- make CA dir readable - the private keys are in private subdir (#584810)

- do not move the libcrypto to /lib in the F12 package
This commit is contained in:
Tomáš Mráz 2010-05-18 16:24:02 +00:00
parent b825afeee6
commit 354ff9f60c
5 changed files with 203 additions and 2 deletions

View File

@ -0,0 +1,53 @@
diff -up openssl-1.0.0/ssl/d1_lib.c.dtls1 openssl-1.0.0/ssl/d1_lib.c
--- openssl-1.0.0/ssl/d1_lib.c.dtls1 2009-12-08 12:38:17.000000000 +0100
+++ openssl-1.0.0/ssl/d1_lib.c 2010-04-09 16:29:49.000000000 +0200
@@ -283,6 +283,16 @@ struct timeval* dtls1_get_timeout(SSL *s
timeleft->tv_usec += 1000000;
}
+ /* If remaining time is less than 15 ms, set it to 0
+ * to prevent issues because of small devergences with
+ * socket timeouts.
+ */
+ if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000)
+ {
+ memset(timeleft, 0, sizeof(struct timeval));
+ }
+
+
return timeleft;
}
diff -up openssl-1.0.0/ssl/d1_pkt.c.dtls1 openssl-1.0.0/ssl/d1_pkt.c
--- openssl-1.0.0/ssl/d1_pkt.c.dtls1 2009-10-04 18:52:35.000000000 +0200
+++ openssl-1.0.0/ssl/d1_pkt.c 2010-04-09 16:30:49.000000000 +0200
@@ -667,14 +667,14 @@ again:
if (rr->length == 0) goto again;
/* If this record is from the next epoch (either HM or ALERT),
- * buffer it since it cannot be processed at this time. Records
- * from the next epoch are marked as received even though they
- * are not processed, so as to prevent any potential resource
- * DoS attack */
+ * and a handshake is currently in progress, buffer it since it
+ * cannot be processed at this time. */
if (is_next_epoch)
{
- dtls1_record_bitmap_update(s, bitmap);
- dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
+ if (SSL_in_init(s) || s->in_handshake)
+ {
+ dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
+ }
rr->length = 0;
s->packet_length = 0;
goto again;
@@ -809,7 +809,7 @@ start:
* buffer the application data for later processing rather
* than dropping the connection.
*/
- dtls1_buffer_record(s, &(s->d1->buffered_app_data), 0);
+ dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num);
rr->length = 0;
goto start;
}

View File

@ -0,0 +1,79 @@
diff -up openssl-1.0.0/doc/ssl/SSL_library_init.pod.sha256 openssl-1.0.0/doc/ssl/SSL_library_init.pod
--- openssl-1.0.0/doc/ssl/SSL_library_init.pod.sha256 2006-03-12 01:37:55.000000000 +0100
+++ openssl-1.0.0/doc/ssl/SSL_library_init.pod 2010-04-09 16:33:11.000000000 +0200
@@ -15,7 +15,7 @@ SSL_library_init, OpenSSL_add_ssl_algori
=head1 DESCRIPTION
-SSL_library_init() registers the available ciphers and digests.
+SSL_library_init() registers the available SSL/TLS ciphers and digests.
OpenSSL_add_ssl_algorithms() and SSLeay_add_ssl_algorithms() are synonyms
for SSL_library_init().
@@ -27,24 +27,28 @@ SSL_library_init() is not reentrant.
=head1 WARNING
-SSL_library_init() only registers ciphers. Another important initialization
-is the seeding of the PRNG (Pseudo Random Number Generator), which has to
-be performed separately.
+SSL_library_init() adds ciphers and digests used directly and indirectly by
+SSL/TLS.
=head1 EXAMPLES
A typical TLS/SSL application will start with the library initialization,
-will provide readable error messages and will seed the PRNG.
+and provide readable error messages.
SSL_load_error_strings(); /* readable error messages */
SSL_library_init(); /* initialize library */
- actions_to_seed_PRNG();
=head1 RETURN VALUES
SSL_library_init() always returns "1", so it is safe to discard the return
value.
+=head1 NOTES
+
+OpenSSL 0.9.8o and 1.0.0a and later added SHA2 algorithms to SSL_library_init().
+Applications which need to use SHA2 in earlier versions of OpenSSL should call
+OpenSSL_add_all_algorithms() as well.
+
=head1 SEE ALSO
L<ssl(3)|ssl(3)>, L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>,
diff -up openssl-1.0.0/ssl/ssl_algs.c.sha256 openssl-1.0.0/ssl/ssl_algs.c
--- openssl-1.0.0/ssl/ssl_algs.c.sha256 2010-04-06 12:52:38.000000000 +0200
+++ openssl-1.0.0/ssl/ssl_algs.c 2010-04-09 16:34:41.000000000 +0200
@@ -111,6 +111,14 @@ int SSL_library_init(void)
EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
#endif
+#ifndef OPENSSL_NO_SHA256
+ EVP_add_digest(EVP_sha224());
+ EVP_add_digest(EVP_sha256());
+#endif
+#ifndef OPENSSL_NO_SHA512
+ EVP_add_digest(EVP_sha384());
+ EVP_add_digest(EVP_sha512());
+#endif
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
@@ -148,6 +156,14 @@ int SSL_library_init(void)
EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
#endif
+#ifndef OPENSSL_NO_SHA256
+ EVP_add_digest(EVP_sha224());
+ EVP_add_digest(EVP_sha256());
+#endif
+#ifndef OPENSSL_NO_SHA512
+ EVP_add_digest(EVP_sha384());
+ EVP_add_digest(EVP_sha512());
+#endif
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);

View File

@ -0,0 +1,22 @@
diff -up openssl-1.0.0/crypto/x509/x509_cmp.c.name-hash openssl-1.0.0/crypto/x509/x509_cmp.c
--- openssl-1.0.0/crypto/x509/x509_cmp.c.name-hash 2010-01-12 18:27:10.000000000 +0100
+++ openssl-1.0.0/crypto/x509/x509_cmp.c 2010-04-06 16:44:52.000000000 +0200
@@ -236,10 +236,17 @@ unsigned long X509_NAME_hash_old(X509_NA
{
unsigned long ret=0;
unsigned char md[16];
+ EVP_MD_CTX ctx;
/* Make sure X509_NAME structure contains valid cached encoding */
i2d_X509_NAME(x,NULL);
- EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
+
+ EVP_MD_CTX_init(&ctx);
+ EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_ONESHOT | EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)
+ && EVP_DigestUpdate(&ctx, x->bytes->data, x->bytes->length)
+ && EVP_DigestFinal_ex(&ctx, md, NULL);
+ EVP_MD_CTX_cleanup(&ctx);
ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)

View File

@ -0,0 +1,21 @@
diff -up openssl-1.0.0/Makefile.org.timezone openssl-1.0.0/Makefile.org
--- openssl-1.0.0/Makefile.org.timezone 2010-03-30 11:08:40.000000000 +0200
+++ openssl-1.0.0/Makefile.org 2010-04-06 12:49:21.000000000 +0200
@@ -609,7 +609,7 @@ install_docs:
sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
(cd `$(PERL) util/dirname.pl $$i`; \
- sh -c "$$pod2man \
+ sh -c "TZ=UTC $$pod2man \
--section=$$sec --center=OpenSSL \
--release=$(VERSION) `basename $$i`") \
> $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
@@ -626,7 +626,7 @@ install_docs:
sec=`$(PERL) util/extract-section.pl 3 < $$i`; \
echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
(cd `$(PERL) util/dirname.pl $$i`; \
- sh -c "$$pod2man \
+ sh -c "TZ=UTC $$pod2man \
--section=$$sec --center=OpenSSL \
--release=$(VERSION) `basename $$i`") \
> $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \

View File

@ -21,7 +21,7 @@
Summary: A general purpose cryptography library with TLS implementation Summary: A general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 1.0.0 Version: 1.0.0
Release: 1%{?dist} Release: 4%{?dist}
# We remove certain patented algorithms from the openssl source tarball # We remove certain patented algorithms from the openssl source tarball
# with the hobble-openssl script which is included below. # with the hobble-openssl script which is included below.
Source: openssl-%{version}-usa.tar.bz2 Source: openssl-%{version}-usa.tar.bz2
@ -39,6 +39,7 @@ Patch3: openssl-1.0.0-beta3-soversion.patch
Patch4: openssl-1.0.0-beta5-enginesdir.patch Patch4: openssl-1.0.0-beta5-enginesdir.patch
Patch5: openssl-0.9.8a-no-rpath.patch Patch5: openssl-0.9.8a-no-rpath.patch
Patch6: openssl-0.9.8b-test-use-localhost.patch Patch6: openssl-0.9.8b-test-use-localhost.patch
Patch7: openssl-1.0.0-timezone.patch
# Bug fixes # Bug fixes
Patch23: openssl-1.0.0-beta4-default-paths.patch Patch23: openssl-1.0.0-beta4-default-paths.patch
Patch24: openssl-0.9.8j-bad-mime.patch Patch24: openssl-0.9.8j-bad-mime.patch
@ -59,7 +60,10 @@ Patch49: openssl-1.0.0-beta4-algo-doc.patch
Patch50: openssl-1.0.0-beta4-dtls1-abi.patch Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
Patch51: openssl-1.0.0-version.patch Patch51: openssl-1.0.0-version.patch
Patch52: openssl-1.0.0-beta4-aesni.patch Patch52: openssl-1.0.0-beta4-aesni.patch
Patch53: openssl-1.0.0-name-hash.patch
# Backported fixes including security fixes # Backported fixes including security fixes
Patch60: openssl-1.0.0-dtls1-backports.patch
Patch61: openssl-1.0.0-init-sha256.patch
License: OpenSSL License: OpenSSL
Group: System Environment/Libraries Group: System Environment/Libraries
@ -118,6 +122,7 @@ from other formats to the formats used by the OpenSSL toolkit.
%patch4 -p1 -b .enginesdir %patch4 -p1 -b .enginesdir
%patch5 -p1 -b .no-rpath %patch5 -p1 -b .no-rpath
%patch6 -p1 -b .use-localhost %patch6 -p1 -b .use-localhost
%patch7 -p1 -b .timezone
%patch23 -p1 -b .default-paths %patch23 -p1 -b .default-paths
%patch24 -p1 -b .bad-mime %patch24 -p1 -b .bad-mime
@ -138,7 +143,10 @@ from other formats to the formats used by the OpenSSL toolkit.
%patch50 -p1 -b .dtls1-abi %patch50 -p1 -b .dtls1-abi
%patch51 -p1 -b .version %patch51 -p1 -b .version
%patch52 -p1 -b .aesni %patch52 -p1 -b .aesni
%patch53 -p1 -b .name-hash
%patch60 -p1 -b .dtls1
%patch61 -p1 -b .sha256
# Modify the various perl scripts to reference perl in the right location. # Modify the various perl scripts to reference perl in the right location.
perl util/perlpath.pl `dirname %{__perl}` perl util/perlpath.pl `dirname %{__perl}`
@ -281,8 +289,11 @@ pushd $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc
mv CA.sh CA mv CA.sh CA
popd popd
mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA
mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts
# Ensure the openssl.cnf timestamp is identical across builds to avoid # Ensure the openssl.cnf timestamp is identical across builds to avoid
# mulitlib conflicts and unnecessary renames on upgrade # mulitlib conflicts and unnecessary renames on upgrade
@ -345,6 +356,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%{_sysconfdir}/pki/tls/misc/CA %{_sysconfdir}/pki/tls/misc/CA
%dir %{_sysconfdir}/pki/CA %dir %{_sysconfdir}/pki/CA
%dir %{_sysconfdir}/pki/CA/private %dir %{_sysconfdir}/pki/CA/private
%dir %{_sysconfdir}/pki/CA/certs
%dir %{_sysconfdir}/pki/CA/crl
%dir %{_sysconfdir}/pki/CA/newcerts
%{_sysconfdir}/pki/tls/misc/c_* %{_sysconfdir}/pki/tls/misc/c_*
%{_sysconfdir}/pki/tls/private %{_sysconfdir}/pki/tls/private
@ -383,6 +397,18 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun -p /sbin/ldconfig %postun -p /sbin/ldconfig
%changelog %changelog
* Tue May 18 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-4
- make CA dir readable - the private keys are in private subdir (#584810)
- do not move the libcrypto to /lib in the F12 package
* Fri Apr 9 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-3
- a few fixes from upstream CVS
- move libcrypto to /lib (#559953)
* Tue Apr 6 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-2
- set UTC timezone on pod2man run (#578842)
- make X509_NAME_hash_old work in FIPS mode
* Tue Mar 30 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-1 * Tue Mar 30 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-1
- update to final 1.0.0 upstream release - update to final 1.0.0 upstream release