- listen on ipv6 wildcard in s_server so we accept connections
  from both ipv4 and ipv6 (#601612)
- fix openssl speed command so it can be used in the FIPS mode
  with FIPS allowed ciphers
parent
540056f0e0
commit
09127ac54a
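--- /dev/null
+++ b/openssl-1.0.0c-apps-ipv6listen.patch
@@ -0,0 +1,57 @@
+diff -up openssl-1.0.0c/apps/s_socket.c.ipv6listen openssl-1.0.0c/apps/s_socket.c
+--- openssl-1.0.0c/apps/s_socket.c.ipv6listen 2011-01-24 16:44:18.000000000 +0100
++++ openssl-1.0.0c/apps/s_socket.c 2011-01-24 16:56:25.000000000 +0100
+@@ -335,15 +335,16 @@ int do_server(char *port, int type, int
+
+static int init_server(int *sock, char *port, int type)
+{
+- struct addrinfo *res, *res0, hints;
++ struct addrinfo *res, *res0 = NULL, hints;
+char * failed_call = NULL;
+- char port_name[8];
+int s;
+int e;
+
+if (!ssl_sock_init()) return(0);
+
+memset(&hints, '\0', sizeof(hints));
++ hints.ai_family = AF_INET6;
++tryipv4:
+hints.ai_socktype = type;
+hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
+
+@@ -365,6 +366,12 @@ static int init_server(int *sock, char *
+failed_call = "socket";
+goto nextres;
+}
++ if (hints.ai_family == AF_INET6)
++ {
++ int j = 0;
++ setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
++ (void *) &j, sizeof j);
++ }
+#if defined SOL_SOCKET && defined SO_REUSEADDR
+{
+int j = 1;
+@@ -392,9 +399,19 @@ nextres:
+close(s);
+res = res->ai_next;
+}
+- freeaddrinfo(res0);
++ if (res0)
++ freeaddrinfo(res0);
+
+- if (s == INVALID_SOCKET) { perror("socket"); return(0); }
++ if (s == INVALID_SOCKET)
++ {
++ if (hints.ai_family == AF_INET6)
++ {
++ hints.ai_family = AF_INET;
++ goto tryipv4;
++ }
++ perror("socket");
++ return(0);
++ }
+
+perror(failed_call);
+return(0);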
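Review bot: The `setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, ...)` call added after the socket() check in init_server ignores its return value and, unlike the SO_REUSEADDR block directly below it, has no feature guard. If clearing the option fails, the server silently stays IPv6-only, which is the situation this patch is meant to fix, and a platform that lacks `IPV6_V6ONLY` would not compile; wrapping the block in `#ifdef IPV6_V6ONLY` and using `if (setsockopt(...) < 0) perror("setsockopt IPV6_V6ONLY");` would cover both. Separately, the IPv4 retry in the last hunk is taken only when `s == INVALID_SOCKET`, so a v6 socket that was created but failed later in the loop appears to fall through to `perror(failed_call)` without trying AF_INET; the loop body lies outside the visible hunks, so this needs checking against the full function. Because the wildcard listener now accepts both address families, anyone running s_server should confirm that IPv6 packet filtering covers the port the same way the IPv4 rules do.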
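--- /dev/null
+++ b/openssl-1.0.0c-speed-fips.patch
@@ -0,0 +1,94 @@
+diff -up openssl-1.0.0c/apps/speed.c.spfips openssl-1.0.0c/apps/speed.c
+--- openssl-1.0.0c/apps/speed.c.spfips 2010-11-18 14:22:26.000000000 +0100
++++ openssl-1.0.0c/apps/speed.c 2011-01-24 17:25:32.000000000 +0100
+@@ -100,6 +100,9 @@
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif
+#if !defined(OPENSSL_SYS_MSDOS)
+#include OPENSSL_UNISTD
+#endif
+@@ -908,7 +911,12 @@ int MAIN(int argc, char **argv)
+#ifndef OPENSSL_NO_RSA
+if (strcmp(*argv,"rsa") == 0)
+{
++#ifdef OPENSSL_FIPS
++ if (!FIPS_mode())
++#endif
++ {
+rsa_doit[R_RSA_512]=1;
++ }
+rsa_doit[R_RSA_1024]=1;
+rsa_doit[R_RSA_2048]=1;
+rsa_doit[R_RSA_4096]=1;
+@@ -918,7 +926,12 @@ int MAIN(int argc, char **argv)
+#ifndef OPENSSL_NO_DSA
+if (strcmp(*argv,"dsa") == 0)
+{
++#ifdef OPENSSL_FIPS
++ if (!FIPS_mode())
++#endif
++ {
+dsa_doit[R_DSA_512]=1;
++ }
+dsa_doit[R_DSA_1024]=1;
+dsa_doit[R_DSA_2048]=1;
+}
+@@ -1193,30 +1206,54 @@ int MAIN(int argc, char **argv)
+AES_set_encrypt_key(key32,256,&aes_ks3);
+#endif
+#ifndef OPENSSL_NO_CAMELLIA
++ if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML])
++ {
+Camellia_set_key(key16,128,&camellia_ks1);
+Camellia_set_key(ckey24,192,&camellia_ks2);
+Camellia_set_key(ckey32,256,&camellia_ks3);
++ }
+#endif
+#ifndef OPENSSL_NO_IDEA
++ if (doit[D_CBC_IDEA])
++ {
+idea_set_encrypt_key(key16,&idea_ks);
++ }
+#endif
+#ifndef OPENSSL_NO_SEED
++ if (doit[D_CBC_SEED])
++ {
+SEED_set_key(key16,&seed_ks);
++ }
+#endif
+#ifndef OPENSSL_NO_RC4
++ if (doit[D_RC4])
++ {
+RC4_set_key(&rc4_ks,16,key16);
++ }
+#endif
+#ifndef OPENSSL_NO_RC2
++ if (doit[D_CBC_RC2])
++ {
+RC2_set_key(&rc2_ks,16,key16,128);
++ }
+#endif
+#ifndef OPENSSL_NO_RC5
++ if (doit[D_CBC_RC5])
++ {
+RC5_32_set_key(&rc5_ks,16,key16,12);
++ }
+#endif
+#ifndef OPENSSL_NO_BF
++ if (doit[D_CBC_BF])
++ {
+BF_set_key(&bf_ks,16,key16);
++ }
+#endif
+#ifndef OPENSSL_NO_CAST
++ if (doit[D_CBC_CAST])
++ {
+CAST_set_key(&cast_ks,16,key16);
++ }
+#endif
+#ifndef OPENSSL_NO_RSA
+memset(rsa_c,0,sizeof(rsa_c));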
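Review bot: The new `if (doit[...])` guards around the Camellia, IDEA, SEED, RC4, RC2, RC5, Blowfish and CAST key setup in MAIN carry no comment saying why the setup became conditional, so a later reader could take them for a micro-optimisation and remove them. A one-line comment above the first guard, e.g. `/* only set up keys for selected ciphers: non-approved algorithms must not be touched in FIPS mode */`, would record the intent stated in the changelog. The guards key off `doit[]` rather than `FIPS_mode()`, so they help only if `doit[]` is already cleared for non-approved ciphers when FIPS mode is on; that logic is outside these hunks and is worth confirming. Likewise the `!FIPS_mode()` checks cover only the `rsa` and `dsa` group arguments, so whether an explicit 512-bit selection or the default run is also filtered cannot be told from the visible lines.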
12
openssl.spec
12
openssl.spec
@ -21,7 +21,7 @@
|
|||||||
Summary: A general purpose cryptography library with TLS implementation
|
Summary: A general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 1.0.0c
|
Version: 1.0.0c
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
# We remove certain patented algorithms from the openssl source tarball
|
# We remove certain patented algorithms from the openssl source tarball
|
||||||
# with the hobble-openssl script which is included below.
|
# with the hobble-openssl script which is included below.
|
||||||
Source: openssl-%{version}-usa.tar.bz2
|
Source: openssl-%{version}-usa.tar.bz2
|
||||||
@ -62,6 +62,8 @@ Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
|
|||||||
Patch51: openssl-1.0.0c-version.patch
|
Patch51: openssl-1.0.0c-version.patch
|
||||||
Patch52: openssl-1.0.0b-aesni.patch
|
Patch52: openssl-1.0.0b-aesni.patch
|
||||||
Patch53: openssl-1.0.0-name-hash.patch
|
Patch53: openssl-1.0.0-name-hash.patch
|
||||||
|
Patch54: openssl-1.0.0c-speed-fips.patch
|
||||||
|
Patch55: openssl-1.0.0c-apps-ipv6listen.patch
|
||||||
# Backported fixes including security fixes
|
# Backported fixes including security fixes
|
||||||
|
|
||||||
License: OpenSSL
|
License: OpenSSL
|
||||||
@ -144,6 +146,8 @@ from other formats to the formats used by the OpenSSL toolkit.
|
|||||||
%patch51 -p1 -b .version
|
%patch51 -p1 -b .version
|
||||||
%patch52 -p1 -b .aesni
|
%patch52 -p1 -b .aesni
|
||||||
%patch53 -p1 -b .name-hash
|
%patch53 -p1 -b .name-hash
|
||||||
|
%patch54 -p1 -b .spfips
|
||||||
|
%patch55 -p1 -b .ipv6listen
|
||||||
|
|
||||||
# Modify the various perl scripts to reference perl in the right location.
|
# Modify the various perl scripts to reference perl in the right location.
|
||||||
perl util/perlpath.pl `dirname %{__perl}`
|
perl util/perlpath.pl `dirname %{__perl}`
|
||||||
@ -393,6 +397,12 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||||||
%postun -p /sbin/ldconfig
|
%postun -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jan 24 2011 Tomas Mraz <tmraz@redhat.com> 1.0.0c-2
|
||||||
|
- listen on ipv6 wildcard in s_server so we accept connections
|
||||||
|
from both ipv4 and ipv6 (#601612)
|
||||||
|
- fix openssl speed command so it can be used in the FIPS mode
|
||||||
|
with FIPS allowed ciphers
|
||||||
|
|
||||||
* Fri Dec 3 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0c-1
|
* Fri Dec 3 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0c-1
|
||||||
- new upstream version fixing CVE-2010-4180
|
- new upstream version fixing CVE-2010-4180
|
||||||
|
|
||||||
|