- make CA dir readable - the private keys are in private subdir (#584810)

- do not move the libcrypto to /lib in the F12 package
2010-05-18 16:24:02 +00:00 · 2010-05-18 16:24:02 +00:00 · 354ff9f60c
commit 354ff9f60c
parent b825afeee6
5 changed files with 203 additions and 2 deletions
--- a/openssl-1.0.0-dtls1-backports.patch
+++ b/openssl-1.0.0-dtls1-backports.patch
@ -0,0 +1,53 @@
+diff -up openssl-1.0.0/ssl/d1_lib.c.dtls1 openssl-1.0.0/ssl/d1_lib.c
+--- openssl-1.0.0/ssl/d1_lib.c.dtls1	2009-12-08 12:38:17.000000000 +0100
+++ openssl-1.0.0/ssl/d1_lib.c	2010-04-09 16:29:49.000000000 +0200
+@@ -283,6 +283,16 @@ struct timeval* dtls1_get_timeout(SSL *s
+ 		timeleft->tv_usec += 1000000;
+ 		}
+ 
+	/* If remaining time is less than 15 ms, set it to 0
+	 * to prevent issues because of small devergences with
+	 * socket timeouts.
+	 */
+	if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000)
+		{
+		memset(timeleft, 0, sizeof(struct timeval));
+		}
+	
+
+ 	return timeleft;
+ 	}
+ 
+diff -up openssl-1.0.0/ssl/d1_pkt.c.dtls1 openssl-1.0.0/ssl/d1_pkt.c
+--- openssl-1.0.0/ssl/d1_pkt.c.dtls1	2009-10-04 18:52:35.000000000 +0200
+++ openssl-1.0.0/ssl/d1_pkt.c	2010-04-09 16:30:49.000000000 +0200
+@@ -667,14 +667,14 @@ again:
+ 	if (rr->length == 0) goto again;
+ 
+ 	/* If this record is from the next epoch (either HM or ALERT),
+-	 * buffer it since it cannot be processed at this time. Records
+-	 * from the next epoch are marked as received even though they
+-	 * are not processed, so as to prevent any potential resource
+-	 * DoS attack */
+	 * and a handshake is currently in progress, buffer it since it
+	 * cannot be processed at this time. */
+ 	if (is_next_epoch)
+ 		{
+-		dtls1_record_bitmap_update(s, bitmap);
+-		dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
+		if (SSL_in_init(s) || s->in_handshake)
+			{
+			dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
+			}
+ 		rr->length = 0;
+ 		s->packet_length = 0;
+ 		goto again;
+@@ -809,7 +809,7 @@ start:
+ 		 * buffer the application data for later processing rather
+ 		 * than dropping the connection.
+ 		 */
+-		dtls1_buffer_record(s, &(s->d1->buffered_app_data), 0);
+		dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num);
+ 		rr->length = 0;
+ 		goto start;
+ 		}
--- a/openssl-1.0.0-init-sha256.patch
+++ b/openssl-1.0.0-init-sha256.patch
@ -0,0 +1,79 @@
+diff -up openssl-1.0.0/doc/ssl/SSL_library_init.pod.sha256 openssl-1.0.0/doc/ssl/SSL_library_init.pod
+--- openssl-1.0.0/doc/ssl/SSL_library_init.pod.sha256	2006-03-12 01:37:55.000000000 +0100
+++ openssl-1.0.0/doc/ssl/SSL_library_init.pod	2010-04-09 16:33:11.000000000 +0200
+@@ -15,7 +15,7 @@ SSL_library_init, OpenSSL_add_ssl_algori
+ 
+ =head1 DESCRIPTION
+ 
+-SSL_library_init() registers the available ciphers and digests.
+SSL_library_init() registers the available SSL/TLS ciphers and digests.
+ 
+ OpenSSL_add_ssl_algorithms() and SSLeay_add_ssl_algorithms() are synonyms
+ for SSL_library_init().
+@@ -27,24 +27,28 @@ SSL_library_init() is not reentrant. 
+ 
+ =head1 WARNING
+ 
+-SSL_library_init() only registers ciphers. Another important initialization
+-is the seeding of the PRNG (Pseudo Random Number Generator), which has to
+-be performed separately.
+SSL_library_init() adds ciphers and digests used directly and indirectly by
+SSL/TLS.
+ 
+ =head1 EXAMPLES
+ 
+ A typical TLS/SSL application will start with the library initialization,
+-will provide readable error messages and will seed the PRNG.
+and provide readable error messages.
+ 
+  SSL_load_error_strings();                /* readable error messages */
+  SSL_library_init();                      /* initialize library */
+- actions_to_seed_PRNG(); 
+ 
+ =head1 RETURN VALUES
+ 
+ SSL_library_init() always returns "1", so it is safe to discard the return
+ value.
+ 
+=head1 NOTES
+
+OpenSSL 0.9.8o and 1.0.0a and later added SHA2 algorithms to SSL_library_init().
+Applications which need to use SHA2 in earlier versions of OpenSSL should call
+OpenSSL_add_all_algorithms() as well.
+
+ =head1 SEE ALSO
+ 
+ L<ssl(3)|ssl(3)>, L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>,
+diff -up openssl-1.0.0/ssl/ssl_algs.c.sha256 openssl-1.0.0/ssl/ssl_algs.c
+--- openssl-1.0.0/ssl/ssl_algs.c.sha256	2010-04-06 12:52:38.000000000 +0200
+++ openssl-1.0.0/ssl/ssl_algs.c	2010-04-09 16:34:41.000000000 +0200
+@@ -111,6 +111,14 @@ int SSL_library_init(void)
+ 	EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
+ 	EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
+ #endif
+#ifndef OPENSSL_NO_SHA256
+	EVP_add_digest(EVP_sha224());
+	EVP_add_digest(EVP_sha256());
+#endif
+#ifndef OPENSSL_NO_SHA512
+	EVP_add_digest(EVP_sha384());
+	EVP_add_digest(EVP_sha512());
+#endif
+ #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
+ 	EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
+ 	EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
+@@ -148,6 +156,14 @@ int SSL_library_init(void)
+ 	EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
+ 	EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
+ #endif
+#ifndef OPENSSL_NO_SHA256
+	EVP_add_digest(EVP_sha224());
+	EVP_add_digest(EVP_sha256());
+#endif
+#ifndef OPENSSL_NO_SHA512
+	EVP_add_digest(EVP_sha384());
+	EVP_add_digest(EVP_sha512());
+#endif
+ #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
+ 	EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
+ 	EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
--- a/openssl-1.0.0-name-hash.patch
+++ b/openssl-1.0.0-name-hash.patch
@ -0,0 +1,22 @@
+diff -up openssl-1.0.0/crypto/x509/x509_cmp.c.name-hash openssl-1.0.0/crypto/x509/x509_cmp.c
+--- openssl-1.0.0/crypto/x509/x509_cmp.c.name-hash	2010-01-12 18:27:10.000000000 +0100
+++ openssl-1.0.0/crypto/x509/x509_cmp.c	2010-04-06 16:44:52.000000000 +0200
+@@ -236,10 +236,17 @@ unsigned long X509_NAME_hash_old(X509_NA
+ 	{
+ 	unsigned long ret=0;
+ 	unsigned char md[16];
+	EVP_MD_CTX ctx; 
+ 
+ 	/* Make sure X509_NAME structure contains valid cached encoding */
+ 	i2d_X509_NAME(x,NULL);
+-	EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
+
+	EVP_MD_CTX_init(&ctx);
+	EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_ONESHOT | EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+        EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)
+		&& EVP_DigestUpdate(&ctx, x->bytes->data, x->bytes->length)
+		&& EVP_DigestFinal_ex(&ctx, md, NULL);
+	EVP_MD_CTX_cleanup(&ctx);
+ 
+ 	ret=(	((unsigned long)md[0]     )|((unsigned long)md[1]<<8L)|
+ 		((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
--- a/openssl-1.0.0-timezone.patch
+++ b/openssl-1.0.0-timezone.patch
@ -0,0 +1,21 @@
+diff -up openssl-1.0.0/Makefile.org.timezone openssl-1.0.0/Makefile.org
+--- openssl-1.0.0/Makefile.org.timezone	2010-03-30 11:08:40.000000000 +0200
+++ openssl-1.0.0/Makefile.org	2010-04-06 12:49:21.000000000 +0200
+@@ -609,7 +609,7 @@ install_docs:
+ 		sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
+ 		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
+ 		(cd `$(PERL) util/dirname.pl $$i`; \
+-		sh -c "$$pod2man \
+		sh -c "TZ=UTC $$pod2man \
+ 			--section=$$sec --center=OpenSSL \
+ 			--release=$(VERSION) `basename $$i`") \
+ 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
+@@ -626,7 +626,7 @@ install_docs:
+ 		sec=`$(PERL) util/extract-section.pl 3 < $$i`; \
+ 		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
+ 		(cd `$(PERL) util/dirname.pl $$i`; \
+-		sh -c "$$pod2man \
+		sh -c "TZ=UTC $$pod2man \
+ 			--section=$$sec --center=OpenSSL \
+ 			--release=$(VERSION) `basename $$i`") \
+ 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
--- a/openssl.spec
+++ b/openssl.spec
@ -21,7 +21,7 @@
 Summary: A general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.0
-Release: 1%{?dist}
+Release: 4%{?dist}
 # We remove certain patented algorithms from the openssl source tarball
 # with the hobble-openssl script which is included below.
 Source: openssl-%{version}-usa.tar.bz2
@ -39,6 +39,7 @@ Patch3: openssl-1.0.0-beta3-soversion.patch
 Patch4: openssl-1.0.0-beta5-enginesdir.patch
 Patch5: openssl-0.9.8a-no-rpath.patch
 Patch6: openssl-0.9.8b-test-use-localhost.patch
+Patch7: openssl-1.0.0-timezone.patch
 # Bug fixes
 Patch23: openssl-1.0.0-beta4-default-paths.patch
 Patch24: openssl-0.9.8j-bad-mime.patch
@ -59,7 +60,10 @@ Patch49: openssl-1.0.0-beta4-algo-doc.patch
 Patch50: openssl-1.0.0-beta4-dtls1-abi.patch
 Patch51: openssl-1.0.0-version.patch
 Patch52: openssl-1.0.0-beta4-aesni.patch
+Patch53: openssl-1.0.0-name-hash.patch
 # Backported fixes including security fixes
+Patch60: openssl-1.0.0-dtls1-backports.patch
+Patch61: openssl-1.0.0-init-sha256.patch

 License: OpenSSL
 Group: System Environment/Libraries
@ -118,6 +122,7 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch4 -p1 -b .enginesdir
 %patch5 -p1 -b .no-rpath
 %patch6 -p1 -b .use-localhost
+%patch7 -p1 -b .timezone

 %patch23 -p1 -b .default-paths
 %patch24 -p1 -b .bad-mime
@ -138,7 +143,10 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch50 -p1 -b .dtls1-abi
 %patch51 -p1 -b .version
 %patch52 -p1 -b .aesni
+%patch53 -p1 -b .name-hash

+%patch60 -p1 -b .dtls1
+%patch61 -p1 -b .sha256
 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`

@ -281,8 +289,11 @@ pushd  $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc
 mv CA.sh CA
 popd

-mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA
+mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA
 mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private
+mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs
+mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl
+mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts

 # Ensure the openssl.cnf timestamp is identical across builds to avoid
 # mulitlib conflicts and unnecessary renames on upgrade
@ -345,6 +356,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %{_sysconfdir}/pki/tls/misc/CA
 %dir %{_sysconfdir}/pki/CA
 %dir %{_sysconfdir}/pki/CA/private
+%dir %{_sysconfdir}/pki/CA/certs
+%dir %{_sysconfdir}/pki/CA/crl
+%dir %{_sysconfdir}/pki/CA/newcerts
 %{_sysconfdir}/pki/tls/misc/c_*
 %{_sysconfdir}/pki/tls/private

@ -383,6 +397,18 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun -p /sbin/ldconfig

 %changelog
+* Tue May 18 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-4
+- make CA dir readable - the private keys are in private subdir (#584810)
+- do not move the libcrypto to /lib in the F12 package
+
+* Fri Apr  9 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-3
+- a few fixes from upstream CVS
+- move libcrypto to /lib (#559953)
+
+* Tue Apr  6 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-2
+- set UTC timezone on pod2man run (#578842)
+- make X509_NAME_hash_old work in FIPS mode
+
 * Tue Mar 30 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-1
 - update to final 1.0.0 upstream release