctx,SH
|
|
||||||
|
|
||||||
for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
|
|
||||||
pad[i]=0x36^keymd[i];
|
|
||||||
- SHA1_Init(md_ctx);
|
|
||||||
- SHA1_Update(md_ctx,pad,SHA_CBLOCK);
|
|
||||||
+ SHA256_Init(md_ctx);
|
|
||||||
+ SHA256_Update(md_ctx,pad,SHA256_CBLOCK);
|
|
||||||
|
|
||||||
for(i=0 ; i < HMAC_MAX_MD_CBLOCK ; i++)
|
|
||||||
pad[i]=0x5c^keymd[i];
|
|
||||||
- SHA1_Init(o_ctx);
|
|
||||||
- SHA1_Update(o_ctx,pad,SHA_CBLOCK);
|
|
||||||
+ SHA256_Init(o_ctx);
|
|
||||||
+ SHA256_Update(o_ctx,pad,SHA256_CBLOCK);
|
|
||||||
}
|
|
||||||
|
|
||||||
-static void hmac_final(unsigned char *md,SHA_CTX *md_ctx,SHA_CTX *o_ctx)
|
|
||||||
+static void hmac_final(unsigned char *md,SHA256_CTX *md_ctx,SHA256_CTX *o_ctx)
|
|
||||||
{
|
|
||||||
- unsigned char buf[20];
|
|
||||||
+ unsigned char buf[SHA256_DIGEST_LENGTH];
|
|
||||||
|
|
||||||
- SHA1_Final(buf,md_ctx);
|
|
||||||
- SHA1_Update(o_ctx,buf,sizeof buf);
|
|
||||||
- SHA1_Final(md,o_ctx);
|
|
||||||
+ SHA256_Final(buf,md_ctx);
|
|
||||||
+ SHA256_Update(o_ctx,buf,sizeof buf);
|
|
||||||
+ SHA256_Final(md,o_ctx);
|
|
||||||
}
|
|
||||||
|
|
||||||
#endif
|
|
||||||
@@ -106,7 +106,7 @@ static void hmac_final(unsigned char *md
|
|
||||||
int main(int argc,char **argv)
|
|
||||||
{
|
|
||||||
#ifdef OPENSSL_FIPS
|
|
||||||
- static char key[]="etaonrishdlcupfm";
|
|
||||||
+ static char key[]="orboDeJITITejsirpADONivirpUkvarP";
|
|
||||||
int n,binary=0;
|
|
||||||
|
|
||||||
if(argc < 2)
|
|
||||||
@@ -125,8 +125,8 @@ int main(int argc,char **argv)
|
|
||||||
for(; n < argc ; ++n)
|
|
||||||
{
|
|
||||||
FILE *f=fopen(argv[n],"rb");
|
|
||||||
- SHA_CTX md_ctx,o_ctx;
|
|
||||||
- unsigned char md[20];
|
|
||||||
+ SHA256_CTX md_ctx,o_ctx;
|
|
||||||
+ unsigned char md[SHA256_DIGEST_LENGTH];
|
|
||||||
int i;
|
|
||||||
|
|
||||||
if(!f)
|
|
||||||
@@ -139,7 +139,7 @@ int main(int argc,char **argv)
|
|
||||||
for( ; ; )
|
|
||||||
{
|
|
||||||
char buf[1024];
|
|
||||||
- int l=fread(buf,1,sizeof buf,f);
|
|
||||||
+ size_t l=fread(buf,1,sizeof buf,f);
|
|
||||||
|
|
||||||
if(l == 0)
|
|
||||||
{
|
|
||||||
@@ -151,18 +151,18 @@ int main(int argc,char **argv)
|
|
||||||
else
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
- SHA1_Update(&md_ctx,buf,l);
|
|
||||||
+ SHA256_Update(&md_ctx,buf,l);
|
|
||||||
}
|
|
||||||
hmac_final(md,&md_ctx,&o_ctx);
|
|
||||||
|
|
||||||
if (binary)
|
|
||||||
{
|
|
||||||
- fwrite(md,20,1,stdout);
|
|
||||||
+ fwrite(md,SHA256_DIGEST_LENGTH,1,stdout);
|
|
||||||
break; /* ... for single(!) file */
|
|
||||||
}
|
|
||||||
|
|
||||||
- printf("HMAC-SHA1(%s)= ",argv[n]);
|
|
||||||
- for(i=0 ; i < 20 ; ++i)
|
|
||||||
+/* printf("HMAC-SHA1(%s)= ",argv[n]); */
|
|
||||||
+ for(i=0 ; i < SHA256_DIGEST_LENGTH ; ++i)
|
|
||||||
printf("%02x",md[i]);
|
|
||||||
printf("\n");
|
|
||||||
}
|
|
@ -1,62 +0,0 @@
|
|||||||
diff -up openssl-0.9.8j/crypto/o_init.c.fipsmode openssl-0.9.8j/crypto/o_init.c
|
|
||||||
--- openssl-0.9.8j/crypto/o_init.c.fipsmode 2008-11-05 19:36:36.000000000 +0100
|
|
||||||
+++ openssl-0.9.8j/crypto/o_init.c 2009-01-14 17:57:39.000000000 +0100
|
|
||||||
@@ -59,6 +59,45 @@
|
|
||||||
#include <e_os.h>
|
|
||||||
#include <openssl/err.h>
|
|
||||||
|
|
||||||
+#ifdef OPENSSL_FIPS
|
|
||||||
+#include <sys/types.h>
|
|
||||||
+#include <sys/stat.h>
|
|
||||||
+#include <fcntl.h>
|
|
||||||
+#include <unistd.h>
|
|
||||||
+#include <errno.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
+#include <openssl/fips.h>
|
|
||||||
+#include <openssl/evp.h>
|
|
||||||
+#include <openssl/rand.h>
|
|
||||||
+
|
|
||||||
+#define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
|
|
||||||
+
|
|
||||||
+static void init_fips_mode(void)
|
|
||||||
+ {
|
|
||||||
+ char buf[2] = "0";
|
|
||||||
+ int fd;
|
|
||||||
+
|
|
||||||
+ if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
|
|
||||||
+ {
|
|
||||||
+ buf[0] = '1';
|
|
||||||
+ }
|
|
||||||
+ else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0)
|
|
||||||
+ {
|
|
||||||
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
|
|
||||||
+ close(fd);
|
|
||||||
+ }
|
|
||||||
+ /* Failure reading the fips mode switch file means just not
|
|
||||||
+ * switching into FIPS mode. We would break too many things
|
|
||||||
+ * otherwise.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+ if (buf[0] == '1')
|
|
||||||
+ {
|
|
||||||
+ FIPS_mode_set(1);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
/* Perform any essential OpenSSL initialization operations.
|
|
||||||
* Currently only sets FIPS callbacks
|
|
||||||
*/
|
|
||||||
@@ -73,11 +112,10 @@ void OPENSSL_init(void)
|
|
||||||
#ifdef CRYPTO_MDEBUG
|
|
||||||
CRYPTO_malloc_debug_init();
|
|
||||||
#endif
|
|
||||||
-#ifdef OPENSSL_ENGINE
|
|
||||||
+ init_fips_mode();
|
|
||||||
int_EVP_MD_init_engine_callbacks();
|
|
||||||
int_EVP_CIPHER_init_engine_callbacks();
|
|
||||||
int_RAND_init_engine_callbacks();
|
|
||||||
-#endif
|
|
||||||
done = 1;
|
|
||||||
}
|
|
||||||
#endif
|
|
@ -1,31 +0,0 @@
|
|||||||
Do not create a fipscanister.o, add the objects directly.
|
|
||||||
diff -up openssl-0.9.8j/fips/Makefile.nocanister openssl-0.9.8j/fips/Makefile
|
|
||||||
--- openssl-0.9.8j/fips/Makefile.nocanister 2009-01-13 18:26:15.000000000 +0100
|
|
||||||
+++ openssl-0.9.8j/fips/Makefile 2009-01-13 21:43:43.000000000 +0100
|
|
||||||
@@ -142,8 +142,24 @@ lib: $(LIB)
|
|
||||||
if [ "$(FIPSCANISTERINTERNAL)" = "n" -a -n "$(FIPSCANLOC)" ]; then $(AR) ../$(FIPSCANLIB).a $(FIPSCANLOC); fi
|
|
||||||
@touch lib
|
|
||||||
|
|
||||||
-$(LIB): $(FIPSLIBDIR)fipscanister.o
|
|
||||||
- $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
|
|
||||||
+$(LIB): $(LIBOBJ) $(FIPS_OBJ_LISTS)
|
|
||||||
+ FIPS_ASM=""; \
|
|
||||||
+ list="$(BN_ASM)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/bn/$$i" ; done; \
|
|
||||||
+ list="$(AES_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/aes/$$i" ; done; \
|
|
||||||
+ list="$(DES_ENC)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/des/$$i" ; done; \
|
|
||||||
+ list="$(SHA1_ASM_OBJ)"; for i in $$list; do FIPS_ASM="$$FIPS_ASM ../crypto/sha/$$i" ; done; \
|
|
||||||
+ if [ -n "$(CPUID_OBJ)" ]; then \
|
|
||||||
+ CPUID=../crypto/$(CPUID_OBJ) ; \
|
|
||||||
+ else \
|
|
||||||
+ CPUID="" ; \
|
|
||||||
+ fi ; \
|
|
||||||
+ objs="$(LIBOBJ) $(FIPS_EX_OBJ) $$CPUID $$FIPS_ASM"; \
|
|
||||||
+ for i in $(FIPS_OBJ_LISTS); do \
|
|
||||||
+ dir=`dirname $$i`; script="s|^|$$dir/|;s| | $$dir/|g"; \
|
|
||||||
+ objs="$$objs `sed "$$script" $$i`"; \
|
|
||||||
+ done; \
|
|
||||||
+ objs="$$objs" ; \
|
|
||||||
+ $(AR) $(LIB) $$objs
|
|
||||||
$(RANLIB) $(LIB) || echo Never mind.
|
|
||||||
|
|
||||||
$(FIPSCANLIB): $(FIPSCANLOC)
|
|
@ -1,53 +0,0 @@
|
|||||||
diff -up openssl-0.9.8j/Configure.redhat openssl-0.9.8j/Configure
|
|
||||||
--- openssl-0.9.8j/Configure.redhat 2008-12-29 01:18:23.000000000 +0100
|
|
||||||
+++ openssl-0.9.8j/Configure 2009-01-13 14:03:54.000000000 +0100
|
|
||||||
@@ -320,28 +320,28 @@ my %table=(
|
|
||||||
####
|
|
||||||
# *-generic* is endian-neutral target, but ./config is free to
|
|
||||||
# throw in -D[BL]_ENDIAN, whichever appropriate...
|
|
||||||
-"linux-generic32","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
-"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
+"linux-generic32","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
|
||||||
+"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
|
||||||
#### IA-32 targets...
|
|
||||||
"linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
-"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
+"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
|
||||||
"linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
|
|
||||||
####
|
|
||||||
-"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
+"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
|
||||||
+"linux-ppc64", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
|
||||||
+"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
|
||||||
"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
"linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
+"linux-x86_64", "gcc:-DL_ENDIAN -DTERMIO -Wall -DMD32_REG_T=int \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
|
||||||
#### SPARC Linux setups
|
|
||||||
# Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
|
|
||||||
# assisted with debugging of following two configs.
|
|
||||||
-"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
+"linux-sparcv8","gcc:-DB_ENDIAN -DTERMIO -Wall -DBN_DIV2W \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
|
||||||
# it's a real mess with -mcpu=ultrasparc option under Linux, but
|
|
||||||
# -Wa,-Av8plus should do the trick no matter what.
|
|
||||||
-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
+"linux-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall -Wa,-Av8plus -DBN_DIV2W \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
|
||||||
# GCC 3.1 is a requirement
|
|
||||||
-"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
+"linux64-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
|
||||||
#### Alpha Linux with GNU C and Compaq C setups
|
|
||||||
# Special notes:
|
|
||||||
# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
|
|
||||||
@@ -355,8 +355,8 @@ my %table=(
|
|
||||||
#
|
|
||||||
# <appro@fy.chalmers.se>
|
|
||||||
#
|
|
||||||
-"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
-"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
|
||||||
+"linux-alpha-gcc","gcc:-DL_ENDIAN -DTERMIO -mcpu=ev5 \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
|
||||||
+"linux-alpha+bwx-gcc","gcc:-DL_ENDIAN -DTERMIO -mcpu=ev5 \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
|
||||||
"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}",
|
|
||||||
"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}",
|
|
||||||
|
|
@ -1,12 +0,0 @@
|
|||||||
diff -up openssl-0.9.8j/crypto/opensslv.h.shlib-version openssl-0.9.8j/crypto/opensslv.h
|
|
||||||
--- openssl-0.9.8j/crypto/opensslv.h.shlib-version 2007-12-13 17:57:40.000000000 +0100
|
|
||||||
+++ openssl-0.9.8j/crypto/opensslv.h 2008-01-25 17:10:13.000000000 +0100
|
|
||||||
@@ -83,7 +83,7 @@
|
|
||||||
* should only keep the versions that are binary compatible with the current.
|
|
||||||
*/
|
|
||||||
#define SHLIB_VERSION_HISTORY ""
|
|
||||||
-#define SHLIB_VERSION_NUMBER "0.9.8"
|
|
||||||
+#define SHLIB_VERSION_NUMBER "0.9.8j"
|
|
||||||
|
|
||||||
|
|
||||||
#endif /* HEADER_OPENSSLV_H */
|
|
@ -1,49 +0,0 @@
|
|||||||
Define and use a soname -- because we have to care about binary
|
|
||||||
compatibility, we have to increment the soname in order to allow
|
|
||||||
this version to co-exist with another versions and have everything
|
|
||||||
work right.
|
|
||||||
|
|
||||||
diff -up openssl-0.9.8j/Configure.soversion openssl-0.9.8j/Configure
|
|
||||||
--- openssl-0.9.8j/Configure.soversion 2007-12-03 14:41:19.000000000 +0100
|
|
||||||
+++ openssl-0.9.8j/Configure 2007-12-03 14:41:19.000000000 +0100
|
|
||||||
@@ -1371,7 +1371,7 @@ while (<IN>)
|
|
||||||
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
|
|
||||||
{
|
|
||||||
my $sotmp = $1;
|
|
||||||
- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
|
|
||||||
+ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_SONAMEVER) .s$sotmp/;
|
|
||||||
}
|
|
||||||
elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
|
|
||||||
{
|
|
||||||
diff -up openssl-0.9.8j/Makefile.org.soversion openssl-0.9.8j/Makefile.org
|
|
||||||
--- openssl-0.9.8j/Makefile.org.soversion 2007-12-03 14:41:19.000000000 +0100
|
|
||||||
+++ openssl-0.9.8j/Makefile.org 2007-12-03 14:41:19.000000000 +0100
|
|
||||||
@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
|
|
||||||
SHLIB_MAJOR=
|
|
||||||
SHLIB_MINOR=
|
|
||||||
SHLIB_EXT=
|
|
||||||
+SHLIB_SONAMEVER=8
|
|
||||||
PLATFORM=dist
|
|
||||||
OPTIONS=
|
|
||||||
CONFIGURE_ARGS=
|
|
||||||
@@ -277,10 +278,9 @@ clean-shared:
|
|
||||||
link-shared:
|
|
||||||
@ set -e; for i in ${SHLIBDIRS}; do \
|
|
||||||
$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
|
|
||||||
- LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
|
|
||||||
+ LIBNAME=$$i LIBVERSION=${SHLIB_SONAMEVER} \
|
|
||||||
LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \
|
|
||||||
symlink.$(SHLIB_TARGET); \
|
|
||||||
- libs="$$libs -l$$i"; \
|
|
||||||
done
|
|
||||||
|
|
||||||
build-shared: do_$(SHLIB_TARGET) link-shared
|
|
||||||
@@ -291,7 +291,7 @@ do_$(SHLIB_TARGET):
|
|
||||||
libs="$(LIBKRB5) $$libs"; \
|
|
||||||
fi; \
|
|
||||||
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
|
|
||||||
- LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
|
|
||||||
+ LIBNAME=$$i LIBVERSION=${SHLIB_SONAMEVER} \
|
|
||||||
LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \
|
|
||||||
LIBDEPS="$$libs $(EX_LIBS)" \
|
|
||||||
link_a.$(SHLIB_TARGET); \
|
|
@ -1,384 +0,0 @@
|
|||||||
Use fipscheck compatible way of verification of the integrity of the libcrypto
|
|
||||||
shared library.
|
|
||||||
diff -up openssl-0.9.8j/test/Makefile.use-fipscheck openssl-0.9.8j/test/Makefile
|
|
||||||
--- openssl-0.9.8j/test/Makefile.use-fipscheck 2008-12-13 13:22:47.000000000 +0100
|
|
||||||
+++ openssl-0.9.8j/test/Makefile 2009-01-13 22:49:25.000000000 +0100
|
|
||||||
@@ -402,8 +402,7 @@ FIPS_BUILD_CMD=shlib_target=; if [ -n "$
|
|
||||||
if [ "$(FIPSCANLIB)" = "libfips" ]; then \
|
|
||||||
LIBRARIES="-L$(TOP) -lfips"; \
|
|
||||||
elif [ -n "$(FIPSCANLIB)" ]; then \
|
|
||||||
- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
|
|
||||||
- LIBRARIES="$${FIPSLIBDIR:-$(TOP)/fips/}fipscanister.o"; \
|
|
||||||
+ LIBRARIES="$(LIBCRYPTO)"; \
|
|
||||||
fi; \
|
|
||||||
$(MAKE) -f $(TOP)/Makefile.shared -e \
|
|
||||||
CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
|
|
||||||
@@ -414,9 +413,6 @@ FIPS_CRYPTO_BUILD_CMD=shlib_target=; if
|
|
||||||
shlib_target="$(SHLIB_TARGET)"; \
|
|
||||||
fi; \
|
|
||||||
LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \
|
|
||||||
- if [ -z "$(SHARED_LIBS)" -a -n "$(FIPSCANLIB)" ] ; then \
|
|
||||||
- FIPSLD_CC=$(CC); CC=$(TOP)/fips/fipsld; export CC FIPSLD_CC; \
|
|
||||||
- fi; \
|
|
||||||
[ "$(FIPSCANLIB)" = "libfips" ] && LIBRARIES="$$LIBRARIES -lfips"; \
|
|
||||||
$(MAKE) -f $(TOP)/Makefile.shared -e \
|
|
||||||
CC=$${CC} APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
|
|
||||||
diff -up openssl-0.9.8j/Makefile.org.use-fipscheck openssl-0.9.8j/Makefile.org
|
|
||||||
--- openssl-0.9.8j/Makefile.org.use-fipscheck 2009-01-13 22:35:48.000000000 +0100
|
|
||||||
+++ openssl-0.9.8j/Makefile.org 2009-01-13 22:35:49.000000000 +0100
|
|
||||||
@@ -357,10 +357,6 @@ libcrypto$(SHLIB_EXT): libcrypto.a $(SHA
|
|
||||||
$(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \
|
|
||||||
$(AR) libcrypto.a fips/fipscanister.o ; \
|
|
||||||
else \
|
|
||||||
- if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
|
|
||||||
- FIPSLD_CC=$(CC); CC=fips/fipsld; \
|
|
||||||
- export CC FIPSLD_CC; \
|
|
||||||
- fi; \
|
|
||||||
$(MAKE) -e SHLIBDIRS='crypto' build-shared; \
|
|
||||||
fi \
|
|
||||||
else \
|
|
||||||
@@ -381,9 +377,8 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT
|
|
||||||
fips/fipscanister.o: build_fips
|
|
||||||
libfips$(SHLIB_EXT): fips/fipscanister.o
|
|
||||||
@if [ "$(SHLIB_TARGET)" != "" ]; then \
|
|
||||||
- FIPSLD_CC=$(CC); CC=fips/fipsld; export CC FIPSLD_CC; \
|
|
||||||
$(MAKE) -f Makefile.shared -e $(BUILDENV) \
|
|
||||||
- CC=$${CC} LIBNAME=fips THIS=$@ \
|
|
||||||
+ CC=$(CC) LIBNAME=fips THIS=$@ \
|
|
||||||
LIBEXTRAS=fips/fipscanister.o \
|
|
||||||
LIBDEPS="$(EX_LIBS)" \
|
|
||||||
LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
|
|
||||||
@@ -469,7 +464,7 @@ openssl.pc: Makefile
|
|
||||||
echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
|
|
||||||
echo 'Version: '$(VERSION); \
|
|
||||||
echo 'Requires: '; \
|
|
||||||
- echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
|
|
||||||
+ echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)';\
|
|
||||||
echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
|
|
||||||
|
|
||||||
Makefile: Makefile.org Configure config
|
|
||||||
diff -up openssl-0.9.8j/fips/fips.c.use-fipscheck openssl-0.9.8j/fips/fips.c
|
|
||||||
--- openssl-0.9.8j/fips/fips.c.use-fipscheck 2008-09-16 12:12:09.000000000 +0200
|
|
||||||
+++ openssl-0.9.8j/fips/fips.c 2009-01-13 22:35:49.000000000 +0100
|
|
||||||
@@ -47,6 +47,7 @@
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
|
|
||||||
+#define _GNU_SOURCE
|
|
||||||
|
|
||||||
#include <openssl/rand.h>
|
|
||||||
#include <openssl/fips_rand.h>
|
|
||||||
@@ -56,6 +57,9 @@
|
|
||||||
#include <openssl/rsa.h>
|
|
||||||
#include <string.h>
|
|
||||||
#include <limits.h>
|
|
||||||
+#include <dlfcn.h>
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
#include "fips_locl.h"
|
|
||||||
|
|
||||||
#ifdef OPENSSL_FIPS
|
|
||||||
@@ -165,6 +169,7 @@ int FIPS_selftest()
|
|
||||||
&& FIPS_selftest_dsa();
|
|
||||||
}
|
|
||||||
|
|
||||||
+#if 0
|
|
||||||
extern const void *FIPS_text_start(), *FIPS_text_end();
|
|
||||||
extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[];
|
|
||||||
unsigned char FIPS_signature [20] = { 0 };
|
|
||||||
@@ -243,6 +248,206 @@ int FIPS_check_incore_fingerprint(void)
|
|
||||||
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
+#else
|
|
||||||
+/* we implement what libfipscheck does ourselves */
|
|
||||||
+
|
|
||||||
+static int
|
|
||||||
+get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen)
|
|
||||||
+{
|
|
||||||
+ Dl_info info;
|
|
||||||
+ void *dl, *sym;
|
|
||||||
+ int rv = -1;
|
|
||||||
+
|
|
||||||
+ dl = dlopen(libname, RTLD_NODELETE|RTLD_NOLOAD|RTLD_LAZY);
|
|
||||||
+ if (dl == NULL) {
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ sym = dlsym(dl, symbolname);
|
|
||||||
+
|
|
||||||
+ if (sym != NULL && dladdr(sym, &info)) {
|
|
||||||
+ strncpy(path, info.dli_fname, pathlen-1);
|
|
||||||
+ path[pathlen-1] = '\0';
|
|
||||||
+ rv = 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ dlclose(dl);
|
|
||||||
+
|
|
||||||
+ return rv;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static const char conv[] = "0123456789abcdef";
|
|
||||||
+
|
|
||||||
+static char *
|
|
||||||
+bin2hex(void *buf, size_t len)
|
|
||||||
+{
|
|
||||||
+ char *hex, *p;
|
|
||||||
+ unsigned char *src = buf;
|
|
||||||
+
|
|
||||||
+ hex = malloc(len * 2 + 1);
|
|
||||||
+ if (hex == NULL)
|
|
||||||
+ return NULL;
|
|
||||||
+
|
|
||||||
+ p = hex;
|
|
||||||
+
|
|
||||||
+ while (len > 0) {
|
|
||||||
+ unsigned c;
|
|
||||||
+
|
|
||||||
+ c = *src;
|
|
||||||
+ src++;
|
|
||||||
+
|
|
||||||
+ *p = conv[c >> 4];
|
|
||||||
+ ++p;
|
|
||||||
+ *p = conv[c & 0x0f];
|
|
||||||
+ ++p;
|
|
||||||
+ --len;
|
|
||||||
+ }
|
|
||||||
+ *p = '\0';
|
|
||||||
+ return hex;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#define HMAC_PREFIX "."
|
|
||||||
+#define HMAC_SUFFIX ".hmac"
|
|
||||||
+#define READ_BUFFER_LENGTH 16384
|
|
||||||
+
|
|
||||||
+static char *
|
|
||||||
+make_hmac_path(const char *origpath)
|
|
||||||
+{
|
|
||||||
+ char *path, *p;
|
|
||||||
+ const char *fn;
|
|
||||||
+
|
|
||||||
+ path = malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
|
|
||||||
+ if(path == NULL) {
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ fn = strrchr(origpath, '/');
|
|
||||||
+ if (fn == NULL) {
|
|
||||||
+ fn = origpath;
|
|
||||||
+ } else {
|
|
||||||
+ ++fn;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ strncpy(path, origpath, fn-origpath);
|
|
||||||
+ p = path + (fn - origpath);
|
|
||||||
+ p = stpcpy(p, HMAC_PREFIX);
|
|
||||||
+ p = stpcpy(p, fn);
|
|
||||||
+ p = stpcpy(p, HMAC_SUFFIX);
|
|
||||||
+
|
|
||||||
+ return path;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
|
|
||||||
+
|
|
||||||
+static int
|
|
||||||
+compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
|
|
||||||
+{
|
|
||||||
+ FILE *f = NULL;
|
|
||||||
+ int rv = -1;
|
|
||||||
+ unsigned char rbuf[READ_BUFFER_LENGTH];
|
|
||||||
+ size_t len;
|
|
||||||
+ unsigned int hlen;
|
|
||||||
+ HMAC_CTX c;
|
|
||||||
+
|
|
||||||
+ HMAC_CTX_init(&c);
|
|
||||||
+
|
|
||||||
+ f = fopen(path, "r");
|
|
||||||
+
|
|
||||||
+ if (f == NULL) {
|
|
||||||
+ goto end;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ HMAC_Init(&c, hmackey, sizeof(hmackey)-1, EVP_sha256());
|
|
||||||
+
|
|
||||||
+ while ((len=fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
|
|
||||||
+ HMAC_Update(&c, rbuf, len);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ len = sizeof(rbuf);
|
|
||||||
+ /* reuse rbuf for hmac */
|
|
||||||
+ HMAC_Final(&c, rbuf, &hlen);
|
|
||||||
+
|
|
||||||
+ *buf = malloc(hlen);
|
|
||||||
+ if (*buf == NULL) {
|
|
||||||
+ goto end;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ *hmaclen = hlen;
|
|
||||||
+
|
|
||||||
+ memcpy(*buf, rbuf, hlen);
|
|
||||||
+
|
|
||||||
+ rv = 0;
|
|
||||||
+end:
|
|
||||||
+ HMAC_CTX_cleanup(&c);
|
|
||||||
+
|
|
||||||
+ if (f)
|
|
||||||
+ fclose(f);
|
|
||||||
+
|
|
||||||
+ return rv;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int
|
|
||||||
+FIPSCHECK_verify(const char *libname, const char *symbolname)
|
|
||||||
+{
|
|
||||||
+ char path[PATH_MAX+1];
|
|
||||||
+ int rv;
|
|
||||||
+ FILE *hf;
|
|
||||||
+ char *hmacpath, *p;
|
|
||||||
+ char *hmac = NULL;
|
|
||||||
+ size_t n;
|
|
||||||
+
|
|
||||||
+ rv = get_library_path(libname, symbolname, path, sizeof(path));
|
|
||||||
+
|
|
||||||
+ if (rv < 0)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ hmacpath = make_hmac_path(path);
|
|
||||||
+
|
|
||||||
+ hf = fopen(hmacpath, "r");
|
|
||||||
+ if (hf == NULL) {
|
|
||||||
+ free(hmacpath);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (getline(&hmac, &n, hf) > 0) {
|
|
||||||
+ void *buf;
|
|
||||||
+ size_t hmaclen;
|
|
||||||
+ char *hex;
|
|
||||||
+
|
|
||||||
+ if ((p=strchr(hmac, '\n')) != NULL)
|
|
||||||
+ *p = '\0';
|
|
||||||
+
|
|
||||||
+ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
|
|
||||||
+ rv = -4;
|
|
||||||
+ goto end;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if ((hex=bin2hex(buf, hmaclen)) == NULL) {
|
|
||||||
+ free(buf);
|
|
||||||
+ rv = -5;
|
|
||||||
+ goto end;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (strcmp(hex, hmac) != 0) {
|
|
||||||
+ rv = -1;
|
|
||||||
+ }
|
|
||||||
+ free(buf);
|
|
||||||
+ free(hex);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+end:
|
|
||||||
+ free(hmac);
|
|
||||||
+ free(hmacpath);
|
|
||||||
+ fclose(hf);
|
|
||||||
+
|
|
||||||
+ if (rv < 0)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ /* check successful */
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
int FIPS_mode_set(int onoff)
|
|
||||||
{
|
|
||||||
@@ -280,16 +485,9 @@ int FIPS_mode_set(int onoff)
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
- if(fips_signature_witness() != FIPS_signature)
|
|
||||||
- {
|
|
||||||
- FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_CONTRADICTING_EVIDENCE);
|
|
||||||
- fips_selftest_fail = 1;
|
|
||||||
- ret = 0;
|
|
||||||
- goto end;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if(!FIPS_check_incore_fingerprint())
|
|
||||||
+ if(!FIPSCHECK_verify("libcrypto.so.0.9.8e","FIPS_mode_set"))
|
|
||||||
{
|
|
||||||
+ FIPSerr(FIPS_F_FIPS_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
|
|
||||||
fips_selftest_fail = 1;
|
|
||||||
ret = 0;
|
|
||||||
goto end;
|
|
||||||
@@ -405,11 +603,13 @@ int fips_clear_owning_thread(void)
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#if 0
|
|
||||||
unsigned char *fips_signature_witness(void)
|
|
||||||
{
|
|
||||||
extern unsigned char FIPS_signature[];
|
|
||||||
return FIPS_signature;
|
|
||||||
}
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
/* Generalized public key test routine. Signs and verifies the data
|
|
||||||
* supplied in tbs using mesage digest md and setting option digest
|
|
||||||
diff -up openssl-0.9.8j/fips/Makefile.use-fipscheck openssl-0.9.8j/fips/Makefile
|
|
||||||
--- openssl-0.9.8j/fips/Makefile.use-fipscheck 2009-01-13 22:35:49.000000000 +0100
|
|
||||||
+++ openssl-0.9.8j/fips/Makefile 2009-01-13 22:36:15.000000000 +0100
|
|
||||||
@@ -62,9 +62,9 @@ testapps:
|
|
||||||
|
|
||||||
all:
|
|
||||||
@if [ -z "$(FIPSLIBDIR)" ]; then \
|
|
||||||
- $(MAKE) -e subdirs lib fips_premain_dso$(EXE_EXT); \
|
|
||||||
+ $(MAKE) -e subdirs lib; \
|
|
||||||
else \
|
|
||||||
- $(MAKE) -e lib fips_premain_dso$(EXE_EXT) fips_standalone_sha1$(EXE_EXT); \
|
|
||||||
+ $(MAKE) -e lib; \
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Idea behind fipscanister.o is to "seize" the sequestered code between
|
|
||||||
@@ -109,7 +109,6 @@ fipscanister.o: fips_start.o $(LIBOBJ) $
|
|
||||||
HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \
|
|
||||||
*) set -x; $(CC) $$cflags -r -o $@ $$objs ;; \
|
|
||||||
esac fi
|
|
||||||
- ./fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1
|
|
||||||
|
|
||||||
# If another exception is immediately required, assign approprite
|
|
||||||
# site-specific ld command to FIPS_SITE_LD environment variable.
|
|
||||||
@@ -171,7 +170,7 @@ $(FIPSCANLIB): $(FIPSCANLOC)
|
|
||||||
$(RANLIB) ../$(FIPSCANLIB).a || echo Never mind.
|
|
||||||
@touch lib
|
|
||||||
|
|
||||||
-shared: lib subdirs fips_premain_dso$(EXE_EXT)
|
|
||||||
+shared: lib subdirs
|
|
||||||
|
|
||||||
libs:
|
|
||||||
@target=lib; $(RECURSIVE_MAKE)
|
|
||||||
@@ -195,10 +194,6 @@ install:
|
|
||||||
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
|
|
||||||
done;
|
|
||||||
@target=install; $(RECURSIVE_MAKE)
|
|
||||||
- @cp -p -f fipscanister.o fipscanister.o.sha1 fips_premain.c \
|
|
||||||
- fips_premain.c.sha1 \
|
|
||||||
- $(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \
|
|
||||||
- chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips*
|
|
||||||
|
|
||||||
lint:
|
|
||||||
@target=lint; $(RECURSIVE_MAKE)
|
|
||||||
diff -up openssl-0.9.8j/fips/fips_locl.h.use-fipscheck openssl-0.9.8j/fips/fips_locl.h
|
|
||||||
--- openssl-0.9.8j/fips/fips_locl.h.use-fipscheck 2008-09-16 12:12:10.000000000 +0200
|
|
||||||
+++ openssl-0.9.8j/fips/fips_locl.h 2009-01-13 22:35:49.000000000 +0100
|
|
||||||
@@ -63,7 +63,9 @@ int fips_is_owning_thread(void);
|
|
||||||
int fips_set_owning_thread(void);
|
|
||||||
void fips_set_selftest_fail(void);
|
|
||||||
int fips_clear_owning_thread(void);
|
|
||||||
+#if 0
|
|
||||||
unsigned char *fips_signature_witness(void);
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
#define FIPS_MAX_CIPHER_TEST_SIZE 16
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user