update to the latest 1.1.1 beta version
This commit is contained in:
parent
1186311ade
commit
62ec0f1fa9
1
.gitignore
vendored
1
.gitignore
vendored
@ -39,3 +39,4 @@ openssl-1.0.0a-usa.tar.bz2
|
||||
/openssl-1.1.0g-hobbled.tar.xz
|
||||
/openssl-1.1.0h-hobbled.tar.xz
|
||||
/openssl-1.1.1-pre8-hobbled.tar.xz
|
||||
/openssl-1.1.1-pre9-hobbled.tar.xz
|
||||
|
@ -349,7 +349,7 @@ static EC_GROUP *ec_group_new_from_data(const ec_list_element curve)
|
||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) {
|
||||
if (!EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) {
|
||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
|
69
ectest.c
69
ectest.c
@ -31,6 +31,7 @@ static int group_order_tests(EC_GROUP *group)
|
||||
{
|
||||
BIGNUM *n1 = NULL, *n2 = NULL, *order = NULL;
|
||||
EC_POINT *P = NULL, *Q = NULL, *R = NULL, *S = NULL;
|
||||
const EC_POINT *G = NULL;
|
||||
BN_CTX *ctx = NULL;
|
||||
int i = 0, r = 0;
|
||||
|
||||
@ -38,6 +39,7 @@ static int group_order_tests(EC_GROUP *group)
|
||||
|| !TEST_ptr(n2 = BN_new())
|
||||
|| !TEST_ptr(order = BN_new())
|
||||
|| !TEST_ptr(ctx = BN_CTX_new())
|
||||
|| !TEST_ptr(G = EC_GROUP_get0_generator(group))
|
||||
|| !TEST_ptr(P = EC_POINT_new(group))
|
||||
|| !TEST_ptr(Q = EC_POINT_new(group))
|
||||
|| !TEST_ptr(R = EC_POINT_new(group))
|
||||
@ -49,7 +51,15 @@ static int group_order_tests(EC_GROUP *group)
|
||||
|| !TEST_true(EC_POINT_is_at_infinity(group, Q))
|
||||
|| !TEST_true(EC_GROUP_precompute_mult(group, ctx))
|
||||
|| !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
|
||||
|| !TEST_true(EC_POINT_is_at_infinity(group, Q)))
|
||||
|| !TEST_true(EC_POINT_is_at_infinity(group, Q))
|
||||
|| !TEST_true(EC_POINT_copy(P, G))
|
||||
|| !TEST_true(BN_one(n1))
|
||||
|| !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx))
|
||||
|| !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
|
||||
|| !TEST_true(BN_sub(n1, order, n1))
|
||||
|| !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx))
|
||||
|| !TEST_true(EC_POINT_invert(group, Q, ctx))
|
||||
|| !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)))
|
||||
goto err;
|
||||
|
||||
for (i = 1; i <= 2; i++) {
|
||||
@ -62,6 +72,7 @@ static int group_order_tests(EC_GROUP *group)
|
||||
* EC_GROUP_precompute_mult has set up precomputation.
|
||||
*/
|
||||
|| !TEST_true(EC_POINT_mul(group, P, n1, NULL, NULL, ctx))
|
||||
|| (i == 1 && !TEST_int_eq(0, EC_POINT_cmp(group, P, G, ctx)))
|
||||
|| !TEST_true(BN_one(n1))
|
||||
/* n1 = 1 - order */
|
||||
|| !TEST_true(BN_sub(n1, n1, order))
|
||||
@ -181,16 +192,15 @@ static int prime_field_tests(void)
|
||||
"FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE"))
|
||||
|| !TEST_true(BN_hex2bn(&b, "B4050A850C04B3ABF5413256"
|
||||
"5044B0B7D7BFD8BA270B39432355FFB4"))
|
||||
|| !TEST_true(EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
|
||||
|| !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
|
||||
|| !TEST_true(BN_hex2bn(&x, "B70E0CBD6BB4BF7F321390B9"
|
||||
"4A03C1D356C21122343280D6115C1D21"))
|
||||
|| !TEST_true(EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0,
|
||||
ctx))
|
||||
|| !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx))
|
||||
|| !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
|
||||
|| !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFF"
|
||||
"FFFF16A2E0B8F03E13DD29455C5C2A3D"))
|
||||
|| !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
|
||||
|| !TEST_true(EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)))
|
||||
|| !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
|
||||
goto err;
|
||||
|
||||
TEST_info("NIST curve P-224 -- Generator");
|
||||
@ -205,8 +215,8 @@ static int prime_field_tests(void)
|
||||
* When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
|
||||
* and therefore setting the coordinates should fail.
|
||||
*/
|
||||
|| !TEST_false(EC_POINT_set_affine_coordinates_GFp(group, P, x,
|
||||
yplusone, ctx))
|
||||
|| !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
|
||||
ctx))
|
||||
|| !TEST_int_eq(EC_GROUP_get_degree(group), 224)
|
||||
|| !group_order_tests(group)
|
||||
|| !TEST_ptr(P_224 = EC_GROUP_new(EC_GROUP_method_of(group)))
|
||||
@ -221,17 +231,16 @@ static int prime_field_tests(void)
|
||||
"00000000FFFFFFFFFFFFFFFFFFFFFFFC"))
|
||||
|| !TEST_true(BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC"
|
||||
"651D06B0CC53B0F63BCE3C3E27D2604B"))
|
||||
|| !TEST_true(EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
|
||||
|| !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
|
||||
|
||||
|| !TEST_true(BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F2"
|
||||
"77037D812DEB33A0F4A13945D898C296"))
|
||||
|| !TEST_true(EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1,
|
||||
ctx))
|
||||
|| !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
|
||||
|| !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
|
||||
|| !TEST_true(BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFF"
|
||||
"BCE6FAADA7179E84F3B9CAC2FC632551"))
|
||||
|| !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
|
||||
|| !TEST_true(EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)))
|
||||
|| !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
|
||||
goto err;
|
||||
|
||||
TEST_info("NIST curve P-256 -- Generator");
|
||||
@ -246,8 +255,8 @@ static int prime_field_tests(void)
|
||||
* When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
|
||||
* and therefore setting the coordinates should fail.
|
||||
*/
|
||||
|| !TEST_false(EC_POINT_set_affine_coordinates_GFp(group, P, x,
|
||||
yplusone, ctx))
|
||||
|| !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
|
||||
ctx))
|
||||
|| !TEST_int_eq(EC_GROUP_get_degree(group), 256)
|
||||
|| !group_order_tests(group)
|
||||
|| !TEST_ptr(P_256 = EC_GROUP_new(EC_GROUP_method_of(group)))
|
||||
@ -265,19 +274,18 @@ static int prime_field_tests(void)
|
||||
|| !TEST_true(BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19"
|
||||
"181D9C6EFE8141120314088F5013875A"
|
||||
"C656398D8A2ED19D2A85C8EDD3EC2AEF"))
|
||||
|| !TEST_true(EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
|
||||
|| !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
|
||||
|
||||
|| !TEST_true(BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD74"
|
||||
"6E1D3B628BA79B9859F741E082542A38"
|
||||
"5502F25DBF55296C3A545E3872760AB7"))
|
||||
|| !TEST_true(EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1,
|
||||
ctx))
|
||||
|| !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
|
||||
|| !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
|
||||
|| !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
||||
"FFFFFFFFFFFFFFFFC7634D81F4372DDF"
|
||||
"581A0DB248B0A77AECEC196ACCC52973"))
|
||||
|| !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
|
||||
|| !TEST_true(EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)))
|
||||
|| !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
|
||||
goto err;
|
||||
|
||||
TEST_info("NIST curve P-384 -- Generator");
|
||||
@ -293,8 +301,8 @@ static int prime_field_tests(void)
|
||||
* When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
|
||||
* and therefore setting the coordinates should fail.
|
||||
*/
|
||||
|| !TEST_false(EC_POINT_set_affine_coordinates_GFp(group, P, x,
|
||||
yplusone, ctx))
|
||||
|| !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
|
||||
ctx))
|
||||
|| !TEST_int_eq(EC_GROUP_get_degree(group), 384)
|
||||
|| !group_order_tests(group)
|
||||
|| !TEST_ptr(P_384 = EC_GROUP_new(EC_GROUP_method_of(group)))
|
||||
@ -317,14 +325,13 @@ static int prime_field_tests(void)
|
||||
"A2DA725B99B315F3B8B489918EF109E1"
|
||||
"56193951EC7E937B1652C0BD3BB1BF07"
|
||||
"3573DF883D2C34F1EF451FD46B503F00"))
|
||||
|| !TEST_true(EC_GROUP_set_curve_GFp(group, p, a, b, ctx))
|
||||
|| !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
|
||||
|| !TEST_true(BN_hex2bn(&x, "C6"
|
||||
"858E06B70404E9CD9E3ECB662395B442"
|
||||
"9C648139053FB521F828AF606B4D3DBA"
|
||||
"A14B5E77EFE75928FE1DC127A2FFA8DE"
|
||||
"3348B3C1856A429BF97E7E31C2E5BD66"))
|
||||
|| !TEST_true(EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0,
|
||||
ctx))
|
||||
|| !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx))
|
||||
|| !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
|
||||
|| !TEST_true(BN_hex2bn(&z, "1FF"
|
||||
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
|
||||
@ -332,7 +339,7 @@ static int prime_field_tests(void)
|
||||
"51868783BF2F966B7FCC0148F709A5D0"
|
||||
"3BB5C9B8899C47AEBB6FB71E91386409"))
|
||||
|| !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
|
||||
|| !TEST_true(EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)))
|
||||
|| !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
|
||||
goto err;
|
||||
|
||||
TEST_info("NIST curve P-521 -- Generator");
|
||||
@ -350,8 +357,8 @@ static int prime_field_tests(void)
|
||||
* When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
|
||||
* and therefore setting the coordinates should fail.
|
||||
*/
|
||||
|| !TEST_false(EC_POINT_set_affine_coordinates_GFp(group, P, x,
|
||||
yplusone, ctx))
|
||||
|| !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
|
||||
ctx))
|
||||
|| !TEST_int_eq(EC_GROUP_get_degree(group), 521)
|
||||
|| !group_order_tests(group)
|
||||
|| !TEST_ptr(P_521 = EC_GROUP_new(EC_GROUP_method_of(group)))
|
||||
@ -360,7 +367,7 @@ static int prime_field_tests(void)
|
||||
/* more tests using the last curve */
|
||||
|
||||
/* Restore the point that got mangled in the (x, y + 1) test. */
|
||||
|| !TEST_true(EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx))
|
||||
|| !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
|
||||
|| !TEST_true(EC_POINT_copy(Q, P))
|
||||
|| !TEST_false(EC_POINT_is_at_infinity(group, Q))
|
||||
|| !TEST_true(EC_POINT_dbl(group, P, P, ctx))
|
||||
@ -483,7 +490,7 @@ static int internal_curve_test_method(int n)
|
||||
* implementations of several NIST curves with characteristic > 3.
|
||||
*/
|
||||
struct nistp_test_params {
|
||||
const EC_METHOD *(*meth) ();
|
||||
const EC_METHOD *(*meth) (void);
|
||||
int degree;
|
||||
/*
|
||||
* Qx, Qy and D are taken from
|
||||
@ -611,7 +618,7 @@ static int nistp_single_test(int idx)
|
||||
|| !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
|
||||
|| !TEST_true(BN_hex2bn(&a, test->a))
|
||||
|| !TEST_true(BN_hex2bn(&b, test->b))
|
||||
|| !TEST_true(EC_GROUP_set_curve_GFp(NISTP, p, a, b, ctx))
|
||||
|| !TEST_true(EC_GROUP_set_curve(NISTP, p, a, b, ctx))
|
||||
|| !TEST_ptr(G = EC_POINT_new(NISTP))
|
||||
|| !TEST_ptr(P = EC_POINT_new(NISTP))
|
||||
|| !TEST_ptr(Q = EC_POINT_new(NISTP))
|
||||
@ -623,13 +630,13 @@ static int nistp_single_test(int idx)
|
||||
* When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
|
||||
* and therefore setting the coordinates should fail.
|
||||
*/
|
||||
|| !TEST_false(EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x,
|
||||
|| !TEST_false(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x,
|
||||
yplusone, ctx))
|
||||
|| !TEST_true(EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, y,
|
||||
|| !TEST_true(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x, y,
|
||||
ctx))
|
||||
|| !TEST_true(BN_hex2bn(&x, test->Gx))
|
||||
|| !TEST_true(BN_hex2bn(&y, test->Gy))
|
||||
|| !TEST_true(EC_POINT_set_affine_coordinates_GFp(NISTP, G, x, y, ctx))
|
||||
|| !TEST_true(EC_POINT_set_affine_coordinates(NISTP, G, x, y, ctx))
|
||||
|| !TEST_true(BN_hex2bn(&order, test->order))
|
||||
|| !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one()))
|
||||
|| !TEST_int_eq(EC_GROUP_get_degree(NISTP), test->degree))
|
||||
|
@ -1,357 +0,0 @@
|
||||
diff -up openssl-1.1.1-pre8/crypto/err/openssl.txt.bidi-shutdown openssl-1.1.1-pre8/crypto/err/openssl.txt
|
||||
--- openssl-1.1.1-pre8/crypto/err/openssl.txt.bidi-shutdown 2018-06-20 16:48:10.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/crypto/err/openssl.txt 2018-08-13 15:43:07.248438031 +0200
|
||||
@@ -2541,6 +2541,8 @@ SM2_R_INVALID_ENCODING:104:invalid encod
|
||||
SM2_R_INVALID_FIELD:105:invalid field
|
||||
SM2_R_NO_PARAMETERS_SET:109:no parameters set
|
||||
SM2_R_USER_ID_TOO_LARGE:106:user id too large
|
||||
+SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY:291:\
|
||||
+ application data after close notify
|
||||
SSL_R_APP_DATA_IN_HANDSHAKE:100:app data in handshake
|
||||
SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT:272:\
|
||||
attempt to reuse session in different context
|
||||
diff -up openssl-1.1.1-pre8/include/openssl/sslerr.h.bidi-shutdown openssl-1.1.1-pre8/include/openssl/sslerr.h
|
||||
--- openssl-1.1.1-pre8/include/openssl/sslerr.h.bidi-shutdown 2018-06-20 16:48:13.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/include/openssl/sslerr.h 2018-08-13 15:43:07.250438079 +0200
|
||||
@@ -446,6 +446,7 @@ int ERR_load_SSL_strings(void);
|
||||
/*
|
||||
* SSL reason codes.
|
||||
*/
|
||||
+# define SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY 291
|
||||
# define SSL_R_APP_DATA_IN_HANDSHAKE 100
|
||||
# define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272
|
||||
# define SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE 143
|
||||
diff -up openssl-1.1.1-pre8/ssl/record/rec_layer_s3.c.bidi-shutdown openssl-1.1.1-pre8/ssl/record/rec_layer_s3.c
|
||||
--- openssl-1.1.1-pre8/ssl/record/rec_layer_s3.c.bidi-shutdown 2018-06-20 16:48:13.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/ssl/record/rec_layer_s3.c 2018-08-13 15:43:07.250438079 +0200
|
||||
@@ -1457,40 +1457,6 @@ int ssl3_read_bytes(SSL *s, int type, in
|
||||
return -1;
|
||||
}
|
||||
|
||||
- /*
|
||||
- * In case of record types for which we have 'fragment' storage, fill
|
||||
- * that so that we can process the data at a fixed place.
|
||||
- */
|
||||
- {
|
||||
- size_t dest_maxlen = 0;
|
||||
- unsigned char *dest = NULL;
|
||||
- size_t *dest_len = NULL;
|
||||
-
|
||||
- if (SSL3_RECORD_get_type(rr) == SSL3_RT_HANDSHAKE) {
|
||||
- dest_maxlen = sizeof(s->rlayer.handshake_fragment);
|
||||
- dest = s->rlayer.handshake_fragment;
|
||||
- dest_len = &s->rlayer.handshake_fragment_len;
|
||||
- }
|
||||
-
|
||||
- if (dest_maxlen > 0) {
|
||||
- n = dest_maxlen - *dest_len; /* available space in 'dest' */
|
||||
- if (SSL3_RECORD_get_length(rr) < n)
|
||||
- n = SSL3_RECORD_get_length(rr); /* available bytes */
|
||||
-
|
||||
- /* now move 'n' bytes: */
|
||||
- memcpy(dest + *dest_len,
|
||||
- SSL3_RECORD_get_data(rr) + SSL3_RECORD_get_off(rr), n);
|
||||
- SSL3_RECORD_add_off(rr, n);
|
||||
- SSL3_RECORD_sub_length(rr, n);
|
||||
- *dest_len += n;
|
||||
- if (SSL3_RECORD_get_length(rr) == 0)
|
||||
- SSL3_RECORD_set_read(rr);
|
||||
-
|
||||
- if (*dest_len < dest_maxlen)
|
||||
- goto start; /* fragment was too small */
|
||||
- }
|
||||
- }
|
||||
-
|
||||
/*-
|
||||
* s->rlayer.handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE;
|
||||
* (Possibly rr is 'empty' now, i.e. rr->length may be 0.)
|
||||
@@ -1583,12 +1549,70 @@ int ssl3_read_bytes(SSL *s, int type, in
|
||||
return -1;
|
||||
}
|
||||
|
||||
- if (s->shutdown & SSL_SENT_SHUTDOWN) { /* but we have not received a
|
||||
- * shutdown */
|
||||
- s->rwstate = SSL_NOTHING;
|
||||
+ /*
|
||||
+ * If we've sent a close_notify but not yet received one back then ditch
|
||||
+ * anything we read.
|
||||
+ */
|
||||
+ if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0) {
|
||||
+ /*
|
||||
+ * In TLSv1.3 this could get problematic if we receive a KeyUpdate
|
||||
+ * message after we sent a close_notify because we're about to ditch it,
|
||||
+ * so we won't be able to read a close_notify sent afterwards! We don't
|
||||
+ * support that.
|
||||
+ */
|
||||
SSL3_RECORD_set_length(rr, 0);
|
||||
SSL3_RECORD_set_read(rr);
|
||||
- return 0;
|
||||
+
|
||||
+ if (SSL3_RECORD_get_type(rr) == SSL3_RT_HANDSHAKE) {
|
||||
+ BIO *rbio;
|
||||
+
|
||||
+ if ((s->mode & SSL_MODE_AUTO_RETRY) != 0)
|
||||
+ goto start;
|
||||
+
|
||||
+ s->rwstate = SSL_READING;
|
||||
+ rbio = SSL_get_rbio(s);
|
||||
+ BIO_clear_retry_flags(rbio);
|
||||
+ BIO_set_retry_read(rbio);
|
||||
+ } else {
|
||||
+ /*
|
||||
+ * The peer is continuing to send application data, but we have
|
||||
+ * already sent close_notify. If this was expected we should have
|
||||
+ * been called via SSL_read() and this would have been handled
|
||||
+ * above.
|
||||
+ * No alert sent because we already sent close_notify
|
||||
+ */
|
||||
+ SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_READ_BYTES,
|
||||
+ SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY);
|
||||
+ }
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * For handshake data we have 'fragment' storage, so fill that so that we
|
||||
+ * can process the header at a fixed place. This is done after the
|
||||
+ * "SHUTDOWN" code above to avoid filling the fragment storage with data
|
||||
+ * that we're just going to discard.
|
||||
+ */
|
||||
+ if (SSL3_RECORD_get_type(rr) == SSL3_RT_HANDSHAKE) {
|
||||
+ size_t dest_maxlen = sizeof(s->rlayer.handshake_fragment);
|
||||
+ unsigned char *dest = s->rlayer.handshake_fragment;
|
||||
+ size_t *dest_len = &s->rlayer.handshake_fragment_len;
|
||||
+
|
||||
+ n = dest_maxlen - *dest_len; /* available space in 'dest' */
|
||||
+ if (SSL3_RECORD_get_length(rr) < n)
|
||||
+ n = SSL3_RECORD_get_length(rr); /* available bytes */
|
||||
+
|
||||
+ /* now move 'n' bytes: */
|
||||
+ memcpy(dest + *dest_len,
|
||||
+ SSL3_RECORD_get_data(rr) + SSL3_RECORD_get_off(rr), n);
|
||||
+ SSL3_RECORD_add_off(rr, n);
|
||||
+ SSL3_RECORD_sub_length(rr, n);
|
||||
+ *dest_len += n;
|
||||
+ if (SSL3_RECORD_get_length(rr) == 0)
|
||||
+ SSL3_RECORD_set_read(rr);
|
||||
+
|
||||
+ if (*dest_len < dest_maxlen)
|
||||
+ goto start; /* fragment was too small */
|
||||
}
|
||||
|
||||
if (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC) {
|
||||
diff -up openssl-1.1.1-pre8/ssl/ssl_err.c.bidi-shutdown openssl-1.1.1-pre8/ssl/ssl_err.c
|
||||
--- openssl-1.1.1-pre8/ssl/ssl_err.c.bidi-shutdown 2018-06-20 16:48:13.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/ssl/ssl_err.c 2018-08-13 15:43:07.251438103 +0200
|
||||
@@ -720,6 +720,8 @@ static const ERR_STRING_DATA SSL_str_fun
|
||||
};
|
||||
|
||||
static const ERR_STRING_DATA SSL_str_reasons[] = {
|
||||
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY),
|
||||
+ "application data after close notify"},
|
||||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APP_DATA_IN_HANDSHAKE),
|
||||
"app data in handshake"},
|
||||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT),
|
||||
diff -up openssl-1.1.1-pre8/test/sslapitest.c.bidi-shutdown openssl-1.1.1-pre8/test/sslapitest.c
|
||||
--- openssl-1.1.1-pre8/test/sslapitest.c.bidi-shutdown 2018-06-20 16:48:15.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/test/sslapitest.c 2018-08-13 15:43:07.252438127 +0200
|
||||
@@ -4971,6 +4971,135 @@ static int test_ticket_callbacks(int tst
|
||||
return testresult;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Test bi-directional shutdown.
|
||||
+ * Test 0: TLSv1.2
|
||||
+ * Test 1: TLSv1.2, server continues to read/write after client shutdown
|
||||
+ * Test 2: TLSv1.3, no pending NewSessionTicket messages
|
||||
+ * Test 3: TLSv1.3, pending NewSessionTicket messages
|
||||
+ * Test 4: TLSv1.3, server continues to read/write after client shutdown, client
|
||||
+ * reads it
|
||||
+ * Test 5: TLSv1.3, server continues to read/write after client shutdown, client
|
||||
+ * doesn't read it
|
||||
+ */
|
||||
+static int test_shutdown(int tst)
|
||||
+{
|
||||
+ SSL_CTX *cctx = NULL, *sctx = NULL;
|
||||
+ SSL *clientssl = NULL, *serverssl = NULL;
|
||||
+ int testresult = 0;
|
||||
+ char msg[] = "A test message";
|
||||
+ char buf[80];
|
||||
+ size_t written, readbytes;
|
||||
+
|
||||
+#ifdef OPENSSL_NO_TLS1_2
|
||||
+ if (tst == 0)
|
||||
+ return 1;
|
||||
+#endif
|
||||
+#ifdef OPENSSL_NO_TLS1_3
|
||||
+ if (tst != 0)
|
||||
+ return 1;
|
||||
+#endif
|
||||
+
|
||||
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
|
||||
+ TLS_client_method(),
|
||||
+ TLS1_VERSION,
|
||||
+ (tst <= 1) ? TLS1_2_VERSION
|
||||
+ : TLS1_3_VERSION,
|
||||
+ &sctx, &cctx, cert, privkey))
|
||||
+ || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
|
||||
+ NULL, NULL)))
|
||||
+ goto end;
|
||||
+
|
||||
+ if (tst == 3) {
|
||||
+ if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
|
||||
+ SSL_ERROR_NONE)))
|
||||
+ goto end;
|
||||
+ } else if (!TEST_true(create_ssl_connection(serverssl, clientssl,
|
||||
+ SSL_ERROR_NONE))) {
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ if (!TEST_int_eq(SSL_shutdown(clientssl), 0))
|
||||
+ goto end;
|
||||
+
|
||||
+ if (tst >= 4) {
|
||||
+ /*
|
||||
+ * Reading on the server after the client has sent close_notify should
|
||||
+ * fail and provide SSL_ERROR_ZERO_RETURN
|
||||
+ */
|
||||
+ if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
|
||||
+ || !TEST_int_eq(SSL_get_error(serverssl, 0),
|
||||
+ SSL_ERROR_ZERO_RETURN)
|
||||
+ || !TEST_int_eq(SSL_get_shutdown(serverssl),
|
||||
+ SSL_RECEIVED_SHUTDOWN)
|
||||
+ /*
|
||||
+ * Even though we're shutdown on receive we should still be
|
||||
+ * able to write.
|
||||
+ */
|
||||
+ || !TEST_true(SSL_write(serverssl, msg, sizeof(msg)))
|
||||
+ || !TEST_int_eq(SSL_shutdown(serverssl), 1))
|
||||
+ goto end;
|
||||
+ if (tst == 4) {
|
||||
+ /* Should still be able to read data from server */
|
||||
+ if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf),
|
||||
+ &readbytes))
|
||||
+ || !TEST_size_t_eq(readbytes, sizeof(msg))
|
||||
+ || !TEST_int_eq(memcmp(msg, buf, readbytes), 0))
|
||||
+ goto end;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* Writing on the client after sending close_notify shouldn't be possible */
|
||||
+ if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))
|
||||
+ goto end;
|
||||
+
|
||||
+ if (tst < 4) {
|
||||
+ /*
|
||||
+ * For these tests the client has sent close_notify but it has not yet
|
||||
+ * been received by the server. The server has not sent close_notify
|
||||
+ * yet.
|
||||
+ */
|
||||
+ if (!TEST_int_eq(SSL_shutdown(serverssl), 0)
|
||||
+ /*
|
||||
+ * Writing on the server after sending close_notify shouldn't
|
||||
+ * be possible.
|
||||
+ */
|
||||
+ || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))
|
||||
+ || !TEST_int_eq(SSL_shutdown(clientssl), 1)
|
||||
+ || !TEST_int_eq(SSL_shutdown(serverssl), 1))
|
||||
+ goto end;
|
||||
+ } else if (tst == 4) {
|
||||
+ /*
|
||||
+ * In this test the client has sent close_notify and it has been
|
||||
+ * received by the server which has responded with a close_notify. The
|
||||
+ * client needs to read the close_notify sent by the server.
|
||||
+ */
|
||||
+ if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
|
||||
+ goto end;
|
||||
+ } else {
|
||||
+ /*
|
||||
+ * tst == 5
|
||||
+ *
|
||||
+ * The client has sent close_notify and is expecting a close_notify
|
||||
+ * back, but instead there is application data first. The shutdown
|
||||
+ * should fail with a fatal error.
|
||||
+ */
|
||||
+ if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
|
||||
+ || !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ testresult = 1;
|
||||
+
|
||||
+ end:
|
||||
+ SSL_free(serverssl);
|
||||
+ SSL_free(clientssl);
|
||||
+ SSL_CTX_free(sctx);
|
||||
+ SSL_CTX_free(cctx);
|
||||
+
|
||||
+ return testresult;
|
||||
+}
|
||||
+
|
||||
int setup_tests(void)
|
||||
{
|
||||
if (!TEST_ptr(cert = test_get_argument(0))
|
||||
@@ -5068,6 +5197,7 @@ int setup_tests(void)
|
||||
ADD_ALL_TESTS(test_ssl_pending, 2);
|
||||
ADD_ALL_TESTS(test_ssl_get_shared_ciphers, OSSL_NELEM(shared_ciphers_data));
|
||||
ADD_ALL_TESTS(test_ticket_callbacks, 12);
|
||||
+ ADD_ALL_TESTS(test_shutdown, 6);
|
||||
return 1;
|
||||
}
|
||||
|
||||
diff -up openssl-1.1.1-pre8/test/ssltestlib.c.bidi-shutdown openssl-1.1.1-pre8/test/ssltestlib.c
|
||||
--- openssl-1.1.1-pre8/test/ssltestlib.c.bidi-shutdown 2018-06-20 16:48:15.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/test/ssltestlib.c 2018-08-13 15:42:22.250355791 +0200
|
||||
@@ -680,12 +680,14 @@ int create_ssl_objects(SSL_CTX *serverct
|
||||
return 0;
|
||||
}
|
||||
|
||||
-int create_ssl_connection(SSL *serverssl, SSL *clientssl, int want)
|
||||
+/*
|
||||
+ * Create an SSL connection, but does not ready any post-handshake
|
||||
+ * NewSessionTicket messages.
|
||||
+ */
|
||||
+int create_bare_ssl_connection(SSL *serverssl, SSL *clientssl, int want)
|
||||
{
|
||||
- int retc = -1, rets = -1, err, abortctr = 0, i;
|
||||
+ int retc = -1, rets = -1, err, abortctr = 0;
|
||||
int clienterr = 0, servererr = 0;
|
||||
- unsigned char buf;
|
||||
- size_t readbytes;
|
||||
int isdtls = SSL_is_dtls(serverssl);
|
||||
|
||||
do {
|
||||
@@ -738,6 +740,22 @@ int create_ssl_connection(SSL *serverssl
|
||||
}
|
||||
} while (retc <=0 || rets <= 0);
|
||||
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Create an SSL connection including any post handshake NewSessionTicket
|
||||
+ * messages.
|
||||
+ */
|
||||
+int create_ssl_connection(SSL *serverssl, SSL *clientssl, int want)
|
||||
+{
|
||||
+ int i;
|
||||
+ unsigned char buf;
|
||||
+ size_t readbytes;
|
||||
+
|
||||
+ if (!create_bare_ssl_connection(serverssl, clientssl, want))
|
||||
+ return 0;
|
||||
+
|
||||
/*
|
||||
* We attempt to read some data on the client side which we expect to fail.
|
||||
* This will ensure we have received the NewSessionTicket in TLSv1.3 where
|
||||
diff -up openssl-1.1.1-pre8/test/ssltestlib.h.bidi-shutdown openssl-1.1.1-pre8/test/ssltestlib.h
|
||||
--- openssl-1.1.1-pre8/test/ssltestlib.h.bidi-shutdown 2018-07-26 12:03:48.143770413 +0200
|
||||
+++ openssl-1.1.1-pre8/test/ssltestlib.h 2018-08-13 15:42:22.250355791 +0200
|
||||
@@ -18,6 +18,7 @@ int create_ssl_ctx_pair(const SSL_METHOD
|
||||
char *privkeyfile);
|
||||
int create_ssl_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl,
|
||||
SSL **cssl, BIO *s_to_c_fbio, BIO *c_to_s_fbio);
|
||||
+int create_bare_ssl_connection(SSL *serverssl, SSL *clientssl, int want);
|
||||
int create_ssl_connection(SSL *serverssl, SSL *clientssl, int want);
|
||||
void shutdown_ssl_connection(SSL *serverssl, SSL *clientssl);
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,25 +1,7 @@
|
||||
diff -up openssl-1.1.1-pre2/doc/man1/openssl.pod.man-rename openssl-1.1.1-pre2/doc/man1/openssl.pod
|
||||
--- openssl-1.1.1-pre2/doc/man1/openssl.pod.man-rename 2018-02-27 14:40:43.000000000 +0100
|
||||
+++ openssl-1.1.1-pre2/doc/man1/openssl.pod 2018-03-06 15:32:44.737652939 +0100
|
||||
@@ -170,7 +170,7 @@ Create or examine a Netscape certificate
|
||||
|
||||
Online Certificate Status Protocol utility.
|
||||
|
||||
-=item L<B<passwd>|passwd(1)>
|
||||
+=item L<B<passwd>|sslpasswd(1)>
|
||||
|
||||
Generation of hashed passwords.
|
||||
|
||||
@@ -202,7 +202,7 @@ Public key algorithm cryptographic opera
|
||||
|
||||
Compute prime numbers.
|
||||
|
||||
-=item L<B<rand>|rand(1)>
|
||||
+=item L<B<rand>|sslrand(1)>
|
||||
|
||||
Generate pseudo-random bytes.
|
||||
|
||||
@@ -444,13 +444,13 @@ L<dhparam(1)>, L<dsa(1)>, L<dsaparam(1)>
|
||||
diff -up openssl-1.1.1-pre9/doc/man1/openssl.pod.man-rename openssl-1.1.1-pre9/doc/man1/openssl.pod
|
||||
--- openssl-1.1.1-pre9/doc/man1/openssl.pod.man-rename 2018-08-21 14:14:13.000000000 +0200
|
||||
+++ openssl-1.1.1-pre9/doc/man1/openssl.pod 2018-08-22 12:13:04.092568064 +0200
|
||||
@@ -482,13 +482,13 @@ L<dhparam(1)>, L<dsa(1)>, L<dsaparam(1)>
|
||||
L<ec(1)>, L<ecparam(1)>,
|
||||
L<enc(1)>, L<engine(1)>, L<errstr(1)>, L<gendsa(1)>, L<genpkey(1)>,
|
||||
L<genrsa(1)>, L<nseq(1)>, L<ocsp(1)>,
|
||||
|
14
openssl-1.1.1-seclevel-check.patch
Normal file
14
openssl-1.1.1-seclevel-check.patch
Normal file
@ -0,0 +1,14 @@
|
||||
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
|
||||
index df5cff79c9..e740a8c25d 100644
|
||||
--- a/ssl/ssl_cert.c
|
||||
+++ b/ssl/ssl_cert.c
|
||||
@@ -947,7 +947,8 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
|
||||
if (level >= 2 && c->algorithm_enc == SSL_RC4)
|
||||
return 0;
|
||||
/* Level 3: forward secure ciphersuites only */
|
||||
- if (level >= 3 && !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))
|
||||
+ if (level >= 3 && (c->min_tls != TLS1_3_VERSION ||
|
||||
+ !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))))
|
||||
return 0;
|
||||
break;
|
||||
}
|
@ -1,7 +1,7 @@
|
||||
diff -up openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl
|
||||
--- openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.system-cipherlist 2018-07-25 10:13:06.325232356 +0200
|
||||
+++ openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl 2018-07-25 10:18:27.067863251 +0200
|
||||
@@ -176,6 +176,10 @@ MANDIR=$(INSTALLTOP)/share/man
|
||||
diff -up openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl
|
||||
--- openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl.system-cipherlist 2018-08-22 12:15:54.520742678 +0200
|
||||
+++ openssl-1.1.1-pre9/Configurations/unix-Makefile.tmpl 2018-08-22 12:15:54.554743511 +0200
|
||||
@@ -180,6 +180,10 @@ MANDIR=$(INSTALLTOP)/share/man
|
||||
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
|
||||
HTMLDIR=$(DOCDIR)/html
|
||||
|
||||
@ -12,7 +12,7 @@ diff -up openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.system-cipherlist
|
||||
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
|
||||
# appended after the manpage file section number. "ssl" is popular,
|
||||
# resulting in files such as config.5ssl rather than config.5.
|
||||
@@ -199,6 +203,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
|
||||
@@ -203,6 +207,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
|
||||
CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
|
||||
CPPFLAGS={- our $cppflags1 = join(" ",
|
||||
(map { "-D".$_} @{$config{CPPDEFINES}}),
|
||||
@ -20,19 +20,19 @@ diff -up openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.system-cipherlist
|
||||
(map { "-I".$_} @{$config{CPPINCLUDES}}),
|
||||
@{$config{CPPFLAGS}}) -}
|
||||
CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
|
||||
diff -up openssl-1.1.1-pre8/Configure.system-cipherlist openssl-1.1.1-pre8/Configure
|
||||
--- openssl-1.1.1-pre8/Configure.system-cipherlist 2018-06-20 16:48:09.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/Configure 2018-07-25 10:13:06.346232856 +0200
|
||||
@@ -21,7 +21,7 @@ use OpenSSL::Glob;
|
||||
|
||||
# see INSTALL for instructions.
|
||||
diff -up openssl-1.1.1-pre9/Configure.system-cipherlist openssl-1.1.1-pre9/Configure
|
||||
--- openssl-1.1.1-pre9/Configure.system-cipherlist 2018-08-21 14:14:11.000000000 +0200
|
||||
+++ openssl-1.1.1-pre9/Configure 2018-08-22 12:16:46.600018343 +0200
|
||||
@@ -24,7 +24,7 @@ use OpenSSL::Glob;
|
||||
my $orig_death_handler = $SIG{__DIE__};
|
||||
$SIG{__DIE__} = \&death_handler;
|
||||
|
||||
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
||||
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
||||
|
||||
# Options:
|
||||
#
|
||||
@@ -38,6 +38,9 @@ my $usage="Usage: Configure [no-<cipher>
|
||||
@@ -41,6 +41,9 @@ my $usage="Usage: Configure [no-<cipher>
|
||||
# This becomes the value of OPENSSLDIR in Makefile and in C.
|
||||
# (Default: PREFIX/ssl)
|
||||
#
|
||||
@ -42,7 +42,7 @@ diff -up openssl-1.1.1-pre8/Configure.system-cipherlist openssl-1.1.1-pre8/Confi
|
||||
# --cross-compile-prefix Add specified prefix to binutils components.
|
||||
#
|
||||
# --api One of 0.9.8, 1.0.0 or 1.1.0. Do not compile support for
|
||||
@@ -291,6 +294,7 @@ $config{prefix}="";
|
||||
@@ -295,6 +298,7 @@ $config{prefix}="";
|
||||
$config{openssldir}="";
|
||||
$config{processor}="";
|
||||
$config{libdir}="";
|
||||
@ -50,7 +50,7 @@ diff -up openssl-1.1.1-pre8/Configure.system-cipherlist openssl-1.1.1-pre8/Confi
|
||||
my $auto_threads=1; # enable threads automatically? true by default
|
||||
my $default_ranlib;
|
||||
|
||||
@@ -814,6 +818,10 @@ while (@argvcopy)
|
||||
@@ -817,6 +821,10 @@ while (@argvcopy)
|
||||
push @seed_sources, $x;
|
||||
}
|
||||
}
|
||||
@ -61,7 +61,7 @@ diff -up openssl-1.1.1-pre8/Configure.system-cipherlist openssl-1.1.1-pre8/Confi
|
||||
elsif (/^--cross-compile-prefix=(.*)$/)
|
||||
{
|
||||
$user{CROSS_COMPILE}=$1;
|
||||
@@ -1000,6 +1008,8 @@ if ($target eq "HASH") {
|
||||
@@ -1003,6 +1011,8 @@ if ($target eq "HASH") {
|
||||
exit 0;
|
||||
}
|
||||
|
||||
@ -70,10 +70,10 @@ diff -up openssl-1.1.1-pre8/Configure.system-cipherlist openssl-1.1.1-pre8/Confi
|
||||
print "Configuring OpenSSL version $config{version} ($config{version_num}) ";
|
||||
print "for $target\n";
|
||||
|
||||
diff -up openssl-1.1.1-pre8/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1-pre8/doc/man1/ciphers.pod
|
||||
--- openssl-1.1.1-pre8/doc/man1/ciphers.pod.system-cipherlist 2018-06-20 16:48:12.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/doc/man1/ciphers.pod 2018-07-25 10:13:06.346232856 +0200
|
||||
@@ -200,6 +200,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
|
||||
diff -up openssl-1.1.1-pre9/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1-pre9/doc/man1/ciphers.pod
|
||||
--- openssl-1.1.1-pre9/doc/man1/ciphers.pod.system-cipherlist 2018-08-21 14:14:13.000000000 +0200
|
||||
+++ openssl-1.1.1-pre9/doc/man1/ciphers.pod 2018-08-22 12:15:54.555743536 +0200
|
||||
@@ -182,6 +182,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
|
||||
|
||||
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
|
||||
|
||||
@ -89,9 +89,9 @@ diff -up openssl-1.1.1-pre8/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1
|
||||
=item B<HIGH>
|
||||
|
||||
"High" encryption cipher suites. This currently means those with key lengths
|
||||
diff -up openssl-1.1.1-pre8/include/openssl/ssl.h.system-cipherlist openssl-1.1.1-pre8/include/openssl/ssl.h
|
||||
--- openssl-1.1.1-pre8/include/openssl/ssl.h.system-cipherlist 2018-06-20 16:48:13.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/include/openssl/ssl.h 2018-07-25 10:13:06.346232856 +0200
|
||||
diff -up openssl-1.1.1-pre9/include/openssl/ssl.h.system-cipherlist openssl-1.1.1-pre9/include/openssl/ssl.h
|
||||
--- openssl-1.1.1-pre9/include/openssl/ssl.h.system-cipherlist 2018-08-21 14:14:15.000000000 +0200
|
||||
+++ openssl-1.1.1-pre9/include/openssl/ssl.h 2018-08-22 12:15:54.557743585 +0200
|
||||
@@ -186,6 +186,11 @@ extern "C" {
|
||||
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
|
||||
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
|
||||
@ -104,9 +104,9 @@ diff -up openssl-1.1.1-pre8/include/openssl/ssl.h.system-cipherlist openssl-1.1.
|
||||
|
||||
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
|
||||
# define SSL_SENT_SHUTDOWN 1
|
||||
diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre8/ssl/ssl_ciph.c
|
||||
--- openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist 2018-06-20 16:48:13.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/ssl/ssl_ciph.c 2018-07-25 10:36:36.475896866 +0200
|
||||
diff -up openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre9/ssl/ssl_ciph.c
|
||||
--- openssl-1.1.1-pre9/ssl/ssl_ciph.c.system-cipherlist 2018-08-21 14:14:15.000000000 +0200
|
||||
+++ openssl-1.1.1-pre9/ssl/ssl_ciph.c 2018-08-22 12:15:54.557743585 +0200
|
||||
@@ -9,6 +9,8 @@
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
@ -116,7 +116,7 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre8/
|
||||
#include <stdio.h>
|
||||
#include <ctype.h>
|
||||
#include <openssl/objects.h>
|
||||
@@ -1400,6 +1402,53 @@ int SSL_set_ciphersuites(SSL *s, const c
|
||||
@@ -1397,6 +1399,53 @@ int SSL_set_ciphersuites(SSL *s, const c
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -170,7 +170,7 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre8/
|
||||
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
||||
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
|
||||
STACK_OF(SSL_CIPHER) **cipher_list,
|
||||
@@ -1413,15 +1462,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
@@ -1410,15 +1459,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
const char *rule_p;
|
||||
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
|
||||
const SSL_CIPHER **ca_list = NULL;
|
||||
@ -198,7 +198,7 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre8/
|
||||
#endif
|
||||
|
||||
/*
|
||||
@@ -1444,7 +1503,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
@@ -1441,7 +1500,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
|
||||
if (co_list == NULL) {
|
||||
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
|
||||
@ -207,7 +207,7 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre8/
|
||||
}
|
||||
|
||||
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
|
||||
@@ -1510,8 +1569,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
@@ -1507,8 +1566,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
* in force within each class
|
||||
*/
|
||||
if (!ssl_cipher_strength_sort(&head, &tail)) {
|
||||
@ -217,7 +217,7 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre8/
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1556,9 +1614,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
@@ -1553,9 +1611,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
|
||||
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
|
||||
if (ca_list == NULL) {
|
||||
@ -228,7 +228,7 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre8/
|
||||
}
|
||||
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
|
||||
disabled_mkey, disabled_auth, disabled_enc,
|
||||
@@ -1584,8 +1641,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
@@ -1581,8 +1638,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
OPENSSL_free(ca_list); /* Not needed anymore */
|
||||
|
||||
if (!ok) { /* Rule processing failure */
|
||||
@ -238,7 +238,7 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre8/
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1593,14 +1649,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
@@ -1590,14 +1646,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
* if we cannot get one.
|
||||
*/
|
||||
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
|
||||
@ -259,7 +259,7 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre8/
|
||||
sk_SSL_CIPHER_free(cipherstack);
|
||||
return NULL;
|
||||
}
|
||||
@@ -1632,6 +1692,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
@@ -1629,6 +1689,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
*cipher_list = cipherstack;
|
||||
|
||||
return cipherstack;
|
||||
@ -274,9 +274,9 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1-pre8/
|
||||
}
|
||||
|
||||
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
||||
diff -up openssl-1.1.1-pre8/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1-pre8/ssl/ssl_lib.c
|
||||
--- openssl-1.1.1-pre8/ssl/ssl_lib.c.system-cipherlist 2018-07-25 10:13:06.347232880 +0200
|
||||
+++ openssl-1.1.1-pre8/ssl/ssl_lib.c 2018-07-25 10:37:38.715394989 +0200
|
||||
diff -up openssl-1.1.1-pre9/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1-pre9/ssl/ssl_lib.c
|
||||
--- openssl-1.1.1-pre9/ssl/ssl_lib.c.system-cipherlist 2018-08-22 12:15:54.552743462 +0200
|
||||
+++ openssl-1.1.1-pre9/ssl/ssl_lib.c 2018-08-22 12:15:54.558743609 +0200
|
||||
@@ -658,7 +658,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
|
||||
ctx->tls13_ciphersuites,
|
||||
&(ctx->cipher_list),
|
||||
@ -286,7 +286,7 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1-pre8/s
|
||||
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
|
||||
SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
|
||||
return 0;
|
||||
@@ -2931,7 +2931,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
|
||||
@@ -2933,7 +2933,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
|
||||
if (!ssl_create_cipher_list(ret->method,
|
||||
ret->tls13_ciphersuites,
|
||||
&ret->cipher_list, &ret->cipher_list_by_id,
|
||||
@ -295,9 +295,9 @@ diff -up openssl-1.1.1-pre8/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1-pre8/s
|
||||
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
|
||||
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
|
||||
goto err2;
|
||||
diff -up openssl-1.1.1-pre8/test/cipherlist_test.c.system-cipherlist openssl-1.1.1-pre8/test/cipherlist_test.c
|
||||
--- openssl-1.1.1-pre8/test/cipherlist_test.c.system-cipherlist 2018-07-25 10:13:06.348232903 +0200
|
||||
+++ openssl-1.1.1-pre8/test/cipherlist_test.c 2018-07-25 10:39:08.887552814 +0200
|
||||
diff -up openssl-1.1.1-pre9/test/cipherlist_test.c.system-cipherlist openssl-1.1.1-pre9/test/cipherlist_test.c
|
||||
--- openssl-1.1.1-pre9/test/cipherlist_test.c.system-cipherlist 2018-08-21 14:14:15.000000000 +0200
|
||||
+++ openssl-1.1.1-pre9/test/cipherlist_test.c 2018-08-22 12:15:54.558743609 +0200
|
||||
@@ -217,7 +217,9 @@ static int test_default_cipherlist_expli
|
||||
|
||||
int setup_tests(void)
|
||||
|
@ -1,14 +1,14 @@
|
||||
diff -up openssl-1.1.1-pre8/include/openssl/opensslv.h.version-override openssl-1.1.1-pre8/include/openssl/opensslv.h
|
||||
--- openssl-1.1.1-pre8/include/openssl/opensslv.h.version-override 2018-06-20 16:48:13.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/include/openssl/opensslv.h 2018-07-25 11:03:29.297543392 +0200
|
||||
diff -up openssl-1.1.1-pre9/include/openssl/opensslv.h.version-override openssl-1.1.1-pre9/include/openssl/opensslv.h
|
||||
--- openssl-1.1.1-pre9/include/openssl/opensslv.h.version-override 2018-08-22 12:25:31.959886929 +0200
|
||||
+++ openssl-1.1.1-pre9/include/openssl/opensslv.h 2018-08-22 12:26:17.997014595 +0200
|
||||
@@ -39,8 +39,8 @@ extern "C" {
|
||||
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
|
||||
* major minor fix final patch/beta)
|
||||
*/
|
||||
-# define OPENSSL_VERSION_NUMBER 0x10101008L
|
||||
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-pre8 (beta) 20 Jun 2018"
|
||||
-# define OPENSSL_VERSION_NUMBER 0x10101009L
|
||||
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-pre9 (beta) 21 Aug 2018"
|
||||
+# define OPENSSL_VERSION_NUMBER 0x1010100fL
|
||||
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-pre8 (beta) FIPS 20 Jun 2018"
|
||||
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1-pre9 (beta) FIPS 21 Aug 2018"
|
||||
|
||||
/*-
|
||||
* The macros below are to be used for shared library (.so, .dll, ...)
|
||||
|
11
openssl.spec
11
openssl.spec
@ -19,12 +19,12 @@
|
||||
|
||||
%global _performance_build 1
|
||||
|
||||
%global prerelease pre8
|
||||
%global prerelease pre9
|
||||
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.1.1
|
||||
Release: 0.%{prerelease}.4%{?dist}
|
||||
Release: 0.%{prerelease}.1%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -60,7 +60,7 @@ Patch43: openssl-1.1.1-ignore-bound.patch
|
||||
Patch44: openssl-1.1.1-version-override.patch
|
||||
Patch45: openssl-1.1.0-weak-ciphers.patch
|
||||
# Backported fixes including security fixes
|
||||
Patch70: openssl-1.1.1-bidi-shutdown.patch
|
||||
Patch70: openssl-1.1.1-seclevel-check.patch
|
||||
|
||||
License: OpenSSL
|
||||
Group: System Environment/Libraries
|
||||
@ -163,7 +163,7 @@ cp %{SOURCE13} test/
|
||||
%patch44 -p1 -b .version-override
|
||||
%patch45 -p1 -b .weak-ciphers
|
||||
|
||||
%patch70 -p1 -b .bidi-shutdown
|
||||
%patch70 -p1 -b .seclevel-check
|
||||
|
||||
%build
|
||||
# Figure out which flags we want to use.
|
||||
@ -444,6 +444,9 @@ export LD_LIBRARY_PATH
|
||||
%postun libs -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Wed Aug 22 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre9.1
|
||||
- update to the latest 1.1.1 beta version
|
||||
|
||||
* Mon Aug 13 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre8.4
|
||||
- bidirectional shutdown fixes from upstream
|
||||
|
||||
|
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (openssl-1.1.1-pre8-hobbled.tar.xz) = eca0c8843c69fc3dcd1a27d56107368548f5674a64decc62ff48196d30485f287550bb671ca8bc48aeef482a8419462638bf152850c741e4554219230f4c4582
|
||||
SHA512 (openssl-1.1.1-pre9-hobbled.tar.xz) = 0f723cdb1789a8ea893bb6f194321e586d70ce1d19b9832072ab90c02805f4ab11fd762b5d7b4433063432c91a1904f9fac202e64f22b89f3df6cd6e2ef25401
|
||||
|
Loading…
Reference in New Issue
Block a user