rpms/openssl
8
1
Fork 1
Code Issues Pull Requests Releases Activity

minor upstream release 1.0.2i fixing security issues

Browse Source 
- move man pages for perl based scripts to perl subpackage (#1377617)
This commit is contained in:
Tomas Mraz 2016-09-22 14:16:05 +02:00
parent 9fc25c1d28
commit 6e67274c62
12 changed files with 525 additions and 582 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -29,3 +29,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-1.0.2f-hobbled.tar.xz
/openssl-1.0.2g-hobbled.tar.xz
/openssl-1.0.2h-hobbled.tar.xz
/openssl-1.0.2i-hobbled.tar.xz

24
openssl-1.0.2a-chil-fixes.patch
View File

@ -1,24 +0,0 @@
diff -up openssl-1.0.2a/engines/e_chil.c.chil openssl-1.0.2a/engines/e_chil.c
--- openssl-1.0.2a/engines/e_chil.c.chil 2015-03-19 14:19:00.000000000 +0100
+++ openssl-1.0.2a/engines/e_chil.c 2015-04-21 17:06:25.480293443 +0200
@@ -1247,6 +1247,11 @@ static int hwcrhk_insert_card(const char
UI *ui;
void *callback_data = NULL;
UI_METHOD *ui_method = NULL;
+ /* Despite what the documentation says prompt_info can be
+ * an empty string.
+ */
+ if (prompt_info && !*prompt_info)
+ prompt_info = NULL;
if (cactx) {
if (cactx->ui_method)
@@ -1268,7 +1273,7 @@ static int hwcrhk_insert_card(const char
ui = UI_new_method(ui_method);
if (ui) {
- char answer;
+ char answer = '\0';
char buf[BUFSIZ];
/*
* Despite what the documentation says wrong_info can be an empty

61
openssl-1.0.2a-enc-fail.patch
View File

@ -1,61 +0,0 @@
diff -up openssl-1.0.2a/crypto/evp/bio_enc.c.enc-fail openssl-1.0.2a/crypto/evp/bio_enc.c
--- openssl-1.0.2a/crypto/evp/bio_enc.c.enc-fail 2015-03-19 14:19:00.000000000 +0100
+++ openssl-1.0.2a/crypto/evp/bio_enc.c 2015-04-22 18:10:06.491819948 +0200
@@ -201,10 +201,14 @@ static int enc_read(BIO *b, char *out, i
break;
}
} else {
- EVP_CipherUpdate(&(ctx->cipher),
- (unsigned char *)ctx->buf, &ctx->buf_len,
- (unsigned char *)&(ctx->buf[BUF_OFFSET]), i);
- ctx->cont = 1;
+ if (!EVP_CipherUpdate(&(ctx->cipher),
+ (unsigned char *)ctx->buf, &ctx->buf_len,
+ (unsigned char *)&(ctx->buf[BUF_OFFSET]),
+ i)) {
+ ctx->ok = 0;
+ ctx->cont = 0;
+ } else
+ ctx->cont = 1;
/*
* Note: it is possible for EVP_CipherUpdate to decrypt zero
* bytes because this is or looks like the final block: if this
@@ -260,9 +264,13 @@ static int enc_write(BIO *b, const char
ctx->buf_off = 0;
while (inl > 0) {
n = (inl > ENC_BLOCK_SIZE) ? ENC_BLOCK_SIZE : inl;
- EVP_CipherUpdate(&(ctx->cipher),
- (unsigned char *)ctx->buf, &ctx->buf_len,
- (unsigned char *)in, n);
+ if (!EVP_CipherUpdate(&(ctx->cipher),
+ (unsigned char *)ctx->buf, &ctx->buf_len,
+ (unsigned char *)in, n)) {
+ BIO_copy_next_retry(b);
+ ctx->ok = 0;
+ return ret - inl;
+ }
inl -= n;
in += n;
@@ -298,8 +306,9 @@ static long enc_ctrl(BIO *b, int cmd, lo
case BIO_CTRL_RESET:
ctx->ok = 1;
ctx->finished = 0;
- EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL,
- ctx->cipher.encrypt);
+ if (!EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL,
+ ctx->cipher.encrypt))
+ ctx->ok = 0;
ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
break;
case BIO_CTRL_EOF: /* More to read */
@@ -421,7 +430,8 @@ void BIO_set_cipher(BIO *b, const EVP_CI
b->init = 1;
ctx = (BIO_ENC_CTX *)b->ptr;
- EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e);
+ if (!EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e))
+ ctx->ok = 0;
if (b->callback != NULL)
b->callback(b, BIO_CB_CTRL, (const char *)c, BIO_CTRL_SET, e, 1L);

12
openssl-1.0.2h-dtls-bad-ver.patch
View File

@ -1,12 +0,0 @@
diff -up openssl-1.0.2h/ssl/ssl_lib.c.dtls-bad-ver openssl-1.0.2h/ssl/ssl_lib.c
--- openssl-1.0.2h/ssl/ssl_lib.c.dtls-bad-ver 2016-05-03 18:06:45.000000000 +0200
+++ openssl-1.0.2h/ssl/ssl_lib.c 2016-08-10 13:47:33.995530954 +0200
@@ -1828,7 +1828,7 @@ int SSL_export_keying_material(SSL *s, u
const unsigned char *p, size_t plen,
int use_context)
{
- if (s->version < TLS1_VERSION)
+ if (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER)
return -1;
return s->method->ssl3_enc->export_keying_material(s, out, olen, label,

15
openssl-1.0.2i-chil-fixes.patch Normal file
View File

@ -0,0 +1,15 @@
diff -up openssl-1.0.2i/engines/e_chil.c.chil openssl-1.0.2i/engines/e_chil.c
--- openssl-1.0.2i/engines/e_chil.c.chil 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/engines/e_chil.c 2016-09-22 13:49:32.532017102 +0200
@@ -1274,6 +1274,11 @@ static int hwcrhk_insert_card(const char
UI *ui;
void *callback_data = NULL;
UI_METHOD *ui_method = NULL;
+ /* Despite what the documentation says prompt_info can be
+ * an empty string.
+ */
+ if (prompt_info && !*prompt_info)
+ prompt_info = NULL;
if (cactx) {
if (cactx->ui_method)

25
openssl-1.0.2i-enc-fail.patch Normal file
View File

@ -0,0 +1,25 @@
diff -up openssl-1.0.2i/crypto/evp/bio_enc.c.enc-fail openssl-1.0.2i/crypto/evp/bio_enc.c
--- openssl-1.0.2i/crypto/evp/bio_enc.c.enc-fail 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/evp/bio_enc.c 2016-09-22 13:58:24.592381002 +0200
@@ -307,8 +307,9 @@ static long enc_ctrl(BIO *b, int cmd, lo
case BIO_CTRL_RESET:
ctx->ok = 1;
ctx->finished = 0;
- EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL,
- ctx->cipher.encrypt);
+ if (!EVP_CipherInit_ex(&(ctx->cipher), NULL, NULL, NULL, NULL,
+ ctx->cipher.encrypt))
+ ctx->ok = 0;
ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
break;
case BIO_CTRL_EOF: /* More to read */
@@ -430,7 +431,8 @@ void BIO_set_cipher(BIO *b, const EVP_CI
b->init = 1;
ctx = (BIO_ENC_CTX *)b->ptr;
- EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e);
+ if (!EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e))
+ ctx->ok = 0;
if (b->callback != NULL)
b->callback(b, BIO_CB_CTRL, (const char *)c, BIO_CTRL_SET, e, 1L);

641
openssl-1.0.2h-fips.patch → openssl-1.0.2i-fips.patch
View File

File diff suppressed because it is too large Load Diff

109
openssl-1.0.2f-new-fips-reqs.patch → openssl-1.0.2i-new-fips-reqs.patch
View File

@ -1,24 +1,23 @@
diff -up openssl-1.0.2f/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.2f/crypto/bn/bn_rand.c
--- openssl-1.0.2f/crypto/bn/bn_rand.c.fips-reqs 2016-01-28 14:38:30.000000000 +0100
+++ openssl-1.0.2f/crypto/bn/bn_rand.c 2016-01-28 16:36:22.811387420 +0100
@@ -141,9 +141,11 @@ static int bnrand(int pseudorand, BIGNUM
goto err;
diff -up openssl-1.0.2i/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.2i/crypto/bn/bn_rand.c
--- openssl-1.0.2i/crypto/bn/bn_rand.c.fips-reqs 2016-09-22 13:54:26.533848449 +0200
+++ openssl-1.0.2i/crypto/bn/bn_rand.c 2016-09-22 13:56:52.169233060 +0200
@@ -141,8 +141,11 @@ static int bnrand(int pseudorand, BIGNUM
}
- /* make a random number and set the top and bottom bits */
/* make a random number and set the top and bottom bits */
- time(&tim);
- RAND_add(&tim, sizeof(tim), 0.0);
+ if (!FIPS_mode()) { /* in FIPS mode the RNG is always properly seeded or the module fails */
+ /* make a random number and set the top and bottom bits */
+ if (!FIPS_mode()) {
+ /* in FIPS mode the RNG is always properly seeded or the module fails */
+ time(&tim);
+ RAND_add(&tim, sizeof(tim), 0.0);
+ }
if (pseudorand) {
if (RAND_pseudo_bytes(buf, bytes) == -1)
diff -up openssl-1.0.2f/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2f/crypto/dh/dh_gen.c
--- openssl-1.0.2f/crypto/dh/dh_gen.c.fips-reqs 2016-01-28 16:36:22.767386408 +0100
+++ openssl-1.0.2f/crypto/dh/dh_gen.c 2016-01-28 16:36:22.811387420 +0100
/* We ignore the value of pseudorand and always call RAND_bytes */
if (RAND_bytes(buf, bytes) <= 0)
diff -up openssl-1.0.2i/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2i/crypto/dh/dh_gen.c
--- openssl-1.0.2i/crypto/dh/dh_gen.c.fips-reqs 2016-09-22 13:54:26.489847426 +0200
+++ openssl-1.0.2i/crypto/dh/dh_gen.c 2016-09-22 13:54:26.533848449 +0200
@@ -128,7 +128,7 @@ static int dh_builtin_genparams(DH *ret,
return 0;
}
@ -28,9 +27,9 @@ diff -up openssl-1.0.2f/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2f/crypto/dh/dh
DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
goto err;
}
diff -up openssl-1.0.2f/crypto/dh/dh.h.fips-reqs openssl-1.0.2f/crypto/dh/dh.h
--- openssl-1.0.2f/crypto/dh/dh.h.fips-reqs 2016-01-28 16:36:22.767386408 +0100
+++ openssl-1.0.2f/crypto/dh/dh.h 2016-01-28 16:36:22.812387443 +0100
diff -up openssl-1.0.2i/crypto/dh/dh.h.fips-reqs openssl-1.0.2i/crypto/dh/dh.h
--- openssl-1.0.2i/crypto/dh/dh.h.fips-reqs 2016-09-22 13:54:26.489847426 +0200
+++ openssl-1.0.2i/crypto/dh/dh.h 2016-09-22 13:54:26.534848472 +0200
@@ -78,6 +78,7 @@
# endif
@ -39,9 +38,9 @@ diff -up openssl-1.0.2f/crypto/dh/dh.h.fips-reqs openssl-1.0.2f/crypto/dh/dh.h
# define DH_FLAG_CACHE_MONT_P 0x01
diff -up openssl-1.0.2f/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2f/crypto/dsa/dsa_gen.c
--- openssl-1.0.2f/crypto/dsa/dsa_gen.c.fips-reqs 2016-01-28 16:36:22.768386431 +0100
+++ openssl-1.0.2f/crypto/dsa/dsa_gen.c 2016-01-28 16:36:22.812387443 +0100
diff -up openssl-1.0.2i/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2i/crypto/dsa/dsa_gen.c
--- openssl-1.0.2i/crypto/dsa/dsa_gen.c.fips-reqs 2016-09-22 13:54:26.490847450 +0200
+++ openssl-1.0.2i/crypto/dsa/dsa_gen.c 2016-09-22 13:54:26.534848472 +0200
@@ -157,9 +157,11 @@ int dsa_builtin_paramgen(DSA *ret, size_
}
@ -57,9 +56,9 @@ diff -up openssl-1.0.2f/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2f/crypto/dsa
DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
goto err;
}
diff -up openssl-1.0.2f/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2f/crypto/dsa/dsa.h
--- openssl-1.0.2f/crypto/dsa/dsa.h.fips-reqs 2016-01-28 16:36:22.768386431 +0100
+++ openssl-1.0.2f/crypto/dsa/dsa.h 2016-01-28 16:36:22.812387443 +0100
diff -up openssl-1.0.2i/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2i/crypto/dsa/dsa.h
--- openssl-1.0.2i/crypto/dsa/dsa.h.fips-reqs 2016-09-22 13:54:26.490847450 +0200
+++ openssl-1.0.2i/crypto/dsa/dsa.h 2016-09-22 13:54:26.534848472 +0200
@@ -89,6 +89,7 @@
# endif
@ -80,9 +79,9 @@ diff -up openssl-1.0.2f/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2f/crypto/dsa/dsa
* Rabin-Miller
*/
# define DSA_is_prime(n, callback, cb_arg) \
diff -up openssl-1.0.2f/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2f/crypto/dsa/dsa_key.c
--- openssl-1.0.2f/crypto/dsa/dsa_key.c.fips-reqs 2016-01-28 16:36:22.810387397 +0100
+++ openssl-1.0.2f/crypto/dsa/dsa_key.c 2016-01-28 16:36:22.812387443 +0100
diff -up openssl-1.0.2i/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2i/crypto/dsa/dsa_key.c
--- openssl-1.0.2i/crypto/dsa/dsa_key.c.fips-reqs 2016-09-22 13:54:26.532848426 +0200
+++ openssl-1.0.2i/crypto/dsa/dsa_key.c 2016-09-22 13:54:26.534848472 +0200
@@ -125,7 +125,7 @@ static int dsa_builtin_keygen(DSA *dsa)
# ifdef OPENSSL_FIPS
@ -92,9 +91,9 @@ diff -up openssl-1.0.2f/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2f/crypto/dsa
DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
goto err;
}
diff -up openssl-1.0.2f/crypto/fips/fips.c.fips-reqs openssl-1.0.2f/crypto/fips/fips.c
--- openssl-1.0.2f/crypto/fips/fips.c.fips-reqs 2016-01-28 16:36:22.810387397 +0100
+++ openssl-1.0.2f/crypto/fips/fips.c 2016-01-28 16:36:22.813387467 +0100
diff -up openssl-1.0.2i/crypto/fips/fips.c.fips-reqs openssl-1.0.2i/crypto/fips/fips.c
--- openssl-1.0.2i/crypto/fips/fips.c.fips-reqs 2016-09-22 13:54:26.532848426 +0200
+++ openssl-1.0.2i/crypto/fips/fips.c 2016-09-22 13:54:26.534848472 +0200
@@ -424,26 +424,24 @@ int FIPS_module_mode_set(int onoff, cons
ret = 0;
goto end;
@ -128,9 +127,9 @@ diff -up openssl-1.0.2f/crypto/fips/fips.c.fips-reqs openssl-1.0.2f/crypto/fips/
ret = 1;
goto end;
}
diff -up openssl-1.0.2f/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2f/crypto/fips/fips_dh_selftest.c
--- openssl-1.0.2f/crypto/fips/fips_dh_selftest.c.fips-reqs 2016-01-28 16:36:22.813387467 +0100
+++ openssl-1.0.2f/crypto/fips/fips_dh_selftest.c 2016-01-28 16:36:22.813387467 +0100
diff -up openssl-1.0.2i/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2i/crypto/fips/fips_dh_selftest.c
--- openssl-1.0.2i/crypto/fips/fips_dh_selftest.c.fips-reqs 2016-09-22 13:54:26.535848495 +0200
+++ openssl-1.0.2i/crypto/fips/fips_dh_selftest.c 2016-09-22 13:54:26.535848495 +0200
@@ -0,0 +1,162 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
@ -294,9 +293,9 @@ diff -up openssl-1.0.2f/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2f/
+ return ret;
+}
+#endif
diff -up openssl-1.0.2f/crypto/fips/fips.h.fips-reqs openssl-1.0.2f/crypto/fips/fips.h
--- openssl-1.0.2f/crypto/fips/fips.h.fips-reqs 2016-01-28 16:36:22.806387305 +0100
+++ openssl-1.0.2f/crypto/fips/fips.h 2016-01-28 16:36:22.813387467 +0100
diff -up openssl-1.0.2i/crypto/fips/fips.h.fips-reqs openssl-1.0.2i/crypto/fips/fips.h
--- openssl-1.0.2i/crypto/fips/fips.h.fips-reqs 2016-09-22 13:54:26.527848309 +0200
+++ openssl-1.0.2i/crypto/fips/fips.h 2016-09-22 13:54:26.535848495 +0200
@@ -96,6 +96,7 @@ extern "C" {
int FIPS_selftest_dsa(void);
int FIPS_selftest_ecdsa(void);
@ -305,9 +304,9 @@ diff -up openssl-1.0.2f/crypto/fips/fips.h.fips-reqs openssl-1.0.2f/crypto/fips/
void FIPS_corrupt_rng(void);
void FIPS_rng_stick(void);
void FIPS_x931_stick(int onoff);
diff -up openssl-1.0.2f/crypto/fips/fips_post.c.fips-reqs openssl-1.0.2f/crypto/fips/fips_post.c
--- openssl-1.0.2f/crypto/fips/fips_post.c.fips-reqs 2016-01-28 16:36:22.803387236 +0100
+++ openssl-1.0.2f/crypto/fips/fips_post.c 2016-01-28 16:36:22.813387467 +0100
diff -up openssl-1.0.2i/crypto/fips/fips_post.c.fips-reqs openssl-1.0.2i/crypto/fips/fips_post.c
--- openssl-1.0.2i/crypto/fips/fips_post.c.fips-reqs 2016-09-22 13:54:26.524848240 +0200
+++ openssl-1.0.2i/crypto/fips/fips_post.c 2016-09-22 13:54:26.535848495 +0200
@@ -99,6 +99,8 @@ int FIPS_selftest(void)
rv = 0;
if (!FIPS_selftest_dsa())
@ -317,9 +316,9 @@ diff -up openssl-1.0.2f/crypto/fips/fips_post.c.fips-reqs openssl-1.0.2f/crypto/
if (!FIPS_selftest_ecdh())
rv = 0;
return rv;
diff -up openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c
--- openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c.fips-reqs 2016-01-28 16:36:22.778386661 +0100
+++ openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c 2016-01-28 16:36:22.814387489 +0100
diff -up openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c
--- openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c.fips-reqs 2016-09-22 13:54:26.499847659 +0200
+++ openssl-1.0.2i/crypto/fips/fips_rsa_selftest.c 2016-09-22 13:54:26.537848542 +0200
@@ -60,68 +60,107 @@
#ifdef OPENSSL_FIPS
@ -974,9 +973,9 @@ diff -up openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.2f
RSA_free(key);
return ret;
}
diff -up openssl-1.0.2f/crypto/fips/Makefile.fips-reqs openssl-1.0.2f/crypto/fips/Makefile
--- openssl-1.0.2f/crypto/fips/Makefile.fips-reqs 2016-01-28 16:36:22.803387236 +0100
+++ openssl-1.0.2f/crypto/fips/Makefile 2016-01-28 16:36:22.814387489 +0100
diff -up openssl-1.0.2i/crypto/fips/Makefile.fips-reqs openssl-1.0.2i/crypto/fips/Makefile
--- openssl-1.0.2i/crypto/fips/Makefile.fips-reqs 2016-09-22 13:54:26.524848240 +0200
+++ openssl-1.0.2i/crypto/fips/Makefile 2016-09-22 13:54:26.537848542 +0200
@@ -24,13 +24,15 @@ LIBSRC=fips_aes_selftest.c fips_des_self
fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
@ -995,9 +994,9 @@ diff -up openssl-1.0.2f/crypto/fips/Makefile.fips-reqs openssl-1.0.2f/crypto/fip
LIBCRYPTO=-L.. -lcrypto
diff -up openssl-1.0.2f/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.2f/crypto/rand/rand_lcl.h
--- openssl-1.0.2f/crypto/rand/rand_lcl.h.fips-reqs 2016-01-28 16:36:22.516380636 +0100
+++ openssl-1.0.2f/crypto/rand/rand_lcl.h 2016-01-28 16:36:22.814387489 +0100
diff -up openssl-1.0.2i/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.2i/crypto/rand/rand_lcl.h
--- openssl-1.0.2i/crypto/rand/rand_lcl.h.fips-reqs 2016-09-22 13:54:26.261842127 +0200
+++ openssl-1.0.2i/crypto/rand/rand_lcl.h 2016-09-22 13:54:26.537848542 +0200
@@ -112,7 +112,7 @@
#ifndef HEADER_RAND_LCL_H
# define HEADER_RAND_LCL_H
@ -1007,9 +1006,9 @@ diff -up openssl-1.0.2f/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.2f/crypto/r
# if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
diff -up openssl-1.0.2f/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.2f/crypto/rand/rand_lib.c
--- openssl-1.0.2f/crypto/rand/rand_lib.c.fips-reqs 2016-01-28 14:38:31.000000000 +0100
+++ openssl-1.0.2f/crypto/rand/rand_lib.c 2016-01-28 16:36:22.814387489 +0100
diff -up openssl-1.0.2i/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.2i/crypto/rand/rand_lib.c
--- openssl-1.0.2i/crypto/rand/rand_lib.c.fips-reqs 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/rand/rand_lib.c 2016-09-22 13:54:26.537848542 +0200
@@ -236,12 +236,22 @@ static int drbg_rand_add(DRBG_CTX *ctx,
double entropy)
{
@ -1033,9 +1032,9 @@ diff -up openssl-1.0.2f/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.2f/crypto/r
return 1;
}
diff -up openssl-1.0.2f/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.2f/crypto/rsa/rsa_gen.c
--- openssl-1.0.2f/crypto/rsa/rsa_gen.c.fips-reqs 2016-01-28 16:36:22.781386731 +0100
+++ openssl-1.0.2f/crypto/rsa/rsa_gen.c 2016-01-28 16:36:22.814387489 +0100
diff -up openssl-1.0.2i/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.2i/crypto/rsa/rsa_gen.c
--- openssl-1.0.2i/crypto/rsa/rsa_gen.c.fips-reqs 2016-09-22 13:54:26.502847728 +0200
+++ openssl-1.0.2i/crypto/rsa/rsa_gen.c 2016-09-22 13:54:26.538848565 +0200
@@ -1,5 +1,6 @@
/* crypto/rsa/rsa_gen.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
@ -1337,9 +1336,9 @@ diff -up openssl-1.0.2f/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.2f/crypto/rsa
ok = 1;
err:
if (ok == -1) {
diff -up openssl-1.0.2f/ssl/t1_enc.c.fips-reqs openssl-1.0.2f/ssl/t1_enc.c
--- openssl-1.0.2f/ssl/t1_enc.c.fips-reqs 2016-01-28 14:56:08.000000000 +0100
+++ openssl-1.0.2f/ssl/t1_enc.c 2016-01-28 16:36:22.814387489 +0100
diff -up openssl-1.0.2i/ssl/t1_enc.c.fips-reqs openssl-1.0.2i/ssl/t1_enc.c
--- openssl-1.0.2i/ssl/t1_enc.c.fips-reqs 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/ssl/t1_enc.c 2016-09-22 13:54:26.538848565 +0200
@@ -292,6 +292,23 @@ static int tls1_PRF(long digest_mask,
return ret;
}

76
openssl-1.0.2a-secure-getenv.patch → openssl-1.0.2i-secure-getenv.patch
View File

@ -1,6 +1,6 @@
diff -up openssl-1.0.2a/crypto/conf/conf_api.c.secure-getenv openssl-1.0.2a/crypto/conf/conf_api.c
--- openssl-1.0.2a/crypto/conf/conf_api.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100
+++ openssl-1.0.2a/crypto/conf/conf_api.c 2015-04-21 17:14:12.757214532 +0200
diff -up openssl-1.0.2i/crypto/conf/conf_api.c.secure-getenv openssl-1.0.2i/crypto/conf/conf_api.c
--- openssl-1.0.2i/crypto/conf/conf_api.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/conf/conf_api.c 2016-09-22 13:51:29.847742209 +0200
@@ -63,6 +63,8 @@
# define NDEBUG
#endif
@ -28,9 +28,9 @@ diff -up openssl-1.0.2a/crypto/conf/conf_api.c.secure-getenv openssl-1.0.2a/cryp
}
#if 0 /* There's no way to provide error checking
diff -up openssl-1.0.2a/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.2a/crypto/conf/conf_mod.c
--- openssl-1.0.2a/crypto/conf/conf_mod.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100
+++ openssl-1.0.2a/crypto/conf/conf_mod.c 2015-04-21 17:13:24.165078848 +0200
diff -up openssl-1.0.2i/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.2i/crypto/conf/conf_mod.c
--- openssl-1.0.2i/crypto/conf/conf_mod.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/conf/conf_mod.c 2016-09-22 13:51:29.847742209 +0200
@@ -57,6 +57,8 @@
*
*/
@ -40,7 +40,7 @@ diff -up openssl-1.0.2a/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.2a/cryp
#include <stdio.h>
#include <ctype.h>
#include <openssl/crypto.h>
@@ -526,7 +528,7 @@ char *CONF_get1_default_config_file(void
@@ -530,7 +532,7 @@ char *CONF_get1_default_config_file(void
char *file;
int len;
@ -49,9 +49,9 @@ diff -up openssl-1.0.2a/crypto/conf/conf_mod.c.secure-getenv openssl-1.0.2a/cryp
if (file)
return BUF_strdup(file);
diff -up openssl-1.0.2a/crypto/engine/eng_list.c.secure-getenv openssl-1.0.2a/crypto/engine/eng_list.c
--- openssl-1.0.2a/crypto/engine/eng_list.c.secure-getenv 2015-04-21 17:13:24.165078848 +0200
+++ openssl-1.0.2a/crypto/engine/eng_list.c 2015-04-21 17:15:53.180561603 +0200
diff -up openssl-1.0.2i/crypto/engine/eng_list.c.secure-getenv openssl-1.0.2i/crypto/engine/eng_list.c
--- openssl-1.0.2i/crypto/engine/eng_list.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/engine/eng_list.c 2016-09-22 13:51:29.847742209 +0200
@@ -62,6 +62,8 @@
* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
*/
@ -61,7 +61,7 @@ diff -up openssl-1.0.2a/crypto/engine/eng_list.c.secure-getenv openssl-1.0.2a/cr
#include "eng_int.h"
/*
@@ -368,10 +370,10 @@ ENGINE *ENGINE_by_id(const char *id)
@@ -369,10 +371,10 @@ ENGINE *ENGINE_by_id(const char *id)
*/
if (strcmp(id, "dynamic")) {
# ifdef OPENSSL_SYS_VMS
@ -74,9 +74,9 @@ diff -up openssl-1.0.2a/crypto/engine/eng_list.c.secure-getenv openssl-1.0.2a/cr
load_dir = ENGINESDIR;
# endif
iterator = ENGINE_by_id("dynamic");
diff -up openssl-1.0.2a/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.2a/crypto/md5/md5_dgst.c
--- openssl-1.0.2a/crypto/md5/md5_dgst.c.secure-getenv 2015-04-21 17:13:24.156078637 +0200
+++ openssl-1.0.2a/crypto/md5/md5_dgst.c 2015-04-21 17:13:24.165078848 +0200
diff -up openssl-1.0.2i/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.2i/crypto/md5/md5_dgst.c
--- openssl-1.0.2i/crypto/md5/md5_dgst.c.secure-getenv 2016-09-22 13:51:29.840742047 +0200
+++ openssl-1.0.2i/crypto/md5/md5_dgst.c 2016-09-22 13:51:29.847742209 +0200
@@ -56,6 +56,8 @@
* [including the GNU Public Licence.]
*/
@ -96,9 +96,9 @@ diff -up openssl-1.0.2a/crypto/md5/md5_dgst.c.secure-getenv openssl-1.0.2a/crypt
OpenSSLDie(__FILE__, __LINE__, "Digest MD5 forbidden in FIPS mode!");
return private_MD5_Init(c);
}
diff -up openssl-1.0.2a/crypto/o_init.c.secure-getenv openssl-1.0.2a/crypto/o_init.c
--- openssl-1.0.2a/crypto/o_init.c.secure-getenv 2015-04-21 17:13:24.142078310 +0200
+++ openssl-1.0.2a/crypto/o_init.c 2015-04-21 17:13:24.165078848 +0200
diff -up openssl-1.0.2i/crypto/o_init.c.secure-getenv openssl-1.0.2i/crypto/o_init.c
--- openssl-1.0.2i/crypto/o_init.c.secure-getenv 2016-09-22 13:51:29.830741814 +0200
+++ openssl-1.0.2i/crypto/o_init.c 2016-09-22 13:51:30.046746834 +0200
@@ -53,6 +53,8 @@
*
*/
@ -117,19 +117,19 @@ diff -up openssl-1.0.2a/crypto/o_init.c.secure-getenv openssl-1.0.2a/crypto/o_in
buf[0] = '1';
} else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
diff -up openssl-1.0.2a/crypto/rand/randfile.c.secure-getenv openssl-1.0.2a/crypto/rand/randfile.c
--- openssl-1.0.2a/crypto/rand/randfile.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100
+++ openssl-1.0.2a/crypto/rand/randfile.c 2015-04-21 17:13:24.165078848 +0200
@@ -60,6 +60,8 @@
#if !defined(OPENSSL_SYS_VXWORKS)
# define _XOPEN_SOURCE 500
#endif
diff -up openssl-1.0.2i/crypto/rand/randfile.c.secure-getenv openssl-1.0.2i/crypto/rand/randfile.c
--- openssl-1.0.2i/crypto/rand/randfile.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/rand/randfile.c 2016-09-22 13:53:17.222237626 +0200
@@ -55,6 +55,8 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
@@ -292,14 +294,12 @@ const char *RAND_file_name(char *buf, si
@@ -327,14 +329,12 @@ const char *RAND_file_name(char *buf, si
struct stat sb;
#endif
@ -146,9 +146,9 @@ diff -up openssl-1.0.2a/crypto/rand/randfile.c.secure-getenv openssl-1.0.2a/cryp
#ifdef DEFAULT_HOME
if (s == NULL) {
s = DEFAULT_HOME;
diff -up openssl-1.0.2a/crypto/x509/by_dir.c.secure-getenv openssl-1.0.2a/crypto/x509/by_dir.c
--- openssl-1.0.2a/crypto/x509/by_dir.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100
+++ openssl-1.0.2a/crypto/x509/by_dir.c 2015-04-21 17:13:24.165078848 +0200
diff -up openssl-1.0.2i/crypto/x509/by_dir.c.secure-getenv openssl-1.0.2i/crypto/x509/by_dir.c
--- openssl-1.0.2i/crypto/x509/by_dir.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/x509/by_dir.c 2016-09-22 13:51:30.047746858 +0200
@@ -56,6 +56,8 @@
* [including the GNU Public Licence.]
*/
@ -167,9 +167,9 @@ diff -up openssl-1.0.2a/crypto/x509/by_dir.c.secure-getenv openssl-1.0.2a/crypto
if (dir)
ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
else
diff -up openssl-1.0.2a/crypto/x509/by_file.c.secure-getenv openssl-1.0.2a/crypto/x509/by_file.c
--- openssl-1.0.2a/crypto/x509/by_file.c.secure-getenv 2015-04-21 17:13:24.118077749 +0200
+++ openssl-1.0.2a/crypto/x509/by_file.c 2015-04-21 17:13:24.166078871 +0200
diff -up openssl-1.0.2i/crypto/x509/by_file.c.secure-getenv openssl-1.0.2i/crypto/x509/by_file.c
--- openssl-1.0.2i/crypto/x509/by_file.c.secure-getenv 2016-09-22 13:51:29.812741396 +0200
+++ openssl-1.0.2i/crypto/x509/by_file.c 2016-09-22 13:51:30.047746858 +0200
@@ -56,6 +56,8 @@
* [including the GNU Public Licence.]
*/
@ -188,9 +188,9 @@ diff -up openssl-1.0.2a/crypto/x509/by_file.c.secure-getenv openssl-1.0.2a/crypt
if (file)
ok = (X509_load_cert_crl_file(ctx, file,
X509_FILETYPE_PEM) != 0);
diff -up openssl-1.0.2a/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.2a/crypto/x509/x509_vfy.c
--- openssl-1.0.2a/crypto/x509/x509_vfy.c.secure-getenv 2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.2a/crypto/x509/x509_vfy.c 2015-04-21 17:19:14.948277272 +0200
diff -up openssl-1.0.2i/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.2i/crypto/x509/x509_vfy.c
--- openssl-1.0.2i/crypto/x509/x509_vfy.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/crypto/x509/x509_vfy.c 2016-09-22 13:51:30.048746881 +0200
@@ -56,6 +56,8 @@
* [including the GNU Public Licence.]
*/
@ -200,7 +200,7 @@ diff -up openssl-1.0.2a/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.2a/cryp
#include <stdio.h>
#include <time.h>
#include <errno.h>
@@ -550,7 +552,7 @@ static int check_chain_extensions(X509_S
@@ -620,7 +622,7 @@ static int check_chain_extensions(X509_S
* A hack to keep people who don't want to modify their software
* happy
*/
@ -209,9 +209,9 @@ diff -up openssl-1.0.2a/crypto/x509/x509_vfy.c.secure-getenv openssl-1.0.2a/cryp
allow_proxy_certs = 1;
purpose = ctx->param->purpose;
}
diff -up openssl-1.0.2a/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.2a/engines/ccgost/gost_ctl.c
--- openssl-1.0.2a/engines/ccgost/gost_ctl.c.secure-getenv 2015-03-19 14:19:00.000000000 +0100
+++ openssl-1.0.2a/engines/ccgost/gost_ctl.c 2015-04-21 17:19:53.897187577 +0200
diff -up openssl-1.0.2i/engines/ccgost/gost_ctl.c.secure-getenv openssl-1.0.2i/engines/ccgost/gost_ctl.c
--- openssl-1.0.2i/engines/ccgost/gost_ctl.c.secure-getenv 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/engines/ccgost/gost_ctl.c 2016-09-22 13:51:30.048746881 +0200
@@ -6,6 +6,8 @@
* Implementation of control commands for GOST engine *
* OpenSSL 0.9.9 libraries required *

112
openssl-1.0.2h-trusted-first-doc.patch → openssl-1.0.2i-trusted-first-doc.patch
View File

@ -1,6 +1,6 @@
diff -up openssl-1.0.2h/apps/cms.c.trusted-first openssl-1.0.2h/apps/cms.c
--- openssl-1.0.2h/apps/cms.c.trusted-first 2016-05-03 15:44:42.000000000 +0200
+++ openssl-1.0.2h/apps/cms.c 2016-05-03 18:01:16.729556976 +0200
diff -up openssl-1.0.2i/apps/cms.c.trusted-first openssl-1.0.2i/apps/cms.c
--- openssl-1.0.2i/apps/cms.c.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/apps/cms.c 2016-09-22 14:01:27.436630359 +0200
@@ -646,6 +646,8 @@ int MAIN(int argc, char **argv)
"-CApath dir trusted certificates directory\n");
BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
@ -10,9 +10,9 @@ diff -up openssl-1.0.2h/apps/cms.c.trusted-first openssl-1.0.2h/apps/cms.c
"-no_alt_chains only ever use the first certificate chain found\n");
BIO_printf(bio_err,
"-crl_check check revocation status of signer's certificate using CRLs\n");
diff -up openssl-1.0.2h/apps/ocsp.c.trusted-first openssl-1.0.2h/apps/ocsp.c
--- openssl-1.0.2h/apps/ocsp.c.trusted-first 2016-05-03 15:44:42.000000000 +0200
+++ openssl-1.0.2h/apps/ocsp.c 2016-05-03 18:01:16.730556998 +0200
diff -up openssl-1.0.2i/apps/ocsp.c.trusted-first openssl-1.0.2i/apps/ocsp.c
--- openssl-1.0.2i/apps/ocsp.c.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/apps/ocsp.c 2016-09-22 14:01:27.436630359 +0200
@@ -537,6 +537,8 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err,
"-CAfile file trusted certificates file\n");
@ -22,10 +22,10 @@ diff -up openssl-1.0.2h/apps/ocsp.c.trusted-first openssl-1.0.2h/apps/ocsp.c
"-no_alt_chains only ever use the first certificate chain found\n");
BIO_printf(bio_err,
"-VAfile file validator certificates file\n");
diff -up openssl-1.0.2h/apps/s_client.c.trusted-first openssl-1.0.2h/apps/s_client.c
--- openssl-1.0.2h/apps/s_client.c.trusted-first 2016-05-03 18:01:16.696556246 +0200
+++ openssl-1.0.2h/apps/s_client.c 2016-05-03 18:01:16.730556998 +0200
@@ -333,6 +333,8 @@ static void sc_usage(void)
diff -up openssl-1.0.2i/apps/s_client.c.trusted-first openssl-1.0.2i/apps/s_client.c
--- openssl-1.0.2i/apps/s_client.c.trusted-first 2016-09-22 14:01:27.402629569 +0200
+++ openssl-1.0.2i/apps/s_client.c 2016-09-22 14:01:27.436630359 +0200
@@ -330,6 +330,8 @@ static void sc_usage(void)
BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
BIO_printf(bio_err,
@ -34,9 +34,9 @@ diff -up openssl-1.0.2h/apps/s_client.c.trusted-first openssl-1.0.2h/apps/s_clie
" -no_alt_chains - only ever use the first certificate chain found\n");
BIO_printf(bio_err,
" -reconnect - Drop and re-make the connection with the same Session-ID\n");
diff -up openssl-1.0.2h/apps/smime.c.trusted-first openssl-1.0.2h/apps/smime.c
--- openssl-1.0.2h/apps/smime.c.trusted-first 2016-05-03 15:44:42.000000000 +0200
+++ openssl-1.0.2h/apps/smime.c 2016-05-03 18:01:16.730556998 +0200
diff -up openssl-1.0.2i/apps/smime.c.trusted-first openssl-1.0.2i/apps/smime.c
--- openssl-1.0.2i/apps/smime.c.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/apps/smime.c 2016-09-22 14:01:27.436630359 +0200
@@ -442,6 +442,8 @@ int MAIN(int argc, char **argv)
"-CApath dir trusted certificates directory\n");
BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
@ -46,10 +46,10 @@ diff -up openssl-1.0.2h/apps/smime.c.trusted-first openssl-1.0.2h/apps/smime.c
"-no_alt_chains only ever use the first certificate chain found\n");
BIO_printf(bio_err,
"-crl_check check revocation status of signer's certificate using CRLs\n");
diff -up openssl-1.0.2h/apps/s_server.c.trusted-first openssl-1.0.2h/apps/s_server.c
--- openssl-1.0.2h/apps/s_server.c.trusted-first 2016-05-03 18:01:16.666555583 +0200
+++ openssl-1.0.2h/apps/s_server.c 2016-05-03 18:01:16.731557020 +0200
@@ -578,6 +578,8 @@ static void sv_usage(void)
diff -up openssl-1.0.2i/apps/s_server.c.trusted-first openssl-1.0.2i/apps/s_server.c
--- openssl-1.0.2i/apps/s_server.c.trusted-first 2016-09-22 14:01:27.374628918 +0200
+++ openssl-1.0.2i/apps/s_server.c 2016-09-22 14:01:27.437630382 +0200
@@ -571,6 +571,8 @@ static void sv_usage(void)
BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
BIO_printf(bio_err,
@ -58,9 +58,9 @@ diff -up openssl-1.0.2h/apps/s_server.c.trusted-first openssl-1.0.2h/apps/s_serv
" -no_alt_chains - only ever use the first certificate chain found\n");
BIO_printf(bio_err,
" -nocert - Don't use any certificates (Anon-DH)\n");
diff -up openssl-1.0.2h/apps/s_time.c.trusted-first openssl-1.0.2h/apps/s_time.c
--- openssl-1.0.2h/apps/s_time.c.trusted-first 2016-05-03 18:01:16.661555472 +0200
+++ openssl-1.0.2h/apps/s_time.c 2016-05-03 18:01:16.731557020 +0200
diff -up openssl-1.0.2i/apps/s_time.c.trusted-first openssl-1.0.2i/apps/s_time.c
--- openssl-1.0.2i/apps/s_time.c.trusted-first 2016-09-22 14:01:27.368628779 +0200
+++ openssl-1.0.2i/apps/s_time.c 2016-09-22 14:01:27.437630382 +0200
@@ -182,6 +182,7 @@ static void s_time_usage(void)
file if not specified by this option\n\
-CApath arg - PEM format directory of CA's\n\
@ -69,9 +69,9 @@ diff -up openssl-1.0.2h/apps/s_time.c.trusted-first openssl-1.0.2h/apps/s_time.c
-cipher - preferred cipher to use, play with 'openssl ciphers'\n\n";
printf("usage: s_time <args>\n\n");
diff -up openssl-1.0.2h/apps/ts.c.trusted-first openssl-1.0.2h/apps/ts.c
--- openssl-1.0.2h/apps/ts.c.trusted-first 2016-05-03 18:01:16.694556202 +0200
+++ openssl-1.0.2h/apps/ts.c 2016-05-03 18:01:16.731557020 +0200
diff -up openssl-1.0.2i/apps/ts.c.trusted-first openssl-1.0.2i/apps/ts.c
--- openssl-1.0.2i/apps/ts.c.trusted-first 2016-09-22 14:01:27.400629522 +0200
+++ openssl-1.0.2i/apps/ts.c 2016-09-22 14:01:27.437630382 +0200
@@ -352,7 +352,7 @@ int MAIN(int argc, char **argv)
"ts -verify [-data file_to_hash] [-digest digest_bytes] "
"[-queryfile request.tsq] "
@ -81,11 +81,11 @@ diff -up openssl-1.0.2h/apps/ts.c.trusted-first openssl-1.0.2h/apps/ts.c
"-untrusted cert_file.pem\n");
cleanup:
/* Clean up. */
diff -up openssl-1.0.2h/apps/verify.c.trusted-first openssl-1.0.2h/apps/verify.c
--- openssl-1.0.2h/apps/verify.c.trusted-first 2016-05-03 15:44:42.000000000 +0200
+++ openssl-1.0.2h/apps/verify.c 2016-05-03 18:01:16.731557020 +0200
diff -up openssl-1.0.2i/apps/verify.c.trusted-first openssl-1.0.2i/apps/verify.c
--- openssl-1.0.2i/apps/verify.c.trusted-first 2016-09-22 14:01:27.438630405 +0200
+++ openssl-1.0.2i/apps/verify.c 2016-09-22 14:02:37.951269140 +0200
@@ -231,7 +231,7 @@ int MAIN(int argc, char **argv)
end:
usage:
if (ret == 1) {
BIO_printf(bio_err,
- "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
@ -93,9 +93,9 @@ diff -up openssl-1.0.2h/apps/verify.c.trusted-first openssl-1.0.2h/apps/verify.c
BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]");
#ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err, " [-engine e]");
diff -up openssl-1.0.2h/doc/apps/cms.pod.trusted-first openssl-1.0.2h/doc/apps/cms.pod
--- openssl-1.0.2h/doc/apps/cms.pod.trusted-first 2016-05-03 15:44:42.000000000 +0200
+++ openssl-1.0.2h/doc/apps/cms.pod 2016-05-03 18:01:16.731557020 +0200
diff -up openssl-1.0.2i/doc/apps/cms.pod.trusted-first openssl-1.0.2i/doc/apps/cms.pod
--- openssl-1.0.2i/doc/apps/cms.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/doc/apps/cms.pod 2016-09-22 14:01:27.438630405 +0200
@@ -35,6 +35,7 @@ B<openssl> B<cms>
[B<-print>]
[B<-CAfile file>]
@ -104,7 +104,7 @@ diff -up openssl-1.0.2h/doc/apps/cms.pod.trusted-first openssl-1.0.2h/doc/apps/c
[B<-no_alt_chains>]
[B<-md digest>]
[B<-[cipher]>]
@@ -245,6 +246,12 @@ B<-verify>. This directory must be a sta
@@ -248,6 +249,12 @@ B<-verify>. This directory must be a sta
is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate.
@ -117,9 +117,9 @@ diff -up openssl-1.0.2h/doc/apps/cms.pod.trusted-first openssl-1.0.2h/doc/apps/c
=item B<-md digest>
digest algorithm to use when signing or resigning. If not present then the
diff -up openssl-1.0.2h/doc/apps/ocsp.pod.trusted-first openssl-1.0.2h/doc/apps/ocsp.pod
--- openssl-1.0.2h/doc/apps/ocsp.pod.trusted-first 2016-05-03 18:01:16.695556224 +0200
+++ openssl-1.0.2h/doc/apps/ocsp.pod 2016-05-03 18:02:16.021868012 +0200
diff -up openssl-1.0.2i/doc/apps/ocsp.pod.trusted-first openssl-1.0.2i/doc/apps/ocsp.pod
--- openssl-1.0.2i/doc/apps/ocsp.pod.trusted-first 2016-09-22 14:01:27.401629545 +0200
+++ openssl-1.0.2i/doc/apps/ocsp.pod 2016-09-22 14:01:27.438630405 +0200
@@ -29,6 +29,7 @@ B<openssl> B<ocsp>
[B<-path>]
[B<-CApath dir>]
@ -142,9 +142,9 @@ diff -up openssl-1.0.2h/doc/apps/ocsp.pod.trusted-first openssl-1.0.2h/doc/apps/
=item B<-no_alt_chains>
See L<B<verify>|verify(1)> manual page for details.
diff -up openssl-1.0.2h/doc/apps/s_client.pod.trusted-first openssl-1.0.2h/doc/apps/s_client.pod
--- openssl-1.0.2h/doc/apps/s_client.pod.trusted-first 2016-05-03 18:01:16.706556467 +0200
+++ openssl-1.0.2h/doc/apps/s_client.pod 2016-05-03 18:01:16.732557042 +0200
diff -up openssl-1.0.2i/doc/apps/s_client.pod.trusted-first openssl-1.0.2i/doc/apps/s_client.pod
--- openssl-1.0.2i/doc/apps/s_client.pod.trusted-first 2016-09-22 14:01:27.412629801 +0200
+++ openssl-1.0.2i/doc/apps/s_client.pod 2016-09-22 14:01:27.438630405 +0200
@@ -19,6 +19,7 @@ B<openssl> B<s_client>
[B<-pass arg>]
[B<-CApath directory>]
@ -153,7 +153,7 @@ diff -up openssl-1.0.2h/doc/apps/s_client.pod.trusted-first openssl-1.0.2h/doc/a
[B<-no_alt_chains>]
[B<-reconnect>]
[B<-pause>]
@@ -124,7 +125,7 @@ also used when building the client certi
@@ -125,7 +126,7 @@ also used when building the client certi
A file containing trusted certificates to use during server authentication
and to use when attempting to build the client certificate chain.
@ -162,9 +162,9 @@ diff -up openssl-1.0.2h/doc/apps/s_client.pod.trusted-first openssl-1.0.2h/doc/a
Set various certificate chain valiadition option. See the
L<B<verify>|verify(1)> manual page for details.
diff -up openssl-1.0.2h/doc/apps/smime.pod.trusted-first openssl-1.0.2h/doc/apps/smime.pod
--- openssl-1.0.2h/doc/apps/smime.pod.trusted-first 2016-05-03 15:44:42.000000000 +0200
+++ openssl-1.0.2h/doc/apps/smime.pod 2016-05-03 18:01:16.732557042 +0200
diff -up openssl-1.0.2i/doc/apps/smime.pod.trusted-first openssl-1.0.2i/doc/apps/smime.pod
--- openssl-1.0.2i/doc/apps/smime.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/doc/apps/smime.pod 2016-09-22 14:01:27.438630405 +0200
@@ -15,6 +15,9 @@ B<openssl> B<smime>
[B<-pk7out>]
[B<-[cipher]>]
@ -175,7 +175,7 @@ diff -up openssl-1.0.2h/doc/apps/smime.pod.trusted-first openssl-1.0.2h/doc/apps
[B<-no_alt_chains>]
[B<-certfile file>]
[B<-signer file>]
@@ -147,6 +150,12 @@ B<-verify>. This directory must be a sta
@@ -150,6 +153,12 @@ B<-verify>. This directory must be a sta
is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate.
@ -188,9 +188,9 @@ diff -up openssl-1.0.2h/doc/apps/smime.pod.trusted-first openssl-1.0.2h/doc/apps
=item B<-md digest>
digest algorithm to use when signing or resigning. If not present then the
diff -up openssl-1.0.2h/doc/apps/s_server.pod.trusted-first openssl-1.0.2h/doc/apps/s_server.pod
--- openssl-1.0.2h/doc/apps/s_server.pod.trusted-first 2016-05-03 18:01:16.706556467 +0200
+++ openssl-1.0.2h/doc/apps/s_server.pod 2016-05-03 18:01:16.732557042 +0200
diff -up openssl-1.0.2i/doc/apps/s_server.pod.trusted-first openssl-1.0.2i/doc/apps/s_server.pod
--- openssl-1.0.2i/doc/apps/s_server.pod.trusted-first 2016-09-22 14:01:27.412629801 +0200
+++ openssl-1.0.2i/doc/apps/s_server.pod 2016-09-22 14:01:27.438630405 +0200
@@ -33,6 +33,7 @@ B<openssl> B<s_server>
[B<-state>]
[B<-CApath directory>]
@ -199,7 +199,7 @@ diff -up openssl-1.0.2h/doc/apps/s_server.pod.trusted-first openssl-1.0.2h/doc/a
[B<-no_alt_chains>]
[B<-nocert>]
[B<-cipher cipherlist>]
@@ -177,6 +178,12 @@ and to use when attempting to build the
@@ -178,6 +179,12 @@ and to use when attempting to build the
is also used in the list of acceptable client CAs passed to the client when
a certificate is requested.
@ -212,9 +212,9 @@ diff -up openssl-1.0.2h/doc/apps/s_server.pod.trusted-first openssl-1.0.2h/doc/a
=item B<-no_alt_chains>
See the L<B<verify>|verify(1)> manual page for details.
diff -up openssl-1.0.2h/doc/apps/s_time.pod.trusted-first openssl-1.0.2h/doc/apps/s_time.pod
--- openssl-1.0.2h/doc/apps/s_time.pod.trusted-first 2016-05-03 15:44:42.000000000 +0200
+++ openssl-1.0.2h/doc/apps/s_time.pod 2016-05-03 18:01:16.732557042 +0200
diff -up openssl-1.0.2i/doc/apps/s_time.pod.trusted-first openssl-1.0.2i/doc/apps/s_time.pod
--- openssl-1.0.2i/doc/apps/s_time.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/doc/apps/s_time.pod 2016-09-22 14:01:27.439630429 +0200
@@ -14,6 +14,7 @@ B<openssl> B<s_time>
[B<-key filename>]
[B<-CApath directory>]
@ -236,9 +236,9 @@ diff -up openssl-1.0.2h/doc/apps/s_time.pod.trusted-first openssl-1.0.2h/doc/app
=item B<-new>
performs the timing test using a new session ID for each connection.
diff -up openssl-1.0.2h/doc/apps/ts.pod.trusted-first openssl-1.0.2h/doc/apps/ts.pod
--- openssl-1.0.2h/doc/apps/ts.pod.trusted-first 2016-05-03 15:44:42.000000000 +0200
+++ openssl-1.0.2h/doc/apps/ts.pod 2016-05-03 18:01:16.732557042 +0200
diff -up openssl-1.0.2i/doc/apps/ts.pod.trusted-first openssl-1.0.2i/doc/apps/ts.pod
--- openssl-1.0.2i/doc/apps/ts.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/doc/apps/ts.pod 2016-09-22 14:01:27.439630429 +0200
@@ -46,6 +46,7 @@ B<-verify>
[B<-token_in>]
[B<-CApath> trusted_cert_path]
@ -260,9 +260,9 @@ diff -up openssl-1.0.2h/doc/apps/ts.pod.trusted-first openssl-1.0.2h/doc/apps/ts
=item B<-untrusted> cert_file.pem
Set of additional untrusted certificates in PEM format which may be
diff -up openssl-1.0.2h/doc/apps/verify.pod.trusted-first openssl-1.0.2h/doc/apps/verify.pod
--- openssl-1.0.2h/doc/apps/verify.pod.trusted-first 2016-05-03 15:44:42.000000000 +0200
+++ openssl-1.0.2h/doc/apps/verify.pod 2016-05-03 18:01:16.732557042 +0200
diff -up openssl-1.0.2i/doc/apps/verify.pod.trusted-first openssl-1.0.2i/doc/apps/verify.pod
--- openssl-1.0.2i/doc/apps/verify.pod.trusted-first 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/doc/apps/verify.pod 2016-09-22 14:01:27.439630429 +0200
@@ -9,6 +9,7 @@ verify - Utility to verify certificates.
B<openssl> B<verify>
[B<-CApath directory>]
@ -271,7 +271,7 @@ diff -up openssl-1.0.2h/doc/apps/verify.pod.trusted-first openssl-1.0.2h/doc/app
[B<-purpose purpose>]
[B<-policy arg>]
[B<-ignore_critical>]
@@ -85,6 +86,12 @@ If a valid CRL cannot be found an error
@@ -86,6 +87,12 @@ If a valid CRL cannot be found an error
A file of untrusted certificates. The file should contain multiple certificates
in PEM format concatenated together.

29
openssl.spec
View File

@ -22,8 +22,8 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.0.2h
Release: 3%{?dist}
Version: 1.0.2i
Release: 1%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@ -56,7 +56,7 @@ Patch33: openssl-1.0.0-beta4-ca-dir.patch
Patch34: openssl-1.0.2a-x509.patch
Patch35: openssl-1.0.2a-version-add-engines.patch
Patch39: openssl-1.0.2a-ipv6-apps.patch
Patch40: openssl-1.0.2h-fips.patch
Patch40: openssl-1.0.2i-fips.patch
Patch45: openssl-1.0.2a-env-zlib.patch
Patch47: openssl-1.0.2a-readme-warning.patch
Patch49: openssl-1.0.1i-algo-doc.patch
@ -66,18 +66,18 @@ Patch56: openssl-1.0.2a-rsa-x931.patch
Patch58: openssl-1.0.2a-fips-md5-allow.patch
Patch60: openssl-1.0.2a-apps-dgst.patch
Patch63: openssl-1.0.2a-xmpp-starttls.patch
Patch65: openssl-1.0.2a-chil-fixes.patch
Patch65: openssl-1.0.2i-chil-fixes.patch
Patch66: openssl-1.0.2h-pkgconfig.patch
Patch68: openssl-1.0.2a-secure-getenv.patch
Patch68: openssl-1.0.2i-secure-getenv.patch
Patch70: openssl-1.0.2a-fips-ec.patch
Patch71: openssl-1.0.2g-manfix.patch
Patch72: openssl-1.0.2a-fips-ctor.patch
Patch73: openssl-1.0.2c-ecc-suiteb.patch
Patch74: openssl-1.0.2a-no-md5-verify.patch
Patch75: openssl-1.0.2a-compat-symbols.patch
Patch76: openssl-1.0.2f-new-fips-reqs.patch
Patch76: openssl-1.0.2i-new-fips-reqs.patch
Patch78: openssl-1.0.2a-cc-reqs.patch
Patch90: openssl-1.0.2a-enc-fail.patch
Patch90: openssl-1.0.2i-enc-fail.patch
Patch92: openssl-1.0.2a-system-cipherlist.patch
Patch93: openssl-1.0.2g-disable-sslv2v3.patch
Patch94: openssl-1.0.2d-secp256k1.patch
@ -86,8 +86,7 @@ Patch96: openssl-1.0.2e-speed-doc.patch
# Backported fixes including security fixes
Patch80: openssl-1.0.2e-wrap-pad.patch
Patch81: openssl-1.0.2a-padlock64.patch
Patch82: openssl-1.0.2h-trusted-first-doc.patch
Patch83: openssl-1.0.2h-dtls-bad-ver.patch
Patch82: openssl-1.0.2i-trusted-first-doc.patch
License: OpenSSL
Group: System Environment/Libraries
@ -211,7 +210,6 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch80 -p1 -b .wrap
%patch81 -p1 -b .padlock64
%patch82 -p1 -b .trusted-first
%patch83 -p1 -b .dtls-bad-ver
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
@ -457,7 +455,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%dir %{_sysconfdir}/pki/CA/newcerts
%{_sysconfdir}/pki/tls/misc/c_*
%attr(0755,root,root) %{_bindir}/openssl
%attr(0644,root,root) %{_mandir}/man1*/[ABD-Zabcd-z]*
%attr(0644,root,root) %{_mandir}/man1*/*
%exclude %{_mandir}/man1*/*.pl*
%exclude %{_mandir}/man1*/c_rehash*
%exclude %{_mandir}/man1*/tsget*
%attr(0644,root,root) %{_mandir}/man5*/*
%attr(0644,root,root) %{_mandir}/man7*/*
@ -494,6 +495,8 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%defattr(-,root,root)
%attr(0755,root,root) %{_bindir}/c_rehash
%attr(0644,root,root) %{_mandir}/man1*/*.pl*
%attr(0644,root,root) %{_mandir}/man1*/c_rehash*
%attr(0644,root,root) %{_mandir}/man1*/tsget*
%{_sysconfdir}/pki/tls/misc/*.pl
%{_sysconfdir}/pki/tls/misc/tsget
@ -502,6 +505,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig
%changelog
* Thu Sep 22 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.2i-1
- minor upstream release 1.0.2i fixing security issues
- move man pages for perl based scripts to perl subpackage (#1377617)
* Wed Aug 10 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.2h-3
- fix regression in Cisco AnyConnect VPN support (#1354588)

2
sources
View File

@ -1 +1 @@
020793e7b8901a1ac62d38f3a77f9a0c openssl-1.0.2h-hobbled.tar.xz
449bf5f62fc5d4e712b2405988debaa1 openssl-1.0.2i-hobbled.tar.xz