Synced patches with native openssl-1.0.1e-38.fc21
- Synced patches with native openssl-1.0.1e-38.fc21 - Enable ECC support (RHBZ #1037919) - Fixes CVE-2013-6450 (RHBZ #1047844) - Fixes CVE-2013-4353 (RHBZ #1049062) - Fixes CVE-2013-6449 (RHBZ #1045444)
parent
cb23950912
commit
b629b66276
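--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.0.0d-usa.tar.bz2
 /openssl-1.0.1c-usa.tar.xz
 /openssl-1.0.1e-usa.tar.xz
+/openssl-1.0.1e-hobbled.tar.xz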
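--- a/README.FIPS
+++ b/README.FIPS
@@ -3,13 +3,15 @@ User guide for the FIPS Red Hat Enterprise Linux - OpenSSL Module
 
 This package contains libraries which comprise the FIPS 140-2
 Red Hat Enterprise Linux - OPENSSL Module.
+Note that the openssl-fips subpackage needs to be installed for the
+OpenSSL FIPS module installation to be complete.
 
 The module files
 ================
-/usr/lib[64]/libcrypto.so.1.0.0d
-/usr/lib[64]/libssl.so.1.0.0d
-/usr/lib[64]/.libcrypto.so.1.0.0d.hmac
-/usr/lib[64]/.libssl.so.1.0.0d.hmac
+/usr/lib[64]/libcrypto.so.1.0.1e
+/usr/lib[64]/libssl.so.1.0.1e
+/usr/lib[64]/.libcrypto.so.1.0.1e.hmac
+/usr/lib[64]/.libssl.so.1.0.1e.hmac
 
 Dependencies
 ============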
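--- a/ec_curve.c
+++ b/ec_curve.c
@@ -0,0 +1,396 @@
+/* crypto/ec/ec_curve.c */
+/*
+* Written by Nils Larsch for the OpenSSL project.
+*/
+/* ====================================================================
+* Copyright (c) 1998-2010 The OpenSSL Project. All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in
+* the documentation and/or other materials provided with the
+* distribution.
+*
+* 3. All advertising materials mentioning features or use of this
+* software must display the following acknowledgment:
+* "This product includes software developed by the OpenSSL Project
+* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+*
+* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+* endorse or promote products derived from this software without
+* prior written permission. For written permission, please contact
+* openssl-core@openssl.org.
+*
+* 5. Products derived from this software may not be called "OpenSSL"
+* nor may "OpenSSL" appear in their names without prior written
+* permission of the OpenSSL Project.
+*
+* 6. Redistributions of any form whatsoever must retain the following
+* acknowledgment:
+* "This product includes software developed by the OpenSSL Project
+* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+*
+* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+* OF THE POSSIBILITY OF SUCH DAMAGE.
+* ====================================================================
+*
+* This product includes cryptographic software written by Eric Young
+* (eay@cryptsoft.com). This product includes software written by Tim
+* Hudson (tjh@cryptsoft.com).
+*
+*/
+/* ====================================================================
+* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+*
+* Portions of the attached software ("Contribution") are developed by
+* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
+*
+* The Contribution is licensed pursuant to the OpenSSL open source
+* license provided above.
+*
+* The elliptic curve binary polynomial software is originally written by
+* Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
+*
+*/
+
+#include "ec_lcl.h"
+#include <openssl/err.h>
+#include <openssl/obj_mac.h>
+#include <openssl/opensslconf.h>
+
+typedef struct {
+int field_type, /* either NID_X9_62_prime_field or
+* NID_X9_62_characteristic_two_field */
+seed_len,
+param_len;
+unsigned int cofactor; /* promoted to BN_ULONG */
+} EC_CURVE_DATA;
+
+static const struct { EC_CURVE_DATA h; unsigned char data[20+48*6]; }
+_EC_NIST_PRIME_384 = {
+{ NID_X9_62_prime_field,20,48,1 },
+{ 0xA3,0x35,0x92,0x6A,0xA3,0x19,0xA2,0x7A,0x1D,0x00, /* seed */
+0x89,0x6A,0x67,0x73,0xA4,0x82,0x7A,0xCD,0xAC,0x73,
+
+0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */
+0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+0xFF,0xFE,0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,
+0x00,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFF,
+0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* a */
+0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+0xFF,0xFE,0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,
+0x00,0x00,0x00,0x00,0xFF,0xFF,0xFF,0xFC,
+0xB3,0x31,0x2F,0xA7,0xE2,0x3E,0xE7,0xE4,0x98,0x8E, /* b */
+0x05,0x6B,0xE3,0xF8,0x2D,0x19,0x18,0x1D,0x9C,0x6E,
+0xFE,0x81,0x41,0x12,0x03,0x14,0x08,0x8F,0x50,0x13,
+0x87,0x5A,0xC6,0x56,0x39,0x8D,0x8A,0x2E,0xD1,0x9D,
+0x2A,0x85,0xC8,0xED,0xD3,0xEC,0x2A,0xEF,
+0xAA,0x87,0xCA,0x22,0xBE,0x8B,0x05,0x37,0x8E,0xB1, /* x */
+0xC7,0x1E,0xF3,0x20,0xAD,0x74,0x6E,0x1D,0x3B,0x62,
+0x8B,0xA7,0x9B,0x98,0x59,0xF7,0x41,0xE0,0x82,0x54,
+0x2A,0x38,0x55,0x02,0xF2,0x5D,0xBF,0x55,0x29,0x6C,
+0x3A,0x54,0x5E,0x38,0x72,0x76,0x0A,0xB7,
+0x36,0x17,0xde,0x4a,0x96,0x26,0x2c,0x6f,0x5d,0x9e, /* y */
+0x98,0xbf,0x92,0x92,0xdc,0x29,0xf8,0xf4,0x1d,0xbd,
+0x28,0x9a,0x14,0x7c,0xe9,0xda,0x31,0x13,0xb5,0xf0,
+0xb8,0xc0,0x0a,0x60,0xb1,0xce,0x1d,0x7e,0x81,0x9d,
+0x7a,0x43,0x1d,0x7c,0x90,0xea,0x0e,0x5f,
+0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */
+0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+0xFF,0xFF,0xFF,0xFF,0xC7,0x63,0x4D,0x81,0xF4,0x37,
+0x2D,0xDF,0x58,0x1A,0x0D,0xB2,0x48,0xB0,0xA7,0x7A,
+0xEC,0xEC,0x19,0x6A,0xCC,0xC5,0x29,0x73 }
+};
+
+static const struct { EC_CURVE_DATA h; unsigned char data[20+66*6]; }
+_EC_NIST_PRIME_521 = {
+{ NID_X9_62_prime_field,20,66,1 },
+{ 0xD0,0x9E,0x88,0x00,0x29,0x1C,0xB8,0x53,0x96,0xCC, /* seed */
+0x67,0x17,0x39,0x32,0x84,0xAA,0xA0,0xDA,0x64,0xBA,
+
+0x01,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */
+0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+0x01,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* a */
+0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+0xFF,0xFF,0xFF,0xFF,0xFF,0xFC,
+0x00,0x51,0x95,0x3E,0xB9,0x61,0x8E,0x1C,0x9A,0x1F, /* b */
+0x92,0x9A,0x21,0xA0,0xB6,0x85,0x40,0xEE,0xA2,0xDA,
+0x72,0x5B,0x99,0xB3,0x15,0xF3,0xB8,0xB4,0x89,0x91,
+0x8E,0xF1,0x09,0xE1,0x56,0x19,0x39,0x51,0xEC,0x7E,
+0x93,0x7B,0x16,0x52,0xC0,0xBD,0x3B,0xB1,0xBF,0x07,
+0x35,0x73,0xDF,0x88,0x3D,0x2C,0x34,0xF1,0xEF,0x45,
+0x1F,0xD4,0x6B,0x50,0x3F,0x00,
+0x00,0xC6,0x85,0x8E,0x06,0xB7,0x04,0x04,0xE9,0xCD, /* x */
+0x9E,0x3E,0xCB,0x66,0x23,0x95,0xB4,0x42,0x9C,0x64,
+0x81,0x39,0x05,0x3F,0xB5,0x21,0xF8,0x28,0xAF,0x60,
+0x6B,0x4D,0x3D,0xBA,0xA1,0x4B,0x5E,0x77,0xEF,0xE7,
+0x59,0x28,0xFE,0x1D,0xC1,0x27,0xA2,0xFF,0xA8,0xDE,
+0x33,0x48,0xB3,0xC1,0x85,0x6A,0x42,0x9B,0xF9,0x7E,
+0x7E,0x31,0xC2,0xE5,0xBD,0x66,
+0x01,0x18,0x39,0x29,0x6a,0x78,0x9a,0x3b,0xc0,0x04, /* y */
+0x5c,0x8a,0x5f,0xb4,0x2c,0x7d,0x1b,0xd9,0x98,0xf5,
+0x44,0x49,0x57,0x9b,0x44,0x68,0x17,0xaf,0xbd,0x17,
+0x27,0x3e,0x66,0x2c,0x97,0xee,0x72,0x99,0x5e,0xf4,
+0x26,0x40,0xc5,0x50,0xb9,0x01,0x3f,0xad,0x07,0x61,
+0x35,0x3c,0x70,0x86,0xa2,0x72,0xc2,0x40,0x88,0xbe,
+0x94,0x76,0x9f,0xd1,0x66,0x50,
+0x01,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */
+0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+0xFF,0xFF,0xFF,0xFA,0x51,0x86,0x87,0x83,0xBF,0x2F,
+0x96,0x6B,0x7F,0xCC,0x01,0x48,0xF7,0x09,0xA5,0xD0,
+0x3B,0xB5,0xC9,0xB8,0x89,0x9C,0x47,0xAE,0xBB,0x6F,
+0xB7,0x1E,0x91,0x38,0x64,0x09 }
+};
+
+static const struct { EC_CURVE_DATA h; unsigned char data[20+32*6]; }
+_EC_X9_62_PRIME_256V1 = {
+{ NID_X9_62_prime_field,20,32,1 },
+{ 0xC4,0x9D,0x36,0x08,0x86,0xE7,0x04,0x93,0x6A,0x66, /* seed */
+0x78,0xE1,0x13,0x9D,0x26,0xB7,0x81,0x9F,0x7E,0x90,
+
+0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x01,0x00,0x00, /* p */
+0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+0xFF,0xFF,
+0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x01,0x00,0x00, /* a */
+0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+0xFF,0xFC,
+0x5A,0xC6,0x35,0xD8,0xAA,0x3A,0x93,0xE7,0xB3,0xEB, /* b */
+0xBD,0x55,0x76,0x98,0x86,0xBC,0x65,0x1D,0x06,0xB0,
+0xCC,0x53,0xB0,0xF6,0x3B,0xCE,0x3C,0x3E,0x27,0xD2,
+0x60,0x4B,
+0x6B,0x17,0xD1,0xF2,0xE1,0x2C,0x42,0x47,0xF8,0xBC, /* x */
+0xE6,0xE5,0x63,0xA4,0x40,0xF2,0x77,0x03,0x7D,0x81,
+0x2D,0xEB,0x33,0xA0,0xF4,0xA1,0x39,0x45,0xD8,0x98,
+0xC2,0x96,
+0x4f,0xe3,0x42,0xe2,0xfe,0x1a,0x7f,0x9b,0x8e,0xe7, /* y */
+0xeb,0x4a,0x7c,0x0f,0x9e,0x16,0x2b,0xce,0x33,0x57,
+0x6b,0x31,0x5e,0xce,0xcb,0xb6,0x40,0x68,0x37,0xbf,
+0x51,0xf5,
+0xFF,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00,0xFF,0xFF, /* order */
+0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xBC,0xE6,0xFA,0xAD,
+0xA7,0x17,0x9E,0x84,0xF3,0xB9,0xCA,0xC2,0xFC,0x63,
+0x25,0x51 }
+};
+
+typedef struct _ec_list_element_st {
+int nid;
+const EC_CURVE_DATA *data;
+const EC_METHOD *(*meth)(void);
+const char *comment;
+} ec_list_element;
+
+static const ec_list_element curve_list[] = {
+/* prime field curves */
+/* secg curves */
+/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
+{ NID_secp384r1, &_EC_NIST_PRIME_384.h, 0, "NIST/SECG curve over a 384 bit prime field" },
+#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+{ NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method, "NIST/SECG curve over a 521 bit prime field" },
+#else
+{ NID_secp521r1, &_EC_NIST_PRIME_521.h, 0, "NIST/SECG curve over a 521 bit prime field" },
+#endif
+#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+{ NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, EC_GFp_nistp256_method, "X9.62/SECG curve over a 256 bit prime field" },
+#else
+{ NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, 0, "X9.62/SECG curve over a 256 bit prime field" },
+#endif
+};
+
+#define curve_list_length (sizeof(curve_list)/sizeof(ec_list_element))
+
+static EC_GROUP *ec_group_new_from_data(const ec_list_element curve)
+{
+EC_GROUP *group=NULL;
+EC_POINT *P=NULL;
+BN_CTX *ctx=NULL;
+BIGNUM *p=NULL, *a=NULL, *b=NULL, *x=NULL, *y=NULL, *order=NULL;
+int ok=0;
+int seed_len,param_len;
+const EC_METHOD *meth;
+const EC_CURVE_DATA *data;
+const unsigned char *params;
+
+if ((ctx = BN_CTX_new()) == NULL)
+{
+ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_MALLOC_FAILURE);
+goto err;
+}
+
+data = curve.data;
+seed_len = data->seed_len;
+param_len = data->param_len;
+params = (const unsigned char *)(data+1); /* skip header */
+params += seed_len; /* skip seed */
+
+if (!(p = BN_bin2bn(params+0*param_len, param_len, NULL))
+|| !(a = BN_bin2bn(params+1*param_len, param_len, NULL))
+|| !(b = BN_bin2bn(params+2*param_len, param_len, NULL)))
+{
+ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
+goto err;
+}
+
+if (curve.meth != 0)
+{
+meth = curve.meth();
+if (((group = EC_GROUP_new(meth)) == NULL) ||
+(!(group->meth->group_set_curve(group, p, a, b, ctx))))
+{
+ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+goto err;
+}
+}
+else if (data->field_type == NID_X9_62_prime_field)
+{
+if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL)
+{
+ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+goto err;
+}
+}
+#ifndef OPENSSL_NO_EC2M
+else /* field_type == NID_X9_62_characteristic_two_field */
+{
+if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL)
+{
+ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+goto err;
+}
+}
+#endif
+
+if ((P = EC_POINT_new(group)) == NULL)
+{
+ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+goto err;
+}
+
+if (!(x = BN_bin2bn(params+3*param_len, param_len, NULL))
+|| !(y = BN_bin2bn(params+4*param_len, param_len, NULL)))
+{
+ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
+goto err;
+}
+if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx))
+{
+ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+goto err;
+}
+if (!(order = BN_bin2bn(params+5*param_len, param_len, NULL))
+|| !BN_set_word(x, (BN_ULONG)data->cofactor))
+{
+ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
+goto err;
+}
+if (!EC_GROUP_set_generator(group, P, order, x))
+{
+ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+goto err;
+}
+if (seed_len)
+{
+if (!EC_GROUP_set_seed(group, params-seed_len, seed_len))
+{
+ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
+goto err;
+}
+}
+ok=1;
+err:
+if (!ok)
+{
+EC_GROUP_free(group);
+group = NULL;
+}
+if (P)
+EC_POINT_free(P);
+if (ctx)
+BN_CTX_free(ctx);
+if (p)
+BN_free(p);
+if (a)
+BN_free(a);
+if (b)
+BN_free(b);
+if (order)
+BN_free(order);
+if (x)
+BN_free(x);
+if (y)
+BN_free(y);
+return group;
+}
+
+EC_GROUP *EC_GROUP_new_by_curve_name(int nid)
+{
+size_t i;
+EC_GROUP *ret = NULL;
+
+if (nid <= 0)
+return NULL;
+
+for (i=0; i<curve_list_length; i++)
+if (curve_list[i].nid == nid)
+{
+ret = ec_group_new_from_data(curve_list[i]);
+break;
+}
+
+if (ret == NULL)
+{
+ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_UNKNOWN_GROUP);
+return NULL;
+}
+
+EC_GROUP_set_curve_name(ret, nid);
+
+return ret;
+}
+
+size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
+{
+size_t i, min;
+
+if (r == NULL || nitems == 0)
+return curve_list_length;
+
+min = nitems < curve_list_length ? nitems : curve_list_length;
+
+for (i = 0; i < min; i++)
+{
+r[i].nid = curve_list[i].nid;
+r[i].comment = curve_list[i].comment;
+}
+
+return curve_list_length;
+}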
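Review bot: In `ec_group_new_from_data`, when `OPENSSL_NO_EC2M` is defined the final `else` arm is compiled out, so a table entry with `meth == 0` and a non-prime `field_type` leaves `group` NULL and execution continues into `EC_POINT_new(group)`. The three entries in this `curve_list` are all prime-field, so the path is not reachable with the table as committed, but the function then depends on `EC_POINT_new` (defined outside this file) rejecting a NULL group. An explicit `#else` arm, `else { ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, EC_R_UNKNOWN_GROUP); goto err; }`, would keep the failure local and correctly labelled. Separately, the `params = (const unsigned char *)(data+1)` arithmetic trusts each header's `seed_len` and `param_len` to match the `data[20+N*6]` declaration that follows it; a comment on `EC_CURVE_DATA` such as `/* followed in memory by seed_len seed bytes, then p, a, b, x, y, order of param_len bytes each */` would record that invariant for whoever next edits the tables.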
742
ectest.c
Normal file
742
ectest.c
Normal file
@ -0,0 +1,742 @@
|
|||||||
|
/* crypto/ec/ectest.c */
|
||||||
|
/*
|
||||||
|
* Originally written by Bodo Moeller for the OpenSSL project.
|
||||||
|
*/
|
||||||
|
/* ====================================================================
|
||||||
|
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
|
||||||
|
*
|
||||||
|
* Redistribution and use in source and binary forms, with or without
|
||||||
|
* modification, are permitted provided that the following conditions
|
||||||
|
* are met:
|
||||||
|
*
|
||||||
|
* 1. Redistributions of source code must retain the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer.
|
||||||
|
*
|
||||||
|
* 2. Redistributions in binary form must reproduce the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer in
|
||||||
|
* the documentation and/or other materials provided with the
|
||||||
|
* distribution.
|
||||||
|
*
|
||||||
|
* 3. All advertising materials mentioning features or use of this
|
||||||
|
* software must display the following acknowledgment:
|
||||||
|
* "This product includes software developed by the OpenSSL Project
|
||||||
|
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
|
||||||
|
*
|
||||||
|
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
||||||
|
* endorse or promote products derived from this software without
|
||||||
|
* prior written permission. For written permission, please contact
|
||||||
|
* openssl-core@openssl.org.
|
||||||
|
*
|
||||||
|
* 5. Products derived from this software may not be called "OpenSSL"
|
||||||
|
* nor may "OpenSSL" appear in their names without prior written
|
||||||
|
* permission of the OpenSSL Project.
|
||||||
|
*
|
||||||
|
* 6. Redistributions of any form whatsoever must retain the following
|
||||||
|
* acknowledgment:
|
||||||
|
* "This product includes software developed by the OpenSSL Project
|
||||||
|
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
|
||||||
|
*
|
||||||
|
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
||||||
|
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||||
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||||
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
||||||
|
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||||
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||||
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||||
|
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||||
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||||
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||||
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||||
|
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
|
* ====================================================================
|
||||||
|
*
|
||||||
|
* This product includes cryptographic software written by Eric Young
|
||||||
|
* (eay@cryptsoft.com). This product includes software written by Tim
|
||||||
|
* Hudson (tjh@cryptsoft.com).
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
/* ====================================================================
|
||||||
|
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
|
||||||
|
*
|
||||||
|
* Portions of the attached software ("Contribution") are developed by
|
||||||
|
* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
|
||||||
|
*
|
||||||
|
* The Contribution is licensed pursuant to the OpenSSL open source
|
||||||
|
* license provided above.
|
||||||
|
*
|
||||||
|
* The elliptic curve binary polynomial software is originally written by
|
||||||
|
* Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#ifdef FLAT_INC
|
||||||
|
#include "e_os.h"
|
||||||
|
#else
|
||||||
|
#include "../e_os.h"
|
||||||
|
#endif
|
||||||
|
#include <string.h>
|
||||||
|
#include <time.h>
|
||||||
|
|
||||||
|
|
||||||
|
#ifdef OPENSSL_NO_EC
|
||||||
|
int main(int argc, char * argv[]) { puts("Elliptic curves are disabled."); return 0; }
|
||||||
|
#else
|
||||||
|
|
||||||
|
|
||||||
|
#include <openssl/ec.h>
|
||||||
|
#ifndef OPENSSL_NO_ENGINE
|
||||||
|
#include <openssl/engine.h>
|
||||||
|
#endif
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#include <openssl/obj_mac.h>
|
||||||
|
#include <openssl/objects.h>
|
||||||
|
#include <openssl/rand.h>
|
||||||
|
#include <openssl/bn.h>
|
||||||
|
#include <openssl/opensslconf.h>
|
||||||
|
|
||||||
|
#if defined(_MSC_VER) && defined(_MIPS_) && (_MSC_VER/100==12)
|
||||||
|
/* suppress "too big too optimize" warning */
|
||||||
|
#pragma warning(disable:4959)
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#define ABORT do { \
|
||||||
|
fflush(stdout); \
|
||||||
|
fprintf(stderr, "%s:%d: ABORT\n", __FILE__, __LINE__); \
|
||||||
|
ERR_print_errors_fp(stderr); \
|
||||||
|
EXIT(1); \
|
||||||
|
} while (0)
|
||||||
|
|
||||||
|
#define TIMING_BASE_PT 0
|
||||||
|
#define TIMING_RAND_PT 1
|
||||||
|
#define TIMING_SIMUL 2
|
||||||
|
|
||||||
|
#if 0
|
||||||
|
static void timings(EC_GROUP *group, int type, BN_CTX *ctx)
|
||||||
|
{
|
||||||
|
clock_t clck;
|
||||||
|
int i, j;
|
||||||
|
BIGNUM *s;
|
||||||
|
BIGNUM *r[10], *r0[10];
|
||||||
|
EC_POINT *P;
|
||||||
|
|
||||||
|
s = BN_new();
|
||||||
|
if (s == NULL) ABORT;
|
||||||
|
|
||||||
|
fprintf(stdout, "Timings for %d-bit field, ", EC_GROUP_get_degree(group));
|
||||||
|
if (!EC_GROUP_get_order(group, s, ctx)) ABORT;
|
||||||
|
fprintf(stdout, "%d-bit scalars ", (int)BN_num_bits(s));
|
||||||
|
fflush(stdout);
|
||||||
|
|
||||||
|
P = EC_POINT_new(group);
|
||||||
|
if (P == NULL) ABORT;
|
||||||
|
EC_POINT_copy(P, EC_GROUP_get0_generator(group));
|
||||||
|
|
||||||
|
for (i = 0; i < 10; i++)
|
||||||
|
{
|
||||||
|
if ((r[i] = BN_new()) == NULL) ABORT;
|
||||||
|
if (!BN_pseudo_rand(r[i], BN_num_bits(s), 0, 0)) ABORT;
|
||||||
|
if (type != TIMING_BASE_PT)
|
||||||
|
{
|
||||||
|
if ((r0[i] = BN_new()) == NULL) ABORT;
|
||||||
|
if (!BN_pseudo_rand(r0[i], BN_num_bits(s), 0, 0)) ABORT;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
clck = clock();
|
||||||
|
for (i = 0; i < 10; i++)
|
||||||
|
{
|
||||||
|
for (j = 0; j < 10; j++)
|
||||||
|
{
|
||||||
|
if (!EC_POINT_mul(group, P, (type != TIMING_RAND_PT) ? r[i] : NULL,
|
||||||
|
(type != TIMING_BASE_PT) ? P : NULL, (type != TIMING_BASE_PT) ? r0[i] : NULL, ctx)) ABORT;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
clck = clock() - clck;
|
||||||
|
|
||||||
|
fprintf(stdout, "\n");
|
||||||
|
|
||||||
|
#ifdef CLOCKS_PER_SEC
|
||||||
|
/* "To determine the time in seconds, the value returned
|
||||||
|
* by the clock function should be divided by the value
|
||||||
|
* of the macro CLOCKS_PER_SEC."
|
||||||
|
* -- ISO/IEC 9899 */
|
||||||
|
# define UNIT "s"
|
||||||
|
#else
|
||||||
|
/* "`CLOCKS_PER_SEC' undeclared (first use this function)"
|
||||||
|
* -- cc on NeXTstep/OpenStep */
|
||||||
|
# define UNIT "units"
|
||||||
|
# define CLOCKS_PER_SEC 1
|
||||||
|
#endif
|
||||||
|
|
||||||
|
if (type == TIMING_BASE_PT) {
|
||||||
|
fprintf(stdout, "%i %s in %.2f " UNIT "\n", i*j,
|
||||||
|
"base point multiplications", (double)clck/CLOCKS_PER_SEC);
|
||||||
|
} else if (type == TIMING_RAND_PT) {
|
||||||
|
fprintf(stdout, "%i %s in %.2f " UNIT "\n", i*j,
|
||||||
|
"random point multiplications", (double)clck/CLOCKS_PER_SEC);
|
||||||
|
} else if (type == TIMING_SIMUL) {
|
||||||
|
fprintf(stdout, "%i %s in %.2f " UNIT "\n", i*j,
|
||||||
|
"s*P+t*Q operations", (double)clck/CLOCKS_PER_SEC);
|
||||||
|
}
|
||||||
|
fprintf(stdout, "average: %.4f " UNIT "\n", (double)clck/(CLOCKS_PER_SEC*i*j));
|
||||||
|
|
||||||
|
EC_POINT_free(P);
|
||||||
|
BN_free(s);
|
||||||
|
for (i = 0; i < 10; i++)
|
||||||
|
{
|
||||||
|
BN_free(r[i]);
|
||||||
|
if (type != TIMING_BASE_PT) BN_free(r0[i]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* test multiplication with group order, long and negative scalars */
|
||||||
|
static void group_order_tests(EC_GROUP *group)
|
||||||
|
{
|
||||||
|
BIGNUM *n1, *n2, *order;
|
||||||
|
EC_POINT *P = EC_POINT_new(group);
|
||||||
|
EC_POINT *Q = EC_POINT_new(group);
|
||||||
|
BN_CTX *ctx = BN_CTX_new();
|
||||||
|
|
||||||
|
n1 = BN_new(); n2 = BN_new(); order = BN_new();
|
||||||
|
fprintf(stdout, "verify group order ...");
|
||||||
|
fflush(stdout);
|
||||||
|
if (!EC_GROUP_get_order(group, order, ctx)) ABORT;
|
||||||
|
if (!EC_POINT_mul(group, Q, order, NULL, NULL, ctx)) ABORT;
|
||||||
|
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
|
||||||
|
fprintf(stdout, ".");
|
||||||
|
fflush(stdout);
|
||||||
|
if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
|
||||||
|
if (!EC_POINT_mul(group, Q, order, NULL, NULL, ctx)) ABORT;
|
||||||
|
if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
|
||||||
|
fprintf(stdout, " ok\n");
|
||||||
|
fprintf(stdout, "long/negative scalar tests ... ");
|
||||||
|
if (!BN_one(n1)) ABORT;
|
||||||
|
/* n1 = 1 - order */
|
||||||
|
if (!BN_sub(n1, n1, order)) ABORT;
|
||||||
|
if(!EC_POINT_mul(group, Q, NULL, P, n1, ctx)) ABORT;
|
||||||
|
if (0 != EC_POINT_cmp(group, Q, P, ctx)) ABORT;
|
||||||
|
/* n2 = 1 + order */
|
||||||
|
if (!BN_add(n2, order, BN_value_one())) ABORT;
|
||||||
|
if(!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) ABORT;
|
||||||
|
if (0 != EC_POINT_cmp(group, Q, P, ctx)) ABORT;
|
||||||
|
/* n2 = (1 - order) * (1 + order) */
|
||||||
|
if (!BN_mul(n2, n1, n2, ctx)) ABORT;
|
||||||
|
if(!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) ABORT;
|
||||||
|
if (0 != EC_POINT_cmp(group, Q, P, ctx)) ABORT;
|
||||||
|
fprintf(stdout, "ok\n");
|
||||||
|
EC_POINT_free(P);
|
||||||
|
EC_POINT_free(Q);
|
||||||
|
BN_free(n1);
|
||||||
|
BN_free(n2);
|
||||||
|
BN_free(order);
|
||||||
|
BN_CTX_free(ctx);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void prime_field_tests(void)
|
||||||
|
{
|
||||||
|
BN_CTX *ctx = NULL;
|
||||||
|
BIGNUM *p, *a, *b;
|
||||||
|
EC_GROUP *group;
|
||||||
|
EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL, *P_256 = NULL, *P_384 = NULL, *P_521 = NULL;
|
||||||
|
EC_POINT *P, *Q, *R;
|
||||||
|
BIGNUM *x, *y, *z;
|
||||||
|
unsigned char buf[100];
|
||||||
|
size_t i, len;
|
||||||
|
int k;
|
||||||
|
|
||||||
|
#if 1 /* optional */
|
||||||
|
ctx = BN_CTX_new();
|
||||||
|
if (!ctx) ABORT;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
p = BN_new();
|
||||||
|
a = BN_new();
|
||||||
|
b = BN_new();
|
||||||
|
if (!p || !a || !b) ABORT;
|
||||||
|
|
||||||
|
group = EC_GROUP_new(EC_GFp_mont_method()); /* applications should use EC_GROUP_new_curve_GFp
|
||||||
|
* so that the library gets to choose the EC_METHOD */
|
||||||
|
if (!group) ABORT;
|
||||||
|
|
||||||
|
P = EC_POINT_new(group);
|
||||||
|
Q = EC_POINT_new(group);
|
||||||
|
R = EC_POINT_new(group);
|
||||||
|
if (!P || !Q || !R) ABORT;
|
||||||
|
|
||||||
|
x = BN_new();
|
||||||
|
y = BN_new();
|
||||||
|
z = BN_new();
|
||||||
|
if (!x || !y || !z) ABORT;
|
||||||
|
|
||||||
|
/* Curve P-256 (FIPS PUB 186-2, App. 6) */
|
||||||
|
|
||||||
|
if (!BN_hex2bn(&p, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF")) ABORT;
|
||||||
|
if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
|
||||||
|
if (!BN_hex2bn(&a, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC")) ABORT;
|
||||||
|
if (!BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B")) ABORT;
|
||||||
|
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
|
||||||
|
|
||||||
|
if (!BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296")) ABORT;
|
||||||
|
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT;
|
||||||
|
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
|
||||||
|
if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E"
|
||||||
|
"84F3B9CAC2FC632551")) ABORT;
|
||||||
|
if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
|
||||||
|
|
||||||
|
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
|
||||||
|
fprintf(stdout, "\nNIST curve P-256 -- Generator:\n x = 0x");
|
||||||
|
BN_print_fp(stdout, x);
|
||||||
|
fprintf(stdout, "\n y = 0x");
|
||||||
|
BN_print_fp(stdout, y);
|
||||||
|
fprintf(stdout, "\n");
|
||||||
|
/* G_y value taken from the standard: */
|
||||||
|
if (!BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5")) ABORT;
|
||||||
|
if (0 != BN_cmp(y, z)) ABORT;
|
||||||
|
|
||||||
|
fprintf(stdout, "verify degree ...");
|
||||||
|
if (EC_GROUP_get_degree(group) != 256) ABORT;
|
||||||
|
fprintf(stdout, " ok\n");
|
||||||
|
|
||||||
|
group_order_tests(group);
|
||||||
|
|
||||||
|
if (!(P_256 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
|
||||||
|
if (!EC_GROUP_copy(P_256, group)) ABORT;
|
||||||
|
|
||||||
|
|
||||||
|
/* Curve P-384 (FIPS PUB 186-2, App. 6) */
|
||||||
|
|
||||||
|
if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
||||||
|
"FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF")) ABORT;
|
||||||
|
if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
|
||||||
|
if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
||||||
|
"FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC")) ABORT;
|
||||||
|
if (!BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141"
|
||||||
|
"120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF")) ABORT;
|
||||||
|
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
|
||||||
|
|
||||||
|
if (!BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B"
|
||||||
|
"9859F741E082542A385502F25DBF55296C3A545E3872760AB7")) ABORT;
|
||||||
|
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT;
|
||||||
|
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
|
||||||
|
if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
||||||
|
"FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973")) ABORT;
|
||||||
|
if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
|
||||||
|
|
||||||
|
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
|
||||||
|
fprintf(stdout, "\nNIST curve P-384 -- Generator:\n x = 0x");
|
||||||
|
BN_print_fp(stdout, x);
|
||||||
|
fprintf(stdout, "\n y = 0x");
|
||||||
|
BN_print_fp(stdout, y);
|
||||||
|
fprintf(stdout, "\n");
|
||||||
|
/* G_y value taken from the standard: */
|
||||||
|
if (!BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A14"
|
||||||
|
"7CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F")) ABORT;
|
||||||
|
if (0 != BN_cmp(y, z)) ABORT;
|
||||||
|
|
||||||
|
fprintf(stdout, "verify degree ...");
|
||||||
|
if (EC_GROUP_get_degree(group) != 384) ABORT;
|
||||||
|
fprintf(stdout, " ok\n");
|
||||||
|
|
||||||
|
group_order_tests(group);
|
||||||
|
|
||||||
|
if (!(P_384 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
|
||||||
|
if (!EC_GROUP_copy(P_384, group)) ABORT;
|
||||||
|
|
||||||
|
|
||||||
|
/* Curve P-521 (FIPS PUB 186-2, App. 6) */
|
||||||
|
|
||||||
|
if (!BN_hex2bn(&p, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
||||||
|
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
||||||
|
"FFFFFFFFFFFFFFFFFFFFFFFFFFFF")) ABORT;
|
||||||
|
if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
|
||||||
|
if (!BN_hex2bn(&a, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
||||||
|
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
||||||
|
"FFFFFFFFFFFFFFFFFFFFFFFFFFFC")) ABORT;
|
||||||
|
if (!BN_hex2bn(&b, "051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B"
|
||||||
|
"315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573"
|
||||||
|
"DF883D2C34F1EF451FD46B503F00")) ABORT;
|
||||||
|
if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
|
||||||
|
|
||||||
|
if (!BN_hex2bn(&x, "C6858E06B70404E9CD9E3ECB662395B4429C648139053F"
|
||||||
|
"B521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B"
|
||||||
|
"3C1856A429BF97E7E31C2E5BD66")) ABORT;
|
||||||
|
if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx)) ABORT;
|
||||||
|
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
|
||||||
|
if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
||||||
|
"FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5"
|
||||||
|
"C9B8899C47AEBB6FB71E91386409")) ABORT;
|
||||||
|
if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
|
||||||
|
|
||||||
|
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
|
||||||
|
fprintf(stdout, "\nNIST curve P-521 -- Generator:\n x = 0x");
|
||||||
|
BN_print_fp(stdout, x);
|
||||||
|
fprintf(stdout, "\n y = 0x");
|
||||||
|
BN_print_fp(stdout, y);
|
||||||
|
fprintf(stdout, "\n");
|
||||||
|
/* G_y value taken from the standard: */
|
||||||
|
if (!BN_hex2bn(&z, "11839296A789A3BC0045C8A5FB42C7D1BD998F54449579"
|
||||||
|
"B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C"
|
||||||
|
"7086A272C24088BE94769FD16650")) ABORT;
|
||||||
|
if (0 != BN_cmp(y, z)) ABORT;
|
||||||
|
|
||||||
|
fprintf(stdout, "verify degree ...");
|
||||||
|
if (EC_GROUP_get_degree(group) != 521) ABORT;
|
||||||
|
fprintf(stdout, " ok\n");
|
||||||
|
|
||||||
|
group_order_tests(group);
|
||||||
|
|
||||||
|
if (!(P_521 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
|
||||||
|
if (!EC_GROUP_copy(P_521, group)) ABORT;
|
||||||
|
|
||||||
|
|
||||||
|
/* more tests using the last curve */
|
||||||
|
|
||||||
|
if (!EC_POINT_copy(Q, P)) ABORT;
|
||||||
|
if (EC_POINT_is_at_infinity(group, Q)) ABORT;
|
||||||
|
if (!EC_POINT_dbl(group, P, P, ctx)) ABORT;
|
||||||
|
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
|
||||||
|
if (!EC_POINT_invert(group, Q, ctx)) ABORT; /* P = -2Q */
|
||||||
|
|
||||||
|
if (!EC_POINT_add(group, R, P, Q, ctx)) ABORT;
|
||||||
|
if (!EC_POINT_add(group, R, R, Q, ctx)) ABORT;
|
||||||
|
if (!EC_POINT_is_at_infinity(group, R)) ABORT; /* R = P + 2Q */
|
||||||
|
|
||||||
|
{
|
||||||
|
const EC_POINT *points[4];
|
||||||
|
const BIGNUM *scalars[4];
|
||||||
|
BIGNUM scalar3;
|
||||||
|
|
||||||
|
if (EC_POINT_is_at_infinity(group, Q)) ABORT;
|
||||||
|
points[0] = Q;
|
||||||
|
points[1] = Q;
|
||||||
|
points[2] = Q;
|
||||||
|
points[3] = Q;
|
||||||
|
|
||||||
|
if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
|
||||||
|
if (!BN_add(y, z, BN_value_one())) ABORT;
|
||||||
|
if (BN_is_odd(y)) ABORT;
|
||||||
|
if (!BN_rshift1(y, y)) ABORT;
|
||||||
|
scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */
|
||||||
|
scalars[1] = y;
|
||||||
|
|
||||||
|
fprintf(stdout, "combined multiplication ...");
|
||||||
|
fflush(stdout);
|
||||||
|
|
||||||
|
/* z is still the group order */
|
||||||
|
if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) ABORT;
|
||||||
|
if (!EC_POINTs_mul(group, R, z, 2, points, scalars, ctx)) ABORT;
|
||||||
|
if (0 != EC_POINT_cmp(group, P, R, ctx)) ABORT;
|
||||||
|
if (0 != EC_POINT_cmp(group, R, Q, ctx)) ABORT;
|
||||||
|
|
||||||
|
fprintf(stdout, ".");
|
||||||
|
fflush(stdout);
|
||||||
|
|
||||||
|
if (!BN_pseudo_rand(y, BN_num_bits(y), 0, 0)) ABORT;
|
||||||
|
if (!BN_add(z, z, y)) ABORT;
|
||||||
|
BN_set_negative(z, 1);
|
||||||
|
scalars[0] = y;
|
||||||
|
scalars[1] = z; /* z = -(order + y) */
|
||||||
|
|
||||||
|
if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) ABORT;
|
||||||
|
if (!EC_POINT_is_at_infinity(group, P)) ABORT;
|
||||||
|
|
||||||
|
fprintf(stdout, ".");
|
||||||
|
fflush(stdout);
|
||||||
|
|
||||||
|
if (!BN_pseudo_rand(x, BN_num_bits(y) - 1, 0, 0)) ABORT;
|
||||||
|
if (!BN_add(z, x, y)) ABORT;
|
||||||
|
BN_set_negative(z, 1);
|
||||||
|
scalars[0] = x;
|
||||||
|
scalars[1] = y;
|
||||||
|
scalars[2] = z; /* z = -(x+y) */
|
||||||
|
|
||||||
|
BN_init(&scalar3);
|
||||||
|
BN_zero(&scalar3);
|
||||||
|
scalars[3] = &scalar3;
|
||||||
|
|
||||||
|
if (!EC_POINTs_mul(group, P, NULL, 4, points, scalars, ctx)) ABORT;
|
||||||
|
if (!EC_POINT_is_at_infinity(group, P)) ABORT;
|
||||||
|
|
||||||
|
fprintf(stdout, " ok\n\n");
|
||||||
|
|
||||||
|
BN_free(&scalar3);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
#if 0
|
||||||
|
timings(P_256, TIMING_BASE_PT, ctx);
|
||||||
|
timings(P_256, TIMING_RAND_PT, ctx);
|
||||||
|
timings(P_256, TIMING_SIMUL, ctx);
|
||||||
|
timings(P_384, TIMING_BASE_PT, ctx);
|
||||||
|
timings(P_384, TIMING_RAND_PT, ctx);
|
||||||
|
timings(P_384, TIMING_SIMUL, ctx);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
if (ctx)
|
||||||
|
BN_CTX_free(ctx);
|
||||||
|
BN_free(p); BN_free(a); BN_free(b);
|
||||||
|
EC_GROUP_free(group);
|
||||||
|
EC_POINT_free(P);
|
||||||
|
EC_POINT_free(Q);
|
||||||
|
EC_POINT_free(R);
|
||||||
|
BN_free(x); BN_free(y); BN_free(z);
|
||||||
|
|
||||||
|
if (P_160) EC_GROUP_free(P_160);
|
||||||
|
if (P_192) EC_GROUP_free(P_192);
|
||||||
|
if (P_224) EC_GROUP_free(P_224);
|
||||||
|
if (P_256) EC_GROUP_free(P_256);
|
||||||
|
if (P_384) EC_GROUP_free(P_384);
|
||||||
|
if (P_521) EC_GROUP_free(P_521);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static void internal_curve_test(void)
|
||||||
|
{
|
||||||
|
EC_builtin_curve *curves = NULL;
|
||||||
|
size_t crv_len = 0, n = 0;
|
||||||
|
int ok = 1;
|
||||||
|
|
||||||
|
crv_len = EC_get_builtin_curves(NULL, 0);
|
||||||
|
|
||||||
|
curves = OPENSSL_malloc(sizeof(EC_builtin_curve) * crv_len);
|
||||||
|
|
||||||
|
if (curves == NULL)
|
||||||
|
return;
|
||||||
|
|
||||||
|
if (!EC_get_builtin_curves(curves, crv_len))
|
||||||
|
{
|
||||||
|
OPENSSL_free(curves);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
fprintf(stdout, "testing internal curves: ");
|
||||||
|
|
||||||
|
for (n = 0; n < crv_len; n++)
|
||||||
|
{
|
||||||
|
EC_GROUP *group = NULL;
|
||||||
|
int nid = curves[n].nid;
|
||||||
|
if ((group = EC_GROUP_new_by_curve_name(nid)) == NULL)
|
||||||
|
{
|
||||||
|
ok = 0;
|
||||||
|
fprintf(stdout, "\nEC_GROUP_new_curve_name() failed with"
|
||||||
|
" curve %s\n", OBJ_nid2sn(nid));
|
||||||
|
/* try next curve */
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
if (!EC_GROUP_check(group, NULL))
|
||||||
|
{
|
||||||
|
ok = 0;
|
||||||
|
fprintf(stdout, "\nEC_GROUP_check() failed with"
|
||||||
|
" curve %s\n", OBJ_nid2sn(nid));
|
||||||
|
EC_GROUP_free(group);
|
||||||
|
/* try the next curve */
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
fprintf(stdout, ".");
|
||||||
|
fflush(stdout);
|
||||||
|
EC_GROUP_free(group);
|
||||||
|
}
|
||||||
|
if (ok)
|
||||||
|
fprintf(stdout, " ok\n\n");
|
||||||
|
else
|
||||||
|
{
|
||||||
|
fprintf(stdout, " failed\n\n");
|
||||||
|
ABORT;
|
||||||
|
}
|
||||||
|
OPENSSL_free(curves);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
||||||
|
/* nistp_test_params contains magic numbers for testing our optimized
|
||||||
|
* implementations of several NIST curves with characteristic > 3. */
|
||||||
|
struct nistp_test_params
|
||||||
|
{
|
||||||
|
const EC_METHOD* (*meth) ();
|
||||||
|
int degree;
|
||||||
|
/* Qx, Qy and D are taken from
|
||||||
|
* http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf
|
||||||
|
* Otherwise, values are standard curve parameters from FIPS 180-3 */
|
||||||
|
const char *p, *a, *b, *Qx, *Qy, *Gx, *Gy, *order, *d;
|
||||||
|
};
|
||||||
|
|
||||||
|
static const struct nistp_test_params nistp_tests_params[] =
|
||||||
|
{
|
||||||
|
{
|
||||||
|
/* P-256 */
|
||||||
|
EC_GFp_nistp256_method,
|
||||||
|
256,
|
||||||
|
"ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", /* p */
|
||||||
|
"ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", /* a */
|
||||||
|
"5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", /* b */
|
||||||
|
"b7e08afdfe94bad3f1dc8c734798ba1c62b3a0ad1e9ea2a38201cd0889bc7a19", /* Qx */
|
||||||
|
"3603f747959dbf7a4bb226e41928729063adc7ae43529e61b563bbc606cc5e09", /* Qy */
|
||||||
|
"6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", /* Gx */
|
||||||
|
"4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", /* Gy */
|
||||||
|
"ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", /* order */
|
||||||
|
"c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96", /* d */
|
||||||
|
},
|
||||||
|
};
|
||||||
|
|
||||||
|
void nistp_single_test(const struct nistp_test_params *test)
|
||||||
|
{
|
||||||
|
BN_CTX *ctx;
|
||||||
|
BIGNUM *p, *a, *b, *x, *y, *n, *m, *order;
|
||||||
|
EC_GROUP *NISTP;
|
||||||
|
EC_POINT *G, *P, *Q, *Q_CHECK;
|
||||||
|
|
||||||
|
fprintf(stdout, "\nNIST curve P-%d (optimised implementation):\n", test->degree);
|
||||||
|
ctx = BN_CTX_new();
|
||||||
|
p = BN_new();
|
||||||
|
a = BN_new();
|
||||||
|
b = BN_new();
|
||||||
|
x = BN_new(); y = BN_new();
|
||||||
|
m = BN_new(); n = BN_new(); order = BN_new();
|
||||||
|
|
||||||
|
NISTP = EC_GROUP_new(test->meth());
|
||||||
|
if(!NISTP) ABORT;
|
||||||
|
if (!BN_hex2bn(&p, test->p)) ABORT;
|
||||||
|
if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
|
||||||
|
if (!BN_hex2bn(&a, test->a)) ABORT;
|
||||||
|
if (!BN_hex2bn(&b, test->b)) ABORT;
|
||||||
|
if (!EC_GROUP_set_curve_GFp(NISTP, p, a, b, ctx)) ABORT;
|
||||||
|
G = EC_POINT_new(NISTP);
|
||||||
|
P = EC_POINT_new(NISTP);
|
||||||
|
Q = EC_POINT_new(NISTP);
|
||||||
|
Q_CHECK = EC_POINT_new(NISTP);
|
||||||
|
if(!BN_hex2bn(&x, test->Qx)) ABORT;
|
||||||
|
if(!BN_hex2bn(&y, test->Qy)) ABORT;
|
||||||
|
if(!EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, y, ctx)) ABORT;
|
||||||
|
if (!BN_hex2bn(&x, test->Gx)) ABORT;
|
||||||
|
if (!BN_hex2bn(&y, test->Gy)) ABORT;
|
||||||
|
if (!EC_POINT_set_affine_coordinates_GFp(NISTP, G, x, y, ctx)) ABORT;
|
||||||
|
if (!BN_hex2bn(&order, test->order)) ABORT;
|
||||||
|
if (!EC_GROUP_set_generator(NISTP, G, order, BN_value_one())) ABORT;
|
||||||
|
|
||||||
|
fprintf(stdout, "verify degree ... ");
|
||||||
|
if (EC_GROUP_get_degree(NISTP) != test->degree) ABORT;
|
||||||
|
fprintf(stdout, "ok\n");
|
||||||
|
|
||||||
|
fprintf(stdout, "NIST test vectors ... ");
|
||||||
|
if (!BN_hex2bn(&n, test->d)) ABORT;
|
||||||
|
/* fixed point multiplication */
|
||||||
|
EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
|
||||||
|
if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
|
||||||
|
/* random point multiplication */
|
||||||
|
EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
|
||||||
|
if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
|
||||||
|
|
||||||
|
/* set generator to P = 2*G, where G is the standard generator */
|
||||||
|
if (!EC_POINT_dbl(NISTP, P, G, ctx)) ABORT;
|
||||||
|
if (!EC_GROUP_set_generator(NISTP, P, order, BN_value_one())) ABORT;
|
||||||
|
/* set the scalar to m=n/2, where n is the NIST test scalar */
|
||||||
|
if (!BN_rshift(m, n, 1)) ABORT;
|
||||||
|
|
||||||
|
/* test the non-standard generator */
|
||||||
|
/* fixed point multiplication */
|
||||||
|
EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
|
||||||
|
if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
|
||||||
|
/* random point multiplication */
|
||||||
|
EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
|
||||||
|
if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
|
||||||
|
|
||||||
|
/* now repeat all tests with precomputation */
|
||||||
|
if (!EC_GROUP_precompute_mult(NISTP, ctx)) ABORT;
|
||||||
|
|
||||||
|
/* fixed point multiplication */
|
||||||
|
EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
|
||||||
|
if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
|
||||||
|
/* random point multiplication */
|
||||||
|
EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
|
||||||
|
if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
|
||||||
|
|
||||||
|
/* reset generator */
|
||||||
|
if (!EC_GROUP_set_generator(NISTP, G, order, BN_value_one())) ABORT;
|
||||||
|
/* fixed point multiplication */
|
||||||
|
EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
|
||||||
|
if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
|
||||||
|
/* random point multiplication */
|
||||||
|
EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
|
||||||
|
if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
|
||||||
|
|
||||||
|
fprintf(stdout, "ok\n");
|
||||||
|
group_order_tests(NISTP);
|
||||||
|
#if 0
|
||||||
|
timings(NISTP, TIMING_BASE_PT, ctx);
|
||||||
|
timings(NISTP, TIMING_RAND_PT, ctx);
|
||||||
|
#endif
|
||||||
|
EC_GROUP_free(NISTP);
|
||||||
|
EC_POINT_free(G);
|
||||||
|
EC_POINT_free(P);
|
||||||
|
EC_POINT_free(Q);
|
||||||
|
EC_POINT_free(Q_CHECK);
|
||||||
|
BN_free(n);
|
||||||
|
BN_free(m);
|
||||||
|
BN_free(p);
|
||||||
|
BN_free(a);
|
||||||
|
BN_free(b);
|
||||||
|
BN_free(x);
|
||||||
|
BN_free(y);
|
||||||
|
BN_free(order);
|
||||||
|
BN_CTX_free(ctx);
|
||||||
|
}
|
||||||
|
|
||||||
|
void nistp_tests()
|
||||||
|
{
|
||||||
|
unsigned i;
|
||||||
|
|
||||||
|
for (i = 0; i < sizeof(nistp_tests_params) / sizeof(struct nistp_test_params); i++)
|
||||||
|
{
|
||||||
|
nistp_single_test(&nistp_tests_params[i]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
static const char rnd_seed[] = "string to make the random number generator think it has entropy";
|
||||||
|
|
||||||
|
int main(int argc, char *argv[])
|
||||||
|
{
|
||||||
|
|
||||||
|
/* enable memory leak checking unless explicitly disabled */
|
||||||
|
if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
|
||||||
|
{
|
||||||
|
CRYPTO_malloc_debug_init();
|
||||||
|
CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
/* OPENSSL_DEBUG_MEMORY=off */
|
||||||
|
CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
|
||||||
|
}
|
||||||
|
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
|
||||||
|
ERR_load_crypto_strings();
|
||||||
|
|
||||||
|
RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_generate_prime may fail */
|
||||||
|
|
||||||
|
prime_field_tests();
|
||||||
|
puts("");
|
||||||
|
#ifndef OPENSSL_NO_EC2M
|
||||||
|
char2_field_tests();
|
||||||
|
#endif
|
||||||
|
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
||||||
|
nistp_tests();
|
||||||
|
#endif
|
||||||
|
/* test the internal curves */
|
||||||
|
internal_curve_test();
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_ENGINE
|
||||||
|
ENGINE_cleanup();
|
||||||
|
#endif
|
||||||
|
CRYPTO_cleanup_all_ex_data();
|
||||||
|
ERR_free_strings();
|
||||||
|
ERR_remove_thread_state(NULL);
|
||||||
|
CRYPTO_mem_leaks_fp(stderr);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
#endif
|
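--- a/fixpatch
+++ b/fixpatch
@@ -0,0 +1,15 @@
+#!/bin/sh
+# Fixes patch from upstream tracker view
+gawk '
+BEGIN {
+dir=""
+}
+/^Index: openssl\// {
+dir = $2
+}
+/^(---|\+\+\+)/ {
+$2 = dir
+}
+{
+print
+}'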
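Review bot: The `/^(---|\+\+\+)/` rule is not limited to file-header lines, so any hunk line that begins with `---` or `+++` (for example a removed line whose own text starts with `--`) also has its second field overwritten with `dir`, which silently alters the patch body. Because `dir` starts empty, a header seen before the first `Index: openssl/` line loses its path as well. Rewriting only when a path is known and the line has the header shape would narrow this, e.g. `/^(---|\+\+\+) / && dir != "" {`; a stricter version would rewrite only the two lines that follow an `Index:` line. A usage comment saying that the script filters stdin to stdout would also help, since the file gives no invocation hint.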
@ -13,15 +13,15 @@ set -e
|
|||||||
# Remove assembler portions of IDEA, MDC2, and RC5.
|
# Remove assembler portions of IDEA, MDC2, and RC5.
|
||||||
(find crypto/rc5/asm -type f | xargs -r rm -fv)
|
(find crypto/rc5/asm -type f | xargs -r rm -fv)
|
||||||
|
|
||||||
# RC5, EC, SRP.
|
# RC5, SRP.
|
||||||
for a in rc5 ec ecdh ecdsa srp; do
|
for a in rc5 srp; do
|
||||||
for c in `find crypto/$a -name "*.c" -a \! -name "*test*" -type f` ; do
|
for c in `find crypto/$a -name "*.c" -a \! -name "*test*" -type f` ; do
|
||||||
echo Destroying $c
|
echo Destroying $c
|
||||||
> $c
|
> $c
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
|
|
||||||
for c in `find crypto/evp -name "*_rc5.c" -o -name "*_ecdsa.c"`; do
|
for c in `find crypto/evp -name "*_rc5.c"`; do
|
||||||
echo Destroying $c
|
echo Destroying $c
|
||||||
> $c
|
> $c
|
||||||
done
|
done
|
||||||
@ -31,15 +31,18 @@ for c in `find crypto/bn -name "*gf2m.c"`; do
|
|||||||
> $c
|
> $c
|
||||||
done
|
done
|
||||||
|
|
||||||
|
for c in `find crypto/ec -name "ec2*.c" -o -name "ec_curve.c" -o -name "ecp_nistp?2?.c" -o -name "ectest.c"`; do
|
||||||
|
echo Destroying $c
|
||||||
|
> $c
|
||||||
|
done
|
||||||
|
|
||||||
for h in `find crypto ssl apps test -name "*.h"` ; do
|
for h in `find crypto ssl apps test -name "*.h"` ; do
|
||||||
echo Removing RC5, SRP and EC references from $h
|
echo Removing RC5, SRP and EC2M references from $h
|
||||||
cat $h | \
|
cat $h | \
|
||||||
awk 'BEGIN {ech=1;} \
|
awk 'BEGIN {ech=1;} \
|
||||||
/^#[ \t]*ifndef.*NO_SRP/ {ech--; next;} \
|
/^#[ \t]*ifndef.*NO_SRP/ {ech--; next;} \
|
||||||
/^#[ \t]*ifndef.*NO_RC5/ {ech--; next;} \
|
/^#[ \t]*ifndef.*NO_RC5/ {ech--; next;} \
|
||||||
/^#[ \t]*ifndef.*NO_EC/ {ech--; next;} \
|
/^#[ \t]*ifndef.*NO_EC2M/ {ech--; next;} \
|
||||||
/^#[ \t]*ifndef.*NO_ECDH/ {ech--; next;} \
|
|
||||||
/^#[ \t]*ifndef.*NO_ECDSA/ {ech--; next;} \
|
|
||||||
/^#[ \t]*if/ {if(ech < 1) ech--;} \
|
/^#[ \t]*if/ {if(ech < 1) ech--;} \
|
||||||
{if(ech>0) {;print $0};} \
|
{if(ech>0) {;print $0};} \
|
||||||
/^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \
|
/^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \
|
||||||
|
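Review bot: The loop added in this section empties `ec_curve.c` and `ectest.c` under `crypto/ec`, but nothing in the script records that the build expects replacement copies of both. The spec supplies them with `cp %{SOURCE12} %{SOURCE13} crypto/ec/` directly after invoking the hobble script, so the order matters: running the script again after that copy would blank the replacements. A comment above the loop would capture this, e.g. `# ec_curve.c and ectest.c are emptied here; the spec copies Source12/Source13 into crypto/ec/ afterwards`. The glob `ecp_nistp?2?.c` would also benefit from a short comment naming the files it is meant to match, since that is not obvious from the pattern.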
@ -24,16 +24,17 @@
|
|||||||
|
|
||||||
Name: mingw-openssl
|
Name: mingw-openssl
|
||||||
Version: 1.0.1e
|
Version: 1.0.1e
|
||||||
Release: 4%{?dist}
|
Release: 5%{?dist}
|
||||||
Summary: MinGW port of the OpenSSL toolkit
|
Summary: MinGW port of the OpenSSL toolkit
|
||||||
|
|
||||||
License: OpenSSL
|
License: OpenSSL
|
||||||
Group: Development/Libraries
|
Group: Development/Libraries
|
||||||
URL: http://www.openssl.org/
|
URL: http://www.openssl.org/
|
||||||
|
|
||||||
# We remove certain patented algorithms from the openssl source tarball
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
Source0: openssl-%{version}-usa.tar.xz
|
# The original openssl upstream tarball cannot be shipped in the .src.rpm.
|
||||||
|
Source: openssl-%{version}-hobbled.tar.xz
|
||||||
|
|
||||||
Source1: hobble-openssl
|
Source1: hobble-openssl
|
||||||
Source2: Makefile.certificate
|
Source2: Makefile.certificate
|
||||||
@ -42,8 +43,10 @@ Source7: renew-dummy-cert
|
|||||||
Source8: openssl-thread-test.c
|
Source8: openssl-thread-test.c
|
||||||
Source9: opensslconf-new.h
|
Source9: opensslconf-new.h
|
||||||
Source10: opensslconf-new-warning.h
|
Source10: opensslconf-new-warning.h
|
||||||
|
Source11: README.FIPS
|
||||||
|
Source12: ec_curve.c
|
||||||
|
Source13: ectest.c
|
||||||
|
|
||||||
Source11: README.FIPS
|
|
||||||
# Build changes
|
# Build changes
|
||||||
Patch1: openssl-1.0.1-beta2-rpmbuild.patch
|
Patch1: openssl-1.0.1-beta2-rpmbuild.patch
|
||||||
Patch2: openssl-1.0.0f-defaults.patch
|
Patch2: openssl-1.0.0f-defaults.patch
|
||||||
@ -68,7 +71,7 @@ Patch45: openssl-1.0.1e-env-zlib.patch
|
|||||||
Patch47: openssl-1.0.0-beta5-readme-warning.patch
|
Patch47: openssl-1.0.0-beta5-readme-warning.patch
|
||||||
Patch49: openssl-1.0.1a-algo-doc.patch
|
Patch49: openssl-1.0.1a-algo-doc.patch
|
||||||
Patch50: openssl-1.0.1-beta2-dtls1-abi.patch
|
Patch50: openssl-1.0.1-beta2-dtls1-abi.patch
|
||||||
Patch51: openssl-1.0.1-version.patch
|
Patch51: openssl-1.0.1e-version.patch
|
||||||
Patch56: openssl-1.0.0c-rsa-x931.patch
|
Patch56: openssl-1.0.0c-rsa-x931.patch
|
||||||
Patch58: openssl-1.0.1-beta2-fips-md5-allow.patch
|
Patch58: openssl-1.0.1-beta2-fips-md5-allow.patch
|
||||||
Patch60: openssl-1.0.0d-apps-dgst.patch
|
Patch60: openssl-1.0.0d-apps-dgst.patch
|
||||||
@ -77,11 +80,24 @@ Patch65: openssl-1.0.0e-chil-fixes.patch
|
|||||||
Patch66: openssl-1.0.1-pkgconfig-krb5.patch
|
Patch66: openssl-1.0.1-pkgconfig-krb5.patch
|
||||||
Patch68: openssl-1.0.1e-secure-getenv.patch
|
Patch68: openssl-1.0.1e-secure-getenv.patch
|
||||||
Patch69: openssl-1.0.1c-dh-1024.patch
|
Patch69: openssl-1.0.1c-dh-1024.patch
|
||||||
|
Patch70: openssl-1.0.1e-fips-ec.patch
|
||||||
Patch71: openssl-1.0.1e-manfix.patch
|
Patch71: openssl-1.0.1e-manfix.patch
|
||||||
|
Patch72: openssl-1.0.1e-fips-ctor.patch
|
||||||
|
Patch73: openssl-1.0.1e-ecc-suiteb.patch
|
||||||
|
Patch74: openssl-1.0.1e-no-md5-verify.patch
|
||||||
|
Patch75: openssl-1.0.1e-compat-symbols.patch
|
||||||
|
Patch76: openssl-1.0.1e-new-fips-reqs.patch
|
||||||
|
Patch77: openssl-1.0.1e-weak-ciphers.patch
|
||||||
|
Patch78: openssl-1.0.1e-3des-strength.patch
|
||||||
# Backported fixes including security fixes
|
# Backported fixes including security fixes
|
||||||
Patch81: openssl-1.0.1-beta2-padlock64.patch
|
Patch81: openssl-1.0.1-beta2-padlock64.patch
|
||||||
Patch82: openssl-1.0.1e-backports.patch
|
Patch82: openssl-1.0.1e-backports.patch
|
||||||
Patch83: openssl-1.0.1e-bad-mac.patch
|
Patch83: openssl-1.0.1e-bad-mac.patch
|
||||||
|
Patch84: openssl-1.0.1e-trusted-first.patch
|
||||||
|
Patch85: openssl-1.0.1e-arm-use-elf-auxv-caps.patch
|
||||||
|
Patch86: openssl-1.0.1e-cve-2013-6449.patch
|
||||||
|
Patch87: openssl-1.0.1e-cve-2013-6450.patch
|
||||||
|
Patch88: openssl-1.0.1e-cve-2013-4353.patch
|
||||||
|
|
||||||
# MinGW-specific patches.
|
# MinGW-specific patches.
|
||||||
# Rename *eay32.dll to lib*.dll
|
# Rename *eay32.dll to lib*.dll
|
||||||
@ -192,6 +208,9 @@ Static version of the MinGW port of the OpenSSL toolkit.
|
|||||||
# The hobble_openssl is called here redundantly, just to be sure.
|
# The hobble_openssl is called here redundantly, just to be sure.
|
||||||
# The tarball has already the sources removed.
|
# The tarball has already the sources removed.
|
||||||
%{SOURCE1} > /dev/null
|
%{SOURCE1} > /dev/null
|
||||||
|
|
||||||
|
cp %{SOURCE12} %{SOURCE13} crypto/ec/
|
||||||
|
|
||||||
%patch1 -p1 -b .rpmbuild
|
%patch1 -p1 -b .rpmbuild
|
||||||
%patch2 -p1 -b .defaults
|
%patch2 -p1 -b .defaults
|
||||||
%patch4 -p1 -b .enginesdir %{?_rawbuild}
|
%patch4 -p1 -b .enginesdir %{?_rawbuild}
|
||||||
@ -200,6 +219,7 @@ Static version of the MinGW port of the OpenSSL toolkit.
|
|||||||
%patch7 -p1 -b .timezone
|
%patch7 -p1 -b .timezone
|
||||||
%patch8 -p1 -b .perlfind %{?_rawbuild}
|
%patch8 -p1 -b .perlfind %{?_rawbuild}
|
||||||
%patch9 -p1 -b .aliasing
|
%patch9 -p1 -b .aliasing
|
||||||
|
|
||||||
%patch23 -p1 -b .default-paths
|
%patch23 -p1 -b .default-paths
|
||||||
%patch24 -p1 -b .issuer-hash
|
%patch24 -p1 -b .issuer-hash
|
||||||
|
|
||||||
@ -223,11 +243,24 @@ Static version of the MinGW port of the OpenSSL toolkit.
|
|||||||
%patch66 -p1 -b .krb5
|
%patch66 -p1 -b .krb5
|
||||||
#patch68 -p1 -b .secure-getenv
|
#patch68 -p1 -b .secure-getenv
|
||||||
%patch69 -p1 -b .dh1024
|
%patch69 -p1 -b .dh1024
|
||||||
|
#patch70 -p1 -b .fips-ec
|
||||||
|
#patch72 -p1 -b .fips-ctor
|
||||||
|
%patch73 -p1 -b .suiteb
|
||||||
|
#patch74 -p1 -b .no-md5-verify
|
||||||
|
%patch75 -p1 -b .compat
|
||||||
|
#patch76 -p1 -b .fips-reqs
|
||||||
|
%patch77 -p1 -b .weak-ciphers
|
||||||
|
%patch78 -p1 -b .3des-strength
|
||||||
|
|
||||||
%patch81 -p1 -b .padlock64
|
%patch81 -p1 -b .padlock64
|
||||||
%patch82 -p1 -b .backports
|
%patch82 -p1 -b .backports
|
||||||
%patch71 -p1 -b .manfix
|
%patch71 -p1 -b .manfix
|
||||||
%patch83 -p1 -b .bad-mac
|
%patch83 -p1 -b .bad-mac
|
||||||
|
%patch84 -p1 -b .trusted-first
|
||||||
|
%patch85 -p1 -b .armcap
|
||||||
|
%patch86 -p1 -b .hash-crash
|
||||||
|
%patch87 -p1 -b .dtls1-mitm
|
||||||
|
%patch88 -p1 -b .handshake-crash
|
||||||
|
|
||||||
# MinGW specific patches
|
# MinGW specific patches
|
||||||
%patch101 -p1 -b .mingw-libversion
|
%patch101 -p1 -b .mingw-libversion
|
||||||
@ -269,9 +302,9 @@ PERL=%{__perl} \
|
|||||||
--prefix=%{mingw32_prefix} \
|
--prefix=%{mingw32_prefix} \
|
||||||
--openssldir=%{mingw32_sysconfdir}/pki/tls \
|
--openssldir=%{mingw32_sysconfdir}/pki/tls \
|
||||||
zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
|
zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
|
||||||
enable-cms enable-md2 no-mdc2 no-rc5 no-ec no-ec2m no-ecdh no-ecdsa \
|
enable-cms enable-md2 no-mdc2 no-rc5 no-ec2m no-gost no-srp \
|
||||||
no-srp no-fips \
|
no-fips no-hw \
|
||||||
no-hw --cross-compile-prefix=%{mingw32_target}- \
|
--cross-compile-prefix=%{mingw32_target}- \
|
||||||
--enginesdir=%{mingw32_libdir}/openssl/engines \
|
--enginesdir=%{mingw32_libdir}/openssl/engines \
|
||||||
shared mingw
|
shared mingw
|
||||||
|
|
||||||
@ -284,11 +317,6 @@ make all build-shared
|
|||||||
# Generate hashes for the included certs.
|
# Generate hashes for the included certs.
|
||||||
make rehash build-shared
|
make rehash build-shared
|
||||||
|
|
||||||
if ! iconv -f UTF-8 -t ASCII//TRANSLIT CHANGES >/dev/null 2>&1 ; then
|
|
||||||
iconv -f ISO-8859-1 -t UTF-8 -o CHANGES.utf8 CHANGES && \
|
|
||||||
mv -f CHANGES.utf8 CHANGES
|
|
||||||
fi
|
|
||||||
|
|
||||||
popd
|
popd
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
@ -301,9 +329,9 @@ PERL=%{__perl} \
|
|||||||
--prefix=%{mingw64_prefix} \
|
--prefix=%{mingw64_prefix} \
|
||||||
--openssldir=%{mingw64_sysconfdir}/pki/tls \
|
--openssldir=%{mingw64_sysconfdir}/pki/tls \
|
||||||
zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
|
zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
|
||||||
enable-cms enable-md2 no-mdc2 no-rc5 no-ec no-ec2m no-ecdh no-ecdsa \
|
enable-cms enable-md2 no-mdc2 no-rc5 no-ec2m no-gost no-srp \
|
||||||
no-srp no-fips \
|
no-fips no-hw \
|
||||||
no-hw --cross-compile-prefix=%{mingw64_target}- \
|
--cross-compile-prefix=%{mingw64_target}- \
|
||||||
--enginesdir=%{mingw64_libdir}/openssl/engines \
|
--enginesdir=%{mingw64_libdir}/openssl/engines \
|
||||||
shared mingw64
|
shared mingw64
|
||||||
|
|
||||||
@ -316,11 +344,6 @@ make all build-shared
|
|||||||
# Generate hashes for the included certs.
|
# Generate hashes for the included certs.
|
||||||
make rehash build-shared
|
make rehash build-shared
|
||||||
|
|
||||||
if ! iconv -f UTF-8 -t ASCII//TRANSLIT CHANGES >/dev/null 2>&1 ; then
|
|
||||||
iconv -f ISO-8859-1 -t UTF-8 -o CHANGES.utf8 CHANGES && \
|
|
||||||
mv -f CHANGES.utf8 CHANGES
|
|
||||||
fi
|
|
||||||
|
|
||||||
popd
|
popd
|
||||||
|
|
||||||
|
|
||||||
@ -482,6 +505,13 @@ mkdir -m700 $RPM_BUILD_ROOT%{mingw64_sysconfdir}/pki/CA/private
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sat Jan 25 2014 Erik van Pienbroek <epienbro@fedoraproject.org> - 1.0.1e-5
|
||||||
|
- Synced patches with native openssl-1.0.1e-38.fc21
|
||||||
|
- Enable ECC support (RHBZ #1037919)
|
||||||
|
- Fixes CVE-2013-6450 (RHBZ #1047844)
|
||||||
|
- Fixes CVE-2013-4353 (RHBZ #1049062)
|
||||||
|
- Fixes CVE-2013-6449 (RHBZ #1045444)
|
||||||
|
|
||||||
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.1e-4
|
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.1e-4
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
|
||||||
|
|
||||||
|
@ -7,66 +7,67 @@ diff -up openssl-1.0.1-beta2/Configure.rpmbuild openssl-1.0.1-beta2/Configure
|
|||||||
# throw in -D[BL]_ENDIAN, whichever appropriate...
|
# throw in -D[BL]_ENDIAN, whichever appropriate...
|
||||||
-"linux-generic32","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
-"linux-generic32","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
-"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
-"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
+"linux-generic32","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
+"linux-generic32","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
+"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
+"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
# It's believed that majority of ARM toolchains predefine appropriate -march.
|
# It's believed that majority of ARM toolchains predefine appropriate -march.
|
||||||
# If you compiler does not, do complement config command line with one!
|
# If you compiler does not, do complement config command line with one!
|
||||||
-"linux-armv4", "gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
-"linux-armv4", "gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
+"linux-armv4", "gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
+"linux-armv4", "gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
#### IA-32 targets...
|
#### IA-32 targets...
|
||||||
"linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
"linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
-"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
-"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
+"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
+"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
"linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
|
"linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
|
||||||
####
|
####
|
||||||
-"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
-"linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||||
-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
+"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
+"linux-generic64","gcc:-DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
+"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
+"linux-ppc64", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||||
+"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
+"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
"linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
"linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||||
-"linux64-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
-"linux64-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||||
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||||
+"linux64-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
+"linux64-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||||
#### So called "highgprs" target for z/Architecture CPUs
|
#### So called "highgprs" target for z/Architecture CPUs
|
||||||
# "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
|
# "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
|
||||||
# /proc/cpuinfo. The idea is to preserve most significant bits of
|
# /proc/cpuinfo. The idea is to preserve most significant bits of
|
||||||
@@ -373,16 +373,16 @@ my %table=(
|
@@ -373,16 +373,17 @@ my %table=(
|
||||||
# ldconfig and run-time linker to autodiscover. Unfortunately it
|
# ldconfig and run-time linker to autodiscover. Unfortunately it
|
||||||
# doesn't work just yet, because of couple of bugs in glibc
|
# doesn't work just yet, because of couple of bugs in glibc
|
||||||
# sysdeps/s390/dl-procinfo.c affecting ldconfig and ld.so.1...
|
# sysdeps/s390/dl-procinfo.c affecting ldconfig and ld.so.1...
|
||||||
-"linux32-s390x", "gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/highgprs",
|
-"linux32-s390x", "gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/highgprs",
|
||||||
+"linux32-s390x", "gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::/highgprs",
|
+"linux32-s390x", "gcc:-m31 -Wa,-mzarch -DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$s390x_asm;$asm=~s/bn\-s390x\.o/bn_asm.o/;$asm}.":31:dlfcn:linux-shared:-fPIC:-m31 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::/highgprs",
|
||||||
#### SPARC Linux setups
|
#### SPARC Linux setups
|
||||||
# Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
|
# Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
|
||||||
# assisted with debugging of following two configs.
|
# assisted with debugging of following two configs.
|
||||||
-"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
-"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
+"linux-sparcv8","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
+"linux-sparcv8","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT::-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
# it's a real mess with -mcpu=ultrasparc option under Linux, but
|
# it's a real mess with -mcpu=ultrasparc option under Linux, but
|
||||||
# -Wa,-Av8plus should do the trick no matter what.
|
# -Wa,-Av8plus should do the trick no matter what.
|
||||||
-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
-"linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
+"linux-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
+"linux-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS) -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
# GCC 3.1 is a requirement
|
# GCC 3.1 is a requirement
|
||||||
-"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
-"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||||
+"linux64-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
+"linux64-sparcv9","gcc:-DB_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT:ULTRASPARC:-Wl,-z,relro -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||||
|
+"linux-aarch64","gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||||
#### Alpha Linux with GNU C and Compaq C setups
|
#### Alpha Linux with GNU C and Compaq C setups
|
||||||
# Special notes:
|
# Special notes:
|
||||||
# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
|
# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
|
||||||
@@ -396,8 +396,8 @@ my %table=(
|
@@ -396,8 +397,8 @@ my %table=(
|
||||||
#
|
#
|
||||||
# <appro@fy.chalmers.se>
|
# <appro@fy.chalmers.se>
|
||||||
#
|
#
|
||||||
-"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
-"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
-"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
-"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||||
+"linux-alpha-gcc","gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
+"linux-alpha-gcc","gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
+"linux-alpha+bwx-gcc","gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
+"linux-alpha+bwx-gcc","gcc:-DL_ENDIAN -DTERMIO -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||||
"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
|
"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
|
||||||
"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
|
"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
|
||||||
|
|
||||||
@@ -1678,7 +1678,7 @@ while (<IN>)
|
@@ -1678,7 +1679,7 @@ while (<IN>)
|
||||||
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
|
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
|
||||||
{
|
{
|
||||||
my $sotmp = $1;
|
my $sotmp = $1;
|
||||||
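Review bot: The newly added `"linux-aarch64"` table entry keeps plain `-ldl` in its linker-flags field, while every other gcc Linux target changed in this section gains `-Wl,-z,relro -ldl`. Unless RELRO reaches the aarch64 link line some other way (nothing visible here shows that), shared libraries built for that target would miss the hardening the rest of the table now gets. For consistency the field should read `-Wl,-z,relro -ldl` like its neighbours. The section ends inside the inner `while (<IN>)` hunk, so the rest of the patched Configure is not shown.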
|
@ -1,43 +0,0 @@
|
|||||||
diff -up openssl-1.0.1/crypto/cversion.c.version openssl-1.0.1/crypto/cversion.c
|
|
||||||
--- openssl-1.0.1/crypto/cversion.c.version 2004-04-19 20:09:22.000000000 +0200
|
|
||||||
+++ openssl-1.0.1/crypto/cversion.c 2012-03-14 20:58:20.630352536 +0100
|
|
||||||
@@ -110,8 +110,15 @@ const char *SSLeay_version(int t)
|
|
||||||
return("not available");
|
|
||||||
}
|
|
||||||
|
|
||||||
-unsigned long SSLeay(void)
|
|
||||||
+unsigned long _original_SSLeay(void)
|
|
||||||
+ {
|
|
||||||
+ return(0x10000003);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+unsigned long _current_SSLeay(void)
|
|
||||||
{
|
|
||||||
return(SSLEAY_VERSION_NUMBER);
|
|
||||||
}
|
|
||||||
|
|
||||||
+__asm__(".symver _original_SSLeay,SSLeay@");
|
|
||||||
+__asm__(".symver _current_SSLeay,SSLeay@@OPENSSL_1.0.1");
|
|
||||||
diff -up openssl-1.0.1/Makefile.shared.version openssl-1.0.1/Makefile.shared
|
|
||||||
--- openssl-1.0.1/Makefile.shared.version 2012-03-14 20:58:20.553350959 +0100
|
|
||||||
+++ openssl-1.0.1/Makefile.shared 2012-03-14 20:58:20.631352556 +0100
|
|
||||||
@@ -151,7 +151,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
|
|
||||||
SHLIB_SUFFIX=; \
|
|
||||||
ALLSYMSFLAGS='-Wl,--whole-archive'; \
|
|
||||||
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
|
|
||||||
- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
|
|
||||||
+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,--default-symver,--version-script=version.map -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
|
|
||||||
|
|
||||||
DO_GNU_APP=LDFLAGS="$(CFLAGS)"
|
|
||||||
|
|
||||||
diff -up openssl-1.0.1/version.map.version openssl-1.0.1/version.map
|
|
||||||
--- openssl-1.0.1/version.map.version 2012-03-14 20:58:20.631352556 +0100
|
|
||||||
+++ openssl-1.0.1/version.map 2012-03-14 20:58:20.631352556 +0100
|
|
||||||
@@ -0,0 +1,7 @@
|
|
||||||
+OPENSSL_1.0.1 {
|
|
||||||
+ global:
|
|
||||||
+ SSLeay;
|
|
||||||
+ local:
|
|
||||||
+ _original*;
|
|
||||||
+ _current*;
|
|
||||||
+};
|
|
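--- a/openssl-1.0.1e-3des-strength.patch
+++ b/openssl-1.0.1e-3des-strength.patch
@@ -0,0 +1,171 @@
+Although the real strength is rather 112 bits we use 128 here as
+we do not want to sort it behind more obscure ciphers.
+AES-128 is preferred anyway.
+diff -up openssl-1.0.1e/ssl/s2_lib.c.3des-strength openssl-1.0.1e/ssl/s2_lib.c
+--- openssl-1.0.1e/ssl/s2_lib.c.3des-strength 2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/ssl/s2_lib.c 2014-01-22 16:32:45.791700322 +0100
+@@ -250,7 +250,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
+SSL_SSLV2,
+SSL_NOT_EXP|SSL_HIGH,
+0,
+- 168,
++ 128,
+168,
+},
+
+diff -up openssl-1.0.1e/ssl/s3_lib.c.3des-strength openssl-1.0.1e/ssl/s3_lib.c
+--- openssl-1.0.1e/ssl/s3_lib.c.3des-strength 2014-01-17 11:41:11.000000000 +0100
++++ openssl-1.0.1e/ssl/s3_lib.c 2014-01-22 16:31:14.713666777 +0100
+@@ -328,7 +328,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+SSL_SSLV3,
+SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 128,
+168,
+},
+
+@@ -377,7 +377,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+SSL_SSLV3,
+SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 128,
+168,
+},
+
+@@ -425,7 +425,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+SSL_SSLV3,
+SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 128,
+168,
+},
+
+@@ -474,7 +474,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+SSL_SSLV3,
+SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 128,
+168,
+},
+
+@@ -522,7 +522,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+SSL_SSLV3,
+SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 128,
+168,
+},
+
+@@ -602,7 +602,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+SSL_SSLV3,
+SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 128,
+168,
+},
+
+@@ -687,7 +687,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+SSL_SSLV3,
+SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 128,
+168,
+},
+
+@@ -751,7 +751,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+SSL_SSLV3,
+SSL_NOT_EXP|SSL_HIGH,
+SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 128,
+168,
+},
+
+@@ -1685,7 +1685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+SSL_TLSV1,
+SSL_NOT_EXP|SSL_HIGH,
+SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 128,
+168,
+},
+
+@@ -2062,7 +2062,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+SSL_TLSV1,
+SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 128,
+168,
+},
+
+@@ -2142,7 +2142,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+SSL_TLSV1,
+SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 128,
+168,
+},
+
+@@ -2222,7 +2222,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+SSL_TLSV1,
+SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 128,
+168,
+},
+
+@@ -2302,7 +2302,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+SSL_TLSV1,
+SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 128,
+168,
+},
+
+@@ -2382,7 +2382,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+SSL_TLSV1,
+SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 128,
+168,
+},
+
+@@ -2432,7 +2432,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+SSL_TLSV1,
+SSL_NOT_EXP|SSL_HIGH,
+SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 128,
+168,
+},
+
+@@ -2448,7 +2448,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+SSL_TLSV1,
+SSL_NOT_EXP|SSL_HIGH,
+SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 128,
+168,
+},
+
+@@ -2464,7 +2464,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+SSL_TLSV1,
+SSL_NOT_EXP|SSL_HIGH,
+SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 128,
+168,
+},
+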
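Review bot: The value written in each hunk (`128`) still overstates what this patch's own header calls the real strength of 3DES ("rather 112 bits"), and every touched entry keeps `SSL_HIGH`. The changed slot is presumably the cipher's strength field (the `168` after it is left alone), so anything that reports negotiated strength from that field would show 128 for these suites. The header explains the sorting motive but not that side effect; I would add a line such as `Note: code reporting cipher strength will show 128 for 3DES suites; effective strength is about 112 bits.` so auditors do not take the number at face value. The same applies to the one `ssl2_ciphers` hunk and all seventeen `ssl3_ciphers` hunks.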
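--- a/openssl-1.0.1e-arm-use-elf-auxv-caps.patch
+++ b/openssl-1.0.1e-arm-use-elf-auxv-caps.patch
@@ -0,0 +1,93 @@
+diff --git a/crypto/armcap.c b/crypto/armcap.c
+index 5258d2f..efb4009 100644
+--- a/crypto/armcap.c
++++ b/crypto/armcap.c
+@@ -9,11 +9,6 @@
+
+unsigned int OPENSSL_armcap_P;
+
+-static sigset_t all_masked;
+-
+-static sigjmp_buf ill_jmp;
+-static void ill_handler (int sig) { siglongjmp(ill_jmp,sig); }
+-
+/*
+* Following subroutines could have been inlined, but it's not all
+* ARM compilers support inline assembler...
+@@ -29,24 +24,26 @@ unsigned int OPENSSL_rdtsc(void)
+return 0;
+}
+
+-#if defined(__GNUC__) && __GNUC__>=2
+-void OPENSSL_cpuid_setup(void) __attribute__((constructor));
+-#endif
+-void OPENSSL_cpuid_setup(void)
++#if defined(__GLIBC__) && __GLIBC__>=2 && __GLIBC_MINOR__>=16
++#include <sys/auxv.h>
++
++void OPENSSL_cpuid_find(void)
++ {
++ unsigned long hwcap = getauxval(AT_HWCAP);
++ char *plat = (char *)getauxval(AT_PLATFORM);
++
++ OPENSSL_armcap_P |= hwcap & HWCAP_ARM_NEON ? ARMV7_NEON : 0;
++ OPENSSL_armcap_P |= plat ? (plat[1] == '7' ? ARMV7_TICK : 0) : 0;
++ }
++#else
++static sigset_t all_masked;
++static sigjmp_buf ill_jmp;
++static void ill_handler (int sig) { siglongjmp(ill_jmp,sig); }
++
++void OPENSSL_cpuid_find(void)
+{
+- char *e;
+struct sigaction ill_oact,ill_act;
+sigset_t oset;
+- static int trigger=0;
+-
+- if (trigger) return;
+- trigger=1;
+-
+- if ((e=getenv("OPENSSL_armcap")))
+- {
+- OPENSSL_armcap_P=strtoul(e,NULL,0);
+- return;
+- }
+
+sigfillset(&all_masked);
+sigdelset(&all_masked,SIGILL);
+@@ -55,8 +52,6 @@ void OPENSSL_cpuid_setup(void)
+sigdelset(&all_masked,SIGBUS);
+sigdelset(&all_masked,SIGSEGV);
+
+- OPENSSL_armcap_P = 0;
+-
+memset(&ill_act,0,sizeof(ill_act));
+ill_act.sa_handler = ill_handler;
+ill_act.sa_mask = all_masked;
+@@ -78,3 +73,25 @@ void OPENSSL_cpuid_setup(void)
+sigaction (SIGILL,&ill_oact,NULL);
+sigprocmask(SIG_SETMASK,&oset,NULL);
+}
++#endif
++
++#if defined(__GNUC__) && __GNUC__>=2
++void OPENSSL_cpuid_setup(void) __attribute__((constructor));
++#endif
++void OPENSSL_cpuid_setup(void)
++ {
++ char *e;
++ static int trigger=0;
++
++ if (trigger) return;
++ trigger=1;
++
++ if ((e=getenv("OPENSSL_armcap")))
++ {
++ OPENSSL_armcap_P=strtoul(e,NULL,0);
++ return;
++ }
++
++ OPENSSL_armcap_P = 0;
++ OPENSSL_cpuid_find();
++ }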
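Review bot: In the glibc branch of `OPENSSL_cpuid_find`, `plat[1]` is read after only a NULL check, so an empty `AT_PLATFORM` string would be indexed one byte past its terminator. Guarding the first byte costs nothing: `OPENSSL_armcap_P |= (plat && plat[0] && plat[1] == '7') ? ARMV7_TICK : 0;`. Separately, the test `__GLIBC__>=2 && __GLIBC_MINOR__>=16` would be false for any later major version whose minor is below 16, falling back to the SIGILL probe; `__GLIBC__>2 || (__GLIBC__==2 && __GLIBC_MINOR__>=16)` expresses the intent. `OPENSSL_cpuid_find` is also defined without `static` or a prototype in both branches, which adds an external symbol that, as far as this patch shows, only `OPENSSL_cpuid_setup` calls.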
@ -1,33 +1,84 @@
|
|||||||
From 08f8933fa34d242383a1e12d4701acb1855686bf Mon Sep 17 00:00:00 2001
|
diff -up openssl-1.0.1e/crypto/pem/pem_info.c.backports openssl-1.0.1e/crypto/pem/pem_info.c
|
||||||
From: Nick Alcock <nix@esperi.org.uk>
|
--- openssl-1.0.1e/crypto/pem/pem_info.c.backports 2013-02-11 16:26:04.000000000 +0100
|
||||||
Date: Fri, 15 Feb 2013 17:44:11 +0000
|
+++ openssl-1.0.1e/crypto/pem/pem_info.c 2013-08-16 15:31:35.726003892 +0200
|
||||||
Subject: [PATCH] Fix POD errors to stop make install_docs dying with pod2man
|
@@ -167,6 +167,7 @@ start:
|
||||||
2.5.0+
|
#ifndef OPENSSL_NO_RSA
|
||||||
|
if (strcmp(name,PEM_STRING_RSA) == 0)
|
||||||
podlators 2.5.0 has switched to dying on POD syntax errors. This means
|
{
|
||||||
that a bunch of long-standing erroneous POD in the openssl documentation
|
+ d2i=(D2I_OF(void))d2i_RSAPrivateKey;
|
||||||
now leads to fatal errors from pod2man, halting installation.
|
if (xi->x_pkey != NULL)
|
||||||
|
{
|
||||||
Unfortunately POD constraints mean that you have to sort numeric lists
|
if (!sk_X509_INFO_push(ret,xi)) goto err;
|
||||||
in ascending order if they start with 1: you cannot do 1, 0, 2 even if
|
diff -up openssl-1.0.1e/crypto/rsa/rsa_pmeth.c.backports openssl-1.0.1e/crypto/rsa/rsa_pmeth.c
|
||||||
you want 1 to appear first. I've reshuffled such (alas, I wish there
|
--- openssl-1.0.1e/crypto/rsa/rsa_pmeth.c.backports 2013-08-16 15:31:35.697003256 +0200
|
||||||
were a better way but I don't know of one).
|
+++ openssl-1.0.1e/crypto/rsa/rsa_pmeth.c 2013-08-16 15:33:37.770673918 +0200
|
||||||
(cherry picked from commit 5cc270774258149235f69e1789b3370f57b0e27b)
|
@@ -582,6 +582,8 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CT
|
||||||
---
|
pm = RSA_NO_PADDING;
|
||||||
doc/crypto/X509_STORE_CTX_get_error.pod | 2 ++
|
else if (!strcmp(value, "oeap"))
|
||||||
doc/ssl/SSL_CTX_set_client_CA_list.pod | 8 ++++----
|
pm = RSA_PKCS1_OAEP_PADDING;
|
||||||
doc/ssl/SSL_CTX_use_psk_identity_hint.pod | 4 ++++
|
+ else if (!strcmp(value, "oaep"))
|
||||||
doc/ssl/SSL_accept.pod | 10 +++++-----
|
+ pm = RSA_PKCS1_OAEP_PADDING;
|
||||||
doc/ssl/SSL_connect.pod | 10 +++++-----
|
else if (!strcmp(value, "x931"))
|
||||||
doc/ssl/SSL_do_handshake.pod | 10 +++++-----
|
pm = RSA_X931_PADDING;
|
||||||
doc/ssl/SSL_shutdown.pod | 10 +++++-----
|
else if (!strcmp(value, "pss"))
|
||||||
7 files changed, 30 insertions(+), 24 deletions(-)
|
diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.backports openssl-1.0.1e/crypto/x509/x509_vfy.c
|
||||||
|
--- openssl-1.0.1e/crypto/x509/x509_vfy.c.backports 2013-08-16 15:31:35.721003782 +0200
|
||||||
diff --git a/doc/crypto/X509_STORE_CTX_get_error.pod b/doc/crypto/X509_STORE_CTX_get_error.pod
|
+++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2013-08-16 15:31:35.726003892 +0200
|
||||||
index a883f6c..60e8332 100644
|
@@ -696,6 +696,7 @@ static int check_cert(X509_STORE_CTX *ct
|
||||||
--- a/doc/crypto/X509_STORE_CTX_get_error.pod
|
X509_CRL *crl = NULL, *dcrl = NULL;
|
||||||
+++ b/doc/crypto/X509_STORE_CTX_get_error.pod
|
X509 *x;
|
||||||
@@ -278,6 +278,8 @@ happen if extended CRL checking is enabled.
|
int ok, cnum;
|
||||||
|
+ unsigned int last_reasons;
|
||||||
|
cnum = ctx->error_depth;
|
||||||
|
x = sk_X509_value(ctx->chain, cnum);
|
||||||
|
ctx->current_cert = x;
|
||||||
|
@@ -704,6 +705,7 @@ static int check_cert(X509_STORE_CTX *ct
|
||||||
|
ctx->current_reasons = 0;
|
||||||
|
while (ctx->current_reasons != CRLDP_ALL_REASONS)
|
||||||
|
{
|
||||||
|
+ last_reasons = ctx->current_reasons;
|
||||||
|
/* Try to retrieve relevant CRL */
|
||||||
|
if (ctx->get_crl)
|
||||||
|
ok = ctx->get_crl(ctx, &crl, x);
|
||||||
|
@@ -747,6 +749,15 @@ static int check_cert(X509_STORE_CTX *ct
|
||||||
|
X509_CRL_free(dcrl);
|
||||||
|
crl = NULL;
|
||||||
|
dcrl = NULL;
|
||||||
|
+ /* If reasons not updated we wont get anywhere by
|
||||||
|
+ * another iteration, so exit loop.
|
||||||
|
+ */
|
||||||
|
+ if (last_reasons == ctx->current_reasons)
|
||||||
|
+ {
|
||||||
|
+ ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
|
||||||
|
+ ok = ctx->verify_cb(0, ctx);
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
err:
|
||||||
|
X509_CRL_free(crl);
|
||||||
|
diff -up openssl-1.0.1e/crypto/x509/x_all.c.backports openssl-1.0.1e/crypto/x509/x_all.c
|
||||||
|
--- openssl-1.0.1e/crypto/x509/x_all.c.backports 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/crypto/x509/x_all.c 2013-08-16 15:33:25.247399940 +0200
|
||||||
|
@@ -97,6 +97,7 @@ int X509_sign(X509 *x, EVP_PKEY *pkey, c
|
||||||
|
|
||||||
|
int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
|
||||||
|
{
|
||||||
|
+ x->cert_info->enc.modified = 1;
|
||||||
|
return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF),
|
||||||
|
x->cert_info->signature,
|
||||||
|
x->sig_alg, x->signature, x->cert_info, ctx);
|
||||||
|
@@ -123,6 +124,7 @@ int X509_CRL_sign(X509_CRL *x, EVP_PKEY
|
||||||
|
|
||||||
|
int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
|
||||||
|
{
|
||||||
|
+ x->crl->enc.modified = 1;
|
||||||
|
return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO),
|
||||||
|
x->crl->sig_alg, x->sig_alg, x->signature, x->crl, ctx);
|
||||||
|
}
|
||||||
|
diff -up openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod.backports openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod
|
||||||
|
--- openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod.backports 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod 2013-08-16 15:31:35.727003914 +0200
|
||||||
|
@@ -278,6 +278,8 @@ happen if extended CRL checking is enabl
|
||||||
an application specific error. This will never be returned unless explicitly
|
an application specific error. This will never be returned unless explicitly
|
||||||
set by an application.
|
set by an application.
|
||||||
|
|
||||||
@ -36,55 +87,9 @@ index a883f6c..60e8332 100644
|
|||||||
=head1 NOTES
|
=head1 NOTES
|
||||||
|
|
||||||
The above functions should be used instead of directly referencing the fields
|
The above functions should be used instead of directly referencing the fields
|
||||||
diff --git a/doc/ssl/SSL_CTX_set_client_CA_list.pod b/doc/ssl/SSL_CTX_set_client_CA_list.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_accept.pod.backports openssl-1.0.1e/doc/ssl/SSL_accept.pod
|
||||||
index 632b556..5e66133 100644
|
--- openssl-1.0.1e/doc/ssl/SSL_accept.pod.backports 2013-02-11 16:02:48.000000000 +0100
|
||||||
--- a/doc/ssl/SSL_CTX_set_client_CA_list.pod
|
+++ openssl-1.0.1e/doc/ssl/SSL_accept.pod 2013-08-16 15:31:35.727003914 +0200
|
||||||
+++ b/doc/ssl/SSL_CTX_set_client_CA_list.pod
|
|
||||||
@@ -66,16 +66,16 @@ values:
|
|
||||||
|
|
||||||
=over 4
|
|
||||||
|
|
||||||
-=item 1
|
|
||||||
-
|
|
||||||
-The operation succeeded.
|
|
||||||
-
|
|
||||||
=item 0
|
|
||||||
|
|
||||||
A failure while manipulating the STACK_OF(X509_NAME) object occurred or
|
|
||||||
the X509_NAME could not be extracted from B<cacert>. Check the error stack
|
|
||||||
to find out the reason.
|
|
||||||
|
|
||||||
+=item 1
|
|
||||||
+
|
|
||||||
+The operation succeeded.
|
|
||||||
+
|
|
||||||
=back
|
|
||||||
|
|
||||||
=head1 EXAMPLES
|
|
||||||
diff --git a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
|
|
||||||
index b80e25b..7e60df5 100644
|
|
||||||
--- a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
|
|
||||||
+++ b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
|
|
||||||
@@ -81,6 +81,8 @@ SSL_CTX_use_psk_identity_hint() and SSL_use_psk_identity_hint() return
|
|
||||||
|
|
||||||
Return values from the server callback are interpreted as follows:
|
|
||||||
|
|
||||||
+=over 4
|
|
||||||
+
|
|
||||||
=item > 0
|
|
||||||
|
|
||||||
PSK identity was found and the server callback has provided the PSK
|
|
||||||
@@ -99,4 +101,6 @@ completely.
|
|
||||||
PSK identity was not found. An "unknown_psk_identity" alert message
|
|
||||||
will be sent and the connection setup fails.
|
|
||||||
|
|
||||||
+=back
|
|
||||||
+
|
|
||||||
=cut
|
|
||||||
diff --git a/doc/ssl/SSL_accept.pod b/doc/ssl/SSL_accept.pod
|
|
||||||
index cc724c0..b1c34d1 100644
|
|
||||||
--- a/doc/ssl/SSL_accept.pod
|
|
||||||
+++ b/doc/ssl/SSL_accept.pod
|
|
||||||
@@ -44,17 +44,17 @@ The following return values can occur:
|
@@ -44,17 +44,17 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -108,10 +113,9 @@ index cc724c0..b1c34d1 100644
|
|||||||
=item E<lt>0
|
=item E<lt>0
|
||||||
|
|
||||||
The TLS/SSL handshake was not successful because a fatal error occurred either
|
The TLS/SSL handshake was not successful because a fatal error occurred either
|
||||||
diff --git a/doc/ssl/SSL_connect.pod b/doc/ssl/SSL_connect.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_connect.pod.backports openssl-1.0.1e/doc/ssl/SSL_connect.pod
|
||||||
index cc56ebb..946ca89 100644
|
--- openssl-1.0.1e/doc/ssl/SSL_connect.pod.backports 2013-02-11 16:02:48.000000000 +0100
|
||||||
--- a/doc/ssl/SSL_connect.pod
|
+++ openssl-1.0.1e/doc/ssl/SSL_connect.pod 2013-08-16 15:31:35.727003914 +0200
|
||||||
+++ b/doc/ssl/SSL_connect.pod
|
|
||||||
@@ -41,17 +41,17 @@ The following return values can occur:
|
@@ -41,17 +41,17 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -135,10 +139,52 @@ index cc56ebb..946ca89 100644
|
|||||||
=item E<lt>0
|
=item E<lt>0
|
||||||
|
|
||||||
The TLS/SSL handshake was not successful, because a fatal error occurred either
|
The TLS/SSL handshake was not successful, because a fatal error occurred either
|
||||||
diff --git a/doc/ssl/SSL_do_handshake.pod b/doc/ssl/SSL_do_handshake.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.backports openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod
|
||||||
index 2435764..7f8cf24 100644
|
--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.backports 2013-02-11 16:02:48.000000000 +0100
|
||||||
--- a/doc/ssl/SSL_do_handshake.pod
|
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod 2013-08-16 15:31:35.727003914 +0200
|
||||||
+++ b/doc/ssl/SSL_do_handshake.pod
|
@@ -66,16 +66,16 @@ values:
|
||||||
|
|
||||||
|
=over 4
|
||||||
|
|
||||||
|
-=item 1
|
||||||
|
-
|
||||||
|
-The operation succeeded.
|
||||||
|
-
|
||||||
|
=item 0
|
||||||
|
|
||||||
|
A failure while manipulating the STACK_OF(X509_NAME) object occurred or
|
||||||
|
the X509_NAME could not be extracted from B<cacert>. Check the error stack
|
||||||
|
to find out the reason.
|
||||||
|
|
||||||
|
+=item 1
|
||||||
|
+
|
||||||
|
+The operation succeeded.
|
||||||
|
+
|
||||||
|
=back
|
||||||
|
|
||||||
|
=head1 EXAMPLES
|
||||||
|
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.backports openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
|
||||||
|
--- openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.backports 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2013-08-16 15:31:35.727003914 +0200
|
||||||
|
@@ -81,6 +81,8 @@ SSL_CTX_use_psk_identity_hint() and SSL_
|
||||||
|
|
||||||
|
Return values from the server callback are interpreted as follows:
|
||||||
|
|
||||||
|
+=over 4
|
||||||
|
+
|
||||||
|
=item > 0
|
||||||
|
|
||||||
|
PSK identity was found and the server callback has provided the PSK
|
||||||
|
@@ -99,4 +101,6 @@ completely.
|
||||||
|
PSK identity was not found. An "unknown_psk_identity" alert message
|
||||||
|
will be sent and the connection setup fails.
|
||||||
|
|
||||||
|
+=back
|
||||||
|
+
|
||||||
|
=cut
|
||||||
|
diff -up openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.backports openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod
|
||||||
|
--- openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.backports 2013-02-11 16:02:48.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod 2013-08-16 15:31:35.727003914 +0200
|
||||||
@@ -45,17 +45,17 @@ The following return values can occur:
|
@@ -45,17 +45,17 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -162,10 +208,9 @@ index 2435764..7f8cf24 100644
|
|||||||
=item E<lt>0
|
=item E<lt>0
|
||||||
|
|
||||||
The TLS/SSL handshake was not successful because a fatal error occurred either
|
The TLS/SSL handshake was not successful because a fatal error occurred either
|
||||||
diff --git a/doc/ssl/SSL_shutdown.pod b/doc/ssl/SSL_shutdown.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.backports openssl-1.0.1e/doc/ssl/SSL_shutdown.pod
|
||||||
index 89911ac..42a89b7 100644
|
--- openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.backports 2013-02-11 16:02:48.000000000 +0100
|
||||||
--- a/doc/ssl/SSL_shutdown.pod
|
+++ openssl-1.0.1e/doc/ssl/SSL_shutdown.pod 2013-08-16 15:31:35.728003935 +0200
|
||||||
+++ b/doc/ssl/SSL_shutdown.pod
|
|
||||||
@@ -92,11 +92,6 @@ The following return values can occur:
|
@@ -92,11 +92,6 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -178,7 +223,7 @@ index 89911ac..42a89b7 100644
|
|||||||
=item 0
|
=item 0
|
||||||
|
|
||||||
The shutdown is not yet finished. Call SSL_shutdown() for a second time,
|
The shutdown is not yet finished. Call SSL_shutdown() for a second time,
|
||||||
@@ -104,6 +99,11 @@ if a bidirectional shutdown shall be performed.
|
@@ -104,6 +99,11 @@ if a bidirectional shutdown shall be per
|
||||||
The output of L<SSL_get_error(3)|SSL_get_error(3)> may be misleading, as an
|
The output of L<SSL_get_error(3)|SSL_get_error(3)> may be misleading, as an
|
||||||
erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
|
erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
|
||||||
|
|
||||||
@ -190,26 +235,84 @@ index 89911ac..42a89b7 100644
|
|||||||
=item -1
|
=item -1
|
||||||
|
|
||||||
The shutdown was not successful because a fatal error occurred either
|
The shutdown was not successful because a fatal error occurred either
|
||||||
--
|
diff -up openssl-1.0.1e/ssl/d1_lib.c.backports openssl-1.0.1e/ssl/d1_lib.c
|
||||||
1.7.9.5
|
--- openssl-1.0.1e/ssl/d1_lib.c.backports 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/ssl/d1_lib.c 2013-08-16 15:33:33.306576363 +0200
|
||||||
From 147dbb2fe3bead7a10e2f280261b661ce7af7adc Mon Sep 17 00:00:00 2001
|
@@ -196,6 +196,7 @@ void dtls1_free(SSL *s)
|
||||||
From: "Dr. Stephen Henson" <steve@openssl.org>
|
pqueue_free(s->d1->buffered_app_data.q);
|
||||||
Date: Mon, 11 Feb 2013 18:24:03 +0000
|
|
||||||
Subject: [PATCH] Fix for SSL_get_certificate
|
OPENSSL_free(s->d1);
|
||||||
|
+ s->d1 = NULL;
|
||||||
Now we set the current certificate to the one used by a server
|
}
|
||||||
there is no need to call ssl_get_server_send_cert which will
|
|
||||||
fail if we haven't sent a certificate yet.
|
void dtls1_clear(SSL *s)
|
||||||
---
|
diff -up openssl-1.0.1e/ssl/d1_pkt.c.backports openssl-1.0.1e/ssl/d1_pkt.c
|
||||||
ssl/ssl_lib.c | 4 +---
|
--- openssl-1.0.1e/ssl/d1_pkt.c.backports 2013-02-11 16:26:04.000000000 +0100
|
||||||
1 file changed, 1 insertion(+), 3 deletions(-)
|
+++ openssl-1.0.1e/ssl/d1_pkt.c 2013-08-16 15:31:35.728003935 +0200
|
||||||
|
@@ -847,6 +847,12 @@ start:
|
||||||
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
}
|
||||||
index 14d143d..ff5a85a 100644
|
}
|
||||||
--- a/ssl/ssl_lib.c
|
|
||||||
+++ b/ssl/ssl_lib.c
|
+ if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE)
|
||||||
@@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s)
|
+ {
|
||||||
|
+ rr->length = 0;
|
||||||
|
+ goto start;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* we now have a packet which can be read and processed */
|
||||||
|
|
||||||
|
if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
|
||||||
|
@@ -1051,6 +1057,7 @@ start:
|
||||||
|
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
|
||||||
|
!s->s3->renegotiate)
|
||||||
|
{
|
||||||
|
+ s->d1->handshake_read_seq++;
|
||||||
|
s->new_session = 1;
|
||||||
|
ssl3_renegotiate(s);
|
||||||
|
if (ssl3_renegotiate_check(s))
|
||||||
|
diff -up openssl-1.0.1e/ssl/d1_srvr.c.backports openssl-1.0.1e/ssl/d1_srvr.c
|
||||||
|
--- openssl-1.0.1e/ssl/d1_srvr.c.backports 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/ssl/d1_srvr.c 2013-08-16 15:31:35.728003935 +0200
|
||||||
|
@@ -276,10 +276,11 @@ int dtls1_accept(SSL *s)
|
||||||
|
case SSL3_ST_SW_HELLO_REQ_B:
|
||||||
|
|
||||||
|
s->shutdown=0;
|
||||||
|
+ dtls1_clear_record_buffer(s);
|
||||||
|
dtls1_start_timer(s);
|
||||||
|
ret=dtls1_send_hello_request(s);
|
||||||
|
if (ret <= 0) goto end;
|
||||||
|
- s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
|
||||||
|
+ s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
|
||||||
|
s->state=SSL3_ST_SW_FLUSH;
|
||||||
|
s->init_num=0;
|
||||||
|
|
||||||
|
diff -up openssl-1.0.1e/ssl/s3_cbc.c.backports openssl-1.0.1e/ssl/s3_cbc.c
|
||||||
|
--- openssl-1.0.1e/ssl/s3_cbc.c.backports 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/ssl/s3_cbc.c 2013-08-16 15:31:35.729003956 +0200
|
||||||
|
@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s
|
||||||
|
unsigned padding_length, good, to_check, i;
|
||||||
|
const unsigned overhead = 1 /* padding length byte */ + mac_size;
|
||||||
|
/* Check if version requires explicit IV */
|
||||||
|
- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
|
||||||
|
+ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
|
||||||
|
{
|
||||||
|
/* These lengths are all public so we can test them in
|
||||||
|
* non-constant time.
|
||||||
|
diff -up openssl-1.0.1e/ssl/ssl_lib.c.backports openssl-1.0.1e/ssl/ssl_lib.c
|
||||||
|
--- openssl-1.0.1e/ssl/ssl_lib.c.backports 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/ssl/ssl_lib.c 2013-08-16 15:31:35.729003956 +0200
|
||||||
|
@@ -1797,7 +1797,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
|
||||||
|
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
|
||||||
|
|
||||||
|
ret->extra_certs=NULL;
|
||||||
|
- ret->comp_methods=SSL_COMP_get_compression_methods();
|
||||||
|
+ /* No compression for DTLS */
|
||||||
|
+ if (meth->version != DTLS1_VERSION)
|
||||||
|
+ ret->comp_methods=SSL_COMP_get_compression_methods();
|
||||||
|
|
||||||
|
ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
|
||||||
|
|
||||||
|
@@ -2792,9 +2794,7 @@ void ssl_clear_cipher_ctx(SSL *s)
|
||||||
/* Fix this function so that it takes an optional type parameter */
|
/* Fix this function so that it takes an optional type parameter */
|
||||||
X509 *SSL_get_certificate(const SSL *s)
|
X509 *SSL_get_certificate(const SSL *s)
|
||||||
{
|
{
|
||||||
@ -220,37 +323,23 @@ index 14d143d..ff5a85a 100644
|
|||||||
return(s->cert->key->x509);
|
return(s->cert->key->x509);
|
||||||
else
|
else
|
||||||
return(NULL);
|
return(NULL);
|
||||||
--
|
diff --git a/crypto/x86cpuid.pl b/crypto/x86cpuid.pl
|
||||||
1.7.9.5
|
index 3b6c469..e8a7518 100644
|
||||||
|
--- a/crypto/x86cpuid.pl
|
||||||
From 9fe4603b8245425a4c46986ed000fca054231253 Mon Sep 17 00:00:00 2001
|
+++ b/crypto/x86cpuid.pl
|
||||||
From: David Woodhouse <dwmw2@infradead.org>
|
@@ -69,6 +69,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
|
||||||
Date: Tue, 12 Feb 2013 14:55:32 +0000
|
&inc ("esi"); # number of cores
|
||||||
Subject: [PATCH] Check DTLS_BAD_VER for version number.
|
|
||||||
|
&mov ("eax",1);
|
||||||
The version check for DTLS1_VERSION was redundant as
|
+ &xor ("ecx","ecx");
|
||||||
DTLS1_VERSION > TLS1_1_VERSION, however we do need to
|
&cpuid ();
|
||||||
check for DTLS1_BAD_VER for compatibility.
|
&bt ("edx",28);
|
||||||
|
&jnc (&label("generic"));
|
||||||
PR:2984
|
@@ -102,6 +103,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
|
||||||
(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)
|
|
||||||
---
|
&set_label("nocacheinfo");
|
||||||
ssl/s3_cbc.c | 2 +-
|
&mov ("eax",1);
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
+ &xor ("ecx","ecx");
|
||||||
|
&cpuid ();
|
||||||
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
|
&and ("edx",0xbfefffff); # force reserved bits #20, #30 to 0
|
||||||
index 02edf3f..443a31e 100644
|
&cmp ("ebp",0);
|
||||||
--- a/ssl/s3_cbc.c
|
|
||||||
+++ b/ssl/s3_cbc.c
|
|
||||||
@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
|
|
||||||
unsigned padding_length, good, to_check, i;
|
|
||||||
const unsigned overhead = 1 /* padding length byte */ + mac_size;
|
|
||||||
/* Check if version requires explicit IV */
|
|
||||||
- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
|
|
||||||
+ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
|
|
||||||
{
|
|
||||||
/* These lengths are all public so we can test them in
|
|
||||||
* non-constant time.
|
|
||||||
--
|
|
||||||
1.7.9.5
|
|
||||||
|
|
||||||
|
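--- a/openssl-1.0.1e-compat-symbols.patch
+++ b/openssl-1.0.1e-compat-symbols.patch
@@ -0,0 +1,46 @@
+diff -up openssl-1.0.1e/crypto/dsa/dsa_key.c.compat openssl-1.0.1e/crypto/dsa/dsa_key.c
+--- openssl-1.0.1e/crypto/dsa/dsa_key.c.compat 2013-11-26 14:36:35.000000000 +0100
++++ openssl-1.0.1e/crypto/dsa/dsa_key.c 2013-12-11 16:34:58.638549687 +0100
+@@ -68,6 +68,11 @@
+#include <openssl/fips.h>
+#include <openssl/evp.h>
+
++/* just a compatibility symbol - no-op */
++void FIPS_corrupt_dsa_keygen(void)
++ {
++ }
++
+static int fips_check_dsa(DSA *dsa)
+{
+EVP_PKEY *pk;
+diff -up openssl-1.0.1e/crypto/engine/eng_all.c.compat openssl-1.0.1e/crypto/engine/eng_all.c
+--- openssl-1.0.1e/crypto/engine/eng_all.c.compat 2013-11-26 14:36:35.000000000 +0100
++++ openssl-1.0.1e/crypto/engine/eng_all.c 2013-12-11 16:32:13.512820424 +0100
+@@ -62,6 +62,11 @@
+#include <openssl/fips.h>
+#endif
+
++/* just backwards compatibility symbol - no-op */
++void ENGINE_load_aesni (void)
++{
++}
++
+void ENGINE_load_builtin_engines(void)
+{
+/* Some ENGINEs need this */
+diff -up openssl-1.0.1e/crypto/fips/fips.c.compat openssl-1.0.1e/crypto/fips/fips.c
+--- openssl-1.0.1e/crypto/fips/fips.c.compat 2013-11-26 14:36:35.000000000 +0100
++++ openssl-1.0.1e/crypto/fips/fips.c 2013-12-11 16:38:52.524831858 +0100
+@@ -111,6 +111,12 @@ int FIPS_module_mode(void)
+return ret;
+}
+
++/* just a compat symbol - return NULL */
++const void *FIPS_rand_check(void)
++ {
++ return NULL;
++ }
++
+int FIPS_selftest_failed(void)
+{
+int ret = 0;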
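Review bot: The stub comments in this patch do not tell a caller what the stubs no longer do, which matters most for `FIPS_rand_check`, added in the fips.c hunk to return NULL unconditionally. A binary built against the older library that dereferences the result would presumably fault, and `FIPS_corrupt_dsa_keygen` in the dsa_key.c hunk now silently does nothing, so any self-test harness that relied on it to force a failure would no longer exercise that path. I would spell this out, e.g. `/* compat symbol only: always returns NULL, callers must not dereference */` and `/* compat symbol only: no longer corrupts DSA keygen */`.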
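--- a/openssl-1.0.1e-cve-2013-4353.patch
+++ b/openssl-1.0.1e-cve-2013-4353.patch
@@ -0,0 +1,21 @@
+Fix for TLS record tampering bug. A carefully crafted invalid
+handshake could crash OpenSSL with a NULL pointer exception.
+Thanks to Anton Johansson for reporting this issues.
+(CVE-2013-4353)
+diff --git a/ssl/s3_both.c b/ssl/s3_both.c
+index 1e5dcab..53b9390 100644
+--- a/ssl/s3_both.c
++++ b/ssl/s3_both.c
+@@ -210,7 +210,11 @@ static void ssl3_take_mac(SSL *s)
+{
+const char *sender;
+int slen;
+-
++ /* If no new cipher setup return immediately: other functions will
++ * set the appropriate error.
++ */
++ if (s->s3->tmp.new_cipher == NULL)
++ return;
+if (s->state & SSL_ST_CONNECT)
+{
+sender=s->method->ssl3_enc->server_finished_label;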
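Review bot: The NULL check on `s->s3->tmp.new_cipher` is added in `ssl3_take_mac` only, and its comment does not say which later dereference it protects. The cve-2013-6449 patch on this page shows `ssl_get_algorithm2` reading `s->s3->tmp.new_cipher->algorithm2` with no check and `tls1_final_finish_mac` calling it; the `final_finish_mac` hook, which presumably dispatches there, is also invoked from `ssl3_send_finished` and `ssl3_do_change_cipher_spec`, and whether those paths can run before a cipher is chosen is not visible here. I would name the dependency in the comment, e.g. `/* final_finish_mac() ends up dereferencing new_cipher, so bail out while it is still NULL */`, and confirm the other callers are guarded. ssl3_take_mac's body continues outside the hunk.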
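--- a/openssl-1.0.1e-cve-2013-6449.patch
+++ b/openssl-1.0.1e-cve-2013-6449.patch
@@ -0,0 +1,111 @@
+Use version in SSL_METHOD not SSL structure.
+
+When deciding whether to use TLS 1.2 PRF and record hash algorithms
+use the version number in the corresponding SSL_METHOD structure
+instead of the SSL structure. The SSL structure version is sometimes
+inaccurate. Note: OpenSSL 1.0.2 and later effectively do this already.
+(CVE-2013-6449)
+
+Also preventively check EVP errors for handshake digests.
+
+diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
+index bf832bb..c4ef273 100644
+--- a/ssl/s3_lib.c
++++ b/ssl/s3_lib.c
+@@ -4286,7 +4286,7 @@ need to go to SSL_ST_ACCEPT.
+long ssl_get_algorithm2(SSL *s)
+{
+long alg2 = s->s3->tmp.new_cipher->algorithm2;
+- if (TLS1_get_version(s) >= TLS1_2_VERSION &&
++ if (s->method->version == TLS1_2_VERSION &&
+alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
+return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
+return alg2;
+diff --git a/ssl/s3_both.c b/ssl/s3_both.c
+index ead01c8..1e5dcab 100644
+--- a/ssl/s3_both.c
++++ b/ssl/s3_both.c
+@@ -161,6 +161,8 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
+
+i=s->method->ssl3_enc->final_finish_mac(s,
+sender,slen,s->s3->tmp.finish_md);
++ if (i == 0)
++ return 0;
+s->s3->tmp.finish_md_len = i;
+memcpy(p, s->s3->tmp.finish_md, i);
+p+=i;
+diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
+index 804291e..c4bc4e7 100644
+--- a/ssl/s3_pkt.c
++++ b/ssl/s3_pkt.c
+@@ -335,7 +335,7 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
+if (version != s->version)
+{
+SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
+- if ((s->version & 0xFF00) == (version & 0xFF00))
++ if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash)
+/* Send back error using their minor version number :-) */
+s->version = (unsigned short)version;
+al=SSL_AD_PROTOCOL_VERSION;
+@@ -1459,8 +1459,14 @@ int ssl3_do_change_cipher_spec(SSL *s)
+slen=s->method->ssl3_enc->client_finished_label_len;
+}
+
+- s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
++ i = s->method->ssl3_enc->final_finish_mac(s,
+sender,slen,s->s3->tmp.peer_finish_md);
++ if (i == 0)
++ {
++ SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++ s->s3->tmp.peer_finish_md_len = i;
+
+return(1);
+}
+diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
+index e5a8b3f..52efed3 100644
+--- a/ssl/s3_srvr.c
++++ b/ssl/s3_srvr.c
+@@ -958,7 +958,8 @@ int ssl3_get_client_hello(SSL *s)
+(s->version != DTLS1_VERSION && s->client_version < s->version))
+{
+SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
+- if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
++ if ((s->client_version>>8) == SSL3_VERSION_MAJOR &&
++ !s->enc_write_ctx && !s->write_hash)
+{
+/* similar to ssl3_get_record, send alert using remote version number */
+s->version = s->client_version;
+diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
+index 809ad2e..72015f5 100644
+--- a/ssl/t1_enc.c
++++ b/ssl/t1_enc.c
+@@ -915,18 +915,19 @@ int tls1_final_finish_mac(SSL *s,
+if (mask & ssl_get_algorithm2(s))
+{
+int hashsize = EVP_MD_size(md);
+- if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
++ EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx];
++ if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
+{
+/* internal error: 'buf' is too small for this cipersuite! */
+err = 1;
+}
+else
+{
+- EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]);
+- EVP_DigestFinal_ex(&ctx,q,&i);
+- if (i != (unsigned int)hashsize) /* can't really happen */
++ if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) ||
++ !EVP_DigestFinal_ex(&ctx,q,&i) ||
++ (i != (unsigned int)hashsize))
+err = 1;
+- q+=i;
++ q+=hashsize;
+}
+}
+}
+--
+1.8.3.1
+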
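Review bot: The new `if (i == 0) return 0;` in `ssl3_send_finished` (s3_both.c hunk) fails without queuing an error, while the equivalent check added to `ssl3_do_change_cipher_spec` in the s3_pkt.c hunk calls `SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR)` before returning. A caller that sees the 0 return then has nothing on the error stack to explain a failed Finished MAC, which makes a handshake digest failure hard to diagnose. I would keep the two paths consistent with `if (i == 0) { SSLerr(<function code for ssl3_send_finished>, ERR_R_INTERNAL_ERROR); return 0; }`; the right function code is not visible on this page. ssl3_send_finished's body continues outside the hunk.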
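--- a/openssl-1.0.1e-cve-2013-6450.patch
+++ b/openssl-1.0.1e-cve-2013-6450.patch
@@ -0,0 +1,85 @@
+Fix DTLS retransmission from previous session.
+
+For DTLS we might need to retransmit messages from the previous session
+so keep a copy of write context in DTLS retransmission buffers instead
+of replacing it after sending CCS. CVE-2013-6450.
+
+diff --git a/ssl/d1_both.c b/ssl/d1_both.c
+index 65ec001..7a5596a 100644
+--- a/ssl/d1_both.c
++++ b/ssl/d1_both.c
+@@ -214,6 +214,12 @@ dtls1_hm_fragment_new(unsigned long frag_len, int reassembly)
+static void
+dtls1_hm_fragment_free(hm_fragment *frag)
+{
++
++ if (frag->msg_header.is_ccs)
++ {
++ EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx);
++ EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash);
++ }
+if (frag->fragment) OPENSSL_free(frag->fragment);
+if (frag->reassembly) OPENSSL_free(frag->reassembly);
+OPENSSL_free(frag);
+diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
+index 96ce9a7..e485907 100644
+--- a/ssl/ssl_locl.h
++++ b/ssl/ssl_locl.h
+@@ -621,6 +621,8 @@ extern SSL3_ENC_METHOD TLSv1_enc_data;
+extern SSL3_ENC_METHOD SSLv3_enc_data;
+extern SSL3_ENC_METHOD DTLSv1_enc_data;
+
++#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION)
++
+#define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \
+s_get_meth) \
+const SSL_METHOD *func_name(void) \
+diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
+index 72015f5..56db834 100644
+--- a/ssl/t1_enc.c
++++ b/ssl/t1_enc.c
+@@ -414,15 +414,20 @@ int tls1_change_cipher_state(SSL *s, int which)
+s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
+else
+s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
+- if (s->enc_write_ctx != NULL)
++ if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s))
+reuse_dd = 1;
+- else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
++ else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL)
+goto err;
+- else
+- /* make sure it's intialized in case we exit later with an error */
+- EVP_CIPHER_CTX_init(s->enc_write_ctx);
+dd= s->enc_write_ctx;
+- mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
++ if (SSL_IS_DTLS(s))
++ {
++ mac_ctx = EVP_MD_CTX_create();
++ if (!mac_ctx)
++ goto err;
++ s->write_hash = mac_ctx;
++ }
++ else
++ mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
+#ifndef OPENSSL_NO_COMP
+if (s->compress != NULL)
+{
+diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
+index 6fc469f..d14e8e4 100644
+--- a/crypto/evp/digest.c
++++ b/crypto/evp/digest.c
+@@ -366,8 +366,11 @@ int EVP_Digest(const void *data, size_t count,
+
+void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx)
+{
+- EVP_MD_CTX_cleanup(ctx);
+- OPENSSL_free(ctx);
++ if (ctx)
++ {
++ EVP_MD_CTX_cleanup(ctx);
++ OPENSSL_free(ctx);
++ }
+}
+
+/* This call frees resources associated with the context */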
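Review bot: Ownership of the cipher and digest contexts is not documented at either end of this change. In the t1_enc.c hunk the DTLS branch overwrites `s->enc_write_ctx` and `s->write_hash` with fresh allocations without releasing the old ones, and the d1_both.c hunk frees `saved_retransmit_state.enc_write_ctx` and `.write_hash` only for `is_ccs` fragments, so the design presumably hands the old contexts to the retransmission buffer. Neither hunk shows what happens when the saved pointers are still the connection's live write contexts, or when no CCS fragment was buffered to take them over. A comment above the `SSL_IS_DTLS(s)` branch such as `/* DTLS: the previous write contexts are owned by the retransmit buffer and freed in dtls1_hm_fragment_free() */` would make that contract checkable; both functions continue outside their hunks.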
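--- a/openssl-1.0.1e-ecc-suiteb.patch
+++ b/openssl-1.0.1e-ecc-suiteb.patch
@@ -0,0 +1,124 @@
+diff -up openssl-1.0.1e/apps/speed.c.suiteb openssl-1.0.1e/apps/speed.c
+--- openssl-1.0.1e/apps/speed.c.suiteb 2013-11-08 18:02:53.815229706 +0100
++++ openssl-1.0.1e/apps/speed.c 2013-11-08 18:04:47.016724297 +0100
+@@ -966,49 +966,23 @@ int MAIN(int argc, char **argv)
+else
+#endif
+#ifndef OPENSSL_NO_ECDSA
+- if (strcmp(*argv,"ecdsap160") == 0) ecdsa_doit[R_EC_P160]=2;
+- else if (strcmp(*argv,"ecdsap192") == 0) ecdsa_doit[R_EC_P192]=2;
+- else if (strcmp(*argv,"ecdsap224") == 0) ecdsa_doit[R_EC_P224]=2;
+- else if (strcmp(*argv,"ecdsap256") == 0) ecdsa_doit[R_EC_P256]=2;
++ if (strcmp(*argv,"ecdsap256") == 0) ecdsa_doit[R_EC_P256]=2;
+else if (strcmp(*argv,"ecdsap384") == 0) ecdsa_doit[R_EC_P384]=2;
+else if (strcmp(*argv,"ecdsap521") == 0) ecdsa_doit[R_EC_P521]=2;
+- else if (strcmp(*argv,"ecdsak163") == 0) ecdsa_doit[R_EC_K163]=2;
+- else if (strcmp(*argv,"ecdsak233") == 0) ecdsa_doit[R_EC_K233]=2;
+- else if (strcmp(*argv,"ecdsak283") == 0) ecdsa_doit[R_EC_K283]=2;
+- else if (strcmp(*argv,"ecdsak409") == 0) ecdsa_doit[R_EC_K409]=2;
+- else if (strcmp(*argv,"ecdsak571") == 0) ecdsa_doit[R_EC_K571]=2;
+- else if (strcmp(*argv,"ecdsab163") == 0) ecdsa_doit[R_EC_B163]=2;
+- else if (strcmp(*argv,"ecdsab233") == 0) ecdsa_doit[R_EC_B233]=2;
+- else if (strcmp(*argv,"ecdsab283") == 0) ecdsa_doit[R_EC_B283]=2;
+- else if (strcmp(*argv,"ecdsab409") == 0) ecdsa_doit[R_EC_B409]=2;
+- else if (strcmp(*argv,"ecdsab571") == 0) ecdsa_doit[R_EC_B571]=2;
+else if (strcmp(*argv,"ecdsa") == 0)
+{
+- for (i=0; i < EC_NUM; i++)
++ for (i=R_EC_P256; i <= R_EC_P521; i++)
+ecdsa_doit[i]=1;
+}
+else
+#endif
+#ifndef OPENSSL_NO_ECDH
+- if (strcmp(*argv,"ecdhp160") == 0) ecdh_doit[R_EC_P160]=2;
+- else if (strcmp(*argv,"ecdhp192") == 0) ecdh_doit[R_EC_P192]=2;
+- else if (strcmp(*argv,"ecdhp224") == 0) ecdh_doit[R_EC_P224]=2;
+- else if (strcmp(*argv,"ecdhp256") == 0) ecdh_doit[R_EC_P256]=2;
++ if (strcmp(*argv,"ecdhp256") == 0) ecdh_doit[R_EC_P256]=2;
+else if (strcmp(*argv,"ecdhp384") == 0) ecdh_doit[R_EC_P384]=2;
+else if (strcmp(*argv,"ecdhp521") == 0) ecdh_doit[R_EC_P521]=2;
+- else if (strcmp(*argv,"ecdhk163") == 0) ecdh_doit[R_EC_K163]=2;
+- else if (strcmp(*argv,"ecdhk233") == 0) ecdh_doit[R_EC_K233]=2;
+- else if (strcmp(*argv,"ecdhk283") == 0) ecdh_doit[R_EC_K283]=2;
+- else if (strcmp(*argv,"ecdhk409") == 0) ecdh_doit[R_EC_K409]=2;
+- else if (strcmp(*argv,"ecdhk571") == 0) ecdh_doit[R_EC_K571]=2;
+- else if (strcmp(*argv,"ecdhb163") == 0) ecdh_doit[R_EC_B163]=2;
+- else if (strcmp(*argv,"ecdhb233") == 0) ecdh_doit[R_EC_B233]=2;
+- else if (strcmp(*argv,"ecdhb283") == 0) ecdh_doit[R_EC_B283]=2;
+- else if (strcmp(*argv,"ecdhb409") == 0) ecdh_doit[R_EC_B409]=2;
+- else if (strcmp(*argv,"ecdhb571") == 0) ecdh_doit[R_EC_B571]=2;
+else if (strcmp(*argv,"ecdh") == 0)
+{
+- for (i=0; i < EC_NUM; i++)
++ for (i=R_EC_P256; i <= R_EC_P521; i++)
+ecdh_doit[i]=1;
+}
+else
+@@ -1097,15 +1071,11 @@ int MAIN(int argc, char **argv)
+BIO_printf(bio_err,"dsa512 dsa1024 dsa2048\n");
+#endif
+#ifndef OPENSSL_NO_ECDSA
+- BIO_printf(bio_err,"ecdsap160 ecdsap192 ecdsap224 ecdsap256 ecdsap384 ecdsap521\n");
+- BIO_printf(bio_err,"ecdsak163 ecdsak233 ecdsak283 ecdsak409 ecdsak571\n");
+- BIO_printf(bio_err,"ecdsab163 ecdsab233 ecdsab283 ecdsab409 ecdsab571\n");
++ BIO_printf(bio_err,"ecdsap256 ecdsap384 ecdsap521\n");
+BIO_printf(bio_err,"ecdsa\n");
+#endif
+#ifndef OPENSSL_NO_ECDH
+- BIO_printf(bio_err,"ecdhp160 ecdhp192 ecdhp224 ecdhp256 ecdhp384 ecdhp521\n");
+- BIO_printf(bio_err,"ecdhk163 ecdhk233 ecdhk283 ecdhk409 ecdhk571\n");
+- BIO_printf(bio_err,"ecdhb163 ecdhb233 ecdhb283 ecdhb409 ecdhb571\n");
++ BIO_printf(bio_err,"ecdhp256 ecdhp384 ecdhp521\n");
+BIO_printf(bio_err,"ecdh\n");
+#endif
+
+@@ -1184,11 +1154,11 @@ int MAIN(int argc, char **argv)
+if (!FIPS_mode() || i != R_DSA_512)
+dsa_doit[i]=1;
+#ifndef OPENSSL_NO_ECDSA
+- for (i=0; i<EC_NUM; i++)
++ for (i=R_EC_P256; i <= R_EC_P521; i++)
+ecdsa_doit[i]=1;
+#endif
+#ifndef OPENSSL_NO_ECDH
+- for (i=0; i<EC_NUM; i++)
++ for (i=R_EC_P256; i <= R_EC_P521; i++)
+ecdh_doit[i]=1;
+#endif
+}
+diff -up openssl-1.0.1e/ssl/t1_lib.c.suiteb openssl-1.0.1e/ssl/t1_lib.c
+--- openssl-1.0.1e/ssl/t1_lib.c.suiteb 2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/ssl/t1_lib.c 2013-11-08 18:05:27.551617554 +0100
+@@ -204,31 +204,9 @@ static int nid_list[] =
+
+static int pref_list[] =
+{
+- NID_sect571r1, /* sect571r1 (14) */
+- NID_sect571k1, /* sect571k1 (13) */
+NID_secp521r1, /* secp521r1 (25) */
+- NID_sect409k1, /* sect409k1 (11) */
+- NID_sect409r1, /* sect409r1 (12) */
+NID_secp384r1, /* secp384r1 (24) */
+- NID_sect283k1, /* sect283k1 (9) */
+- NID_sect283r1, /* sect283r1 (10) */
+- NID_secp256k1, /* secp256k1 (22) */
+NID_X9_62_prime256v1, /* secp256r1 (23) */
+- NID_sect239k1, /* sect239k1 (8) */
+- NID_sect233k1, /* sect233k1 (6) */
+- NID_sect233r1, /* sect233r1 (7) */
+- NID_secp224k1, /* secp224k1 (20) */
+- NID_secp224r1, /* secp224r1 (21) */
+- NID_sect193r1, /* sect193r1 (4) */
+- NID_sect193r2, /* sect193r2 (5) */
+- NID_secp192k1, /* secp192k1 (18) */
+- NID_X9_62_prime192v1, /* secp192r1 (19) */
+- NID_sect163k1, /* sect163k1 (1) */
+- NID_sect163r1, /* sect163r1 (2) */
+- NID_sect163r2, /* sect163r2 (3) */
+- NID_secp160k1, /* secp160k1 (15) */
+- NID_secp160r1, /* secp160r1 (16) */
+- NID_secp160r2, /* secp160r2 (17) */
+};
+
+int tls1_ec_curve_id2nid(int curve_id)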
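Review bot: The trimmed `pref_list` in ssl/t1_lib.c has no comment saying why only secp521r1, secp384r1 and secp256r1 remain, and `nid_list`, which the hunk header places directly above it, is not touched by this hunk. If `nid_list` still maps the removed curve ids, whether a peer-offered curve outside the list is refused is decided in code outside the hunk and should be confirmed. I would add above the array `/* Only the curves shipped in this build; ids outside this list must be refused, not merely unadvertised */`. The speed.c loops `for (i=R_EC_P256; i <= R_EC_P521; i++)` presumably rely on the three `R_EC_*` constants being consecutive, which is defined outside the visible lines and deserves a short comment at the first loop.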
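--- a/openssl-1.0.1e-fips-ctor.patch
+++ b/openssl-1.0.1e-fips-ctor.patch
@@ -0,0 +1,179 @@
+diff -up openssl-1.0.1e/crypto/fips/fips.c.fips-ctor openssl-1.0.1e/crypto/fips/fips.c
+--- openssl-1.0.1e/crypto/fips/fips.c.fips-ctor 2013-09-26 13:52:30.767885457 +0200
++++ openssl-1.0.1e/crypto/fips/fips.c 2013-09-26 14:01:29.406010187 +0200
+@@ -60,6 +60,8 @@
+#include <dlfcn.h>
+#include <stdio.h>
+#include <stdlib.h>
++#include <unistd.h>
++#include <errno.h>
+#include "fips_locl.h"
+
+#ifdef OPENSSL_FIPS
+@@ -198,8 +200,10 @@ bin2hex(void *buf, size_t len)
+return hex;
+}
+
+-#define HMAC_PREFIX "."
+-#define HMAC_SUFFIX ".hmac"
++#define HMAC_PREFIX "."
++#ifndef HMAC_SUFFIX
++#define HMAC_SUFFIX ".hmac"
++#endif
+#define READ_BUFFER_LENGTH 16384
+
+static char *
+@@ -279,19 +283,13 @@ end:
+}
+
+static int
+-FIPSCHECK_verify(const char *libname, const char *symbolname)
++FIPSCHECK_verify(const char *path)
+{
+- char path[PATH_MAX+1];
+- int rv;
++ int rv = 0;
+FILE *hf;
+char *hmacpath, *p;
+char *hmac = NULL;
+size_t n;
+-
+- rv = get_library_path(libname, symbolname, path, sizeof(path));
+-
+- if (rv < 0)
+- return 0;
+
+hmacpath = make_hmac_path(path);
+if (hmacpath == NULL)
+@@ -341,6 +339,53 @@ end:
+return 1;
+}
+
++static int
++verify_checksums(void)
++ {
++ int rv;
++ char path[PATH_MAX+1];
++ char *p;
++
++ /* we need to avoid dlopening libssl, assume both libcrypto and libssl
++ are in the same directory */
++
++ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path));
++ if (rv < 0)
++ return 0;
++
++ rv = FIPSCHECK_verify(path);
++ if (!rv)
++ return 0;
++
++ /* replace libcrypto with libssl */
++ while ((p = strstr(path, "libcrypto.so")) != NULL)
++ {
++ p = stpcpy(p, "libssl");
++ memmove(p, p+3, strlen(p+2));
++ }
++
++ rv = FIPSCHECK_verify(path);
++ if (!rv)
++ return 0;
++ return 1;
++ }
++
++#ifndef FIPS_MODULE_PATH
++#define FIPS_MODULE_PATH "/etc/system-fips"
++#endif
++
++int
++FIPS_module_installed(void)
++ {
++ int rv;
++ rv = access(FIPS_MODULE_PATH, F_OK);
++ if (rv < 0 && errno != ENOENT)
++ rv = 0;
++
++ /* Installed == true */
++ return !rv;
++ }
++
+int FIPS_module_mode_set(int onoff, const char *auth)
+{
+int ret = 0;
+@@ -379,15 +424,7 @@ int FIPS_module_mode_set(int onoff, cons
+}
+#endif
+
+- if(!FIPSCHECK_verify("libcrypto.so." SHLIB_VERSION_NUMBER,"FIPS_mode_set"))
+- {
+- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+- fips_selftest_fail = 1;
+- ret = 0;
+- goto end;
+- }
+-
+- if(!FIPSCHECK_verify("libssl.so." SHLIB_VERSION_NUMBER,"SSL_CTX_new"))
++ if(!verify_checksums())
+{
+FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+fips_selftest_fail = 1;
+diff -up openssl-1.0.1e/crypto/fips/fips.h.fips-ctor openssl-1.0.1e/crypto/fips/fips.h
+--- openssl-1.0.1e/crypto/fips/fips.h.fips-ctor 2013-09-26 13:52:30.814886515 +0200
++++ openssl-1.0.1e/crypto/fips/fips.h 2013-09-26 13:52:30.816886560 +0200
+@@ -74,6 +74,7 @@ struct hmac_ctx_st;
+
+int FIPS_module_mode_set(int onoff, const char *auth);
+int FIPS_module_mode(void);
++int FIPS_module_installed(void);
+const void *FIPS_rand_check(void);
+int FIPS_selftest(void);
+int FIPS_selftest_failed(void);
+diff -up openssl-1.0.1e/crypto/o_init.c.fips-ctor openssl-1.0.1e/crypto/o_init.c
+--- openssl-1.0.1e/crypto/o_init.c.fips-ctor 2013-09-26 13:52:30.807886357 +0200
++++ openssl-1.0.1e/crypto/o_init.c 2013-09-26 14:00:21.000000000 +0200
+@@ -71,6 +71,9 @@ static void init_fips_mode(void)
+char buf[2] = "0";
+int fd;
+
++ /* Ensure the selftests always run */
++ FIPS_mode_set(1);
++
+if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL)
+{
+buf[0] = '1';
+@@ -85,9 +88,15 @@ static void init_fips_mode(void)
+* otherwise.
+*/
+
+- if (buf[0] == '1')
++ if (buf[0] != '1')
++ {
++ /* drop down to non-FIPS mode if it is not requested */
++ FIPS_mode_set(0);
++ }
++ else
+{
+- FIPS_mode_set(1);
++ /* abort if selftest failed */
++ FIPS_selftest_check();
+}
+}
+#endif
+@@ -96,13 +105,17 @@ static void init_fips_mode(void)
+* Currently only sets FIPS callbacks
+*/
+
+-void OPENSSL_init_library(void)
++void __attribute__ ((constructor)) OPENSSL_init_library(void)
+{
+static int done = 0;
+if (done)
+return;
+done = 1;
+#ifdef OPENSSL_FIPS
++ if (!FIPS_module_installed())
++ {
++ return;
++ }
+RAND_init_fips();
+init_fips_mode();
+if (!FIPS_mode())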
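Review bot: In `OPENSSL_init_library` the new early `return` when `FIPS_module_installed()` is false skips `init_fips_mode()` entirely, so on a host without the marker file a request such as `OPENSSL_FORCE_FIPS_MODE` is dropped with no diagnostic; the function body continues outside the hunk. If that is intended, say so at the check: `/* no FIPS marker file: self-tests are skipped and FIPS mode is never entered, even if requested */`. In `init_fips_mode` the result of the unconditional `FIPS_mode_set(1)` is ignored, and only the requested branch calls `FIPS_selftest_check()`, so a failed integrity check appears to go unreported when FIPS mode was not requested; a comment stating this is deliberate would help. In `FIPS_module_installed` an `access()` failure other than `ENOENT` is reported as installed, which errs toward running the checks and deserves a one-line comment such as `/* any error except ENOENT counts as installed, so the checks still run */`.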
2039
openssl-1.0.1e-fips-ec.patch
Normal file
2039
openssl-1.0.1e-fips-ec.patch
Normal file
File diff suppressed because it is too large
@ -1,6 +1,6 @@
|
|||||||
diff -up openssl-1.0.1e/doc/apps/cms.pod.manfix openssl-1.0.1e/doc/apps/cms.pod
|
diff -up openssl-1.0.1e/doc/apps/cms.pod.manfix openssl-1.0.1e/doc/apps/cms.pod
|
||||||
--- openssl-1.0.1e/doc/apps/cms.pod.manfix 2013-02-11 16:26:04.000000000 +0100
|
--- openssl-1.0.1e/doc/apps/cms.pod.manfix 2013-02-11 16:26:04.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/apps/cms.pod 2013-04-30 16:29:25.020724103 +0200
|
+++ openssl-1.0.1e/doc/apps/cms.pod 2013-09-12 11:17:42.147092310 +0200
|
||||||
@@ -450,28 +450,28 @@ remains DER.
|
@@ -450,28 +450,28 @@ remains DER.
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -36,9 +36,109 @@ diff -up openssl-1.0.1e/doc/apps/cms.pod.manfix openssl-1.0.1e/doc/apps/cms.pod
|
|||||||
|
|
||||||
the message was verified correctly but an error occurred writing out
|
the message was verified correctly but an error occurred writing out
|
||||||
the signers certificates.
|
the signers certificates.
|
||||||
|
diff -up openssl-1.0.1e/doc/apps/ec.pod.manfix openssl-1.0.1e/doc/apps/ec.pod
|
||||||
|
--- openssl-1.0.1e/doc/apps/ec.pod.manfix 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/doc/apps/ec.pod 2013-09-12 11:17:42.147092310 +0200
|
||||||
|
@@ -93,10 +93,6 @@ prints out the public, private key compo
|
||||||
|
|
||||||
|
this option prevents output of the encoded version of the key.
|
||||||
|
|
||||||
|
-=item B<-modulus>
|
||||||
|
-
|
||||||
|
-this option prints out the value of the public key component of the key.
|
||||||
|
-
|
||||||
|
=item B<-pubin>
|
||||||
|
|
||||||
|
by default a private key is read from the input file: with this option a
|
||||||
|
diff -up openssl-1.0.1e/doc/apps/openssl.pod.manfix openssl-1.0.1e/doc/apps/openssl.pod
|
||||||
|
--- openssl-1.0.1e/doc/apps/openssl.pod.manfix 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/doc/apps/openssl.pod 2013-09-12 11:17:42.148092331 +0200
|
||||||
|
@@ -163,7 +163,7 @@ Create or examine a netscape certificate
|
||||||
|
|
||||||
|
Online Certificate Status Protocol utility.
|
||||||
|
|
||||||
|
-=item L<B<passwd>|passwd(1)>
|
||||||
|
+=item L<B<passwd>|sslpasswd(1)>
|
||||||
|
|
||||||
|
Generation of hashed passwords.
|
||||||
|
|
||||||
|
@@ -187,7 +187,7 @@ Public key algorithm parameter managemen
|
||||||
|
|
||||||
|
Public key algorithm cryptographic operation utility.
|
||||||
|
|
||||||
|
-=item L<B<rand>|rand(1)>
|
||||||
|
+=item L<B<rand>|sslrand(1)>
|
||||||
|
|
||||||
|
Generate pseudo-random bytes.
|
||||||
|
|
||||||
|
@@ -401,9 +401,9 @@ L<crl(1)|crl(1)>, L<crl2pkcs7(1)|crl2pkc
|
||||||
|
L<dhparam(1)|dhparam(1)>, L<dsa(1)|dsa(1)>, L<dsaparam(1)|dsaparam(1)>,
|
||||||
|
L<enc(1)|enc(1)>, L<gendsa(1)|gendsa(1)>, L<genpkey(1)|genpkey(1)>,
|
||||||
|
L<genrsa(1)|genrsa(1)>, L<nseq(1)|nseq(1)>, L<openssl(1)|openssl(1)>,
|
||||||
|
-L<passwd(1)|passwd(1)>,
|
||||||
|
+L<sslpasswd(1)|sslpasswd(1)>,
|
||||||
|
L<pkcs12(1)|pkcs12(1)>, L<pkcs7(1)|pkcs7(1)>, L<pkcs8(1)|pkcs8(1)>,
|
||||||
|
-L<rand(1)|rand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>,
|
||||||
|
+L<sslrand(1)|sslrand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>,
|
||||||
|
L<rsautl(1)|rsautl(1)>, L<s_client(1)|s_client(1)>,
|
||||||
|
L<s_server(1)|s_server(1)>, L<s_time(1)|s_time(1)>,
|
||||||
|
L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
|
||||||
|
diff -up openssl-1.0.1e/doc/apps/s_client.pod.manfix openssl-1.0.1e/doc/apps/s_client.pod
|
||||||
|
--- openssl-1.0.1e/doc/apps/s_client.pod.manfix 2013-09-12 11:17:41.517078502 +0200
|
||||||
|
+++ openssl-1.0.1e/doc/apps/s_client.pod 2013-09-12 11:17:42.149092353 +0200
|
||||||
|
@@ -32,9 +32,14 @@ B<openssl> B<s_client>
|
||||||
|
[B<-ssl2>]
|
||||||
|
[B<-ssl3>]
|
||||||
|
[B<-tls1>]
|
||||||
|
+[B<-tls1_1>]
|
||||||
|
+[B<-tls1_2>]
|
||||||
|
+[B<-dtls1>]
|
||||||
|
[B<-no_ssl2>]
|
||||||
|
[B<-no_ssl3>]
|
||||||
|
[B<-no_tls1>]
|
||||||
|
+[B<-no_tls1_1>]
|
||||||
|
+[B<-no_tls1_2>]
|
||||||
|
[B<-bugs>]
|
||||||
|
[B<-cipher cipherlist>]
|
||||||
|
[B<-starttls protocol>]
|
||||||
|
@@ -44,6 +49,7 @@ B<openssl> B<s_client>
|
||||||
|
[B<-sess_out filename>]
|
||||||
|
[B<-sess_in filename>]
|
||||||
|
[B<-rand file(s)>]
|
||||||
|
+[B<-nextprotoneg protocols>]
|
||||||
|
|
||||||
|
=head1 DESCRIPTION
|
||||||
|
|
||||||
|
@@ -182,7 +188,7 @@ Use the PSK key B<key> when using a PSK
|
||||||
|
given as a hexadecimal number without leading 0x, for example -psk
|
||||||
|
1a2b3c4d.
|
||||||
|
|
||||||
|
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
|
||||||
|
+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
|
||||||
|
|
||||||
|
these options disable the use of certain SSL or TLS protocols. By default
|
||||||
|
the initial handshake uses a method which should be compatible with all
|
||||||
|
@@ -243,6 +249,17 @@ Multiple files can be specified separate
|
||||||
|
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
|
||||||
|
all others.
|
||||||
|
|
||||||
|
+=item B<-nextprotoneg protocols>
|
||||||
|
+
|
||||||
|
+enable Next Protocol Negotiation TLS extension and provide a list of
|
||||||
|
+comma-separated protocol names that the client should advertise
|
||||||
|
+support for. The list should contain most wanted protocols first.
|
||||||
|
+Protocol names are printable ASCII strings, for example "http/1.1" or
|
||||||
|
+"spdy/3".
|
||||||
|
+Empty list of protocols is treated specially and will cause the client to
|
||||||
|
+advertise support for the TLS extension but disconnect just after
|
||||||
|
+reciving ServerHello with a list of server supported protocols.
|
||||||
|
+
|
||||||
|
=back
|
||||||
|
|
||||||
|
=head1 CONNECTED COMMANDS
|
||||||
diff -up openssl-1.0.1e/doc/apps/smime.pod.manfix openssl-1.0.1e/doc/apps/smime.pod
|
diff -up openssl-1.0.1e/doc/apps/smime.pod.manfix openssl-1.0.1e/doc/apps/smime.pod
|
||||||
--- openssl-1.0.1e/doc/apps/smime.pod.manfix 2013-02-11 16:26:04.000000000 +0100
|
--- openssl-1.0.1e/doc/apps/smime.pod.manfix 2013-02-11 16:26:04.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/apps/smime.pod 2013-04-30 20:55:00.982603518 +0200
|
+++ openssl-1.0.1e/doc/apps/smime.pod 2013-09-12 11:17:42.150092375 +0200
|
||||||
@@ -308,28 +308,28 @@ remains DER.
|
@@ -308,28 +308,28 @@ remains DER.
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -74,9 +174,96 @@ diff -up openssl-1.0.1e/doc/apps/smime.pod.manfix openssl-1.0.1e/doc/apps/smime.
|
|||||||
|
|
||||||
the message was verified correctly but an error occurred writing out
|
the message was verified correctly but an error occurred writing out
|
||||||
the signers certificates.
|
the signers certificates.
|
||||||
|
diff -up openssl-1.0.1e/doc/apps/s_server.pod.manfix openssl-1.0.1e/doc/apps/s_server.pod
|
||||||
|
--- openssl-1.0.1e/doc/apps/s_server.pod.manfix 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/doc/apps/s_server.pod 2013-09-12 11:17:42.150092375 +0200
|
||||||
|
@@ -40,10 +40,16 @@ B<openssl> B<s_server>
|
||||||
|
[B<-ssl2>]
|
||||||
|
[B<-ssl3>]
|
||||||
|
[B<-tls1>]
|
||||||
|
+[B<-tls1_1>]
|
||||||
|
+[B<-tls1_2>]
|
||||||
|
+[B<-dtls1>]
|
||||||
|
[B<-no_ssl2>]
|
||||||
|
[B<-no_ssl3>]
|
||||||
|
[B<-no_tls1>]
|
||||||
|
+[B<-no_tls1_1>]
|
||||||
|
+[B<-no_tls1_2>]
|
||||||
|
[B<-no_dhe>]
|
||||||
|
+[B<-no_ecdhe>]
|
||||||
|
[B<-bugs>]
|
||||||
|
[B<-hack>]
|
||||||
|
[B<-www>]
|
||||||
|
@@ -54,6 +60,7 @@ B<openssl> B<s_server>
|
||||||
|
[B<-no_ticket>]
|
||||||
|
[B<-id_prefix arg>]
|
||||||
|
[B<-rand file(s)>]
|
||||||
|
+[B<-nextprotoneg protocols>]
|
||||||
|
|
||||||
|
=head1 DESCRIPTION
|
||||||
|
|
||||||
|
@@ -131,6 +138,10 @@ a static set of parameters hard coded in
|
||||||
|
if this option is set then no DH parameters will be loaded effectively
|
||||||
|
disabling the ephemeral DH cipher suites.
|
||||||
|
|
||||||
|
+=item B<-no_ecdhe>
|
||||||
|
+
|
||||||
|
+if this option is set then ephemeral ECDH cipher suites will be disabled.
|
||||||
|
+
|
||||||
|
=item B<-no_tmp_rsa>
|
||||||
|
|
||||||
|
certain export cipher suites sometimes use a temporary RSA key, this option
|
||||||
|
@@ -201,7 +212,7 @@ Use the PSK key B<key> when using a PSK
|
||||||
|
given as a hexadecimal number without leading 0x, for example -psk
|
||||||
|
1a2b3c4d.
|
||||||
|
|
||||||
|
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
|
||||||
|
+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
|
||||||
|
|
||||||
|
these options disable the use of certain SSL or TLS protocols. By default
|
||||||
|
the initial handshake uses a method which should be compatible with all
|
||||||
|
@@ -276,6 +287,14 @@ Multiple files can be specified separate
|
||||||
|
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
|
||||||
|
all others.
|
||||||
|
|
||||||
|
+=item B<-nextprotoneg protocols>
|
||||||
|
+
|
||||||
|
+enable Next Protocol Negotiation TLS extension and provide a
|
||||||
|
+comma-separated list of supported protocol names.
|
||||||
|
+The list should contain most wanted protocols first.
|
||||||
|
+Protocol names are printable ASCII strings, for example "http/1.1" or
|
||||||
|
+"spdy/3".
|
||||||
|
+
|
||||||
|
=back
|
||||||
|
|
||||||
|
=head1 CONNECTED COMMANDS
|
||||||
|
diff -up openssl-1.0.1e/doc/apps/verify.pod.manfix openssl-1.0.1e/doc/apps/verify.pod
|
||||||
|
--- openssl-1.0.1e/doc/apps/verify.pod.manfix 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/doc/apps/verify.pod 2013-09-12 11:25:13.994994992 +0200
|
||||||
|
@@ -25,6 +25,7 @@ B<openssl> B<verify>
|
||||||
|
[B<-untrusted file>]
|
||||||
|
[B<-help>]
|
||||||
|
[B<-issuer_checks>]
|
||||||
|
+[B<-attime timestamp>]
|
||||||
|
[B<-verbose>]
|
||||||
|
[B<->]
|
||||||
|
[certificates]
|
||||||
|
@@ -80,6 +81,12 @@ rejected. The presence of rejection mess
|
||||||
|
anything is wrong; during the normal verification process, several
|
||||||
|
rejections may take place.
|
||||||
|
|
||||||
|
+=item B<-attime timestamp>
|
||||||
|
+
|
||||||
|
+Perform validation checks using the time specified by B<timestamp> and not
|
||||||
|
+the current system time. B<timestamp> is the number of seconds since
|
||||||
|
+01.01.1970 (UNIX time).
|
||||||
|
+
|
||||||
|
=item B<-policy arg>
|
||||||
|
|
||||||
|
Enable policy processing and add B<arg> to the user-initial-policy-set (see
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_accept.pod.manfix openssl-1.0.1e/doc/ssl/SSL_accept.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_accept.pod.manfix openssl-1.0.1e/doc/ssl/SSL_accept.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_accept.pod.manfix 2013-04-30 15:30:40.000000000 +0200
|
--- openssl-1.0.1e/doc/ssl/SSL_accept.pod.manfix 2013-09-12 11:17:42.129091915 +0200
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_accept.pod 2013-04-30 21:17:28.057369256 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_accept.pod 2013-09-12 11:17:42.156092507 +0200
|
||||||
@@ -44,13 +44,13 @@ The following return values can occur:
|
@@ -44,13 +44,13 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -95,7 +282,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_accept.pod.manfix openssl-1.0.1e/doc/ssl/SSL
|
|||||||
established.
|
established.
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_clear.pod.manfix openssl-1.0.1e/doc/ssl/SSL_clear.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_clear.pod.manfix openssl-1.0.1e/doc/ssl/SSL_clear.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_clear.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
--- openssl-1.0.1e/doc/ssl/SSL_clear.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_clear.pod 2013-04-30 21:19:20.057609717 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_clear.pod 2013-09-12 11:17:42.158092551 +0200
|
||||||
@@ -56,12 +56,12 @@ The following return values can occur:
|
@@ -56,12 +56,12 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -112,9 +299,9 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_clear.pod.manfix openssl-1.0.1e/doc/ssl/SSL_
|
|||||||
The SSL_clear() operation was successful.
|
The SSL_clear() operation was successful.
|
||||||
|
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.manfix openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.manfix openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
--- openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.manfix 2013-09-12 11:17:42.049090162 +0200
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod 2013-04-30 21:11:49.602141805 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod 2013-09-12 11:17:42.159092573 +0200
|
||||||
@@ -53,11 +53,11 @@ SSL_COMP_add_compression_method() may re
|
@@ -60,11 +60,11 @@ SSL_COMP_add_compression_method() may re
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
|
|
||||||
@ -129,8 +316,8 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod.manfix opens
|
|||||||
The operation failed. Check the error queue to find out the reason.
|
The operation failed. Check the error queue to find out the reason.
|
||||||
|
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_connect.pod.manfix openssl-1.0.1e/doc/ssl/SSL_connect.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_connect.pod.manfix openssl-1.0.1e/doc/ssl/SSL_connect.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_connect.pod.manfix 2013-04-30 15:30:40.000000000 +0200
|
--- openssl-1.0.1e/doc/ssl/SSL_connect.pod.manfix 2013-09-12 11:17:42.130091937 +0200
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_connect.pod 2013-04-30 21:15:09.791416694 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_connect.pod 2013-09-12 11:17:42.161092616 +0200
|
||||||
@@ -41,13 +41,13 @@ The following return values can occur:
|
@@ -41,13 +41,13 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -149,7 +336,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_connect.pod.manfix openssl-1.0.1e/doc/ssl/SS
|
|||||||
established.
|
established.
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
--- openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod 2013-04-30 21:12:39.211201170 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod 2013-09-12 11:17:42.162092638 +0200
|
||||||
@@ -52,13 +52,13 @@ The following values are returned by all
|
@@ -52,13 +52,13 @@ The following values are returned by all
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -168,7 +355,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod.manfix openssl-1.0.1e/do
|
|||||||
|
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
--- openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod 2013-04-30 21:22:20.102446527 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod 2013-09-12 11:17:42.163092660 +0200
|
||||||
@@ -100,13 +100,13 @@ The following return values can occur:
|
@@ -100,13 +100,13 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -186,8 +373,8 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod.manfix openssl
|
|||||||
The operation succeeded.
|
The operation succeeded.
|
||||||
|
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.manfix 2013-04-30 15:30:40.000000000 +0200
|
--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.manfix 2013-09-12 11:17:42.132091981 +0200
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod 2013-04-30 21:23:02.644353105 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod 2013-09-12 11:17:42.164092682 +0200
|
||||||
@@ -66,13 +66,13 @@ values:
|
@@ -66,13 +66,13 @@ values:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -206,7 +393,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.manfix openssl-1.
|
|||||||
|
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod 2013-04-30 21:15:37.490008175 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod 2013-09-12 11:17:42.166092726 +0200
|
||||||
@@ -64,13 +64,13 @@ return the following values:
|
@@ -64,13 +64,13 @@ return the following values:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -225,7 +412,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod.manfix openss
|
|||||||
|
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod.manfix 2013-02-11 16:26:04.000000000 +0100
|
--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod.manfix 2013-02-11 16:26:04.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod 2013-04-30 21:19:59.388447867 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod 2013-09-12 11:17:42.167092748 +0200
|
||||||
@@ -42,11 +42,11 @@ and SSL_set_ssl_method():
|
@@ -42,11 +42,11 @@ and SSL_set_ssl_method():
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -241,8 +428,8 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod.manfix openssl-1.0.1
|
|||||||
The operation succeeded.
|
The operation succeeded.
|
||||||
|
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.manfix openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.manfix 2013-04-30 15:30:40.000000000 +0200
|
--- openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.manfix 2013-09-12 11:17:42.133092003 +0200
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2013-04-30 21:14:20.037354235 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2013-09-12 11:17:42.168092770 +0200
|
||||||
@@ -96,7 +96,7 @@ data to B<psk> and return the length of
|
@@ -96,7 +96,7 @@ data to B<psk> and return the length of
|
||||||
connection will fail with decryption_error before it will be finished
|
connection will fail with decryption_error before it will be finished
|
||||||
completely.
|
completely.
|
||||||
@ -253,8 +440,8 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.manfix openssl
|
|||||||
PSK identity was not found. An "unknown_psk_identity" alert message
|
PSK identity was not found. An "unknown_psk_identity" alert message
|
||||||
will be sent and the connection setup fails.
|
will be sent and the connection setup fails.
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.manfix openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.manfix openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.manfix 2013-04-30 15:30:40.000000000 +0200
|
--- openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.manfix 2013-09-12 11:17:42.135092047 +0200
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod 2013-04-30 21:21:52.906866978 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod 2013-09-12 11:17:42.170092814 +0200
|
||||||
@@ -45,13 +45,13 @@ The following return values can occur:
|
@@ -45,13 +45,13 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -273,7 +460,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.manfix openssl-1.0.1e/doc/s
|
|||||||
established.
|
established.
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_read.pod.manfix openssl-1.0.1e/doc/ssl/SSL_read.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_read.pod.manfix openssl-1.0.1e/doc/ssl/SSL_read.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_read.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
--- openssl-1.0.1e/doc/ssl/SSL_read.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_read.pod 2013-04-30 21:13:05.809769163 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_read.pod 2013-09-12 11:17:42.171092836 +0200
|
||||||
@@ -86,7 +86,7 @@ The following return values can occur:
|
@@ -86,7 +86,7 @@ The following return values can occur:
|
||||||
The read operation was successful; the return value is the number of
|
The read operation was successful; the return value is the number of
|
||||||
bytes actually read from the TLS/SSL connection.
|
bytes actually read from the TLS/SSL connection.
|
||||||
@ -285,7 +472,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_read.pod.manfix openssl-1.0.1e/doc/ssl/SSL_r
|
|||||||
shutdown due to a "close notify" alert sent by the peer (in which case
|
shutdown due to a "close notify" alert sent by the peer (in which case
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_session_reused.pod.manfix openssl-1.0.1e/doc/ssl/SSL_session_reused.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_session_reused.pod.manfix openssl-1.0.1e/doc/ssl/SSL_session_reused.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_session_reused.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
--- openssl-1.0.1e/doc/ssl/SSL_session_reused.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_session_reused.pod 2013-04-30 21:16:30.000129487 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_session_reused.pod 2013-09-12 11:17:42.172092857 +0200
|
||||||
@@ -27,11 +27,11 @@ The following return values can occur:
|
@@ -27,11 +27,11 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -302,7 +489,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_session_reused.pod.manfix openssl-1.0.1e/doc
|
|||||||
|
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_set_fd.pod.manfix openssl-1.0.1e/doc/ssl/SSL_set_fd.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_set_fd.pod.manfix openssl-1.0.1e/doc/ssl/SSL_set_fd.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_set_fd.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
--- openssl-1.0.1e/doc/ssl/SSL_set_fd.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_set_fd.pod 2013-04-30 21:20:49.594517776 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_set_fd.pod 2013-09-12 11:17:42.174092901 +0200
|
||||||
@@ -35,11 +35,11 @@ The following return values can occur:
|
@@ -35,11 +35,11 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -319,7 +506,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_set_fd.pod.manfix openssl-1.0.1e/doc/ssl/SSL
|
|||||||
|
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_set_session.pod.manfix openssl-1.0.1e/doc/ssl/SSL_set_session.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_set_session.pod.manfix openssl-1.0.1e/doc/ssl/SSL_set_session.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_set_session.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
--- openssl-1.0.1e/doc/ssl/SSL_set_session.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_set_session.pod 2013-04-30 21:17:57.551999090 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_set_session.pod 2013-09-12 11:17:42.175092923 +0200
|
||||||
@@ -37,11 +37,11 @@ The following return values can occur:
|
@@ -37,11 +37,11 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -335,8 +522,8 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_set_session.pod.manfix openssl-1.0.1e/doc/ss
|
|||||||
The operation succeeded.
|
The operation succeeded.
|
||||||
|
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.manfix openssl-1.0.1e/doc/ssl/SSL_shutdown.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.manfix openssl-1.0.1e/doc/ssl/SSL_shutdown.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.manfix 2013-04-30 15:30:40.000000000 +0200
|
--- openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.manfix 2013-09-12 11:17:42.137092090 +0200
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_shutdown.pod 2013-04-30 21:18:44.571853502 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_shutdown.pod 2013-09-12 11:17:42.177092967 +0200
|
||||||
@@ -92,14 +92,14 @@ The following return values can occur:
|
@@ -92,14 +92,14 @@ The following return values can occur:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
@ -356,7 +543,7 @@ diff -up openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.manfix openssl-1.0.1e/doc/ssl/S
|
|||||||
and the peer's "close notify" alert was received.
|
and the peer's "close notify" alert was received.
|
||||||
diff -up openssl-1.0.1e/doc/ssl/SSL_write.pod.manfix openssl-1.0.1e/doc/ssl/SSL_write.pod
|
diff -up openssl-1.0.1e/doc/ssl/SSL_write.pod.manfix openssl-1.0.1e/doc/ssl/SSL_write.pod
|
||||||
--- openssl-1.0.1e/doc/ssl/SSL_write.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
--- openssl-1.0.1e/doc/ssl/SSL_write.pod.manfix 2013-02-11 16:02:48.000000000 +0100
|
||||||
+++ openssl-1.0.1e/doc/ssl/SSL_write.pod 2013-04-30 21:13:31.129309841 +0200
|
+++ openssl-1.0.1e/doc/ssl/SSL_write.pod 2013-09-12 11:17:42.177092967 +0200
|
||||||
@@ -79,7 +79,7 @@ The following return values can occur:
|
@@ -79,7 +79,7 @@ The following return values can occur:
|
||||||
The write operation was successful, the return value is the number of
|
The write operation was successful, the return value is the number of
|
||||||
bytes actually written to the TLS/SSL connection.
|
bytes actually written to the TLS/SSL connection.
|
||||||
|
1070
openssl-1.0.1e-new-fips-reqs.patch
Normal file
1070
openssl-1.0.1e-new-fips-reqs.patch
Normal file
File diff suppressed because it is too large
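--- a/openssl-1.0.1e-no-md5-verify.patch
+++ b/openssl-1.0.1e-no-md5-verify.patch
@@ -0,0 +1,25 @@
+diff -up openssl-1.0.1e/crypto/asn1/a_verify.c.no-md5-verify openssl-1.0.1e/crypto/asn1/a_verify.c
+--- openssl-1.0.1e/crypto/asn1/a_verify.c.no-md5-verify 2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/crypto/asn1/a_verify.c 2013-11-13 16:30:04.628791616 +0100
+@@ -56,6 +56,9 @@
+* [including the GNU Public Licence.]
+*/
+
++/* for secure_getenv */
++#define _GNU_SOURCE
++
+#include <stdio.h>
+#include <time.h>
+
+@@ -171,6 +174,11 @@ int ASN1_item_verify(const ASN1_ITEM *it
+goto err;
+ret = -1;
+}
++ else if (mdnid == NID_md5 && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL)
++ {
++ ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
++ goto err;
++ }
+else
+{
+const EVP_MD *type;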
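Review bot: In the second hunk the MD5 rejection is lifted whenever `secure_getenv("OPENSSL_ENABLE_MD5_VERIFY")` returns non-NULL, so an empty value or `OPENSSL_ENABLE_MD5_VERIFY=0` re-enables verification of MD5-signed objects exactly as `=1` does. If an explicit opt-in is intended, the condition should test the value rather than mere presence; otherwise the behaviour should be documented above the branch, e.g. `/* MD5 signatures are refused unless OPENSSL_ENABLE_MD5_VERIFY is set (any value) outside secure-execution mode */`. The refusal also reuses `ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM`, so a policy rejection cannot be told apart from a genuinely unknown digest in error logs. The body of ASN1_item_verify starts and ends outside the hunk.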
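--- a/openssl-1.0.1e-trusted-first.patch
+++ b/openssl-1.0.1e-trusted-first.patch
@@ -0,0 +1,330 @@
+diff -up openssl-1.0.1e/apps/apps.c.trusted-first openssl-1.0.1e/apps/apps.c
+--- openssl-1.0.1e/apps/apps.c.trusted-first 2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/apps/apps.c 2013-08-16 15:42:39.920534769 +0200
+@@ -2361,6 +2361,8 @@ int args_verify(char ***pargs, int *parg
+flags |= X509_V_FLAG_NOTIFY_POLICY;
+else if (!strcmp(arg, "-check_ss_sig"))
+flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
++ else if (!strcmp(arg, "-trusted_first"))
++ flags |= X509_V_FLAG_TRUSTED_FIRST;
+else
+return 0;
+
+diff -up openssl-1.0.1e/apps/cms.c.trusted-first openssl-1.0.1e/apps/cms.c
+--- openssl-1.0.1e/apps/cms.c.trusted-first 2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/apps/cms.c 2013-08-16 15:43:56.671213879 +0200
+@@ -642,6 +642,7 @@ int MAIN(int argc, char **argv)
+BIO_printf (bio_err, "-text include or delete text MIME headers\n");
+BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
+BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
++ BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
+BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
+BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
+#ifndef OPENSSL_NO_ENGINE
+diff -up openssl-1.0.1e/apps/ocsp.c.trusted-first openssl-1.0.1e/apps/ocsp.c
+--- openssl-1.0.1e/apps/ocsp.c.trusted-first 2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/apps/ocsp.c 2013-08-16 15:49:47.477572414 +0200
+@@ -595,6 +595,7 @@ int MAIN(int argc, char **argv)
+BIO_printf (bio_err, "-path path to use in OCSP request\n");
+BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
+BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
++ BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
+BIO_printf (bio_err, "-VAfile file validator certificates file\n");
+BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
+BIO_printf (bio_err, "-status_age n maximum status age in seconds\n");
+diff -up openssl-1.0.1e/apps/s_client.c.trusted-first openssl-1.0.1e/apps/s_client.c
+--- openssl-1.0.1e/apps/s_client.c.trusted-first 2013-08-16 15:42:39.000000000 +0200
++++ openssl-1.0.1e/apps/s_client.c 2013-08-16 15:49:00.727542994 +0200
+@@ -298,6 +298,7 @@ static void sc_usage(void)
+BIO_printf(bio_err," -pass arg - private key file pass phrase source\n");
+BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
+BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
++ BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n");
+BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n");
+BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n");
+BIO_printf(bio_err," -showcerts - show all certificates in the chain\n");
+diff -up openssl-1.0.1e/apps/smime.c.trusted-first openssl-1.0.1e/apps/smime.c
+--- openssl-1.0.1e/apps/smime.c.trusted-first 2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/apps/smime.c 2013-08-16 15:46:44.024875150 +0200
+@@ -479,6 +479,7 @@ int MAIN(int argc, char **argv)
+BIO_printf (bio_err, "-text include or delete text MIME headers\n");
+BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
+BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
++ BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
+BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
+BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
+#ifndef OPENSSL_NO_ENGINE
+diff -up openssl-1.0.1e/apps/s_server.c.trusted-first openssl-1.0.1e/apps/s_server.c
+--- openssl-1.0.1e/apps/s_server.c.trusted-first 2013-08-16 15:42:39.000000000 +0200
++++ openssl-1.0.1e/apps/s_server.c 2013-08-16 15:48:19.469634430 +0200
+@@ -501,6 +501,7 @@ static void sv_usage(void)
+BIO_printf(bio_err," -state - Print the SSL states\n");
+BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
+BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
++ BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n");
+BIO_printf(bio_err," -nocert - Don't use any certificates (Anon-DH)\n");
+BIO_printf(bio_err," -cipher arg - play with 'openssl ciphers' to see what goes here\n");
+BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n");
+diff -up openssl-1.0.1e/apps/s_time.c.trusted-first openssl-1.0.1e/apps/s_time.c
+--- openssl-1.0.1e/apps/s_time.c.trusted-first 2013-08-16 15:42:39.000000000 +0200
++++ openssl-1.0.1e/apps/s_time.c 2013-08-16 15:47:35.862674188 +0200
+@@ -179,6 +179,7 @@ static void s_time_usage(void)
+file if not specified by this option\n\
+-CApath arg - PEM format directory of CA's\n\
+-CAfile arg - PEM format file of CA's\n\
++-trusted_first - Use trusted CA's first when building the trust chain\n\
+-cipher - preferred cipher to use, play with 'openssl ciphers'\n\n";
+
+printf( "usage: s_time <args>\n\n" );
+diff -up openssl-1.0.1e/apps/ts.c.trusted-first openssl-1.0.1e/apps/ts.c
+--- openssl-1.0.1e/apps/ts.c.trusted-first 2013-08-16 15:42:39.000000000 +0200
++++ openssl-1.0.1e/apps/ts.c 2013-08-16 15:45:27.766206812 +0200
+@@ -383,7 +383,7 @@ int MAIN(int argc, char **argv)
+"ts -verify [-data file_to_hash] [-digest digest_bytes] "
+"[-queryfile request.tsq] "
+"-in response.tsr [-token_in] "
+- "-CApath ca_path -CAfile ca_file.pem "
++ "-CApath ca_path -CAfile ca_file.pem -trusted_first"
+"-untrusted cert_file.pem\n");
+cleanup:
+/* Clean up. */
+diff -up openssl-1.0.1e/apps/verify.c.trusted-first openssl-1.0.1e/apps/verify.c
+--- openssl-1.0.1e/apps/verify.c.trusted-first 2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/apps/verify.c 2013-08-16 15:46:09.720124654 +0200
+@@ -237,7 +237,7 @@ int MAIN(int argc, char **argv)
+
+end:
+if (ret == 1) {
+- BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
++ BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
+BIO_printf(bio_err," [-attime timestamp]");
+#ifndef OPENSSL_NO_ENGINE
+BIO_printf(bio_err," [-engine e]");
+diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1e/crypto/x509/x509_vfy.c
+--- openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first 2013-08-16 15:42:39.864533545 +0200
++++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2013-08-16 15:42:39.921534791 +0200
+@@ -207,6 +207,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx
+
+/* If we are self signed, we break */
+if (ctx->check_issued(ctx, x,x)) break;
++ /* If asked see if we can find issuer in trusted store first */
++ if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
++ {
++ ok = ctx->get_issuer(&xtmp, ctx, x);
++ if (ok < 0)
++ return ok;
++ /* If successful for now free up cert so it
++ * will be picked up again later.
++ */
++ if (ok > 0)
++ {
++ X509_free(xtmp);
++ break;
++ }
++ }
+
+/* If we were passed a cert chain, use it first */
+if (ctx->untrusted != NULL)
+diff -up openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1e/crypto/x509/x509_vfy.h
+--- openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first 2013-08-16 15:42:39.356522432 +0200
++++ openssl-1.0.1e/crypto/x509/x509_vfy.h 2013-08-16 15:42:39.922534813 +0200
+@@ -389,6 +389,8 @@ void X509_STORE_CTX_set_depth(X509_STORE
+#define X509_V_FLAG_USE_DELTAS 0x2000
+/* Check selfsigned CA signature */
+#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
++/* Use trusted store first */
++#define X509_V_FLAG_TRUSTED_FIRST 0x8000
+
+
+#define X509_VP_FLAG_DEFAULT 0x1
+diff -up openssl-1.0.1e/doc/apps/cms.pod.trusted-first openssl-1.0.1e/doc/apps/cms.pod
+--- openssl-1.0.1e/doc/apps/cms.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200
++++ openssl-1.0.1e/doc/apps/cms.pod 2013-08-16 15:50:48.723921117 +0200
+@@ -35,6 +35,7 @@ B<openssl> B<cms>
+[B<-print>]
+[B<-CAfile file>]
+[B<-CApath dir>]
++[B<-trusted_first>]
+[B<-md digest>]
+[B<-[cipher]>]
+[B<-nointern>]
+@@ -238,6 +239,12 @@ B<-verify>. This directory must be a sta
+is a hash of each subject name (using B<x509 -hash>) should be linked
+to each certificate.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory before untrusted certificates
++from the message when building the trust chain to verify certificates.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+=item B<-md digest>
+
+digest algorithm to use when signing or resigning. If not present then the
+diff -up openssl-1.0.1e/doc/apps/ocsp.pod.trusted-first openssl-1.0.1e/doc/apps/ocsp.pod
+--- openssl-1.0.1e/doc/apps/ocsp.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200
++++ openssl-1.0.1e/doc/apps/ocsp.pod 2013-08-16 15:52:20.106933403 +0200
+@@ -29,6 +29,7 @@ B<openssl> B<ocsp>
+[B<-path>]
+[B<-CApath dir>]
+[B<-CAfile file>]
++[B<-trusted_first>]
+[B<-VAfile file>]
+[B<-validity_period n>]
+[B<-status_age n>]
+@@ -138,6 +139,13 @@ or "/" by default.
+file or pathname containing trusted CA certificates. These are used to verify
+the signature on the OCSP response.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory over certificates provided
++in the response or residing in other certificates file when building the trust
++chain to verify responder certificate.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+=item B<-verify_other file>
+
+file containing additional certificates to search when attempting to locate
+diff -up openssl-1.0.1e/doc/apps/s_client.pod.trusted-first openssl-1.0.1e/doc/apps/s_client.pod
+--- openssl-1.0.1e/doc/apps/s_client.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200
++++ openssl-1.0.1e/doc/apps/s_client.pod 2013-08-16 15:53:17.364194159 +0200
+@@ -17,6 +17,7 @@ B<openssl> B<s_client>
+[B<-pass arg>]
+[B<-CApath directory>]
+[B<-CAfile filename>]
++[B<-trusted_first>]
+[B<-reconnect>]
+[B<-pause>]
+[B<-showcerts>]
+@@ -107,7 +108,7 @@ also used when building the client certi
+A file containing trusted certificates to use during server authentication
+and to use when attempting to build the client certificate chain.
+
+-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
++=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first>
+
+Set various certificate chain valiadition option. See the
+L<B<verify>|verify(1)> manual page for details.
+diff -up openssl-1.0.1e/doc/apps/smime.pod.trusted-first openssl-1.0.1e/doc/apps/smime.pod
+--- openssl-1.0.1e/doc/apps/smime.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200
++++ openssl-1.0.1e/doc/apps/smime.pod 2013-08-16 15:56:12.497050767 +0200
+@@ -15,6 +15,9 @@ B<openssl> B<smime>
+[B<-pk7out>]
+[B<-[cipher]>]
+[B<-in file>]
++[B<-CAfile file>]
++[B<-CApath dir>]
++[B<-trusted_first>]
+[B<-certfile file>]
+[B<-signer file>]
+[B<-recip file>]
+@@ -146,6 +149,12 @@ B<-verify>. This directory must be a sta
+is a hash of each subject name (using B<x509 -hash>) should be linked
+to each certificate.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory over certificates provided
++in the message when building the trust chain to verify a certificate.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+=item B<-md digest>
+
+digest algorithm to use when signing or resigning. If not present then the
+diff -up openssl-1.0.1e/doc/apps/s_server.pod.trusted-first openssl-1.0.1e/doc/apps/s_server.pod
+--- openssl-1.0.1e/doc/apps/s_server.pod.trusted-first 2013-08-16 15:42:39.000000000 +0200
++++ openssl-1.0.1e/doc/apps/s_server.pod 2013-08-16 15:54:33.609873214 +0200
+@@ -33,6 +33,7 @@ B<openssl> B<s_server>
+[B<-state>]
+[B<-CApath directory>]
+[B<-CAfile filename>]
++[B<-trusted_first>]
+[B<-nocert>]
+[B<-cipher cipherlist>]
+[B<-quiet>]
+@@ -168,6 +169,12 @@ and to use when attempting to build the
+is also used in the list of acceptable client CAs passed to the client when
+a certificate is requested.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory before other certificates
++when building the trust chain to verify client certificates.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+=item B<-state>
+
+prints out the SSL session states.
+diff -up openssl-1.0.1e/doc/apps/s_time.pod.trusted-first openssl-1.0.1e/doc/apps/s_time.pod
+--- openssl-1.0.1e/doc/apps/s_time.pod.trusted-first 2013-02-11 16:02:48.000000000 +0100
++++ openssl-1.0.1e/doc/apps/s_time.pod 2013-08-16 15:55:12.651732938 +0200
+@@ -14,6 +14,7 @@ B<openssl> B<s_time>
+[B<-key filename>]
+[B<-CApath directory>]
+[B<-CAfile filename>]
++[B<-trusted_first>]
+[B<-reuse>]
+[B<-new>]
+[B<-verify depth>]
+@@ -76,6 +77,12 @@ also used when building the client certi
+A file containing trusted certificates to use during server authentication
+and to use when attempting to build the client certificate chain.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory over the certificates provided
++by the server when building the trust chain to verify server certificate.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+=item B<-new>
+
+performs the timing test using a new session ID for each connection.
+diff -up openssl-1.0.1e/doc/apps/ts.pod.trusted-first openssl-1.0.1e/doc/apps/ts.pod
+--- openssl-1.0.1e/doc/apps/ts.pod.trusted-first 2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/doc/apps/ts.pod 2013-08-16 15:57:17.399479957 +0200
+@@ -46,6 +46,7 @@ B<-verify>
+[B<-token_in>]
+[B<-CApath> trusted_cert_path]
+[B<-CAfile> trusted_certs.pem]
++[B<-trusted_first>]
+[B<-untrusted> cert_file.pem]
+
+=head1 DESCRIPTION
+@@ -324,6 +325,12 @@ L<verify(1)|verify(1)> for additional de
+or B<-CApath> must be specified.
+(Optional)
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory before other certificates
++when building the trust chain to verify certificates.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+=item B<-untrusted> cert_file.pem
+
+Set of additional untrusted certificates in PEM format which may be
+diff -up openssl-1.0.1e/doc/apps/verify.pod.trusted-first openssl-1.0.1e/doc/apps/verify.pod
+--- openssl-1.0.1e/doc/apps/verify.pod.trusted-first 2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/doc/apps/verify.pod 2013-08-16 15:58:00.267423925 +0200
+@@ -9,6 +9,7 @@ verify - Utility to verify certificates.
+B<openssl> B<verify>
+[B<-CApath directory>]
+[B<-CAfile file>]
++[B<-trusted_first>]
+[B<-purpose purpose>]
+[B<-policy arg>]
+[B<-ignore_critical>]
+@@ -56,6 +57,12 @@ in PEM format concatenated together.
+A file of untrusted certificates. The file should contain multiple certificates
+in PEM format concatenated together.
+
++=item B<-trusted_first>
++
++Use certificates in CA file or CA directory before the certificates in the untrusted
++file when building the trust chain to verify certificates.
++This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
++
+=item B<-purpose purpose>
+
+The intended use for the certificate. If this option is not specified,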
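Review bot: In the crypto/x509/x509_vfy.c hunk the new error path `if (ok < 0) return ok;` leaves X509_verify_cert directly from inside the chain-building loop. The function body starts and ends outside the hunk, so it is worth confirming that nothing allocated earlier in the function is normally released on a common exit path; if something is, this branch should jump to that exit path instead of returning. Separately, in the apps/ts.c usage text the added literal `"-CApath ca_path -CAfile ca_file.pem -trusted_first"` dropped the trailing space, so it concatenates with the next literal and prints `-trusted_first-untrusted cert_file.pem`. It should read `"-CApath ca_path -CAfile ca_file.pem -trusted_first "`.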
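--- a/openssl-1.0.1e-version.patch
+++ b/openssl-1.0.1e-version.patch
@@ -0,0 +1,63 @@
+diff -up openssl-1.0.1e/crypto/cversion.c.version openssl-1.0.1e/crypto/cversion.c
+--- openssl-1.0.1e/crypto/cversion.c.version 2013-02-11 16:02:47.000000000 +0100
++++ openssl-1.0.1e/crypto/cversion.c 2013-07-26 12:28:12.739161925 +0200
+@@ -62,7 +62,7 @@
+#include "buildinf.h"
+#endif
+
+-const char *SSLeay_version(int t)
++const char *_current_SSLeay_version(int t)
+{
+if (t == SSLEAY_VERSION)
+return OPENSSL_VERSION_TEXT;
+@@ -110,8 +110,25 @@ const char *SSLeay_version(int t)
+return("not available");
+}
+
+-unsigned long SSLeay(void)
++const char *_original_SSLeay_version(int t)
++ {
++ if (t == SSLEAY_VERSION)
++ return "OpenSSL 1.0.0-fips 29 Mar 2010";
++ else
++ return _current_SSLeay_version(t);
++ }
++
++unsigned long _original_SSLeay(void)
++ {
++ return(0x10000003);
++ }
++
++unsigned long _current_SSLeay(void)
+{
+return(SSLEAY_VERSION_NUMBER);
+}
+
++__asm__(".symver _original_SSLeay,SSLeay@");
++__asm__(".symver _original_SSLeay_version,SSLeay_version@");
++__asm__(".symver _current_SSLeay,SSLeay@@OPENSSL_1.0.1");
++__asm__(".symver _current_SSLeay_version,SSLeay_version@@OPENSSL_1.0.1");
+diff -up openssl-1.0.1e/Makefile.shared.version openssl-1.0.1e/Makefile.shared
+--- openssl-1.0.1e/Makefile.shared.version 2013-07-26 12:23:43.615545603 +0200
++++ openssl-1.0.1e/Makefile.shared 2013-07-26 12:23:43.701547398 +0200
+@@ -151,7 +151,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
+SHLIB_SUFFIX=; \
+ALLSYMSFLAGS='-Wl,--whole-archive'; \
+NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
++ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,--default-symver,--version-script=version.map -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+
+DO_GNU_APP=LDFLAGS="$(CFLAGS)"
+
+diff -up openssl-1.0.1e/version.map.version openssl-1.0.1e/version.map
+--- openssl-1.0.1e/version.map.version 2013-07-26 12:23:43.701547398 +0200
++++ openssl-1.0.1e/version.map 2013-07-26 12:29:10.698371472 +0200
+@@ -0,0 +1,8 @@
++OPENSSL_1.0.1 {
++ global:
++ SSLeay;
++ SSLeay_version;
++ local:
++ _original*;
++ _current*;
++};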
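Review bot: The compatibility shims added in the second crypto/cversion.c hunk hard-code `"OpenSSL 1.0.0-fips 29 Mar 2010"` and `0x10000003` without any comment explaining why. A binary that binds the unversioned `SSLeay@` or `SSLeay_version@` symbol is told it runs on 1.0.0 while 1.0.1e code executes, which can mislead version-gated feature checks, vulnerability scanners and inventory tooling. A comment above `_original_SSLeay_version` should say so, e.g. `/* Legacy unversioned binding: reports 1.0.0 for binaries linked without symbol versions; NOT the real library version */` (the stated purpose is presumed, confirm with the packager). The new file-scope names beginning with an underscore are also in the namespace C reserves for the implementation; a project prefix would avoid that, with the `local:` patterns in version.map adjusted to match.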
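--- a/openssl-1.0.1e-weak-ciphers.patch
+++ b/openssl-1.0.1e-weak-ciphers.patch
@@ -0,0 +1,12 @@
+diff -up openssl-1.0.1e/ssl/ssl.h.weak-ciphers openssl-1.0.1e/ssl/ssl.h
+--- openssl-1.0.1e/ssl/ssl.h.weak-ciphers 2013-12-18 15:50:40.881620314 +0100
++++ openssl-1.0.1e/ssl/ssl.h 2013-12-18 14:25:25.596566704 +0100
+@@ -331,7 +331,7 @@ extern "C" {
+/* The following cipher list is used by default.
+* It also is substituted when an application-defined cipher list string
+* starts with 'DEFAULT'. */
+-#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2"
++#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES"
+/* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
+* starts with a reasonable order, and all we have to do for DEFAULT is
+* throwing out anonymous and unencrypted ciphersuites!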
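Review bot: The comment that follows the changed `SSL_DEFAULT_CIPHER_LIST` still says DEFAULT only throws out anonymous and unencrypted ciphersuites, which no longer matches the new value `"ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES"`. That comment continues outside the hunk. Its last visible line should be brought in step, for example `* throwing out anonymous, unencrypted, export-grade, RC2 and single-DES ciphersuites!`. The comment above the define could also note that the exclusion only applies to the default list and to strings starting with `DEFAULT`, so an application-supplied string such as `ALL` still admits those suites.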
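--- a/openssl-fips.conf
+++ b/openssl-fips.conf
@@ -0,0 +1,2 @@
+-b /usr/lib{,64}/libcrypto.so.*
+-b /usr/lib{,64}/libssl.so.*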