parent
7325c65a3e
commit
3bdf494b4f
53
openssl-1.0.0-dtls1-backports.patch
Normal file
53
openssl-1.0.0-dtls1-backports.patch
Normal file
@ -0,0 +1,53 @@
|
|||||||
|
diff -up openssl-1.0.0/ssl/d1_lib.c.dtls1 openssl-1.0.0/ssl/d1_lib.c
|
||||||
|
--- openssl-1.0.0/ssl/d1_lib.c.dtls1 2009-12-08 12:38:17.000000000 +0100
|
||||||
|
+++ openssl-1.0.0/ssl/d1_lib.c 2010-04-09 16:29:49.000000000 +0200
|
||||||
|
@@ -283,6 +283,16 @@ struct timeval* dtls1_get_timeout(SSL *s
|
||||||
|
timeleft->tv_usec += 1000000;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* If remaining time is less than 15 ms, set it to 0
|
||||||
|
+ * to prevent issues because of small devergences with
|
||||||
|
+ * socket timeouts.
|
||||||
|
+ */
|
||||||
|
+ if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000)
|
||||||
|
+ {
|
||||||
|
+ memset(timeleft, 0, sizeof(struct timeval));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+
|
||||||
|
return timeleft;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff -up openssl-1.0.0/ssl/d1_pkt.c.dtls1 openssl-1.0.0/ssl/d1_pkt.c
|
||||||
|
--- openssl-1.0.0/ssl/d1_pkt.c.dtls1 2009-10-04 18:52:35.000000000 +0200
|
||||||
|
+++ openssl-1.0.0/ssl/d1_pkt.c 2010-04-09 16:30:49.000000000 +0200
|
||||||
|
@@ -667,14 +667,14 @@ again:
|
||||||
|
if (rr->length == 0) goto again;
|
||||||
|
|
||||||
|
/* If this record is from the next epoch (either HM or ALERT),
|
||||||
|
- * buffer it since it cannot be processed at this time. Records
|
||||||
|
- * from the next epoch are marked as received even though they
|
||||||
|
- * are not processed, so as to prevent any potential resource
|
||||||
|
- * DoS attack */
|
||||||
|
+ * and a handshake is currently in progress, buffer it since it
|
||||||
|
+ * cannot be processed at this time. */
|
||||||
|
if (is_next_epoch)
|
||||||
|
{
|
||||||
|
- dtls1_record_bitmap_update(s, bitmap);
|
||||||
|
- dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
|
||||||
|
+ if (SSL_in_init(s) || s->in_handshake)
|
||||||
|
+ {
|
||||||
|
+ dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
|
||||||
|
+ }
|
||||||
|
rr->length = 0;
|
||||||
|
s->packet_length = 0;
|
||||||
|
goto again;
|
||||||
|
@@ -809,7 +809,7 @@ start:
|
||||||
|
* buffer the application data for later processing rather
|
||||||
|
* than dropping the connection.
|
||||||
|
*/
|
||||||
|
- dtls1_buffer_record(s, &(s->d1->buffered_app_data), 0);
|
||||||
|
+ dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num);
|
||||||
|
rr->length = 0;
|
||||||
|
goto start;
|
||||||
|
}
|
79
openssl-1.0.0-init-sha256.patch
Normal file
79
openssl-1.0.0-init-sha256.patch
Normal file
@ -0,0 +1,79 @@
|
|||||||
|
diff -up openssl-1.0.0/doc/ssl/SSL_library_init.pod.sha256 openssl-1.0.0/doc/ssl/SSL_library_init.pod
|
||||||
|
--- openssl-1.0.0/doc/ssl/SSL_library_init.pod.sha256 2006-03-12 01:37:55.000000000 +0100
|
||||||
|
+++ openssl-1.0.0/doc/ssl/SSL_library_init.pod 2010-04-09 16:33:11.000000000 +0200
|
||||||
|
@@ -15,7 +15,7 @@ SSL_library_init, OpenSSL_add_ssl_algori
|
||||||
|
|
||||||
|
=head1 DESCRIPTION
|
||||||
|
|
||||||
|
-SSL_library_init() registers the available ciphers and digests.
|
||||||
|
+SSL_library_init() registers the available SSL/TLS ciphers and digests.
|
||||||
|
|
||||||
|
OpenSSL_add_ssl_algorithms() and SSLeay_add_ssl_algorithms() are synonyms
|
||||||
|
for SSL_library_init().
|
||||||
|
@@ -27,24 +27,28 @@ SSL_library_init() is not reentrant.
|
||||||
|
|
||||||
|
=head1 WARNING
|
||||||
|
|
||||||
|
-SSL_library_init() only registers ciphers. Another important initialization
|
||||||
|
-is the seeding of the PRNG (Pseudo Random Number Generator), which has to
|
||||||
|
-be performed separately.
|
||||||
|
+SSL_library_init() adds ciphers and digests used directly and indirectly by
|
||||||
|
+SSL/TLS.
|
||||||
|
|
||||||
|
=head1 EXAMPLES
|
||||||
|
|
||||||
|
A typical TLS/SSL application will start with the library initialization,
|
||||||
|
-will provide readable error messages and will seed the PRNG.
|
||||||
|
+and provide readable error messages.
|
||||||
|
|
||||||
|
SSL_load_error_strings(); /* readable error messages */
|
||||||
|
SSL_library_init(); /* initialize library */
|
||||||
|
- actions_to_seed_PRNG();
|
||||||
|
|
||||||
|
=head1 RETURN VALUES
|
||||||
|
|
||||||
|
SSL_library_init() always returns "1", so it is safe to discard the return
|
||||||
|
value.
|
||||||
|
|
||||||
|
+=head1 NOTES
|
||||||
|
+
|
||||||
|
+OpenSSL 0.9.8o and 1.0.0a and later added SHA2 algorithms to SSL_library_init().
|
||||||
|
+Applications which need to use SHA2 in earlier versions of OpenSSL should call
|
||||||
|
+OpenSSL_add_all_algorithms() as well.
|
||||||
|
+
|
||||||
|
=head1 SEE ALSO
|
||||||
|
|
||||||
|
L<ssl(3)|ssl(3)>, L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>,
|
||||||
|
diff -up openssl-1.0.0/ssl/ssl_algs.c.sha256 openssl-1.0.0/ssl/ssl_algs.c
|
||||||
|
--- openssl-1.0.0/ssl/ssl_algs.c.sha256 2010-04-06 12:52:38.000000000 +0200
|
||||||
|
+++ openssl-1.0.0/ssl/ssl_algs.c 2010-04-09 16:34:41.000000000 +0200
|
||||||
|
@@ -111,6 +111,14 @@ int SSL_library_init(void)
|
||||||
|
EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
|
||||||
|
EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
|
||||||
|
#endif
|
||||||
|
+#ifndef OPENSSL_NO_SHA256
|
||||||
|
+ EVP_add_digest(EVP_sha224());
|
||||||
|
+ EVP_add_digest(EVP_sha256());
|
||||||
|
+#endif
|
||||||
|
+#ifndef OPENSSL_NO_SHA512
|
||||||
|
+ EVP_add_digest(EVP_sha384());
|
||||||
|
+ EVP_add_digest(EVP_sha512());
|
||||||
|
+#endif
|
||||||
|
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
|
||||||
|
EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
|
||||||
|
EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
|
||||||
|
@@ -148,6 +156,14 @@ int SSL_library_init(void)
|
||||||
|
EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
|
||||||
|
EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
|
||||||
|
#endif
|
||||||
|
+#ifndef OPENSSL_NO_SHA256
|
||||||
|
+ EVP_add_digest(EVP_sha224());
|
||||||
|
+ EVP_add_digest(EVP_sha256());
|
||||||
|
+#endif
|
||||||
|
+#ifndef OPENSSL_NO_SHA512
|
||||||
|
+ EVP_add_digest(EVP_sha384());
|
||||||
|
+ EVP_add_digest(EVP_sha512());
|
||||||
|
+#endif
|
||||||
|
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
|
||||||
|
EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
|
||||||
|
EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
|
30
openssl.spec
30
openssl.spec
@ -21,7 +21,7 @@
|
|||||||
Summary: A general purpose cryptography library with TLS implementation
|
Summary: A general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 1.0.0
|
Version: 1.0.0
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
# We remove certain patented algorithms from the openssl source tarball
|
# We remove certain patented algorithms from the openssl source tarball
|
||||||
# with the hobble-openssl script which is included below.
|
# with the hobble-openssl script which is included below.
|
||||||
Source: openssl-%{version}-usa.tar.bz2
|
Source: openssl-%{version}-usa.tar.bz2
|
||||||
@ -62,6 +62,8 @@ Patch51: openssl-1.0.0-version.patch
|
|||||||
Patch52: openssl-1.0.0-beta4-aesni.patch
|
Patch52: openssl-1.0.0-beta4-aesni.patch
|
||||||
Patch53: openssl-1.0.0-name-hash.patch
|
Patch53: openssl-1.0.0-name-hash.patch
|
||||||
# Backported fixes including security fixes
|
# Backported fixes including security fixes
|
||||||
|
Patch60: openssl-1.0.0-dtls1-backports.patch
|
||||||
|
Patch61: openssl-1.0.0-init-sha256.patch
|
||||||
|
|
||||||
License: OpenSSL
|
License: OpenSSL
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
@ -143,6 +145,8 @@ from other formats to the formats used by the OpenSSL toolkit.
|
|||||||
%patch52 -p1 -b .aesni
|
%patch52 -p1 -b .aesni
|
||||||
%patch53 -p1 -b .name-hash
|
%patch53 -p1 -b .name-hash
|
||||||
|
|
||||||
|
%patch60 -p1 -b .dtls1
|
||||||
|
%patch61 -p1 -b .sha256
|
||||||
# Modify the various perl scripts to reference perl in the right location.
|
# Modify the various perl scripts to reference perl in the right location.
|
||||||
perl util/perlpath.pl `dirname %{__perl}`
|
perl util/perlpath.pl `dirname %{__perl}`
|
||||||
|
|
||||||
@ -228,8 +232,8 @@ make -C test apps tests
|
|||||||
%{?__debug_package:%{__debug_install_post}} \
|
%{?__debug_package:%{__debug_install_post}} \
|
||||||
%{__arch_install_post} \
|
%{__arch_install_post} \
|
||||||
%{__os_install_post} \
|
%{__os_install_post} \
|
||||||
crypto/fips/fips_standalone_sha1 $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{version}.hmac \
|
crypto/fips/fips_standalone_sha1 $RPM_BUILD_ROOT/%{_lib}/libcrypto.so.%{version} >$RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{version}.hmac \
|
||||||
ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{soversion}.hmac \
|
ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{soversion}.hmac \
|
||||||
crypto/fips/fips_standalone_sha1 $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \
|
crypto/fips/fips_standalone_sha1 $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \
|
||||||
ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{soversion}.hmac \
|
ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{soversion}.hmac \
|
||||||
%{nil}
|
%{nil}
|
||||||
@ -244,11 +248,17 @@ mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT%{_libdir}/openssl
|
|||||||
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man/* $RPM_BUILD_ROOT%{_mandir}/
|
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man/* $RPM_BUILD_ROOT%{_mandir}/
|
||||||
rmdir $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man
|
rmdir $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man
|
||||||
rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
|
rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
|
||||||
|
mkdir $RPM_BUILD_ROOT/%{_lib}
|
||||||
|
mv $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version} $RPM_BUILD_ROOT/%{_lib}
|
||||||
for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
|
for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
|
||||||
chmod 755 ${lib}
|
chmod 755 ${lib}
|
||||||
ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`
|
ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`
|
||||||
ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
|
ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
|
||||||
|
done
|
||||||
|
for lib in $RPM_BUILD_ROOT/%{_lib}/*.so.%{version} ; do
|
||||||
|
chmod 755 ${lib}
|
||||||
|
ln -s -f ../../%{_lib}/`basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`
|
||||||
|
ln -s -f `basename ${lib}` $RPM_BUILD_ROOT/%{_lib}/`basename ${lib} .%{version}`.%{soversion}
|
||||||
done
|
done
|
||||||
|
|
||||||
# Install a makefile for generating keys and self-signed certs, and a script
|
# Install a makefile for generating keys and self-signed certs, and a script
|
||||||
@ -355,9 +365,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||||||
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
|
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
|
||||||
|
|
||||||
%attr(0755,root,root) %{_bindir}/openssl
|
%attr(0755,root,root) %{_bindir}/openssl
|
||||||
%attr(0755,root,root) %{_libdir}/*.so.%{version}
|
%attr(0755,root,root) /%{_lib}/libcrypto.so.%{version}
|
||||||
%attr(0755,root,root) %{_libdir}/*.so.%{soversion}
|
%attr(0755,root,root) /%{_lib}/libcrypto.so.%{soversion}
|
||||||
%attr(0644,root,root) %{_libdir}/.libcrypto.so.*.hmac
|
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
|
||||||
|
%attr(0755,root,root) %{_libdir}/libssl.so.%{soversion}
|
||||||
|
%attr(0644,root,root) /%{_lib}/.libcrypto.so.*.hmac
|
||||||
%attr(0644,root,root) %{_libdir}/.libssl.so.*.hmac
|
%attr(0644,root,root) %{_libdir}/.libssl.so.*.hmac
|
||||||
%attr(0755,root,root) %{_libdir}/openssl
|
%attr(0755,root,root) %{_libdir}/openssl
|
||||||
%attr(0644,root,root) %{_mandir}/man1*/[ABD-Zabcd-z]*
|
%attr(0644,root,root) %{_mandir}/man1*/[ABD-Zabcd-z]*
|
||||||
@ -387,6 +399,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||||||
%postun -p /sbin/ldconfig
|
%postun -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Apr 9 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-3
|
||||||
|
- a few fixes from upstream CVS
|
||||||
|
- move libcrypto to /lib (#559953)
|
||||||
|
|
||||||
* Tue Apr 6 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-2
|
* Tue Apr 6 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-2
|
||||||
- set UTC timezone on pod2man run (#578842)
|
- set UTC timezone on pod2man run (#578842)
|
||||||
- make X509_NAME_hash_old work in FIPS mode
|
- make X509_NAME_hash_old work in FIPS mode
|
||||||
|
Loading…
Reference in New Issue
Block a user